Here’s a concise catalogue of DevOps / CI-CD / automation tools that include BOTH first-class programmatic APIs and built-in IAM (authentication, authorization, RBAC, SSO) capabilities — with a short note on what each provides and when to pick it.

Core choices

• GitLab (Self-managed / SaaS)

  • API: Full REST+GraphQL API for projects, pipelines, users, groups, tokens.
  • IAM: Built-in groups, roles/permissions (Guest/Reporter/Developer/Maintainer/Owner), SAML/LDAP/SCIM, fine-grained access controls, protected branches, deploy tokens.
  • Best when you want an all-in-one Git + CI/CD platform with strong built-in auth and automation.

• GitHub (GitHub Enterprise / GitHub.com)

  • API: Comprehensive REST + GraphQL APIs for repos, actions, workflows, apps, secrets.
  • IAM: Organizations, teams, role-based repo access, GitHub Apps and fine-grained PATs, OIDC for actions, SAML/SCIM for SSO provisioning (Enterprise).
  • Best for cloud-native workflows, strong ecosystem, GitHub Actions automation + OIDC.

• GitHub Actions (part of GitHub)

  • API: Workflow runs, artifacts, secrets via API.
  • IAM: Uses GitHub’s org/team/role model; OIDC for short-lived cloud credentials; fine-grained actions permissions.
  • Best when CI/CD tightly integrated with GitHub.

• Azure DevOps

  • API: REST APIs for pipelines, repos, artifacts, work items.
  • IAM: Project-level groups/roles, integration with Azure AD, SAML/SSO, granular pipeline permissions.
  • Best if you’re in Microsoft/Azure ecosystem or need a traditional ALM + CI/CD suite.

• Google Cloud Build + Cloud IAM

  • API: Cloud Build REST API; programmatic triggers, builds, artifacts.
  • IAM: Uses Google Cloud IAM (roles, service accounts, conditional access).
  • Best for GCP-native workloads requiring cloud IAM controls.

• AWS CodePipeline / CodeBuild (with AWS IAM)

  • API: Full AWS APIs/SDKs/CloudFormation for pipelines and builds.
  • IAM: Uses AWS IAM (policies, roles, resource-level permissions), IAM Roles for Service Accounts (IRSA) + OIDC.
  • Best for workloads hosted on AWS that require granular cloud IAM.

• HashiCorp Terraform Cloud / Enterprise

  • API: REST API for runs, workspaces, variables, policies.
  • IAM: Organizations, teams, roles, SAML/SSO, policy controls (Sentinel in enterprise).
  • Best where infrastructure-as-code governance and policy are priorities.

• HashiCorp Vault (secrets + identity)

  • API: Full HTTP API for dynamic secrets, leases, auth methods.
  • IAM: Multiple auth backends (LDAP, OIDC, AppRole), fine-grained secret policies.
  • Best as secrets and identity service integrated into DevOps pipelines (not a CI tool).

• Argo CD (and Argo Workflows)

  • API: Kubernetes-native REST/gRPC APIs, CLI, web UI.
  • IAM: Role-Based Access Control (RBAC), SSO via OIDC/SAML, integration with Kubernetes RBAC.
  • Best for GitOps deployments on Kubernetes.

• Spinnaker

  • API: Microservice APIs for pipelines, applications, delivery configs.
  • IAM: Integrated with SSO (SAML/OIDC), supports role-based access; can integrate with cloud IAM providers.
  • Best for sophisticated multi-cloud delivery pipelines.

• Jenkins (with Enterprise/Auth plugins) / Jenkins X

  • API: Remote REST API + CLI for job control.
  • IAM: Core is minimal — but enterprise setups use LDAP/SAML plugins, Role-Based Authorization Strategy, and enterprise distributions (CloudBees Jenkins) provide stronger RBAC and SSO.
  • Best if you need extreme extensibility and plugin ecosystem; expect to add IAM via plugins or use a managed distro.

• Ansible Tower / AWX (Red Hat Ansible Automation Platform)

  • API: Full REST API for job templates, inventories, workflows.
  • IAM: Built-in RBAC, LDAP/SAML, teams/organizations; credential management.
  • Best for configuration management and automation with centralized control and auditing.

• Puppet Enterprise / Chef Automate

  • API: REST APIs for nodes, runs, reports.
  • IAM: RBAC, LDAP/SAML integration, enterprise-level access controls and audit logs.
  • Best for large-scale configuration management with enterprise governance.

• CircleCI

  • API: REST API for pipelines, insights, contexts, tokens.
  • IAM: Organization/team controls, SAML SSO for enterprise, contexts for secret scoping.
  • Best for SaaS-first CI with a straightforward API and enterprise SSO.

How to choose (short checklist)

• Cloud-aligned? Use the cloud provider’s CI (AWS/Azure/GCP) to leverage their IAM.
• All-in-one Git + CI with built-in IAM: GitLab or GitHub (Enterprise).
• Kubernetes GitOps: ArgoCD (+ Kubernetes RBAC) or Flux.
• Strong policy-as-code + IaC governance: Terraform Cloud + Sentinel (enterprise).
• Secrets + dynamic credentials: Vault (use alongside CI/CD).
• Enterprise RBAC + support: Commercial editions (GitHub Enterprise, GitLab EE, CloudBees Jenkins, Puppet/Chef Enterprise).

Practical notes

• Many tools separate authentication (who you are) and authorization (what you can do). Check SSO support (SAML/OIDC) and provisioning (SCIM) if you need centralized identity management.
• For least-privilege automation, prefer tools supporting short-lived credentials (OIDC for GitHub Actions, IRSA for AWS) and strong secrets management (Vault, encrypted contexts).
• If you need auditability and fine-grained policies, prioritize platforms with enterprise RBAC and native audit logs (GitLab EE, GitHub Enterprise, Terraform Enterprise).

If you’d like, I can:

• Map these options to your environment (cloud vendor, self-hosted vs SaaS, team size, compliance needs), or
• Produce a short decision matrix comparing 3–4 candidates side-by-side for your constraints.