Feature: Configurable Google Cloud OIDC token lifetime#2050
Open
HuyPhanNguyen wants to merge 4 commits into
Conversation
Reads Octopus.Action variable {account}.OpenIdConnect.TokenLifetimeSeconds (default 3600, clamped 600-43200) instead of the hardcoded 3600 when building the gcloud create-cred-config call.
1151d57 to eb0a55b
Background

`SetupGCloudAuthentication.TryAuthenticateWithOidc` hardcoded `--service-account-token-lifetime-seconds=3600` when building the `gcloud iam workload-identity-pools create-cred-config` call for Google Cloud OIDC / Workload Identity Federation auth. Deployment steps that run longer than 60 minutes hit a mid-step credential expiry. Google supports 600–43200 seconds (up to 12 hours). Raised by STOXX (FD-535).

Results

Reads the lifetime from the account-scoped deployment variable `{accountVariable}.OpenIdConnect.TokenLifetimeSeconds` (emitted by the Octopus Server change), defaults to 3600 when unset, clamps to Google's 600–43200 range (logging a warning when out of range), and threads it into the gcloud argument.

Fixes FD-535

Before

`create-cred-config` was always called with `--service-account-token-lifetime-seconds=3600`.

After

`variables.GetInt32("{account}.OpenIdConnect.TokenLifetimeSeconds") ?? 3600`, clamped to 600–43200, interpolated into the gcloud arg.

Companion to the OctopusDeploy server PR (adds the `GoogleCloudOidcAccount` type + `TokenLifetimeSeconds` field that produces this variable). Verified end-to-end against real Google Workload Identity Federation.
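The resolution logic the description above lays out (unset → 3600, out of range → clamped with a warning, then interpolated into the gcloud flag), as an added illustration that is not Calamari's own code: the dictionary-based variable lookup and the `Action<string>` warning sink are assumptions standing in for Calamari's variable and logging abstractions, and the account variable name `MyGcpAccount` is constructed for the sample.

```csharp
using System;
using System.Collections.Generic;

// Added example (not Calamari's own code): resolves the OIDC token lifetime the way the
// PR describes and builds the gcloud argument. The dictionary-based variable lookup and
// the Action<string> warning sink are assumptions standing in for Calamari's variable
// and logging abstractions; the account variable name used in Main is constructed.
public static class OidcTokenLifetime
{
    public const int DefaultSeconds = 3600; // the value that was previously hardcoded
    public const int MinSeconds = 600;      // Google's minimum lifetime (10 minutes)
    public const int MaxSeconds = 43200;    // Google's maximum lifetime (12 hours)

    // Returns the effective lifetime: the default when the variable is unset or not an
    // integer, otherwise the requested value clamped into Google's supported range,
    // with a warning whenever clamping changed it.
    public static int Resolve(IReadOnlyDictionary<string, string> variables,
                              string accountVariable,
                              Action<string> warn)
    {
        var key = accountVariable + ".OpenIdConnect.TokenLifetimeSeconds";
        if (!variables.TryGetValue(key, out var raw) || !int.TryParse(raw, out var requested))
            return DefaultSeconds;

        var effective = Math.Clamp(requested, MinSeconds, MaxSeconds);
        if (effective != requested)
            warn($"{key}={requested} is outside Google's supported range " +
                 $"{MinSeconds}-{MaxSeconds}; using {effective}.");
        return effective;
    }

    // The flag as passed to `gcloud iam workload-identity-pools create-cred-config`.
    public static string LifetimeArgument(int seconds) =>
        $"--service-account-token-lifetime-seconds={seconds}";

    public static void Main()
    {
        const string account = "MyGcpAccount"; // constructed account variable name
        var key = account + ".OpenIdConnect.TokenLifetimeSeconds";

        // Constructed sample variable sets covering each branch of Resolve.
        var cases = new Dictionary<string, Dictionary<string, string>>
        {
            ["unset"]        = new Dictionary<string, string>(),
            ["in range"]     = new Dictionary<string, string> { [key] = "7200" },
            ["too short"]    = new Dictionary<string, string> { [key] = "60" },
            ["too long"]     = new Dictionary<string, string> { [key] = "86400" },
            ["not a number"] = new Dictionary<string, string> { [key] = "twelve" },
        };

        foreach (var (label, variables) in cases)
        {
            var seconds = Resolve(variables, account, msg => Console.WriteLine("WARN " + msg));
            Console.WriteLine($"{label,-13} -> {LifetimeArgument(seconds)}");
        }
    }
}
```

Falling back to the default when the value is unset or unparsable mirrors the `GetInt32(...) ?? 3600` behaviour in the PR; clamping rather than rejecting keeps a misconfigured value from failing the authentication step outright, while the warning makes the adjustment visible in the deployment log so an operator can see that a requested lifetime was not honoured as written.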