gcloud iam principal-access-boundary-policies update

NAME
gcloud iam principal-access-boundary-policies update - update PrincipalAccessBoundaryPolicy instance
SYNOPSIS
gcloud iam principal-access-boundary-policies update(PRINCIPAL_ACCESS_BOUNDARY_POLICY :--location=LOCATION--organization=ORGANIZATION)[--async][--display-name=DISPLAY_NAME][--etag=ETAG][--annotations=[ANNOTATIONS,…]    |--update-annotations=[UPDATE_ANNOTATIONS,…]--clear-annotations    |--remove-annotations=REMOVE_ANNOTATIONS][--clear-details--details-enforcement-version=DETAILS_ENFORCEMENT_VERSION--details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]    |--add-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]--clear-details-rules    |--remove-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]][GCLOUD_WIDE_FLAG]
DESCRIPTION
Update PrincipalAccessBoundaryPolicy instance.
EXAMPLES
To update display name ofmy-policy in organization123, run:
gcloudiamprincipal-access-boundary-policiesupdatemy-policy--organization=123--location=global--display-name=new-display-name
POSITIONAL ARGUMENTS
PrincipalAccessBoundaryPolicy resource - Identifier. The resource name of theprincipal access boundary policy.

The following format is supported:organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}The arguments in this group can be used to specify the attributes of thisresource.

This must be specified.

PRINCIPAL_ACCESS_BOUNDARY_POLICY
ID of the principalAccessBoundaryPolicy or fully qualified identifier for theprincipalAccessBoundaryPolicy.

To set theprincipal_access_boundary_policy attribute:

  • provide the argumentprincipal_access_boundary_policy on thecommand line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--location=LOCATION
The location id of the principalAccessBoundaryPolicy resource.

To set thelocation attribute:

  • provide the argumentprincipal_access_boundary_policy on thecommand line with a fully specified name;
  • provide the argument--location on the command line.
--organization=ORGANIZATION
The organization id of the principalAccessBoundaryPolicy resource.

To set theorganization attribute:

  • provide the argumentprincipal_access_boundary_policy on thecommand line with a fully specified name;
  • provide the argument--organization on the command line.
FLAGS
--async
Return immediately, without waiting for the operation in progress to complete.
--display-name=DISPLAY_NAME
The description of the principal access boundary policy. Must be less than orequal to 63 characters.
--etag=ETAG
The etag for the principal access boundary. If this is provided on update, itmust match the server's etag.
Update annotations.

At most one of these can be specified:

--annotations=[ANNOTATIONS,…]
Set annotations to new value. User defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.
KEY
SetsKEY value.
VALUE
SetsVALUE value.
Shorthand Example:
--annotations=string=string

JSON Example:

--annotations='{"string": "string"}'

File Example:

--annotations=path_to_file.(yaml|json)
Or at least one of these can be specified:
--update-annotations=[UPDATE_ANNOTATIONS,…]
Update annotations value or add key value pair. User defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.
KEY
SetsKEY value.
VALUE
SetsVALUE value.
Shorthand Example:
--update-annotations=string=string

JSON Example:

--update-annotations='{"string": "string"}'

File Example:

--update-annotations=path_to_file.(yaml|json)
At most one of these can be specified:
--clear-annotations
Clear annotations value and set to empty map.
--remove-annotations=REMOVE_ANNOTATIONS
Remove existing value from map annotations. Setsremove_annotationsvalue.Shorthand Example:
--remove-annotations=string,string

JSON Example:

--remove-annotations=["string"]

File Example:

--remove-annotations=path_to_file.(yaml|json)
Principal access boundary policy details
--clear-details
Set googleIamV3PrincipalAccessBoundaryPolicy.details back to default value.
--details-enforcement-version=DETAILS_ENFORCEMENT_VERSION
The version number (for example,1 orlatest) thatindicates which permissions are able to be blocked by the policy. If empty, thePAB policy version will be set to the most recent version number at the time ofthe policy's creation.
Update details_rules.

At most one of these can be specified:

--details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]
Set details_rules to new value. A list of principal access boundary policyrules. The number of rules in a policy is limited to 500.
description
The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect
The access relationship of principals to the resources in this rule.
resources
A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.

The following resource types are supported:

  • Organizations, such as//cloudresourcemanager.googleapis.com/organizations/123.
  • Folders, such as//cloudresourcemanager.googleapis.com/folders/123.
  • Projects, such as//cloudresourcemanager.googleapis.com/projects/123 or//cloudresourcemanager.googleapis.com/projects/my-project-id.
Shorthand Example:
--details-rules=description=string,effect=string,resources=[string]--details-rules=description=string,effect=string,resources=[string]

JSON Example:

--details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'

File Example:

--details-rules=path_to_file.(yaml|json)
Or at least one of these can be specified:
--add-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]
Add new value to details_rules list. A list of principal access boundary policyrules. The number of rules in a policy is limited to 500.
description
The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect
The access relationship of principals to the resources in this rule.
resources
A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.

The following resource types are supported:

  • Organizations, such as//cloudresourcemanager.googleapis.com/organizations/123.
  • Folders, such as//cloudresourcemanager.googleapis.com/folders/123.
  • Projects, such as//cloudresourcemanager.googleapis.com/projects/123 or//cloudresourcemanager.googleapis.com/projects/my-project-id.
Shorthand Example:
--add-details-rules=description=string,effect=string,resources=[string]--add-details-rules=description=string,effect=string,resources=[string]

JSON Example:

--add-details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'

File Example:

--add-details-rules=path_to_file.(yaml|json)
At most one of these can be specified:
--clear-details-rules
Clear details_rules value and set to empty list.
--remove-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]
Remove existing value from details_rules list. A list of principal accessboundary policy rules. The number of rules in a policy is limited to 500.
description
The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect
The access relationship of principals to the resources in this rule.
resources
A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.

The following resource types are supported:

  • Organizations, such as//cloudresourcemanager.googleapis.com/organizations/123.
  • Folders, such as//cloudresourcemanager.googleapis.com/folders/123.
  • Projects, such as//cloudresourcemanager.googleapis.com/projects/123 or//cloudresourcemanager.googleapis.com/projects/my-project-id.
Shorthand Example:
--remove-details-rules=description=string,effect=string,resources=[string]--remove-details-rules=description=string,effect=string,resources=[string]

JSON Example:

--remove-details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'

File Example:

--remove-details-rules=path_to_file.(yaml|json)
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

API REFERENCE
This command uses theiam/v3 API. The full documentation for thisAPI can be found at:https://cloud.google.com/iam/
NOTES
This variant is also available:
gcloudbetaiamprincipal-access-boundary-policiesupdate

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-01-21 UTC.