# 38 Cloud session control + admin re-auth

> v0.0.3 · role: Prevent · [policy: #3 · #29](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Google Cloud sessions — the Cloud Console and gcloud/Cloud SDK — carry their own session policy, entirely separate from the Workspace web session. New Google Cloud customers get a 16-hour session length enforced by default, but older organizations may default to never requiring reauthentication — there, a stolen laptop or an exfiltrated token keeps working indefinitely. This forces re-authentication on a short timer (1 hour is the floor, 24 hours the ceiling), and the method matters: a password re-auth is defeated by a phished credential, a security key is not.

Documentation: [Set session length for Google Cloud services](https://knowledge.workspace.google.com/admin/security/set-session-length-for-google-cloud-services) · [Best practices for mitigating compromised OAuth tokens for Google Cloud CLI](https://docs.cloud.google.com/architecture/bps-for-mitigating-gcloud-oauth-tokens)

## Caveats

- This governs the Google Cloud console, gcloud, and any third-party or internal app requesting Google Cloud scopes (apps marked Trusted can be exempted via 'Exempt trusted apps') — but not the Google Cloud console mobile app. The Workspace web session is a different setting (№12), and setting one while assuming both are covered is the classic mistake.
- Service accounts and long-lived OAuth refresh tokens are not subject to session control — automation keeps working after the human session expires, which is the point and also the gap.
- Reauthentication is not re-authorization — an already-open gcloud operation continues to completion.

## Setup steps

1. Select the admin/privileged OU (organizational unit), then require reauthentication rather than leaving the session length at its default. — `Security › Access and data control › Google Cloud session control`

   - **Reauthentication policy** = Require reauthentication

2. Set the reauthentication frequency to the shortest value the admins will tolerate (1 hour is the floor; 24 hours is the ceiling). — `Security › Access and data control › Google Cloud session control`

   - **Reauthentication frequency** = 1 hour

3. Choose the reauthentication method — password alone lets a phished credential re-open the session; the security key path does not. — `Security › Access and data control › Google Cloud session control`

   - **Reauthentication method** = Security key (where FIDO2 is deployed) rather than Password

## How to verify

1. Leave a gcloud/console session past the configured window, then run any privileged command — it must demand re-authentication.

   ```
   gcloud projects list  # after expiry: prompts for reauth
   ```

## Settings screens

- Security > Access and data control > Google Cloud session control
  - console: https://admin.google.com/ac/security/reauth/admin-tools
  - screenshot: ../screenshots/admin.google.com/ac/security/reauth/admin-tools.png
