Access tokens generated by the Vault Google Cloud secrets engine have a TTL of 60 minutes, even when a lower TTL is set for the Vault Google Cloud secrets engine.
An existing GCP secrets mount setup that's already working may resemble the following:
vault read gcp/config
Key Value
--- -----
identity_token_audience n/a
identity_token_ttl 0s
max_ttl 8m
service_account_email n/a
ttl 5m
vault read gcp/roleset/my-token-roleset
Key Value
--- -----
bindings map[//cloudresourcemanager.googleapis.com/projects/gcp-project-1:[roles/viewer]]
project gcp-project-1
secret_type access_token
service_account_email vaultmy-token-roles-1764946172@gcp-project-1.iam.gserviceaccount.com
token_scopes [https://www.googleapis.com/auth/cloud-platform]
vault read gcp/roleset/my-token-roleset/token
Key Value
--- -----
expires_at_seconds 1764949808
token ****.*.****nqXlhPbDuQ4XyaNiHlIiONVgkTkZq_trTjUPWbrgZq8OfrB7OQjydKIT__hxWZ0OZxj2Mp_dl7NGdqpbUCWu2JiRlcz3RUakTdp1crS8tQnntKnBtCEkPmIBA5k1bFJsBe0SsOCLrvLinGaFNkXdgpMI5vFDYSXlgIEZBdMWnooMZE9EFqUhwOZhIX-dEdx-q3QpLQFYHZzGk8QOV8aYSIz8nMtFtY1GxzzBmZsp6vbGvSfiJBrc6DFx4sApWiJrlqHdS9KWwrfDQ-flLeYYGJY1nq5CaDcQGJVquVJG4vucatH9xgMRG0FrWjuWt9Dc8HA5jpNgO_KeqeoCC7uN-7r0-EXHJ7fNX1HgQixfb11eTzjwuWEg-nRAH387PF72XUrx1jbhdukk0pguXpzJ19sW6YoeWkw5B1st2mOg4jQI4qv1RI5SR2WXu-l3bRfVJeWMiyZ8VwfRSXyjSoVQ_YbWkr-v9Mnou4Z5tfII-qRdcupvfsBpsJX3735fikFrZFZ8ibiyotSloSt9tZvQUsURm-XkmV5wdugIFdIFIVgV6uZ9S3M6_osmvwXjoJeqFMwWtvto627y3yqJdauQQsroimXmQdk-Sw4RFW5YRueZbomajoww2geyr2j5r-i6yS4leXIex80qSmlRrURWXJZjysS9iUn8UbsubaS6vU0ZrkwkF2BFyt2vRY_JrIYshehfmo58Vbi-oq8sJncFeSzdgXkOu1I799F3ca15358jisRi5s9aVWmxxsyIQv1l3MfYoIQl3lwSlp_XM4Me2uh8skJw4ObkWmqZ2gFWihkM3jlvhi11bjxcR5giz0165x4g0o6q4fttim66JXhRiiQteutwU1ttuJV9zWw-zS-9JqVpw8bsJpyXxBMUMqJm5nsjbny7-bWIcd-rrRgg3qxSadequJ-9Z_BJ9tt8UvXmfhufb6UB0tJlyn4iygoljoveZqQMgJ_drWWmBX6dddOvqySzqzv_y6t9MUc-ugY_gsy2YYanq
token_ttl 59m58s
Cause
GCP user access tokens have a hard-coded TTL of 60 minutes in Google Cloud, therefore the TTL value specified for the Vault Google Cloud secrets engine is not applied when the secret_type of a RoleSet is set to access_token. When the RoleSet is configured for a different secret_type, such as service_account_key, the TTL value specified for the Vault Google Cloud secrets engine is applied.
Additionally, when the secret_type is set to access_token, Vault doesn't create leases for the issued secret. The access token will automatically expire after one hour. However, when the secret_type is set to service_account_key, leases are created within Vault and Vault is responsible for secret management, including expiry and revocation of the key from Google Cloud.
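A check for the mismatch described above, as an added example that is not part of the original article or Vault's own code: it parses the table output of the three vault read commands shown earlier and reports whether the issued token_ttl exceeds the mount's max_ttl. The function names and the sample strings are assumptions constructed from the values on this page, with the token redacted.

```python
import re

_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a duration as printed by the CLI ('5m', '59m58s') to seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def parse_table(output):
    """Parse the 'Key Value' table printed by `vault read` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and key not in ("Key", "---"):
            fields[key] = value.strip()
    return fields

def check_token_ttl(config_out, roleset_out, token_out):
    """Compare the TTL of an issued token with the mount's ttl/max_ttl."""
    config, roleset, token = map(parse_table, (config_out, roleset_out, token_out))
    issued = parse_duration(token["token_ttl"])
    limit = parse_duration(config["max_ttl"])
    return {
        "secret_type": roleset["secret_type"],
        "configured_ttl_s": parse_duration(config["ttl"]),
        "max_ttl_s": limit,
        "issued_ttl_s": issued,
        # Issue time recovered from the expiry, as epoch seconds.
        "issued_at": int(token["expires_at_seconds"]) - issued,
        # Assumption: a max_ttl of 0s is treated here as "no limit configured".
        "exceeds_max_ttl": limit > 0 and issued > limit,
    }

# Constructed sample input using the values shown above; token redacted.
CONFIG = "Key Value\n--- -----\nmax_ttl 8m\nttl 5m\n"
ROLESET = "Key Value\n--- -----\nproject gcp-project-1\nsecret_type access_token\n"
TOKEN = ("Key Value\n--- -----\nexpires_at_seconds 1764949808\n"
         "token <redacted>\ntoken_ttl 59m58s\n")

if __name__ == "__main__":
    for name, value in check_token_ttl(CONFIG, ROLESET, TOKEN).items():
        print(f"{name}: {value}")
```

With the values from this page the check reports an issued TTL of 3598 seconds against a max_ttl of 480 seconds for a RoleSet whose secret_type is access_token.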
Additional Information
Vault Documentation: Google Cloud secrets engine
Vault API Documentation: Google Cloud secrets engine (API)
GCP Access Token Documentation: Access Tokens