This page describes scenarios in which you might need to authenticate again, even if you previously authenticated successfully.
Google Workspace session configuration
If you are accessing Google Cloud by using a Google Workspace user account, your Google Workspace administrator can configure the maximum session length, and whether reauthentication is required when the session expires. The credentials provided by local Application Default Credentials (ADC) files also expire when the session expires. You must refresh them by running the gcloud auth application-default login command again.
If you have questions about your Google Workspace session configuration, contact your Google Workspace administrator. For information about setting the Google Workspace session length, see Set session length for Google Cloud services.
Identity-Aware Proxy reauthentication
IAP can be configured to require reauthentication to protected services and applications after a specific period of time. For more information, see IAP reauthentication.
Refresh token expiration
Refresh tokens can expire due to session length, or for other reasons. When they expire, you must authenticate again. For more information, see Refresh token expiration.
Sensitive actions
The following Google Cloud actions are considered sensitive actions:
- Billing assignment changes
- IAM allow policy changes at the organization, folder, or project level
To ensure that these sensitive actions aren't initiated by bad actors using stolen credentials, Google Cloud requires reauthentication as an extra layer of security.
Reauthentication for sensitive actions is in the process of rolling out across Google Cloud accounts. The rollout is expected to be complete in 2026.
When reauthentication is required
When you initiate a sensitive action, you are required to reenter your password or complete multi-factor authentication (MFA) if all of the following conditions are met:
- The action is initiated in the Google Cloud console.
- You have not reauthenticated in the last 15 minutes.
- Your user account is managed by Google.
User accounts managed by an external identity provider (IdP) and federated by using Workforce Identity Federation are not required to reauthenticate.
Disable reauthentication
Reauthenticating for sensitive actions is enabled by default. To apply for an exception, contact support with your reason for the exception.