OIDC authentication in bktec

As of version 2.6.0, the Buildkite Test Engine Client (bktec) supports generating short lived OIDC tokens for authentication with Test Engine.

bktec has previously required two authentication environment variables to set on builds, BUILDKITE_TEST_ENGINE_API_ACCESS_TOKEN and BUILDKITE_ANALYTICS_TOKEN. Both of these are now optional. bktec will generate an OIDC token if either is missing.

What's new

If the previously mandatory environment variable BUILDKITE_TEST_ENGINE_API_ACCESS_TOKEN is not set , bktec will generate an OIDC token to communicate with the test splitting API.
If the environment variable BUILDKITE_ANALYTICS_TOKEN is not set, bktec will generate an OIDC token and set BUILDKITE_ANALYTICS_TOKEN with it's value when invoking the test runner. Test collectors use this environment variable by default to authenticate test result uploads.
Token lifetime is 2 hours by default, and can be controlled with the --oidc-lifetime flag.
OIDC token generation can be disabled with the --no-oidc flag.

An OIDC policy must be set on any suite using OIDC authentication, specifying which pipelines are permitted access to the suite. You can read more on authentication environment variables in the bktec documentation.

Capabilities

Pipelines→

Test Engine→

Package Registries→

Mobile Delivery Cloud→

Flexible compute

Agentic workflows→

Replace Jenkins

Workflows for MLOps

Testing at scale

Monorepo mojo

Bazel orchestration

Example pipelines

Webinars

Blog

Public pipelines

Case studies

Events

Follow Buildkite

About

Careers

Follow Buildkite

OIDC authentication in bktec

What's new

Malcolm

Start turning complexity into an advantage

Platform

Hosting options

Resources

Company

Solutions

Legal

Support