Closed sj26 closed 1 week ago
Teach the agent how to request OIDC tokens including aws session tags:

```
buildkite-agent oidc request-token --audience sts.amazonaws.com --aws-session-tag pipeline_id
```

Claims are then added to the returned token as aws session tags using their prescribed format:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp

which can then be used to grant permission to aws resources using attribute based access control (ABAC):
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

This is a finer grained control than the subject condition based option currently available:
https://buildkite.com/docs/pipelines/security/oidc/aws#step-2-create-a-new-or-update-an-existing-iam-role-to-use-with-your-pipelines

The Buildkite Agent API already supports this parameter.

Mostly copy/pasta of how `--claim` works. I also added an api test for `claims` alongside `aws_session_tags`.

Testing:

```
go test ./...
go fmt ./...
```

```
go run . oidc request-token --endpoint http://agent.buildkite.localhost --agent-access-token test --job abc123 --debug --debug-http --aws-session-tag organization_id
2024-09-24 13:43:44 DEBUG Loaded config command=oidc request-token agent_version=3.78.0+x..dirty
2024-09-24 13:43:44 DEBUG POST /jobs/abc123/oidc/tokens HTTP/1.1
Host: agent.buildkite.localhost
User-Agent: buildkite-agent/3.78.0.x (darwin; arm64)
Content-Length: 41
Content-Type: application/json
Accept-Encoding: gzip

{"aws_session_tags":["organization_id"]}
```
That will do the job.
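To see what the requested session tags look like inside the returned token and which IAM condition they feed, here is an added Python example (not part of the agent code base): the JWT is constructed and unsigned, the `pipeline_id`/`organization_id` values and the `sub` string are placeholders, and the claim layout follows the AWS session-tags format linked above.

```python
"""Inspect a Buildkite OIDC token for the AWS session-tags claim (added example)."""
import base64
import json

AWS_TAGS_CLAIM = "https://aws.amazon.com/tags"  # claim key defined by AWS


def decode_payload(token: str) -> dict:
    """Return the JWT payload without verifying the signature.

    Signature and issuer checks are STS's job at AssumeRoleWithWebIdentity
    time; here we only inspect what the agent asked for.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def session_tags(payload: dict, requested: list[str]) -> dict[str, str]:
    """Return the tags that reach IAM as aws:PrincipalTag/<key>.

    Raises ValueError if a requested key is missing from principal_tags or
    disagrees with the matching top-level claim, because an ABAC policy keyed
    on that tag would then match nothing (or the wrong thing) without warning.
    """
    tags = payload.get(AWS_TAGS_CLAIM, {}).get("principal_tags", {})
    result = {}
    for key in requested:
        values = tags.get(key)
        if not values or len(values) != 1:  # AWS requires exactly one value
            raise ValueError(f"session tag {key!r} missing or multi-valued")
        if str(payload.get(key)) != values[0]:
            raise ValueError(f"session tag {key!r} does not match claim")
        result[key] = values[0]
    return result


def abac_condition(tag_keys: list[str]) -> dict:
    """IAM Condition block requiring each session tag to equal the resource tag."""
    return {"StringEquals": {
        f"aws:ResourceTag/{k}": f"${{aws:PrincipalTag/{k}}}" for k in tag_keys}}


# Constructed sample payload mirroring `--aws-session-tag pipeline_id --aws-session-tag organization_id`.
_PAYLOAD = {
    "iss": "https://agent.buildkite.com", "aud": "sts.amazonaws.com",
    "sub": "organization:acme:pipeline:deploy", "pipeline_id": "PIPELINE-ID-PLACEHOLDER",
    "organization_id": "ORG-ID-PLACEHOLDER",
    AWS_TAGS_CLAIM: {"principal_tags": {"pipeline_id": ["PIPELINE-ID-PLACEHOLDER"],
                                        "organization_id": ["ORG-ID-PLACEHOLDER"]},
                     "transitive_tag_keys": ["pipeline_id", "organization_id"]}}
_b64url = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(_PAYLOAD), "sig"])
```

The role's trust policy must still allow `sts:TagSession` next to `sts:AssumeRoleWithWebIdentity` and pin `aud`, otherwise the tags are rejected or the ABAC condition is doing all the work on its own.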