Document token lifetimes #432

@fotinakis

Description

TL;DR

Please document the default token lifetimes which you'll encounter using each different method.

Expected behavior

I would have expected to be able to use Direct Workload Identity Federation method alongside a docker builds which get pushed to Google Artifact Registry, without error.

Observed behavior

It seems that using Direct Workload Identity Federation has a <10 min (?) token lifetime before the token expires. Perhaps this is the id-token default lifetime?

Here is what I think would be a minimal reproduction case of this bug:

      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ...
          project_id: ...
      - run: gcloud --quiet auth configure-docker us-docker.pkg.dev
      - run: docker buildx build --push -t some_image:tag .

The "bug":

If some_image is a docker build that takes 1 minute to build, all is fine.
If some_image is a docker build that takes >10 minutes, it always fails at the very end with:

#12 ERROR: failed to push us-docker.pkg.dev/[...]: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://us-docker.pkg.dev/v2/token?scope=repository%3A[...]%3Apull%2Cpush&service=us-docker.pkg.dev: 401 Unauthorized

Switching to Service Account method with token_format: access_token works as it has a 1 hour access_token time (but it would have saved a lot of time to have the Direct method's token lifetime documented, as well as the default service account method without setting the format).

Obviously this is not a "bug" per se — but it's very unexpected behavior if you don't know what to look for and what the token lifetime is for the Direct method, or have any way to configure it.

Action YAML

name: foo
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/.../locations/global/workloadIdentityPools/.../providers/...
          project_id: ...
      - name: Do thing
        run: docker buildx build --push -t some_image:tag .

Log output

n/a

Additional information

n/a
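The issue asks what the token lifetime actually is; rather than guessing from a failed push, you can measure it. Added example (not from the issue or from google-github-actions/auth): decode the iat and exp claims of a JWT such as the GitHub OIDC id-token and check whether it would outlive a build of a given length. The token below is a constructed, unsigned sample; the claim values are invented for the demo.

```shell
#!/bin/sh
# Added example: measure a JWT's lifetime from its iat/exp claims.
# Assumes GNU/BusyBox base64 (-d) and a standard sed.

# base64url-encode stdin (used only to build the sample token below)
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Constructed sample token: 10-minute lifetime, no signature (alg "none").
SAMPLE_JWT="$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url).$(printf '%s' \
  '{"iss":"https://token.actions.githubusercontent.com","iat":1700000000,"exp":1700000600}' | b64url)."

# Print a numeric claim ($2) from the payload segment of token $1.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  # restore base64 padding that base64url strips
  pad=$(( (4 - ${#payload} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do payload="$payload="; pad=$((pad - 1)); done
  printf '%s' "$payload" | tr -- '-_' '+/' | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":[ ]*\([0-9]*\).*/\1/p"
}

# Lifetime in seconds (exp - iat), or 1 on malformed input.
jwt_lifetime_seconds() {
  iat=$(jwt_claim "$1" iat); exp=$(jwt_claim "$1" exp)
  [ -n "$iat" ] && [ -n "$exp" ] || return 1
  echo $((exp - iat))
}

# Succeeds (exit 0) if token $1 lives at least $2 minutes, i.e. long
# enough to still be valid when a build of that length reaches its push step.
token_outlives_build() {
  lifetime=$(jwt_lifetime_seconds "$1") || return 1
  [ "$lifetime" -ge $(( $2 * 60 )) ]
}

echo "sample token lifetime: $(jwt_lifetime_seconds "$SAMPLE_JWT")s"
if token_outlives_build "$SAMPLE_JWT" 12; then
  echo "a 12-minute build would push before expiry"
else
  echo "a 12-minute build would hit expiry before the push step"
fi
```

In a workflow you would feed it the real token (for example one fetched from `$ACTIONS_ID_TOKEN_REQUEST_URL`) instead of the sample; a short lifetime reported here explains the 401 at the end of a long build.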
