As an administrator, you can control how long different users can access the Google Cloud Platform (GCP) Console and Cloud SDK without having to sign in again. For example, for users who work remotely, you might want to limit the time that they can access sensitive resources. If you set a session length, they’re prompted to sign in again to start a new session.
In addition to the GCP Console and Cloud SDK, the session length setting also applies to:
- The gcloud command-line tool
- Any application that requires user authorization for Cloud admin scopes
Note: The session length setting does not apply to the Cloud Console mobile app.
When and how users sign in
If you need some users to sign in more frequently than others, place them in different organizational units. Then, apply different session lengths to them. That way, certain users won’t be interrupted to sign in again when it isn’t necessary.
If you require a security key, users who do not have one cannot use the GCP Console or Cloud SDK until they set it up. Once they have a security key, they can switch to using their password instead if they want.
Third-party identity providers
- With the GCP Console—If you require a user to sign in again using their password, they’re redirected to the identity provider (IdP) for signing in. The IdP might not require the user to re-enter their password to start another GCP Console session. Therefore, we recommend that you set short session lengths when you use a third-party IdP.
If a user must sign in again by touching their security key, they can do this in the GCP Console. They will not be redirected to the IdP.
- With the Cloud SDK—If you require a user to sign in again using their password, they will not be redirected to the IdP. To sign in again, they enter the gcloud auth login command and then complete the authentication with the IdP.
If a user must sign in again by touching their security key, they can do this in the Cloud SDK. They will not be redirected to the IdP.
This feature is available with all G Suite and Cloud Identity licenses.
Set session durations
- From the Admin console Home page, go to Security > Google Cloud session control.
To see Security on the Home page, you might have to click More controls at the bottom.
- On the left, select the organizational unit where you want to set session length.
For all users, select the top-level organizational unit. Initially, an organizational unit inherits the settings of its parent.
- Under Session duration, select Set session duration and from the list under the option, select a session length.
The minimum length allowed is one hour, and the maximum is 24 hours. The length does not include how long a user has been inactive in the session. It is the fixed time that elapses before the user needs to sign in again.
- Under Re-authentication method, select Password or Security key to specify how the user needs to sign back in.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
  - Inherit—Reverts to the same setting as its parent.
  - Save—Saves your new setting (even if the parent setting changes).
It might take up to 24 hours for the settings to be applied.