Expanding info on the agent access token & registration token scopes #1709
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Your Render PR Server URL is https://bk-docs-pr-1709.onrender.com. Follow its progress at https://dashboard.render.com/web/srv-cbv1os82i3mvqpikiopg. |
|
The PR is out of its draft stage but needs a fresh re-read before an actual human being will be kindly asked to give it a go. |
plaindocs
suggested changes
Aug 30, 2022
|
|
||
| {:toc} | ||
|
|
||
| ## The default token | ||
|
|
||
| When you create a new organization in Buildkite, a default agent token is created. This token can be used for testing and development, but it's recommended to [create new, specific tokens](#creating-tokens) for each new environment. | ||
| When you create a new organization in Buildkite, a default agent token (agent registration token) is created to start an agent. This token but cannot be used with the artifacts or meta-data. While it can be used for testing and development, it's recommended to [create new, specific tokens](#creating-tokens) for each new environment. |
There was a problem hiding this comment.
This token but cannot be used with the artifacts or meta-data.
this needs more words :-p
|
|
||
| {:toc} | ||
|
|
||
| ## The default token | ||
|
|
||
| When you create a new organization in Buildkite, a default agent token is created. This token can be used for testing and development, but it's recommended to [create new, specific tokens](#creating-tokens) for each new environment. | ||
| When you create a new organization in Buildkite, a default agent token (agent registration token) is created to start an agent. This token but cannot be used with the artifacts or meta-data. While it can be used for testing and development, it's recommended to [create new, specific tokens](#creating-tokens) for each new environment. |
There was a problem hiding this comment.
Suggested change
| When you create a new organization in Buildkite, a default agent token (agent registration token) is created to start an agent. This token but cannot be used with the artifacts or meta-data. While it can be used for testing and development, it's recommended to [create new, specific tokens](#creating-tokens) for each new environment. | |
| When you create a new organization in Buildkite, a default agent token (agent registration token) is created to start an agent. This token but cannot be used with the artifacts or meta-data. The default token can be used for testing and development, but you should [create new, specific tokens](#creating-tokens) for each new production environment. |
|
|
||
| ## Exchanging tokens | ||
|
|
||
| Agent registration token (default token) can be exchanged for an agent session token without any additional checks. To do it, the agent needs to call the `https://agent.buildkite.com/v3/register` endpoint with its registration token in the authorization header. The API response to this query is a regular agent access token that is next ingested and used by the agent. |
There was a problem hiding this comment.
Does this happen automatically? Or do you need to save the agent access token
| @@ -1,12 +1,26 @@ | |||
| # Agent Tokens | |||
|
|
|||
| The Buildkite Agent requires an agent token to connect to Buildkite and register for work. If you are an admin of your Buildkite organization, you can view the tokens on your [Agents page](https://buildkite.com/organizations/-/agents). | |||
| The Buildkite agent requires an agent token to connect to Buildkite and register for work. If you are an admin of your Buildkite organization, you can view the tokens on your [Agents page](https://buildkite.com/organizations/-/agents). | |||
|
|
|||
| {:toc} | |||
|
|
|||
| ## The default token | |||
There was a problem hiding this comment.
Let's call this
Agent registration token (default token)
| @@ -97,6 +111,12 @@ Once a token is revoked, no new agents will be able to start with that token. Re | |||
|
|
|||
| Agent tokens are specific to each Buildkite organization, and can be used to register an agent with any [queue](/docs/agent/v3/queues). Agent tokens can not be shared between organizations. | |||
|
|
|||
| Agent tokens define the access permissions (`read` and/or `write`) for actions to be performed on all jobs and pipelines. This is necessary as Buildkite agents can run for extended periods of time. An agent might get launched to service one pipeline and then pick up work for another one after. This means that the access tokens for agents need the access to all pipelines and jobs. | |||
There was a problem hiding this comment.
Agent tokens define the access permissions
I'm not sure what this means either
|
|
||
| ## Log security considerations | ||
|
|
||
| Agent access token can allow writing to the stdout of a job as job log streaming happens on the `https://agent.buildkite.com/v3/jobs/chunks` agent API endpoint authenticated by the agent access token. If a bad actor gains access to your agent access token, they would be able to falsify new logs, but they wouldn’t be able to remove any existing logs as the endpoint is append-only. |
There was a problem hiding this comment.
Suggested change
| Agent access token can allow writing to the stdout of a job as job log streaming happens on the `https://agent.buildkite.com/v3/jobs/chunks` agent API endpoint authenticated by the agent access token. If a bad actor gains access to your agent access token, they would be able to falsify new logs, but they wouldn’t be able to remove any existing logs as the endpoint is append-only. | |
| Agent access token allow writing to the stdout of a job as job log streaming happens on the `https://agent.buildkite.com/v3/jobs/chunks` agent API endpoint authenticated by the agent access token. If a bad actor gains access to your agent access token, they would be able to falsify new logs, but they wouldn’t be able to remove any existing logs as the endpoint is append-only. |
| ## Log security considerations | ||
|
|
||
| Agent access token can allow writing to the stdout of a job as job log streaming happens on the `https://agent.buildkite.com/v3/jobs/chunks` agent API endpoint authenticated by the agent access token. If a bad actor gains access to your agent access token, they would be able to falsify new logs, but they wouldn’t be able to remove any existing logs as the endpoint is append-only. | ||
|
|
||
| ## Session tokens |
There was a problem hiding this comment.
This is an agent session token, right? as in
Agent access tokens (agent session tokens) are created when an agent is registered with Buildkite, and are unique for every registered agent.
So let's be consistent how we talk about them
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Regarding the Issue #1413.