gcloud beta iam access-policies create

NAME
gcloud beta iam access-policies create - create AccessPolicy instance
SYNOPSIS
gcloud beta iam access-policies create(ACCESS_POLICY :--folder=FOLDER--location=LOCATION--organization=ORGANIZATION)[--annotations=[ANNOTATIONS,…]][--async][--details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]][--display-name=DISPLAY_NAME][--etag=ETAG][--validate-only][GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) Create AccessPolicy instance.
EXAMPLES
To create a policy instance calledmy-policy, run:
gcloudbetaiamaccess-policiescreatemy-policy--organization=123--location=global--details.rules=rule1.json
POSITIONAL ARGUMENTS
AccessPolicy resource - Identifier. The resource name of the access policy.

The following formats are supported:

  • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
  • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
  • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
  • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}The arguments in this group can be used to specify the attributes of thisresource. (NOTE) Some attributes are not given arguments in this group but canbe set in other ways.

To set theproject attribute:

  • provide the argumentaccess_policy on the command line with a fullyspecified name;
  • provide the argument--project on the command line;
  • set the propertycore/project. This resource can be one of thefollowing types: [iam.folders.locations.accessPolicies,iam.organizations.locations.accessPolicies,iam.projects.locations.accessPolicies].

This must be specified.

ACCESS_POLICY
ID of the accessPolicy or fully qualified identifier for the accessPolicy.

To set theaccess_policy attribute:

  • provide the argumentaccess_policy on the command line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--folder=FOLDER
The folder id of the accessPolicy resource.

To set thefolder attribute:

  • provide the argumentaccess_policy on the command line with a fullyspecified name;
  • provide the argument--folder on the command line. Must bespecified for resource of type [iam.folders.locations.accessPolicies].
--location=LOCATION
The location id of the accessPolicy resource.

To set thelocation attribute:

  • provide the argumentaccess_policy on the command line with a fullyspecified name;
  • provide the argument--location on the command line.
--organization=ORGANIZATION
The organization id of the accessPolicy resource.

To set theorganization attribute:

  • provide the argumentaccess_policy on the command line with a fullyspecified name;
  • provide the argument--organization on the command line. Must bespecified for resource of type [iam.organizations.locations.accessPolicies].
FLAGS
--annotations=[ANNOTATIONS,…]
User defined annotations. Seehttps://google.aip.dev/148#annotationsfor more details such as format and size limitations.
KEY
SetsKEY value.
VALUE
SetsVALUE value.
Shorthand Example:
--annotations=string=string

JSON Example:

--annotations='{"string": "string"}'

File Example:

--annotations=path_to_file.(yaml|json)
--async
Return immediately, without waiting for the operation in progress to complete.
Access policy details.
--details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
Required, A list of access policy rules.
conditions
The conditions that determine whether this rule applies to a request. Conditionsare identified by their key, which is the FQDN of the service that they arerelevant to. For example:"conditions": { "iam.googleapis.com": <celexpression> }. Each rule is evaluated independently. If this rule doesnot apply to a request, other rules might still apply. Currently supported keysare as follows:
  • eventarc.googleapis.com: Can useCEL functions thatevaluate resource fields.
  • iam.googleapis.com: Can useCEL functions thatevaluateresourcetags and combine them using boolean and logical operators. Other functionsand operators are not supported.
KEY
SetsKEY value.
VALUE
SetsVALUE value.
description
Description of the expression. This is a longer text which describes theexpression, e.g. when hovered over it in a UI.
expression
Textual representation of an expression in Common Expression Language syntax.
location
String indicating the location of the expression for error reporting, e.g. afile name and a position in the file.
title
Title for the expression, i.e. a short string describing its purpose. This canbe used e.g. in UIs which allow to enter the expression.
description
Customer specified description of the rule. Must be less than or equal to 256characters.
effect
The effect of the rule.
excludedPrincipals
The identities that are excluded from the access policy rule, even if they arelisted in theprincipals. For example, you could add a Google groupto theprincipals, then exclude specific users who belong to thatgroup.
operation
Attributes that are used to determine whether this rule applies to a request.
excludedPermissions
Specifies the permissions that this rule excludes from the set of affectedpermissions given bypermissions. If a permission appears inpermissionsand inexcluded_permissions then it willnot besubject to the policy effect.

The excluded permissions can be specified using the same syntax aspermissions.

permissions
The permissions that are explicitly affected by this rule. Each permission usesthe format{service_fqdn}/{resource}.{verb}, where{service_fqdn} is the fully qualified domain name for the service.Currently supported permissions are as follows:
  • eventarc.googleapis.com/messageBuses.publish.
principals
The identities for which this rule's effect governs using one or morepermissions on Google Cloud resources. This field can contain the followingvalues:
  • principal://goog/subject/{email_id}: A specific Google Account.Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example,principal://goog/subject/alice@example.com.
If an identifier that was previously set on a policy is soft deleted, then callsto read that policy will return the identifier with a deleted prefix. Userscannot set identifiers with this syntax.
  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specificGoogle Account that was deleted recently. For example,deleted:principal://goog/subject/alice@example.com?uid=1234567890.If the Google Account is recovered, this identifier reverts to the standardidentifier for a Google Account.
  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Googlegroup that was deleted recently. For example,deleted:principalSet://goog/group/admins@example.com?uid=1234567890.If the Google group is restored, this identifier reverts to the standardidentifier for a Google group.
  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}:A Google Cloud service account that was deleted recently. For example,deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890.If the service account is undeleted, this identifier reverts to the standardidentifier for a service account.
Shorthand Example:
--details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]--details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

JSON Example:

--details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

File Example:

--details-rules=path_to_file.(yaml|json)
--display-name=DISPLAY_NAME
The description of the access policy. Must be less than or equal to 63characters.
--etag=ETAG
The etag for the access policy. If this is provided on update, it must match theserver's etag.
--validate-only
If set, validate the request and preview the creation, but do not actually postit.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

API REFERENCE
This command uses theiam/v3beta API. The full documentation forthis API can be found at:https://cloud.google.com/iam/
NOTES
This command is currently in beta and might change without notice.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-09 UTC.