1. Resources
  2. /
  3. Plugins
  4. /
  5. pulumi-oidc-buildkite-plugin

Pulumi OIDC Buildkite Plugin

A Buildkite plugin to exchange Buildkite OIDC tokens against Pulumi access tokens.

Options

These are all the options available to configure this plugin’s behavior.

Required

org_name (string)

The Pulumi org. Needed to create the correct audience.

Optional

lifetime (number)

The time (in seconds) the OIDC token will be valid for before expiry. Must be a non-negative integer. If the flag is omitted or set to 0, the API will choose a default finite lifetime. (default: 0)

requested_token_type (string)

The type of token it will request, one of:

urn:pulumi:token-type:access_token:organization
urn:pulumi:token-type:access_token:team
urn:pulumi:token-type:access_token:personal

scope (string)

The scope to use when requesting the Pulumi access token, according to the token type:

For personal access tokens: user:USER_NAME
For team access tokens: team:TEAM_NAME
For organization access tokens, the admin scope can be set to request a token with admin privileges (the authorization policy should explicitly grant the increased permissions)

debug (boolean)

Toogle to output debug information. This will print the Buildkite token as well as the exchanged Pulumi token. This allows to introspect the tokens to debug any issues.

Examples

Show how your plugin is to be used

steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin"
    plugins:
      - pulumi-oidc#v0.1.0:
          org_name: "acme_org"

And with other options as well

If you want to change the plugin behavior:

steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin with options"
    plugins:
      - pulumi-oidc#v1.0.0:
          org_name: "acme_org"
          lifetime: 3600
          requested_token_type: "urn:pulumi:token-type:access_token:team"
          scope: "team:acme_team"
          debug: true

📜 License

The package is available as open source under the terms of the MIT License.

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.

Start turning complexity into an advantage

Create an account to get started with a 30-day free trial. No credit card required.

Buildkite Pipelines

Platform

  1. Pipelines
  2. Public pipelines
  3. Test Engine
  4. Package Registries
  5. Mobile Delivery Cloud
  6. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Example pipelines
  5. Plugins
  6. Webinars
  7. Case studies
  8. Events
  9. Migration Services
  10. Comparisons

Company

  1. About
  2. Careers
  3. Press
  4. Brand assets
  5. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for AI/ML
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2025