@duckalini
Contributor

@duckalini duckalini commented Jul 9, 2025

Description

Rolling out using OIDC session tokens in all Buildkite pipelines that assume IAM roles.

Context

Notably rolls out https://github.com/buildkite/terraform-modules/pull/60 in alignment with our incident 486 findings.

This moves everyone away from the glob matching sub claims and over to session tokens, from https://github.com/buildkite/terraform-modules/pull/56

The IAM role trust policies are being updated in the buildkite-dev account in PR: https://github.com/buildkite/aws-buildkite-dev/pull/468 - this will need to be merged and applied before any of these pipeline.yml changes work.

Changes

Update plugin version to one that supports session tags, and add session tag requirements to it.

Testing

Once the IAM change is merged and applied, I'll retry the build and ensure it is GREEN before merging. This has worked in other pipelines.

@duckalini duckalini marked this pull request as ready for review July 9, 2025 04:00
@duckalini duckalini requested a review from a team as a code owner July 9, 2025 04:00
Member

@pda pda left a comment

Thanks!

@duckalini
Contributor Author

Green now that the changes are applied, so merging!

@duckalini duckalini merged commit 3025e3b into main Jul 14, 2025
1 check was pending
@duckalini duckalini deleted the plt-4154 branch July 14, 2025 03:10