NAME
    gcloud alpha access-context-manager cloud-bindings create - create cloud
        access bindings for a specific group

SYNOPSIS
    gcloud alpha access-context-manager cloud-bindings create
        [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
        [--group-key=GROUP_KEY] [--level=[LEVEL,...]]
        [--organization=ORGANIZATION]
        [--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,
          ...]]
        [--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,
          ...]] [--session-length=SESSION_LENGTH]
        [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) Create a new access binding. The access level (if any) will be
    bound with

      ▪ a group and the restricted client application
      ▪ a specific service account or all service accounts in a specified
        project.

    The session settings (if any) will be bound with

      ▪ a group

    If you want to bind session settings to a particular application, use
    scoped access settings.

    If a group key is specified, the access level and/or session settings are
    globally enforced for all context-aware access group members, as specified
    in the binding. If a restricted client application is also specified, then
    the enforcement applies only to the specified application, and not to the
    entire organization. Session settings are incompatible with the top level
    --restricted-client-application flags; please use --binding-file to specify
    scoped access settings. If the restricted client application is specified,
    then --binding-file cannot be set. If a service account is specified, then
    the enforcement applies only to the specified service account. If a service
    account project is specified, the enforcement applies to all of the service
    accounts belonging to the specified project.

EXAMPLES
    To create a new global cloud access binding, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc

    To create a new cloud access binding for particular applications, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' \
            --restricted-client-application-names='Google Cloud SDK, Cloud
         Console' \
            --restricted-client-application-client-ids='123456789.apps.googl\
        eusercontent.com'

    To create a new cloud access binding for particular applications using a
    yaml file, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    To create a new global cloud access binding, and for particular
    applications using a yaml file, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' --binding-file='binding.yaml'

    To create a new global cloud access binding for the dry run access level,
    run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def

    To create a new cloud access binding for the dry run access level for
    particular applications, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def \
            --organization='1234567890' \
            --restricted-client-application-names='Google Cloud SDK, Cloud
         Console' \
            --restricted-client-application-client-ids='123456789.apps.googl\
        eusercontent.com'

    To create a new cloud access binding for a particular service account, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --service-account=service-account@project.iam.gserviceaccount.co\
        m --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890'

    To create a new cloud access binding for all service accounts in a
    particular project, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --service-account-project-number='987654321' \
            --level=accessPolicies/123/accessLevels/abc \
            --organization='1234567890' \

    To create a new cloud access binding with global session settings, specify
    your session length using an ISO duration string and the session-length
    flag. For example:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h

    To set a particular session reauth method for these session settings, run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN

    To create session settings for specific applications, supply a YAML file
    and run:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --binding-file='binding.yaml'

    Global and per-app session settings can be set on the same group, along
    with access levels. For example:

        $ gcloud alpha access-context-manager cloud-bindings create \
            --group-key=my-group-key --organization='1234567890' \
            --session-length=2h --session-reauth-method=LOGIN \
            --level=accessPolicies/123/accessLevels/abc \
            --dry-run-level=accessPolicies/123/accessLevels/def \
            --binding-file='binding.yaml'

FLAGS
     --binding-file=YAML_FILE
        Path to the file that contains a Google Cloud Platform user access
        binding.

        This file contains a YAML-compliant object representing a
        GcpUserAccessBinding (as described in the API reference) containing
        ScopedAccessSettings only. No other binding fields are allowed.

     --dry-run-level=[DRY_RUN_LEVEL,...]
        The dry run access level that binds to the given group and restricted
        client applications. The dry run access level is evaluated but isn't
        enforced. Denial on a dry run access level is logged. The input must be
        the full identifier of an access level, such as
        accessPolicies/123/accessLevels/new-def. If no
        restricted-client-application-client-ids or
        restricted-client-application-names are provided, then the access level
        is applied to the entire organization.

     --group-key=GROUP_KEY
        Google Group ID whose members are subject to the restrictions of this
        binding.

     --level=[LEVEL,...]
        The access level that binds to the given group and restricted client
        applications. The input must be the full identifier of an access level,
        such as accessPolicies/123/accessLevels/abc. If no
        restricted-client-application-client-ids or
        restricted-client-application-names are provided, then the access level
        is applied to the entire organization.

     --organization=ORGANIZATION
        Parent organization for this binding.

     --restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,...]
        Client IDs to which the access level is applied.

     --restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,...]
        Application names to which the access level is applied.

     --session-length=SESSION_LENGTH
        The maximum lifetime of a user session provided as an ISO 8601 duration
        string. Must be at least one hour or zero seconds, and no more than
        twenty-four hours. Granularity is limited to seconds.

        When --session-length=0 then users in the group attached to this
        binding will have infinite session length, effectively disabling
        session.

        A session begins when a user signs-in successfully. If a user signs out
        before the end of the session lifetime, a new login creates a new
        session with a fresh lifetime. When a session expires, the user is
        asked to re-authenticate in accordance with session-method.

        Setting --session-reauth-method when --session-length is empty raises
        an error. Cannot set --session-length with
        --restricted-client-application-client-ids or
        --restricted-client-application-names; please use scoped access
        settings.

     --session-reauth-method=SESSION_REAUTH_METHOD; default="login"
        Specifies the type of re-authentication challenge given to the user
        when their session expires. Defaults to --session-reauth-method=login
        if unspecified and --session-length is set. Cannot be used when
        --session-length is empty or 0.

        SESSION_REAUTH_METHOD must be one of:

         login
            The user must complete a regular login.

         password
            The user will only be required to enter their password.

         security-key
            The user must re-autheticate using their security key. Before
            enabling this session reauth method, ensure a security key is
            properly configured for the user. For help configuring your
            security key, see
            https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the accesscontextmanager/v1alpha API. The full
    documentation for this API can be found at:
    https://cloud.google.com/access-context-manager/docs/reference/rest/

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. This variant is also available:

        $ gcloud access-context-manager cloud-bindings create

