bored-table-20691
05/22/2021, 10:16 PM
exp field, which is in epoch time seconds. If I just do something like time.Now().Add(time.Hour * 24 * 30) (to make one that expires in a month), that seems bad as it would regenerate the JWT every time that the stack was updated, which could cause downstream things to restart (e.g. if it was in a Kubernetes Secret), even though there may be plenty of expiration left. I'm curious what others have done for similar cases.
To give an example, here is how I am generating the JWT:
// Imports and the claims type are not shown in the post; the ones below are assumed
// from how the fragment uses them (jwt-go's StandardClaims API, Pulumi v3 Go SDK).
import (
    "time"

    jwt "github.com/dgrijalva/jwt-go"
    "github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Custom claims carried by the system token; embeds the standard claims (exp etc.).
type claims struct {
    Username string   `json:"username"`
    Issue    string   `json:"issue"`
    Groups   []string `json:"groups"`
    jwt.StandardClaims
}

// decodePrivateKey is the poster's helper (not shown); it must parse the PEM into an
// *rsa.PrivateKey, which is what SignedString needs for SigningMethodRS512.

jwtKey, err := tls.NewPrivateKey(ctx, "jwt-key", &tls.PrivateKeyArgs{
    Algorithm: pulumi.String("RSA"),
    RsaBits:   pulumi.Int(4096),
})
if err != nil {
    return err
}
systemToken := pulumi.ToSecret(pulumi.All(jwtKey.PrivateKeyPem).ApplyT(
    func(args []interface{}) (string, error) {
        privateKey := args[0].(string)
        privateKeyPem, err := decodePrivateKey([]byte(privateKey))
        if err != nil {
            return "", err
        }
        // Create the JWT claims, which include the username, groups and expiry time
        tokenClaims := &claims{
            Username: "myusername",
            Issue:    "myissuer",
            Groups:   []string{"system"},
            StandardClaims: jwt.StandardClaims{
                // Expires 30 days from now. Because this is derived from time.Now(),
                // the signed token changes on every stack update.
                ExpiresAt: time.Now().Add(time.Hour * 24 * 30).Unix(),
            },
        }
        token := jwt.NewWithClaims(jwt.SigningMethodRS512, tokenClaims)
        tokenString, err := token.SignedString(privateKeyPem)
        return tokenString, err
    },
))
ctx.Export("jwt-public-key", jwtKey.PublicKeyPem)
ctx.Export("jwt-private-key", jwtKey.PrivateKeyPem)
ctx.Export("system-token", systemToken)
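The problem described in the post is that the expiry is recomputed from time.Now() on every update, so the token is never stable. The following is an added example, not the poster's code or any Pulumi API: it isolates the decision of whether a new token is needed at all, by reading the exp claim of the token issued last time and keeping that expiry unchanged while more than a renewal window remains. How the previous token is obtained (reading back the stack's exported "system-token" output, or a config value) is assumed and not shown; tokenLifetime, renewWindow, expClaim, chooseExpiry and unsignedToken are all names chosen here. The exp is read without signature verification because the input is the stack's own prior output, not a bearer token presented by a caller.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetime of a freshly issued token, and how much remaining lifetime is too little
// to be worth keeping (at which point a stack update rotates the token).
const (
	tokenLifetime = 30 * 24 * time.Hour
	renewWindow   = 7 * 24 * time.Hour
)

// expClaim extracts the exp claim (epoch seconds) from a compact JWT. It deliberately
// does not verify the signature: the token is the stack's own previously issued output.
func expClaim(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode payload: %w", err)
	}
	var c struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return time.Time{}, fmt.Errorf("parse claims: %w", err)
	}
	if c.Exp == 0 {
		return time.Time{}, errors.New("missing exp claim")
	}
	return time.Unix(c.Exp, 0).UTC(), nil
}

// chooseExpiry returns the exp to sign with and whether a new token must be produced.
// Keeping the old expiry keeps the signed token byte-for-byte identical across updates,
// so a Kubernetes Secret holding it does not change and nothing downstream restarts.
func chooseExpiry(existing string, now time.Time) (exp time.Time, reissue bool) {
	if existing == "" {
		return now.Add(tokenLifetime), true // first run: nothing to reuse
	}
	current, err := expClaim(existing)
	if err != nil || current.Sub(now) < renewWindow {
		return now.Add(tokenLifetime), true // unreadable or nearly expired: rotate
	}
	return current, false
}

// unsignedToken builds a compact JWT with the given exp and an empty signature segment.
// Constructed test data only, so the decision logic can run without a signing key.
func unsignedToken(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS512","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]int64{"exp": exp.Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Date(2021, 5, 22, 22, 16, 0, 0, time.UTC)

	// 20 days left: the existing expiry is kept and no new token is signed.
	exp, reissue := chooseExpiry(unsignedToken(now.Add(20*24*time.Hour)), now)
	fmt.Println(exp, reissue)

	// 2 days left: inside the renewal window, so a fresh 30-day expiry is chosen.
	exp, reissue = chooseExpiry(unsignedToken(now.Add(2*24*time.Hour)), now)
	fmt.Println(exp, reissue)
}
```

In the Pulumi program, the ApplyT callback would call chooseExpiry with the previous token and sign only when reissue is true, otherwise returning the previous token string unchanged; the rotation then happens on the first update that falls inside the renewal window rather than on every update.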