Pulumi OIDC Buildkite Plugin

A Buildkite plugin to exchange Buildkite OIDC tokens against Pulumi access tokens.

Options

These are all the options available to configure this plugin’s behavior.

Required

org_name (string)

The Pulumi org. Needed to create the correct audience.

Optional

lifetime (number)

The time (in seconds) the OIDC token will be valid for before expiry. Must be a non-negative integer. If the flag is omitted or set to 0, the API will choose a default finite lifetime. (default: 0)

requested_token_type (string)

The type of token it will request, one of:

urn:pulumi:token-type:access_token:organization
urn:pulumi:token-type:access_token:team
urn:pulumi:token-type:access_token:personal

scope (string)

The scope to use when requesting the Pulumi access token, according to the token type:

For personal access tokens: user:USER_NAME
For team access tokens: team:TEAM_NAME
For organization access tokens, the admin scope can be set to request a token with admin privileges (the authorization policy should explicitly grant the increased permissions)

debug (boolean)

Toogle to output debug information. This will print the Buildkite token as well as the exchanged Pulumi token. This allows to introspect the tokens to debug any issues.

Examples

Show how your plugin is to be used

steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin"
    plugins:
      - pulumi-oidc#v0.1.0:
          org_name: "acme_org"

And with other options as well

If you want to change the plugin behavior:

steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin with options"
    plugins:
      - pulumi-oidc#v1.0.0:
          org_name: "acme_org"
          lifetime: 3600
          requested_token_type: "urn:pulumi:token-type:access_token:team"
          scope: "team:acme_team"
          debug: true

📜 License

The package is available as open source under the terms of the MIT License.