NAME

gcloud alpha access-context-manager perimeters update - update the enforced configuration for an existing Service Perimeter

SYNOPSIS

gcloud alpha access-context-manager perimeters update (PERIMETER : --policy=POLICY) [--description=DESCRIPTION] [--title=TITLE] [--type=TYPE] [--add-access-levels=[LEVEL,...] | --clear-access-levels | --remove-access-levels=[LEVEL,...] | --set-access-levels=[LEVEL,...]] [--add-resources=[RESOURCES,...] | --clear-resources | --remove-resources=[RESOURCES,...] | --set-resources=[RESOURCES,...]] [--add-restricted-services=[SERVICE,...] | --clear-restricted-services | --remove-restricted-services=[SERVICE,...] | --set-restricted-services=[SERVICE,...]] [--clear-egress-policies | --set-egress-policies=YAML_FILE] [--clear-ingress-policies | --set-ingress-policies=YAML_FILE] [--enable-vpc-accessible-services --add-vpc-allowed-services=[VPC_SERVICE,...] | --clear-vpc-allowed-services | --remove-vpc-allowed-services=[VPC_SERVICE,...]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

(ALPHA) This command updates the enforced configuration (status) of a Service Perimeter.

EXAMPLES

To update the enforced configuration for a Service Perimeter:

$ gcloud alpha access-context-manager perimeters update \ my-perimeter --add-resources="projects/123,projects/456" \ --remove-restricted-services="storage.googleapis.com" \ --add-access-levels="accessPolicies/123/accessLevels/a_level" \ --enable-vpc-accessible-services --clear-vpc-allowed-services

POSITIONAL ARGUMENTS

Perimeter resource - The service perimeter to update. The arguments in this

group can be used to specify the attributes of this resource.

This must be specified.

PERIMETER

ID of the perimeter or fully qualified identifier for the perimeter. To set the perimeter attribute:

  • provide the argument perimeter on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--policy=POLICY

The ID of the access policy. To set the policy attribute:

  • provide the argument perimeter on the command line with a fully specified name;

  • provide the argument --policy on the command line;

  • set the property access_context_manager/policy.

FLAGS

--description=DESCRIPTION

Long-form description of service perimeter.

--title=TITLE

Short human-readable title of the service perimeter.

--type=TYPE

Type of the perimeter.

A regular perimeter allows resources within this service perimeter to import and export data amongst themselves. A project may belong to at most one regular service perimeter.

A bridge perimeter allows resources in different regular service perimeters to import and export data between each other. A project may belong to multiple bridge service perimeters (only if it also belongs to a regular service perimeter). Both restricted and unrestricted service lists, as well as access level lists, must be empty.

TYPE must be one of: bridge, regular.

These flags modify the member access levels of this perimeter. An

intra-perimeter request must satisfy these access levels (for example, MY_LEVEL; must be in the same access policy as this perimeter) to be allowed.

At most one of these can be specified:

--add-access-levels=[LEVEL,...]

Append the given values to the current access levels.

--clear-access-levels

Empty the current access levels.

--remove-access-levels=[LEVEL,...]

Remove the given values from the current access levels.

--set-access-levels=[LEVEL,...]

Completely replace the current access levels with the given values.

These flags modify the member resources of this perimeter. Resources must be

projects, in the form projects/<projectnumber>.

At most one of these can be specified:

--add-resources=[RESOURCES,...]

Append the given values to the current resources.

--clear-resources

Empty the current resources.

--remove-resources=[RESOURCES,...]

Remove the given values from the current resources.

--set-resources=[RESOURCES,...]

Completely replace the current resources with the given values.

These flags modify the member restricted services of this perimeter. The

perimeter boundary DOES apply to these services (for example, storage.googleapis.com).

At most one of these can be specified:

--add-restricted-services=[SERVICE,...]

Append the given values to the current restricted services.

--clear-restricted-services

Empty the current restricted services.

--remove-restricted-services=[SERVICE,...]

Remove the given values from the current restricted services.

--set-restricted-services=[SERVICE,...]

Completely replace the current restricted services with the given values.

These flags modify the enforced EgressPolicies of this ServicePerimeter.

At most one of these can be specified:

--clear-egress-policies

Empties existing enforced Egress Policies.

--set-egress-policies=YAML_FILE

Path to a file containing a list of Egress Policies.

This file contains a list of YAML-compliant objects representing Egress Policies described in the API reference.

For more information about the alpha version, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters For more information about non-alpha versions, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

These flags modify the enforced IngressPolicies of this ServicePerimeter.

At most one of these can be specified:

--clear-ingress-policies

Empties existing enforced Ingress Policies.

--set-ingress-policies=YAML_FILE

Path to a file containing a list of Ingress Policies.

This file contains a list of YAML-compliant objects representing Ingress Policies described in the API reference.

For more information about the alpha version, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters For more information about non-alpha versions, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

--enable-vpc-accessible-services

When specified restrict API calls within the Service Perimeter to the set of vpc allowed services. To disable use '--no-enable-vpc-accessible-services'.

These flags modify the member vpc allowed services of this perimeter. Services

allowed to be called within the Perimeter when VPC Accessible Services is enabled

At most one of these can be specified:

--add-vpc-allowed-services=[VPC_SERVICE,...]

Append the given values to the current vpc allowed services.

--clear-vpc-allowed-services

Empty the current vpc allowed services.

--remove-vpc-allowed-services=[VPC_SERVICE,...]

Remove the given values from the current vpc allowed services.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:

$ gcloud access-context-manager perimeters update

$ gcloud beta access-context-manager perimeters update