Skip to content

planetscale/vault-oidc-auth-buildkite-plugin

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

65 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Vault OIDC Authentication Buildkite Plugin

Authenticate to Hashicorp Vault with Buildkite OIDC (JWT) tokens.

In early 2023 Buildkite began offering per-pipeline OIDC tokens. These short-lived tokens can be used to authenticate individual pipeline jobs to a Vault instance.

Example

Add the following to your pipeline.yml:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-oidc-auth#v1.1.1:
          vault_addr: "https://my-vault-server"  # required.
          path: auth/buildkite                   # optional. default "auth/buildkite"
          role: some-role                        # optional. default "$BUILDKITE_PIPELINE_SLUG"
          audience: vault                        # optional. default "vault"
          env_prefix: DEV_                       # optional. default "". (prefix to add to exported env variable names)
          set_vault_addr: false                  # optional. default "true". (set VAULT_ADDR env var to the value of 'vault_addr')

If authentication is successful a VAULT_TOKEN is added to the environment, as well as VAULT_ADDR if set_vault_addr is true.

Setting the env_prefix will add a prefix to the exported VAULT_TOKEN and VAULT_ADDR environment variables, eg: enf_prefix: PROD_ will result in PROD_VAULT_TOKEN and PROD_VAULT_ADDR.

Vault Configuration

Configure an instance of the JWT Vault auth backend at auth/buildkite:

vault auth enable -path=buildkite jwt
vault write auth/buildkite/config jwks_url=https://agent.buildkite.com/.well-known/jwks

Get your Buildkite organization ID from the GraphQL console:

query getOrganizationID {organization(slug: "planetscale") {uuid}}

Create an auth role for a pipeline including the organization ID from above. Do this for each pipeline you wish to authenticate to Vault:

vault write auth/buildkite/role/my-repo -<<EOF
{
  "bound_audiences": ["vault"],
  "policies": ["default"],
  "user_claim": "pipeline_slug",
  "bound_claims": {
    "organization_id": ["ORG_ID_GOES_HERE"],
    "pipeline_slug": "my-repo"
  },
  "role_type": "jwt",
  "token_type": "batch",
  "token_explicit_max_ttl": "2h"
}
EOF

Developing

To run the linters:

docker-compose run --rm lint-shellcheck
docker-compose run --rm lint-plugin

To run the tests:

docker-compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

About

Authenticate to Hashicorp Vault with Buildkite OIDC (JWT) tokens.

Topics

Resources

License

Stars

1 star

Watchers

2 watching

Forks

Packages

 
 
 

Contributors