I am currently thinking about a model where I would enable individual teams at the org to run their own buildkite agents. This would mean I’d have to hand out the one-and-only agent token I have for my org.
In order to limit blast radius if this gets compromised, it would be nice if I could have more than one agent token so one team’s sloppy handling of their token wouldn’t ruin the day for everyone else.
Now, following on from that thought: It would be really cool if I could tie each one of these new agent tokens to queues, or somehow restrict them. I wouldn’t want to have a situation where some team at the org is spinning up an agent, but accidentally putting them onto the
default queue. I’d want them to “stay in their lane” so to speak - only have a queue name for themselves so they don’t accidentally hijack some other team’s build jobs.
- Multiple tokens per org
- Some token-to-agent-queue restriction (agent with token X can only be assigned to queue Y)
Is something like this even remotely on the roadmap? Or of interest to others?