[OIDC] - Enable Agent Level Max Token Lifetime#3792

Open
krishnakpandian wants to merge 2 commits into buildkite:main from krishnakpandian:feature/oidc/agent-max-token-lifetime

Conversation

@krishnakpandian krishnakpandian commented Apr 5, 2026


Description

  • Currently `buildkite-agent request token` has no guardrails at the agent level for how long a token can live; by default it lives for 5 minutes.

Context

  • Using the `--lifetime` flag, the token lifespan can be much longer, and if the token is leaked, a valid token can live longer than is preferable for broker services.

Changes

  • Added an optional start-up flag called `oidc-token-max-lifetime-seconds` which, when passed to the `buildkite-agent` binary, will limit any subsequent calls to `buildkite-agent request token --lifetime <seconds>` so that the lifetime is clamped to the total time set at agent start-up.

Testing

% go test ./...
  • Tests have run locally (with go test ./...). Buildkite employees may check this if the pipeline has run automatically.
  • Code is formatted (with go tool gofumpt -extra -w .)

Disclosures / Credits

  • Intent and general design of the functionality were by @krishnakpandian, but the changes were largely orchestrated through Cursor.

#3793
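As an added illustration of the clamping behaviour the description above asks for (this is not code from this PR or from the buildkite/agent code base; the `AgentConfig` type, the `EffectiveLifetime` function and the "zero means no cap" convention are assumptions), here is the lifetime selection logic with the default, the clamp and the invalid-input case:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// DefaultOIDCTokenLifetime is the lifetime used when no --lifetime flag is
// given (5 minutes, as stated in the PR description).
const DefaultOIDCTokenLifetime = 5 * time.Minute

// AgentConfig carries the agent-level guardrail. 0 means "no cap", matching
// the flag being optional. The field name is an assumption for this example.
type AgentConfig struct {
	OIDCTokenMaxLifetimeSeconds int // from --oidc-token-max-lifetime-seconds
}

// EffectiveLifetime returns the lifetime the agent should actually request,
// given the per-request --lifetime value in seconds (0 = not supplied), plus
// whether the request was clamped so the caller can log it. Negative values
// are rejected rather than silently corrected.
func EffectiveLifetime(cfg AgentConfig, requestedSeconds int) (time.Duration, bool, error) {
	if requestedSeconds < 0 || cfg.OIDCTokenMaxLifetimeSeconds < 0 {
		return 0, false, errors.New("lifetime values must not be negative")
	}
	lifetime := DefaultOIDCTokenLifetime
	if requestedSeconds > 0 {
		lifetime = time.Duration(requestedSeconds) * time.Second
	}
	if cfg.OIDCTokenMaxLifetimeSeconds == 0 {
		return lifetime, false, nil // no agent-level cap configured
	}
	maxLifetime := time.Duration(cfg.OIDCTokenMaxLifetimeSeconds) * time.Second
	// The cap applies to the default too, so a cap below 5 minutes shortens it.
	if lifetime > maxLifetime {
		return maxLifetime, true, nil // clamp instead of failing the request
	}
	return lifetime, false, nil
}

func main() {
	cfg := AgentConfig{OIDCTokenMaxLifetimeSeconds: 600} // agent started with a 10 minute cap
	for _, req := range []int{0, 120, 3600} {
		got, clamped, err := EffectiveLifetime(cfg, req)
		fmt.Printf("requested=%ds effective=%s clamped=%v err=%v\n", req, got, clamped, err)
	}
}
```

Logging the clamped flag lets an operator see when a job asked for more than the agent allows, which is the signal worth alerting on.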

@krishnakpandian krishnakpandian marked this pull request as ready for review April 5, 2026 19:43
@krishnakpandian krishnakpandian requested review from a team as code owners April 5, 2026 19:43
@DrJosh9000 DrJosh9000 added the feature New user-facing feature! label Jun 17, 2026