gcloud beta privateca subordinates add-iam-policy-binding - add IAM policy binding for a subordinate Certificate Authority
gcloud beta privateca subordinates add-iam-policy-binding (CERTIFICATE_AUTHORITY : --location=LOCATION) --member=PRINCIPAL --role=ROLE [GCLOUD_WIDE_FLAG ...]
(BETA) Adds a policy binding to the IAM policy of a subordinate Certificate Authority. One binding consists of a member and a role.
See https://cloud.google.com/iam/docs/managing-policies for details of the policy file format and contents.
To add an IAM policy binding for the role of 'roles/privateca.certificateManager' for the user 'test-user@gmail.com' on the CA 'server-tls-1' with the location 'us-west1', run:
$ gcloud beta privateca subordinates add-iam-policy-binding \ server-tls-1 --location='us-west1' \ --member='user:test-user@gmail.com' \ --role='roles/privateca.certificateManager'
- Certificate Authority resource - The certificate authority for which to add the
IAM policy binding. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- —
provide the argument certificate_authority on the command line with a fully specified name;
- —
set the property core/project;
- —
provide the argument --project on the command line.
This must be specified.
- CERTIFICATE_AUTHORITY
ID of the Certificate Authority or fully qualified identifier for the Certificate Authority. To set the certificate_authority attribute:
provide the argument certificate_authority on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
- --location=LOCATION
The location of the Certificate Authority. To set the location attribute:
provide the argument certificate_authority on the command line with a fully specified name;
provide the argument --location on the command line;
set the property privateca/location.
- --member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Some resources also accept the following special values:
- —
allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
- —
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command uses the privateca/v1beta1 API. The full documentation for this API can be found at: https://cloud.google.com/
This command is currently in beta and might change without notice.