OIDC authentication

Buildkite Test Engine test collectors can use ephemeral OIDC tokens generated by buildkite-agent as an alternative to the long-lived suite token associated with each suite.

Configure a project to use OIDC

For a project that is already configured to use test collection, first set an OIDC policy in the settings for the suite you want to upload to, listing the pipelines you want to upload test results from.

- iss: "https://agent.buildkite.com"
  claims:
    organization_slug: "your-org"
    pipeline_slug:
      in:
        - "your-pipeline"
        - "another-pipeline"
  scopes:
    - "read_suites"
    - "write_uploads"

Add a script to generate and export an OIDC token to BUILDKITE_ANALYTICS_TOKEN before each run.

If you use bktec, you can skip the following steps. bktec generates OIDC tokens automatically.

generate-test-engine-oidc-token
#!/usr/bin/env bash
set -euo pipefail

# Audience must be the URL of the suite the results are uploaded to.
SUITE_URL="https://buildkite.com/organizations/my-org/analytics/suites/my-project-test-suite"
LIFETIME=300 # Lifetime of tokens in seconds.
# Request a short-lived OIDC token from the agent and expose it to the test collector.
BUILDKITE_ANALYTICS_TOKEN=$(buildkite-agent oidc request-token --audience "$SUITE_URL" --lifetime "$LIFETIME")
export BUILDKITE_ANALYTICS_TOKEN

Specify a lifetime that exceeds the duration of your longest expected build script so the token does not expire during the build, but keep it close to that duration: the token is the credential for uploads, so every extra second of validity widens the window in which a leaked token could still be used.

Remove any existing configuration that sets BUILDKITE_ANALYTICS_TOKEN and call the token generation script before your build script.

pipeline.yml
steps:
  - label: "Run tests"
    commands:
      - generate-test-engine-oidc-token
      - test-runner-execution-command
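The token generation script above exports whatever the agent returns. As an added example (not part of Buildkite's documentation or tooling), the script below inspects the token's `iss`, `aud` and `exp` claims before exporting it, so a token requested with the wrong audience or too short a lifetime is caught before the test run rather than failing at upload time. The `make_demo_token` helper builds a constructed, unsigned token in place of `buildkite-agent oidc request-token` so the script runs offline; signature verification is performed by Buildkite when the token is used, not here.

```shell
#!/usr/bin/env bash
# Added example, not Buildkite's code: check an OIDC token's claims before
# exporting it as BUILDKITE_ANALYTICS_TOKEN. Only iss/aud/exp are inspected.
set -eu

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac   # restore padding
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN NAME: print one top-level string or number claim from the payload.
jwt_claim() {
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  printf '%s' "$payload" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# check_token TOKEN SUITE_URL NOW MIN_SECONDS: succeeds only if the token was issued
# by the agent, is scoped to this suite, and stays valid for MIN_SECONDS after NOW.
check_token() {
  iss=$(jwt_claim "$1" iss); aud=$(jwt_claim "$1" aud); exp=$(jwt_claim "$1" exp)
  [ "$iss" = "https://agent.buildkite.com" ] || { echo "unexpected issuer: $iss" >&2; return 1; }
  [ "$aud" = "$2" ] || { echo "audience $aud is not the suite URL" >&2; return 1; }
  [ $(( exp - $3 )) -ge "$4" ] || { echo "token valid for $(( exp - $3 ))s, need $4s" >&2; return 1; }
}

# make_demo_token ISS AUD EXP: constructed, unsigned JWT (alg none) for offline demos;
# a real token comes from `buildkite-agent oidc request-token` and is signed.
make_demo_token() {
  printf '%s.%s.' "$(b64url_encode '{"alg":"none","typ":"JWT"}')" \
    "$(b64url_encode "{\"iss\":\"$1\",\"aud\":\"$2\",\"exp\":$3}")"
}

if [ "${BASH_SOURCE:-}" = "$0" ]; then
  SUITE_URL="https://buildkite.com/organizations/my-org/analytics/suites/my-project-test-suite"
  NOW=1700000000   # constructed clock value; use $(date +%s) with a real token
  TOKEN=$(make_demo_token "https://agent.buildkite.com" "$SUITE_URL" $(( NOW + 300 )))
  # Require at least 120 s of validity before handing the token to the collector.
  check_token "$TOKEN" "$SUITE_URL" "$NOW" 120 && export BUILDKITE_ANALYTICS_TOKEN="$TOKEN" && echo "token ok"
fi
```

With a real token, replace the `make_demo_token` call with the `buildkite-agent oidc request-token` invocation from the script above and set `NOW` from `date +%s`.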