NAME
    gcloud alpha access-context-manager cloud-bindings create - create cloud
        access bindings for a specific group

SYNOPSIS
    gcloud alpha access-context-manager cloud-bindings create
        [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
        [--federated-principal=FEDERATED_PRINCIPAL] [--group-key=GROUP_KEY]
        [--level=[LEVEL,...]] [--organization=ORGANIZATION]
        [--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,
          ...]]
        [--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,
          ...]] [--service-account=SERVICE_ACCOUNT]
        [--service-account-project-number=SERVICE_ACCOUNT_PROJECT_NUMBER]
        [--session-length=SESSION_LENGTH]
        [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) Create a new access binding. The access level (if any) will be
    bound with

      ▪ a group and the restricted client application
      ▪ a specific service account or all service accounts in a specified
        project.

    The session settings (if any) will be bound with

      ▪ a group

    If you want to bind session settings to a particular application, use
    scoped access settings.

    If a group key is specified, the access level and/or session settings are
    globally enforced for all context-aware access group members, as specified
    in the binding. If a restricted client application is also specified, then
    the enforcement applies only to the specified application, and not to the
    entire organization. Session settings are incompatible with the top level
    --restricted-client-application flags; please use --binding-file to specify
    scoped access settings. If the restricted client application is specified,
    then --binding-file cannot be set. If a service account is specified, then
    the enforcement applies only to the specified service account. If a service
    account project is specified, the enforcement applies to all of the service
    accounts that belong to the specified project. If a federated principal is
    specified, then the enforcement applies only to the specified federated
    principal.

EXAMPLES
    To create a new global cloud access binding, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc

    To create a new cloud access binding for particular applications, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' \
            --restricted-client-application-names='Google Cloud SDK, Cloud
         Console' \
            --restricted-client-application-client-ids='123456789.apps.googl\
        eusercontent.com'

    To create a new cloud access binding for particular applications using a
    yaml file, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    To create a new global cloud access binding, and for particular
    applications using a yaml file, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' --binding-file='binding.yaml'

    To create a new global cloud access binding for the dry run access level,
    run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def

    To create a new cloud access binding for the dry run access level for
    particular applications, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def \
            --organization='1234567890' \
            --restricted-client-application-names='Google Cloud SDK, Cloud
         Console' \
            --restricted-client-application-client-ids='123456789.apps.googl\
        eusercontent.com'

    To create a new cloud access binding for a particular service account, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --service-account=service-account@project.iam.gserviceaccount.co\
        m --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890'

    To create a new cloud access binding for all service accounts in a
    particular project, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --service-account-project-number='987654321' \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' \

    To create a new cloud access binding for a specific federated principal,
    run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --federated-principal='//iam.googleapis.com/projects/1234567890/\
        locations/global/workloadIdentityPools/my-pool/subject/my-subject' \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890'

    To create a new cloud access binding for all workforce identities in a
    given org, run the following command:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --federated-principal='principalSet://cloudresourcemanager.googl\
        eapis.com/organizations/ORG_NUMBER/type/WorkforcePool' \
            --organization='1234567890' --binding-file='binding.yaml'

    To create a new cloud access binding with global session settings, specify
    your session length using an ISO duration string and the session-length
    flag. For example:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h

    To set a particular session reauth method for these session settings, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN

    To create session settings for specific applications, supply a YAML file
    and run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    Global and per-app session settings can be set on the same group, along
    with access levels. For example:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def \
            --binding-file='binding.yaml'

FLAGS
     --binding-file=YAML_FILE
        Path to the file that contains a Google Cloud Platform user access
        binding.

        This file contains a YAML-compliant object representing a
        GcpUserAccessBinding (as described in the API reference:
        https://docs.cloud.google.com/access-context-manager/docs/apply-policies-to-user-groups#define_configurations_for_specific_applications)
        containing ScopedAccessSettings only. No other binding fields are
        allowed. For bindings tied to all workforce identities in a given org,
        the ScopedAccessSettings must only contain sessionSettings within the
        activeSettings list. No other fields are allowed.

     --dry-run-level=[DRY_RUN_LEVEL,...]
        The dry run access level that binds to the given group and restricted
        client applications. The dry run access level is evaluated but isn't
        enforced. Denial on a dry run access level is logged. The input must be
        the full identifier of an access level, such as
        accessPolicies/123/accessLevels/new-def. If no
        --restricted-client-application-client-ids or
        --restricted-client-application-names are provided, then the access
        level is applied to the entire organization. This parameter is not
        supported for bindings tied to all workforce identities in an
        organization.

     --federated-principal=FEDERATED_PRINCIPAL
        IAM federated principal that this binding applies to. Can be a single
        principal or a principal set. Used to assign policies to third-party
        workforce or workload identities. At most one of --group-key,
        --federated-principal, --service-account, or
        --service-account-project-number may be specified.

     --group-key=GROUP_KEY
        Google Group ID whose members are subject to the restrictions of this
        binding. At most one of --group-key, --federated-principal,
        --service-account, or --service-account-project-number may be
        specified.

     --level=[LEVEL,...]
        The access level that binds to the given group and restricted client
        applications. The input must be the full identifier of an access level,
        such as accessPolicies/123/accessLevels/abc. If no
        --restricted-client-application-client-ids or
        --restricted-client-application-names are provided, then the access
        level is applied to the entire organization. This parameter is not
        supported for bindings tied to all workforce identities in an
        organization.

     --organization=ORGANIZATION
        Parent organization for this binding.

     --restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,...]
        Client IDs that this access level applies to. This parameter is not
        supported for bindings tied to all workforce identities in an
        organization.

     --restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,...]
        Application names that the access level applies to.

     --service-account=SERVICE_ACCOUNT
        Service account email that this binding applies to. Used to assign
        policies to a single first-party service account. At most one of
        --group-key, --federated-principal, --service-account, or
        --service-account-project-number may be specified.

     --service-account-project-number=SERVICE_ACCOUNT_PROJECT_NUMBER
        Project number of the project that contains the service accounts that
        are subject to the restrictions of this binding. Used to assign
        policies to all service accounts in a Google Cloud project. At most one
        of --group-key, --federated-principal, --service-account, or
        --service-account-project-number may be specified.

     --session-length=SESSION_LENGTH
        The maximum lifetime of a user session provided as an ISO 8601 duration
        string. For Cloud Identity users, this must be at least one hour or
        zero seconds, and no more than twenty-four hours. For workforce
        identities, this can be up to 90 days, or 14 days for Cloud Console.
        Granularity is limited to seconds.

        When --session-length=0 then users in the group attached to this
        binding will have infinite session length, effectively disabling
        session.

        A session begins when a user signs-in successfully. If a user signs out
        before the end of the session lifetime, a new login creates a new
        session with a fresh lifetime. When a session expires, the user is
        asked to re-authenticate in accordance with session-method.

        Setting --session-reauth-method when --session-length is empty raises
        an error. Cannot set --session-length with
        --restricted-client-application-client-ids or
        --restricted-client-application-names; please use scoped access
        settings. This parameter is not supported for bindings tied to all
        workforce identities in an organization.

     --session-reauth-method=SESSION_REAUTH_METHOD; default="login"
        Specifies the type of re-authentication challenge given to the user
        when their session expires. Defaults to --session-reauth-method=login
        if unspecified and --session-length is set. Cannot be used when
        --session-length is empty or 0. This parameter is not supported for
        bindings tied to all workforce identities in an organization.

        SESSION_REAUTH_METHOD must be one of:

         login
            The user must complete a regular login.

         password
            The user will only be required to enter their password.

         security-key
            The user must re-autheticate using their security key. Before
            enabling this session reauth method, ensure a security key is
            properly configured for the user. For help configuring your
            security key, see
            https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the accesscontextmanager/v1alpha API. The full
    documentation for this API can be found at:
    https://cloud.google.com/access-context-manager/docs/reference/rest/

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. This variant is also available:

        $ gcloud access-context-manager cloud-bindings create

