A set of agent hooks that fetch credentials from Amazon Secrets Manager for checking out a project.
The following credential types are supported:
ssh-agentfor SSH Private Keysgit-credentialvia git's credential.helper
When run via the agent pre-checkout and pre-exit hook, your builds will check the following Secrets Manager paths:
buildkite/{queue_name}/{pipeline_slug}/ssh-private-keybuildkite/{queue_name}/{pipeline_slug}/git-credentials
Both of these secrets use the SecretBinary type.
This example uploads an ssh key for a git+ssh checkout for a pipeline:
# generate a deploy key for your project
ssh-keygen -t rsa -b 4096 -f id_rsa_buildkite
pbcopy < id_rsa_buildkite.pub # paste this into your github deploy key
# create a managed secret with the private key
aws secretsmanager create-secret \
--name "buildkite/<queue-name>/<pipeline-slug>/ssh-private-key" \
--secret-binary file://id_rsa_buildkiteHere's an example for how you'd configure git credentials for a pipeline, using a GitHub personal access token:
aws secretsmanager create-secret \
--name "buildkite/<queue-name>/<pipeline-slug>/git-credentials" \
--secret-string "https://<username>:<access-token>@github.com"MIT (see LICENSE)