Configure session controls for re-authentication

Session controls let you configure how often users must re-authenticate after being granted access, and whether a full login, password only, or hardware security key is required.

You can apply session controls to do the following:

  • Enforce frequent re-authentication for privileged users: require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
  • Configure longer sessions for certain applications: allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.

Define session length and re-authentication methods

You can define session controls when creating an Access Context Manager binding. For details about the session controls, see Apply policies to user groups using access bindings.

gcloud

  • Set default session controls for all applications

    Use the --session-length flag to set the session duration and the --session-reauth-method flag to specify the re-authentication method. For example, you can set a session duration of 30 minutes (30m) and a LOGIN, PASSWORD, or SECURITY_KEY re-authentication method.

    These defaults apply to all applications unless overridden by application-specific settings.

  • Set application-specific session controls

    Define scopedAccessSettings in a YAML file to specify session controls for specific applications using client_id. This lets you override the default session controls for those applications. You can then pass the YAML file using the --binding-file flag.

API

Define the sessionLength and sessionReauthMethod fields within the sessionSettings object in the JSON body of your POST request to create or update a GcpUserAccessBinding binding. Use scopedAccessSettings to define application-specific session controls. See Define configurations for specific applications for details.

Key considerations when defining session controls:

  • You cannot specify the Google Cloud console using client_id. To enforce session controls for the Google Cloud console, define it as a default and then create exceptions for other applications.
  • Only the most recently created access binding that matches the request is used when resolving session control settings.

Example policy configuration

The following example creates session controls that require re-authentication every 18 hours by default with LOGIN, and every two hours for a specific application (SENSITIVE_APP_ID) with SECURITY_KEY.

Default settings

The --level, --session-length, and --session-reauth-method flags in the Google Cloud CLI command (or the corresponding fields in the JSON body for the API call) set the default behavior for all applications not explicitly defined in scopedAccessSettings.

Application-specific settings

The scopedAccessSettings section in the YAML file (or JSON body) lets you override the default settings for specific applications. In the example, we set a two-hour re-authentication requirement with SECURITY_KEY for the application with the client ID SENSITIVE_APP_ID.

gcloud

The settings configuration:

scopedAccessSettings:
  - scope:
      clientScope:
        restrictedClientApplication:
          client_id: SENSITIVE_APP_ID
    activeSettings:
      accessLevels:
        - accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME
      # sessionSettings is a single object, not a list
      sessionSettings:
        sessionLength: 2h
        sessionReauthMethod: SECURITY_KEY
        sessionLengthEnabled: true

Create the access binding:

gcloud access-context-manager cloud-bindings create \
    --organization ORG_ID \
    --group-key GROUP_ID \
    --binding-file BINDING_FILE_PATH \
    --level DEFAULT_ACCESS_LEVEL \
    --session-length 18h \
    --session-reauth-method LOGIN

API

JSON body (the top-level sessionSettings object carries the 18h LOGIN default; the scoped entry overrides it for SENSITIVE_APP_ID):

{
  "groupKey": "GROUP_ID",
  "accessLevels": [
    "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
  ],
  "sessionSettings": {
    "sessionLength": "18h",
    "sessionReauthMethod": "LOGIN",
    "sessionLengthEnabled": true
  },
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "client_id": "SENSITIVE_APP_ID"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
        ],
        "sessionSettings": {
          "sessionLength": "2h",
          "sessionReauthMethod": "SECURITY_KEY",
          "sessionLengthEnabled": true
        }
      }
    }
  ]
}

POST request:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
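The precedence rules above (defaults apply unless overridden per client_id; only the newest matching access binding counts) are easy to get wrong when several bindings exist. The following added Python model, which is not Google's code and not part of this page's original content, resolves the effective session control for a request against binding data shaped like the JSON body; the createTime field and the exact resolution order are assumptions for the illustration.

```python
# Added illustration (not Google's code): resolve which session control applies
# to a request, following the rules stated on the page. Assumptions: each
# binding carries a createTime (constructed here), the newest matching binding
# wins, and a scopedAccessSettings entry whose client_id matches the app
# overrides the binding-level default sessionSettings.
REAUTH_METHODS = {"LOGIN", "PASSWORD", "SECURITY_KEY"}

def parse_duration(text):
    """Convert a gcloud-style duration such as '30m', '2h' or '18h' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    if len(text) < 2 or text[-1] not in units or not text[:-1].isdigit():
        raise ValueError(f"bad duration: {text!r}")
    return int(text[:-1]) * units[text[-1]]

def validate_session(settings):
    """Reject values outside the methods and duration format the page allows."""
    method = settings["sessionReauthMethod"]
    if method not in REAUTH_METHODS:
        raise ValueError(f"unknown re-auth method {method!r}")
    parse_duration(settings["sessionLength"])
    return settings

def effective_session(bindings, client_id):
    """Return (sessionLength, sessionReauthMethod) for client_id, or None.

    bindings: the access bindings that match the request (group membership is
    assumed already checked). The most recently created one is used alone.
    """
    if not bindings:
        return None
    newest = max(bindings, key=lambda b: b["createTime"])  # ISO-8601 sorts as text
    chosen = newest.get("sessionSettings")                  # binding-level default
    for scoped in newest.get("scopedAccessSettings", []):
        app = scoped["scope"]["clientScope"]["restrictedClientApplication"]
        if app["client_id"] == client_id:                  # application-specific override
            chosen = scoped["activeSettings"]["sessionSettings"]
    if chosen is None or not chosen.get("sessionLengthEnabled", False):
        return None
    validate_session(chosen)
    return chosen["sessionLength"], chosen["sessionReauthMethod"]

# Constructed sample mirroring the page's example: 18h LOGIN default,
# 2h SECURITY_KEY for SENSITIVE_APP_ID.
SAMPLE_BINDING = {
    "createTime": "2024-01-01T00:00:00Z",
    "sessionSettings": {"sessionLength": "18h", "sessionReauthMethod": "LOGIN",
                        "sessionLengthEnabled": True},
    "scopedAccessSettings": [{
        "scope": {"clientScope": {"restrictedClientApplication":
                                  {"client_id": "SENSITIVE_APP_ID"}}},
        "activeSettings": {"sessionSettings": {
            "sessionLength": "2h", "sessionReauthMethod": "SECURITY_KEY",
            "sessionLengthEnabled": True}}}],
}
```

Feeding two bindings for the same group shows the trap: a newer binding without the scoped entry silently drops the 2h SECURITY_KEY requirement, because the older binding is no longer consulted.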