English

Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD

Cryptography and Security 2025-04-22 v1 Software Engineering

Abstract

Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.

Keywords

Cite

@article{arxiv.2504.14761,
  title  = {Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD},
  author = {Surya Teja Avirneni},
  journal= {arXiv preprint arXiv:2504.14761},
  year   = {2025}
}

Comments

10 pages, 2 figures. Originally authored in November 2024. Second paper in a three-part series on Zero Trust CI/CD and dynamic Workload Identity enforcement. Builds on SPIFFE-based authentication to introduce credential broker patterns and policy-based access control

R2 v1 2026-06-28T23:04:59.168Z