Non-expiring/long-lived token for deploy user

what do folks use for setting up a deploy user to provision via terraform?

i’d like to set up atlantis to drive provisioning of vms, so the atlantis user will need a token to apply terraform. in practice so far, i’ve just used my own user (ldap), which is a pain, because it seems like i can’t generate a non-expiring token for my user. using the TOKEN_PASSWORD in my account to authenticate also seems to fail.

what’s the best way to set up a deploy user with token authentication here? i don’t want to have to re-generate a token every time someone needs to provision. we’re using open nebula 5.8.5 at the moment, in case it matters.

thanks in advance for any advice.

Hi @nstgermain,

Did you try using the oneuser login command? You can use the --time argument to define the duration of your token:

     --time x                  Token duration in seconds, defaults to 36000 (10
                               h). To reset the token set time to 0.To generate
                               a non-expiring token use -1 (not valid for ssh
                               and x509 tokens).

ah, i didn’t try that. i was generating tokens just via sunstone.

this seemed to work, but the expiration for the token i just generated looks to have a time limit (from oneuser show <my_id> and in sunstone):

TOKENS
     ID EGID  EGROUP     EXPIRATION
9a5a351 *0    oneadmin   2022-04-08 08:31:37
f99baf2 0     oneadmin   2022-04-08 08:32:30

is that just a cosmetic thing? i’ll see if the token actually doesn’t expire.

just replying to myself… i don’t think that worked for my ldap user, but it did work for a local user account:

TOKENS
     ID EGID  EGROUP     EXPIRATION
2ac77db 0     oneadmin   forever

so is there some limitation where ldap users can’t generate non-expiring tokens?
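
One way to audit for the non-expiring tokens discussed in this thread, as an added example that is not part of any post here: a shell function that reads `oneuser show` output and lists the tokens whose EXPIRATION is `forever`. The function names and the sample input are constructed, and the TOKENS table layout is assumed to match the one posted above, with a blank line ending the section.

```shell
#!/bin/sh
# Added example: find non-expiring tokens in `oneuser show` output.
# Assumption: the TOKENS table has the columns shown in this thread
# (ID, EGID, EGROUP, EXPIRATION) and "forever" marks a non-expiring token.

# Reads `oneuser show <user>` text on stdin; prints one line per token:
#   <id> <egroup> <forever|expires> <expiration>
list_tokens() {
    awk '
        /^TOKENS/               { in_tokens = 1; next }  # section header
        in_tokens && NF == 0    { in_tokens = 0; next }  # blank line ends section
        in_tokens && $1 == "ID" { next }                 # column header row
        in_tokens && NF >= 4 {
            when = $4
            # A dated expiration is two fields (date and time); rejoin them.
            for (i = 5; i <= NF; i++) when = when " " $i
            kind = (when == "forever") ? "forever" : "expires"
            print $1, $3, kind, when
        }
    '
}

# Prints only the IDs of tokens that never expire.
forever_tokens() {
    list_tokens | awk '$3 == "forever" { print $1 }'
}

# Constructed sample: the TOKENS rows posted in this thread, merged into one table.
sample_output() {
    cat <<'EOF'
TOKENS
     ID EGID  EGROUP     EXPIRATION
9a5a351 *0    oneadmin   2022-04-08 08:31:37
f99baf2 0     oneadmin   2022-04-08 08:32:30
2ac77db 0     oneadmin   forever
EOF
}

# Run against the sample. On a front-end, pipe real output instead:
#   oneuser show <user> | forever_tokens
sample_output | forever_tokens
```

Running this periodically for each deploy account gives a short list of long-lived credentials to review and rotate.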