Session controls let you configure how often users must re-authenticate after being granted access, and whether a full login, password only, or hardware security key is required.
You can apply session controls to do the following:
- Enforce frequent re-authentication for privileged users: require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
- Configure longer sessions for certain applications: allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.
Define session length and re-authentication methods
You can define session controls when creating an Access Context Manager binding. For details about the session controls, see Apply policies to user groups using access bindings.
gcloud

Set default session controls for all applications

Use the --session-length flag to set the session duration and the --session-reauth-method flag to specify the re-authentication method. For example, you can set a session duration of 30 minutes (30m) and a LOGIN, PASSWORD, or SECURITY_KEY re-authentication method. This applies to all applications unless overridden by application-specific settings.

Set application-specific session controls

Define scopedAccessSettings in a YAML file to specify session controls for specific applications using clientId. This lets you override the default session controls for those applications. You can then pass the YAML file using the --binding-file flag.
API

Define the sessionLength and sessionReauthMethod fields within the sessionSettings object in the JSON body of your POST request to create or update a GcpUserAccessBinding binding. Use scopedAccessSettings to define application-specific session controls. See Define configurations for specific applications for details.
Key considerations when defining session controls:
- You cannot specify the Google Cloud console using clientId. To enforce session controls for the Google Cloud console, define it as a default and then create exceptions for other applications.
- Only the most recently created access binding that matches the request is used when resolving session control settings.
Example policy configuration

Following is an example that demonstrates how to create a session control that requires re-authentication every 18 hours by default with LOGIN, and every two hours for a specific application (SENSITIVE_APP_ID) with SECURITY_KEY.
Default settings

The --level, --session-length, and --session-reauth-method flags in the Google Cloud CLI command (or the corresponding fields in the JSON body for the API call) set the default behavior for all applications not explicitly defined in scopedAccessSettings.

Application-specific settings

The scopedAccessSettings section in the YAML file (or JSON body) lets you override the default settings for specific applications. In the example, we set a two-hour re-authentication requirement with SECURITY_KEY for the application with the client ID SENSITIVE_APP_ID.
gcloud

The settings configuration (BINDING_FILE_PATH):

scopedAccessSettings:
- scope:
    clientScope:
      restrictedClientApplication:
        clientId: SENSITIVE_APP_ID
  activeSettings:
    accessLevels:
    - accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME
    sessionSettings:
    - sessionLength: 2h
      sessionReauthMethod: SECURITY_KEY
      sessionLengthEnabled: true

Create the access binding:

gcloud access-context-manager cloud-bindings create \
  --organization ORG_ID \
  --group-key GROUP_ID \
  --binding-file BINDING_FILE_PATH \
  --level DEFAULT_ACCESS_LEVEL \
  --session-length 18h \
  --session-reauth-method LOGIN
API

JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [
    "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
  ],
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "clientId": "SENSITIVE_APP_ID"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
        ],
        "sessionSettings": [
          {
            "sessionLength": "2h",
            "sessionReauthMethod": "SECURITY_KEY",
            "sessionLengthEnabled": true
          }
        ]
      }
    }
  ]
}

POST request:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
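The following script is an added example, not Google's code or client library. It builds the binding body from the example above, validates the session length and re-authentication method before anything is sent, and models the two resolution rules stated under "Key considerations": a scopedAccessSettings entry overrides the default for its clientId, the Google Cloud console cannot be named by clientId and so always receives the default, and when several bindings match, only the most recently created one counts. The top-level sessionSettings object for the default, the accepted duration syntax (an integer plus s/m/h/d), the create_time field used to order bindings, and the use of None to stand for a console request are assumptions made for the example; the script does not call the API.

```python
"""Build and sanity-check a GcpUserAccessBinding body with session controls.

Added example: not Google's own code or client library. It constructs the
JSON body shown on this page, validates values locally, and models the
resolution rules the page states. It does not call the API; submit the
body with gcloud or a POST request as described in the text.
"""
import json
import re

REAUTH_METHODS = {"LOGIN", "PASSWORD", "SECURITY_KEY"}
# Assumption: session lengths are a single integer plus s/m/h/d (30m, 2h, 18h).
_DURATION_RE = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """Parse a session length like '18h' into seconds; reject anything else."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported session length: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def session_settings(length, method):
    """One sessionSettings entry, validated before it is serialised."""
    if method not in REAUTH_METHODS:
        raise ValueError(f"unknown sessionReauthMethod: {method!r}")
    duration_seconds(length)  # raises on a malformed length
    return {"sessionLength": length,
            "sessionReauthMethod": method,
            "sessionLengthEnabled": True}


def build_binding_body(group_key, policy_id, default_level, default_length,
                       default_method, scoped):
    """scoped: iterable of (client_id, access_level_name, length, method).

    Assumption: the default lives in a top-level sessionSettings object, as
    the API text on this page describes; scopedAccessSettings mirrors the
    page's JSON body exactly.
    """
    body = {
        "groupKey": group_key,
        "accessLevels": [f"accessPolicies/{policy_id}/accessLevels/{default_level}"],
        "sessionSettings": session_settings(default_length, default_method),
        "scopedAccessSettings": [],
    }
    seen = set()
    for client_id, level, length, method in scoped:
        # The console cannot be targeted by clientId, so an empty id is refused
        # rather than silently producing a scope that matches nothing.
        if not client_id or client_id in seen:
            raise ValueError(f"missing or duplicate clientId: {client_id!r}")
        seen.add(client_id)
        body["scopedAccessSettings"].append({
            "scope": {"clientScope": {
                "restrictedClientApplication": {"clientId": client_id}}},
            "activeSettings": {
                "accessLevels": [f"accessPolicies/{policy_id}/accessLevels/{level}"],
                "sessionSettings": [session_settings(length, method)],
            },
        })
    return body


def effective_session(body, client_id):
    """Which session settings apply to a request from client_id.

    client_id=None stands for the Google Cloud console, which the page says
    cannot be named via clientId and therefore always gets the default.
    """
    if client_id is not None:
        for entry in body["scopedAccessSettings"]:
            scoped_id = entry["scope"]["clientScope"][
                "restrictedClientApplication"]["clientId"]
            if scoped_id == client_id:
                return entry["activeSettings"]["sessionSettings"][0]
    return body["sessionSettings"]


def resolve_across_bindings(bindings, client_id):
    """Only the most recently created matching binding counts (page rule).

    bindings: list of (create_time, body); create_time is a constructed
    ISO-8601 string here, so string comparison orders them correctly.
    """
    _, newest = max(bindings, key=lambda item: item[0])
    return effective_session(newest, client_id)


# The page's own example: 18h/LOGIN by default, 2h/SECURITY_KEY for SENSITIVE_APP_ID.
EXAMPLE_BODY = build_binding_body(
    "GROUP_ID", "POLICY_ID", "DEFAULT_ACCESS_LEVEL", "18h", "LOGIN",
    [("SENSITIVE_APP_ID", "ACCESS_LEVEL_NAME", "2h", "SECURITY_KEY")])


def to_json(body):
    """Serialise the body as the JSON to send in the POST request."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    print(to_json(EXAMPLE_BODY))
    for app in ("SENSITIVE_APP_ID", "another-app", None):
        s = effective_session(EXAMPLE_BODY, app)
        print(f"{app or 'console'}: {s['sessionLength']} / {s['sessionReauthMethod']}")
```

Running the script prints the JSON body and then the resolved settings for the sensitive application (2h / SECURITY_KEY), for an unlisted application and for the console (both 18h / LOGIN). Validating the reauth method against the three values the page names catches a typo such as SECURITYKEY before the request is sent, and the duplicate-clientId check prevents two scoped entries from competing for the same application.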