nicholas.cloud

Hi there, I'm Nicholas!

I’m a developer with a passion for cloud platforms, web development and automation!

I use this blog to write about my interests. They’re usually tech-related, but there’s also the odd music and gaming piece too.


Using Buildkite OIDC with Hashicorp Vault

2023-09-19 // 4 min read // #buildkite #hashicorp-vault

Earlier this year, Buildkite announced support for OpenID Connect tokens. Briefly, a Buildkite agent can request a signed JWT (JSON Web Token) from Buildkite representing details (claims) about its current job. This JWT can then be used to authenticate with systems that accept it.

For Hashicorp Vault, services typically authenticate using the AppRole method with a sensitive set of credentials. It’s fine to use this flow on a Buildkite agent to access Vault secrets, but the credentials for this are long-lived.

The new OIDC flow removes the need to manage these long-lived credentials, and also makes it possible to craft fine-grained policies for a Buildkite agent without requiring multiple sets of login credentials!

Signing Terraform provider releases with a local Buildkite agent

2023-07-17 // 4 min read // #buildkite

For a while now, I’ve built and published my own Terraform provider for retrieving secrets from a pass store. One of the requirements to publish a Terraform provider is that every release must be signed with a GPG key.

I have a Buildkite pipeline to build and publish these releases to GitHub. A step in this pipeline has access to a private key for signing, but it’s a different key from the one I use on my own machine. I consider the latter too sensitive to expose freely to my Buildkite agents.

With that said, managing a second key just to publish my Terraform provider is quite irksome when it has no other use for me. However, it’s unfortunately necessary if I don’t want to expose my regular key to my CI environment.

But if the worry is around exposing a secret to Buildkite agents running outside my machine, why not introduce an agent that runs specifically on my machine?

My Apple Watch, six months in

2023-07-16 // 7 min read

Since late September, I’ve been working to establish an exercise routine as I improve my fitness. One of my decisions in that journey has been to buy a smart watch, and having just ticked over six months since purchase I thought it would be an opportune time to reflect on some of my highlights.

Fixing a slow Tailscale SSH connection

Discovering a tradeoff Tailscale makes for convenience

2022-09-25 // 4 min read // #tailscale

I’ve been trying out Tailscale recently to simplify networking between my devices. With the beta launch of Tailscale SSH offering the ability to connect to my DigitalOcean droplet without SSH keypairs, I was eager to incorporate it into my setup.

Said setup is a matter for another time, but with Tailscale SSH enabled for my droplet I was able to remote in with a plain ssh nicholas@gandra-dee!

However, there was a visible half-second delay when entering commands. While not a dealbreaker, it made each session a frustrating experience!

Happy anniversary to Journey!

2022-03-14 // 2 min read // #gaming

As I’ve just learned, today is the anniversary of Journey’s release ten years ago. It’s a video game from thatgamecompany where you guide a mysterious wanderer in robes on a pilgrimage to climb a distant mountain.

Journey is one of the games that’s stuck with me a lot since I’ve played it.
