Introduction:
Users can experience issues with their OIDC token expiring when using OIDC in a job configured for a run time longer than 5 hours, which is the default TTL for the token. This is especially prevalent in projects using a self-hosted runner with a max_run_time configured for a custom value higher than 5 hours, and results in the following error response:
An error occurred (ExpiredTokenException) when calling the AssumeRoleWithWebIdentity operation: Token expired: current date/time 1689326185 must be before the expiration date/time 1689284727 Failed to assume role
TTL overrides can be applied at both the project level and the organization level.
We suggest applying them at the project level, as most projects will not exceed the default TTL on our managed compute resources.
Prerequisites:
- OIDC Token
- A valid API Token scoped to Admin Permissions
- Your Organization ID
  - This is found under your Organization Settings page, within the Overview section
- Your project's ID
  - This is found under your Project Settings page, within the Overview section
Instructions:
Project Level
- Step 1 - Check to confirm whether there are any existing claims that have been patched
  - This can be accomplished by using the "Get project-level claims" endpoint:
    https://circleci.com/api/v2/org/{orgID}/project/{projectID}/oidc-custom-claims
- Step 2 - Apply your custom TTL using the API
  - This can be accomplished by using the "Patch project-level claims" endpoint:
    curl --request PATCH \
      --url https://circleci.com/api/v2/org/{orgID}/project/{projectID}/oidc-custom-claims \
      --header "Circle-Token: $CIRCLE_TOKEN" \
      --header 'content-type: application/json' \
      --data '{"ttl":"10h"}'
  - Note: $CIRCLE_TOKEN is your API token
- Step 3 - Check to confirm the patch has been applied successfully and is reflected in the project-level claims
  - This can be accomplished by using the "Get project-level claims" endpoint:
    https://circleci.com/api/v2/org/{orgID}/project/{projectID}/oidc-custom-claims
Organization Level
- Step 1 - Check to confirm whether there are any existing claims that have been patched
  - This can be accomplished by using the "Get org-level claims" endpoint:
    https://circleci.com/api/v2/org/{orgID}/oidc-custom-claims
- Step 2 - Apply your custom TTL using the API
  - This can be accomplished by using the "Patch org-level claims" endpoint:
    curl --request PATCH \
      --url https://circleci.com/api/v2/org/{orgID}/oidc-custom-claims \
      --header "Circle-Token: $CIRCLE_TOKEN" \
      --header 'content-type: application/json' \
      --data '{"ttl":"10h"}'
  - Note: $CIRCLE_TOKEN is your API token
- Step 3 - Check to confirm the patch has been applied successfully and is reflected in the org-level claims
  - This can be accomplished by using the "Get org-level claims" endpoint:
    https://circleci.com/api/v2/org/{orgID}/oidc-custom-claims
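The three steps above, for either level, as an added example script that is not part of this article or of CircleCI's own tooling: it reads the current claims, PATCHes the ttl, then re-reads and checks that the stored value matches before reporting success. It assumes the GET response carries a "ttl" field; fake_opener is a constructed offline transport for a dry run, and the org, project and token values used with it are placeholders.

```python
import io
import json
import urllib.request

API_BASE = "https://circleci.com/api/v2"

def claims_url(org_id, project_id=None):
    """Project-level claims endpoint when project_id is given, else org-level."""
    if project_id:
        return f"{API_BASE}/org/{org_id}/project/{project_id}/oidc-custom-claims"
    return f"{API_BASE}/org/{org_id}/oidc-custom-claims"

def _call(method, url, token, body=None, opener=urllib.request.urlopen):
    """One request with the Circle-Token header; returns the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Circle-Token", token)  # API token scoped to admin permissions
    if data is not None:
        req.add_header("content-type", "application/json")
    with opener(req) as resp:
        return json.loads(resp.read())

def set_oidc_ttl(org_id, token, ttl, project_id=None, opener=urllib.request.urlopen):
    """Step 1: GET current claims. Step 2: PATCH {"ttl": ttl}. Step 3: GET again and
    check the stored value (assumed to come back as a "ttl" field) matches.
    Returns (claims_before, claims_after); raises if the override did not stick."""
    url = claims_url(org_id, project_id)
    before = _call("GET", url, token, opener=opener)
    _call("PATCH", url, token, body={"ttl": ttl}, opener=opener)
    after = _call("GET", url, token, opener=opener)
    if after.get("ttl") != ttl:
        raise RuntimeError(f"TTL not applied: wanted {ttl!r}, API returned {after.get('ttl')!r}")
    return before, after

def fake_opener(store):
    """Constructed offline stand-in for urlopen: PATCH merges the JSON body into
    `store`; every call answers with the current `store` as a BytesIO response."""
    def opener(req):
        if req.get_method() == "PATCH":
            store.update(json.loads(req.data))
        return io.BytesIO(json.dumps(store).encode())
    return opener
```

Set the TTL only as high as the longest job actually needs; a shorter-lived token limits how long a leaked one remains usable.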
Outcome:
Once the API PATCH has been applied, the TTL is configured to the value used in the API request sent during Step 2 above.