gcloud alpha container hub scopes add-app-operator-binding
- NAME
- gcloud alpha container hub scopes add-app-operator-binding - add project-level and fleet scope-level IAM bindings and create a fleet scope RBAC role binding for an app operator principal
- SYNOPSIS
gcloud alpha container hub scopes add-app-operator-bindingSCOPE(--custom-role=CUSTOM_ROLE|--role=ROLE)(--group=GROUP|--user=USER)[--labels=[KEY=VALUE,…]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)One binding consists of an app operator principal(user/group) and a role (view/edit/admin or a custom role).This command sets up the different permissions required for an app operator,including usage of fleet scopes, connect gateway, logging, and metrics. Theauthoritative list for adding the permissions is the existing RBAC role bindingsunder the specified scope.
This command can fail for the following reasons:
- The scope specified does not exist.
- The user does not have access to the specified scope.
- The principal specified already has another binding for the scope.
- EXAMPLES
- The following command:
gcloudalphacontainerhubscopesadd-app-operator-bindingSCOPE--role=view--group=people@google.com--project=PROJECT_ID- adds IAM policy binding: roles/gkehub.scopeViewer on
SCOPE - adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on
PROJECT_ID - adds IAM policy binding: roles/logging.viewAccessor on
PROJECT_IDwith condition where bucket corresponds toSCOPE - creates fleet scope RBAC role binding: role
viewwith a random IDfor grouppeople@google.com.
---
The following command:
gcloudalphacontainerhubscopesadd-app-operator-bindingSCOPE--role=edit--user=person@google.com--project=PROJECT_ID- adds IAM policy binding: roles/gkehub.scopeEditor on
SCOPE - adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID - adds IAM policy binding: roles/logging.viewAccessor on
PROJECT_IDwith condition where bucket corresponds toSCOPE - creates fleet scope RBAC role binding: role
editwith a random IDfor userperson@google.com.
---
The following command:
gcloudalphacontainerhubscopesadd-app-operator-bindingSCOPE--role=admin--user=person@google.com--project=PROJECT_ID- adds IAM policy binding: roles/gkehub.scopeAdmin on
SCOPE - adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID - adds IAM policy binding: roles/logging.viewAccessor on
PROJECT_IDwith condition where bucket corresponds toSCOPE - creates fleet scope RBAC role binding: role
adminwith a random IDfor userperson@google.com.
---
The following command:
gcloudalphacontainerhubscopesadd-app-operator-bindingSCOPE--custom-role=my-custom-role--user=person@google.com--project=PROJECT_ID- adds IAM policy binding: roles/gkehub.scopeViewer on
SCOPE - adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID - adds IAM policy binding: roles/logging.viewAccessor on
PROJECT_IDwith condition where bucket corresponds toSCOPE - creates fleet scope RBAC role binding: role
my-custom-rolewith arandom ID for userperson@google.com.
For any tailored IAM permissions required when using a custom role, the user orgroup can separately be granted additional IAM permissions on the project.
- adds IAM policy binding: roles/gkehub.scopeViewer on
- POSITIONAL ARGUMENTS
- Scope resource - The group of arguments defining the Fleet Scope. Thisrepresents a Cloud resource. (NOTE) Some attributes are not given arguments inthis group but can be set in other ways.
To set the
projectattribute:- provide the argument
SCOPEon the command line with a fullyspecified name; - provide the argument
--projecton the command line; - set the property
core/project.
To set the
locationattribute:- provide the argument
SCOPEon the command line with a fullyspecified name; - global is the only supported location.
This must be specified.
SCOPE- ID of the scope or fully qualified identifier for the scope.
To set the
scopeattribute:- provide the argument
SCOPEon the command line.
- provide the argument
- provide the argument
- Scope resource - The group of arguments defining the Fleet Scope. Thisrepresents a Cloud resource. (NOTE) Some attributes are not given arguments inthis group but can be set in other ways.
- REQUIRED FLAGS
- Exactly one of these must be specified:
--custom-role=CUSTOM_ROLE- Custom role to assign to principal.
--role=ROLE- Predefined role to assign to principal (admin, edit, view).
ROLEmust be one of:admin,edit,view.
- Exactly one of these must be specified:
--group=GROUP- Group for the role binding.
--user=USER- User for the role binding.
- Exactly one of these must be specified:
- OPTIONAL FLAGS
--labels=[KEY=VALUE,…]- List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens(
-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. This variant is also available:
gcloudbetacontainerhubscopesadd-app-operator-binding
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-06-17 UTC.