Backend: id_token: Configurable expiry time

Problem to solve

With #207125 (closed) we introduced new CI variable (id_token) that contains JWT which can be used to authenticate with 3rd party systems (e.g. Vault). Expiry time for this tokens is set same as the job timeout (or 5 minutes if there is no timeout) - https://gitlab.com/gitlab-org/gitlab/-/blob/33ddf71a5ca6e2ad537fa2ef85c72d79736bda5b/lib/gitlab/ci/jwt.rb#L7-40.

Currently there is no way to configure the expiry time.

Intended users

Delaney (Development Team Lead)
Sasha (Software Developer)
Alex (Security Operations Engineer)

User experience goal

Users should be able to fine tune id_token expiry time in order to make it fit their use case and tighten security.

Proposal

Option 1 - Introduce new setting under CI / CD Settings / General (just after Timeout) to let users specify expiry time. If set this value should be used when generating the JWT, if not set we should stick to current behavior - job timeout or 5 minutes.

Option 2 - Introduce a keyword to specific via API.

Edited Aug 19, 2024 by Jocelyn Eillis