1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-18 23:08:48 +00:00

gcloud: Wed Nov 13 10:04:10 UTC 2024

This commit is contained in:
Automated 2024-11-13 10:04:10 +00:00
parent 7da5872e5c
commit a63704a3af
252 changed files with 4821 additions and 807 deletions

View file

@ -6,16 +6,18 @@ SYNOPSIS
gcloud access-context-manager cloud-bindings create --group-key=GROUP_KEY
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
[--level=[LEVEL,...]] [--organization=ORGANIZATION]
[--session-length=SESSION_LENGTH]
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
Create a new cloud access binding. The access level will be globally bound
with the group.
Create a new cloud access binding. The access level and/or session settings
will be globally bound with the group.
Allowlisted Applications can be specified to limit the scope of the cloud
access binding in the 'binding-file'. In such case, the access level
specified in the yaml file will be bound with the group and the allowlisted
applications.
To apply access level and/or session settings to a specific application,
specify the restricted application in the 'binding-file'. In such case, the
access level and/or session settings specified in the yaml file will be
bound with the group and the restricted applications.
EXAMPLES
To create a new cloud access binding, run:
@ -46,9 +48,40 @@ EXAMPLES
--level=accessPolicies/123/accessLevels/abc \
--dry-run-level=accessPolicies/123/accessLevels/def
To create a new cloud access binding with global session settings, specify
your session length using an ISO duration string and the session-length
flag. For example:
$ gcloud access-context-manager cloud-bindings create \
--group-key=my-group-key --organization='1234567890' \
--session-length=2h
To set a particular session reauth method for these session settings, run:
$ gcloud access-context-manager cloud-bindings create \
--group-key=my-group-key --organization='1234567890' \
--session-length=2h --session-reauth-method=LOGIN
To create session settings for a particular application, supply a YAML file
and run:
$ gcloud access-context-manager cloud-bindings create \
--group-key=my-group-key --organization='1234567890' \
--binding-file='binding.yaml'
Global and per-app session settings can be set on the same group, along
with access levels. For example:
$ gcloud access-context-manager cloud-bindings create \
--group-key=my-group-key --organization='1234567890' \
--session-length=2h --session-reauth-method=LOGIN \
--level=accessPolicies/123/accessLevels/abc \
--dry-run-level=accessPolicies/123/accessLevels/def \
--binding-file='binding.yaml'
REQUIRED FLAGS
--group-key=GROUP_KEY
Google Group id whose members are subject to the restrictions of this
Google Group ID whose members are subject to the restrictions of this
binding.
OPTIONAL FLAGS
@ -74,6 +107,44 @@ OPTIONAL FLAGS
--organization=ORGANIZATION
Parent organization for this binding.
--session-length=SESSION_LENGTH
The maximum lifetime of a user session provided as an ISO 8601 duration
string. Must be at least one hour or zero seconds, and no more than
twenty-four hours. Granularity is limited to seconds.
When --session-length=0 then users in the group attached to this
binding will have infinite session length, effectively disabling the
session settings.
A session begins when a user signs in successfully. If a user signs out
before the end of the session lifetime, a new login creates a new
session with a fresh lifetime. When a session expires, the user is
asked to re-authenticate in accordance with session-method.
Setting --session-reauth-method when --session-length is empty raises
an error.
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
Specifies the type of re-authentication challenge given to the user
when their session expires. Defaults to --session-reauth-method=login
if unspecified and --session-length is set. Cannot be used when
--session-length is empty or 0.
SESSION_REAUTH_METHOD must be one of:
login
The user must complete a regular login.
password
The user will only be required to enter their password.
security-key
The user must re-autheticate using their security key. Before
enabling this session reauth method, ensure a security key is
properly configured for the user. For help configuring your
security key, see
https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,

View file

@ -26,6 +26,10 @@ EXAMPLES
- accessPolicies/9522/accessLevels/specific_location
groupKey: a3dad
name: organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N
sessionSettings:
sessionLength: 57600s
sessionLengthEnabled: true
sessionReauthMethod: LOGIN
Or
@ -57,6 +61,19 @@ EXAMPLES
clientScope:
restrictedClientApplication:
name: Cloud Console
- activeSettings:
sessionSettings:
sessionLength: 57600s
sessionLengthEnabled: true
sessionReauthMethod: LOGIN
scope:
clientScope:
restrictedClientApplication:
clientId: 123.apps.googleusercontent.com
sessionSettings:
sessionLength: 57600s
sessionLengthEnabled: true
sessionReauthMethod: LOGIN
FLAGS
Organization resource - The parent organization of the bindings you want

View file

@ -4,13 +4,16 @@ NAME
SYNOPSIS
gcloud access-context-manager cloud-bindings update
(--binding=BINDING : --organization=ORGANIZATION)
(--binding=BINDING : --organization=ORGANIZATION) [--append]
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
[--level=[LEVEL,...]] [GCLOUD_WIDE_FLAG ...]
[--level=[LEVEL,...]] [--session-length=SESSION_LENGTH]
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
Update an existing cloud access binding. You can update the level, dry run
level and scoped access settings. They can't all be empty.
level, session settings, and scoped access settings. They cannot all be
empty.
EXAMPLES
To update an existing cloud access binding, run:
@ -25,11 +28,37 @@ EXAMPLES
--binding=my-binding-id --level= \
--dry-run-level=accessPolicies/123/accessLevels/new-def
To update scoped access settings, run:
To replace scoped access settings with a new list, run:
$ gcloud access-context-manager cloud-bindings update \
--binding=my-binding-id --binding-file='binding.yaml'
To append scoped access settings to the existing list, run:
$ gcloud access-context-manager cloud-bindings update \
--binding=my-binding-id --binding-file='binding.yaml' --append
Note this is only possible for scoped access settings that exclusively hold
session settings (i.e. no access levels).
To update session settings, run:
$ gcloud access-context-manager cloud-bindings update \
--binding=my-binding-id --session-length=2h
To update the session reauth method you must also specify --session-length
(this can be the existing value if you only want to modify the reauth
method), run:
$ gcloud access-context-manager cloud-bindings update \
--binding=my-binding-id --session-length=2h \
--session-reauth-method=login
To disable session settings, set --session-length=0, for example:
$ gcloud access-context-manager cloud-bindings update \
--binding=my-binding-id --session-length=0
REQUIRED FLAGS
Cloud access binding resource - The cloud access binding you want to
update. The arguments in this group can be used to specify the attributes
@ -57,6 +86,13 @@ REQUIRED FLAGS
▸ set the property access_context_manager/organization.
OPTIONAL FLAGS
--append
When true, append the ScopedAccessSettings in --binding-file to the
existing ScopedAccessSettings on the binding. When false, the existing
binding's ScopedAccessSettings will be overwritten. Defaults to false.
You may only append ScopedAccessSettings that exclusively hold session
settings (i.e no access levels).
--binding-file=YAML_FILE
Path to the file that contains a Google Cloud Platform user access
binding.
@ -66,7 +102,8 @@ OPTIONAL FLAGS
ScopedAccessSettings only. No other binding fields are allowed.
The file content replaces the corresponding fields in the existing
binding.
binding. Unless --append is specified. See --append help text for more
details.
--dry-run-level=[DRY_RUN_LEVEL,...]
The dry run access level that replaces the existing dry run level for
@ -78,6 +115,42 @@ OPTIONAL FLAGS
binding. The input must be the full identifier of an access level, such
as accessPolicies/123/accessLevels/new-abc.
--session-length=SESSION_LENGTH
The maximum lifetime of a user session provided as an ISO 8601 duration
string. Must be at least one hour or zero, and no more than twenty-four
hours. Granularity is limited to seconds.
When --session-length=0 users in the group attached to this binding
will have infinite session length, effectively disabling the session
settings.
A session begins after a user signs in successfully. If a user signs
out before the end of the session lifetime, a new login creates a new
session with a fresh lifetime. When a session expires, the user is
asked to reauthenticate in accordance with session-reauth-method.
Setting --session-reauth-method when --session-length is empty raises
an error. Cannot set --session-length on restricted client
applications; please use scoped access settings.
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
Specifies the security check a user must undergo when their session
expires. Defaults to --session-reauth-method=LOGIN if unspecified and
--session-length is set. Cannot be used when --session-length is empty
or 0. SESSION_REAUTH_METHOD must be one of:
login
The user will be prompted to perform regular login. Users who are
enrolled in two-step verification and haven't chosen to "Remember
this computer" will be prompted for their second factor.
password
The user will only be required to enter their password.
security-key
The user will be prompted to autheticate using their security key.
If no security key has been configured, the LOGIN method is used.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,