05/22/2021, 10:16 PM
What’s the best practice for working with expiration-type fields? Specifically, I am generating a JWT and want to fill in the
field, which is in epoch time seconds. If I just do something like
time.Now().Add(time.Hour * 24 * 30)
(to make one that expires in a month), that seems bad as it would regenerate the JWT every time that the stack was updated, which could cause downstream things to restart (e.g. if it was in a Kubernetes
), even though there may be plenty of expiration left. I’m curious what others have done for similar cases. To give an example, here is how I am generating the JWT
jwtKey, err := tls.NewPrivateKey(ctx, "jwt-key", &tls.PrivateKeyArgs{
	Algorithm: pulumi.String("RSA"),
	RsaBits:   pulumi.Int(4096),
})
if err != nil {
	return err
}

systemToken := pulumi.ToSecret(pulumi.All(jwtKey.PrivateKeyPem).ApplyT(
	func(args []interface{}) (string, error) {
		privateKey := args[0].(string)

		privateKeyPem, err := decodePrivateKey([]byte(privateKey))
		if err != nil {
			return "", err
		}

		// Create the JWT claims, which includes the username, groups and expiry time
		claims := &claims{
			Username: "myusername",
			Issue:    "myissuer",
			Groups:   []string{"system"},
			StandardClaims: jwt.StandardClaims{
				// A 30-day token; recomputed from the current time on every run
				ExpiresAt: time.Now().Add(time.Hour * 24 * 30).Unix(),
			},
		}
		token := jwt.NewWithClaims(jwt.SigningMethodRS512, claims)
		tokenString, err := token.SignedString(privateKeyPem)

		return tokenString, err
	},
))

ctx.Export("jwt-public-key", jwtKey.PublicKeyPem)
ctx.Export("jwt-private-key", jwtKey.PrivateKeyPem)
ctx.Export("system-token", systemToken)
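
One way to keep the expiry stable between runs, shown as an added example that is not part of the original message: derive it from a fixed rotation window instead of the raw `time.Now()`, so every run inside the same window computes the same claim value. The helper name `stableExpiry`, the 7-day window and the sample timestamps are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// stableExpiry (hypothetical helper) returns an expiry in epoch seconds that
// only changes when now crosses a rotation boundary. Windows are aligned to
// the Unix epoch, so every run inside one window computes the same value,
// and the token always has at least lifetime-rotateEvery left.
func stableExpiry(now time.Time, rotateEvery, lifetime time.Duration) (int64, error) {
	if rotateEvery < time.Second {
		return 0, fmt.Errorf("rotation interval %s is below one second", rotateEvery)
	}
	if lifetime <= rotateEvery {
		return 0, fmt.Errorf("lifetime %s must exceed rotation interval %s", lifetime, rotateEvery)
	}
	step := int64(rotateEvery / time.Second)
	unix := now.Unix()
	windowStart := unix - unix%step
	if unix%step < 0 { // pre-1970 clocks: keep rounding downwards
		windowStart -= step
	}
	return windowStart + int64(lifetime/time.Second), nil
}

func main() {
	const week, month = 7 * 24 * time.Hour, 30 * 24 * time.Hour
	// Constructed sample: two runs of the same program three days apart.
	first := time.Unix(2680*604800+1000, 0)
	second := first.Add(3 * 24 * time.Hour)

	for _, run := range []time.Time{first, second} {
		naive := run.Add(month).Unix() // changes on every run
		stable, err := stableExpiry(run, week, month)
		if err != nil {
			panic(err)
		}
		fmt.Printf("run=%d naive exp=%d stable exp=%d\n", run.Unix(), naive, stable)
	}
}
```

Passing the result to `ExpiresAt` keeps the signed token unchanged within a window as long as no other claim depends on the current time, because the RS512 signature is deterministic for identical input.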