How to configure your OIDC token's TTL at the Organization and Project Levels

Introduction:

Users can run into their OIDC token expiring when OIDC is used in a job configured to run longer than 5 hours, which is the default TTL for the token. This is especially common on projects using a self-hosted runner with max_run_time set to a custom value above 5 hours, and results in the following error response:

An error occurred (ExpiredTokenException) when calling the AssumeRoleWithWebIdentity operation: Token expired: current date/time 1689326185 must be before the expiration date/time 1689284727
Failed to assume role

TTL overrides can be applied at both the project level as well as the organization level.

We suggest applying them at the project level, as most projects will not exceed the default TTL on our managed compute resources.

Prerequisites:

  • OIDC Token
  • A valid API Token scoped to Admin Permissions
  • Your Organization ID
    • This is found under your Organization Settings page within the Overview Section
  • Your project's ID
    • This is found under your Project Settings page within the Overview Section

Instructions:

Project Level

  1. Step 1 - Check to confirm whether there are any existing claims that have already been patched
  2. Step 2 - Apply your custom TTL using the API
    • This can be accomplished by using the "Patch project-level claims" endpoint:

      curl --request PATCH \
        --url https://circleci.com/api/v2/org/{orgID}/project/{projectID}/oidc-custom-claims \
        --header "Circle-Token: $CIRCLE_TOKEN" \
        --header 'content-type: application/json' \
        --data '{"ttl":"10h"}'

    • Note: $CIRCLE_TOKEN is your API token
  3. Step 3 - Check to confirm the patch has been applied successfully and is reflected in the project-level claims

Organization Level

  1. Step 1 - Check to confirm whether there are any existing claims that have already been patched
  2. Step 2 - Apply your custom TTL using the API
    • This can be accomplished by using the "Patch org-level claims" endpoint:

      curl --request PATCH \
        --url https://circleci.com/api/v2/org/{orgID}/oidc-custom-claims \
        --header "Circle-Token: $CIRCLE_TOKEN" \
        --header 'content-type: application/json' \
        --data '{"ttl":"10h"}'

    • Note: $CIRCLE_TOKEN is your API token
  3. Step 3 - Check to confirm the patch has been applied successfully and is reflected in the org-level claims

Outcome:

Once the API PATCH has been applied, the TTL is configured to the value sent in the request body during Step 2 above.
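Before patching, it helps to confirm that the token's lifetime is actually shorter than the job's runtime, and to size the new TTL no larger than the job needs. The following is an added example, not CircleCI's own code; it assumes max_run_time is expressed as a duration string in the same "10h" / "5h30m" form as the ttl value above, and it builds a constructed, unsigned sample token whose expiry matches the timestamp in the error message.

```python
import base64
import json
import re

# Duration strings in the form used in the PATCH body above, e.g. "10h" or "5h30m"
# (assumption: max_run_time uses the same notation).
_PART_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
DEFAULT_TTL_SECONDS = 5 * 3600  # the default token TTL stated in the article


def parse_duration(text):
    """Convert '10h' or '1h30m' into seconds; reject anything else."""
    if not re.fullmatch(r"(\d+[hms])+", text or ""):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _PART_RE.findall(text))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime(token):
    """Seconds between issue (iat) and expiry (exp) of the token."""
    claims = jwt_claims(token)
    return claims["exp"] - claims["iat"]


def fits_within_token(max_run_time, token):
    """True when a job capped at max_run_time cannot outlive the token it received."""
    return parse_duration(max_run_time) <= token_lifetime(token)


def required_ttl(max_run_time):
    """Smallest whole-hour ttl string that covers max_run_time (no longer than needed)."""
    hours = -(-parse_duration(max_run_time) // 3600)  # ceiling division
    return f"{hours}h"


def make_sample_token(iat, exp):
    """Build an unsigned sample JWT (constructed here; not a real CircleCI token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'iat': iat, 'exp': exp})}."


if __name__ == "__main__":
    # Expiry 1689284727 is the value from the error above; iat is 5h earlier (constructed).
    sample = make_sample_token(1689284727 - DEFAULT_TTL_SECONDS, 1689284727)
    print("6h job fits default token:", fits_within_token("6h", sample))
    print("ttl to request:", required_ttl("6h"))
```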
