OIDC authentication in Test Engine
Test Engine now supports OIDC token authentication for test collectors and bktec.
An OIDC policy must be set on any suite using OIDC authentication, specifying which pipelines are permitted access to the suite.
Test Collectors
It's now possible for test collectors to use temporary OIDC tokens to authenticate test result uploads.
bktec
As of version 2.6.0, the Buildkite Test Engine Client (bktec) supports generating short-lived OIDC tokens for authentication with Test Engine.
bktec has previously required two authentication environment variables to be set on builds, BUILDKITE_TEST_ENGINE_API_ACCESS_TOKEN and BUILDKITE_ANALYTICS_TOKEN.
Both of these are now optional.
bktec will generate an OIDC token if either is missing.
- If the previously mandatory environment variable BUILDKITE_TEST_ENGINE_API_ACCESS_TOKEN is not set, bktec will generate an OIDC token to communicate with the test splitting API.
- If the environment variable BUILDKITE_ANALYTICS_TOKEN is not set, bktec will generate an OIDC token and set BUILDKITE_ANALYTICS_TOKEN with its value when invoking the test runner. Test collectors use this environment variable by default to authenticate test result uploads.
- Token lifetime is 2 hours by default, and can be controlled with the --oidc-lifetime flag.
- OIDC token generation can be disabled with the --no-oidc flag.
Malcolm