 

How to increase the gcloud re-authentication timeout? Currently it expires every 1 hr

I run the commands below

  • to authenticate to google cloud with my corporate email id (ldap)
  • to update my kubeconfig file on my on-premises machine
  • access to k8s control plane from on-premises machine using kube-api-proxy. (I use this proxy to reach control plane as there is no VPC peering between GKE control plane vpc and my corporate network)

gcloud auth login --no-launch-browser  ## I use corporate email id to authenticate
gcloud container clusters get-credentials <gke_cluster_name> --region <region> --project <gcp_project>
export https_proxy=<kube_api_proxy>:8118  ## Proxy to connect to k8s controlplane
kubectl get no

Every hour, I have to repeat the above steps to re-authenticate; otherwise I fail with the error below when I try to connect to k8s:

Unable to connect to the server: error executing access token command "/usr/lib64/google-cloud-sdk/bin/gcloud 
config config-helper --format=json": err=exit status 1 output= stderr=ERROR: gcloud crashed (TransportError):
HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token 
(Caused by ProxyError('Cannot connect to proxy.', 
OSError('Tunnel connection failed: 403 Request blocked by Privoxy')))

Is there a way I can increase this timeout to, let's say, 4 hours or so? I have a job that runs for more than 1 hour, and it fails in the middle due to the timeout.

asked Oct 11 '25 18:10

My IT GURU


1 Answer

The CLI gcloud creates OAuth Access Tokens that are valid for 3,600 seconds. That is the maximum lifetime supported for non-organization projects. This is also the maximum lifetime for user identities, which you are using.

To increase the token lifetime for an Organization, you must create credentials from a service account and set the Organization Policy Constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension which supports tokens with a lifetime of 12 hours. link

However, I am not aware of a method of using that constraint within the CLI without modifying the source code of the CLI, which is written in Python. I have never made this change because writing my own code is much easier.

Instead, write your own token generator. There are many source code examples on the Internet. I wrote an article which includes source code link. Change this line in my code to the time desired:

# Set how long this token will be valid in seconds
expires_in = 3600   # Expires in 1 hour

In Summary:

  1. You must be part of a Google Cloud Organization.
  2. You must create credentials from a service account.
  3. You must set the Organization Policy Constraint.
  4. The constraint must include the email address of allowed service accounts.

answered Oct 16 '25 09:10

John Hanley
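
One way to request a service account token longer than one hour, as an added example (not code from the answer or its linked article): it assumes the IAM Credentials API `generateAccessToken` method, which the answer does not name, and checks the request lifetime against the 1-hour and 12-hour limits stated above. The service account email, token value and timestamps are constructed placeholders, and the block makes no network call.

```python
import json
from datetime import datetime, timezone

DEFAULT_MAX = 3600        # 1 hour: limit without the org policy constraint (per the answer)
EXTENDED_MAX = 12 * 3600  # 12 hours: limit once the constraint lists the service account
API = ("https://iamcredentials.googleapis.com/v1/projects/-/"
       "serviceAccounts/{sa}:generateAccessToken")

def build_token_request(sa_email, lifetime_s, scopes, extension_allowed=False):
    """Return (url, json_body) for generateAccessToken; reject lifetimes over the limit."""
    limit = EXTENDED_MAX if extension_allowed else DEFAULT_MAX
    if not 0 < lifetime_s <= limit:
        raise ValueError(f"lifetime {lifetime_s}s is outside 1..{limit}s")
    if not scopes:
        raise ValueError("at least one OAuth scope is required")
    # The API takes the lifetime as a duration string such as "14400s".
    body = {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}
    return API.format(sa=sa_email), json.dumps(body, sort_keys=True)

def seconds_left(response_json, now):
    """Seconds until the token in a generateAccessToken response expires."""
    expire = json.loads(response_json)["expireTime"]
    # expireTime is an RFC 3339 UTC timestamp; whole-second precision assumed here.
    expire_dt = datetime.fromisoformat(expire.replace("Z", "+00:00"))
    return int((expire_dt - now).total_seconds())

def covers_job(response_json, now, job_seconds, margin_s=300):
    """True if the token outlives the job plus a safety margin."""
    return seconds_left(response_json, now) >= job_seconds + margin_s

if __name__ == "__main__":
    sa = "job-runner@example-project.iam.gserviceaccount.com"  # constructed placeholder
    url, body = build_token_request(
        sa, 4 * 3600, ["https://www.googleapis.com/auth/cloud-platform"],
        extension_allowed=True)
    print(url)
    print(body)
    # Constructed response in the shape the API returns.
    sample = '{"accessToken": "ya29.PLACEHOLDER", "expireTime": "2025-10-16T13:00:00Z"}'
    now = datetime(2025, 10, 16, 9, 0, 0, tzinfo=timezone.utc)
    print(seconds_left(sample, now), covers_job(sample, now, 3 * 3600))
```

Request only the lifetime the job needs: a 4-hour token that leaks is usable for 4 hours.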


