Extended token lifetime from auth doesn't work #237
Comments
Hi @mowies Thank you for opening an issue. I see there's some confusion about the Can you try setting
@sethvargo
And that's exactly what I wanted to prevent in the first place.
@bharathkkb thoughts?
@sethvargo @bharathkkb any updates on this?
Hi @mowies - sorry for the delay. Extending the token lifetime would require switching from the standard oauth2 endpoints to the iamcredentials endpoints. That is an easy fix, but doing so would require users to grant additional IAM roles such as In addition to the permissions, the iamcredentials endpoint requires us to know the email address of the authenticated service account, which may not always be known. This is actually one of the reasons that the "auth" action requires a service_account_email input. There are two options here:
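The endpoint switch described in the comment above, sketched as an added example (not code from this action or its maintainers): it builds the IAM Service Account Credentials `generateAccessToken` request, which carries the service account email in its URL, and checks whether a returned token outlives a job. Function names, the sample email and the sample responses are constructed for illustration.

```javascript
// Added example, not code from google-github-actions. Function names are hypothetical.
// Endpoint and field names follow Google's IAM Service Account Credentials API.
const IAMCREDENTIALS = 'https://iamcredentials.googleapis.com/v1';

// Build the generateAccessToken call. The service account email is part of the
// URL, which is why the caller has to know it up front.
function buildGenerateAccessTokenRequest(serviceAccountEmail, lifetimeSeconds, scopes) {
  if (!/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/.test(serviceAccountEmail)) {
    throw new Error('a valid service account email is required');
  }
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0) {
    throw new Error('lifetime must be a positive whole number of seconds');
  }
  return {
    method: 'POST',
    url: `${IAMCREDENTIALS}/projects/-/serviceAccounts/${serviceAccountEmail}:generateAccessToken`,
    // The API takes the lifetime as a duration string in seconds, e.g. "7200s".
    body: { scope: scopes, lifetime: `${lifetimeSeconds}s` },
  };
}

// Seconds of validity left in a generateAccessToken response at time `now`.
function remainingSeconds(response, now) {
  const expires = Date.parse(response.expireTime); // RFC 3339 timestamp
  if (Number.isNaN(expires)) throw new Error('response has no valid expireTime');
  return Math.floor((expires - now.getTime()) / 1000);
}

// True when the token outlives the job plus a safety margin.
function tokenCoversJob(response, now, jobSeconds, marginSeconds = 300) {
  return remainingSeconds(response, now) >= jobSeconds + marginSeconds;
}

// Constructed sample data: a default 1h token and an extended 2h token.
const now = new Date('2024-01-01T10:00:00Z');
const oneHour = { accessToken: 'constructed-token', expireTime: '2024-01-01T11:00:00Z' };
const twoHours = { accessToken: 'constructed-token', expireTime: '2024-01-01T12:00:00Z' };
const req = buildGenerateAccessTokenRequest(
  'ci@example-project.iam.gserviceaccount.com', 7200,
  ['https://www.googleapis.com/auth/cloud-platform']);

console.log(req.url, req.body.lifetime);
// A 90-minute job: the 1h token falls short, the 2h token covers it.
console.log(tokenCoversJob(oneHour, now, 5400), tokenCoversJob(twoHours, now, 5400));
```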
TL;DR
I am using google-github-actions/auth with the following settings:

After that, I use the get-gke-credentials action to get my kubeconfig. I assumed that I can use that kubeconfig for the above set 7200s (2h) but instead, my pipeline still fails exactly after (the default) 1h with unauthorized errors.

Expected behavior
I can use my kube config for 2h, since I set my token in the auth action to be valid for 2h.
Observed behavior
My pipeline starts failing with unauthorized errors exactly after 1h.
I checked the debug logs of my pipeline and the access token is indeed showing an expiration time of 2h. So I assume that the get-gke-credentials action uses a different token somehow?

Action YAML
Log output
Additional information
No response