Intent-Aware Authorization for Zero Trust CI/CD
Surya Teja Avirneni
TL;DR
This work addresses the gap in Zero Trust CI/CD where identity alone cannot ensure secure deployments. It introduces intent-aware authorization, which integrates justification and runtime context into policy decisions governed by engines such as OPA and Cedar, backed by SPIFFE-based identities and credential brokers. The approach relies on a runtime control loop with short-lived credentials and a denial-by-denial mechanism for revocation, enabling fine-grained, auditable access in ephemeral CI/CD workflows. The paper covers architectural patterns, implementation notes, threat modeling, and practical use cases for human-approved overrides, providing actionable guidance for secure platform engineering at scale.
Abstract
This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system builds on SPIFFE-based workload identity and credential brokers, and enables fine-grained, auditable authorization. This is the third paper in a series on Zero Trust CI/CD design patterns.
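The control loop described above, as an added illustration that is not the paper's own code: a single policy decision combines the workload's SPIFFE identity with the stated justification, the CI runtime context and any human approvals, and only an allow decision causes the broker to mint a short-lived credential, with an audit record emitted either way. The trust domain, approver list, ticket format, signing key and TTL are assumptions made for the example; a real deployment would delegate the decision to OPA or Cedar and the minting to a credential broker, but the shape of the inputs and outputs is what the text describes.

```python
"""Intent-aware authorization pass for a CI/CD credential broker (illustrative, not the paper's code)."""
import hashlib
import hmac
import json
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for this example: a SPIFFE trust domain, a broker signing key,
# the humans allowed to approve privileged actions, and a credential lifetime.
TRUST_DOMAIN = "spiffe://example.org"
BROKER_KEY = b"example-broker-key-not-for-production"
APPROVERS = {"alice@example.org", "bob@example.org"}
PRIVILEGED_ACTIONS = {"deploy:prod"}
TICKET_RE = re.compile(r"\b[A-Z]{2,}-\d+\b")   # constructed ticket format, e.g. CHG-1234
DEFAULT_TTL = 300                               # seconds: credentials are short-lived by design

_revoked: set = set()   # token ids pulled before their expiry


@dataclass
class Request:
    spiffe_id: str            # who: workload identity from the CI runner's SVID
    action: str               # what: e.g. "deploy:prod"
    target: str               # where: e.g. "payments-api"
    justification: str        # why: free text that must cite a tracked change
    context: dict             # runtime context reported by the CI system (branch, event, ...)
    approvers: list = field(default_factory=list)  # human approvals attached to the request


def evaluate(req: Request) -> tuple:
    """Policy decision: identity AND intent AND context AND (human approval if privileged)."""
    denials = []
    # Identity: only workloads under the CI path of our trust domain may ask at all.
    if not req.spiffe_id.startswith(TRUST_DOMAIN + "/ci/"):
        denials.append("identity: caller is not a CI workload in the trust domain")
    # Intent: the justification must reference a tracked change.
    if not TICKET_RE.search(req.justification or ""):
        denials.append("intent: justification does not cite a change ticket")
    # Runtime context and approval apply only to privileged actions.
    if req.action in PRIVILEGED_ACTIONS:
        if req.context.get("branch") != "main":
            denials.append("context: privileged action not from branch main")
        if req.context.get("event") != "push":
            denials.append("context: privileged action not triggered by a push")
        if not any(a in APPROVERS for a in req.approvers):
            denials.append("approval: no approval from an authorised human")
    return (not denials, denials)


def mint_credential(req: Request, now: Optional[float] = None, ttl: int = DEFAULT_TTL) -> str:
    """Credential broker: issue a short-lived, HMAC-signed token bound to this request."""
    now = time.time() if now is None else now
    claims = {"sub": req.spiffe_id, "act": req.action, "tgt": req.target,
              "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_credential(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Consumer side: reject bad signatures, expired tokens and revoked token ids."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now or claims["jti"] in _revoked:
        return None
    return claims


def revoke(token: str) -> None:
    """Pull a credential before it expires (approval withdrawn, incident, ...)."""
    body, _, _ = token.rpartition(".")
    _revoked.add(json.loads(body)["jti"])


def authorize(req: Request, now: Optional[float] = None) -> dict:
    """One pass of the control loop: decide, mint only on allow, always emit an audit record."""
    allowed, denials = evaluate(req)
    record = {"subject": req.spiffe_id, "action": req.action, "target": req.target,
              "justification": req.justification, "approvers": req.approvers,
              "decision": "allow" if allowed else "deny", "reasons": denials}
    record["credential"] = mint_credential(req, now) if allowed else None
    return record


if __name__ == "__main__":
    # Constructed request: a CI pipeline asking to deploy to production with a ticket and an approver.
    req = Request(TRUST_DOMAIN + "/ci/pipeline/payments", "deploy:prod", "payments-api",
                  "CHG-1234: roll out timeout fix", {"branch": "main", "event": "push"},
                  ["alice@example.org"])
    print(json.dumps(authorize(req), indent=2))
```

The audit record is produced on every pass, so a deny with its list of reasons is as visible to reviewers as an allow; the consumer checks expiry and the revocation set on each use, which is how a short TTL and an explicit revoke together bound the window in which a minted credential stays usable.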
