1. Resources
  2. /
  3. Plugins
  4. /
  5. vault-oidc-auth-buildkite-plugin

Vault OIDC Authentication Buildkite Plugin

Authenticate to Hashicorp Vault with Buildkite OIDC (JWT) tokens.

In early 2023 Buildkite began offering per-pipeline OIDC tokens. These short-lived tokens can be used to authenticate individual pipeline jobs to a Vault instance.

Example

Add the following to your pipeline.yml:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-oidc-auth#v1.1.1:
          vault_addr: "https://my-vault-server"  # required.
          path: auth/buildkite                   # optional. default "auth/buildkite"
          role: some-role                        # optional. default "$BUILDKITE_PIPELINE_SLUG"
          audience: vault                        # optional. default "vault"
          env_prefix: DEV_                       # optional. default "". (prefix to add to exported env variable names)
          set_vault_addr: false                  # optional. default "true". (set VAULT_ADDR env var to the value of 'vault_addr')

If authentication is successful a VAULT_TOKEN is added to the environment, as well as VAULT_ADDR if set_vault_addr is true.

Setting the env_prefix will add a prefix to the exported VAULT_TOKEN and VAULT_ADDR environment variables, eg: enf_prefix: PROD_ will result in PROD_VAULT_TOKEN and PROD_VAULT_ADDR.

Vault Configuration

Configure an instance of the JWT Vault auth backend at auth/buildkite:

vault auth enable -path=buildkite jwt
vault write auth/buildkite/config jwks_url=https://agent.buildkite.com/.well-known/jwks

Get your Buildkite organization ID from the GraphQL console:

query getOrganizationID {organization(slug: "planetscale") {uuid}}

Create an auth role for a pipeline including the organization ID from above. Do this for each pipeline you wish to authenticate to Vault:

vault write auth/buildkite/role/my-repo -<<EOF
{
  "bound_audiences": ["vault"],
  "policies": ["default"],
  "user_claim": "pipeline_slug",
  "bound_claims": {
    "organization_id": ["ORG_ID_GOES_HERE"]
  },
  "role_type": "jwt",
  "token_type": "batch",
  "token_explicit_max_ttl": "2h"
}
EOF

Developing

To run the linters:

docker-compose run --rm lint-shellcheck
docker-compose run --rm lint-plugin

To run the tests:

docker-compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

Recommended plugins

AWS Secrets Manager

Read secrets from AWS Secrets Manager.

seek-oss seek-oss

Vault Secrets

Expose build secrets stored in Vault to your jobs.

Official

Vault Secrets

Expose build secrets stored in Vault to your jobs.

Official

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.

Start turning complexity into an advantage

Create an account to get started for free.

Get started View pricing
Buildkite Pipelines

Platform

  1. Pipelines
  2. Public pipelines
  3. Test Engine
  4. Package Registries
  5. Mobile Delivery Cloud
  6. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Example pipelines
  5. Plugins
  6. Webinars
  7. Case studies
  8. Events
  9. Migration Services
  10. Comparisons
  11. CI/CD perspectives

Company

  1. About
  2. Careers
  3. Press
  4. Security
  5. Brand assets
  6. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for AI/ML
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2025