I’m looking for ideas on how to perform privileged actions on Buildkite build agents.
- we want to perform Terraform state file drift detection against Heroku
- we would need a Heroku admin user to perform that detection (rather than a normal or read-only user)
- we don’t want anybody with Buildkite access to be able to access that user
- but we still want teams to be able to reconfigure their builds (e.g., change their pipeline, build environment variables, etc.)

Other use cases include automating deploys to production environments (where we want the deploy agent to have production write access, but nobody else) and automation of onboarding/offboarding tasks in an infrastructure-as-code environment.