gcloud iam service-accounts add-iam-policy-binding - add an IAM policy binding to an IAM service account
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,...] | --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]
Add an IAM policy binding to an IAM service account. A binding consists of at least one member, a role, and an optional condition. Adding a binding to a service account grants the specified member the specified role on the service account.
When managing IAM roles, you can treat a service account either as a resource or as an identity. This command adds an IAM policy binding to a service account resource. There are other gcloud commands to manage IAM policies for other types of resources. For example, to manage IAM policies on a project, use the $ gcloud projects commands.
If the service account does not exist, this command returns a PERMISSION_DENIED error.
To add an IAM policy binding for the role of 'roles/editor' for the user 'test-user@gmail.com' on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \ my-iam-account@my-project.iam.gserviceaccount.com \ --member='user:test-user@gmail.com' --role='roles/editor'
To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \ test-proj1@example.domain.com \ --member='serviceAccount:test-proj1@example.domain.com' \ --role='roles/editor'
To add an IAM policy binding for the role of 'roles/editor' for all authenticated users on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \ my-iam-account@my-project.iam.gserviceaccount.com \ --member='allAuthenticatedUsers' --role='roles/editor'
To add an IAM policy binding which expires at the end of the year 2018 for the role of 'roles/iam.serviceAccountAdmin' and the user 'test-user@gmail.com' on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \ my-iam-account@my-project.iam.gserviceaccount.com \ --member='user:test-user@gmail.com' \ --role='roles/iam.serviceAccountAdmin' \ --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,descrip\ tion=Expires at midnight on 2018-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.
- ServiceAccount resource - The service account to which the IAM policy binding
is being added. Note that the user, group or service account in the --member flag is being granted access to this service account. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- —
provide the argument service_account on the command line with a fully specified name;
- —
set the property core/project;
- —
provide the argument --project on the command line.
This must be specified.
- SERVICE_ACCOUNT
ID of the serviceAccount or fully qualified identifier for the serviceAccount. To set the service_account attribute:
provide the argument service_account on the command line.
- --member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Some resources also accept the following special values:
- —
allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
- —
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
- At most one of these can be specified:
- --condition=[KEY=VALUE,...]
A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview
When using the --condition flag, include the following key-value pairs:
- expression
(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
- title
(Required) A short string describing the purpose of the expression.
- description
(Optional) Additional description for the expression.
- --condition-from-file=CONDITION_FROM_FILE
Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command uses the iam/v1 API. The full documentation for this API can be found at: https://cloud.google.com/iam/
These variants are also available:
$ gcloud alpha iam service-accounts add-iam-policy-binding
$ gcloud beta iam service-accounts add-iam-policy-binding