gcloud beta access-context-manager perimeters dry-run create - create a dry-run mode configuration for a new or existing Service Perimeter

gcloud beta access-context-manager perimeters dry-run create(PERIMETER :--policy=POLICY)(--access-levels=[access_levels,…]--egress-policies=YAML_FILE--ingress-policies=YAML_FILE--resources=[resources,…]--restricted-services=[restricted_services,…]--enable-vpc-accessible-services--vpc-allowed-services=[vpc_allowed_services,…]    | [--perimeter-title=PERIMETER_TITLE--perimeter-type=PERIMETER_TYPE :--perimeter-access-levels=[access_levels,…]--perimeter-description=PERIMETER_DESCRIPTION--perimeter-egress-policies=YAML_FILE--perimeter-ingress-policies=YAML_FILE--perimeter-resources=[resources,…]--perimeter-restricted-services=[restricted_services,…]--perimeter-enable-vpc-accessible-services--perimeter-vpc-allowed-services=[vpc_allowed_services,…]])[--async][GCLOUD_WIDE_FLAG …]

When a perimeter with the specified name does exist, a dry-run modeconfiguration will be created for it. The behavior of the enforcement modeconfiguration, if present, will not be impacted in this case. Requests thatviolate the existing enforcement mode configuration of the Service Perimeterwill continue being denied. Requests that only violate the policy in the dry-runmode configuration will be logged but will not be denied.

gcloudbetaaccess-context-managerperimetersdry-runcreatemy-perimeter--resources="projects/0123456789"--access-levels="accessPolicies/a_policy/accessLevels/a_level"--restricted-services="storage.googleapis.com"

To create a dry-run configuration for a new Service Perimeter:

gcloudbetaaccess-context-managerperimetersdry-runcreatemy-perimeter--perimeter-title="My New Perimeter"--perimeter-description="Perimeter description"--perimeter-type="regular"--perimeter-resources="projects/0123456789"--perimeter-access-levels="accessPolicies/a_policy/accessLevels/a_level"--perimeter-restricted-services="storage.googleapis.com"

Perimeter resource - The service perimeter to update. The arguments in thisgroup can be used to specify the attributes of this resource.

This must be specified.

PERIMETER

ID of the perimeter or fully qualified identifier for the perimeter.

To set theperimeter attribute:

• provide the argumentperimeter on the command line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--policy=POLICY

The ID of the access policy.

To set thepolicy attribute:

• provide the argumentperimeter on the command line with a fullyspecified name;
• provide the argument--policy on the command line;
• set the propertyaccess_context_manager/policy.

Exactly one of these must be specified:

Arguments for creating dry-run spec for an **existing** Service Perimeter.

--access-levels=[access_levels,…]

Comma-separated list of IDs for access levels (in the same policy) that anintra-perimeter request must satisfy to be allowed.

--egress-policies=YAML_FILE

Path to a file containing a list of Egress Policies. This file contains a listof YAML-compliant objects representing Egress Policies described in the APIreference. For more information about the alpha version, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimetersFor more information about non-alpha versions, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

--ingress-policies=YAML_FILE

Path to a file containing a list of Ingress Policies. This file contains a listof YAML-compliant objects representing Ingress Policies described in the APIreference. For more information about the alpha version, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimetersFor more information about non-alpha versions, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

--resources=[resources,…]

Comma-separated list of resources (currently only projects, in the formprojects/<projectnumber>) in this perimeter.

--restricted-services=[restricted_services,…]

Comma-separated list of services to which the perimeter boundarydoes apply (for example,storage.googleapis.com).

--enable-vpc-accessible-services

Whether to restrict API calls within the perimeter to those in thevpc-allowed-services list.

--vpc-allowed-services=[vpc_allowed_services,…]

Comma-separated list of APIs accessible from within the Service Perimeter. Inorder to include all restricted services, use reference "RESTRICTED-SERVICES".Requires vpc-accessible-services be enabled.

Arguments for creating a dry-run spec for a new Service Perimeter.

--perimeter-title=PERIMETER_TITLE

Short human-readable title for the Service Perimeter.

This flag argument must be specified if any of the other arguments in this groupare specified.

--perimeter-type=PERIMETER_TYPE

Type of the perimeter.

A*regular*perimeterallowsresourceswithinthisserviceperimetertoimportandexportdataamongstthemselves.Aprojectmaybelongtoatmostoneregularserviceperimeter.

A*bridge*perimeterallowsresourcesindifferentregularserviceperimeterstoimportandexportdatabetweeneachother.Aprojectmaybelongtomultiplebridgeserviceperimeters(onlyifitalsobelongstoaregularserviceperimeter).Bothrestrictedandunrestrictedservicelists,aswellasaccesslevellists,mustbeempty.

This flag argument must be specified if any of the other arguments in this groupare specified.

--perimeter-access-levels=[access_levels,…]

Comma-separated list of IDs for access levels (in the same policy) that anintra-perimeter request must satisfy to be allowed.

--perimeter-description=PERIMETER_DESCRIPTION

Long-form description of Service Perimeter.

--perimeter-egress-policies=YAML_FILE

Path to a file containing a list of Egress Policies. This file contains a listof YAML-compliant objects representing Egress Policies described in the APIreference. For more information about the alpha version, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimetersFor more information about non-alpha versions, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

--perimeter-ingress-policies=YAML_FILE

Path to a file containing a list of Ingress Policies. This file contains a listof YAML-compliant objects representing Ingress Policies described in the APIreference. For more information about the alpha version, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimetersFor more information about non-alpha versions, see:https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters

--perimeter-resources=[resources,…]

Comma-separated list of resources (currently only projects, in the formprojects/<projectnumber>) in this perimeter.

--perimeter-restricted-services=[restricted_services,…]

Comma-separated list of services to which the perimeter boundarydoes apply (for example,storage.googleapis.com).

--perimeter-enable-vpc-accessible-services

Whether to restrict API calls within the perimeter to those in thevpc-allowed-services list.

--perimeter-vpc-allowed-services=[vpc_allowed_services,…]

Comma-separated list of APIs accessible from within the Service Perimeter. Inorder to include all restricted services, use reference "RESTRICTED-SERVICES".Requires vpc-accessible-services be enabled.

--async

Return immediately, without waiting for the operation in progress to complete.

Run$gcloud help for details.