gcloud storage buckets add-iam-policy-binding - add an IAM policy binding to a bucket
gcloud storage buckets add-iam-policy-binding URL --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,...] | --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]
Add an IAM policy binding to a bucket. For more information, see Cloud Identity and Access Management https://cloud.google.com/storage/docs/access-control/iam.
To grant a single role to a single principal for BUCKET:
$ gcloud storage buckets add-iam-policy-binding gs://BUCKET \ --member=user:john.doe@example.com \ --role=roles/storage.objectCreator
To make objects in BUCKET publicly readable:
$ gcloud storage buckets add-iam-policy-binding gs://BUCKET \ --member=AllUsers --role=roles/storage.objectViewer
To specify a custom role for a principal on BUCKET:
$ gcloud storage buckets add-iam-policy-binding gs://BUCKET \ --member=user:john.doe@example.com --role=roles/customRoleName
- URL
URL of bucket to add IAM policy binding to.
- --member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Some resources also accept the following special values:
- —
allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
- —
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
- At most one of these can be specified:
- --condition=[KEY=VALUE,...]
A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview
When using the --condition flag, include the following key-value pairs:
- expression
(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
- title
(Required) A short string describing the purpose of the expression.
- description
(Optional) Additional description for the expression.
- --condition-from-file=CONDITION_FROM_FILE
Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This variant is also available:
$ gcloud alpha storage buckets add-iam-policy-binding