Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD
Abstract
Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.
Cite
@article{arxiv.2504.14761,
title = {Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD},
author = {Surya Teja Avirneni},
journal= {arXiv preprint arXiv:2504.14761},
year = {2025}
}
Comments
10 pages, 2 figures. Originally authored in November 2024. Second paper in a three-part series on Zero Trust CI/CD and dynamic Workload Identity enforcement. Builds on SPIFFE-based authentication to introduce credential broker patterns and policy-based access control