From 569c56bc622d1256ef3d3c0bb9d76d69721ec981 Mon Sep 17 00:00:00 2001
From: Cody Oss <6331106+codyoss@users.noreply.github.com>
Date: Mon, 30 Aug 2021 16:43:02 -0600
Subject: [PATCH] fix(impersonate): allow lifetimes up to 12 hours (#1186)

Service accounts that have been added to an org policy with constraints/iam.allowServiceAccountCredentialLifetimeExtension may request a token lifetime of up to 12 hours.

Fixes: #1185
---
 impersonate/impersonate.go | 8 +++++---
 impersonate/impersonate_test.go | 2 +-
 impersonate/user_test.go | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/impersonate/impersonate.go b/impersonate/impersonate.go
index 602601007b7..52c32589b72 100644
--- a/impersonate/impersonate.go
+++ b/impersonate/impersonate.go
@@ -39,7 +39,9 @@ type CredentialsConfig struct {
 // Lifetime is the amount of time until the impersonated token expires. If
 // unset the token's lifetime will be one hour and be automatically
 // refreshed. If set the token may have a max lifetime of one hour and will
- // not be refreshed. Optional.
+ // not be refreshed. Service accounts that have been added to an org policy
+ // with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
+ // request a token lifetime of up to 12 hours. Optional.
 Lifetime time.Duration
 // Subject is the sub field of a JWT. This field should only be set if you
 // wish to impersonate as a user. This feature is useful when using domain
@@ -66,8 +68,8 @@ func CredentialsTokenSource(ctx context.Context, config CredentialsConfig, opts
 if len(config.Scopes) == 0 {
 return nil, fmt.Errorf("impersonate: scopes must be provided")
 }
- if config.Lifetime.Seconds() > 3600 {
- return nil, fmt.Errorf("impersonate: max lifetime is 3600s")
+ if config.Lifetime.Hours() > 12 {
+ return nil, fmt.Errorf("impersonate: max lifetime is 12 hours")
 }
 
 var isStaticToken bool
diff --git a/impersonate/impersonate_test.go b/impersonate/impersonate_test.go
index a652cc630c2..c26c7fafc1a 100644
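Review bot: The context line kept in the Lifetime comment still says `If set the token may have a max lifetime of one hour`, which now contradicts the three added sentences and the 12-hour client-side cap introduced in the next hunk of this file; reword it so the comment states a single rule, for example `// refreshed. If set the token will not be refreshed; the maximum lifetime is one hour, or up to 12 hours for service accounts covered by an org policy with constraints/iam.allowServiceAccountCredentialLifetimeExtension. Optional.` It is also worth stating that the library only enforces the 12-hour ceiling and that the IAM Credentials service presumably still rejects lifetimes over one hour for accounts not covered by that constraint, so callers should expect that failure from the token source rather than from CredentialsTokenSource. A token that lives 12 hours and is never refreshed also widens the window in which a leaked token remains usable, which is worth one sentence so callers pick the shortest lifetime that works. The CredentialsConfig struct continues outside the hunk.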
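Review bot: In the second hunk, `config.Lifetime.Hours() > 12` goes through a float64 where a direct Duration comparison is both exact and the idiomatic form; prefer `if config.Lifetime > 12*time.Hour {`. Including the rejected value makes misconfiguration easier to diagnose: `return nil, fmt.Errorf("impersonate: max lifetime is 12 hours, got %v", config.Lifetime)`. Nothing in the hunk rejects a negative Lifetime; how the value is used later is not visible here, but if it is forwarded to the API unchanged a `config.Lifetime < 0` check next to this one would fail fast with a clearer error. CredentialsTokenSource continues outside the hunk.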
--- a/impersonate/impersonate_test.go
+++ b/impersonate/impersonate_test.go
@@ -39,7 +39,7 @@ func TestTokenSource_serviceAccount(t *testing.T) {
 name: "lifetime over max",
 targetPrincipal: "foo@project-id.iam.gserviceaccount.com",
 scopes: []string{"scope"},
- lifetime: 3601 * time.Second,
+ lifetime: 13 * time.Hour,
 wantErr: true,
 },
 {
diff --git a/impersonate/user_test.go b/impersonate/user_test.go
index d21407a3b06..0358eecc883 100644
--- a/impersonate/user_test.go
+++ b/impersonate/user_test.go
@@ -40,7 +40,7 @@ func TestTokenSource_user(t *testing.T) {
 name: "lifetime over max",
 targetPrincipal: "foo@project-id.iam.gserviceaccount.com",
 scopes: []string{"scope"},
- lifetime: 3601 * time.Second,
+ lifetime: 13 * time.Hour,
 wantErr: true,
 },
 {
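Review bot: Replacing `3601 * time.Second` with `13 * time.Hour` moves the over-max case a full hour past the boundary, so the tests no longer pin where the cutoff actually is; `lifetime: 12*time.Hour + time.Second,` keeps the one-second-over probe the old value had. If the table does not already contain one (not visible here), a sibling case with `lifetime: 12 * time.Hour,` and `wantErr: false,` would confirm that exactly 12 hours is accepted, which is the behaviour this commit introduces. The same applies to the identical hunk in impersonate/user_test.go. Both table literals continue outside their hunks.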