- NAME
-
- gcloud alpha access-context-manager cloud-bindings create - create cloud access bindings for a specific group
- SYNOPSIS
-
-
gcloud alpha access-context-manager cloud-bindings create
[--binding-file
=YAML_FILE
] [--dry-run-level
=[DRY_RUN_LEVEL
,…]] [--group-key
=GROUP_KEY
] [--level
=[LEVEL
,…]] [--organization
=ORGANIZATION
] [--restricted-client-application-client-ids
=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS
,…]] [--restricted-client-application-names
=[RESTRICTED_CLIENT_APPLICATION_NAMES
,…]] [--session-length
=SESSION_LENGTH
] [--session-reauth-method
=SESSION_REAUTH_METHOD
; default="login"] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
(ALPHA)
Create a new access binding. The access level (if any) will be bound with- a group and the restricted client application
- a specific service account or all service accounts in a specified project.
The session settings (if any) will be bound with
- a group
If you want to bind session settings to a particular application, use scoped access settings.
If a group key is specified, the access level and/or session settings are globally enforced for all context-aware access group members, as specified in the binding. If a restricted client application is also specified, then the enforcement applies only to the specified application, and not to the entire organization. Session settings are incompatible with the top level --restricted-client-application flags; please use --binding-file to specify scoped access settings. If the restricted client application is specified, then --binding-file cannot be set. If a service account is specified, then the enforcement applies only to the specified service account. If a service account project is specified, the enforcement applies to all of the service accounts belonging to the specified project.
- EXAMPLES
-
To create a new global cloud access binding, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc
To create a new cloud access binding for particular applications, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
Console' \ --restricted-client-application-client-ids='123456789.apps.googl\ eusercontent.com'To create a new cloud access binding for particular applications using a yaml file, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'
To create a new global cloud access binding, and for particular applications using a yaml file, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --binding-file='binding.yaml'
To create a new global cloud access binding for the dry run access level, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def
To create a new cloud access binding for the dry run access level for particular applications, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
Console' \ --restricted-client-application-client-ids='123456789.apps.googl\ eusercontent.com'To create a new cloud access binding for a particular service account, run:
gcloud alpha access-context-manager cloud-bindings create --service-account=[email protected] --level=accessPolicies/123/accessLevels/abc --organization='1234567890'
To create a new cloud access binding for all service accounts in a particular project, run:
To create a new cloud access binding with global session settings, specify your session length using an ISO duration string and the
session-length
flag. For example:gcloud alpha access-context-manager cloud-bindings create --service-account-project-number='987654321' --level=accessPolicies/123/accessLevels/abc --organization='1234567890' gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h
To set a particular session reauth method for these session settings, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN
To create session settings for specific applications, supply a YAML file and run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'
Global and per-app session settings can be set on the same group, along with access levels. For example:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --binding-file='binding.yaml'
- FLAGS
-
--binding-file
=YAML_FILE
-
Path to the file that contains a Google Cloud Platform user access binding.
This file contains a YAML-compliant object representing a GcpUserAccessBinding (as described in the API reference) containing ScopedAccessSettings only. No other binding fields are allowed.
--dry-run-level
=[DRY_RUN_LEVEL
,…]-
The dry run access level that binds to the given group and restricted client
applications. The dry run access level is evaluated but isn't enforced. Denial
on a dry run access level is logged. The input must be the full identifier of an
access level, such as
accessPolicies/123/accessLevels/new-def
. If norestricted-client-application-client-ids
orrestricted-client-application-names
are provided, then the access level is applied to the entire organization. --group-key
=GROUP_KEY
- Google Group ID whose members are subject to the restrictions of this binding.
--level
=[LEVEL
,…]-
The access level that binds to the given group and restricted client
applications. The input must be the full identifier of an access level, such as
accessPolicies/123/accessLevels/abc
. If norestricted-client-application-client-ids
orrestricted-client-application-names
are provided, then the access level is applied to the entire organization. --organization
=ORGANIZATION
- Parent organization for this binding.
--restricted-client-application-client-ids
=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS
,…]- Client IDs to which the access level is applied.
--restricted-client-application-names
=[RESTRICTED_CLIENT_APPLICATION_NAMES
,…]- Application names to which the access level is applied.
--session-length
=SESSION_LENGTH
-
The maximum lifetime of a user session provided as an ISO 8601 duration string.
Must be at least one hour or zero seconds, and no more than twenty-four hours.
Granularity is limited to seconds.
When --session-length=0 then users in the group attached to this binding will have infinite session length, effectively disabling session.
A session begins when a user signs-in successfully. If a user signs out before the end of the session lifetime, a new login creates a new session with a fresh lifetime. When a session expires, the user is asked to re-authenticate in accordance with session-method.
Setting --session-reauth-method when --session-length is empty raises an error. Cannot set --session-length with --restricted-client-application-client-ids or --restricted-client-application-names; please use scoped access settings.
--session-reauth-method
=SESSION_REAUTH_METHOD
; default="login"-
Specifies the type of re-authentication challenge given to the user when their
session expires. Defaults to --session-reauth-method=login if unspecified and
--session-length is set. Cannot be used when --session-length is empty or 0.
SESSION_REAUTH_METHOD
must be one of:login
- The user must complete a regular login.
password
- The user will only be required to enter their password.
security-key
- The user must re-autheticate using their security key. Before enabling this session reauth method, ensure a security key is properly configured for the user. For help configuring your security key, see https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - API REFERENCE
-
This command uses the
accesscontextmanager/v1alpha
API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/ - NOTES
-
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation-only early access
allowlist. This variant is also available:
gcloud access-context-manager cloud-bindings create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-12 UTC.