Default auth_token expiration is 5 minutes instead of 10 minutes #474


Closed
dsotirakis opened this issue Mar 18, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@dsotirakis
dsotirakis commented Mar 18, 2025

TL;DR

When using Direct Workload Identity Federation, the default expiration time for the auth_token is 5 minutes instead of 10 (which is what's been written in the documentation).

Expected behavior

The expectation would be for the token to be valid for 10 minutes as mentioned in the README.md file in the root.

Observed behavior

If I try to print the OIDC JWT token in GitHub Actions, I get:

```json
{
  "actor": "dsotirakis",
  "aud": "https://github.com/org",
  "base_ref": "main",
  "event_name": "pull_request",
  "exp": 1741684978,
  "iat": 1741684678
}
```

The TTL of the token is therefore exp - iat = 300 s = 5 min.

If I run some steps that take more than 5 minutes after I get authenticated, I get:

#30 ERROR: failed to push us-docker.pkg.dev[...]: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://us-docker.pkg.dev/v2/token?scope=repository%[...]%[...]%[...]%3Apull%2Cpush&service=us-docker.pkg.dev: 401 Unauthorized

which agrees with the token expiration.

Action YAML

```yaml
build:
    name: Build and publish mlops-lab
    runs-on: ubuntu-latest
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]
    steps:
    - uses: actions/checkout@v4
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    - name: Login to Google Artifact Registry
      uses: google-github-actions/auth@v2
      with:
        workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
    - name: Set up gcloud CLI
      uses: google-github-actions/setup-gcloud@v2
    - name: Configure Docker
      run: gcloud auth configure-docker us-docker.pkg.dev
    - name: Extract platform suffix
      id: platform-suffix
      run: |
        SUFFIX=$(echo "${{ matrix.platform }}" | tr '/' '-')
        echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
    - name: Build and push
      uses: docker/build-push-action@v5
      with:
        context: .
        file: ./lab/Dockerfile
        platforms: ${{ matrix.platform }}
        push: true
        tags: |
          "tag1"
        build-args: |
          BUILDKIT_INLINE_CACHE=1
          GO_VERSION=1.24
```

Additional information

Possible workarounds:

a) Use Identity Federation with Service Accounts. This is not something we want to do, since we want to start moving to the more secure Direct Federation. The reason this works is that the access_token generated using the Service Account has a TTL of 1 hour.

b) Instead of using auth_token, use the credentials.json, install gcloud binary and configure-docker instead. Example:

```yaml
    - uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
      if: ${{ steps.auth_with_service_account.outputs.access_token == '' }}
      name: Auth with direct WIF
      id: auth_with_direct_wif
      with:
        project_id: "<PROJECT_ID>"
        workload_identity_provider: "projects/<PROJECT_ID>/locations/global/workloadIdentityPools/github/providers/github-provider"
    - name: "Set up Cloud SDK"
      uses: "google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a" # v2.1.4
      with:
        version: ">= 363.0.0"
    - name: "Use gcloud CLI to configure docker"
      shell: sh
      run: "gcloud auth configure-docker ${{ inputs.registry }}"
```

This way we still get a bigger TTL for the credentials.json file that gets generated when running the action.

Related issues: #432
Recent comment: #432 (comment)

@dsotirakis dsotirakis added the bug Something isn't working label Mar 18, 2025
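The check behind the report above, as an added example that is not part of the issue or of the google-github-actions/auth project: inspect the GitHub OIDC JWT's `exp`/`iat` claims to compute the lifetime (300 s in the quoted token) and decide, before a long push step, whether the federated credential will still be alive when that step finishes. The token value is constructed to mirror the claims quoted in the issue; the signature is not verified, this is lifetime inspection only.

```python
import base64
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token: payload mirrors the claims quoted in the issue
# (exp - iat = 300 s). Header and signature are placeholders.
SAMPLE_PAYLOAD = {
    "actor": "dsotirakis",
    "aud": "https://github.com/org",
    "exp": 1741684978,
    "iat": 1741684678,
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "constructed-signature",
])

def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def token_ttl_seconds(token: str) -> int:
    """Total lifetime GitHub granted the token (exp - iat)."""
    claims = decode_payload(token)
    return int(claims["exp"]) - int(claims["iat"])

def lifetime_sufficient(token: str, job_seconds: int, now: Optional[int] = None) -> bool:
    """True when at least job_seconds remain before exp, measured from `now`."""
    claims = decode_payload(token)
    now = int(time.time()) if now is None else now
    return int(claims["exp"]) - now >= job_seconds

if __name__ == "__main__":
    ttl = token_ttl_seconds(SAMPLE_TOKEN)
    print(f"token lifetime: {ttl} s ({ttl // 60} min)")
    # A 6-minute build/push started right at iat would outlive a 5-minute token.
    print("6 min push safe:", lifetime_sufficient(SAMPLE_TOKEN, 360, now=SAMPLE_PAYLOAD["iat"]))
```

In a workflow, pass the real OIDC token instead of `SAMPLE_TOKEN` and fail fast (or re-authenticate per step) when `lifetime_sufficient` returns False for the expected duration of the push.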

Hi there @dsotirakis 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

@dsotirakis
Author

@sethvargo 👋
Sorry for the direct ping, I wonder if there are any actions that can be made for this issue? Thanks!

@sethvargo
Member

Hi @dsotirakis - it looks like GitHub changed the value from 10min -> 5min, but we have no control over how the GitHub OIDC token is generated. There doesn't appear to be a way to request a longer exp on the token (at least not a documented one), and Google Cloud uses the provided OIDC token to determine the expiration of the federated token.

The documentation says:

ID Tokens have a maximum lifetime of 10 minutes. This value cannot be changed.

That is true and it's referred to token_format: 'id_token', which is different than using the federated token directly.

I'll document this in #483, but you may want to raise an FR to GitHub. We can't mint a token that exceeds the lifetime of the OIDC token.

@sethvargo sethvargo closed this as not planned Won't fix, can't repro, duplicate, stale Apr 25, 2025