NAME
    gcloud beta iam access-policies update - update AccessPolicy instance

SYNOPSIS
    gcloud beta iam access-policies update
        (ACCESS_POLICY
          : --folder=FOLDER --location=LOCATION --organization=ORGANIZATION)
        [--async] [--display-name=DISPLAY_NAME] [--etag=ETAG]
        [--[no-]validate-only]
        [--annotations=[ANNOTATIONS,...]
          | --update-annotations=[UPDATE_ANNOTATIONS,...] --clear-annotations
          | --remove-annotations=REMOVE_ANNOTATIONS]
        [--clear-details
          --details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],
          [effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],
          [operation=OPERATION],[principals=PRINCIPALS]
          | --add-details-rules=[conditions=CONDITIONS],
          [description=DESCRIPTION],[effect=EFFECT],
          [excludedPrincipals=EXCLUDEDPRINCIPALS],
          [operation=OPERATION],[principals=PRINCIPALS] --clear-details-rules
          | --remove-details-rules=[conditions=CONDITIONS],
          [description=DESCRIPTION],[effect=EFFECT],
          [excludedPrincipals=EXCLUDEDPRINCIPALS],
          [operation=OPERATION],[principals=PRINCIPALS]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) Update AccessPolicy instance.

EXAMPLES
    To update display name of my-policy in organization 123, run:

        $ gcloud beta iam access-policies update my-policy \
            --organization=123 --location=global \
            --display-name=new-display-name

POSITIONAL ARGUMENTS
     AccessPolicy resource - Identifier. The resource name of the access
     policy.

     The following formats are supported:

      ◆ projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
      ◆ projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
      ◆ folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
      ◆ organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
        The arguments in this group can be used to specify the attributes of
        this resource. (NOTE) Some attributes are not given arguments in this
        group but can be set in other ways.

     To set the project attribute:
      ◆ provide the argument access_policy on the command line with a fully
        specified name;
      ◆ provide the argument --project on the command line;
      ◆ set the property core/project. This resource can be one of the
        following types: [iam.folders.locations.accessPolicies,
        iam.organizations.locations.accessPolicies,
        iam.projects.locations.accessPolicies].

     This must be specified.

       ACCESS_POLICY
          ID of the accessPolicy or fully qualified identifier for the
          accessPolicy.

          To set the access_policy attribute:
          ▸ provide the argument access_policy on the command line.

          This positional argument must be specified if any of the other
          arguments in this group are specified.

       --folder=FOLDER
          The folder id of the accessPolicy resource.

          To set the folder attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --folder on the command line. Must be
            specified for resource of type
            [iam.folders.locations.accessPolicies].

       --location=LOCATION
          The location id of the accessPolicy resource.

          To set the location attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --location on the command line.

       --organization=ORGANIZATION
          The organization id of the accessPolicy resource.

          To set the organization attribute:
          ▸ provide the argument access_policy on the command line with a
            fully specified name;
          ▸ provide the argument --organization on the command line. Must be
            specified for resource of type
            [iam.organizations.locations.accessPolicies].

FLAGS
     --async
        Return immediately, without waiting for the operation in progress to
        complete.

     --display-name=DISPLAY_NAME
        The description of the access policy. Must be less than or equal to 63
        characters.

     --etag=ETAG
        The etag for the access policy. If this is provided on update, it must
        match the server's etag.

     --[no-]validate-only
        If set, validate the request and preview the update, but do not
        actually post it. Use --validate-only to enable and --no-validate-only
        to disable.

     Update annotations.

     At most one of these can be specified:

       --annotations=[ANNOTATIONS,...]
          Set annotations to new value. User defined annotations. See
          https://google.aip.dev/148#annotations for more details such as
          format and size limitations.

           KEY
              Sets KEY value.

           VALUE
              Sets VALUE value.

          Shorthand Example:

              --annotations=string=string

          JSON Example:

              --annotations='{"string": "string"}'

          File Example:

              --annotations=path_to_file.(yaml|json)

       Or at least one of these can be specified:

         --update-annotations=[UPDATE_ANNOTATIONS,...]
            Update annotations value or add key value pair. User defined
            annotations. See https://google.aip.dev/148#annotations for more
            details such as format and size limitations.

             KEY
                Sets KEY value.

             VALUE
                Sets VALUE value.

            Shorthand Example:

                --update-annotations=string=string

            JSON Example:

                --update-annotations='{"string": "string"}'

            File Example:

                --update-annotations=path_to_file.(yaml|json)

         At most one of these can be specified:

           --clear-annotations
              Clear annotations value and set to empty map.

           --remove-annotations=REMOVE_ANNOTATIONS
              Remove existing value from map annotations. Sets
              remove_annotations value.

              Shorthand Example:

                  --remove-annotations=string,string

              JSON Example:

                  --remove-annotations=["string"]

              File Example:

                  --remove-annotations=path_to_file.(yaml|json)

     Access policy details.

     --clear-details
        Set googleIamV3betaAccessPolicy.details back to default value.

     Update details_rules.

     At most one of these can be specified:

       --details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
          Set details_rules to new value. A list of access policy rules.

           conditions
              The conditions that determine whether this rule applies to a
              request. Conditions are identified by their key, which is the
              FQDN of the service that they are relevant to. For example:
              "conditions": { "iam.googleapis.com": { "expression": <cel
              expression> } }. Each rule is evaluated independently. If this
              rule does not apply to a request, other rules might still apply.
              Currently supported keys are as follows:

              ▫ eventarc.googleapis.com: Can use CEL functions that evaluate
                resource fields.

              ▫ iam.googleapis.com: Can use CEL functions that evaluate
                resource tags
                (https://cloud.google.com/iam/help/conditions/resource-tags)
                and combine them using boolean and logical operators. Other
                functions and operators are not supported.

               KEY
                  Sets KEY value.

               VALUE
                  Sets VALUE value.

                   description
                      Description of the expression. This is a longer text
                      which describes the expression, e.g. when hovered over it
                      in a UI.

                   expression
                      Textual representation of an expression in Common
                      Expression Language syntax.

                   location
                      String indicating the location of the expression for
                      error reporting, e.g. a file name and a position in the
                      file.

                   title
                      Title for the expression, i.e. a short string describing
                      its purpose. This can be used e.g. in UIs which allow to
                      enter the expression.

           description
              Customer specified description of the rule. Must be less than or
              equal to 256 characters.

           effect
              The effect of the rule.

           excludedPrincipals
              The identities that are excluded from the access policy rule,
              even if they are listed in the principals. For example, you could
              add a Google group to the principals, then exclude specific users
              who belong to that group.

           operation
              Attributes that are used to determine whether this rule applies
              to a request.

               excludedPermissions
                  Specifies the permissions that this rule excludes from the
                  set of affected permissions given by permissions. If a
                  permission appears in permissions and in excluded_permissions
                  then it will not be subject to the policy effect.

                  The excluded permissions can be specified using the same
                  syntax as permissions.

               permissions
                  The permissions that are explicitly affected by this rule.
                  Each permission uses the format
                  {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the
                  fully qualified domain name for the service. Currently
                  supported permissions are as follows:

                  ◇ eventarc.googleapis.com/messageBuses.publish.

           principals
              The identities for which this rule's effect governs using one or
              more permissions on Google Cloud resources. This field can
              contain the following values:

              ▫ principal://goog/subject/{email_id}: A specific Google
                Account. Includes Gmail, Cloud Identity, and Google Workspace
                user accounts. For example,
                principal://goog/subject/alice@example.com.

              If an identifier that was previously set on a policy is soft
              deleted, then calls to read that policy will return the
              identifier with a deleted prefix. Users cannot set identifiers
              with this syntax.

              ▫ deleted:principal://goog/subject/{email_id}?uid={uid}: A
                specific Google Account that was deleted recently. For example,
                deleted:principal://goog/subject/alice@example.com?uid=1234567890.
                If the Google Account is recovered, this identifier reverts to
                the standard identifier for a Google Account.

              ▫ deleted:principalSet://goog/group/{group_id}?uid={uid}: A
                Google group that was deleted recently. For example,
                deleted:principalSet://goog/group/admins@example.com?uid=1234567890.
                If the Google group is restored, this identifier reverts to the
                standard identifier for a Google group.

              ▫ deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}:
                A Google Cloud service account that was deleted recently. For
                example,
                deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890.
                If the service account is undeleted, this identifier reverts to
                the standard identifier for a service account.

          Shorthand Example:

              --details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

          JSON Example:

              --details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

          File Example:

              --details-rules=path_to_file.(yaml|json)

       Or at least one of these can be specified:

         --add-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
            Add new value to details_rules list. A list of access policy rules.

             conditions
                The conditions that determine whether this rule applies to a
                request. Conditions are identified by their key, which is the
                FQDN of the service that they are relevant to. For example:
                "conditions": { "iam.googleapis.com": { "expression": <cel
                expression> } }. Each rule is evaluated independently. If this
                rule does not apply to a request, other rules might still
                apply. Currently supported keys are as follows:

                ◇ eventarc.googleapis.com: Can use CEL functions that
                  evaluate resource fields.

                ◇ iam.googleapis.com: Can use CEL functions that evaluate
                  resource tags
                  (https://cloud.google.com/iam/help/conditions/resource-tags)
                  and combine them using boolean and logical operators. Other
                  functions and operators are not supported.

                 KEY
                    Sets KEY value.

                 VALUE
                    Sets VALUE value.

                     description
                        Description of the expression. This is a longer text
                        which describes the expression, e.g. when hovered over
                        it in a UI.

                     expression
                        Textual representation of an expression in Common
                        Expression Language syntax.

                     location
                        String indicating the location of the expression for
                        error reporting, e.g. a file name and a position in the
                        file.

                     title
                        Title for the expression, i.e. a short string
                        describing its purpose. This can be used e.g. in UIs
                        which allow to enter the expression.

             description
                Customer specified description of the rule. Must be less than
                or equal to 256 characters.

             effect
                The effect of the rule.

             excludedPrincipals
                The identities that are excluded from the access policy rule,
                even if they are listed in the principals. For example, you
                could add a Google group to the principals, then exclude
                specific users who belong to that group.

             operation
                Attributes that are used to determine whether this rule applies
                to a request.

                 excludedPermissions
                    Specifies the permissions that this rule excludes from the
                    set of affected permissions given by permissions. If a
                    permission appears in permissions and in
                    excluded_permissions then it will not be subject to the
                    policy effect.

                    The excluded permissions can be specified using the same
                    syntax as permissions.

                 permissions
                    The permissions that are explicitly affected by this rule.
                    Each permission uses the format
                    {service_fqdn}/{resource}.{verb}, where {service_fqdn} is
                    the fully qualified domain name for the service. Currently
                    supported permissions are as follows:

                    ▹ eventarc.googleapis.com/messageBuses.publish.

             principals
                The identities for which this rule's effect governs using one
                or more permissions on Google Cloud resources. This field can
                contain the following values:

                ◇ principal://goog/subject/{email_id}: A specific Google
                  Account. Includes Gmail, Cloud Identity, and Google Workspace
                  user accounts. For example,
                  principal://goog/subject/alice@example.com.

                If an identifier that was previously set on a policy is soft
                deleted, then calls to read that policy will return the
                identifier with a deleted prefix. Users cannot set identifiers
                with this syntax.

                ◇ deleted:principal://goog/subject/{email_id}?uid={uid}: A
                  specific Google Account that was deleted recently. For
                  example,
                  deleted:principal://goog/subject/alice@example.com?uid=1234567890.
                  If the Google Account is recovered, this identifier reverts
                  to the standard identifier for a Google Account.

                ◇ deleted:principalSet://goog/group/{group_id}?uid={uid}: A
                  Google group that was deleted recently. For example,
                  deleted:principalSet://goog/group/admins@example.com?uid=1234567890.
                  If the Google group is restored, this identifier reverts to
                  the standard identifier for a Google group.

                ◇ deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}:
                  A Google Cloud service account that was deleted recently. For
                  example,
                  deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890.
                  If the service account is undeleted, this identifier reverts
                  to the standard identifier for a service account.

            Shorthand Example:

                --add-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --add-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

            JSON Example:

                --add-details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

            File Example:

                --add-details-rules=path_to_file.(yaml|json)

         At most one of these can be specified:

           --clear-details-rules
              Clear details_rules value and set to empty list.

           --remove-details-rules=[conditions=CONDITIONS],[description=DESCRIPTION],[effect=EFFECT],[excludedPrincipals=EXCLUDEDPRINCIPALS],[operation=OPERATION],[principals=PRINCIPALS]
              Remove existing value from details_rules list. A list of access
              policy rules.

               conditions
                  The conditions that determine whether this rule applies to a
                  request. Conditions are identified by their key, which is the
                  FQDN of the service that they are relevant to. For example:
                  "conditions": { "iam.googleapis.com": { "expression": <cel
                  expression> } }. Each rule is evaluated independently. If
                  this rule does not apply to a request, other rules might
                  still apply. Currently supported keys are as follows:

                  ▹ eventarc.googleapis.com: Can use CEL functions that
                    evaluate resource fields.

                  ▹ iam.googleapis.com: Can use CEL functions that evaluate
                    resource tags
                    (https://cloud.google.com/iam/help/conditions/resource-tags)
                    and combine them using boolean and logical operators. Other
                    functions and operators are not supported.

                   KEY
                      Sets KEY value.

                   VALUE
                      Sets VALUE value.

                       description
                          Description of the expression. This is a longer text
                          which describes the expression, e.g. when hovered
                          over it in a UI.

                       expression
                          Textual representation of an expression in Common
                          Expression Language syntax.

                       location
                          String indicating the location of the expression for
                          error reporting, e.g. a file name and a position in
                          the file.

                       title
                          Title for the expression, i.e. a short string
                          describing its purpose. This can be used e.g. in UIs
                          which allow to enter the expression.

               description
                  Customer specified description of the rule. Must be less than
                  or equal to 256 characters.

               effect
                  The effect of the rule.

               excludedPrincipals
                  The identities that are excluded from the access policy rule,
                  even if they are listed in the principals. For example, you
                  could add a Google group to the principals, then exclude
                  specific users who belong to that group.

               operation
                  Attributes that are used to determine whether this rule
                  applies to a request.

                   excludedPermissions
                      Specifies the permissions that this rule excludes from
                      the set of affected permissions given by permissions. If
                      a permission appears in permissions and in
                      excluded_permissions then it will not be subject to the
                      policy effect.

                      The excluded permissions can be specified using the same
                      syntax as permissions.

                   permissions
                      The permissions that are explicitly affected by this
                      rule. Each permission uses the format
                      {service_fqdn}/{resource}.{verb}, where {service_fqdn} is
                      the fully qualified domain name for the service.
                      Currently supported permissions are as follows:

                      ▪ eventarc.googleapis.com/messageBuses.publish.

               principals
                  The identities for which this rule's effect governs using one
                  or more permissions on Google Cloud resources. This field can
                  contain the following values:

                  ▹ principal://goog/subject/{email_id}: A specific Google
                    Account. Includes Gmail, Cloud Identity, and Google
                    Workspace user accounts. For example,
                    principal://goog/subject/alice@example.com.

                  If an identifier that was previously set on a policy is soft
                  deleted, then calls to read that policy will return the
                  identifier with a deleted prefix. Users cannot set
                  identifiers with this syntax.

                  ▹ deleted:principal://goog/subject/{email_id}?uid={uid}: A
                    specific Google Account that was deleted recently. For
                    example,
                    deleted:principal://goog/subject/alice@example.com?uid=1234567890.
                    If the Google Account is recovered, this identifier reverts
                    to the standard identifier for a Google Account.

                  ▹ deleted:principalSet://goog/group/{group_id}?uid={uid}: A
                    Google group that was deleted recently. For example,
                    deleted:principalSet://goog/group/admins@example.com?uid=1234567890.
                    If the Google group is restored, this identifier reverts to
                    the standard identifier for a Google group.

                  ▹ deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}:
                    A Google Cloud service account that was deleted recently.
                    For example,
                    deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890.
                    If the service account is undeleted, this identifier
                    reverts to the standard identifier for a service account.

              Shorthand Example:

                  --remove-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string] --remove-details-rules=conditions={string={description=string,expression=string,location=string,title=string}},description=string,effect=string,excludedPrincipals=[string],operation={excludedPermissions=[string],permissions=[string]},principals=[string]

              JSON Example:

                  --remove-details-rules='[{"conditions": {"string": {"description": "string", "expression": "string", "location": "string", "title": "string"}}, "description": "string", "effect": "string", "excludedPrincipals": ["string"], "operation": {"excludedPermissions": ["string"], "permissions": ["string"]}, "principals": ["string"]}]'

              File Example:

                  --remove-details-rules=path_to_file.(yaml|json)

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the iam/v3beta API. The full documentation for this API
    can be found at: https://cloud.google.com/iam/

NOTES
    This command is currently in beta and might change without notice.

