
Support 12h lifetime Access_Token via the new GCP Policy "iam.allowServiceAccountCredentialLifetimeExtension" #98

Closed
mcandries opened this issue Oct 8, 2020 · 4 comments

Comments

@mcandries

Hello,

TL;DR:
GCP now allows access_token generation with a lifetime of up to 12 hours instead of the previous hard limit of 1 hour.
However, the Vault plugin doesn't seem to allow using it, because we can't ask for a specific TTL for an access_token in Vault.

What happens:
I allowed the "iam.allowServiceAccountCredentialLifetimeExtension" policy for the service account generated by Vault.

Manually I can call the GCP API:
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/VAULT-SA-ACCOUNT@MY-PROJECT.iam.gserviceaccount.com:generateAccessToken and ask for a 12h token via "lifetime": "43200s" in the payload.
It works well; I get a token valid for 12h.

In Vault, I set the TTL to 43200s via:
vault write /gcp/MY-PROJECT/config ttl=43200s max_ttl=43200s

Then I ask for a token via:
vault read /gcp/MY-PROJECT/token/MY-ROLESET

--> I get a token valid for 1h

I suppose it's because, according to the documentation, "ttl" and "max_ttl" are only used with the "Service Account Key" method, not with "access_token".

Desired behavior:
Get a token valid for 12 hours.

Thanks !
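One way to make the generateAccessToken call with an explicit lifetime and then check how long the returned token is actually valid, as an added example that is not code from the issue or from the Vault plugin; the service-account name, the response bodies and the timestamps are constructed, and a real call needs a bearer token for a caller that can create tokens for that service account:

```python
"""Request a 12h access token from the IAM Credentials API and check how long the
returned token is actually valid. Service account, responses and timestamps are constructed."""
import json
import urllib.request
from datetime import datetime, timezone

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
EXTENDED_MAX_LIFETIME = 43200  # 12h; the default cap is 3600s without the org policy


def build_request(service_account, lifetime_seconds,
                  scopes=("https://www.googleapis.com/auth/cloud-platform",)):
    """Return (url, body) for a generateAccessToken call with an explicit lifetime."""
    if not 0 < lifetime_seconds <= EXTENDED_MAX_LIFETIME:
        raise ValueError(f"lifetime must be 1..{EXTENDED_MAX_LIFETIME}s, got {lifetime_seconds}")
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{service_account}:generateAccessToken"
    # lifetime is a Duration string such as "43200s"
    return url, {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}


def send_request(url, body, bearer_token):
    """POST the request; bearer_token authenticates the caller, not the target SA."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers={
        "Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def granted_lifetime(response, issued_at):
    """Seconds the token is valid for, derived from the expireTime the API reports."""
    expire = datetime.fromisoformat(response["expireTime"].replace("Z", "+00:00"))
    return int((expire - issued_at).total_seconds())


def lifetime_honoured(response, issued_at, requested_seconds):
    """True if the API granted at least the requested lifetime; a 1h token after a
    12h request is the symptom the issue describes."""
    return granted_lifetime(response, issued_at) >= requested_seconds


# Constructed sample: a 12h request issued at 10:00Z; one response honours it, one is capped to 1h.
SAMPLE_ISSUED_AT = datetime(2020, 10, 8, 10, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {"accessToken": "ya29.constructed", "expireTime": "2020-10-08T22:00:00Z"}
SAMPLE_CAPPED = {"accessToken": "ya29.constructed", "expireTime": "2020-10-08T11:00:00Z"}

if __name__ == "__main__":
    url, body = build_request("VAULT-SA-ACCOUNT@MY-PROJECT.iam.gserviceaccount.com", 43200)
    print(url, json.dumps(body))
    print("12h honoured:", lifetime_honoured(SAMPLE_RESPONSE, SAMPLE_ISSUED_AT, 43200))
    print("capped to 1h:", lifetime_honoured(SAMPLE_CAPPED, SAMPLE_ISSUED_AT, 43200))
```

The same expireTime check can be run against whatever Vault hands back, which is how a 1h token after a 12h request is spotted before it is relied on.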

@kalafut
Contributor

kalafut commented Jan 26, 2021

Thanks for highlighting this change. We'll take a look and see if it can be incorporated.

@austingebauer
Member

@mcandries - Thanks for the feature request!

My understanding is that this would require the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy be modified to include the service accounts that are created by Vault. Automating this seems like a larger scope than simply setting a TTL value. Also, requiring a manual configuration step may be an undesirable user experience. We don't have current plans for implementing this feature but are open to other perspectives on a potential approach.

@salrashid123

salrashid123 commented Aug 31, 2021

Extending a token up to 12hrs is currently only available through the IAM API. The access_token that's returned by this plugin derives that token by using the raw key here, which won't allow setting an extended shelf life.

I did fork the vault plugin here to

Within the policy definition for that plugin, you can set the max lifetime of the access_token returned (e.g., set the duration= up to 12hrs).

Note: it is NOT supported by Google, FWIW.

And another variation/fork here that supports OIDC, jwtaccess and impersonation (the impersonation part could allow for up to 12hrs once it's updated with the latest auth library; see googleapis/google-api-go-client#1185).

@austingebauer
Member

In the next release of the plugin, we'll support access token TTLs (including up to the 12hr maximum lifetime) via service account impersonation #129. I'm going to close this issue. Feel free to reopen or create a new issue if there is a different feature being requested here.
