Closed gmercadal closed 3 years ago
Thanks for the enhancement @gmercadal ! Do you mind updating the documentation as well? I think this is a great addition.
Cool! I'm not very proficient with python, so feel free to ask any changes that you think would improve the solution.
Thanks @gmercadal ! Do you mind providing an example with the new expiry time filled out? A lot of users will copy / paste examples to use in their own scripts so having something available will be a big help. Example:
```python
from os import getenv

token_service = TokenService(
    gcp_project_number=getenv('GCP_PROJECT_NUMBER'),
    gcp_workload_id=getenv('GCP_WORKLOAD_ID'),
    gcp_workload_provider=getenv('GCP_WORKLOAD_PROVIDER'),
    gcp_service_account_email=getenv('GCP_SERVICE_ACCOUNT_EMAIL'),
    aws_account_id=getenv('AWS_ACCOUNT_ID'),
    aws_role_name=getenv('AWS_ROLE_NAME'),
    aws_region=getenv('AWS_REGION'),
    gcp_token_lifetime="21600s"  # 6 hours
)
```
Do you need anything else? I'm going to need that lifetime extension.
Hi @gmercadal, I appreciate your patience. I'll test this today and provide feedback.
Thanks
The default expiration time for OAuth 2.0 access tokens is 1h in GCP, https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth
There are some use cases that might require a longer time. GCP does allow extending the lifetime for certain service accounts with an organisation constraint.
The changes below add an additional `gcp_token_lifetime` parameter to the `TokenService` with a default value that matches the default one in GCP. It can be set in case it needs to be extended after the organisation policy is configured. I can also adapt the documentation if you want to include it.
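The PR description above explains the new lifetime parameter and the limit it runs into. The following is an added illustration, not code from the PR or from the project, of what a caller-side check on that value looks like: it parses a lifetime in the `"<seconds>s"` form used in the thread (e.g. `"21600s"`), rejects values the IAM Credentials API would refuse, and builds the `generateAccessToken` request body that carries it. The limits (3600s by default, up to 43200s once the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` organisation policy is enabled) and the `iamcredentials.googleapis.com` endpoint are taken from GCP's public documentation, not from this page; the function names are my own.

```python
# Added illustration (not the project's code): validate a gcp_token_lifetime
# value and assemble the IAM Credentials generateAccessToken request body.
# Limits per GCP documentation (assumption, not stated on the page):
#   - 3600s (1 hour) by default
#   - 43200s (12 hours) when the org policy
#     constraints/iam.allowServiceAccountCredentialLifetimeExtension is on
import re

DEFAULT_MAX_LIFETIME_S = 3600      # GCP default maximum
EXTENDED_MAX_LIFETIME_S = 43200    # maximum with the lifetime-extension constraint
DEFAULT_LIFETIME = "3600s"         # same default the PR uses for gcp_token_lifetime

_LIFETIME_RE = re.compile(r"^(\d+)s$")


def parse_lifetime(lifetime: str) -> int:
    """Return the integer seconds encoded in a '<seconds>s' string."""
    match = _LIFETIME_RE.match(lifetime)
    if not match:
        raise ValueError(f"lifetime must look like '3600s', got {lifetime!r}")
    seconds = int(match.group(1))
    if seconds <= 0:
        raise ValueError("lifetime must be positive")
    return seconds


def validate_lifetime(lifetime: str, extension_enabled: bool = False) -> str:
    """Reject lifetimes above the limit that applies to this organisation.

    Failing locally gives a clear error instead of a 400 from the API after the
    AWS -> GCP federation exchange has already been performed.
    """
    seconds = parse_lifetime(lifetime)
    limit = EXTENDED_MAX_LIFETIME_S if extension_enabled else DEFAULT_MAX_LIFETIME_S
    if seconds > limit:
        hint = ("" if extension_enabled else
                " (requires constraints/iam.allowServiceAccountCredentialLifetimeExtension"
                f" to go up to {EXTENDED_MAX_LIFETIME_S}s)")
        raise ValueError(f"lifetime {seconds}s exceeds the {limit}s maximum{hint}")
    return f"{seconds}s"


def build_generate_access_token_request(sa_email, scopes, lifetime=DEFAULT_LIFETIME,
                                        extension_enabled=False):
    """Return (url, json_body) for the IAM Credentials generateAccessToken call."""
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{sa_email}:generateAccessToken")
    body = {
        "scope": list(scopes),
        "lifetime": validate_lifetime(lifetime, extension_enabled),
    }
    return url, body


if __name__ == "__main__":
    # Constructed sample values; the email is a placeholder.
    sa = "token-svc@example-project.iam.gserviceaccount.com"
    scope = ["https://www.googleapis.com/auth/cloud-platform"]
    print(build_generate_access_token_request(sa, scope, "21600s", extension_enabled=True))
    try:
        build_generate_access_token_request(sa, scope, "21600s")  # no extension: rejected
    except ValueError as exc:
        print("rejected:", exc)
```

With the policy off, the 6-hour value from the thread fails the local check with a message naming the constraint; with it on, the value passes through unchanged as `"21600s"`.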