Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD

Surya Teja Avirneni

TL;DR

The paper addresses the governance gap between workload identity issuance and runtime access control in CI/CD pipelines. It proposes credential brokers as runtime policy gates that translate SPIFFE-based identities into short-lived, scoped credentials via design patterns like broker-in-the-middle, policy-gated access, and just-in-time tokenization. It provides reference architectures (self-hosted, centralized, federated) and discusses trade-offs related to trust anchors, latency, auditability, and policy lifecycle. The work advances Zero Trust CI/CD by enabling least privilege, better auditability, and cross-domain deployment, while outlining future directions for continuous policy validation and revocation mechanisms.

Abstract

Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.

Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD

TL;DR

The paper addresses the governance gap between workload identity issuance and runtime access control in CI/CD pipelines. It proposes credential brokers as runtime policy gates that translate SPIFFE-based identities into short-lived, scoped credentials via design patterns like broker-in-the-middle, policy-gated access, and just-in-time tokenization. It provides reference architectures (self-hosted, centralized, federated) and discusses trade-offs related to trust anchors, latency, auditability, and policy lifecycle. The work advances Zero Trust CI/CD by enabling least privilege, better auditability, and cross-domain deployment, while outlining future directions for continuous policy validation and revocation mechanisms.

Abstract

Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.

Paper Structure

This paper contains 19 sections, 3 figures.

Table of Contents

  1. Introduction
  2. The Governance Gap
  3. Common Anti-Patterns in Access Handling
  4. Credential Broker Design Patterns
  5. Why SPIFFE Alone Isn’t Enough
  6. Broker-in-the-Middle
  7. Policy-Gated Access
  8. Just-in-Time Tokenization
  9. Reference Architectures and Deployment Models
  10. Self-Hosted Brokers
  11. Centralized Broker Service
  12. Federated and Multi-Cloud Scenarios
  13. Design Considerations and Limitations
  14. Trust Anchors and Broker Placement
  15. Latency and Scale
  16. ...and 4 more sections

Figures (3)

  • Figure 1: The governance gap between identity issuance and access enforcement. Without a broker, access is either statically bound or manually injected. A credential broker introduces a runtime decision point to enforce policy before issuing credentials.
  • Figure 2: Reference architecture showing a SPIFFE-authenticated CI job interacting with a credential broker that evaluates policy and issues time-bound access credentials.
  • Figure 3: Reference architecture showing a SPIFFE-authenticated CI job interacting with a credential broker that evaluates policy and issues time-bound access credentials.