ScaleSec / gcp-workload-identity-federation

Pypi module to enable workload identity federation from AWS to GCP without the need for static credentials.

Add token lifetime parameter to be able to override default expiration #19

Closed gmercadal closed 3 years ago

gmercadal commented 3 years ago

The default expiration time for OAuth 2.0 access tokens is 1h in GCP, https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth

There are some use cases that might require a longer time. GCP does allow extending the lifetime for certain service accounts with an organisation constraint.

The changes below add an additional gcp_token_lifetime parameter to the TokenService with a default value that matches the default one in GCP. It can be set in case it needs to be extended after the organisation policy is configured.

I can also adapt the documentation if you want to include it.

jdyke commented 3 years ago

Thanks for the enhancement @gmercadal ! Do you mind updating the documentation as well? I think this is a great addition.

gmercadal commented 3 years ago

> Thanks for the enhancement @gmercadal ! Do you mind updating the documentation as well? I think this is a great addition.

Cool! I'm not very proficient with python, so feel free to ask any changes that you think would improve the solution.

jdyke commented 3 years ago

Thanks @gmercadal ! Do you mind providing an example with the new expiry time filled out? A lot of users will copy / paste examples to use in their own scripts so having something available will be a big help. Example:

```python
from os import getenv
# TokenService is the class this package exposes; import it from the package as in the README.

token_service = TokenService(
    gcp_project_number=getenv('GCP_PROJECT_NUMBER'),
    gcp_workload_id=getenv('GCP_WORKLOAD_ID'),
    gcp_workload_provider=getenv('GCP_WORKLOAD_PROVIDER'),
    gcp_service_account_email=getenv('GCP_SERVICE_ACCOUNT_EMAIL'),
    aws_account_id=getenv('AWS_ACCOUNT_ID'),
    aws_role_name=getenv('AWS_ROLE_NAME'),
    aws_region=getenv('AWS_REGION'),
    gcp_token_lifetime="21600s"  # 6 hours; only honoured once the org policy allows extended lifetimes
)
```

gmercadal commented 3 years ago

Do you need anything else? I'm going to need that lifetime extension.

jdyke commented 3 years ago

Hi @gmercadal, I appreciate your patience. I'll test this today and provide feedback.

Thanks