Configure session controls for re-authentication

Session controls let you configure how often users must re-authenticate after being granted access and whether a full login, password only, or hardware security key is required.

You can apply session controls to do the following:

  • Enforce frequent re-authentication for privileged users: Require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
  • Configure longer sessions for certain applications: Allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.

Define session length and re-authentication methods

You can define session controls when creating an Access Context Manager binding. For more information about the session controls, see Apply policies to user groups using access bindings.

gcloud

  • Set default session controls for all applications

    Use the --session-length flag to set the session duration. The value can range from 0 to 24 hours. Specify the duration using the ISO 8601 duration format. For example, use "12H30M5S" to set a session that is 12 hours, 30 minutes, and 5 seconds long. Use the --session-reauth-method flag to specify the re-authentication method. For example, you can set a session duration time of 30 minutes (30m) and a LOGIN, PASSWORD, or SECURITY_KEY re-authentication method.

    This will be applied to all applications unless overridden by application-specific settings.

  • Set application-specific session controls

    Define scopedAccessSettings in a YAML file to specify session controls for specific applications using clientId. This lets you override the default session controls for those applications. You can then pass the YAML file using the --binding-file flag.

API

Define the sessionLength and sessionReauthMethod fields within the sessionSettings object in the JSON body of your POST request to create or update a GcpUserAccessBinding binding.

  • sessionLength is the length of the session between 0 and 24 hours. The value must be a string and consist of an integer between 0 and 86400, followed immediately by the letter 's'.
  • sessionReauthMethod can be LOGIN, PASSWORD, or SECURITY_KEY.
  • Use scopedAccessSettings to define application-specific session controls. See Define configurations for specific applications for details.

Terraform

Within the Terraform Google Cloud User Access Binding resource, populate the session_settings argument to configure general session length controls that apply to all user traffic:

  • session_length: The duration of the session in seconds. For example, 900s sets the session length to 15 minutes. The 's' at the end is required.
  • session_length_enabled: Set to false to disable the specified session settings.
  • session_reauth_method: The type of authentication challenge that's used to refresh credentials. The options are LOGIN, PASSWORD, or SECURITY_KEY.
  • use_oidc_max_age: An advanced field that's used to configure whether the session honors an optional OIDC maximum age parameter, which is specified if the authenticating credential is an OAuth token.

Key considerations when defining session controls:

  • Only the most recently created access binding that matches the request is used when resolving session control settings.

Example policy configuration

The following example shows how to create a session control that requires re-authentication every 18 hours with LOGIN and every two hours for a specific application (SENSITIVE_APP_ID) with SECURITY_KEY.

Default settings

The --level, --session-length, and --session-reauth-method flags in the Google Cloud CLI command (or the corresponding fields in the JSON body for the API call) set the default behavior for all applications not explicitly defined in scopedAccessSettings.

Application-specific settings

The scopedAccessSettings section in the YAML file (or JSON body) lets you override the default settings for specific applications. In the example, we set a two hour re-authentication requirement with SECURITY_KEY for the application with the client ID SENSITIVE_APP_ID.

To exempt certain apps from session control, set the sessionLength field to 0s or sessionLengthEnabled to false. The sessionReauthMethod method will then be ignored.

gcloud

The settings configuration:

scopedAccessSettings:
  scope:
    clientScope:
      restrictedClientApplication:
        clientId: SENSITIVE_APP_ID
  activeSettings:
    sessionSettings:
      sessionLength: 7200s
      sessionReauthMethod: SECURITY_KEY
      sessionLengthEnabled: true

Create the access binding:

gcloud access-context-manager cloud-bindings create \
    --organization ORG_ID \
    --group-key GROUP_ID \
    --binding-file BINDING_FILE_PATH \
    --level DEFAULT_ACCESS_LEVEL
    --session-length 18h \
    --session-reauth-method LOGIN

API

JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [
    "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
  ],
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "clientId": "SENSITIVE_APP_ID"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
        ],
        "sessionSettings": [
          {
            "sessionLength": "2h",
            "sessionReauthMethod": "SECURITY_KEY",
            "sessionLengthEnabled": true
          }
        ]
      }
    }
  ]

Post request:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Terraform

To specify a session length for access requests from users coming from "Group Key" across all apps:

    resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
      organization_id = "{Organization ID}"
      group_key = "{Group Key}"
      session_settings {
        session_length = "1800s"
        session_length_enabled = true
        session_reauth_method = "LOGIN"
        use_oidc_max_age = false
      }

To specify a session length for requests from users coming from a specific Google Group using a specific app, such as the Google Cloud console, populate the appropriate scoped_access_settings argument with a session_settings argument in active_settings. The sub-arguments within session_settings are identical to the top level argument.

    resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
      organization_id = "{Organization ID}"
      group_key = "{Group Key}"
      scoped_access_settings {
        scope {
          client_scope {
            restricted_client_application {
              name = "Cloud Console"
            }
          }
        }
        active_settings {
          session_settings {
            session_length = "1800s"
            session_length_enabled = true
            session_reauth_method = "LOGIN"
            use_oidc_max_age = false
          }
        }
      }
    }