NAME
    gcloud alpha endpoints services add-iam-policy-binding - add IAM policy
        binding to a service

SYNOPSIS
    gcloud alpha endpoints services add-iam-policy-binding SERVICE
        --member=PRINCIPAL --role=ROLE
        [--condition=[KEY=VALUE,...] | --condition-from-file=PATH_TO_FILE]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) Add an IAM policy binding to the IAM policy of a service. One
    binding consists of a member, a role, and an optional condition.

    Note: The 'roles/servicemanagement.serviceConsumer' role can only be added
    to a member which is a user, group, or service account.

EXAMPLES
    To add an IAM policy binding with the role of
    'roles/servicemanagement.serviceConsumer' for the user
    'test-user@example.com' on the service 'my-service', run:

        $ gcloud alpha endpoints services add-iam-policy-binding \
            my-service --member='user:test-user@example.com' \
            --role='roles/servicemanagement.serviceConsumer'

    To add an IAM policy binding with the role of
    'roles/servicemanagement.serviceConsumer' for the service account
    'my-iam-account@my-project.iam.gserviceaccount.com' on the service
    'my-service', run:

        $ gcloud alpha endpoints services add-iam-policy-binding \
            my-service \
            --member='serviceAccount:my-iam-account@my-project.iam.gservicea\
        ccount.com' --role='roles/servicemanagement.serviceConsumer'

    To add an IAM policy binding which expires at the end of the year 2018 for
    the role of 'roles/servicemanagement.quotaAdmin' and the user
    'test-user@example.com' with service 'my-service', run:

        $ gcloud alpha endpoints services add-iam-policy-binding \
            my-service --member='user:test-user@example.com' \
            --role='roles/servicemanagement.quotaAdmin' \
            --condition='expression=request.time <
         timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,descrip\
        tion=Expires at midnight on 2018-12-31'

    See https://cloud.google.com/iam/docs/managing-policies for details of
    policy role and member types. See
    https://cloud.google.com/iam/docs/conditions-overview for details on
    conditions.

POSITIONAL ARGUMENTS
     Service resource - The service for which to add IAM policy binding to.
     This represents a Cloud resource.

     This must be specified.

       SERVICE
          ID of the service or fully qualified identifier for the service.

          To set the service attribute:
          ▸ provide the argument service on the command line.

REQUIRED FLAGS
     --member=PRINCIPAL
        The principal to add the binding for. Should be of the form
        user|group|serviceAccount:email or domain:domain.

        Examples: user:test-user@gmail.com, group:admins@example.com,
        serviceAccount:test123@example.domain.com, or
        domain:example.domain.com.

        Some resources also accept the following special values:
        ◆ allUsers - Special identifier that represents anyone who is on the
          internet, with or without a Google account.
        ◆ allAuthenticatedUsers - Special identifier that represents anyone
          who is authenticated with a Google account or a service account.

     --role=ROLE
        Role name to assign to the principal. The role name is the complete
        path of a predefined role, such as roles/logging.viewer, or the role ID
        for a custom role, such as
        organizations/{ORGANIZATION_ID}/roles/logging.viewer.

OPTIONAL FLAGS
     At most one of these can be specified:

       --condition=[KEY=VALUE,...]
          A condition to include in the binding. When the condition is
          explicitly specified as None (--condition=None), a binding without a
          condition is added. When the condition is specified and is not None,
          --role cannot be a basic role. Basic roles are roles/editor,
          roles/owner, and roles/viewer. For more on conditions, refer to the
          conditions overview guide:
          https://cloud.google.com/iam/docs/conditions-overview

          When using the --condition flag, include the following key-value
          pairs:

           expression
              (Required) Condition expression that evaluates to True or False.
              This uses a subset of Common Expression Language syntax.

              If the condition expression includes a comma, use a different
              delimiter to separate the key-value pairs. Specify the delimiter
              before listing the key-value pairs. For example, to specify a
              colon (:) as the delimiter, do the following:
              --condition=^:^title=TITLE:expression=EXPRESSION. For more
              information, see
              https://cloud.google.com/sdk/gcloud/reference/topic/escaping.

           title
              (Required) A short string describing the purpose of the
              expression.

           description
              (Optional) Additional description for the expression.

       --condition-from-file=PATH_TO_FILE
          Path to a local JSON or YAML file that defines the condition. To see
          available fields, see the help for --condition. Use a full or
          relative path to a local file containing the value of condition.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the servicemanagement/v1 API. The full documentation for
    this API can be found at: https://cloud.google.com/service-management/

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud endpoints services add-iam-policy-binding

        $ gcloud beta endpoints services add-iam-policy-binding

