buildkite / feedback


Feature Request: Chain steps within context of a single checkout on the same agent node #460

Open lwoodson opened 5 years ago

lwoodson commented 5 years ago

Scenario: We are in a multi-app, multi-language, multi-account AWS environment with buildkite agents hosted in one of our AWS accounts. We need to run build steps within the context of a docker container (using the docker or docker-compose plugins) with an assumed role (using the cultureamp/aws-assume-role-buildkite-plugin) that gives the necessary permissions to carry out releases, pushes to S3, cloudformation stack updates, etc. to the application's resources in different accounts. We want to follow the principle of least permission with these app-specific roles so that the build for App-A can't interfere with resources of App-B.

It would be advantageous if we could execute some steps within the context of the same checkout and on the same agent node. This would enable us to do something like:

Since we can't do the above, we have to replicate the permissions needed to do the sops decryption w/KMS in all trusted roles we create for buildkite agents to assume across N apps. We also have to chain commands or author & run wrappers within the docker build containers to first do the decryption and then carry out the real work of the step.

It would be much better for us if we could simply allow those cross-cutting permissions to be in place for the agents themselves, and carry out common cross-cutting tasks like secrets decryption as a step, with the artifact of that step (the decrypted file) being available during subsequent step(s).

I am new to buildkite, so there may be some non-hacky way to achieve the above that I haven't come across in the documentation. If so, feel free to point me to it and tell me to RTFM 😄
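One way to write the workaround the issue describes (assume an app-specific role, then decrypt with sops/KMS and run the real work inside a single container step) as a Buildkite pipeline. This is an added example, not code from the issue author or from Buildkite; the plugin version pins, the role ARN, the image name, the secrets path and the `propagate-aws-auth-tokens` option name are assumptions that should be checked against the plugin READMEs before use.

```yaml
# Added example: the single-step workaround from the issue, not the issue
# author's or Buildkite's own configuration. Pins, ARN, image and paths are
# placeholders/assumptions.
steps:
  - label: ":aws: release app-a"
    plugins:
      # Assumed plugin version; the role is the app-specific, least-privilege
      # role described in the issue. Its policy must also allow kms:Decrypt on
      # the key that protects the sops file, which is the duplication the
      # issue complains about.
      - cultureamp/aws-assume-role#v0.2.0:
          role: "arn:aws:iam::111111111111:role/app-a-buildkite-deploy"
      # Assumed plugin version and option name: propagate the AWS_* variables
      # set by the assume-role plugin into the build container.
      - docker#v3.5.0:
          image: "example.internal/app-a-build:latest"
          propagate-aws-auth-tokens: true
    # `sops exec-env` decrypts into the environment of the child process only,
    # so no plaintext file is written into the host-mounted checkout where a
    # later `buildkite-agent artifact upload` could accidentally pick it up.
    command: |
      sops exec-env secrets/app-a.enc.yaml 'make release'
```

The point of `sops exec-env` (or `sops exec-file` when the consumer needs a file) over `sops -d ... > secrets.yaml && make release` is that the decrypted material never lands on disk in the checkout; if the decrypted file were produced as a step artifact, as the issue proposes, it would also have to be kept out of artifact storage and out of any subsequent step that uploads the working tree.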