I am currently thinking about a model where I would enable individual teams at the org to run their own Buildkite agents. This would mean I’d have to hand out the one-and-only agent token I have for my org.
In order to limit blast radius if this gets compromised, it would be nice if I could have more than one agent token so one team’s sloppy handling of their token wouldn’t ruin the day for everyone else.
Now, following on from that thought: It would be really cool if I could tie each one of these new agent tokens to queues, or somehow restrict them. I wouldn’t want to have a situation where some team at the org is spinning up an agent, but accidentally putting them onto the default queue. I’d want them to “stay in their lane” so to speak - only have a queue name for themselves so they don’t accidentally hijack some other team’s build jobs.
To summarize:
- Multiple tokens per org
- Some token-to-agent-queue restriction (agent with token X can only be assigned to queue Y)
Is something like this even remotely on the roadmap? Or of interest to others?
You can find your organization ID at the bottom of your organization settings page.
In the longer term, we have big plans to add ways to restrict Agents, Pipelines and Teams into locked down Clusters. Will post elsewhere on that and link back here.