Service account tokens set to never expire have a forced expiration date of 1 year after rotation.

Summary

Our customer has reported that when a service account token is rotated (renewed), it automatically gets an expiration date of 1 year, even if it was originally set to never expire. The customer wants the option to keep tokens non-expiring after rotation, especially for service accounts.

The customer believes that maintaining non-expiring tokens for service accounts (when rotated) would:

  1. Allow development teams more autonomy in managing their tokens.
  2. Reduce the need for frequent administrator involvement.
  3. Enable quicker response to potential security issues by allowing teams to rotate compromised tokens themselves without waiting for admin assistance.

I'm creating this as a bug because it's different from the behavior specified in the 16.6 release notes from when this was changed:

GitLab administrators and group Owners can choose if they want to enforce an expiry date for service accounts. Previously, service account tokens had to expire within a year, in line with personal, project, and group access token expiration limits. This allows administrators and group Owners to choose the balance between security and ease of use that best aligns with their goals.

Technically, though, it might be a feature, because it only happens on rotation.

Steps to reproduce

  1. Create a new token for a service account without an expiry
  2. Rotate token via API
  3. Check the output to see what the new expiry has been set to

Note: I was able to reproduce this and was not able to set the token to never expire even when specifying expire_at=null.
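The rotation check from the steps above, as an added example (not GitLab's own code): it calls the rotate endpoint and reports how far the new expires_at lies from the rotation date, returning "non-expiring" when the field comes back null. The instance URL, token id and helper names are assumptions, as is the rotate endpoint's expires_at parameter (documented for GitLab 16.6 and later); the sample replies are constructed.

```python
import json
import urllib.request
from datetime import date
from typing import Optional

# Assumed instance URL; replace with your own. Requires an admin or group Owner token.
GITLAB_URL = "https://gitlab.example.com"


def rotate_token(token_id: int, admin_token: str, expires_at: Optional[str] = None) -> dict:
    """POST /personal_access_tokens/:id/rotate and return the parsed JSON reply.

    expires_at is an ISO date string; None sends no value (the 7-day default).
    """
    body = json.dumps({"expires_at": expires_at} if expires_at else {}).encode()
    req = urllib.request.Request(
        f"{GITLAB_URL}/api/v4/personal_access_tokens/{token_id}/rotate",
        data=body,
        method="POST",
        headers={"PRIVATE-TOKEN": admin_token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def expiry_after_rotation(reply: dict, rotated_on: str) -> Optional[int]:
    """Days the new token lives, or None if expires_at is absent/null (non-expiring)."""
    raw = reply.get("expires_at")
    if raw is None:
        return None
    return (date.fromisoformat(raw) - date.fromisoformat(rotated_on)).days


def check_rotation(reply: dict, rotated_on: str, was_non_expiring: bool) -> str:
    """Classify whether rotation preserved the previous expiry policy."""
    days = expiry_after_rotation(reply, rotated_on)
    if days is None:
        return "non-expiring"
    if was_non_expiring:
        return f"expiry imposed: {days} days"  # the behaviour this issue reports
    return f"expires in {days} days"


# Constructed sample replies, shaped like the rotate endpoint's JSON response.
SAMPLE_DEFAULT = {"id": 42, "name": "svc-deploy", "expires_at": "2024-05-08"}
SAMPLE_CUSTOM = {"id": 42, "name": "svc-deploy", "expires_at": "2025-05-01"}
SAMPLE_NULL = {"id": 42, "name": "svc-deploy", "expires_at": None}

if __name__ == "__main__":
    for reply in (SAMPLE_DEFAULT, SAMPLE_CUSTOM, SAMPLE_NULL):
        print(reply["expires_at"], "->", check_rotation(reply, "2024-05-01", True))
```

To run it against a live instance, call rotate_token() with a real token id and feed its reply to check_rotation() with today's date.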

What is the current bug behavior?

Default: expires_at date is set 7 days after rotation
Custom: expires_at date can be set at most 1 year after rotation

What is the expected correct behavior?

Default: expires_at date is set 7 days after rotation, or non-expiring if the token was non-expiring before rotation
Custom: allow non-expiring if the token was non-expiring before rotation

Output of checks

This bug happens on GitLab.com

Possible fixes and links

Customer issue can be found in https://gitlab.zendesk.com/agent/tickets/543635 (Internal use only)
