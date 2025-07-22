Akeyless BuildKite Plugin
Integration between Akeyless and BuildKite with JWT authentication. Allows for secrets retrieval into environment variables.
Requirements
- The environment should have
python3in $PATH
- A JWT Auth method is created in Akeyless. See: https://docs.akeyless.io/docs/oauth20jwt
- The access-id of the auth method created in (2)
Example
Add the following to your
pipeline.yml:
steps:
- command: echo "Hello World"
plugins:
- dropbox/akeyless-buildkite-plugin:
auth_access_id: "p-myid1729"
secrets:
MY_ENV_VAR1: path/to/secret/var1
MY_ENV_VAR2: path/to/secret/var2
or to not expose auth access id:
steps:
- command: echo "Hello World"
plugins:
- dropbox/akeyless-buildkite-plugin:
auth_secret_name: "AUTH_ID_SECRET" # See: https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets
secrets:
MY_ENV_VAR1: path/to/secret/var1
MY_ENV_VAR2: path/to/secret/var2
Configuration
audience (Optional, string)
The audience for the Akeyless token. Defaults to ‘buildkite’. Should match the audience configured when creating the Akeyless Auth Method
akeyless_url (Optional, string)
The URL of the Akeyless API server. Defaults to ‘https://api.akeyless.io’.
auth_access_id (Required, string)
The Akeyless access ID for authentication. This can be retrieved either via Akeyless CLI, Console, or UI. See: https://docs.akeyless.io/docs/oauth20jwt.
auth_secret_name (Required, string)
Use an agent secret to get
auth_access_id instead of inputting it directly. See: https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets
secrets (Required, object)
Mapping of env var to Akeyless paths - where each env var will receive the value of the Akeyless path. Invalid paths (insufficient permissions, non-existent) will be ignored.
store_token (Optional, boolean)
Whether to store the Akeyless token in an environment variable. If true, the access token will be stored (and redacted) in the
AKEYLESS_TOKEN env var.
When used, be mindful that there is a TTL on this oken (Default: 15m).
