
Update TTL for ACR auth token #29

Closed

@lindhe lindhe commented Nov 25, 2024

It seems like the ACR token for service principals has a TTL of 75 minutes, not 3 hours like it said in the documentation. This change updates the documentation to be accurate.

I'm using External Secrets to populate an imagePullSecret in Kubernetes with a token using the ACRAccessToken generator, using credentials for a Service Principal. I have configured the ACRAccessToken generator to refresh every 3 hours since that's the TTL that it said in the docs for "ACR authentication token" for a Service Principal:

ACR authentication token gets created upon login to the ACR, and is refreshed upon subsequent operations. The time to live for that token is 3 hours.

Yet, I'm finding that the tokens I get only have a TTL of 75 minutes:

$ kubectl get secret regcred -o jsonpath='{ .data.\.dockerconfigjson }' | base64 -d | jq -r '.auths."example.azurecr.io".password' | cut -d . -f 2 | base64 -d | jq '.nbf,.exp,.iat' | awk '{ print strftime("%Y-%m-%d %H:%M:%S", $1) }'
2024-11-25 08:15:08
2024-11-25 09:30:08
2024-11-25 08:15:08

So now I'm trying to understand if the documentation is wrong or if I found the wrong documentation. I'm noting that you use the term "authentication token", not "access token", so perhaps I'm looking at the wrong thing. Am I?

If I'm right, I think we should merge this PR to fix the documentation. If I'm wrong, do you have any idea where I can find the documentation for the ACR Access Token? 🙏

It seems like the ACR auth token for service principals has a TTL of 75 minutes, not 3 hours like it said in the documentation. This change updates the documentation to be accurate.

@lindhe : Thanks for your contribution! The author(s) have been notified to review your proposed change.


Learn Build status updates of commit 6d728d6:

✅ Validation status: passed

File: articles/container-registry/container-registry-authentication.md, status: ✅ Succeeded

For more details, please refer to the build report.


Court72 commented Nov 25, 2024

@tejaswikolli-web

Can you review the proposed changes?

Important: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator prmerger-automator bot added the aq-pr-triaged C+L Pull Request Review Team label label Nov 25, 2024

lindhe commented Nov 25, 2024

Again, I want to emphasise: do not blindly merge this! I hope this is correct, but I do not know and need your help verifying it.

github-actions bot commented Dec 9, 2024

This pull request has been inactive for at least 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions.

@github-actions github-actions bot added the inactive This PR is inactive for more than 14 days label Dec 9, 2024

lindhe commented Dec 9, 2024

Ping

@github-actions github-actions bot removed the inactive This PR is inactive for more than 14 days label Dec 10, 2024
@github-actions github-actions bot added the inactive This PR is inactive for more than 14 days label Dec 24, 2024

lindhe commented Dec 24, 2024

Ping

@github-actions github-actions bot removed the inactive This PR is inactive for more than 14 days label Dec 24, 2024
@v-dirichards

@tejaswikolli-web

Can you review this old PR and determine whether it needs to be closed or merged?

@MicrosoftDocs/public-repo-pr-review-team

@github-actions github-actions bot added the inactive This PR is inactive for more than 14 days label Jan 14, 2025

lindhe commented Jan 14, 2025

Ping

@github-actions github-actions bot removed the inactive This PR is inactive for more than 14 days label Jan 14, 2025
@github-actions github-actions bot added the inactive This PR is inactive for more than 14 days label Jan 28, 2025

lindhe commented Jan 29, 2025

Ping

@v-dirichards

@rayoef Could you review this proposed update to your article and enter #sign-off in a comment if it's ready to merge? Thanks!

@v-dirichards v-dirichards removed the request for review from tejaswikolli-web January 29, 2025 15:22
@v-dirichards v-dirichards requested a review from rayoef January 29, 2025 15:22
@github-actions github-actions bot removed the inactive This PR is inactive for more than 14 days label Jan 29, 2025
@github-actions github-actions bot added the inactive This PR is inactive for more than 14 days label Feb 12, 2025

rayoef commented Feb 13, 2025

Thank you for your contribution to our documentation! I've confirmed with engineering that the time to live hasn't changed, so we won't be uptaking your edit.

#please-close

@m5i-work

@lindhe The TTL for the ACR access token is 1 hour. But we add a -15 min offset to the token issue time to avoid clock skew between different machines. The .iat in the token should be 15 min before the token issue time, so the actual expiry time of the token, .exp, is still 1 hour from now.


lindhe commented Feb 13, 2025

Thank you for checking that! Then I must have misunderstood. Do you have any idea as to why I'm getting the timestamps shown in my example? Clearly they have 75 minutes TTL, but perhaps they are not ACR auth tokens?

Are they considered something else, like "access tokens" or "refresh tokens"? 🤔


m5i-work commented Feb 13, 2025

@lindhe You should be using the access token (1 hour TTL), not the refresh token (3 hours TTL). See my comment above for why you observe a 75 min TTL.
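
Added example, not part of the thread or of any Azure or External Secrets code: a Python sketch that reads `iat` and `exp` from a token payload and separates the lifetime the claims show (75 minutes) from the lifetime counted from the real issue time (60 minutes), using the 15-minute backdating described in the comments above. The sample token is constructed from the timestamps in the first comment (UTC is an assumption), and `refresh_interval` with its 10-minute margin is a hypothetical policy; the decoder restores the base64url padding that JWT segments omit.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# From the maintainer's comment in this thread: iat is set 15 minutes before
# the real issue time to tolerate clock skew.
BACKDATE = timedelta(minutes=15)


def b64url_decode(segment):
    """Decode a JWT segment: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_lifetimes(jwt):
    """Read iat/exp from the payload. Inspection only: no signature check."""
    claims = json.loads(b64url_decode(jwt.split(".")[1]))
    claimed = timedelta(seconds=claims["exp"] - claims["iat"])
    return {
        "claimed_ttl": claimed,            # exp - iat, as decoded from the token
        "usable_ttl": claimed - BACKDATE,  # lifetime counted from real issue time
        "expires_at": datetime.fromtimestamp(claims["exp"], tz=timezone.utc),
    }


def refresh_interval(usable_ttl, margin=timedelta(minutes=10)):
    """Hypothetical policy: rotate the pull secret `margin` before expiry."""
    return usable_ttl - margin


def sample_token():
    """Constructed token using the thread's timestamps (UTC is assumed)."""
    iat = int(datetime(2024, 11, 25, 8, 15, 8, tzinfo=timezone.utc).timestamp())
    claims = {"nbf": iat, "iat": iat, "exp": iat + 75 * 60}
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    info = token_lifetimes(sample_token())
    print(info["claimed_ttl"], info["usable_ttl"], refresh_interval(info["usable_ttl"]))
```

A secret refreshed every 3 hours, as configured in the first comment, would hold an expired access token for most of each cycle; the refresh period has to sit below the usable lifetime.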


lindhe commented Feb 13, 2025

Ah, so they are different! That's great. I was unable to find any documentation regarding access tokens TTL, which was why I got hung up on this issue, thinking that the current documentation was incorrect.

I'm guessing the TTL of access tokens is not documented anywhere, except in this thread? At least I'm unable to find it when searching around, but Azure docs is big so maybe I've missed it.

I would probably have expected to find it either under "Repository-scoped access token" in this table or somewhere in the article about that topic.
