gcloud iam principal-access-boundary-policies update
- NAME
- gcloud iam principal-access-boundary-policies update - update PrincipalAccessBoundaryPolicy instance
- SYNOPSIS
gcloud iam principal-access-boundary-policies update(PRINCIPAL_ACCESS_BOUNDARY_POLICY:--location=LOCATION--organization=ORGANIZATION)[--async][--display-name=DISPLAY_NAME][--etag=ETAG][--annotations=[ANNOTATIONS,…] |--update-annotations=[UPDATE_ANNOTATIONS,…]--clear-annotations|--remove-annotations=REMOVE_ANNOTATIONS][--clear-details--details-enforcement-version=DETAILS_ENFORCEMENT_VERSION--details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES] |--add-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]--clear-details-rules|--remove-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
- Update PrincipalAccessBoundaryPolicy instance.
- EXAMPLES
- To update display name of
my-policyin organization123, run:gcloudiamprincipal-access-boundary-policiesupdatemy-policy--organization=123--location=global--display-name=new-display-name - POSITIONAL ARGUMENTS
- PrincipalAccessBoundaryPolicy resource - Identifier. The resource name of theprincipal access boundary policy.
The following format is supported:
organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}The arguments in this group can be used to specify the attributes of thisresource.This must be specified.
PRINCIPAL_ACCESS_BOUNDARY_POLICY- ID of the principalAccessBoundaryPolicy or fully qualified identifier for theprincipalAccessBoundaryPolicy.
To set the
principal_access_boundary_policyattribute:- provide the argument
principal_access_boundary_policyon thecommand line.
This positional argument must be specified if any of the other arguments in thisgroup are specified.
- provide the argument
--location=LOCATION- The location id of the principalAccessBoundaryPolicy resource.
To set the
locationattribute:- provide the argument
principal_access_boundary_policyon thecommand line with a fully specified name; - provide the argument
--locationon the command line.
- provide the argument
--organization=ORGANIZATION- The organization id of the principalAccessBoundaryPolicy resource.
To set the
organizationattribute:- provide the argument
principal_access_boundary_policyon thecommand line with a fully specified name; - provide the argument
--organizationon the command line.
- provide the argument
- PrincipalAccessBoundaryPolicy resource - Identifier. The resource name of theprincipal access boundary policy.
- FLAGS
--async- Return immediately, without waiting for the operation in progress to complete.
--display-name=DISPLAY_NAME- The description of the principal access boundary policy. Must be less than orequal to 63 characters.
--etag=ETAG- The etag for the principal access boundary. If this is provided on update, itmust match the server's etag.
- Update annotations.
At most one of these can be specified:
--annotations=[ANNOTATIONS,…]- Set annotations to new value. User defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.
KEY- Sets
KEYvalue. VALUE- Sets
VALUEvalue.
Shorthand Example:--annotations=string=string
JSON Example:--annotations='{"string": "string"}'
File Example:--annotations=path_to_file.(yaml|json)
- Or at least one of these can be specified:
--update-annotations=[UPDATE_ANNOTATIONS,…]- Update annotations value or add key value pair. User defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.
KEY- Sets
KEYvalue. VALUE- Sets
VALUEvalue.
Shorthand Example:--update-annotations=string=string
JSON Example:--update-annotations='{"string": "string"}'
File Example:--update-annotations=path_to_file.(yaml|json)
- At most one of these can be specified:
--clear-annotations- Clear annotations value and set to empty map.
--remove-annotations=REMOVE_ANNOTATIONS- Remove existing value from map annotations. Sets
remove_annotationsvalue.Shorthand Example:--remove-annotations=string,stringJSON Example:--remove-annotations=["string"]
File Example:--remove-annotations=path_to_file.(yaml|json)
- Principal access boundary policy details
--clear-details- Set googleIamV3PrincipalAccessBoundaryPolicy.details back to default value.
--details-enforcement-version=DETAILS_ENFORCEMENT_VERSION- The version number (for example,
1orlatest) thatindicates which permissions are able to be blocked by the policy. If empty, thePAB policy version will be set to the most recent version number at the time ofthe policy's creation. - Update details_rules.
At most one of these can be specified:
--details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]- Set details_rules to new value. A list of principal access boundary policyrules. The number of rules in a policy is limited to 500.
description- The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect- The access relationship of principals to the resources in this rule.
resources- A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.
The following resource types are supported:
- Organizations, such as
//cloudresourcemanager.googleapis.com/organizations/123. - Folders, such as
//cloudresourcemanager.googleapis.com/folders/123. - Projects, such as
//cloudresourcemanager.googleapis.com/projects/123or//cloudresourcemanager.googleapis.com/projects/my-project-id.
- Organizations, such as
Shorthand Example:--details-rules=description=string,effect=string,resources=[string]--details-rules=description=string,effect=string,resources=[string]
JSON Example:--details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'
File Example:--details-rules=path_to_file.(yaml|json)
- Or at least one of these can be specified:
--add-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]- Add new value to details_rules list. A list of principal access boundary policyrules. The number of rules in a policy is limited to 500.
description- The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect- The access relationship of principals to the resources in this rule.
resources- A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.
The following resource types are supported:
- Organizations, such as
//cloudresourcemanager.googleapis.com/organizations/123. - Folders, such as
//cloudresourcemanager.googleapis.com/folders/123. - Projects, such as
//cloudresourcemanager.googleapis.com/projects/123or//cloudresourcemanager.googleapis.com/projects/my-project-id.
- Organizations, such as
Shorthand Example:--add-details-rules=description=string,effect=string,resources=[string]--add-details-rules=description=string,effect=string,resources=[string]
JSON Example:--add-details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'
File Example:--add-details-rules=path_to_file.(yaml|json)
- At most one of these can be specified:
--clear-details-rules- Clear details_rules value and set to empty list.
--remove-details-rules=[description=DESCRIPTION],[effect=EFFECT],[resources=RESOURCES]- Remove existing value from details_rules list. A list of principal accessboundary policy rules. The number of rules in a policy is limited to 500.
description- The description of the principal access boundary policy rule. Must be less thanor equal to 256 characters.
effect- The access relationship of principals to the resources in this rule.
resources- A list of Resource Manager resources. If a resource is listed in the rule, thenthe rule applies for that resource and its descendants. The number of resourcesin a policy is limited to 500 across all rules in the policy.
The following resource types are supported:
- Organizations, such as
//cloudresourcemanager.googleapis.com/organizations/123. - Folders, such as
//cloudresourcemanager.googleapis.com/folders/123. - Projects, such as
//cloudresourcemanager.googleapis.com/projects/123or//cloudresourcemanager.googleapis.com/projects/my-project-id.
- Organizations, such as
Shorthand Example:--remove-details-rules=description=string,effect=string,resources=[string]--remove-details-rules=description=string,effect=string,resources=[string]
JSON Example:--remove-details-rules='[{"description": "string", "effect": "string", "resources": ["string"]}]'
File Example:--remove-details-rules=path_to_file.(yaml|json)
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - API REFERENCE
- This command uses the
iam/v3API. The full documentation for thisAPI can be found at:https://cloud.google.com/iam/ - NOTES
- This variant is also available:
gcloudbetaiamprincipal-access-boundary-policiesupdate
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-01-21 UTC.