CircleCI Integration

Secure your CI/CD pipelines with TigerAccess OIDC authentication, context-based permissions, and just-in-time access to infrastructure—without long-lived credentials.

Features

Secure Pipeline Access

Replace static credentials with dynamic, short-lived access tied to your CI/CD workflows.

OIDC Authentication

Replace long-lived credentials with short-lived OIDC tokens for secure pipeline authentication.

Context-Based Permissions

Fine-grained access control with CircleCI contexts mapped to TigerAccess roles and permissions.

Orb Integration

Ready-to-use TigerAccess orb for simplified configuration and standardized security practices.

Secure Deployments

Just-in-time access for production deployments with approval workflows and audit trails.

Capabilities

Enterprise CI/CD Security

OIDC token authentication
Context secrets management
Project access controls
Pipeline triggers
Custom orb support
Environment variables
Resource classes
Approval job integration
SSH key management
Database access from pipelines
Kubernetes deployments
Session recording

Setup

Get Started in Minutes

Follow these simple steps to integrate TigerAccess with your CircleCI pipelines.

1. Configure OIDC Trust

Create an OIDC connector in TigerAccess to trust CircleCI as an identity provider.

tacctl oidc add circleci \
  --issuer=https://oidc.circleci.com/org/YOUR_ORG_ID \
  --audience=tigeraccess \
  --claims-to-roles='{"project_id":".*","context_ids":"prod-deploy"}:deployer'

2. Add TigerAccess Orb

Include the TigerAccess orb in your CircleCI config to enable secure access.

version: 2.1

orbs:
  tigeraccess: tigeraccess/[email protected]

jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - tigeraccess/login:
          cluster: production.tigeraccess.io
      - run:
          name: Deploy to production
          command: |
            tac ssh deploy@prod-server "deploy.sh"

3. Configure Context Permissions

Map CircleCI contexts to TigerAccess roles for fine-grained access control.

# Create a role for production deployments
tacctl roles add prod-deployer \
  --allowed-resources='type=node,labels[env]=production' \
  --allowed-actions='ssh,exec'

# Map context to role via OIDC claims
tacctl oidc update circleci \
  --add-claims-mapping='context_ids:prod-deploy:prod-deployer'

4. Verify Pipeline Access

Test the integration by running a pipeline with TigerAccess authentication.

# In your CircleCI pipeline
- tigeraccess/login:
    cluster: production.tigeraccess.io

- run: tac ls
  # Shows all accessible resources based on context

- run: tac ssh user@production-server
  # Establishes secure SSH session with audit logging

Use Cases

Real-World Pipeline Scenarios

Production Deployments

Grant pipelines just-in-time access to production infrastructure with automatic approval workflows and comprehensive audit trails.

Database Migrations

Execute database migrations from CI/CD with secure, temporary credentials and complete session recording for compliance.

Infrastructure Automation

Run Terraform and other infrastructure-as-code tools with time-limited credentials tied to specific pipeline runs.

Security Scanning

Access production systems for security scanning and vulnerability assessment with controlled, audited access.

FAQ

Frequently Asked Questions

How does OIDC authentication work with CircleCI?

CircleCI generates OIDC tokens for each pipeline run that include claims about the project, branch, and context. TigerAccess validates these tokens and issues short-lived certificates based on the configured claims-to-roles mappings, eliminating the need for long-lived credentials.

Can I use different permissions for different contexts?

Yes. You can map CircleCI contexts to different TigerAccess roles, allowing you to have separate permissions for development, staging, and production deployments. The context_ids claim in the OIDC token determines which role is assigned.
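
The claims-to-roles matching from setup step 1 and the two FAQ answers above, modelled as an added example (not TigerAccess code; the product's real matching semantics are not documented on this page). It assumes the token signature has already been verified, uses the page's claim names `project_id` and `context_ids`, and treats each pattern as a full-match regex; `roles_for`, `_values` and the sample claims are hypothetical.

```python
import re
import time

# Constructed policy mirroring the page's step 1 mapping.
# YOUR_ORG_ID is the page's placeholder; claim names follow the page.
ISSUER = "https://oidc.circleci.com/org/YOUR_ORG_ID"
AUDIENCE = "tigeraccess"
MAPPINGS = [
    ({"project_id": r".*", "context_ids": r"prod-deploy"}, "deployer"),
]


def _values(claim):
    """Normalise a claim to a list of strings (context_ids is multi-valued)."""
    if claim is None:
        return []
    return [str(v) for v in claim] if isinstance(claim, (list, tuple)) else [str(claim)]


def roles_for(claims, now=None):
    """Return the roles granted to already signature-verified claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return []  # token minted for a different organization
    if AUDIENCE not in _values(claims.get("aud")):
        return []  # token was not requested for this relying party
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return []  # missing or expired lifetime
    roles = []
    for patterns, role in MAPPINGS:
        # fullmatch, not search: "prod-deploy" must not match "prod-deploy-test".
        if all(any(re.fullmatch(p, v) for v in _values(claims.get(name)))
               for name, p in patterns.items()):
            roles.append(role)
    return roles


# Constructed sample claims (not captured from a real pipeline).
BASE = {"iss": ISSUER, "aud": "tigeraccess", "exp": 2_000,
        "project_id": "proj-a", "context_ids": ["shared", "prod-deploy"]}

if __name__ == "__main__":
    print(roles_for(BASE, now=1_000))
```

Because the `project_id` pattern is `.*`, any project in the organization that can attach the `prod-deploy` context receives the role; narrowing that pattern limits the grant to named projects.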

Are pipeline actions recorded for audit purposes?

Absolutely. Every action performed through TigerAccess from CircleCI pipelines is recorded with full context including the project ID, workflow ID, job number, and the user who triggered the pipeline. Session recordings are also captured for SSH and database sessions.

How do approval jobs work with TigerAccess?

CircleCI approval jobs can be combined with TigerAccess access requests. You can configure pipelines to request elevated access that requires human approval before proceeding with production deployments, creating an additional security checkpoint.

Can I use TigerAccess with self-hosted CircleCI runners?

Yes. TigerAccess works with both CircleCI cloud and self-hosted runners. For self-hosted runners, ensure they have network connectivity to your TigerAccess cluster. The OIDC authentication flow works identically for both deployment models.

What happens if a pipeline run exceeds the certificate TTL?

TigerAccess certificates issued to pipelines have configurable TTLs (typically 1-2 hours). If a pipeline run exceeds this duration, the orb can automatically request a new certificate. You can also configure longer TTLs for specific workflows that require extended runtime.
