gcloud secrets add-iam-policy-binding - add IAM policy binding to a secret
gcloud secrets add-iam-policy-binding SECRET --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,...] | --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]
Add an IAM policy binding to the IAM policy of a secret. One binding consists of a member and a role.
To add an IAM policy binding for the role of 'roles/secretmanager.secretAccessor' for the user 'test-user@gmail.com' on my-secret, run:
$ gcloud secrets add-iam-policy-binding my-secret \ --member='user:test-user@gmail.com' \ --role='roles/secretmanager.secretAccessor'
See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.
- Secret resource - Name of the secret for which to add the IAM policy binding.
This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- —
provide the argument secret on the command line with a fully specified name;
- —
set the property core/project;
- —
provide the argument --project on the command line.
This must be specified.
- SECRET
ID of the secret or fully qualified identifier for the secret. To set the secret attribute:
provide the argument secret on the command line.
- --member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Some resources also accept the following special values:
- —
allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
- —
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
- At most one of these can be specified:
- --condition=[KEY=VALUE,...]
A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview
When using the --condition flag, include the following key-value pairs:
- expression
(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
- title
(Required) A short string describing the purpose of the expression.
- description
(Optional) Additional description for the expression.
- --condition-from-file=CONDITION_FROM_FILE
Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command uses the secretmanager/v1 API. The full documentation for this API can be found at: https://cloud.google.com/secret-manager/
This variant is also available:
$ gcloud beta secrets add-iam-policy-binding