There are only fixed lifetime choices (30 days, 90 days, 1 year, No expiration) listed for the token maximum lifetime setting. I cannot set the token maximum lifetime to 180 days or to other values not in this list.
Is there any other way I can set 180 days for the token maximum lifetime? Or is there an enhancement for a customized token maximum lifetime on the SonarQube roadmap?
Hi Ann,
Thanks for the quick response.
This functionality is only provided in the SonarQube Enterprise version according to the doc: Generating and using tokens.
I'm just wondering why only the listed day options are available to set, but no customized day values?
The motivation to set 180 days token expiration is compliance with company security rules.
Hi Ann,
According to our company security policy, we classify Sonar users into 2 types: human users and service accounts (for API access automation).
Human user passwords & tokens must rotate after a maximum of 180 days.
Service account tokens must rotate after a maximum of 365 days (1 year).
Both human users and service account users can create tokens from My Account → Security, with the maximum lifetime defined by the Admin via Token maximum lifetime.
We are expecting to set different token maximum lifetimes for human users and service accounts per company security policy. However, SonarQube cannot distinguish human users from service accounts, so we can only set a single global token maximum lifetime for all accounts. To comply with the security policy for both human users and service accounts, our Sonar Admin had to set the token maximum lifetime to 90 days (since no separate setting is available, and 180 days would comply for both account types, but 180 days is not available in the current list).
Refreshing the Sonar token every 90 days is tedious and unnecessary. To decrease the maintenance effort, we would prefer a 180 days token maximum lifetime for both human users and service accounts.
Arbitrary expiration is not mandatory if additional 180 days option is available.
Human users are supposed to log in to the Sonar Web UI and check reports. Sometimes a human user also creates a token for Sonar automation purposes.
Service accounts are intended to be used for Sonar automation (e.g. CI/CD pipeline Sonar scan) with a token. A service account is a team shared account which belongs to the team admin only.
Company IT security policy requires human users to rotate passwords/tokens at least every 180 days.
For service accounts, the potential token leak risk is lower than for human accounts, therefore the security policy only requires a rotation period of 365 days to save maintenance effort (refreshing the token and re-configuring the new token in the CI/CD pipeline).
The different lifetime for each account type is defined by company security policy.
A 180 days lifetime complies with the security policy for both human users (180 days) and service accounts (less than 365 days).
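As an added example (not code from this thread or from SonarSource), the following script shows the two pieces of reasoning in the post above as something an admin can actually run: picking the longest offered global lifetime that still satisfies the strictest per-type rotation limit (which is how 90 days ends up being chosen), and auditing a list of tokens against the 180/365 day limits. Since SonarQube itself does not distinguish human users from service accounts, the `svc-` login prefix used to classify accounts is an assumed naming convention, and the token records are constructed sample data shaped like a per-user token listing, not real output.

```python
from datetime import datetime, timezone

# Rotation limits stated in the thread (days): human users 180, service accounts 365.
POLICY_DAYS = {"human": 180, "service": 365}

# Lifetime options offered by the setting, per the thread. None stands for "No expiration".
OFFERED_LIFETIMES = [30, 90, 365, None]


def pick_global_lifetime(offered, policy):
    """Largest offered finite lifetime that does not exceed the strictest policy limit.

    With one global setting and no 180-day option, this yields 90 days: the longest
    choice that keeps every account type compliant.
    """
    strictest = min(policy.values())
    candidates = [d for d in offered if d is not None and d <= strictest]
    if not candidates:
        raise ValueError("no offered lifetime satisfies the policy")
    return max(candidates)


def classify_account(login):
    """Assumed convention: service account logins carry an 'svc-' prefix.

    SonarQube does not expose an account type, so a convention like this (or an
    external inventory) is needed for per-type auditing.
    """
    return "service" if login.startswith("svc-") else "human"


def audit_tokens(tokens, now, policy=POLICY_DAYS):
    """Flag tokens whose age exceeds the rotation limit for their account type.

    Each token is a dict with 'login', 'name' and 'createdAt' (ISO 8601 with offset).
    Returns a list of findings: (login, name, age_days, limit_days, compliant).
    """
    findings = []
    for tok in tokens:
        created = datetime.fromisoformat(tok["createdAt"])
        age = (now - created).days
        limit = policy[classify_account(tok["login"])]
        findings.append((tok["login"], tok["name"], age, limit, age <= limit))
    return findings


# Constructed sample records (not real data) shaped like a per-user token listing.
SAMPLE_TOKENS = [
    {"login": "alice", "name": "ci-token", "createdAt": "2024-01-01T00:00:00+00:00"},
    {"login": "svc-build", "name": "pipeline", "createdAt": "2024-01-01T00:00:00+00:00"},
    {"login": "bob", "name": "local-scan", "createdAt": "2024-05-01T00:00:00+00:00"},
]

# Fixed "now" so the audit result is reproducible.
NOW = datetime(2024, 7, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("global setting that satisfies both limits:",
          pick_global_lifetime(OFFERED_LIFETIMES, POLICY_DAYS))
    for login, name, age, limit, ok in audit_tokens(SAMPLE_TOKENS, NOW):
        print(f"{login}/{name}: {age} days old, limit {limit}, "
              f"{'compliant' if ok else 'ROTATE'}")
```

Run as-is, the audit flags alice's 211-day-old token (over the 180-day human limit) while the same-age service account token is still within its 365-day limit, which is exactly the distinction the global setting cannot express.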
Thanks for providing some explanation and for bringing this to our attention. We take your feedback into consideration. We will track the interest in this feature from now on.
Hi Alexander & Ann,
Thanks very much for your understanding and support!
Looking forward to the additional 180 days option for token maximum lifetime being available in an upcoming SonarQube Enterprise release.