gcloud beta container hub scopes remove-app-operator-binding
- NAME
- gcloud beta container hub scopes remove-app-operator-binding - remove project-level and fleet scope-level IAM bindings and delete a fleet scope RBAC role binding for an app operator principal
- SYNOPSIS
gcloud beta container hub scopes remove-app-operator-bindingSCOPE(--group=GROUP|--user=USER)[GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(BETA)One binding consists of an app operator principal(user/group) and a role (view/edit/admin).This command unsets the different permissions required for an app operator,including usage of fleet scopes, connect gateway, logging, and metrics. Theauthoritative list for removing the permissions is the existing RBAC rolebindings under the specified scope.
This command can fail for the following reasons:
- The scope specified does not exist.
- The user does not have access to the specified scope.
- The principal specified does not any binding for the scope.
- The principal specified has bindings with different roles for the scope.
- EXAMPLES
- The following command:
gcloudbetacontainerhubscopesremove-app-operator-bindingSCOPE--group=people@google.com--project=PROJECT_IDassuming the group already has the
viewrole:- removes IAM policy binding: roles/gkehub.scopeViewer from
SCOPE - removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from
PROJECT_IDif the group does not have theviewrolefor any other scope under the project - removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_IDcondition where bucket corresponds toSCOPE - deletes existing fleet scope RBAC role binding: role
viewfor grouppeople@google.com.
---
The following command:
gcloudbetacontainerhubscopesremove-app-operator-bindingSCOPE--user=person@google.com--project=PROJECT_IDassuming the user already has the
editrole:- removes IAM policy binding: roles/gkehub.scopeEditor from
SCOPE - removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_IDif the user does not have theedit/adminrole for any other scope under the project - removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_IDcondition where bucket corresponds toSCOPE - deletes existing fleet scope RBAC role binding: role
editfor userperson@google.com.
---
The following command:
gcloudbetacontainerhubscopesremove-app-operator-bindingSCOPE--user=person@google.com--project=PROJECT_IDassuming the user already has a custom role:
- removes IAM policy binding: roles/gkehub.scopeViewer from
SCOPE - removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_IDif the user does not have theedit/adminrole for any other scope under the project - removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_IDcondition where bucket corresponds toSCOPE - deletes existing fleet scope RBAC role binding: role
adminfor userperson@google.com.
---
The following command:
gcloudbetacontainerhubscopesremove-app-operator-bindingSCOPE--user=person@google.com--project=PROJECT_IDassuming the user already has the
adminrole:- removes IAM policy binding: roles/gkehub.scopeAdmin from
SCOPE - removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_IDif the user does not have theedit/adminrole for any other scope under the project - removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_IDcondition where bucket corresponds toSCOPE - deletes existing fleet scope RBAC role binding: role
adminfor userperson@google.com.
- removes IAM policy binding: roles/gkehub.scopeViewer from
- POSITIONAL ARGUMENTS
- Scope resource - The group of arguments defining the Fleet Scope. Thisrepresents a Cloud resource. (NOTE) Some attributes are not given arguments inthis group but can be set in other ways.
To set the
projectattribute:- provide the argument
SCOPEon the command line with a fullyspecified name; - provide the argument
--projecton the command line; - set the property
core/project.
To set the
locationattribute:- provide the argument
SCOPEon the command line with a fullyspecified name; - global is the only supported location.
This must be specified.
SCOPE- ID of the scope or fully qualified identifier for the scope.
To set the
scopeattribute:- provide the argument
SCOPEon the command line.
- provide the argument
- provide the argument
- Scope resource - The group of arguments defining the Fleet Scope. Thisrepresents a Cloud resource. (NOTE) Some attributes are not given arguments inthis group but can be set in other ways.
- REQUIRED FLAGS
- Exactly one of these must be specified:
--group=GROUP- Group for the role binding.
--user=USER- User for the role binding.
- Exactly one of these must be specified:
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in beta and might change without notice. This variantis also available:
gcloudalphacontainerhubscopesremove-app-operator-binding
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-06-17 UTC.