Setting limits for login sessions

Improve the security of your account by requiring account users to enter their login credentials at customized intervals. As an account owner or user assigned the administrator role for the Identity service, you can select the time that a user's active session can last before they need to enter their credentials again. You can also choose the duration that a user is inactive before they are signed out of their session and are required to enter their credentials again.

To review and end active sessions to help maintain the security of your account, see Monitoring your login sessions.

Before you begin

If you have the following access, you can update the settings for login sessions:

  • Account owners
  • Editor or administrator role on all account management services
  • Editor or administrator role on IAM identity service

If a user is a member of multiple accounts, the lowest value of each setting is applied to their session. For example, let's say a user is a member of two accounts: dev account and test account. If dev account has a 15 minute inactivity timeout, and test account has a 30 minute inactivity timeout, the 15 minute inactivity timeout is applied to both accounts.

Before you can set limits for login sessions by using Terraform, make sure that you have completed the following:

  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Setting duration of active sessions

An active session is how long a user is continuously working in their account. How an active session is gauged also depends on the duration of your sign out due to inactivity limit. For instance, if you set the sign out to 2 hours, then the user would need to interact with the account one time within those 2 hours.

To update your user's active sessions settings, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Settings.
  2. From the Login session section, click the Edit icon on the Active sessions tile.
  3. Enter the time limit. The longest a session can last is 720 hours.
  4. Click Save.

Setting duration of active sessions by using Terraform

An active session is how long a user is continuously working in their account. How an active session is gauged also depends on the duration of your sign out due to inactivity limit. For instance, if you set the sign out to 2 hours, then the user would need to interact with the account one time within those 2 hours.

To update your user's active sessions settings by using Terraform, complete the following steps:

  1. Create an argument in your main.tf file. The following example sets the duration of an active session by using the ibm_iam_account_settings resource, named iam_account_settings_instance.

  2. Enter the period of time in seconds in which you want a session to invalidate due to inactivity. Supported valid values are:

    • Any whole number between 900 and 7200.
    • Use NOT_SET to unset the account setting and use the service default.

    resource "ibm_iam_account_settings" "iam_account_settings_instance" {
      session_invalidation_in_seconds = "7200"
    }
    
  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      

For more information, see the Terraform documentation.

Setting session duration for trusted profiles

For more information, see Updating trusted profiles.

Setting the sign out due to inactivity duration

An inactive session is when the user hasn't completed any requests that send a token for validation for the duration selected. If the sign out due to inactivity duration is 1 hour, then the user will be signed out after an hour if they haven't done anything in their account in that time. To update your user's sign out due to inactivity settings, complete the following steps.

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Settings.
  2. From the Login session section, click the Edit icon on the Sign out due to inactivity tile.
  3. Enter the time limit. The longest an inactive session can last is 24 hours.
  4. Click Save.

Setting the sign out due to inactivity duration by using Terraform

An inactive session is when the user hasn't completed any requests that send a token for validation for the duration selected. If the sign out due to inactivity duration is 1 hour, then the user will be signed out after an hour if they haven't done anything in their account in that time.

To update your user's sign out due to inactivity duration by using Terraform, complete the following steps:

  1. Create an argument in your main.tf file. The following example sets the inactive sign out by using the ibm_iam_account_settings resource, named iam_account_settings_instance.

  2. Enter the period of time in seconds in which you want a session to invalidate due to inactivity. Supported valid values are:

    • Any whole number between 900 and 7200.
    • Use NOT_SET to unset the account setting and use the service default.

    resource "ibm_iam_account_settings" "iam_account_settings_instance" {
      session_expiration_in_seconds = "3600"
    }
    
  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      

For more information, see the Terraform documentation.

Setting the number of allowed concurrent sessions

You can choose the maximum number of concurrent sessions that are allowed for your account users. Concurrent sessions are active sessions that the user is signed into at one time. Users can have multiple sessions open by using different browsers or several logins with the IBM Cloud CLI. Multiple concurrent sessions are more beneficial for parallel workloads.

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Settings.
  2. From the Concurrent sessions tile, click the Edit icon, then click the Unlimited dropdown > Limit sessions.
  3. Enter the limit. Users can have an unlimited number of concurrent sessions.
  4. Click Save.

Setting the number of allowed concurrent sessions by using Terraform

You can choose the maximum number of concurrent sessions that are allowed for your account users. Concurrent sessions are active sessions that the user is signed into at one time. Users can have multiple sessions open by using different browsers or several logins with the IBM Cloud CLI. Multiple concurrent sessions are more beneficial for parallel workloads.

To update your user's allowed number of concurrent sessions by using Terraform, complete the following steps:

  1. Create an argument in your main.tf file. The following example sets the number of allowed concurrent sessions by using the ibm_iam_account_settings resource, named iam_account_settings_instance.

  2. Enter the maximum number of concurrent sessions that you want to allow. Supported valid values are:

    • Any whole number greater than '0'.
    • Use NOT_SET to unset the account setting and use the service default.

    resource "ibm_iam_account_settings" "iam_account_settings_instance" {
      max_sessions_per_identity = "3"
    }
    
  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      

For more information, see the Terraform documentation.
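
All three Terraform snippets above declare the same resource address, ibm_iam_account_settings.iam_account_settings_instance, and Terraform rejects two resource blocks with the same address in one configuration, so a main.tf that sets more than one of these limits carries them in a single block. The following added example (not from the IBM documentation) does that and checks each value against the values this page lists for it; the variable names are assumptions.

```hcl
# Added example; the variable names are assumptions that mirror the argument names.
# Accepted values are the ones this page lists for each argument.
variable "session_invalidation_in_seconds" {
  type    = string
  default = "NOT_SET" # NOT_SET keeps the service default
  validation {
    # try() stops tonumber() from failing the plan on NOT_SET or other text
    condition = var.session_invalidation_in_seconds == "NOT_SET" || (
      can(regex("^[0-9]+$", var.session_invalidation_in_seconds)) &&
      try(tonumber(var.session_invalidation_in_seconds) >= 900 &&
      tonumber(var.session_invalidation_in_seconds) <= 7200, false)
    )
    error_message = "Use NOT_SET or a whole number between 900 and 7200."
  }
}

variable "session_expiration_in_seconds" {
  type    = string
  default = "NOT_SET"
  validation {
    condition = var.session_expiration_in_seconds == "NOT_SET" || (
      can(regex("^[0-9]+$", var.session_expiration_in_seconds)) &&
      try(tonumber(var.session_expiration_in_seconds) >= 900 &&
      tonumber(var.session_expiration_in_seconds) <= 7200, false)
    )
    error_message = "Use NOT_SET or a whole number between 900 and 7200."
  }
}

variable "max_sessions_per_identity" {
  type    = string
  default = "NOT_SET"
  validation {
    condition = (var.max_sessions_per_identity == "NOT_SET" ||
    can(regex("^[1-9][0-9]*$", var.max_sessions_per_identity)))
    error_message = "Use NOT_SET or a whole number greater than 0."
  }
}

# One block for the account: the settings are arguments of the same resource.
resource "ibm_iam_account_settings" "iam_account_settings_instance" {
  session_invalidation_in_seconds = var.session_invalidation_in_seconds
  session_expiration_in_seconds   = var.session_expiration_in_seconds
  max_sessions_per_identity       = var.max_sessions_per_identity
}
```

Values can be supplied with -var or a .tfvars file; a value outside the listed ranges fails terraform plan with the error message above instead of reaching terraform apply.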

Determining when sessions are created

Login session settings apply only when there is a connected login session. If no login session is created, then limits for IAM tokens apply. Use the following tables to help you understand when each setting applies.

Sessions are created when a user logs in to the IBM Cloud® CLI or IBM Cloud® console. For example, if you create a user API key and use it for the IBM Cloud® CLI, this generates a login session. However, if you use the same API key to create a token for API calls, like creating an IAM access token for a user or service ID, this does not generate a session.

Table 1. Sessions and refresh token availability - Users
When a session is created or not depends on a combination of the identity type and login type.

Login type            Sessions    Refresh tokens
IBM Cloud® Console    Yes         Yes
IBM Cloud® CLI        Yes         Yes
API call              No          No

Table 1. Sessions and refresh token availability - Trusted profiles for federated users
When a session is created or not depends on a combination of the identity type and login type.

Login type            Sessions    Refresh tokens
IBM Cloud® Console    Yes         Yes
IBM Cloud® CLI        Yes         Yes
API call              No          No

Table 1. Sessions and refresh token availability - Service IDs
When a session is created or not depends on a combination of the identity type and login type.

Login type            Sessions    Refresh tokens
IBM Cloud® Console    N/A         N/A
IBM Cloud® CLI        Yes         No
API call              No          No