A set of agent hooks that fetch credentials from AWS Systems Manager Parameter Store for checking out a project.
The following credential types are supported:
ssh-agentfor SSH Private Keysgit-credentialvia git's credential.helper
When run via the agent pre-checkout and pre-exit hook, your builds will check the following Secrets Manager paths:
/buildkite/{queue_name}/ssh-private-key/buildkite/{queue_name}/git-credentials/buildkite/{queue_name}/{pipeline_slug}/ssh-private-key/buildkite/{queue_name}/{pipeline_slug}/git-credentials
You can customize the prefix of /buildkite by setting $BUILDKITE_SSM_SECRETS_PREFIX.
All of these secrets expect a SecureString type.
This example uploads an ssh key for a git+ssh checkout for a pipeline:
# generate a deploy key for your project
ssh-keygen -t rsa -b 4096 -f id_rsa_buildkite
pbcopy < id_rsa_buildkite.pub # paste this into your github deploy key
# create a secret with the private key
aws ssm put-parameter \
--name "/buildkite/<queue-name>/<pipeline-slug>/ssh-private-key" \
--type SecureString \
--value "$(cat id_rsa_buildkite)"Here's an example for how you'd configure git credentials for a pipeline, using a GitHub personal access token:
aws ssm put-parameter \
--name "/buildkite/<queue-name>/<pipeline-slug>/git-credentials" \
--type SecureString \
--value "https://<username>:<access-token>@github.com"MIT (see LICENSE)