Automate Cerbos policy deployments with GitLab Runners

Push validated Cerbos policies to Cerbos Hub on every merge using a GitLab CI/CD pipeline.

Pipeline-driven

A single .gitlab-ci.yml file triggers policy uploads on every push to your main branch

Protected variables

Store Cerbos Hub credentials as protected and masked CI/CD variables, injected securely at runtime

Zero-downtime updates

Cerbos Hub distributes updated bundles to connected PDPs with no restarts or redeployments

How Cerbos works with GitLab CI/CD

Authorization policies should go through the same review and deployment rigour as application code. GitLab CI/CD lets you automate that workflow so every policy change is tested and deployed without manual steps.

Cerbos Hub stores your compiled policy bundles and distributes them to connected PDP instances. A CI/CD pipeline pushes validated policies to Cerbos Hub on every merge, and your PDPs pick up the changes automatically.

With GitLab CI/CD handling the pipeline and Cerbos Hub handling distribution, policy updates flow from pull request to production with a full audit trail and zero downtime.

How to deploy Cerbos policies with GitLab CI/CD

  1. Create a CI/CD config file. Add `.gitlab-ci.yml` to your repository with a job that uses Docker-in-Docker to run the `cerbosctl` image.
  2. Store credentials as CI/CD variables. Add `CERBOS_HUB_CLIENT_ID` and `CERBOS_HUB_CLIENT_SECRET` as protected, masked variables in GitLab.
  3. Push to main. Every push to main triggers the pipeline, which uploads your policies to Cerbos Hub using `hub store replace-files`.
  4. PDPs update automatically. Connected PDP instances pull the latest policy bundle from Cerbos Hub with zero downtime.
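The four steps above, written out as one `.gitlab-ci.yml`. This is an added example, not the page's own pipeline file: it assumes the policies live in a `policies/` directory in the repository, that the Cerbos Hub store ID is supplied as a `CERBOS_HUB_STORE_ID` variable alongside the two credentials named above, that the `ghcr.io/cerbos/cerbosctl` image accepts `hub store replace-files --store-id=... <dir>`, and that the `ghcr.io/cerbos/cerbos` image's `compile` subcommand is used as the validation gate before anything is uploaded. Both images are run through Docker-in-Docker so the job works on shared runners as well as self-hosted runners with Docker enabled.

```yaml
# .gitlab-ci.yml (added example; assumptions noted inline)
stages:
  - validate
  - deploy

variables:
  # Assumption: policies are checked into ./policies in this repository.
  POLICY_DIR: policies
  # Pin these to a specific release in a real pipeline so a tag move
  # upstream cannot silently change what gets uploaded.
  CERBOS_IMAGE: ghcr.io/cerbos/cerbos:latest
  CERBOSCTL_IMAGE: ghcr.io/cerbos/cerbosctl:latest

# Shared Docker-in-Docker settings (standard GitLab dind configuration).
.dind:
  image: docker:27
  services:
    - docker:27-dind
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"

# Step 1/3 gate: compile the policies on merge requests and on main so a
# broken policy never reaches the deploy stage.
validate-policies:
  extends: .dind
  stage: validate
  script:
    - >
      docker run --rm
      -v "$CI_PROJECT_DIR/$POLICY_DIR:/policies:ro"
      "$CERBOS_IMAGE" compile /policies
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

# Step 2: CERBOS_HUB_CLIENT_ID, CERBOS_HUB_CLIENT_SECRET and (assumed)
# CERBOS_HUB_STORE_ID are defined in GitLab as protected + masked CI/CD
# variables. They are passed with bare -e so their values never appear on
# the command line or in the job log; "protected" also keeps them out of
# pipelines run from unprotected branches or forks.
# Step 3: only a push to main uploads to Cerbos Hub.
deploy-policies:
  extends: .dind
  stage: deploy
  needs: ["validate-policies"]
  script:
    - >
      docker run --rm
      -e CERBOS_HUB_CLIENT_ID
      -e CERBOS_HUB_CLIENT_SECRET
      -e CERBOS_HUB_STORE_ID
      -v "$CI_PROJECT_DIR/$POLICY_DIR:/policies:ro"
      "$CERBOSCTL_IMAGE" hub store replace-files
      --store-id="$CERBOS_HUB_STORE_ID" /policies
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
# Step 4 needs no job: once the store contents are replaced, Cerbos Hub
# distributes the new bundle to connected PDPs on its own.
```

Mark `main` as a protected branch in GitLab as well; protected variables are only injected into pipelines on protected branches or tags, so an unprotected `main` would leave the deploy job without credentials, and a protected one prevents an arbitrary branch push from reaching the Hub credentials at all.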

FAQ

How does the GitLab pipeline deploy policies?

A job uses Docker-in-Docker to run the cerbosctl image and execute `hub store replace-files`, uploading your policy directory to Cerbos Hub. Connected PDP instances pull the updated bundle automatically.

What credentials do I need?

You need a Cerbos Hub client ID and client secret with Read & Write permissions, stored as protected and masked CI/CD variables in GitLab.

Do I need shared runners or a self-hosted runner?

Either works. The pipeline uses Docker-in-Docker, which is supported by GitLab shared runners and self-hosted runners with Docker enabled.

Cerbos + GitLab CI/CD

  • Policies deployed to Cerbos Hub automatically on every merge via GitLab CI/CD
  • Connected PDP instances pick up changes with zero downtime
  • Policy changes go through the same review process as application code
  • Full audit trail from commit to production deployment

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.