A set of agent hooks that fetch credentials from AWS Systems Manager Parameter Store for checking out a project.
The following credential types are supported:
ssh-agent
for SSH Private Keysgit-credential
via git's credential.helper
When run via the agent pre-checkout and pre-exit hook, your builds will check the following Secrets Manager paths:
/buildkite/{queue_name}/ssh-private-key
/buildkite/{queue_name}/git-credentials
/buildkite/{queue_name}/{pipeline_slug}/ssh-private-key
/buildkite/{queue_name}/{pipeline_slug}/git-credentials
You can customize the prefix of /buildkite
by setting $BUILDKITE_SSM_SECRETS_PREFIX
.
All of these secrets expect a SecureString
type.
This example uploads an ssh key for a git+ssh checkout for a pipeline:
# generate a deploy key for your project
ssh-keygen -t rsa -b 4096 -f id_rsa_buildkite
pbcopy < id_rsa_buildkite.pub # paste this into your github deploy key
# create a secret with the private key
aws ssm put-parameter \
--name "/buildkite/<queue-name>/<pipeline-slug>/ssh-private-key" \
--type SecureString \
--value "$(cat id_rsa_buildkite)"
Here's an example for how you'd configure git credentials for a pipeline, using a GitHub personal access token:
aws ssm put-parameter \
--name "/buildkite/<queue-name>/<pipeline-slug>/git-credentials" \
--type SecureString \
--value "https://<username>:<access-token>@github.com"
MIT (see LICENSE)