gcloud alpha access-context-manager cloud-bindings update
- NAME
- gcloud alpha access-context-manager cloud-bindings update - update an existing access binding under an organization
- SYNOPSIS
gcloud alpha access-context-manager cloud-bindings update(--binding=BINDING:--organization=ORGANIZATION)[--append][--binding-file=YAML_FILE][--dry-run-level=[DRY_RUN_LEVEL,…]][--level=[LEVEL,…]][--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]][--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]][--session-length=SESSION_LENGTH][--session-reauth-method=SESSION_REAUTH_METHOD; default="login"][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)Update an existing access binding. You can update thelevel, dry run level, scoped access settings, session settings, restrictedclient application client IDs, and restricted client application names. Theycan't all be empty. Session settings are incompatible with restricted clientapplication client IDs/names; please use scoped access settings to bind sessionsettings to an application.- EXAMPLES
- To update an existing access binding, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--level=accessPolicies/123/accessLevels/new-abcTo remove level and add dry run level, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--level=--dry-run-level=accessPolicies/123/accessLevels/new-defTo update restricted client applications, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--restricted-client-application-client-ids='123.apps.googleusercontent.com'--restricted-client-application-names='Cloud Console, GoogleCloud SDK'Or
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--binding-file='binding.yaml'To replace scoped access settings with a new list, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--binding-file='binding.yaml'To append scoped access settings to the existing list, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--binding-file='binding.yaml'--appendNote this is only possible for scoped access settings that exclusively holdsession settings.
To update session settings, run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--session-length=2hTo update the session reauth method you must also specify --session-length (thiscan be the existing value if you only want to modify the reauth method), run:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--session-length=2h--session-reauth-method=loginTo disable session settings, set --session-length=0, for example:
gcloudalphaaccess-context-managercloud-bindingsupdate--binding=my-binding-id--session-length=0 - REQUIRED FLAGS
- Cloud access binding resource - The cloud access binding you want to update. Thearguments in this group can be used to specify the attributes of this resource.
This must be specified.
--binding=BINDING- ID of the cloud-access-binding or fully qualified identifier for thecloud-access-binding.
To set the
bindingattribute:- provide the argument
--bindingon the command line.
This flag argument must be specified if any of the other arguments in this groupare specified.
- provide the argument
--organization=ORGANIZATION- The ID of the organization.To set the
organizationattribute:- provide the argument
--bindingon the command line with a fullyspecified name; - provide the argument
--organizationon the command line; - set the property
access_context_manager/organization.
- provide the argument
- Cloud access binding resource - The cloud access binding you want to update. Thearguments in this group can be used to specify the attributes of this resource.
- OPTIONAL FLAGS
--append- When true, append the ScopedAccessSettings in
--binding-fileto theexisting ScopedAccessSettings on the binding. When false, the existing binding'sScopedAccessSettings will be overwritten. Defaults to false. You may only appendScopedAccessSettings that exclusively hold session settings (i.e no accesslevels). --binding-file=YAML_FILE- Path to the file that contains a Google Cloud Platform user access binding.
This file contains a YAML-compliant object representing a GcpUserAccessBinding(as described in the API reference) containing ScopedAccessSettings only. Noother binding fields are allowed.
The file content replaces the corresponding fields in the existing binding.Unless --append is specified. See --append help text for more details.
--dry-run-level=[DRY_RUN_LEVEL,…]- The dry run access level that replaces the existing dry run level for the givenbinding. The input must be the full identifier of an access level, such as
accessPolicies/123/accessLevels/new-def. --level=[LEVEL,…]- The access level that replaces the existing level for the given binding. Theinput must be the full identifier of an access level, such as
accessPolicies/123/accessLevels/new-abc. --restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]- The application client IDs that replace the existing application client IDs forthe restricted client applications in the given binding.
--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]- The application names that replace the existing application names for therestricted client applications in the given binding.
--session-length=SESSION_LENGTH- The maximum lifetime of a user session provided as an ISO 8601 duration string.Must be at least one hour or zero, and no more than twenty-four hours.Granularity is limited to seconds.
When --session-length=0 users in the group attached to this binding will haveinfinite session length, effectively disabling the session settings.
A session begins after a user signs in successfully. If a user signs out beforethe end of the session lifetime, a new login creates a new session with a freshlifetime. When a session expires, the user is asked to reauthenticate inaccordance with session-reauth-method.
Setting --session-reauth-method when --session-length is empty raises an error.Cannot set --session-length on restricted client applications; please use scopedaccess settings.
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"- Specifies the security check a user must undergo when their session expires.Defaults to --session-reauth-method=LOGIN if unspecified and --session-length isset. Cannot be used when --session-length is empty or 0.
SESSION_REAUTH_METHODmust be one of:login- The user will be prompted to perform regular login. Users who are enrolled intwo-step verification and haven't chosen to "Remember this computer" will beprompted for their second factor.
password- The user will only be required to enter their password.
security-key- The user will be prompted to autheticate using their security key. If nosecurity key has been configured, the LOGIN method is used.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - API REFERENCE
- This command uses the
accesscontextmanager/v1alphaAPI. The fulldocumentation for this API can be found at:https://cloud.google.com/access-context-manager/docs/reference/rest/ - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. This variant is also available:
gcloudaccess-context-managercloud-bindingsupdate
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-22 UTC.