NAME

gcloud alpha access-context-manager policies add-iam-policy-binding - add IAM policy binding for an access policy

SYNOPSIS

gcloud alpha access-context-manager policies add-iam-policy-binding [POLICY] --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,...] | --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

(ALPHA) Adds a policy binding to the IAM policy of an access policy. The binding consists of a role, identity, and access policy.

EXAMPLES

To add an IAM policy binding for the role of roles/notebooks.admin for the user 'test-user@gmail.com' on the access policy 'accessPolicies/123', run:

$ gcloud alpha access-context-manager policies \ add-iam-policy-binding --member='user:test-user@gmail.com' \ --role='roles/notebooks.admin' accessPolicies/123

See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.

POSITIONAL ARGUMENTS

Policy resource - The access policy to add the IAM binding. This represents a

Cloud resource.

[POLICY]

ID of the policy or fully qualified identifier for the policy. To set the policy attribute:

  • provide the argument policy on the command line;

  • set the property access_context_manager/policy;

  • automatically, if the current account belongs to an organization with exactly one access policy..

REQUIRED FLAGS

--member=PRINCIPAL

The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Some resources also accept the following special values:

allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.

allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.

--role=ROLE

Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.

OPTIONAL FLAGS

At most one of these can be specified:
--condition=[KEY=VALUE,...]

A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview

When using the --condition flag, include the following key-value pairs:

expression

(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.

If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.

title

(Required) A short string describing the purpose of the expression.

description

(Optional) Additional description for the expression.

--condition-from-file=CONDITION_FROM_FILE

Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the accesscontextmanager/v1alpha API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/

NOTES

This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:

$ gcloud access-context-manager policies add-iam-policy-binding

$ gcloud beta access-context-manager policies add-iam-policy-binding