Multiple agent tokens per org (with agent queue restrictions)

moensch · December 7, 2018, 4:16am

Hey all

I am currently thinking about a model where I would enable individual teams at the org to run their own buildkite agents. This would mean I’d have to hand out the one-and-only agent token I have for my org.

In order to limit blast radius if this gets compromised, it would be nice if I could have more than one agent token so one team’s sloppy handling of their token wouldn’t ruin the day for everyone else.

Now, following on from that thought: It would be really cool if I could tie each one of these new agent tokens to queues, or somehow restrict them. I wouldn’t want to have a situation where some team at the org is spinning up an agent, but accidentally putting them onto the default queue. I’d want them to “stay in their lane” so to speak - only have a queue name for themselves so they don’t accidentally hijack some other team’s build jobs.

To summarize:

Multiple tokens per org
Some token-to-agent-queue restriction (agent with token X can only be assigned to queue Y)

Is something like this even remotely on the roadmap? Or of interest to others?

bresmith · January 9, 2019, 6:11pm

This is of use to us as well, is there any word on this?

anon18197598 · January 10, 2019, 12:47am

Hey folks! In the immediate short-term, you can absolutely create multiple Agent Registration Tokens through the GraphQL API:

mutation CreateAgentToken {
  agentTokenCreate(input: {
    organizationID: "T3JnYW5pemF0aW9uLS0tYTk4OTYxYjctYWRjMS00MWFhLTg3MjYtY2ZiMmM0NmU0MmUw",
    description: "My New Agent Registration Token"
  }) {
    agentTokenEdge {
      node {
        id
        description
        token
      }
    }
  }
}

https://buildkite.com/user/graphql/console/7086a9e9-93dd-4349-842e-6b31b583342b

You can find your organization id at the bottom of your organization settings page.

In the longer term, we have big plans to add ways to restrict Agents, Pipelines and Teams into locked down Clusters. Will post elsewhere on that and link back here.

anon18197598 · January 10, 2019, 5:01am

I explained a bit more about what we have planned for the constraints you mentioned: Restricting access to agents

bresmith · January 10, 2019, 9:23pm

awesome, thank you Lachlan! We’ll give this a shot

thirtytwobits · May 31, 2019, 6:37am

Buildkite has so much more functionality then is documented. I really hope you get time to significantly beef up your documentation.

Topic		Replies	Views
New Agent Tokens documentation 📖 Announcements	0	481	March 6, 2019
Limit jobs an agent can handle? General	17	796	January 11, 2024
Is BUILDKITE_AGENT_ACCESS_TOKEN equivalent to github token General	2	450	June 21, 2022
Buildkite-agent artifact download --pipeline --branch --last-passed Features Requests	3	646	October 25, 2022
Waiting for a buildkite agent to become available General	1	772	March 22, 2023

Multiple agent tokens per org (with agent queue restrictions)

Related topics