mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-18 14:56:05 +00:00
gcloud: Wed Nov 13 10:04:10 UTC 2024
This commit is contained in:
parent
7da5872e5c
commit
a63704a3af
252 changed files with 4821 additions and 807 deletions
|
|
@ -10,24 +10,36 @@ SYNOPSIS
|
|||
[--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,
|
||||
...]]
|
||||
[--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,
|
||||
...]] [GCLOUD_WIDE_FLAG ...]
|
||||
...]] [--session-length=SESSION_LENGTH]
|
||||
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(ALPHA) Create a new access binding. The access level will be bound with
|
||||
(ALPHA) Create a new access binding. The access level (if any) will be
|
||||
bound with
|
||||
|
||||
▪ a group and the restricted client application
|
||||
▪ a specific service account or all service accounts in a specified
|
||||
project.
|
||||
|
||||
If a group key is specified, the access level is globally enforced for all
|
||||
context-aware access group members, as specified in the binding. If a
|
||||
restricted client application is also specified, then the enforcement
|
||||
applies only to the specified application, and not to the entire
|
||||
organization. If the restricted client application is specified, then
|
||||
--binding-file cannot be set. If a service account is specified, then the
|
||||
enforcement applies only to the specified service account. If a service
|
||||
account project is specified, then the enforcement applies to all the
|
||||
service accounts belongs to the specified project.
|
||||
The session settings (if any) will be bound with
|
||||
|
||||
▪ a group
|
||||
|
||||
If you want to bind session settings to a particular application, use
|
||||
scoped access settings.
|
||||
|
||||
If a group key is specified, the access level and/or session settings are
|
||||
globally enforced for all context-aware access group members, as specified
|
||||
in the binding. If a restricted client application is also specified, then
|
||||
the enforcement applies only to the specified application, and not to the
|
||||
entire organization. Session settings are incompatible with the top level
|
||||
--restricted-client-application flags; please use --binding-file to specify
|
||||
scoped access settings. If the restricted client application is specified,
|
||||
then --binding-file cannot be set. If a service account is specified, then
|
||||
the enforcement applies only to the specified service account. If a service
|
||||
account project is specified, the enforcement applies to all of the service
|
||||
accounts belonging to the specified project.
|
||||
|
||||
EXAMPLES
|
||||
To create a new global cloud access binding, run:
|
||||
|
|
@ -98,6 +110,37 @@ EXAMPLES
|
|||
--level=accessPolicies/123/accessLevels/abc \
|
||||
--organization='1234567890' \
|
||||
|
||||
To create a new cloud access binding with global session settings, specify
|
||||
your session length using an ISO duration string and the session-length
|
||||
flag. For example:
|
||||
|
||||
$ gcloud alpha access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h
|
||||
|
||||
To set a particular session reauth method for these session settings, run:
|
||||
|
||||
$ gcloud alpha access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h --session-reauth-method=LOGIN
|
||||
|
||||
To create session settings for specific applications, supply a YAML file
|
||||
and run:
|
||||
|
||||
$ gcloud alpha access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--binding-file='binding.yaml'
|
||||
|
||||
Global and per-app session settings can be set on the same group, along
|
||||
with access levels. For example:
|
||||
|
||||
$ gcloud alpha access-context-manager cloud-bindings create \
|
||||
--group-key=my-group-key --organization='1234567890' \
|
||||
--session-length=2h --session-reauth-method=LOGIN \
|
||||
--level=accessPolicies/123/accessLevels/abc \
|
||||
--dry-run-level=accessPolicies/123/accessLevels/def \
|
||||
--binding-file='binding.yaml'
|
||||
|
||||
FLAGS
|
||||
--binding-file=YAML_FILE
|
||||
Path to the file that contains a Google Cloud Platform user access
|
||||
|
|
@ -118,7 +161,7 @@ FLAGS
|
|||
is applied to the entire organization.
|
||||
|
||||
--group-key=GROUP_KEY
|
||||
Google Group id whose members are subject to the restrictions of this
|
||||
Google Group ID whose members are subject to the restrictions of this
|
||||
binding.
|
||||
|
||||
--level=[LEVEL,...]
|
||||
|
|
@ -138,6 +181,47 @@ FLAGS
|
|||
--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,...]
|
||||
Application names to which the access level is applied.
|
||||
|
||||
--session-length=SESSION_LENGTH
|
||||
The maximum lifetime of a user session provided as an ISO 8601 duration
|
||||
string. Must be at least one hour or zero seconds, and no more than
|
||||
twenty-four hours. Granularity is limited to seconds.
|
||||
|
||||
When --session-length=0 then users in the group attached to this
|
||||
binding will have infinite session length, effectively disabling
|
||||
session.
|
||||
|
||||
A session begins when a user signs-in successfully. If a user signs out
|
||||
before the end of the session lifetime, a new login creates a new
|
||||
session with a fresh lifetime. When a session expires, the user is
|
||||
asked to re-authenticate in accordance with session-method.
|
||||
|
||||
Setting --session-reauth-method when --session-length is empty raises
|
||||
an error. Cannot set --session-length with
|
||||
--restricted-client-application-client-ids or
|
||||
--restricted-client-application-names; please use scoped access
|
||||
settings.
|
||||
|
||||
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
|
||||
Specifies the type of re-authentication challenge given to the user
|
||||
when their session expires. Defaults to --session-reauth-method=login
|
||||
if unspecified and --session-length is set. Cannot be used when
|
||||
--session-length is empty or 0.
|
||||
|
||||
SESSION_REAUTH_METHOD must be one of:
|
||||
|
||||
login
|
||||
The user must complete a regular login.
|
||||
|
||||
password
|
||||
The user will only be required to enter their password.
|
||||
|
||||
security-key
|
||||
The user must re-autheticate using their security key. Before
|
||||
enabling this session reauth method, ensure a security key is
|
||||
properly configured for the user. For help configuring your
|
||||
security key, see
|
||||
https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue