A Buildkite plugin to assume-role-with-web-identity using a Buildkite OIDC token before running the build command.
Important
You will need to configure an appropriate OIDC identity
provider
in your AWS account with a Provider URL of https://agent.buildkite.com
and
an Audience of sts.amazonaws.com
. This can be automated with
Terraform. Then you can create a
role
to be assumed.
Use the plugin in your steps like this:
steps:
- command: aws sts get-caller-identity
plugins:
- aws-assume-role-with-web-identity#v1.1.0:
role-arn: arn:aws:iam::AWS-ACCOUNT-ID:role/SOME-ROLE
This will call buildkite-agent oidc request-token --audience sts.amazonaws.com
and exchange the resulting token for AWS credentials which are then added into the environment so tools like the AWS CLI will use the assumed role.
The name of the IAM role this plugin should assume.
The value of the role-session-name
to pass with the STS request. This value can be referred to in assume-role policy, and will be recorded in Cloudtrail.
Defaults to buildkite-job-${BUILDKITE_JOB_ID}
.
An integer number of seconds that the assumed role session should last. Passed as the value of the duration-seconds
parameter in the STS request.
Defaults to 3600
(via the AWS CLI).
Exports AWS_REGION
and AWS_DEFAULT_REGION
with the value you set. If not set
the values of AWS_REGION
and AWS_DEFAULT_REGION
will not be changed.
Note that and AWS_REGION
is used by the AWS CLI v2 and most SDKs.
AWS_DEFAULT_REGION
is included for compatibility with older SDKs and CLI
versions.
If you automate your infrastructure with Terraform, the following configuration will setup a valid OIDC IdP in AWS -- adapted from an example for using OIDC with EKS:
locals {
agent_endpoint = "https://agent.buildkite.com"
}
data "tls_certificate" "buildkite-agent" {
url = local.agent_endpoint
}
resource "aws_iam_openid_connect_provider" "buildkite-agent" {
url = local.agent_endpoint
client_id_list = [
"sts.amazonaws.com",
]
thumbprint_list = [
data.tls_certificate.buildkite-agent.certificates[0].sha1_fingerprint,
]
}
The oidc request will set the audience and subject as follows:
- Audience:
sts.amazonaws.com
- Subject:
organization:<ORG_SLUG>:pipeline:<PIPELINE_SLUG>:ref:<BRANCH_REF>:commit:<BUILD_COMMIT>:step:<STEP_ID>
In addition to the aws_iam_openid_connect_provider
the role being assumed should have a trust policy that can be defined like so.
Be sure to replace the <ORG_SLUG> and/or <PIPELINE_SLUG> placeholders.
data "aws_iam_policy_document" "buildkite-oidc-assume-role-trust-policy" {
statement {
sid = "BuildkiteAssumeRole"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.buildkite-agent.arn]
}
condition {
test = "ForAnyValue:StringLike"
variable = "agent.buildkite.com:sub"
values = [
"organization:<ORG_SLUG>:pipeline:*", # Example: Allow any pipeline in the organization access
"organization:<ORG_SLUG>:pipeline:<PIPELINE_SLUG>:*", # Example: Restrict access to a pipeline in the organization
]
}
condition {
test = "StringEquals"
variable = "agent.buildkite.com:aud"
values = ["sts.amazonaws.com"]
}
}
}