Long-lived ASTA_TOKEN for service accounts / bots (30-day expiry breaks unattended agents) #70

@gas2own

Problem

ASTA_TOKEN (the credential the asta-plugins skills authenticate with at runtime) currently expires after 30 days. That's fine for an interactive human who re-auths periodically, but it's a recurring failure mode for unattended service accounts and bots.

In gas2own we just plumbed ASTA_TOKEN through every environment that drives an agent — local docker-run, the GCP VM, and the Cloud Run dispatcher — via Secret Manager (gas2own-asta-token) so the baked asta-plugins skills can authenticate (see allenai/gas2own#163). The gas2own dispatcher runs fully unattended (triggered by Slack/GitHub events), so a 30-day expiry means:

  • the token silently goes stale, and
  • every skill call that needs Asta auth starts failing ~once a month, with
  • no human in the loop to notice or refresh it until something breaks.

Rotating a Secret Manager value every 30 days by hand isn't a viable operating model for a bot.

Ask

Provide a long-lived (or non-expiring / auto-renewable) token mechanism for service accounts and bots — something a headless agent can use without a 30-day manual refresh. Options worth considering:

  • A dedicated service-account token type with a long (or configurable) TTL.
  • A refresh-token / client-credentials flow the agent can run non-interactively to mint short-lived tokens on demand.
  • Documented rotation guidance if long-lived tokens are intentionally not offered, so consumers can automate renewal.

Context / links

  • gas2own PR: allenai/gas2own#163 (registers the asta-plugins skill catalog in all gas2own environments and wires ASTA_TOKEN through GCP/terraform).
  • Requested by @robe-ai2: "currently ASTA_TOKEN expires after 30 days ... we need a long-lived token for service accounts / bots going forward."
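
One way to catch the silent staleness described in this issue from a scheduled job, as an added example that is not part of the original issue or of asta-plugins: it reads the JSON printed by `gcloud secrets versions list gas2own-asta-token --format=json` and reports how much of the 30-day lifetime is left. Assumptions: the token was minted when its secret version was created, agents read the newest ENABLED version, and the 7-day warning margin, function names and sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=30)   # expiry stated in the issue
WARN_BEFORE = timedelta(days=7)  # assumed alerting margin, not from the issue

# Constructed sample of the JSON printed by
#   gcloud secrets versions list gas2own-asta-token --format=json
# (project number is a placeholder).
SAMPLE_VERSIONS = json.loads("""[
 {"name": "projects/000000000000/secrets/gas2own-asta-token/versions/3",
  "createTime": "2024-05-20T09:00:00.123456Z", "state": "DISABLED"},
 {"name": "projects/000000000000/secrets/gas2own-asta-token/versions/2",
  "createTime": "2024-05-01T09:00:00Z", "state": "ENABLED"},
 {"name": "projects/000000000000/secrets/gas2own-asta-token/versions/1",
  "createTime": "2024-04-01T09:00:00Z", "state": "DESTROYED"}
]""")


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp, dropping any fractional seconds."""
    whole = value.split(".")[0].rstrip("Z")
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def token_status(versions, now):
    """Return (level, whole_days_left) for the newest ENABLED version."""
    enabled = [v for v in versions if v.get("state") == "ENABLED"]
    if not enabled:
        return ("missing", None)  # nothing an agent could read
    created = max(parse_ts(v["createTime"]) for v in enabled)
    remaining = created + TOKEN_TTL - now
    if remaining <= timedelta(0):
        level = "expired"
    elif remaining <= WARN_BEFORE:
        level = "rotate-soon"
    else:
        level = "ok"
    return (level, remaining.days)


if __name__ == "__main__":
    level, days = token_status(SAMPLE_VERSIONS, datetime.now(timezone.utc))
    print(f"gas2own-asta-token: {level} (days left: {days})")
    # Non-zero exit lets a scheduler or CI job raise the alert.
    raise SystemExit(0 if level == "ok" else 1)
```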
