Description
TL;DR
When using Direct Workload Identity Federation, the default expiration time for the auth_token is 5 minutes instead of 10 (which is what's been written in the documentation).
Expected behavior
The expectation would be for the token to be valid for 10 minutes as mentioned in the README.md file in the root.
Observed behavior
If I try to print the OIDC JWT token in GitHub Actions, I get:
```json
{
  "actor": "dsotirakis",
  "aud": "https://github.com/org",
  "base_ref": "main",
  "event_name": "pull_request",
  "exp": 1741684978,
  "iat": 1741684678
}
```
The TTL for the token is then exp - iat = 300 s = 5 min.
If I run some steps that take more than 5 minutes after I get authenticated, I get:
#30 ERROR: failed to push us-docker.pkg.dev[...]: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://us-docker.pkg.dev/v2/token?scope=repository%[...]%[...]%[...]%3Apull%2Cpush&service=us-docker.pkg.dev: 401 Unauthorized
which agrees with the token expiration.
Action YAML
```yaml
build:
  name: Build and publish mlops-lab
  runs-on: ubuntu-latest
  strategy:
    matrix:
      platform: [linux/amd64, linux/arm64]
  steps:
    - uses: actions/checkout@v4
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    - name: Login to Google Artifact Registry
      uses: google-github-actions/auth@v2
      with:
        workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
    - name: Set up gcloud CLI
      uses: google-github-actions/setup-gcloud@v2
    - name: Configure Docker
      run: gcloud auth configure-docker us-docker.pkg.dev
    - name: Extract platform suffix
      id: platform-suffix
      run: |
        SUFFIX=$(echo "${{ matrix.platform }}" | tr '/' '-')
        echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
    - name: Build and push
      uses: docker/build-push-action@v5
      with:
        context: .
        file: ./lab/Dockerfile
        platforms: ${{ matrix.platform }}
        push: true
        tags: |
          "tag1"
        build-args: |
          BUILDKIT_INLINE_CACHE=1
          GO_VERSION=1.24
```
Additional information
Possible workarounds:
a) Use Identity Federation with Service Accounts. This is not something we want to do, since we want to start moving to the more secure Direct Federation. The reason it works is that the access_token generated using the Service Account has a TTL of 1 hour.
b) Instead of using auth_token, use the credentials.json file, install the gcloud binary and run configure-docker instead. Example:
```yaml
- uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
  if: ${{ steps.auth_with_service_account.outputs.access_token == '' }}
  name: Auth with direct WIF
  id: auth_with_direct_wif
  with:
    project_id: "<PROJECT_ID>"
    workload_identity_provider: "projects/<PROJECT_ID>/locations/global/workloadIdentityPools/github/providers/github-provider"
- name: "Set up Cloud SDK"
  uses: "google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a" # v2.1.4
  with:
    version: ">= 363.0.0"
- name: "Use gcloud CLI to configure docker"
  shell: sh
  run: "gcloud auth configure-docker ${{ inputs.registry }}"
```
This way we still get a bigger TTL for the credentials.json file that gets generated when running the action.
Related issues: #432
Recent comment: #432 (comment)
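The issue above measures the token lifetime by hand from the printed `exp` and `iat` claims. The following is an added example, not code from this issue or from google-github-actions/auth, that does the same check programmatically: it decodes the payload of a JWT without verifying the signature (fine for inspecting a token you just minted yourself, never for an authorization decision), computes `exp - iat`, and decides whether a step of a given expected duration fits inside the remaining lifetime with a safety margin. The claim values are the ones printed in the issue; the token itself is constructed here with a dummy signature segment, and the helper names (`decode_jwt_claims`, `fits_in_token_lifetime`, the 30-second margin) are this example's own choices.

```python
import base64
import json
import time

# Claims copied from the issue's printed token (constructed sample, not a live token).
SAMPLE_CLAIMS = {
    "actor": "dsotirakis",
    "aud": "https://github.com/org",
    "base_ref": "main",
    "event_name": "pull_request",
    "exp": 1741684978,
    "iat": 1741684678,
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified: use this only to inspect a token you already
    trust (e.g. one you just requested from the GitHub OIDC endpoint).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_ttl_seconds(claims: dict) -> int:
    """Lifetime the issuer granted: exp - iat (300 for the issue's token)."""
    return int(claims["exp"]) - int(claims["iat"])


def seconds_remaining(claims: dict, now=None) -> int:
    """Seconds until exp, measured from `now` (defaults to the current clock)."""
    if now is None:
        now = int(time.time())
    return int(claims["exp"]) - now


def fits_in_token_lifetime(claims: dict, step_seconds: int, now=None,
                           safety_margin: int = 30) -> bool:
    """True if a step expected to take `step_seconds` can finish before exp,
    keeping `safety_margin` seconds spare for clock skew and registry round trips.
    The 30-second margin is an assumption of this example, not a documented value.
    """
    return seconds_remaining(claims, now) - safety_margin >= step_seconds


def make_unsigned_test_jwt(claims: dict) -> str:
    """Build a syntactically valid JWT with a dummy signature for offline tests."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


if __name__ == "__main__":
    token = make_unsigned_test_jwt(SAMPLE_CLAIMS)
    claims = decode_jwt_claims(token)
    print("ttl seconds:", token_ttl_seconds(claims))
    # A 6-minute multi-arch push does not fit in a 5-minute token.
    print("6 min push fits:", fits_in_token_lifetime(claims, 360, now=claims["iat"]))
```

In a real workflow the token would be obtained from the job's `ACTIONS_ID_TOKEN_REQUEST_URL` using `ACTIONS_ID_TOKEN_REQUEST_TOKEN` (which requires `id-token: write` permission), and a check like `fits_in_token_lifetime` run before the long `docker push` step so that the job fails early with a clear message instead of the 401 shown above.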