mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-18 23:08:48 +00:00
gcloud: Wed Nov 13 10:04:10 UTC 2024
This commit is contained in:
parent
7da5872e5c
commit
a63704a3af
252 changed files with 4821 additions and 807 deletions
|
|
@ -6,16 +6,18 @@ SYNOPSIS
|
|||
gcloud access-context-manager cloud-bindings create --group-key=GROUP_KEY
|
||||
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
|
||||
[--level=[LEVEL,...]] [--organization=ORGANIZATION]
|
||||
[--session-length=SESSION_LENGTH]
|
||||
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
Create a new cloud access binding. The access level will be globally bound
|
||||
with the group.
|
||||
Create a new cloud access binding. The access level and/or session settings
|
||||
will be globally bound with the group.
|
||||
|
||||
Allowlisted Applications can be specified to limit the scope of the cloud
|
||||
access binding in the 'binding-file'. In such case, the access level
|
||||
specified in the yaml file will be bound with the group and the allowlisted
|
||||
applications.
|
||||
To apply access level and/or session settings to a specific application,
|
||||
specify the restricted application in the 'binding-file'. In such case, the
|
||||
access level and/or session settings specified in the yaml file will be
|
||||
bound with the group and the restricted applications.
|
||||
|
||||
EXAMPLES
|
||||
To create a new cloud access binding, run:
|
||||
|
|
@ -46,9 +48,40 @@ EXAMPLES
|
|||
--level=accessPolicies/123/accessLevels/abc \
|
||||
--dry-run-level=accessPolicies/123/accessLevels/def
|
||||
|
||||
To create a new cloud access binding with global session settings, specify
|
||||
your session length using an ISO duration string and the session-length
|
||||
flag. For example:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h
|
||||
|
||||
To set a particular session reauth method for these session settings, run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h --session-reauth-method=LOGIN
|
||||
|
||||
To create session settings for a particular application, supply a YAML file
|
||||
and run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--binding-file='binding.yaml'
|
||||
|
||||
Global and per-app session settings can be set on the same group, along
|
||||
with access levels. For example:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h --session-reauth-method=LOGIN \
|
||||
--level=accessPolicies/123/accessLevels/abc \
|
||||
--dry-run-level=accessPolicies/123/accessLevels/def \
|
||||
--binding-file='binding.yaml'
|
||||
|
||||
REQUIRED FLAGS
|
||||
--group-key=GROUP_KEY
|
||||
Google Group id whose members are subject to the restrictions of this
|
||||
Google Group ID whose members are subject to the restrictions of this
|
||||
binding.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
|
|
@ -74,6 +107,44 @@ OPTIONAL FLAGS
|
|||
--organization=ORGANIZATION
|
||||
Parent organization for this binding.
|
||||
|
||||
--session-length=SESSION_LENGTH
|
||||
The maximum lifetime of a user session provided as an ISO 8601 duration
|
||||
string. Must be at least one hour or zero seconds, and no more than
|
||||
twenty-four hours. Granularity is limited to seconds.
|
||||
|
||||
When --session-length=0 then users in the group attached to this
|
||||
binding will have infinite session length, effectively disabling the
|
||||
session settings.
|
||||
|
||||
A session begins when a user signs in successfully. If a user signs out
|
||||
before the end of the session lifetime, a new login creates a new
|
||||
session with a fresh lifetime. When a session expires, the user is
|
||||
asked to re-authenticate in accordance with session-method.
|
||||
|
||||
Setting --session-reauth-method when --session-length is empty raises
|
||||
an error.
|
||||
|
||||
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
|
||||
Specifies the type of re-authentication challenge given to the user
|
||||
when their session expires. Defaults to --session-reauth-method=login
|
||||
if unspecified and --session-length is set. Cannot be used when
|
||||
--session-length is empty or 0.
|
||||
|
||||
SESSION_REAUTH_METHOD must be one of:
|
||||
|
||||
login
|
||||
The user must complete a regular login.
|
||||
|
||||
password
|
||||
The user will only be required to enter their password.
|
||||
|
||||
security-key
|
||||
The user must re-autheticate using their security key. Before
|
||||
enabling this session reauth method, ensure a security key is
|
||||
properly configured for the user. For help configuring your
|
||||
security key, see
|
||||
https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
|
|
|
|||
|
|
@ -26,6 +26,10 @@ EXAMPLES
|
|||
- accessPolicies/9522/accessLevels/specific_location
|
||||
groupKey: a3dad
|
||||
name: organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N
|
||||
sessionSettings:
|
||||
sessionLength: 57600s
|
||||
sessionLengthEnabled: true
|
||||
sessionReauthMethod: LOGIN
|
||||
|
||||
Or
|
||||
|
||||
|
|
@ -57,6 +61,19 @@ EXAMPLES
|
|||
clientScope:
|
||||
restrictedClientApplication:
|
||||
name: Cloud Console
|
||||
- activeSettings:
|
||||
sessionSettings:
|
||||
sessionLength: 57600s
|
||||
sessionLengthEnabled: true
|
||||
sessionReauthMethod: LOGIN
|
||||
scope:
|
||||
clientScope:
|
||||
restrictedClientApplication:
|
||||
clientId: 123.apps.googleusercontent.com
|
||||
sessionSettings:
|
||||
sessionLength: 57600s
|
||||
sessionLengthEnabled: true
|
||||
sessionReauthMethod: LOGIN
|
||||
|
||||
FLAGS
|
||||
Organization resource - The parent organization of the bindings you want
|
||||
|
|
|
|||
|
|
@ -4,13 +4,16 @@ NAME
|
|||
|
||||
SYNOPSIS
|
||||
gcloud access-context-manager cloud-bindings update
|
||||
(--binding=BINDING : --organization=ORGANIZATION)
|
||||
(--binding=BINDING : --organization=ORGANIZATION) [--append]
|
||||
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
|
||||
[--level=[LEVEL,...]] [GCLOUD_WIDE_FLAG ...]
|
||||
[--level=[LEVEL,...]] [--session-length=SESSION_LENGTH]
|
||||
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
Update an existing cloud access binding. You can update the level, dry run
|
||||
level and scoped access settings. They can't all be empty.
|
||||
level, session settings, and scoped access settings. They cannot all be
|
||||
empty.
|
||||
|
||||
EXAMPLES
|
||||
To update an existing cloud access binding, run:
|
||||
|
|
@ -25,11 +28,37 @@ EXAMPLES
|
|||
--binding=my-binding-id --level= \
|
||||
--dry-run-level=accessPolicies/123/accessLevels/new-def
|
||||
|
||||
To update scoped access settings, run:
|
||||
To replace scoped access settings with a new list, run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings update \
|
||||
--binding=my-binding-id --binding-file='binding.yaml'
|
||||
|
||||
To append scoped access settings to the existing list, run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings update \
|
||||
--binding=my-binding-id --binding-file='binding.yaml' --append
|
||||
|
||||
Note this is only possible for scoped access settings that exclusively hold
|
||||
session settings (i.e. no access levels).
|
||||
|
||||
To update session settings, run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings update \
|
||||
--binding=my-binding-id --session-length=2h
|
||||
|
||||
To update the session reauth method you must also specify --session-length
|
||||
(this can be the existing value if you only want to modify the reauth
|
||||
method), run:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings update \
|
||||
--binding=my-binding-id --session-length=2h \
|
||||
--session-reauth-method=login
|
||||
|
||||
To disable session settings, set --session-length=0, for example:
|
||||
|
||||
$ gcloud access-context-manager cloud-bindings update \
|
||||
--binding=my-binding-id --session-length=0
|
||||
|
||||
REQUIRED FLAGS
|
||||
Cloud access binding resource - The cloud access binding you want to
|
||||
update. The arguments in this group can be used to specify the attributes
|
||||
|
|
@ -57,6 +86,13 @@ REQUIRED FLAGS
|
|||
▸ set the property access_context_manager/organization.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--append
|
||||
When true, append the ScopedAccessSettings in --binding-file to the
|
||||
existing ScopedAccessSettings on the binding. When false, the existing
|
||||
binding's ScopedAccessSettings will be overwritten. Defaults to false.
|
||||
You may only append ScopedAccessSettings that exclusively hold session
|
||||
settings (i.e no access levels).
|
||||
|
||||
--binding-file=YAML_FILE
|
||||
Path to the file that contains a Google Cloud Platform user access
|
||||
binding.
|
||||
|
|
@ -66,7 +102,8 @@ OPTIONAL FLAGS
|
|||
ScopedAccessSettings only. No other binding fields are allowed.
|
||||
|
||||
The file content replaces the corresponding fields in the existing
|
||||
binding.
|
||||
binding. Unless --append is specified. See --append help text for more
|
||||
details.
|
||||
|
||||
--dry-run-level=[DRY_RUN_LEVEL,...]
|
||||
The dry run access level that replaces the existing dry run level for
|
||||
|
|
@ -78,6 +115,42 @@ OPTIONAL FLAGS
|
|||
binding. The input must be the full identifier of an access level, such
|
||||
as accessPolicies/123/accessLevels/new-abc.
|
||||
|
||||
--session-length=SESSION_LENGTH
|
||||
The maximum lifetime of a user session provided as an ISO 8601 duration
|
||||
string. Must be at least one hour or zero, and no more than twenty-four
|
||||
hours. Granularity is limited to seconds.
|
||||
|
||||
When --session-length=0 users in the group attached to this binding
|
||||
will have infinite session length, effectively disabling the session
|
||||
settings.
|
||||
|
||||
A session begins after a user signs in successfully. If a user signs
|
||||
out before the end of the session lifetime, a new login creates a new
|
||||
session with a fresh lifetime. When a session expires, the user is
|
||||
asked to reauthenticate in accordance with session-reauth-method.
|
||||
|
||||
Setting --session-reauth-method when --session-length is empty raises
|
||||
an error. Cannot set --session-length on restricted client
|
||||
applications; please use scoped access settings.
|
||||
|
||||
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
|
||||
Specifies the security check a user must undergo when their session
|
||||
expires. Defaults to --session-reauth-method=LOGIN if unspecified and
|
||||
--session-length is set. Cannot be used when --session-length is empty
|
||||
or 0. SESSION_REAUTH_METHOD must be one of:
|
||||
|
||||
login
|
||||
The user will be prompted to perform regular login. Users who are
|
||||
enrolled in two-step verification and haven't chosen to "Remember
|
||||
this computer" will be prompted for their second factor.
|
||||
|
||||
password
|
||||
The user will only be required to enter their password.
|
||||
|
||||
security-key
|
||||
The user will be prompted to autheticate using their security key.
|
||||
If no security key has been configured, the LOGIN method is used.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue