Configure session controls for re-authentication

Session controls let you configure how often users must re-authenticate after being granted access, and whether a full login, password only, or hardware security key is required.

You can apply session controls to do the following:

• Enforce frequent re-authentication for privileged users Require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
• Configure longer sessions for certain applications Allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.

Define session length and re-authentication methods

You can define session controls when creating an Access Context Manager binding. For details about the session controls, see Apply policies to user groups using access bindings.

Key considerations when defining session controls:

• You cannot specify the Google Cloud console using clientId. To enforce session controls for the Google Cloud console, define it as a default and then create exceptions for other applications.
• Only the most recently created access binding that matches the request is used when resolving session control settings.

Example policy configuration

Following is an example that demonstrates how to create a session control that requires re-authentication every 18 hours by default with LOGIN, and every two hours for a specific application (SENSITIVE_APP_ID) with SECURITY_KEY.

Default settings

The --level, --session-length, and --session-reauth-method flags in the Google Cloud CLI command (or the corresponding fields in the JSON body for the API call) set the default behavior for all applications not explicitly defined in scopedAccessSettings.

Application-specific settings

The scopedAccessSettings section in the YAML file (or JSON body) lets you override the default settings for specific applications. In the example, we set a two hour re-authentication requirement with SECURITY_KEY for the application with the client ID SENSITIVE_APP_ID.

To exempt certain apps from session control, set the sessionLength field to 0s or sessionLengthEnabled to false. The sessionReauthMethod method will then be ignored.

scopedAccessSettings:
  scope:
    clientScope:
      restrictedClientApplication:
        clientId: SENSITIVE_APP_ID
  activeSettings:
    sessionSettings:
      sessionLength: 7200s
      sessionReauthMethod: SECURITY_KEY
      sessionLengthEnabled: true

gcloud access-context-manager cloud-bindings create \
    --organization ORG_ID \
    --group-key GROUP_ID \
    --binding-file BINDING_FILE_PATH \
    --level DEFAULT_ACCESS_LEVEL
    --session-length 18h \
    --session-reauth-method LOGIN

{
  "groupKey": "GROUP_ID",
  "accessLevels": [
    "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
  ],
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "clientId": "SENSITIVE_APP_ID"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
        ],
        "sessionSettings": [
          {
            "sessionLength": "2h",
            "sessionReauthMethod": "SECURITY_KEY",
            "sessionLengthEnabled": true
          }
        ]
      }
    }
  ]

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings