NAME
    gcloud beta iam access-policies create - create AccessPolicy instance

SYNOPSIS
    gcloud beta iam access-policies create
        (ACCESS_POLICY
          : --folder=FOLDER --location=LOCATION --organization=ORGANIZATION)
        [--annotations=[ANNOTATIONS,...]] [--async]
        [--details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],
          [effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],
          [operation=OPERATION],[principals=PRINCIPALS]]
        [--display-name=DISPLAY_NAME] [--etag=ETAG] [--validate-only]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) Create AccessPolicy instance.

EXAMPLES
    To create a policy instance called my-policy, run:

        $ gcloud beta iam access-policies create my-policy \
            --organization=123 --location=global --details-rules=rule1.json

POSITIONAL ARGUMENTS
     AccessPolicy resource - Identifier. The resource name of the access
     policy.

     The following formats are supported:

      ◆ projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
      ◆ projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
      ◆ folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
      ◆ organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
        The arguments in this group can be used to specify the attributes of
        this resource. (NOTE) Some attributes are not given arguments in this
        group but can be set in other ways.

     To set the project attribute:
      ◆ provide the argument access_policy on the command line with a fully
        specified name;
      ◆ provide the argument --project on the command line;
      ◆ set the property core/project. This resource can be one of the
        following types: [iam.folders.locations.accessPolicies,
        iam.organizations.locations.accessPolicies,
        iam.projects.locations.accessPolicies].

     This must be specified.

       ACCESS_POLICY
          ID of the accessPolicy or fully qualified identifier for the
          accessPolicy.

          To set the access_policy attribute:
          ▸ provide the argument access_policy on the command line.

          This positional argument must be specified if any of the other
          arguments in this group are specified.

       --folder=FOLDER
          The folder id of the accessPolicy resource.

          To set the folder attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --folder on the command line. Must be
            specified for resource of type
            [iam.folders.locations.accessPolicies].

       --location=LOCATION
          The location id of the accessPolicy resource.

          To set the location attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --location on the command line.

       --organization=ORGANIZATION
          The organization id of the accessPolicy resource.

          To set the organization attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --organization on the command line. Must be
            specified for resource of type
            [iam.organizations.locations.accessPolicies].

FLAGS
     --annotations=[ANNOTATIONS,...]
        User defined annotations. See https://google.aip.dev/148#annotations
        for more details such as format and size limitations.

         KEY
            Sets KEY value.

         VALUE
            Sets VALUE value.

        Shorthand Example:

            --annotations=string=string

        JSON Example:

            --annotations='{"string": "string"}'

        File Example:

            --annotations=path_to_file.(yaml|json)

     --async
        Return immediately, without waiting for the operation in progress to
        complete.

     Access policy details.

     --details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
        Required, A list of access policy rules.

         conditions
            The conditions that determine whether this rule applies to a
            request. Conditions are identified by their key, which is the FQDN
            of the service that they are relevant to. For example:
            "conditions": { "iam.googleapis.com": { "expression": <cel
            expression> } }. Each rule is evaluated independently. If this rule
            does not apply to a request, other rules might still apply.
            Currently supported keys are as follows:

            ▸ eventarc.googleapis.com: Can use CEL functions that evaluate
              resource fields.

            ▸ iam.googleapis.com: Can use CEL functions that evaluate
              resource tags
              (https://cloud.google.com/iam/help/conditions/resource-tags) and
              combine them using boolean and logical operators. Other functions
              and operators are not supported.

             KEY
                Sets KEY value.

             VALUE
                Sets VALUE value.

                 description
                    Description of the expression. This is a longer text which
                    describes the expression, e.g. when hovered over it in a
                    UI.

                 expression
                    Textual representation of an expression in Common
                    Expression Language syntax.

                 location
                    String indicating the location of the expression for error
                    reporting, e.g. a file name and a position in the file.

                 title
                    Title for the expression, i.e. a short string describing
                    its purpose. This can be used e.g. in UIs which allow to
                    enter the expression.

         description
            Customer specified description of the rule. Must be less than or
            equal to 256 characters.

         effect
            The effect of the rule.

         excludedPrincipals
            The identities that are excluded from the access policy rule, even
            if they are listed in the principals. For example, you could add a
            Google group to the principals, then exclude specific users who
            belong to that group.

         operation
            Attributes that are used to determine whether this rule applies to
            a request.

             excludedPermissions
                Specifies the permissions that this rule excludes from the set
                of affected permissions given by permissions. If a permission
                appears in permissions and in excluded_permissions then it will
                not be subject to the policy effect.

                The excluded permissions can be specified using the same syntax
                as permissions.

             permissions
                The permissions that are explicitly affected by this rule. Each
                permission uses the format {service_fqdn}/{resource}.{verb},
                where {service_fqdn} is the fully qualified domain name for the
                service. Currently supported permissions are as follows:

                ▫ eventarc.googleapis.com/messageBuses.publish.

         principals
            The identities for which this rule's effect governs using one or
            more permissions on Google Cloud resources. This field can contain
            the following values:

            ▸ principal://goog/subject/{email_id}: A specific Google Account.
              Includes Gmail, Cloud Identity, and Google Workspace user
              accounts. For example,
              principal://goog/subject/alice@example.com.

            If an identifier that was previously set on a policy is soft
            deleted, then calls to read that policy will return the identifier
            with a deleted prefix. Users cannot set identifiers with this
            syntax.

            ▸ deleted:principal://goog/subject/{email_id}?uid={uid}: A
              specific Google Account that was deleted recently. For example,
              deleted:principal://goog/subject/alice@example.com?uid=1234567890.
              If the Google Account is recovered, this identifier reverts to
              the standard identifier for a Google Account.

            ▸ deleted:principalSet://goog/group/{group_id}?uid={uid}: A
              Google group that was deleted recently. For example,
              deleted:principalSet://goog/group/admins@example.com?uid=1234567890.
              If the Google group is restored, this identifier reverts to the
              standard identifier for a Google group.

            ▸ deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}:
              A Google Cloud service account that was deleted recently. For
              example,
              deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890.
              If the service account is undeleted, this identifier reverts to
              the standard identifier for a service account.

        Shorthand Example:

            --details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

        JSON Example:

            --details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

        File Example:

            --details-rules=path_to_file.(yaml|json)

     --display-name=DISPLAY_NAME
        The description of the access policy. Must be less than or equal to 63
        characters.

     --etag=ETAG
        The etag for the access policy. If this is provided on update, it must
        match the server's etag.

     --validate-only
        If set, validate the request and preview the creation, but do not
        actually post it.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the iam/v3beta API. The full documentation for this API
    can be found at: https://cloud.google.com/iam/

NOTES
    This command is currently in beta and might change without notice.

