Control session length for Google Cloud Console and gcloud CLI

What’s changing 

We’re opening a public beta so G Suite, Google Cloud Platform (GCP), and Cloud Identity admins can set a fixed session duration for specific apps and services. After the session expires, users will need to re-enter their login credentials to continue to access:
Settings can be customized for specific organizational units.

Note that this is designed to work on the web. However, the settings will apply to authentication on all platforms, including the web and mobile apps where they exist. As a result, affected mobile apps may not work properly when the feature is enabled.

Who’s impacted 

Admins only

Why you’d use it 

Many apps and services include sensitive data, and it’s important that only specific users can access that information. By requiring re-authentication, you can make it more difficult for the wrong people to obtain that data if they gain unauthorized access to a device.

How to get started 

  • Admins: Find session length controls at Admin console > Security > Google Cloud session control (Beta). See our Help Center to learn more about how to set session length for Google Cloud services
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Additional details 

Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider, the cloud sessions will expire, but the user may be transparently reauthenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that the user is rechallenged for authentication, be sure to match the session timeout at the IdP with the session length you’d like to enforce.

Provides fixed-time controls (not activity-based) 
Note that the new session control is a fixed time limit—it does not look for session activity, or ‘idle time’. At this time, Google Cloud and G Suite do not support activity-based session expiry.

Re-authentication options 
When choosing a session length, admins will be able to choose:
  • Between a range of predefined session lengths, or set a custom session length. 
  • Whether users need regular login credentials (password and, if configured, 2-Step Verification), or require a security key to re-authenticate. 

Helpful links 

Help Center: Beta: Set session length for Google Cloud services 


Rollout details 

Available to all G Suite and Cloud Identity editions

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.

Stay up to date with G Suite launches