Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

impersonate: token limited to 1 hour #1185

Closed
salrashid123 opened this issue Aug 26, 2021 · 2 comments · Fixed by #1186
Closed

impersonate: token limited to 1 hour #1185

salrashid123 opened this issue Aug 26, 2021 · 2 comments · Fixed by #1186
Assignees
@codyoss
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@salrashid123
Copy link

A impersonated token is restricted to one hour here:

https://github.com/googleapis/google-api-go-client/blob/master/impersonate/impersonate.go#L69

however, an org policy can be set that allows credentials valid upto 12 hours:

constraints/iam.allowServiceAccountCredentialLifetimeExtension

Allow extending lifetime of OAuth 2.0 access tokens to up to 12 hours

This list constraint defines the set of service accounts that can be granted OAuth 2.0 access tokens with a lifetime of up to 12 hours. By default, the maximum lifetime for these access tokens is 1 hour. The allowed/denied list of service accounts must specify one or more service account email addresses.

eg i'm setting one here to 4000s


$ date
Wed 25 Aug 2021 07:50:45 PM EDT

$ curl --request POST   'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/vault-server%40pubsub-msg.iam.gserviceaccount.com:generateAccessToken'   --header "Authorization: Bearer `gcloud auth  print-access-token`"   --header 'Accept: application/json'  --header 'Content-Type: application/json'  --data '{"lifetime":"4000s","scope":["https://www.googleapis.com/auth/cloud-platform"]}' 
{
  "accessToken": "ya29.c.Kr...",
  "expireTime": "2021-08-26T00:57:30Z"
}
@salrashid123 salrashid123 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Aug 26, 2021
@codyoss codyoss changed the title Impersonated token limited to 1hour impersonate: token limited to 1 hour Aug 26, 2021
@codyoss
Copy link
Member

codyoss commented Aug 26, 2021

@salrashid123 this is a good call out. Since the API auto-refreshes by default and this requires the extra IAM permission to work it was left out of the initial implementation. But maybe this was an oversight. Since we don't lazily load the credentials if a lifetime is provided a user without the proper IAM permission should get an error right away if the lifetime is too long.

@codyoss codyoss mentioned this issue Aug 26, 2021
Merged
@salrashid123
Copy link
Author

correct, i just modified the a separate implementation of this here:

and if set the lifetime to some really large number, id see the google api error when trying to get the impersonated token:

googleapi: Error 400: Lifetime of access token can not be larger than 12h, badRequest

just as a side note, this capability to set upto 12hrs seems to be just for the iamcredential api. When i tried to override the regular oauth2 service account flow eg
https://developers.google.com/identity/protocols/oauth2/service-account#authorizingrequests

by setting a large exp during, i'd see an error saying you can only set this upto 1hr

exp | The expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum of 1 hour after the issued time.

i'll confirm that tomorrow

gcf-merge-on-green bot pushed a commit that referenced this issue Aug 30, 2021
@codyoss
fix(impersonate): allow lifetimes up to 12 hours (#1186)
569c56b 
Service accounts that have been added to an org policy
with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
request a token lifetime of up to 12 hours.

Fixes: #1185
@salrashid123 salrashid123 mentioned this issue Aug 31, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codyoss codyoss

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(impersonate): allow lifetimes up to 12 hours
2 participants
@codyoss @salrashid123