gcloud beta iam access-policies update

NAME
gcloud beta iam access-policies update - update AccessPolicy instance
SYNOPSIS
gcloud beta iam access-policies update (ACCESS_POLICY : --folder=FOLDER --location=LOCATION --organization=ORGANIZATION) [--async] [--display-name=DISPLAY_NAME] [--etag=ETAG] [--[no-]validate-only] [--annotations=[ANNOTATIONS,…] | --update-annotations=[UPDATE_ANNOTATIONS,…] --clear-annotations | --remove-annotations=REMOVE_ANNOTATIONS] [--clear-details --details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS] | --add-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS] --clear-details-rules | --remove-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]] [GCLOUD_WIDE_FLAG …]
DESCRIPTION
(BETA) Update AccessPolicy instance.
EXAMPLES
To update the display name of my-policy in organization 123, run:
gcloud beta iam access-policies update my-policy --organization=123 --location=global --display-name=new-display-name
POSITIONAL ARGUMENTS
AccessPolicy resource - Identifier. The resource name of the access policy.

The following formats are supported:

  • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
  • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
  • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
  • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}

The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument access_policy on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This resource can be one of the following types: [iam.folders.locations.accessPolicies, iam.organizations.locations.accessPolicies, iam.projects.locations.accessPolicies].

This must be specified.

ACCESS_POLICY
ID of the accessPolicy or fully qualified identifier for the accessPolicy.

To set the access_policy attribute:

  • provide the argument access_policy on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--folder=FOLDER
The folder id of the accessPolicy resource.

To set the folder attribute:

  • provide the argument access_policy on the command line with a fully specified name;
  • provide the argument --folder on the command line. Must be specified for resource of type [iam.folders.locations.accessPolicies].
--location=LOCATION
The location id of the accessPolicy resource.

To set the location attribute:

  • provide the argument access_policy on the command line with a fully specified name;
  • provide the argument --location on the command line.
--organization=ORGANIZATION
The organization id of the accessPolicy resource.

To set the organization attribute:

  • provide the argument access_policy on the command line with a fully specified name;
  • provide the argument --organization on the command line. Must be specified for resource of type [iam.organizations.locations.accessPolicies].
FLAGS
--async
Return immediately, without waiting for the operation in progress to complete.
--display-name=DISPLAY_NAME
The display name of the access policy. Must be less than or equal to 63 characters.
--etag=ETAG
The etag for the access policy. If this is provided on update, it must match the server's etag.
--[no-]validate-only
If set, validate the request and preview the update, but do not actually post it. Use --validate-only to enable and --no-validate-only to disable.
Update annotations.

At most one of these can be specified:

--annotations=[ANNOTATIONS,…]
Set annotations to new value. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
Shorthand Example:
--annotations=string=string

JSON Example:

--annotations='{"string": "string"}'

File Example:

--annotations=path_to_file.(yaml|json)
--update-annotations=[UPDATE_ANNOTATIONS,…]
Update annotations value or add key value pair. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
Shorthand Example:
--update-annotations=string=string

JSON Example:

--update-annotations='{"string": "string"}'

File Example:

--update-annotations=path_to_file.(yaml|json)
At most one of these can be specified:
--clear-annotations
Clear annotations value and set to empty map.
--remove-annotations=REMOVE_ANNOTATIONS
Remove existing value from map annotations. Sets remove_annotations value.
Shorthand Example:
--remove-annotations=string,string

JSON Example:

--remove-annotations=["string"]

File Example:

--remove-annotations=path_to_file.(yaml|json)
Access policy details.
--clear-details
Set googleIamV3betaAccessPolicy.details back to default value.
Update details_rules.

At most one of these can be specified:

--details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
Set details_rules to new value. A list of access policy rules.
conditions
The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example: "conditions": { "iam.googleapis.com": <cel expression> }. Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:
  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
description
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression
Textual representation of an expression in Common Expression Language syntax.
location
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.
description
Customer specified description of the rule. Must be less than or equal to 256 characters.
effect
The effect of the rule.
excludedPrincipals
The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
operation
Attributes that are used to determine whether this rule applies to a request.
excludedPermissions
Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excluded_permissions then it will not be subject to the policy effect.

The excluded permissions can be specified using the same syntax as permissions.

permissions
The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:
  • eventarc.googleapis.com/messageBuses.publish.
principals
The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:
  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
Shorthand Example:
--details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

JSON Example:

--details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

File Example:

--details-rules=path_to_file.(yaml|json)
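The rule fields above carry several constraints a typo can silently violate (a 256-character description limit, a closed set of condition keys and permissions, the {service_fqdn}/{resource}.{verb} permission format, and the deleted: principal prefix that is read-only), and the reference elsewhere offers --etag and --validate-only as the guard against posting a stale or malformed policy. The Python below is an added example, not code from the gcloud reference or the gcloud SDK: it checks a rules list against those documented constraints, pulls the etag out of a describe result, and assembles the guarded update command without invoking gcloud. The sample rule, policy name, organization ID and describe output are constructed; the ALLOW effect value, the principalSet://goog/group/ form of a settable group identifier, the matchTag CEL call and the presence of an etag field in describe output are assumptions not stated on this page.

```python
"""Pre-flight checks for a --details-rules file before running
`gcloud beta iam access-policies update`. Added example; the rule, policy
name, organization ID and describe output are constructed, and the CLI is
never invoked, only its argv is assembled."""
import json
import re
import shlex
import tempfile

# Values the reference page lists as currently supported.
SUPPORTED_CONDITION_KEYS = {"eventarc.googleapis.com", "iam.googleapis.com"}
SUPPORTED_PERMISSIONS = {"eventarc.googleapis.com/messageBuses.publish"}
# {service_fqdn}/{resource}.{verb}
PERMISSION_RE = re.compile(r"^[a-z0-9.-]+\.googleapis\.com/[A-Za-z]+\.[A-Za-z]+$")
# Settable principal forms. The page documents principal://goog/subject/{email};
# the group form is assumed from the deleted:principalSet://goog/group identifier
# it shows. Anything carrying the deleted: prefix is read-only.
PRINCIPAL_RE = re.compile(
    r"^(principal://goog/subject|principalSet://goog/group)/[^@\s/]+@[^@\s/]+$")

# Constructed sample rule. "ALLOW" is an assumption: the page does not
# enumerate the values of `effect`.
SAMPLE_RULE = {
    "description": "Only the release group may publish to prod-tagged message buses",
    "effect": "ALLOW",
    "principals": ["principalSet://goog/group/release@example.com"],
    "excludedPrincipals": ["principal://goog/subject/contractor@example.com"],
    "operation": {
        "permissions": ["eventarc.googleapis.com/messageBuses.publish"],
        "excludedPermissions": [],
    },
    "conditions": {
        "iam.googleapis.com": {
            "title": "prod-tag",
            "description": "Resource carries the env=prod tag",
            "expression": "resource.matchTag('123/env', 'prod')",
        }
    },
}

# Constructed describe output; assumes the policy JSON carries an `etag` field.
SAMPLE_DESCRIBE = json.dumps({
    "name": "organizations/123/locations/global/accessPolicies/my-policy",
    "displayName": "my-policy",
    "etag": "BwYzq1Ab",
})


def validate_rule(rule: dict) -> list:
    """Return the documented constraints that `rule` violates (empty = ok)."""
    problems = []
    if len(rule.get("description", "")) > 256:
        problems.append("description longer than 256 characters")
    for key, expr in rule.get("conditions", {}).items():
        if key not in SUPPORTED_CONDITION_KEYS:
            problems.append(f"unsupported condition key {key!r}")
        if not isinstance(expr, dict) or not expr.get("expression"):
            problems.append(f"condition {key!r} has no CEL expression")
    op = rule.get("operation", {})
    for field in ("permissions", "excludedPermissions"):
        for perm in op.get(field, []):
            if not PERMISSION_RE.match(perm):
                problems.append(f"{field}: {perm!r} is not {{service_fqdn}}/{{resource}}.{{verb}}")
            elif perm not in SUPPORTED_PERMISSIONS:
                problems.append(f"{field}: {perm!r} is not a currently supported permission")
    # A permission in both sets is not subject to the effect, so a rule whose
    # excluded set covers all of its permissions does nothing.
    perms = set(op.get("permissions", []))
    excluded = set(op.get("excludedPermissions", []))
    if perms and perms <= excluded:
        problems.append("every permission is also excluded; the rule has no effect")
    for field in ("principals", "excludedPrincipals"):
        for p in rule.get(field, []):
            if p.startswith("deleted:"):
                problems.append(f"{field}: {p!r} uses the read-only deleted: prefix")
            elif not PRINCIPAL_RE.match(p):
                problems.append(f"{field}: {p!r} is not a settable principal identifier")
    if not rule.get("effect"):
        problems.append("effect is missing")
    return problems


def etag_from_describe(describe_json: str) -> str:
    """Pull the etag out of `access-policies describe --format=json` output."""
    return json.loads(describe_json)["etag"]


def build_update_argv(policy, organization, rules_path, etag, validate_only=True):
    """Assemble the update command. --etag makes it a guarded read-modify-write:
    the server rejects the call if the policy changed after describe returned
    this etag. --validate-only previews the change without posting it."""
    argv = ["gcloud", "beta", "iam", "access-policies", "update", policy,
            f"--organization={organization}", "--location=global",
            f"--etag={etag}", f"--details-rules={rules_path}"]
    argv.append("--validate-only" if validate_only else "--no-validate-only")
    return argv


def write_rules_file(rules: list) -> str:
    """Write the rules list as JSON for the file form of --details-rules."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(rules, fh)
        return fh.name


if __name__ == "__main__":
    assert not validate_rule(SAMPLE_RULE), validate_rule(SAMPLE_RULE)
    path = write_rules_file([SAMPLE_RULE])
    print(shlex.join(build_update_argv("my-policy", "123", path,
                                       etag_from_describe(SAMPLE_DESCRIBE))))
```

Run the printed command with --validate-only first; only once the preview is clean, re-run it with --no-validate-only and the same --etag, so a concurrent change to the policy between describe and update is rejected rather than overwritten.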
--add-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
Add new value to details_rules list. A list of access policy rules.
conditions
The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example: "conditions": { "iam.googleapis.com": <cel expression> }. Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:
  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
description
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression
Textual representation of an expression in Common Expression Language syntax.
location
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.
description
Customer specified description of the rule. Must be less than or equal to 256 characters.
effect
The effect of the rule.
excludedPrincipals
The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
operation
Attributes that are used to determine whether this rule applies to a request.
excludedPermissions
Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excluded_permissions then it will not be subject to the policy effect.

The excluded permissions can be specified using the same syntax as permissions.

permissions
The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:
  • eventarc.googleapis.com/messageBuses.publish.
principals
The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:
  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
Shorthand Example:
--add-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --add-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

JSON Example:

--add-details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

File Example:

--add-details-rules=path_to_file.(yaml|json)
At most one of these can be specified:
--clear-details-rules
Clear details_rules value and set to empty list.
--remove-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
Remove existing value from details_rules list. A list of access policy rules.
conditions
The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example: "conditions": { "iam.googleapis.com": <cel expression> }. Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:
  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
description
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression
Textual representation of an expression in Common Expression Language syntax.
location
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.
description
Customer specified description of the rule. Must be less than or equal to 256 characters.
effect
The effect of the rule.
excludedPrincipals
The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
operation
Attributes that are used to determine whether this rule applies to a request.
excludedPermissions
Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excluded_permissions then it will not be subject to the policy effect.

The excluded permissions can be specified using the same syntax as permissions.

permissions
The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:
  • eventarc.googleapis.com/messageBuses.publish.
principals
The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:
  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
Shorthand Example:
--remove-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --remove-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

JSON Example:

--remove-details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

File Example:

--remove-details-rules=path_to_file.(yaml|json)
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the iam/v3beta API. The full documentation for this API can be found at: https://cloud.google.com/iam/
NOTES
This command is currently in beta and might change without notice.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-09 UTC.