included jwt_claim expiration error message (#16804)

Yoko Hyakuna 2022-08-21 19:15:31 -07:00 committed by GitHub
parent 6be8e7adca
commit 1ec3e21d83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions

@ -310,6 +310,8 @@ be specified as a [NumericDate](https://tools.ietf.org/html/rfc7519#section-2) v
(seconds from Epoch). This value must be before the max JWT expiration allowed for a
role. This defaults to 15 minutes and cannot be more than 1 hour.
If a user generates a token that expires after 15 minutes, and the gcp role has `max_jwt_exp` set to the default, Vault will return the following error: `Expiration date must be set to no more that 15 mins in JWT_CLAIM, otherwise the login request returns error "role requires that service account JWTs expire within 900 seconds`. In this case, the user must create a new signed JWT with a shorter expiration, or set `max_jwt_exp` to a higher value in the gcp role.
One you have all this information, the JWT token can be signed using curl and
[oauth2l](https://github.com/google/oauth2l):
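
Review bot: The inline code span in the added sentence ("If a user generates a token that expires after 15 minutes ...") does not read as the error Vault returns. It opens with guidance prose ("Expiration date must be set to no more that 15 mins in JWT_CLAIM, otherwise the login request returns error") and then nests a double-quoted string whose closing quote is missing before the closing backtick. Suggest keeping only the quoted message, "role requires that service account JWTs expire within 900 seconds", inside the code span and moving the guidance into a normal sentence, with "no more that" corrected to "no more than". "Expires after 15 minutes" would also be clearer as "expires more than 15 minutes from now", since the preceding context lines define the value as a NumericDate that must be before the role's max JWT expiration. While this paragraph is being touched, the unchanged line that follows, "One you have all this information", should read "Once".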