Get JWT from inside of a running BK job:
curl -s -X POST -H "Authorization: Token ${BUILDKITE_AGENT_ACCESS_TOKEN}" \
"${BUILDKITE_AGENT_ENDPOINT:-https://agent.buildkite.com/v3}/jobs/${BUILDKITE_JOB_ID}/oidc/tokens" \
--data '{"audience":"vault"}'
In a future, currently (2022/11/17) unreleased version of buildkite-agent
you can run this instead: