OIDC in Buildkite Pipelines

A Buildkite OpenID Connect (OIDC) token is a signed JSON Web Token (JWT) issued through a Buildkite Agent that carries information and metadata about a pipeline and its job: the pipeline and organization slugs, together with job-specific data such as the branch, the commit SHA, the job ID, and the agent ID.

Third-party products and services, such as AWS, GCP, Azure and many others, as well as Buildkite products such as Packages, can be configured with OIDC-compatible policies that only permit Buildkite Agent interactions originating from specific Buildkite organizations, pipelines, jobs, and agents associated with a pipeline's job.

A Buildkite OIDC token, representing a Buildkite Agent interaction (and containing the relevant pipeline job metadata), is presented to these third-party services or to Buildkite Packages so that the service can authenticate the interaction. If the interaction does not match or comply with the service's OIDC policy, the OIDC token, and hence any subsequent interactions, are rejected.

The Buildkite Agent's oidc command allows you to request an OIDC token from Buildkite for the pipeline's current job. These tokens are then consumed by federated systems like AWS, and exchanged for authenticated role-based access with specific permissions to interact with your cloud environments.
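As an added example (not Buildkite's own code), the following Python shows the relying-party side of the exchange described above: a constructed Buildkite-style OIDC token is decoded and checked against a policy that pins the issuer, audience, expiry, and allow-listed organization, pipeline and branch claims, rejecting anything that does not comply. The claim names, the issuer URL, the audience and the HMAC demo signature are assumptions for illustration; real tokens are verified against the issuer's published signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Real Buildkite tokens are asymmetrically signed and
# verified against the issuer's published keys; HMAC stands in so this runs offline.
DEMO_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    # Mint a compact JWT with the given claims (demo signing only).
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, policy: dict, now: int, key: bytes = DEMO_KEY):
    # Returns (accepted, reason): signature first, then issuer, audience, expiry,
    # and every claim the policy restricts to an allow-list.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # the token must not pick the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != policy["issuer"]:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    for name, allowed in policy["claims"].items():
        if claims.get(name) not in allowed:
            return False, f"claim {name!r} not permitted"
    return True, "ok"

# Constructed policy and claims shaped like the job metadata described above (assumed names).
POLICY = {"issuer": "https://agent.buildkite.com", "audience": "sts.amazonaws.com",
          "claims": {"organization_slug": {"acme"}, "pipeline_slug": {"deploy"}, "build_branch": {"main"}}}
GOOD_CLAIMS = {"iss": "https://agent.buildkite.com", "aud": "sts.amazonaws.com", "exp": 2_000_000_000,
               "organization_slug": "acme", "pipeline_slug": "deploy", "build_branch": "main",
               "build_commit": "0123abcd", "job_id": "job-1", "agent_id": "agent-1"}
```

A token from the same organization but a different pipeline, or a token whose signature does not verify, is rejected before any role is granted, which is the behaviour the policy in the cloud provider is meant to enforce.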

This section of the Buildkite Docs covers Buildkite's OIDC implementation with other federated systems, such as AWS.