1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-16 12:22:03 +00:00

gcloud: Wed Jun 18 10:54:11 UTC 2025

This commit is contained in:
Automated 2025-06-18 10:54:11 +00:00
parent fa40c10f6a
commit 3a534cb57c
83 changed files with 849 additions and 219 deletions

View file

@ -5,12 +5,12 @@ NAME
SYNOPSIS
gcloud beta container fleet scopes add-app-operator-binding SCOPE
--role=ROLE (--group=GROUP | --user=USER) [--labels=[KEY=VALUE,...]]
[GCLOUD_WIDE_FLAG ...]
(--custom-role=CUSTOM_ROLE | --role=ROLE) (--group=GROUP | --user=USER)
[--labels=[KEY=VALUE,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) One binding consists of an app operator principal (user/group) and a
role (view/edit/admin).
role (view/edit/admin or a custom role).
This command sets up the different permissions required for an app
operator, including usage of fleet scopes, connect gateway, logging, and
@ -66,6 +66,26 @@ EXAMPLES
▪ creates fleet scope RBAC role binding: role admin with a random ID
for user person@google.com.
---
The following command:
$ gcloud beta container fleet scopes add-app-operator-binding \
SCOPE --custom-role=my-custom-role --user=person@google.com \
--project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeViewer on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role my-custom-role with a
random ID for user person@google.com.
For any tailored IAM permissions required when using a custom role, the
user or group can separately be granted additional IAM permissions on the
project.
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
@ -91,8 +111,14 @@ POSITIONAL ARGUMENTS
▸ provide the argument SCOPE on the command line.
REQUIRED FLAGS
--role=ROLE
Role to assign. ROLE must be one of: admin, edit, view.
Exactly one of these must be specified:
--custom-role=CUSTOM_ROLE
Custom role to assign to principal.
--role=ROLE
Predefined role to assign to principal (admin, edit, view). ROLE must
be one of: admin, edit, view.
Exactly one of these must be specified:

View file

@ -15,7 +15,7 @@ DESCRIPTION
permissions required for an app operator, including usage of fleet scopes,
connect gateway, logging, and metrics. The overarching principal role
(view/edit/admin, or custom) is determined by (1) the fleet scope RBAC role
(view, edit, or admin), (2) the fleet scope-level IAM role
(view, edit, admin or a custom role), (2) the fleet scope-level IAM role
(roles/gkehub.scopeViewer, roles/gkehub.scopeEditor, or
roles/gkehub.scopeAdmin), (3) the project-level IAM role
(roles/gkehub.scopeViewerProjectLevel, or

View file

@ -61,7 +61,24 @@ EXAMPLES
The following command:
$ gcloud beta container fleet scopes remove-app-operator-binding \
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
SCOPE --user=person@google.com --project=PROJECT_ID
assuming the user already has a custom role:
▪ removes IAM policy binding: roles/gkehub.scopeViewer from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_ID if the user does not have the edit/admin role for any other
scope under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role admin for user
person@google.com.
---
The following command:
$ gcloud beta container fleet scopes remove-app-operator-binding \
SCOPE --user=person@google.com --project=PROJECT_ID
assuming the user already has the admin role:
▪ removes IAM policy binding: roles/gkehub.scopeAdmin from SCOPE