Is your feature request related to a problem? Please describe.
Currently, there is no way to configure the maximum OIDC token lifetime at the agent level. This means teams that require shorter-lived tokens for security compliance must trust the client not to set a high token lifetime, which may not align with their organization's security policies.
Describe the solution you'd like
Allow Buildkite agent operators to set the maximum allowable OIDC token lifetime at the agent level. This would let platform teams enforce an upper bound on token lifetimes across all pipelines running on that agent, regardless of what individual pipeline steps request. This also reduces the risk if tokens are leaked, because they are bounded by what the agent security settings are.
Describe alternatives you've considered
N/A
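A sketch of the requested behaviour, added here as an illustration and not taken from the Buildkite agent code base: the agent clamps the lifetime a step requests to an operator-set cap, then checks the `iat`/`exp` claims of the token it receives and fails closed if the token outlives that cap. All function names are hypothetical; it assumes a requested lifetime of 0 means "issuer default" and a cap of 0 means no cap is configured, and the sample token is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// EffectiveLifetime clamps a step's requested lifetime to the operator's cap.
// Assumptions: requested 0 means "issuer default"; maxAllowed 0 means no cap.
func EffectiveLifetime(requested, maxAllowed time.Duration) (time.Duration, error) {
	if requested < 0 || maxAllowed < 0 {
		return 0, fmt.Errorf("lifetime must not be negative")
	}
	if maxAllowed > 0 && (requested == 0 || requested > maxAllowed) {
		return maxAllowed, nil // ask for the cap rather than trust the default
	}
	return requested, nil
}

// CheckIssued fails closed when the issued token outlives the cap.
// It reads iat/exp only and does not verify the signature.
func CheckIssued(jwt string, maxAllowed time.Duration) error {
	var c struct{ Iat, Exp int64 }
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Iat <= 0 || c.Exp <= c.Iat {
		return fmt.Errorf("unusable iat/exp claims")
	}
	if life := time.Duration(c.Exp-c.Iat) * time.Second; maxAllowed > 0 && life > maxAllowed {
		return fmt.Errorf("token lifetime %s exceeds agent maximum %s", life, maxAllowed)
	}
	return nil
}

// constructedToken builds an unsigned sample token (constructed test data).
func constructedToken(iat, exp int64) string {
	body, _ := json.Marshal(map[string]int64{"iat": iat, "exp": exp})
	return "e30." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	life, _ := EffectiveLifetime(2*time.Hour, 10*time.Minute)
	fmt.Println(life, CheckIssued(constructedToken(1700000000, 1700003600), life))
}
```

The second check matters because the token is minted by the issuer, not the agent: clamping the request alone does not prove the returned token honours the cap.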