Intent-Aware Authorization for Zero Trust CI/CD
Abstract
This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system builds on SPIFFE-based workload identity and credential brokers, and enables fine-grained, auditable authorization. This is the third paper in a series on Zero Trust CI/CD design patterns.
Cite
@article{arxiv.2504.14777,
title = {Intent-Aware Authorization for Zero Trust CI/CD},
author = {Surya Teja Avirneni},
journal= {arXiv preprint arXiv:2504.14777},
year = {2025}
}
Comments
13 pages. Originally authored in Dec 2024. Third paper in a three-part series on Zero Trust CI/CD and Workload Identity. Expands on SPIFFE-based authentication and credential brokers with policy-based, intent-aware authorization patterns using OPA and Cedar