Configurable OIDC Provider

Proposed Change

We suggest introducing the capability to configure the OIDC provider used for generating Buildkite OIDC tokens. This change aims to mirror the flexibility provided by Terraform Enterprise, which allows users to set up and configure their own AWS OIDC Identity provider.

Rationale for the Change

Currently, all Buildkite customers rely on the same OIDC provider. This commonality increases the risk of incorrectly configured IAM role trust relationships that do not enforce organization-specific constraints, making it possible for any Buildkite customer to assume such roles erroneously.

While it’s conceivable to incorporate condition logic within your trust policy to scrutinize data from the OIDC claims — particularly the organization_id — to mitigate this security loophole, the approach isn’t foolproof. Specifically, if multiple individuals are permitted to define IAM roles and trust policies, there’s a risk that the necessary conditional logic might be overlooked.
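The risk described above is that a trust policy which trusts the shared Buildkite OIDC provider, but has no condition pinning the token to one organization, can be assumed with a token minted for any other Buildkite organization. The following audit script is an added example, not code from Buildkite or from the original post: it loads IAM role trust policies and flags statements that trust the provider without an organization-scoped condition on the `sub` or `organization_id` claim. The issuer hostname `agent.buildkite.com`, the condition key names derived from it, the account id and the organization slug are assumptions constructed for the example; the three policies are constructed inputs.

```python
import json

# Issuer hostname used to build IAM condition keys ("<host>:sub", "<host>:aud").
# Assumed for this example; confirm against the "iss" claim of a real token.
OIDC_HOST = "agent.buildkite.com"
ORG_CLAIM_KEYS = ("sub", "organization_id")
SCOPING_OPERATORS = ("StringEquals", "StringLike")  # negated/IfExists forms do not scope
ASSUME_ACTIONS = ("sts:AssumeRoleWithWebIdentity", "sts:*", "*")

# Constructed trust policies (account id and org slug are placeholders).
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC_HOST

def _policy(condition):
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BuildkiteOIDC",
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })

# Weak: only the audience is checked, so any Buildkite organization's token qualifies.
WEAK_TRUST_POLICY = _policy({"StringEquals": {OIDC_HOST + ":aud": "sts.amazonaws.com"}})
# Still weak: the organization slug position in "sub" is a wildcard.
WILDCARD_ORG_TRUST_POLICY = _policy({
    "StringEquals": {OIDC_HOST + ":aud": "sts.amazonaws.com"},
    "StringLike": {OIDC_HOST + ":sub": "organization:*:pipeline:deploy:*"},
})
# Hardened: the token must come from the "example-org" organization.
HARDENED_TRUST_POLICY = _policy({
    "StringEquals": {OIDC_HOST + ":aud": "sts.amazonaws.com"},
    "StringLike": {OIDC_HOST + ":sub": "organization:example-org:pipeline:*"},
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _value_is_org_scoped(claim, v):
    """A single condition value pins the token to one organization."""
    if claim == "organization_id":
        return v != "" and "*" not in v and "?" not in v
    if claim == "sub" and v.startswith("organization:"):
        # Buildkite "sub" claims begin "organization:<slug>:...", so the slug
        # segment must be literal; a wildcard there trusts every organization.
        slug = v.split(":")[1]
        return bool(slug) and "*" not in slug and "?" not in slug
    return False

def is_org_scoped(key, value, host=OIDC_HOST):
    """True if this condition key/value constrains the organization. Values in a
    list are OR-ed by IAM, so every value must be scoped for the key to count."""
    if not key.startswith(host + ":"):
        return False
    claim = key[len(host) + 1:]
    values = [str(v) for v in _as_list(value)]
    return bool(values) and all(_value_is_org_scoped(claim, v) for v in values)

def audit_trust_policy(policy_json, host=OIDC_HOST):
    """Return one finding per Allow statement that lets the shared OIDC provider
    assume the role without an organization-scoped condition."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(str(p).endswith(":oidc-provider/" + host) for p in federated):
            continue
        conditions = stmt.get("Condition", {})
        scoped = any(
            is_org_scoped(key, value, host)
            for op in SCOPING_OPERATORS
            for key, value in conditions.get(op, {}).items()
        )
        if not scoped:
            findings.append(
                f"Statement[{i}] ({stmt.get('Sid', 'no Sid')}): trusts {host} without an "
                f"organization-scoped condition on {' or '.join(ORG_CLAIM_KEYS)}"
            )
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY),
                         ("wildcard-org", WILDCARD_ORG_TRUST_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY)):
        print(name, "->", audit_trust_policy(policy) or ["no findings"])
```

Running `audit_trust_policy` over the trust policies of every role in an account (for example from `aws iam get-role` output) gives the check the post says is easy to overlook when several people author roles: the weak and wildcard-org policies each produce one finding, the hardened one none. Before relying on the `organization_id` branch, confirm which token claims IAM exposes as condition keys for your OIDC provider; the organization slug embedded in the `sub` claim is the constraint the hardened policy above actually uses.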

Hey!

Thanks for the feedback. Based on the suggestions above and the internal chat, we have shared the feedback request with the product folks!

Thank you!