gcloud beta access-context-manager policies add-iam-policy-binding - add IAM policy binding for an access policy
gcloud beta access-context-manager policies add-iam-policy-binding [POLICY] --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,...] | --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]
(BETA) Adds a policy binding to the IAM policy of an access policy. The binding consists of a role, identity, and access policy.
To add an IAM policy binding for the role of roles/notebooks.admin for the user 'test-user@gmail.com' on the access policy 'accessPolicies/123', run:
$ gcloud beta access-context-manager policies \ add-iam-policy-binding --member='user:test-user@gmail.com' \ --role='roles/notebooks.admin' accessPolicies/123
See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.
- Policy resource - The access policy to add the IAM binding. This represents a
Cloud resource.
- [POLICY]
ID of the policy or fully qualified identifier for the policy. To set the policy attribute:
provide the argument policy on the command line;
set the property access_context_manager/policy;
automatically, if the current account belongs to an organization with exactly one access policy..
- --member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Some resources also accept the following special values:
- —
allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
- —
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
- At most one of these can be specified:
- --condition=[KEY=VALUE,...]
A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview
When using the --condition flag, include the following key-value pairs:
- expression
(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
- title
(Required) A short string describing the purpose of the expression.
- description
(Optional) Additional description for the expression.
- --condition-from-file=CONDITION_FROM_FILE
Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command uses the accesscontextmanager/v1 API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/
This command is currently in beta and might change without notice. These variants are also available:
$ gcloud access-context-manager policies add-iam-policy-binding
$ gcloud alpha access-context-manager policies add-iam-policy-binding