I’m wondering if it’s currently possible to trigger a build from AWS in some way without using a personal access token.
Our use case is that we will have some ML training jobs running overnight; when those jobs finish, they will put their static data into an S3 bucket. We would then like to automate a way for our normal deployment pipeline to run, as our normal deployment pipeline already knows how to pull in the training data, bake the Docker image and deploy the production application.
There are a few reasons we would like to avoid a personal access token. Securing and rotating that token is a challenge in itself. If it’s tied to a real person, we need processes in place for when they leave the company. If it’s a service user, we need to pay for an extra account for each security context we want to use this pattern in.
We have considered taking the data from the S3 bucket and putting it into code somewhere, then a normal git push would trigger the pipeline. But now we have the same problem with the git credentials vs. the Buildkite credentials.
Given we know the pipeline to trigger, which has a webhook attached to the git repository, is it possible to post a payload manually to the webhook? I notice there is already some logic in place to make sure only 1 build gets triggered per webhook payload, so perhaps constructing a unique payload for the HEAD commit would be difficult. Perhaps a separate, more generic webhook? Similar to a Slack webhook that is in itself the “token” locked to 1 channel?
What are the options here if webhooks are only useful for git payloads and PATs are tied to users?