Cerbos Cloud (Beta)

Cerbos Cloud simplifies the process of authoring authorization policies, testing changes and rolling out updates to production. It’s a scalable solution for developers who want to save time, streamline their workflows and confidently roll out authorization updates — freeing you to focus on delivering great products to your customers.


This is a BETA release of new functionality for Cerbos. While it has been tested thoroughly during development, issues may still need to be addressed. The future of this capability will depend on the feedback received during this testing period and may result in it potentially being altered, delayed, or cancelled.


Managed CI/CD pipeline for Cerbos policies

Cerbos Cloud serves as a managed CI/CD pipeline specifically designed for validating, testing, and distributing policies in a more efficient manner compared to the open-source version. With Cerbos Cloud, you can automate and streamline the entire policy management process.

Coordinated rollout of policy changes

Cerbos Cloud simplifies policy updates by centrally managing the rollout process to all PDP instances. Instead of each instance handling its own update cycle, Cerbos Cloud takes the proactive approach of pushing policy changes to all instances. This ensures a smoother rollout experience and reduces the time it takes for all PDPs to get in sync with each other.

Leverage your Git workflow

GitOps is a first-class citizen in the Cerbos ecosystem. Cerbos Cloud is no exception with support for branches, tags and commit hashes as policy sources. You can build multiple versions of policy bundles based on Git references and distribute them to Cerbos PDP instances running in your environment(s).

PDP monitoring

Cerbos Cloud provides visibility into your deployed PDP instances, including which policies are currently being served, the current version and when it was last seen.

How it works

Cerbos Cloud is a cloud-hosted management control plane. Cerbos instances and the data they process remain strictly inside your network perimeter. Switching to Cerbos Cloud is as simple as pushing a minor configuration change to your existing Cerbos deployment. Everything remains the same except that Cerbos instances now receive optimized policy bundles from Cerbos Cloud instead of having to poll a policy repository and compile new policies locally.

Cerbos Cloud handles the validation, testing, compilation and deployment of policy updates to all connected Cerbos instances.

How Cerbos Cloud works

  1. Make a change to policies and push to GitHub

  2. Cerbos Cloud detects the new commit and downloads the new policy definitions

  3. Validate the new policy definitions

  4. Run any policy tests available in the repo

  5. Generate a compact binary representation of the policies and build an encrypted policy bundle

  6. Update the status of labels (symbolic references to git branches, tags or commits defined by you)

  7. Send a message to any connected PDPs watching the updated labels that a new bundle is available

  8. PDP instances download the new bundle and start serving it