google-github-actions · sethvargo · Aug 7, 2024 · Aug 7, 2024
@@ -191,6 +191,10 @@ Cloud as an output for use in future steps in the workflow. These options only
 apply to ID tokens generated by this action. By default, this action does not
 generate any tokens.
 
+> [!CAUTION]
+>
+> ID Tokens have a maximum lifetime of 10 minutes. This value cannot be changed.
+
 -   `service_account`: (Required) Email address or unique identifier of the
     Google Cloud service account for which to generate the ID token. For
     example:
@@ -333,8 +337,8 @@ In this setup, the Workload Identity Pool has direct IAM permissions on Google
 Cloud resources; there are no intermediate service accounts or keys. This is
 preferred since it directly authenticates GitHub Actions to Google Cloud without
 a proxy resource. However, not all Google Cloud resources support `principalSet`
-identities. Please see the documentation for your Google Cloud service for more
-information.
+identities, and the resulting token has a maximum lifetime of 10 minutes. Please
+see the documentation for your Google Cloud service for more information.
 
 [![Authenticate to Google Cloud from GitHub Actions with Direct Workload Identity Federation](docs/google-github-actions-auth-direct-workload-identity-federation.svg)](docs/google-github-actions-auth-direct-workload-identity-federation.svg)