1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-16 12:22:03 +00:00
gcloud-help/gcloud/alpha/container/binauthz/policy/remove-iam-policy-binding
2022-03-01 04:29:52 +00:00

127 lines
5.4 KiB
Text

NAME
gcloud alpha container binauthz policy remove-iam-policy-binding - remove
IAM policy binding of a Binary Authorization policy
SYNOPSIS
gcloud alpha container binauthz policy remove-iam-policy-binding
--member=PRINCIPAL --role=ROLE
[--all | --condition=[KEY=VALUE,...]
| --condition-from-file=CONDITION_FROM_FILE] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Remove an IAM policy binding from the IAM policy of a Binary
Authorization policy. One binding consists of a member, a role, and an
optional condition.
EXAMPLES
To remove an IAM policy binding for the role of
'roles/binaryauthorization.attestationAuthoritiesEditor' for the user
'test-user@gmail.com' on the current project's Binary Authorization policy,
run:
$ gcloud alpha container binauthz policy remove-iam-policy-binding \
--member='user:test-user@gmail.com' \
--role='roles/binaryauthorization.attestationAuthoritiesEditor'
To remove an IAM policy binding which expires at the end of the year 2018
for the role of 'roles/binaryauthorization.attestationAuthoritiesEditor'
and the user 'test-user@gmail.com' on the current project's Binary
Authorization policy, run:
$ gcloud alpha container binauthz policy remove-iam-policy-binding \
--member='user:test-user@gmail.com' \
--role='roles/binaryauthorization.attestationAuthoritiesEditor' \
--condition='expression=request.time <
timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,descrip\
tion=Expires at midnight on 2018-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
REQUIRED FLAGS
--member=PRINCIPAL
The principal to remove the binding for. Should be of the form
user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com,
serviceAccount:test123@example.domain.com, or
domain:example.domain.com.
Deleted principals have an additional deleted: prefix and a ?uid=UID
suffix, where UID is a unique identifier for the principal. Example:
deleted:user:test-user@gmail.com?uid=123456789012345678901.
Some resources also accept the following special values:
◆ allUsers - Special identifier that represents anyone who is on the
internet, with or without a Google account.
◆ allAuthenticatedUsers - Special identifier that represents anyone
who is authenticated with a Google account or a service account.
--role=ROLE
The role to remove the principal from.
OPTIONAL FLAGS
At most one of these can be specified:
--all
Remove all bindings with this role and principal, irrespective of any
conditions.
--condition=[KEY=VALUE,...]
The condition of the binding that you want to remove. When the
condition is explicitly specified as None (--condition=None), a
binding without a condition is removed. Otherwise, only a binding
with a condition that exactly matches the specified condition
(including the optional description) is removed. For more on
conditions, refer to the conditions overview guide:
https://cloud.google.com/iam/docs/conditions-overview
When using the --condition flag, include the following key-value
pairs:
expression
(Required) Condition expression that evaluates to True or False.
This uses a subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different
delimiter to separate the key-value pairs. Specify the delimiter
before listing the key-value pairs. For example, to specify a
colon (:) as the delimiter, do the following:
--condition=^:^title=TITLE:expression=EXPRESSION. For more
information, see
https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
title
(Required) A short string describing the purpose of the
expression.
description
(Optional) Additional description for the expression.
--condition-from-file=CONDITION_FROM_FILE
Path to a local JSON or YAML file that defines the condition. To see
available fields, see the help for --condition.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
API REFERENCE
This command uses the binaryauthorization/v1alpha2 API. The full
documentation for this API can be found at:
https://cloud.google.com/binary-authorization/
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud container binauthz policy remove-iam-policy-binding
$ gcloud beta container binauthz policy remove-iam-policy-binding