From 6384b341b739135f1aacc53ef6c51631cb8da911 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Tue, 6 Aug 2024 21:28:34 -0400 Subject: [PATCH] Document ID Token lifetimes (#433) Closes https://github.com/google-github-actions/auth/issues/432 --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7373e96f..883312a1 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,10 @@ Cloud as an output for use in future steps in the workflow. These options only apply to ID tokens generated by this action. By default, this action does not generate any tokens. +> [!CAUTION] +> +> ID Tokens have a maximum lifetime of 10 minutes. This value cannot be changed. + - `service_account`: (Required) Email address or unique identifier of the Google Cloud service account for which to generate the ID token. For example: @@ -333,8 +337,8 @@ In this setup, the Workload Identity Pool has direct IAM permissions on Google Cloud resources; there are no intermediate service accounts or keys. This is preferred since it directly authenticates GitHub Actions to Google Cloud without a proxy resource. However, not all Google Cloud resources support `principalSet` -identities. Please see the documentation for your Google Cloud service for more -information. +identities, and the resulting token has a maximum lifetime of 10 minutes. Please +see the documentation for your Google Cloud service for more information. [![Authenticate to Google Cloud from GitHub Actions with Direct Workload Identity Federation](docs/google-github-actions-auth-direct-workload-identity-federation.svg)](docs/google-github-actions-auth-direct-workload-identity-federation.svg)
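Review bot: In the first README.md hunk (@@ -191,6 +191,10), the new caution states the 10 minute limit but not what it means for the workflow, even though the unchanged context just above says the token is exported "as an output for use in future steps in the workflow". A step that runs more than 10 minutes after this action would be handed an expired token, so consider adding a sentence telling readers to generate the ID token immediately before the step that consumes it. Style point on the same line: the added text writes "ID Tokens" while the surrounding context uses "ID tokens"; match the existing capitalisation.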
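Review bot: In the second README.md hunk (@@ -333,8 +337,8), "the resulting token" in the added clause does not say which token is meant, and the paragraph it sits in has not mentioned a token up to that point, so readers cannot tell whether this is the same limit as the ID token caution added in the first hunk. Joining it with "and" to the `principalSet` sentence also makes the following "Please see the documentation for your Google Cloud service" read as if it covered the lifetime, when it is about `principalSet` support. Suggest putting the lifetime in its own sentence, naming the token type, and stating, as the first hunk does with "This value cannot be changed", whether the limit is configurable.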