Get JWT from inside of a running BK job:
curl -s -X POST -H "Authorization: Token ${BUILDKITE_AGENT_ACCESS_TOKEN}" \
"${BUILDKITE_AGENT_ENDPOINT:-https://agent.buildkite.com/v3}/jobs/${BUILDKITE_JOB_ID}/oidc/tokens" \
--data '{"audience":"vault"}'
In a future version of buildkite-agent (unreleased as of 2022/11/17) you can run this instead:
buildkite-agent oidc request-token --audience vault
Example JWT payload:
{
  "iss": "https://agent.buildkite.com",
  "sub": "organization:planetscale:pipeline:vault-secrets-buildkite-plugin:ref:refs/heads/buildkite-oidc-token-test:commit:750339bffa630404607f73dd8ed2f2c4de3670c7:step:",
  "aud": "vault",
  "iat": 1668694871,
  "nbf": 1668694871,
  "exp": 1668695171,
  "organization_slug": "planetscale",
  "pipeline_slug": "vault-secrets-buildkite-plugin",
  "build_number": 175,
  "build_branch": "buildkite-oidc-token-test",
  "build_commit": "750339bffa630404607f73dd8ed2f2c4de3670c7",
  "step_key": null,
  "job_id": "018485f6-1f53-4f18-9b53-72428db4d239",
  "agent_id": "018485f6-eec2-4b61-a7be-0e35ef563df0"
}
Configuring Vault JWT backend:
# mount jwt backend to /buildkite and configure it:
vault auth enable -path=buildkite jwt
vault write auth/buildkite/config jwks_url=https://agent.buildkite.com/.well-known/jwks
# create an auth role:
vault write auth/buildkite/role/demo -<<EOF
{
  "bound_audiences": "vault",
  "policies": ["default"],
  "user_claim": "pipeline_slug",
  "role_type": "jwt",
  "token_type": "batch",
  "token_period": 0,
  "token_explicit_max_ttl": "2h",
  "bound_claims": {"organization_slug":"owner", "pipeline_slug":["repo1","repo2"]}
}
EOF
# use a JWT to auth to vault and get a vault token
vault write auth/buildkite/login role=demo jwt="eyJh.."
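Added example (not Buildkite's or Vault's own code): a small claim check that mirrors what the role above enforces on the JWT payload, so you can see before running `vault write auth/buildkite/login` whether a given token would be accepted. It covers only bound_audiences, bound_claims (string = exact match, list = any-of) and the nbf/exp window; Vault additionally verifies the signature against the jwks_url, which this offline check does not. The payload is constructed from the example on this page and the `check_claims`/`DEMO_ROLE` names are assumptions. Because the audience is chosen by the caller in the token request, the audience alone does not tie a token to your organization; that is what bound_claims is for, and the example shows the page's payload being rejected by the placeholder "owner"/"repo1" values.

```python
# Constructed from the example JWT payload on this page (claims only, no signature).
EXAMPLE_PAYLOAD = {
    "iss": "https://agent.buildkite.com",
    "sub": "organization:planetscale:pipeline:vault-secrets-buildkite-plugin:ref:refs/heads/buildkite-oidc-token-test:commit:750339bffa630404607f73dd8ed2f2c4de3670c7:step:",
    "aud": "vault",
    "iat": 1668694871,
    "nbf": 1668694871,
    "exp": 1668695171,
    "organization_slug": "planetscale",
    "pipeline_slug": "vault-secrets-buildkite-plugin",
    "build_branch": "buildkite-oidc-token-test",
}

# Role shaped like the "demo" role above (assumed name; same keys as the Vault JSON).
DEMO_ROLE = {
    "bound_audiences": "vault",
    "bound_claims": {"organization_slug": "owner", "pipeline_slug": ["repo1", "repo2"]},
}


def _matches(expected, actual):
    """A string bound value must match exactly; a list means any one of them."""
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def check_claims(payload, role, now, issuer="https://agent.buildkite.com"):
    """Return the reasons the token would be rejected (empty list = accepted).

    Signature verification is deliberately out of scope; Vault does that
    against the JWKS document at jwks_url.
    """
    reasons = []
    if payload.get("iss") != issuer:
        reasons.append("issuer mismatch")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    bound = role["bound_audiences"]
    bound = bound if isinstance(bound, list) else [bound]
    if not set(auds) & set(bound):
        reasons.append("audience not bound to role")
    if now < payload.get("nbf", 0):
        reasons.append("token not yet valid")
    if now >= payload.get("exp", 0):
        reasons.append("token expired")
    for claim, expected in role.get("bound_claims", {}).items():
        if not _matches(expected, payload.get(claim)):
            reasons.append(f"bound claim {claim!r} does not match")
    return reasons
```

The page's token is valid for 300 seconds (exp - iat), so the `now` argument must fall inside that window for the check to pass.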