Privileged build agent access management

I’m looking for ideas on how to perform privileged actions on buildkite build agents.

For example:

  • we want to perform terraform statefile drift detection against Heroku
  • we would need a Heroku admin user to perform that detection (rather than a normal or read only user)

However:

  • we don’t want anybody with Buildkite access to be able to access that user
  • but we still want teams to be able to reconfigure their builds (e.g. change their pipeline, build environment variables, etc.)

Other use cases include automating deploys to production environments (where we want the deploy agent to have production write access, but nobody else) and automation of onboarding/offboarding tasks in an infrastructure as code environment.

One trick that we’ve used in the past is creating a Lambda that performs the privileged action (for us it was updating a CloudFormation stack) and then giving a specific Buildkite pipeline credentials to invoke JUST that lambda. That way you can have really granular control over what the BK pipeline can do.

Inlining this here as we ended up solving this in another Slack:

What will hopefully work for us is using on-agent whitelisting to whitelist pipelines. As the credentials will be on the agent instance, and as we control the agent instance, if we whitelist that agent to certain pipelines (with corresponding limited access controls on those pipelines, filtering of what branches get built, etc.), and if we assert that only those agents run on that instance, we can use those agents to perform dangerous/privileged things.
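One way to implement the on-agent whitelisting described above is a Buildkite agent `environment` hook that fails any job whose pipeline slug and branch are not on the agent's allowlist, and only exposes the privileged credential once the check passes. This is an added example, not code from the thread or from Buildkite; the pipeline slugs, the allowlist format and the secret file path are constructed. It relies on the agent-set variables `BUILDKITE_JOB_ID`, `BUILDKITE_PIPELINE_SLUG` and `BUILDKITE_BRANCH`, and on the fact that a non-zero exit from the `environment` hook fails the job before any command step runs.

```shell
#!/usr/bin/env bash
# Added example: Buildkite agent "environment" hook for a privileged agent.
# Only allow-listed pipeline/branch pairs may run here; everything else fails
# before the job's commands start and before any credential is exported.
set -euo pipefail

# Pipelines permitted on this agent, each pinned to the branch it may build from.
# Format: <pipeline-slug>:<branch>   (slugs are constructed for this example)
ALLOWED_JOBS="heroku-drift-detection:main production-deploy:main"

# pipeline_allowed SLUG BRANCH -> 0 if the exact pair is on the list, 1 otherwise.
pipeline_allowed() {
  local slug="$1" branch="$2" entry
  for entry in $ALLOWED_JOBS; do
    [ "$entry" = "$slug:$branch" ] && return 0
  done
  return 1
}

# enforce_allowlist SLUG BRANCH -> 0 (allow) or 1 (deny); missing values deny.
enforce_allowlist() {
  local slug="$1" branch="$2"
  if [ -z "$slug" ] || [ -z "$branch" ]; then
    echo "deny: pipeline slug or branch not set" >&2
    return 1
  fi
  if pipeline_allowed "$slug" "$branch"; then
    echo "allow: $slug on $branch"
    return 0
  fi
  echo "deny: $slug on $branch is not allow-listed for this agent" >&2
  return 1
}

# Buildkite sets BUILDKITE_JOB_ID (and the pipeline/branch variables) for every
# job hook, so this block is what runs inside a real job; the functions above can
# be exercised on their own outside one.
if [ -n "${BUILDKITE_JOB_ID:-}" ]; then
  enforce_allowlist "${BUILDKITE_PIPELINE_SLUG:-}" "${BUILDKITE_BRANCH:-}" || exit 1
  # Only an allowed job gets the admin credential (constructed path, read as the
  # agent user; a failed read aborts the hook because of set -e).
  HEROKU_API_KEY="$(cat /etc/buildkite-agent/secrets/heroku-admin-token)"
  export HEROKU_API_KEY
fi
```

The allowlist is deliberately an exact pipeline-and-branch match rather than a pattern, so a team reconfiguring its own pipeline cannot widen what this agent will run; the set of privileged pipelines changes only when someone with access to the agent instance edits the hook.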