LOKE/secrets-buildkite-plugin

secrets-buildkite-plugin

A plugin that uses Buildkite OIDC tokens to fetch secrets from SSM Parameter Store and inject them into the build environment.

Example

- command: do_thing
  plugins:
    - LOKE/secrets#v0.0.2:
        role-arn: arn:aws:iam::<aws-account-id>:role/<iam-role>
        env:
          SECRET: ssm-param-store-id

You need an IAM role that trusts the Buildkite OIDC token. The trust policy should look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/agent.buildkite.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "agent.buildkite.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "agent.buildkite.com:sub": [
                        "organization:<org-slug>:pipeline:<pipeline-slug>:*"
                    ]
                }
            }
        }
    ]
}
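The `sub` pattern is what limits which pipelines can assume the role, so it is worth checking before the role is deployed. The following is an added example, not part of the plugin: a small audit of a trust policy in the shape shown above, flagging a missing `aud` pin or a `sub` pattern that is not scoped to one organization and pipeline. The function names, the `acme` and `deploy` slugs and the account id are constructed for illustration, and only the `StringEquals` and `StringLike` operators are inspected.

```python
PROVIDER = "agent.buildkite.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, org_slug):
    """Return findings for statements that trust the Buildkite OIDC provider."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(
                str(f).endswith("oidc-provider/" + PROVIDER) for f in federated):
            continue  # not a Buildkite OIDC trust statement
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(PROVIDER + ":aud", []))
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(PROVIDER + ":sub", []))
        if not subs:
            findings.append(f"statement {i}: no condition on sub")
        for sub in subs:
            parts = sub.split(":")
            # Expected shape from the README: organization:<org>:pipeline:<pipeline>:*
            if len(parts) < 4 or parts[0] != "organization" or parts[2] != "pipeline":
                findings.append(f"statement {i}: '{sub}' does not name an organization and pipeline")
            elif parts[1] != org_slug:
                findings.append(f"statement {i}: '{sub}' is not scoped to organization '{org_slug}'")
            elif "*" in parts[3] or "?" in parts[3]:
                findings.append(f"statement {i}: '{sub}' has a wildcard in the pipeline slug")
    return findings

def sample_policy(sub_patterns, aud="sts.amazonaws.com"):
    """Constructed policy in the README's shape; the account id is a placeholder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {PROVIDER + ":aud": aud},
                      "StringLike": {PROVIDER + ":sub": sub_patterns}},
    }]}

if __name__ == "__main__":
    for subs in (["organization:acme:pipeline:deploy:*"],
                 ["organization:acme:pipeline:*"], ["organization:acme:*"], ["*"]):
        print(subs, "->", audit_trust_policy(sample_policy(subs), "acme") or "ok")
```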
