Session controls let you configure how often users must re-authenticate after being granted access and whether a full login, password only, or hardware security key is required.
You can apply session controls to do the following:
- Enforce frequent re-authentication for privileged users: Require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
- Configure longer sessions for certain applications: Allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.
Define session length and re-authentication methods
You can define session controls when creating an Access Context Manager binding. For more information about the session controls, see Apply policies to user groups using access bindings.
gcloud
Set default session controls for all applications
Use the --session-length flag to set the session duration. The value can range from 0 to 24 hours. Specify the duration using the ISO 8601 duration format. For example, use "12H30M5S" to set a session that is 12 hours, 30 minutes, and 5 seconds long. Use the --session-reauth-method flag to specify the re-authentication method. For example, you can set a session duration of 30 minutes (30m) and a LOGIN, PASSWORD, or SECURITY_KEY re-authentication method. These settings apply to all applications unless overridden by application-specific settings.
Set application-specific session controls
Define scopedAccessSettings in a YAML file to specify session controls for specific applications by clientId. This lets you override the default session controls for those applications. You can then pass the YAML file using the --binding-file flag.
API
Define the sessionLength and sessionReauthMethod fields within the sessionSettings object in the JSON body of your POST request to create or update a GcpUserAccessBinding.
- sessionLength is the length of the session, between 0 and 24 hours. The value must be a string consisting of an integer between 0 and 86400, followed immediately by the letter 's' (for example, "7200s").
- sessionReauthMethod can be LOGIN, PASSWORD, or SECURITY_KEY.
- Use scopedAccessSettings to define application-specific session controls. See Define configurations for specific applications for details.
Terraform
Within the Terraform Google Cloud User Access Binding resource, populate the session_settings argument to configure general session length controls that apply to all user traffic:
- session_length: The duration of the session in seconds. For example, 900s sets the session length to 15 minutes. The 's' at the end is required.
- session_length_enabled: Set to false to disable the specified session settings.
- session_reauth_method: The type of authentication challenge that's used to refresh credentials. The options are LOGIN, PASSWORD, or SECURITY_KEY.
- use_oidc_max_age: An advanced field that configures whether the session honors an optional OIDC maximum age parameter, which is specified if the authenticating credential is an OAuth token.
Key considerations when defining session controls:
- Only the most recently created access binding that matches the request is used when resolving session control settings.
Example policy configuration
The following example shows how to create a session control that requires re-authentication every 18 hours with LOGIN, and every two hours with SECURITY_KEY for a specific application (SENSITIVE_APP_ID).
Default settings
The --level, --session-length, and --session-reauth-method flags in the Google Cloud CLI command (or the corresponding fields in the JSON body for the API call) set the default behavior for all applications not explicitly defined in scopedAccessSettings.
Application-specific settings
The scopedAccessSettings section in the YAML file (or JSON body) lets you override the default settings for specific applications. In the example, we set a two-hour re-authentication requirement with SECURITY_KEY for the application with the client ID SENSITIVE_APP_ID.
To exempt certain apps from session control, set the sessionLength field to 0s or sessionLengthEnabled to false. The sessionReauthMethod value is then ignored.
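The precedence rules from the default, application-specific and exemption paragraphs above, together with the session-length formats described in the gcloud and API sections, as an added Python example (not Google's code and not part of this page): a small resolver that keeps only the most recently created matching binding, applies any scopedAccessSettings override for the app's clientId, honours the 0s / sessionLengthEnabled: false exemption, and converts gcloud-style durations to the "<integer>s" form the API requires. The createTime field used for ordering, the REPORTING_APP_ID and OTHER_APP_ID client IDs and the sample bindings are constructed assumptions, and so is the choice that a scoped entry without its own sessionSettings falls back to the binding's default.

```python
"""Resolve the effective session control for one request (added example, not Google's code).

Rules applied, as stated in the docs:
  1. only the most recently created access binding that matches the request is used
     (ordering here assumes a createTime timestamp on each binding);
  2. a scopedAccessSettings entry whose clientId matches the app overrides the default;
  3. sessionLength "0s" or sessionLengthEnabled: false exempts the app, and
     sessionReauthMethod is then ignored.
Durations are accepted in the gcloud form ("18h", "30m", "12H30M5S") and the API form ("7200s").
"""
import re
from datetime import datetime
from typing import Optional

REAUTH_METHODS = {"LOGIN", "PASSWORD", "SECURITY_KEY"}
MAX_SESSION_SECONDS = 24 * 3600

# Optional hours, minutes and seconds components; case-insensitive so "12H30M5S" parses.
_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$", re.IGNORECASE)


def parse_duration_seconds(value: str) -> int:
    """Return the number of seconds in a duration string, rejecting values above 24 hours."""
    text = value.strip()
    match = _DURATION_RE.match(text)
    if not text or match is None:
        raise ValueError(f"unrecognised duration: {value!r}")
    hours, minutes, seconds = (int(part) if part else 0 for part in match.groups())
    total = hours * 3600 + minutes * 60 + seconds
    if total > MAX_SESSION_SECONDS:
        raise ValueError(f"session length must be between 0 and 24 hours, got {value!r}")
    return total


def to_api_duration(value: str) -> str:
    """Rewrite any accepted duration as the "<integer>s" string the API requires."""
    return f"{parse_duration_seconds(value)}s"


def validate_session_settings(settings: dict) -> None:
    """Check a sessionSettings object against the field constraints in the docs."""
    parse_duration_seconds(settings.get("sessionLength", "0s"))
    method = settings.get("sessionReauthMethod")
    if method is not None and method not in REAUTH_METHODS:
        raise ValueError(f"sessionReauthMethod must be one of {sorted(REAUTH_METHODS)}, got {method!r}")


def effective_session_control(bindings: list, group_keys: set, client_id: str) -> Optional[dict]:
    """Return {"sessionLength": seconds, "sessionReauthMethod": ...} for this request,
    or None when no session control applies (no matching binding, or the app is exempt)."""
    matching = [b for b in bindings if b["groupKey"] in group_keys]
    if not matching:
        return None
    # Rule 1: the newest matching binding wins; older ones are ignored entirely.
    binding = max(matching, key=lambda b: datetime.fromisoformat(b["createTime"]))
    settings = binding.get("sessionSettings", {})
    # Rule 2: an application-specific entry replaces the default for that clientId
    # (falling back to the default when the entry carries no sessionSettings is an assumption).
    for scoped in binding.get("scopedAccessSettings", []):
        app = scoped["scope"]["clientScope"]["restrictedClientApplication"]
        if app.get("clientId") == client_id and "sessionSettings" in scoped["activeSettings"]:
            settings = scoped["activeSettings"]["sessionSettings"]
            break
    validate_session_settings(settings)
    length = parse_duration_seconds(settings.get("sessionLength", "0s"))
    # Rule 3: 0s or sessionLengthEnabled=false means exempt; the reauth method is ignored.
    if length == 0 or not settings.get("sessionLengthEnabled", True):
        return None
    return {"sessionLength": length, "sessionReauthMethod": settings.get("sessionReauthMethod")}


# Constructed sample bindings mirroring the page's example: an older binding with a 30-minute
# PASSWORD default, and a newer one with an 18-hour LOGIN default, a two-hour SECURITY_KEY
# override for SENSITIVE_APP_ID, and an exempted REPORTING_APP_ID (placeholder IDs).
SAMPLE_BINDINGS = [
    {
        "groupKey": "GROUP_ID",
        "createTime": "2024-01-10T09:00:00+00:00",
        "sessionSettings": {"sessionLength": "1800s", "sessionReauthMethod": "PASSWORD"},
    },
    {
        "groupKey": "GROUP_ID",
        "createTime": "2024-03-05T12:00:00+00:00",
        "sessionSettings": {"sessionLength": "64800s", "sessionReauthMethod": "LOGIN"},
        "scopedAccessSettings": [
            {
                "scope": {"clientScope": {"restrictedClientApplication": {"clientId": "SENSITIVE_APP_ID"}}},
                "activeSettings": {"sessionSettings": {
                    "sessionLength": "7200s", "sessionReauthMethod": "SECURITY_KEY", "sessionLengthEnabled": True}},
            },
            {
                "scope": {"clientScope": {"restrictedClientApplication": {"clientId": "REPORTING_APP_ID"}}},
                "activeSettings": {"sessionSettings": {"sessionLength": "0s", "sessionReauthMethod": "LOGIN"}},
            },
        ],
    },
]

if __name__ == "__main__":
    for app in ("SENSITIVE_APP_ID", "REPORTING_APP_ID", "OTHER_APP_ID"):
        print(app, effective_session_control(SAMPLE_BINDINGS, {"GROUP_ID"}, app))
    print(to_api_duration("12H30M5S"))
```

Running the module shows SENSITIVE_APP_ID resolving to 7200 seconds with SECURITY_KEY, REPORTING_APP_ID resolving to no control, and any other app inheriting the newer binding's 18-hour LOGIN default; the older 30-minute PASSWORD binding never takes effect, which is the behaviour to expect when an older, stricter binding is shadowed by a newer, looser one.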
gcloud
The settings configuration:
scopedAccessSettings:
  - scope:
      clientScope:
        restrictedClientApplication:
          clientId: SENSITIVE_APP_ID
    activeSettings:
      sessionSettings:
        sessionLength: 7200s
        sessionReauthMethod: SECURITY_KEY
        sessionLengthEnabled: true
Create the access binding:
gcloud access-context-manager cloud-bindings create \
  --organization ORG_ID \
  --group-key GROUP_ID \
  --binding-file BINDING_FILE_PATH \
  --level DEFAULT_ACCESS_LEVEL \
  --session-length 18h \
  --session-reauth-method LOGIN
API
JSON body:
{
  "groupKey": "GROUP_ID",
  "accessLevels": [
    "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
  ],
  "sessionSettings": {
    "sessionLength": "64800s",
    "sessionReauthMethod": "LOGIN"
  },
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "clientId": "SENSITIVE_APP_ID"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
        ],
        "sessionSettings": {
          "sessionLength": "7200s",
          "sessionReauthMethod": "SECURITY_KEY",
          "sessionLengthEnabled": true
        }
      }
    }
  ]
}
POST request:
POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
Terraform
To specify a session length for access requests from users in the group identified by "Group Key" across all apps:
resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
  organization_id = "{Organization ID}"
  group_key       = "{Group Key}"
  session_settings {
    session_length         = "1800s"
    session_length_enabled = true
    session_reauth_method  = "LOGIN"
    use_oidc_max_age       = false
  }
}
To specify a session length for requests from users in a specific Google Group using a specific app, such as the Google Cloud console, populate the appropriate scoped_access_settings argument with a session_settings argument in active_settings. The sub-arguments within session_settings are identical to those of the top-level argument.
resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
  organization_id = "{Organization ID}"
  group_key       = "{Group Key}"
  scoped_access_settings {
    scope {
      client_scope {
        restricted_client_application {
          name = "Cloud Console"
        }
      }
    }
    active_settings {
      session_settings {
        session_length         = "1800s"
        session_length_enabled = true
        session_reauth_method  = "LOGIN"
        use_oidc_max_age       = false
      }
    }
  }
}