Skip to content
Latchkey

Buildkite S3 secrets bucket "AccessDenied" in CI

The Buildkite S3 Secrets hook downloads env and SSH files from a secrets bucket keyed by pipeline. If the agent IAM role cannot read that bucket, S3 returns AccessDenied and no secrets load.

What this error means

The agent log shows an S3 GetObject AccessDenied for the secrets bucket, and steps run without the expected environment or SSH key.

buildkite
+++ Downloading secrets from s3://my-buildkite-secrets/my-pipeline/env
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

Common causes

The agent role cannot read the secrets bucket

The instance profile or role attached to the agent lacks s3:GetObject (and often KMS decrypt) on the secrets bucket path.

The bucket or key prefix is misconfigured

The BUILDKITE_SECRETS_BUCKET points at the wrong bucket, or the per-pipeline prefix does not match the pipeline slug.

How to fix it

Grant read (and decrypt) on the secrets bucket

  1. Confirm the secrets bucket and per-pipeline prefix.
  2. Attach an IAM policy allowing s3:GetObject on that path, plus kms:Decrypt if the objects are encrypted.
  3. Re-run so the S3 Secrets hook can load env and SSH files.
IAM policy
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "kms:Decrypt"],
  "Resource": "arn:aws:s3:::my-buildkite-secrets/*"
}

Point at the correct secrets bucket

Set the secrets bucket env var to the bucket that actually holds the pipeline secrets.

Terminal
export BUILDKITE_SECRETS_BUCKET="my-buildkite-secrets"

How to prevent it

  • Scope the agent role to read only its secrets bucket path.
  • Include KMS decrypt when secrets are encrypted at rest.
  • Keep the secrets prefix aligned with the pipeline slug.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →