NAME
    gcloud access-context-manager cloud-bindings create - create cloud access
        bindings for a specific group

SYNOPSIS
    gcloud access-context-manager cloud-bindings create --group-key=GROUP_KEY
        [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
        [--level=[LEVEL,...]] [--organization=ORGANIZATION]
        [--session-length=SESSION_LENGTH]
        [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Create a new cloud access binding. The access level and/or session settings
    will be globally bound with the group.

    To apply access level and/or session settings to a specific application,
    specify the restricted application in the 'binding-file'. In such case, the
    access level and/or session settings specified in the yaml file will be
    bound with the group and the restricted applications.

EXAMPLES
    To create a new cloud access binding, run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc

    To create a new cloud access binding for particular applications using a
    yaml file, run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    To create a new global cloud access binding, and for particular
    applications using a yaml file, run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' --binding-file='binding.yaml'

    To create a new cloud access binding for the dry run access level, run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def

    To create a new cloud access binding with global session settings, specify
    your session length using an ISO duration string and the session-length
    flag. For example:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h

    To set a particular session reauth method for these session settings, run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN

    To create session settings for a particular application, supply a YAML file
    and run:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    Global and per-app session settings can be set on the same group, along
    with access levels. For example:

        $ gcloud access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def \
            --binding-file='binding.yaml'

REQUIRED FLAGS
     --group-key=GROUP_KEY
        Google Group ID whose members are subject to the restrictions of this
        binding.

OPTIONAL FLAGS
     --binding-file=YAML_FILE
        Path to the file that contains a Google Cloud Platform user access
        binding.

        This file contains a YAML-compliant object representing a
        GcpUserAccessBinding (as described in the API reference:
        https://docs.cloud.google.com/access-context-manager/docs/apply-policies-to-user-groups#define_configurations_for_specific_applications)
        containing ScopedAccessSettings only. No other binding fields are
        allowed. For bindings tied to all workforce identities in a given org,
        the ScopedAccessSettings must only contain sessionSettings within the
        activeSettings list. No other fields are allowed.

     --dry-run-level=[DRY_RUN_LEVEL,...]
        The dry run access level that binds to the given group. The dry run
        access level will be evaluated but won't be enforced. Denial on dry run
        access level will be logged. The input must be the full identifier of
        an access level, such as accessPolicies/123/accessLevels/new-def.

     --level=[LEVEL,...]
        The access level that binds to the given group. The input must be the
        full identifier of an access level, such as
        accessPolicies/123/accessLevels/abc.

     --organization=ORGANIZATION
        Parent organization for this binding.

     --session-length=SESSION_LENGTH
        The maximum lifetime of a user session provided as an ISO 8601 duration
        string. Must be at least one hour or zero seconds, and no more than
        twenty-four hours. Granularity is limited to seconds.

        When --session-length=0 then users in the group attached to this
        binding will have infinite session length, effectively disabling the
        session settings.

        A session begins when a user signs in successfully. If a user signs out
        before the end of the session lifetime, a new login creates a new
        session with a fresh lifetime. When a session expires, the user is
        asked to re-authenticate in accordance with session-method.

        Setting --session-reauth-method when --session-length is empty raises
        an error.

     --session-reauth-method=SESSION_REAUTH_METHOD; default="login"
        Specifies the type of re-authentication challenge given to the user
        when their session expires. Defaults to --session-reauth-method=login
        if unspecified and --session-length is set. Cannot be used when
        --session-length is empty or 0.

        SESSION_REAUTH_METHOD must be one of:

         login
            The user must complete a regular login.

         password
            The user will only be required to enter their password.

         security-key
            The user must re-autheticate using their security key. Before
            enabling this session reauth method, ensure a security key is
            properly configured for the user. For help configuring your
            security key, see
            https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the accesscontextmanager/v1 API. The full documentation
    for this API can be found at:
    https://cloud.google.com/access-context-manager/docs/reference/rest/

NOTES
    This variant is also available:

        $ gcloud alpha access-context-manager cloud-bindings create

