Support for short-lived access tokens

[smithrobs]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

It would be nice to have support for short-lived access tokens.

Example:

import * as service from "@pulumi/pulumiservice";

const accessToken = new service.AccessToken("token", {
    description: "example-accesstoken",
    expires: 1724375054 // (GMT): Friday, August 23, 2024 1:04:14 AM
});

[yenoromm]

Just to add fuel to the fire, is a fixed point in time like suggested above the most maintainable approach for users? It seems pretty static, how do we as users handle the rotation of this? Through some bespoke imperative function?

My suggestion would be keep it more aligned with something like the tls provider and certificates. Specify an expiry time period (hours/days/months etc) and have an early renewal period so we don't wait for it to expire before renewing. Unknown to me is how Pulumi cloud handle revoking tokens whilst in use, it may cause an error if the token is in active use at the time of replacement but waiting for it to expire seems equally as breaking. I think something like this would be easier to consume as a user:

import pulumi_pulumiservice as pulumiservice

pulumiservice.AccessToken(
    "token",
    description = "example-accesstoken",
    active_hours = 720,
    early_replacement_hours = 48
)