mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 10:35:03 +00:00
165 lines
6.8 KiB
Text
165 lines
6.8 KiB
Text
NAME
|
|
gcloud access-context-manager cloud-bindings create - create cloud access
|
|
bindings for a specific group
|
|
|
|
SYNOPSIS
|
|
gcloud access-context-manager cloud-bindings create --group-key=GROUP_KEY
|
|
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
|
|
[--level=[LEVEL,...]] [--organization=ORGANIZATION]
|
|
[--session-length=SESSION_LENGTH]
|
|
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
Create a new cloud access binding. The access level and/or session settings
|
|
will be globally bound with the group.
|
|
|
|
To apply access level and/or session settings to a specific application,
|
|
specify the restricted application in the 'binding-file'. In such case, the
|
|
access level and/or session settings specified in the yaml file will be
|
|
bound with the group and the restricted applications.
|
|
|
|
EXAMPLES
|
|
To create a new cloud access binding, run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc
|
|
|
|
To create a new cloud access binding for particular applications using a
|
|
yaml file, run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--binding-file='binding.yaml'
|
|
|
|
To create a new global cloud access binding, and for particular
|
|
applications using a yaml file, run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--organization='1234567890' --binding-file='binding.yaml'
|
|
|
|
To create a new cloud access binding for the dry run access level, run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--dry-run-level=accessPolicies/123/accessLevels/def
|
|
|
|
To create a new cloud access binding with global session settings, specify
|
|
your session length using an ISO duration string and the session-length
|
|
flag. For example:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h
|
|
|
|
To set a particular session reauth method for these session settings, run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h --session-reauth-method=LOGIN
|
|
|
|
To create session settings for a particular application, supply a YAML file
|
|
and run:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--binding-file='binding.yaml'
|
|
|
|
Global and per-app session settings can be set on the same group, along
|
|
with access levels. For example:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h --session-reauth-method=LOGIN \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--dry-run-level=accessPolicies/123/accessLevels/def \
|
|
--binding-file='binding.yaml'
|
|
|
|
REQUIRED FLAGS
|
|
--group-key=GROUP_KEY
|
|
Google Group ID whose members are subject to the restrictions of this
|
|
binding.
|
|
|
|
OPTIONAL FLAGS
|
|
--binding-file=YAML_FILE
|
|
Path to the file that contains a Google Cloud Platform user access
|
|
binding.
|
|
|
|
This file contains a YAML-compliant object representing a
|
|
GcpUserAccessBinding (as described in the API reference) containing
|
|
ScopedAccessSettings only. No other binding fields are allowed.
|
|
|
|
--dry-run-level=[DRY_RUN_LEVEL,...]
|
|
The dry run access level that binds to the given group. The dry run
|
|
access level will be evaluated but won't be enforced. Denial on dry run
|
|
access level will be logged. The input must be the full identifier of
|
|
an access level, such as accessPolicies/123/accessLevels/new-def.
|
|
|
|
--level=[LEVEL,...]
|
|
The access level that binds to the given group. The input must be the
|
|
full identifier of an access level, such as
|
|
accessPolicies/123/accessLevels/abc.
|
|
|
|
--organization=ORGANIZATION
|
|
Parent organization for this binding.
|
|
|
|
--session-length=SESSION_LENGTH
|
|
The maximum lifetime of a user session provided as an ISO 8601 duration
|
|
string. Must be at least one hour or zero seconds, and no more than
|
|
twenty-four hours. Granularity is limited to seconds.
|
|
|
|
When --session-length=0 then users in the group attached to this
|
|
binding will have infinite session length, effectively disabling the
|
|
session settings.
|
|
|
|
A session begins when a user signs in successfully. If a user signs out
|
|
before the end of the session lifetime, a new login creates a new
|
|
session with a fresh lifetime. When a session expires, the user is
|
|
asked to re-authenticate in accordance with session-method.
|
|
|
|
Setting --session-reauth-method when --session-length is empty raises
|
|
an error.
|
|
|
|
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
|
|
Specifies the type of re-authentication challenge given to the user
|
|
when their session expires. Defaults to --session-reauth-method=login
|
|
if unspecified and --session-length is set. Cannot be used when
|
|
--session-length is empty or 0.
|
|
|
|
SESSION_REAUTH_METHOD must be one of:
|
|
|
|
login
|
|
The user must complete a regular login.
|
|
|
|
password
|
|
The user will only be required to enter their password.
|
|
|
|
security-key
|
|
The user must re-autheticate using their security key. Before
|
|
enabling this session reauth method, ensure a security key is
|
|
properly configured for the user. For help configuring your
|
|
security key, see
|
|
https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
API REFERENCE
|
|
This command uses the accesscontextmanager/v1 API. The full documentation
|
|
for this API can be found at:
|
|
https://cloud.google.com/access-context-manager/docs/reference/rest/
|
|
|
|
NOTES
|
|
This variant is also available:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create
|
|
|