gcloud beta iam policy-bindings create - create PolicyBinding instance

gcloud beta iam policy-bindings create(POLICY_BINDING :--folder=FOLDER--location=LOCATION--organization=ORGANIZATION)--policy=POLICY(--target-principal-set=TARGET_PRINCIPAL_SET    |--target-resource=TARGET_RESOURCE)[--annotations=[ANNOTATIONS,…]][--async][--display-name=DISPLAY_NAME][--etag=ETAG][--policy-kind=POLICY_KIND][--condition-description=CONDITION_DESCRIPTION--condition-expression=CONDITION_EXPRESSION--condition-location=CONDITION_LOCATION--condition-title=CONDITION_TITLE][GCLOUD_WIDE_FLAG …]

PolicyBinding resource - Identifier. The name of the policy binding, in theformat{binding_parent/locations/{location}/policyBindings/{policy_binding_id}.The binding parent is the closest Resource Manager resource (project, folder, ororganization) to the binding target.

Format:

• projects/{project_id}/locations/{location}/policyBindings/{policy_binding_id}
• projects/{project_number}/locations/{location}/policyBindings/{policy_binding_id}
• folders/{folder_id}/locations/{location}/policyBindings/{policy_binding_id}
• organizations/{organization_id}/locations/{location}/policyBindings/{policy_binding_id}The arguments in this group can be used to specify the attributes of thisresource. (NOTE) Some attributes are not given arguments in this group but canbe set in other ways.

To set theproject attribute:

• provide the argumentpolicy_binding on the command line with afully specified name;
• provide the argument--project on the command line;
• set the propertycore/project. This resource can be one of thefollowing types: [iam.folders.locations.policyBindings,iam.organizations.locations.policyBindings,iam.projects.locations.policyBindings].

This must be specified.

POLICY_BINDING

ID of the policyBinding or fully qualified identifier for the policyBinding.

To set thepolicy_binding attribute:

• provide the argumentpolicy_binding on the command line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--folder=FOLDER

The folder id of the policyBinding resource.

To set thefolder attribute:

• provide the argumentpolicy_binding on the command line with afully specified name;
• provide the argument--folder on the command line. Must bespecified for resource of type [iam.folders.locations.policyBindings].

--location=LOCATION

The location id of the policyBinding resource.

To set thelocation attribute:

• provide the argumentpolicy_binding on the command line with afully specified name;
• provide the argument--location on the command line.

--organization=ORGANIZATION

The organization id of the policyBinding resource.

To set theorganization attribute:

• provide the argumentpolicy_binding on the command line with afully specified name;
• provide the argument--organization on the command line. Must bespecified for resource of type [iam.organizations.locations.policyBindings].

--policy=POLICY

The resource name of the policy to be bound. The binding parent and policy mustbelong to the same organization.

The full resource name of the resource to which the policy will be bound.Immutable once set.

This must be specified.

Arguments for the target.

At most one of these can be specified:

--target-principal-set=TARGET_PRINCIPAL_SET

The full resource name that's used for principal access boundary policybindings. The principal set must be directly parented by the policy binding'sparent or same as the parent if the target is a project, folder, ororganization.

Examples:

• For bindings parented by an organization:
  • Organization://cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID
  • Workforce Identity://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID
  • Workspace Identity://iam.googleapis.com/locations/global/workspace/WORKSPACE_ID
• For bindings parented by a folder:
  • Folder://cloudresourcemanager.googleapis.com/folders/FOLDER_ID
• For bindings parented by a project:
  • Project:
    • //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
    • //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
  • Workload Identity Pool://iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID

--target-resource=TARGET_RESOURCE

The full resource name that's used for access policy bindings.

Examples:

• Organization://cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID
  • Folder://cloudresourcemanager.googleapis.com/folders/FOLDER_ID
    • Project:
      • //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
      • //cloudresourcemanager.googleapis.com/projects/PROJECT_ID

--annotations=[ANNOTATIONS,…]

User-defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.

KEY

SetsKEY value.

VALUE

SetsVALUE value.

Shorthand Example:

--annotations=string=string

JSON Example:

--annotations='{"string": "string"}'

File Example:

--annotations=path_to_file.(yaml|json)

--async

Return immediately, without waiting for the operation in progress to complete.

--display-name=DISPLAY_NAME

The description of the policy binding. Must be less than or equal to 63characters.

--etag=ETAG

The etag for the policy binding. If this is provided on update, it must matchthe server's etag.

--policy-kind=POLICY_KIND

The kind of the policy to attach in this binding. This field must be one of thefollowing:

• Left empty (will be automatically set to the policy kind)
• The input policy kind.

POLICY_KIND must be one of:

access

Access policy kind.

principal-access-boundary

Principal access boundary policy kind

Represents a textual expression in the Common Expression Language (CEL) syntax.CEL is a C-like expression language. The syntax and semantics of CEL aredocumented athttps://github.com/google/cel-spec.

Example (Comparison):

title:"Summary size limit"description:"Determines if a summary is less than 100 chars"expression:"document.summary.size() < 100"

Example (Equality):

title:"Requestor is owner"description:"Determines if requestor is the document owner"expression:"document.owner == request.auth.claims.email"

Example (Logic):

title:"Public documents"description:"Determine whether the document should be publicly visible"expression:"document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation):

title:"Notification string"description:"Create a notification string with a timestamp."expression:"'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expressionare determined by the service that evaluates it. See the service documentationfor additional information.

--condition-description=CONDITION_DESCRIPTION

Description of the expression. This is a longer text which describes theexpression, e.g. when hovered over it in a UI.

--condition-expression=CONDITION_EXPRESSION

Textual representation of an expression in Common Expression Language syntax.

--condition-location=CONDITION_LOCATION

String indicating the location of the expression for error reporting, e.g. afile name and a position in the file.

--condition-title=CONDITION_TITLE

Title for the expression, i.e. a short string describing its purpose. This canbe used e.g. in UIs which allow to enter the expression.

Run$gcloud help for details.