@joemiller
Last active April 7, 2023 15:13
Buildkite OIDC JWT example with Vault auth

Get a JWT from inside a running Buildkite job:

curl -s -X POST -H "Authorization: Token ${BUILDKITE_AGENT_ACCESS_TOKEN}" \
  "${BUILDKITE_AGENT_ENDPOINT:-https://agent.buildkite.com/v3}/jobs/${BUILDKITE_JOB_ID}/oidc/tokens" \
  --data '{"audience":"vault"}'

In a future version of buildkite-agent (unreleased as of 2022/11/17) you can run this instead:

buildkite-agent oidc request-token --audience vault

Example JWT payload:

{
  "iss": "https://agent.buildkite.com",
  "sub": "organization:planetscale:pipeline:vault-secrets-buildkite-plugin:ref:refs/heads/buildkite-oidc-token-test:commit:750339bffa630404607f73dd8ed2f2c4de3670c7:step:",
  "aud": "vault",
  "iat": 1668694871,
  "nbf": 1668694871,
  "exp": 1668695171,
  "organization_slug": "planetscale",
  "pipeline_slug": "vault-secrets-buildkite-plugin",
  "build_number": 175,
  "build_branch": "buildkite-oidc-token-test",
  "build_commit": "750339bffa630404607f73dd8ed2f2c4de3670c7",
  "step_key": null,
  "job_id": "018485f6-1f53-4f18-9b53-72428db4d239",
  "agent_id": "018485f6-eec2-4b61-a7be-0e35ef563df0"
}

Configuring Vault JWT backend:

# mount jwt backend to /buildkite and configure it:
vault auth enable -path=buildkite jwt
vault write auth/buildkite/config jwks_url=https://agent.buildkite.com/.well-known/jwks

# create an auth role (the role JSON is passed on stdin via the heredoc):
vault write auth/buildkite/role/demo -<<EOF
{
  "bound_audiences": "vault",
  "policies": ["default"],
  "user_claim": "pipeline_slug",
  "role_type": "jwt",
  "token_type": "batch",
  "token_period": 0,
  "token_explicit_max_ttl": "2h",
  "bound_claims": {"organization_slug":"owner", "pipeline_slug":["repo1","repo2"]}
}
EOF

# use a JWT to auth to vault and get a vault token
vault write auth/buildkite/login role=demo jwt="eyJh.."
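As an added example (not part of the gist, and not Vault's own code), the following Python models how the demo role's restrictions (bound_audiences, user_claim, bound_claims, nbf/exp) would be evaluated against the sample payload. It is a simplified model of Vault's matching rules and does not verify the RS256 signature, which Vault does against the configured jwks_url. Note that the demo role as written binds organization_slug to "owner" and pipeline_slug to "repo1"/"repo2", so the sample token would be rejected until those placeholders are replaced with real values.

```python
import base64
import json

# Sample payload constructed from the example JWT payload above; not a real token.
SAMPLE_PAYLOAD = {
    "iss": "https://agent.buildkite.com", "aud": "vault",
    "iat": 1668694871, "nbf": 1668694871, "exp": 1668695171,
    "organization_slug": "planetscale",
    "pipeline_slug": "vault-secrets-buildkite-plugin",
    "build_branch": "buildkite-oidc-token-test", "step_key": None,
}

# The demo role from the gist, reduced to the fields this model evaluates.
DEMO_ROLE = {
    "bound_audiences": "vault",
    "user_claim": "pipeline_slug",
    "bound_claims": {"organization_slug": "owner", "pipeline_slug": ["repo1", "repo2"]},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def encode_payload(payload: dict) -> str:
    """Build an unsigned 'header.payload.' string (constructed; real tokens are RS256-signed)."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(payload)}."

def payload_from_jwt(token: str) -> dict:
    """Decode the middle segment of a JWT (no signature check; Vault does that via jwks_url)."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def check_role(role: dict, payload: dict, now: int) -> list:
    """Return the reasons a login would be rejected; an empty list means the token passes."""
    problems = []
    if not set(_as_list(payload.get("aud"))) & set(_as_list(role["bound_audiences"])):
        problems.append("aud not in bound_audiences")
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid (nbf)")
    if now >= payload.get("exp", 0):
        problems.append("token expired (exp)")
    if not isinstance(payload.get(role["user_claim"]), str):
        problems.append(f"user_claim {role['user_claim']} missing or not a string")
    for claim, allowed in role["bound_claims"].items():  # every bound claim must match
        actual = _as_list(payload.get(claim))
        if not set(actual) & set(_as_list(allowed)):
            problems.append(f"bound claim {claim}={payload.get(claim)!r} not in {allowed!r}")
    return problems
```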