fix(impersonate): allow lifetimes up to 12 hours (#1186)
Service accounts that have been added to an org policy
with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
request a token lifetime of up to 12 hours.

Fixes: #1185
codyoss authored Aug 30, 2021
1 parent 7019080 commit 569c56b
Showing 3 changed files with 7 additions and 5 deletions.
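--- a/impersonate/impersonate.go
+++ b/impersonate/impersonate.go
@@ -39,7 +39,9 @@ type CredentialsConfig struct {
 // Lifetime is the amount of time until the impersonated token expires. If
 // unset the token's lifetime will be one hour and be automatically
 // refreshed. If set the token may have a max lifetime of one hour and will
-// not be refreshed. Optional.
+// not be refreshed. Service accounts that have been added to an org policy
+// with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
+// request a token lifetime of up to 12 hours. Optional.
 Lifetime time.Duration
 // Subject is the sub field of a JWT. This field should only be set if you
 // wish to impersonate as a user. This feature is useful when using domain
@@ -66,8 +68,8 @@ func CredentialsTokenSource(ctx context.Context, config CredentialsConfig, opts
 if len(config.Scopes) == 0 {
 return nil, fmt.Errorf("impersonate: scopes must be provided")
 }
-if config.Lifetime.Seconds() > 3600 {
-return nil, fmt.Errorf("impersonate: max lifetime is 3600s")
+if config.Lifetime.Hours() > 12 {
+return nil, fmt.Errorf("impersonate: max lifetime is 12 hours")
 }
 
 var isStaticToken bool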
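Review bot: The relaxed guard `if config.Lifetime.Hours() > 12` now accepts lifetimes between one and twelve hours for every caller, while the doc comment above still calls one hour the maximum and only says that org-policy-covered accounts "may request" more; a reader can no longer tell from the client which limit applies, and presumably the one-hour ceiling for other accounts is now enforced only by the remote API, so that rejection will surface as a request error rather than the local one it used to be. A sentence on the Lifetime field such as `// Lifetimes above one hour are accepted here but are rejected by the IAM Credentials API unless the org policy permits the extension.` would make that explicit. The comparison itself would read better as a Duration compare than a float one, and a negative value still passes the check unchanged, so `if config.Lifetime < 0 || config.Lifetime > 12*time.Hour {` covers both if negative lifetimes are indeed meaningless downstream. CredentialsTokenSource starts and ends outside the hunk.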
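--- a/impersonate/impersonate_test.go
+++ b/impersonate/impersonate_test.go
@@ -39,7 +39,7 @@ func TestTokenSource_serviceAccount(t *testing.T) {
 name: "lifetime over max",
 targetPrincipal: "foo@project-id.iam.gserviceaccount.com",
 scopes: []string{"scope"},
-lifetime: 3601 * time.Second,
+lifetime: 13 * time.Hour,
 wantErr: true,
 },
 {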
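Review bot: The updated case `lifetime: 13 * time.Hour` only exercises a value well past the new limit, so the boundary itself is untested and a later change from `> 12` to `>= 12` would not be caught. A sibling case with `lifetime: 12 * time.Hour` expecting success, if the rest of the fixture lets a non-error case run, plus one just over it such as `lifetime: 12*time.Hour + time.Second` with `wantErr: true`, would pin the limit. The same applies to the matching case in impersonate/user_test.go. TestTokenSource_serviceAccount starts and ends outside the hunk.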
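--- a/impersonate/user_test.go
+++ b/impersonate/user_test.go
@@ -40,7 +40,7 @@ func TestTokenSource_user(t *testing.T) {
 name: "lifetime over max",
 targetPrincipal: "foo@project-id.iam.gserviceaccount.com",
 scopes: []string{"scope"},
-lifetime: 3601 * time.Second,
+lifetime: 13 * time.Hour,
 wantErr: true,
 },
 {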
