Merge pull request #1263 from buildkite/signing-params

mcncl · web-flow · commit 08324060d117 · 2025-10-08T10:25:32.000+11:00
Add signing parameters to cfn template
diff --git a/packer/linux/stack/conf/bin/bk-install-elastic-stack.sh b/packer/linux/stack/conf/bin/bk-install-elastic-stack.sh
@@ -259,6 +259,7 @@ else
   BUILDKITE_AGENT_TIMESTAMPS_LINES="false"
   BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS="false"
 fi
+
 echo Setting \$BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS to \$BUILDKITE_AGENT_TIMESTAMP_LINES
 echo "BUILDKITE_AGENT_TIMESTAMP_LINES is $BUILDKITE_AGENT_TIMESTAMPS_LINES"
 echo "BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS is $BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS"
@@ -299,9 +300,49 @@ tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
 cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
 signal-grace-period-seconds=${BUILDKITE_AGENT_SIGNAL_GRACE_PERIOD_SECONDS}
 signing-aws-kms-key=${BUILDKITE_AGENT_SIGNING_KMS_KEY}
-verification-failure-behavior=${BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR}
+verification-failure-behavior=${BUILDKITE_AGENT_JOB_VERIFICATION_NO_SIGNATURE_BEHAVIOR}
 EOF
 
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_PATH" ]]; then
+  echo "Fetching signing key from ssm: $BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/signing-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_SIGNING_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership and permissions for $keyfile..."
+  chown root:buildkite-agent "$keyfile"
+  chmod 640 "$keyfile"
+
+  echo "signing-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
+  echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
+  echo "Fetching verification key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/verification-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership and permissions for $keyfile..."
+  chown root:buildkite-agent "$keyfile"
+  chmod 640 "$keyfile"
+
+  echo "verification-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then
   echo "Fetching env file from ${BUILDKITE_ENV_FILE_URL}..."
   /usr/local/bin/bk-fetch.sh "${BUILDKITE_ENV_FILE_URL}" /var/lib/buildkite-agent/env
diff --git a/packer/windows/stack/conf/bin/bk-install-elastic-stack.ps1 b/packer/windows/stack/conf/bin/bk-install-elastic-stack.ps1
@@ -161,10 +161,49 @@ disconnect-after-job=${Env:BUILDKITE_TERMINATE_INSTANCE_AFTER_JOB}
 disconnect-after-uptime=${Env:BUILDKITE_AGENT_DISCONNECT_AFTER_UPTIME}
 tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
 signing-aws-kms-key=${Env:BUILDKITE_AGENT_SIGNING_KMS_KEY}
-verification-failure-behavior=${Env:BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR}
+verification-failure-behavior=${Env:BUILDKITE_AGENT_JOB_VERIFICATION_NO_SIGNATURE_BEHAVIOR}
 "@
 $OFS=" "
 
+If (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_PATH)) {
+  Write-Output "Fetching signing key from ssm: $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\signing-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Write-Output "Setting permissions for $keyfile..."
+  # Remove inheritance and set explicit permissions: Administrators=FullControl, buildkite-agent=Read
+  icacls "$keyfile" /inheritance:r /grant:r "Administrators:F" /grant:r "buildkite-agent:R"
+
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-file=$keyfile"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_ID)) {
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
+  Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\verification-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Write-Output "Setting permissions for $keyfile..."
+  # Remove inheritance and set explicit permissions: Administrators=FullControl, buildkite-agent=Read  
+  icacls "$keyfile" /inheritance:r /grant:r "Administrators:F" /grant:r "buildkite-agent:R"
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-jwks-file=$keyfile"
+}
+
 nssm set lifecycled AppEnvironmentExtra +AWS_REGION=$Env:AWS_REGION
 nssm set lifecycled AppEnvironmentExtra +LIFECYCLED_HANDLER="C:\buildkite-agent\bin\stop-agent-gracefully.ps1"
 Restart-Service lifecycled
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -42,6 +42,9 @@ Metadata:
         - PipelineSigningKMSKeySpec
         - PipelineSigningKMSAccess
         - PipelineSigningVerificationFailureBehavior
+        - BuildkiteAgentSigningKeySSMParameter
+        - BuildkiteAgentSigningKeyID
+        - BuildkiteAgentVerificationKeySSMParameter
 
       - Label:
           default: Advanced Configuration
@@ -368,6 +371,25 @@ Parameters:
       - "opentelemetry"
     Default: ""
 
+  BuildkiteAgentSigningKeySSMParameter:
+    Description: Existing SSM Parameter Store path to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
+  BuildkiteAgentSigningKeyID:
+    Description: The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
+    Type: String
+    Default: ""
+
+  BuildkiteAgentVerificationKeySSMParameter:
+    Description: Existing SSM Parameter Store path to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
   BuildkiteAgentCancelGracePeriod:
     Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
     Type: Number
@@ -1921,12 +1943,15 @@ Resources:
                   $Env:BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}"
                   $Env:BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}"
                   $Env:BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}"
+                  $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}"
                   $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
                   $Env:BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}"
                   $Env:BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}"
-                  $Env:BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}"
+                  $Env:BUILDKITE_AGENT_JOB_VERIFICATION_NO_SIGNATURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}"
                   $Env:BUILDKITE_ENV_FILE_URL="${AgentEnvFileUrl}"
                   $Env:BUILDKITE_AUTHORIZED_USERS_URL="${AuthorizedUsersUrl}"
                   $Env:BUILDKITE_ECR_POLICY="${ECRAccessPolicy}"
@@ -2013,11 +2038,14 @@ Resources:
                   BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}" \
                   BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}" \
                   BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
+                  BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
                   BUILDKITE_AGENT_SIGNAL_GRACE_PERIOD_SECONDS="${BuildkiteAgentSignalGracePeriod}" \
                   BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" \
-                  BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" \
+                  BUILDKITE_AGENT_JOB_VERIFICATION_NO_SIGNATURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \
                   BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" \
                   BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" \
