1

I'm trying to configure automation in my automation tool (called Tines), that will query the GCP IAM Recommender API and get recommendations for all my GCP projects.

So naturally two API services are involved here:

  1. cloudresourcemanager.googleapis.com (to list the GCP projects)
  2. recommender.googleapis.com (to get the recommendations)

For this purpose, I have created a service account with the appropriate roles. I also have a JSON key file for the service account. I'm using PyJWT to generate signed JWT tokens, which work absolutely fine.

I'm facing two problems.

Problem 1: While creating the JWT tokens, when I try to set the expiration time to more than 1 hour, the authentication fails. Any idea how to increase the validity of the JWT token to say a week?

Problem 2: I have to create two JWT tokens for the two API services involved. The more services that get involved, the more tokens that are needed. It's become too hectic. Is there a global API endpoint that I can use for scoping (something like global.googleapis.com)? If yes, then I'd need to create only one JWT token with the 'aud' parameter from my JWT payload set to that global endpoint.

Please advise. Much thanks in advance.

NewKidOnTheBlock
  • 55
  • 5

1 Answers1

2

Problem 1: While creating the JWT tokens, when I try to set the expiration time to more than 1 hour, the authentication fails. Any idea how to increase the validity of the JWT token to say a week?

The maximum token lifetime for a non-organization account is 3,600 seconds. For organizations, you can change a policy constraint to permit tokens for up to 12 hours. One week is not possible.

The constraint is:

constraints/iam.allowServiceAccountCredentialLifetimeExtension

Organization policy constraints

I recommend that you keep track of the tokens that you create. Each time you prepare to use one, check the expiration time. If the expiration time is within x seconds (I use 20 seconds), recreate the token.

Problem 2: I have to create two JWT tokens for the two API services involved. The more services that get involved, the more tokens that are needed. It's become too hectic. Is there a global API endpoint that I can use for scoping (something like global.googleapis.com)? If yes, then I'd need to create only one JWT token with the 'aud' parameter from my JWT payload set to that global endpoint.

JWT Tokens have an audience field. That field specifies the service that the token is authorized to call. Unfortunately, only one audience field is supported.

One point that I am not sure of from your question. The cloud resource manager and recommender APIs accept Google OAuth 2.0 Access Tokens. Those tokens are not JWTs. They are created from JWTs and then exchanged. If you change your design to use Access Tokens, then the audience to use is https://www.googleapis.com/oauth2/v4/token. That will only work for Access Tokens and not for Identity Tokens. The same token lifetime (3600 seconds or 12 hours) still applies.

I wrote an article that shows how to create a JWT and exchange it for an OAuth 2.0 Access Token.

Google Cloud – Creating OAuth Access Tokens for REST API Calls

John Hanley
  • 74,467
  • 6
  • 95
  • 159