All integrations
CircleCI
CI/CD

Automate Cerbos policy deployments with CircleCI

Push validated Cerbos policies to Cerbos Hub on every merge using a CircleCI workflow.

Workflow-driven

Workflow-driven

A single config file triggers policy uploads on every push to your main branch

Environment secrets

Environment secrets

Store Cerbos Hub credentials as project environment variables, injected securely at runtime

Zero-downtime updates

Zero-downtime updates

Cerbos Hub distributes updated bundles to connected PDPs with no restarts or redeployments

How Cerbos works with CircleCI

Authorization policies should go through the same review and deployment rigour as application code. CircleCI lets you automate that workflow so every policy change is tested and deployed without manual steps.

Cerbos Hub stores your compiled policy bundles and distributes them to connected PDP instances. A CI/CD pipeline pushes validated policies to Cerbos Hub on every merge, and your PDPs pick up the changes automatically.

With CircleCI handling the pipeline and Cerbos Hub handling distribution, policy updates flow from pull request to production with a full audit trail and zero downtime.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How to deploy Cerbos policies with CircleCI

  1. Create a config file, Add .circleci/config.yml to your repository with a job that runs the cerbosctl Docker image.
  2. Store credentials as environment variables, Add CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET in your CircleCI project settings.
  3. Push to main, Every push to main triggers the workflow, which uploads your policies to Cerbos Hub using hub store replace-files.
  4. PDPs update automatically, Connected PDP instances pull the latest policy bundle from Cerbos Hub with zero downtime.

FAQ

How does the CircleCI workflow deploy policies?

A job runs the cerbosctl Docker image and executes `hub store replace-files` to upload your policy directory to Cerbos Hub. Connected PDP instances pull the updated bundle automatically.

What credentials do I need?

You need a Cerbos Hub client ID and client secret with Read & Write permissions, stored as environment variables in your CircleCI project settings.

Can I restrict deployments to the main branch?

Yes. Use CircleCI workflow filters to run the upload job only on pushes to the main branch, so feature-branch commits skip deployment.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Azure DevOps
Azure DevOps PipelinesPush Cerbos policies to Cerbos Hub on every merge via Azure DevOps Pipelines
CI/CD
Bitbucket Pipelines
Bitbucket PipelinesPush Cerbos policies to Cerbos Hub on every merge via Bitbucket Pipelines
CI/CD
Buildkite
BuildkitePush Cerbos policies to Cerbos Hub on every merge via Buildkite
CI/CD
GitHub Actions
GitHub ActionsPush Cerbos policies to Cerbos Hub on every merge via GitHub Actions
CI/CD
GitLab CI/CD
GitLab CI/CDPush Cerbos policies to Cerbos Hub on every merge via GitLab CI/CD
CI/CD
Agent2Agent
Agent2Agent ProtocolPolicy-driven authorization for inter-agent communication via the Agent2Agent protocol
AI

Cerbos + CircleCI

  • Policies deployed to Cerbos Hub automatically on every merge via CircleCI
  • Connected PDP instances pick up changes with zero downtime
  • Policy changes go through the same review process as application code
  • Full audit trail from commit to production deployment
Book a free policy workshopTry the Playground