Is there a way to increase lifetime of access tokens?
Closed this issue · 1 comments
By default, access tokens expire after 3,600 seconds and gcsfuse needs to access metadata.google.internal to renew its tokens.
For security reasons, we have a case where we need to block connections to metadata.google.internal after starting the main container. Therefore, gcsfuse in the init container stops working after 1 hour.
Is there a configuration to increase this period? As far as I see here, there is no way. https://github.com/GoogleCloudPlatform/gcs-fuse-csi-driver/blob/main/pkg/cloud_provider/auth/token_sources.go#L122
The code is not directly used by gcsfuse. This is a token exchange performed by the CSI driver during node publish to verify service account access to the bucket.
I believe your ask would be more directed towards the client initialized by gcsfuse, which lives in a separate repository. Request to please file the issue in https://github.com/GoogleCloudPlatform/gcsfuse. If we have a consensus on a configurable timeout, and make the necessary changes in gcsfuse, the next step would be to configure the timeout through some k8s API (e.g. PV mount options).