As an administrator, you can control how long different users can access the Google Cloud Platform (GCP) Console and Cloud SDK without having to re-authenticate. For example, for users that work remotely, you might want to limit the time that they can access sensitive resources. If you set a session length, they’re prompted to sign in again to start a new session.
The session length setting applies to:
- GCP Console
- The gcloud command-line tool (Cloud SDK)
- Any applications (including third-party applications and your own) that require user authorization for Cloud Platform scopes. To review the apps requiring Cloud Platform scopes in the Apps access control UI, see Control which third-party & internal apps access Google Workspace data.
Note: This feature is recommended in addition to the related Google session control feature, which applies a session length to all Google web properties. This Beta feature lets you configure a different session length specifically for GCP sessions, and it also covers non-web Cloud SDK sessions. The session length setting does not apply to the Cloud Console mobile app.
Set session durations
From the Admin console Home page, go to Security > Google Cloud session control.
- On the left, select the organizational unit where you want to set session length.
  For all users, select the top-level organizational unit. Initially, an organizational unit inherits the settings of its parent.
- Under Session duration, select Set session duration, and choose the duration from the drop-down list.
  The minimum length allowed is 1 hour, and the maximum is 24 hours. The length is not an inactivity timeout: it is the fixed time, counted from sign-in regardless of activity, after which the user needs to sign in again.
  You can also check the Exempt trusted apps box to exempt trusted apps from re-authentication. (Trusted apps are marked as Trusted on the App access control page. For more details, see When and how to use the 'Exempt trusted apps' feature below. See also Control which third-party & internal apps access Google Workspace data.)
- Under Re-authentication method, select Password or Security key to specify how the user needs to re-authenticate.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
  - Inherit—Reverts to the same setting as its parent.
  - Save—Saves your new setting (even if the parent setting changes).
It might take up to 24 hours for the settings to be applied.
When and how to use the 'Exempt trusted apps' feature
The re-authentication policy you configure here applies to all Google and third-party apps that access GCP resources by requiring the cloud-platform scope. For instructions on reviewing the apps currently in use by your organization, see Control which third-party & internal apps access Google Workspace data. Make sure you filter for apps that require the Cloud Platform service.
During review, you may find some applications that you don't want to interrupt with a re-authentication requirement. For example, there may be an application that runs server-side but with user credentials rather than a service account. Such applications cannot complete a re-authentication challenge because no user is present on the server. Ideally, these apps would use service account credentials; to temporarily allow them to keep working without re-authentication, add them to the Trusted apps list in Apps access control and enable the Exempt trusted apps checkbox in the Cloud session control setting.
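One way to find server-side jobs that would break under this policy before you enable it: classify the Application Default Credentials (ADC) file each host runs with. This is an added example, not code from the help page or from Google; the host names and ADC contents are constructed, and the only fact relied on is that a credential obtained with gcloud auth application-default login carries "type": "authorized_user", whereas service-account and workload-identity credentials carry "service_account" or "external_account".

```python
import json

# "type" values found in an Application Default Credentials (ADC) JSON file.
USER_CREDENTIAL = "authorized_user"                   # produced by gcloud auth application-default login
SERVER_CREDENTIALS = {"service_account", "external_account"}


def classify_adc(adc_json: str) -> str:
    """Return 'user', 'service' or 'invalid' for the contents of one ADC file."""
    try:
        data = json.loads(adc_json)
    except json.JSONDecodeError:
        return "invalid"
    ctype = data.get("type") if isinstance(data, dict) else None
    if ctype == USER_CREDENTIAL:
        return "user"
    if ctype in SERVER_CREDENTIALS:
        return "service"
    return "invalid"


def hosts_needing_migration(inventory: dict[str, str]) -> list[str]:
    """Hosts whose ADC is a user credential.

    Once the configured session length elapses these jobs cannot answer the
    re-authentication challenge, so move them to a service account (or, as a
    stopgap, mark the app as Trusted and enable 'Exempt trusted apps')."""
    return sorted(host for host, blob in inventory.items() if classify_adc(blob) == "user")


# Constructed sample inventory: ADC file contents collected from three servers.
SAMPLE_INVENTORY = {
    "batch-01": json.dumps({"type": "authorized_user", "client_id": "x",
                            "client_secret": "y", "refresh_token": "z"}),
    "batch-02": json.dumps({"type": "service_account",
                            "client_email": "job@example.iam.gserviceaccount.com"}),
    "batch-03": "not json at all",   # a corrupt or hand-edited file
}

if __name__ == "__main__":
    for host in hosts_needing_migration(SAMPLE_INVENTORY):
        print(f"{host}: runs with user credentials; will be interrupted by re-authentication")
```

The ADC file lives at the path in GOOGLE_APPLICATION_CREDENTIALS or at ~/.config/gcloud/application_default_credentials.json; the Apps access control page remains the authoritative list of apps using the cloud-platform scope.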
When and how users sign in
If you need some users to sign in more frequently than others, place them in different organizational units. Then, apply different session lengths to them. That way, certain users won’t be interrupted to sign in again when it isn’t necessary.
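The model below is an added example (not code from the help page or from Google) that works through the rules described above and in the Set session durations steps: the 1 to 24 hour limits, the two re-authentication methods, an organizational unit on Inherit taking the nearest overridden ancestor's setting, and the session length being fixed from sign-in rather than an inactivity timeout. The organizational unit tree and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_HOURS, MAX_HOURS = 1, 24                   # limits stated for the setting
REAUTH_METHODS = {"password", "security_key"}

@dataclass
class SessionPolicy:
    """An explicit 'Set session duration' choice on one organizational unit."""
    hours: int
    reauth: str = "password"
    exempt_trusted_apps: bool = False

    def __post_init__(self) -> None:
        if not MIN_HOURS <= self.hours <= MAX_HOURS:
            raise ValueError(f"session length must be {MIN_HOURS}-{MAX_HOURS} h, got {self.hours}")
        if self.reauth not in REAUTH_METHODS:
            raise ValueError(f"unknown re-authentication method: {self.reauth!r}")

@dataclass
class OrgUnit:
    name: str
    parent: Optional["OrgUnit"] = None
    override: Optional[SessionPolicy] = None   # None means Inherit from the parent

def effective_policy(ou: OrgUnit) -> Optional[SessionPolicy]:
    """Nearest overridden setting walking up the tree; None if nothing is set anywhere."""
    node: Optional[OrgUnit] = ou
    while node is not None:
        if node.override is not None:
            return node.override
        node = node.parent
    return None

def session_expired(policy: SessionPolicy, signed_in_at: datetime, now: datetime) -> bool:
    """The length is fixed wall-clock time from sign-in; user activity does not extend it."""
    return now >= signed_in_at + timedelta(hours=policy.hours)

def demo() -> dict:
    # Constructed tree: top level 24 h / password; 'Remote' overridden to 4 h with a
    # security key and trusted apps exempted; 'Contractors' under it left on Inherit.
    root = OrgUnit("example.com", override=SessionPolicy(24))
    remote = OrgUnit("Remote", parent=root, override=SessionPolicy(4, "security_key", True))
    contractors = OrgUnit("Contractors", parent=remote)
    pol = effective_policy(contractors)
    t0 = datetime(2024, 1, 1, 9, 0)
    return {"root_hours": effective_policy(root).hours, "contractor_hours": pol.hours,
            "contractor_reauth": pol.reauth,
            "expired_after_4h": session_expired(pol, t0, t0 + timedelta(hours=4)),
            "expired_before_4h": session_expired(pol, t0, t0 + timedelta(hours=3, minutes=59))}
```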
If you require a security key, users who do not have one cannot use the GCP Console or Cloud SDK until they set it up. Once they have a security key, they can switch to using their password instead if they want.
Third-party identity providers
- With the GCP Console—If you require a user to re-authenticate using their password, they’re redirected to the IdP. The IdP might not require the user to re-enter their password to start another GCP Console session if the user already has an active session with the IdP, for example because another application has kept that session alive.
  If a user must re-authenticate by touching their security key, they can do this in the GCP Console. They will not be redirected to the IdP.
- With the Cloud SDK—If a password is required for re-authentication, gcloud will require the user to execute the gcloud auth login command to renew the session. This opens a browser window, and the user is taken to the IdP, where they may be prompted for credentials if there's no active session with the IdP.
  If a user must re-authenticate by touching their security key, they can do this in the Cloud SDK. They will not be redirected to the IdP.