<!-- The first four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. --> ### Problem to solve With https://gitlab.com/gitlab-org/gitlab/-/issues/207125 we introduced new CI variable (`id_token`) that contains JWT which can be used to authenticate with 3rd party systems (e.g. Vault). Expiry time for this tokens is set same as the job timeout (or 5 minutes if there is no timeout) - https://gitlab.com/gitlab-org/gitlab/-/blob/33ddf71a5ca6e2ad537fa2ef85c72d79736bda5b/lib/gitlab/ci/jwt.rb#L7-40. Currently there is no way to configure the expiry time. ### Intended users * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead) * [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer) * [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer) ### User experience goal Users should be able to fine tune `id_token` expiry time in order to make it fit their use case and tighten security. ### Proposal Option 1 - Introduce new setting under `CI / CD Settings / General` (just after _Timeout_) to let users specify expiry time. If set this value should be used when generating the JWT, if not set we should stick to current behavior - job timeout or 5 minutes. Option 2 - Introduce a keyword to specific via API.