New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

why do pipelines have $BUILDKITE_AGENT_TOKEN set by default? #404

Closed
nhooyr opened this Issue Feb 11, 2019 · 2 comments

Comments

2 participants
@nhooyr
Copy link

nhooyr commented Feb 11, 2019

E.g. in a large org a rogue employee could easily trigger a CI job and print out $BUILDKITE_AGENT_TOKEN and then push a force commit to remove the echo statement and pretty much no one would ever know they have this org level credential.

I'm not sure what a rogue employee could actually do with the agent token, but I can't see the use in exposing it to pipelines, especially by default.

@nhooyr

This comment has been minimized.

Copy link
Author

nhooyr commented Feb 11, 2019

Likewise with the $BUILDKITE_AGENT_ACCESS_TOKEN.From what I understand, the agent access token is used for things like uploading pipelines. However, its per agent and I think thats an issue in exposing it in the pipeline as anyone who grabs it can do things on a per agent basis which could include pipelines they do not have permissions for.

Instead, each pipeline should get a brand new access token it can use. That way, tokens are isolated to only the pipeline that they are exposed in.

@toolmantim

This comment has been minimized.

Copy link
Member

toolmantim commented Feb 13, 2019

This is something we've just recently fixed in buildkite/agent#908 — no longer with the BUILDKITE_AGENT_TOKEN be passed down.

But your feedback about agent token designs, and pipeline permissions, is something we're actively working to improve. https://forum.buildkite.community/t/multiple-agent-tokens-per-org-with-agent-queue-restrictions/143/5 is probably a relevant feature request worth voting on!

I'm going to close this issue here though, because it's not really a docs issue. Thanks for the feedback!

@toolmantim toolmantim closed this Feb 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment