Multiple agent tokens per org (with agent queue restrictions)


#1

Hey all

I am currently thinking about a model where I would enable individual teams at the org to run their own Buildkite agents. This would mean I’d have to hand out the one-and-only agent token I have for my org.

In order to limit blast radius if this gets compromised, it would be nice if I could have more than one agent token so one team’s sloppy handling of their token wouldn’t ruin the day for everyone else.

Now, following on from that thought: It would be really cool if I could tie each one of these new agent tokens to queues, or somehow restrict them. I wouldn’t want to have a situation where some team at the org is spinning up an agent, but accidentally putting them onto the default queue. I’d want them to “stay in their lane” so to speak - only have a queue name for themselves so they don’t accidentally hijack some other team’s build jobs.

To summarize:

  • Multiple tokens per org
  • Some token-to-agent-queue restriction (agent with token X can only be assigned to queue Y)

Is something like this even remotely on the roadmap? Or of interest to others?


#2

This is of use to us as well. Is there any word on this?


#3

Hey folks! In the immediate short-term, you can absolutely create multiple Agent Registration Tokens through the GraphQL API:

mutation CreateAgentToken {
  agentTokenCreate(input: {
    organizationID: "T3JnYW5pemF0aW9uLS0tYTk4OTYxYjctYWRjMS00MWFhLTg3MjYtY2ZiMmM0NmU0MmUw",
    description: "My New Agent Registration Token"
  }) {
    agentTokenEdge {
      node {
        id
        description
        token
      }
    }
  }
}

https://buildkite.com/user/graphql/console/7086a9e9-93dd-4349-842e-6b31b583342b

You can find your organization id at the bottom of your organization settings page.

In the longer term, we have big plans to add ways to restrict Agents, Pipelines and Teams into locked down Clusters. Will post elsewhere on that and link back here.
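
An added example, not part of the original post and not Buildkite's own code: the mutation above wrapped so that each team gets its own registration token, with a description that identifies the team if the token later leaks. The endpoint `https://graphql.buildkite.com/v1` with a Bearer API access token, the input type name `AgentTokenCreateInput`, and the `agent-token/<team>` naming scheme are assumptions to confirm in the GraphQL console; the sample response is constructed.

```python
import json
import urllib.request

# Buildkite GraphQL endpoint; authenticates with a GraphQL-enabled API access token.
GRAPHQL_URL = "https://graphql.buildkite.com/v1"

# Same mutation as in the post, with the input passed as a variable so team
# names are never spliced into the query text. The input type name
# AgentTokenCreateInput is an assumption; confirm it in the GraphQL console.
MUTATION = """
mutation CreateAgentToken($input: AgentTokenCreateInput!) {
  agentTokenCreate(input: $input) {
    agentTokenEdge { node { id description token } }
  }
}
"""

def build_request(org_id, team):
    """Return the JSON body that creates one registration token for one team."""
    description = f"agent-token/{team}"  # hypothetical naming scheme
    return {"query": MUTATION,
            "variables": {"input": {"organizationID": org_id,
                                    "description": description}}}

def parse_response(body):
    """Extract (id, description, token) or raise if the API reported errors."""
    if body.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in body["errors"]))
    node = body["data"]["agentTokenCreate"]["agentTokenEdge"]["node"]
    return node["id"], node["description"], node["token"]

def create_token(api_token, org_id, team):
    """POST the mutation; the returned token value is a secret, do not log it."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=json.dumps(build_request(org_id, team)).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(json.load(resp))

if __name__ == "__main__":
    # Constructed sample response, shaped like the selection set above.
    sample = {"data": {"agentTokenCreate": {"agentTokenEdge": {"node": {
        "id": "CONSTRUCTED-ID", "description": "agent-token/payments",
        "token": "CONSTRUCTED-SECRET"}}}}}
    token_id, desc, _secret = parse_response(sample)
    print(token_id, desc)  # the secret itself is deliberately not printed
```

Separate tokens only separate the credentials; as the thread notes, nothing here ties a token to a queue.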


#4

I explained a bit more about what we have planned for the constraints you mentioned: Restricting access to agents


#5

Awesome, thank you Lachlan! We’ll give this a shot.