A Buildkite plugin to exchange Buildkite OIDC tokens against Pulumi access tokens.
These are all the options available to configure this plugin's behavior.
org_name: The Pulumi org. Needed to create the correct audience.

lifetime: The time (in seconds) the OIDC token will be valid for before expiry. Must be a non-negative integer. If the option is omitted or set to 0, the API will choose a default finite lifetime. (default: 0)

requested_token_type: The type of token it will request, one of:
urn:pulumi:token-type:access_token:organization
urn:pulumi:token-type:access_token:team
urn:pulumi:token-type:access_token:personal

scope: The scope to use when requesting the Pulumi access token, according to the token type:
For personal access tokens: user:USER_NAME
For team access tokens: team:TEAM_NAME
For organization access tokens, the admin scope can be set to request a token with admin privileges (the authorization policy should explicitly grant the increased permissions)

debug: Toggle to output debug information. This will print the Buildkite token as well as the exchanged Pulumi token, which lets you introspect the tokens to debug any issues. Because both tokens then end up in the build log, leave this disabled outside of active debugging.
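The exchange these options configure, as an added shell illustration that is not the plugin's own hook code. Since the page does not state them, it assumes the audience format urn:pulumi:org:<org_name>, the endpoint https://api.pulumi.com/api/oauth/token, RFC 8693 token-exchange parameter names, and scope and expiration as the request parameters carrying the scope and lifetime options.

```shell
#!/bin/sh
# Added example (not the plugin's code). Assumed, not taken from the page: the
# audience format, the Pulumi endpoint, and the scope/expiration parameter names.
set -e

# Reject option combinations the options list above does not allow.
pulumi_oidc_check_options() {
  token_type="$1"; scope="${2:-}"; lifetime="${3:-0}"
  case "$lifetime" in
    ''|*[!0-9]*) echo "lifetime must be a non-negative integer" >&2; return 1 ;;
  esac
  case "$token_type" in
    urn:pulumi:token-type:access_token:personal)
      case "$scope" in user:?*) ;; *) echo "personal tokens need scope user:USER_NAME" >&2; return 1 ;; esac ;;
    urn:pulumi:token-type:access_token:team)
      case "$scope" in team:?*) ;; *) echo "team tokens need scope team:TEAM_NAME" >&2; return 1 ;; esac ;;
    urn:pulumi:token-type:access_token:organization)
      case "$scope" in ''|admin) ;; *) echo "organization tokens accept only the admin scope" >&2; return 1 ;; esac ;;
    *) echo "unknown requested_token_type: $token_type" >&2; return 1 ;;
  esac
}

# Assumed audience format: the org name is what ties the OIDC token to one Pulumi org.
pulumi_oidc_audience() { printf 'urn:pulumi:org:%s\n' "$1"; }

# Mint the Buildkite OIDC token and trade it for a Pulumi access token.
# The JSON response goes to stdout only; neither token is echoed into the build log.
pulumi_oidc_exchange() {
  org="$1"; token_type="$2"; scope="${3:-}"; lifetime="${4:-0}"
  pulumi_oidc_check_options "$token_type" "$scope" "$lifetime" || return 1
  aud=$(pulumi_oidc_audience "$org")
  subject_token=$(buildkite-agent oidc request-token --audience "$aud")
  set --
  if [ -n "$scope" ]; then set -- --data-urlencode "scope=$scope"; fi
  if [ "$lifetime" != 0 ]; then set -- "$@" --data-urlencode "expiration=$lifetime"; fi
  curl -fsS https://api.pulumi.com/api/oauth/token \
    --data-urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
    --data-urlencode subject_token_type=urn:ietf:params:oauth:token-type:id_token \
    --data-urlencode "subject_token=$subject_token" \
    --data-urlencode "audience=$aud" \
    --data-urlencode "requested_token_type=$token_type" \
    "$@"
}
```

Calling pulumi_oidc_exchange acme_org urn:pulumi:token-type:access_token:team team:acme_team 3600 from a hook reproduces the second example below; the caller extracts the access token from the response and exports it for pulumi.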
Example
```yaml
steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin"
    plugins:
      - pulumi-oidc#v0.1.0:
          org_name: "acme_org"
```
If you want to change the plugin's behavior:
```yaml
steps:
  - label: "🔨 Running plugin"
    command: "echo template plugin with options"
    plugins:
      - pulumi-oidc#v1.0.0:
          org_name: "acme_org"
          lifetime: 3600
          requested_token_type: "urn:pulumi:token-type:access_token:team"
          scope: "team:acme_team"
          debug: true
```
The package is available as open source under the terms of the MIT License.