mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-09 02:55:19 +00:00
245 lines
11 KiB
Text
245 lines
11 KiB
Text
NAME
|
|
gcloud alpha access-context-manager cloud-bindings create - create cloud
|
|
access bindings for a specific group
|
|
|
|
SYNOPSIS
|
|
gcloud alpha access-context-manager cloud-bindings create
|
|
[--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,...]]
|
|
[--group-key=GROUP_KEY] [--level=[LEVEL,...]]
|
|
[--organization=ORGANIZATION]
|
|
[--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,
|
|
...]]
|
|
[--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,
|
|
...]] [--session-length=SESSION_LENGTH]
|
|
[--session-reauth-method=SESSION_REAUTH_METHOD; default="login"]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(ALPHA) Create a new access binding. The access level (if any) will be
|
|
bound with
|
|
|
|
▪ a group and the restricted client application
|
|
▪ a specific service account or all service accounts in a specified
|
|
project.
|
|
|
|
The session settings (if any) will be bound with
|
|
|
|
▪ a group
|
|
|
|
If you want to bind session settings to a particular application, use
|
|
scoped access settings.
|
|
|
|
If a group key is specified, the access level and/or session settings are
|
|
globally enforced for all context-aware access group members, as specified
|
|
in the binding. If a restricted client application is also specified, then
|
|
the enforcement applies only to the specified application, and not to the
|
|
entire organization. Session settings are incompatible with the top level
|
|
--restricted-client-application flags; please use --binding-file to specify
|
|
scoped access settings. If the restricted client application is specified,
|
|
then --binding-file cannot be set. If a service account is specified, then
|
|
the enforcement applies only to the specified service account. If a service
|
|
account project is specified, the enforcement applies to all of the service
|
|
accounts belonging to the specified project.
|
|
|
|
EXAMPLES
|
|
To create a new global cloud access binding, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc
|
|
|
|
To create a new cloud access binding for particular applications, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--organization='1234567890' \
|
|
--restricted-client-application-names='Google Cloud SDK, Cloud
|
|
Console' \
|
|
--restricted-client-application-client-ids='123456789.apps.googl\
|
|
eusercontent.com'
|
|
|
|
To create a new cloud access binding for particular applications using a
|
|
yaml file, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--binding-file='binding.yaml'
|
|
|
|
To create a new global cloud access binding, and for particular
|
|
applications using a yaml file, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--organization='1234567890' --binding-file='binding.yaml'
|
|
|
|
To create a new global cloud access binding for the dry run access level,
|
|
run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--dry-run-level=accessPolicies/123/accessLevels/def
|
|
|
|
To create a new cloud access binding for the dry run access level for
|
|
particular applications, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--dry-run-level=accessPolicies/123/accessLevels/def \
|
|
--organization='1234567890' \
|
|
--restricted-client-application-names='Google Cloud SDK, Cloud
|
|
Console' \
|
|
--restricted-client-application-client-ids='123456789.apps.googl\
|
|
eusercontent.com'
|
|
|
|
To create a new cloud access binding for a particular service account, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--service-account=service-account@project.iam.gserviceaccount.co\
|
|
m --level=accessPolicies/123/accessLevels/abc \
|
|
--organization='1234567890'
|
|
|
|
To create a new cloud access binding for all service accounts in a
|
|
particular project, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--service-account-project-number='987654321' \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--organization='1234567890' \
|
|
|
|
To create a new cloud access binding with global session settings, specify
|
|
your session length using an ISO duration string and the session-length
|
|
flag. For example:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h
|
|
|
|
To set a particular session reauth method for these session settings, run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h --session-reauth-method=LOGIN
|
|
|
|
To create session settings for specific applications, supply a YAML file
|
|
and run:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--binding-file='binding.yaml'
|
|
|
|
Global and per-app session settings can be set on the same group, along
|
|
with access levels. For example:
|
|
|
|
$ gcloud alpha access-context-manager cloud-bindings create \
|
|
--group-key=my-group-key --organization='1234567890' \
|
|
--session-length=2h --session-reauth-method=LOGIN \
|
|
--level=accessPolicies/123/accessLevels/abc \
|
|
--dry-run-level=accessPolicies/123/accessLevels/def \
|
|
--binding-file='binding.yaml'
|
|
|
|
FLAGS
|
|
--binding-file=YAML_FILE
|
|
Path to the file that contains a Google Cloud Platform user access
|
|
binding.
|
|
|
|
This file contains a YAML-compliant object representing a
|
|
GcpUserAccessBinding (as described in the API reference) containing
|
|
ScopedAccessSettings only. No other binding fields are allowed.
|
|
|
|
--dry-run-level=[DRY_RUN_LEVEL,...]
|
|
The dry run access level that binds to the given group and restricted
|
|
client applications. The dry run access level is evaluated but isn't
|
|
enforced. Denial on a dry run access level is logged. The input must be
|
|
the full identifier of an access level, such as
|
|
accessPolicies/123/accessLevels/new-def. If no
|
|
restricted-client-application-client-ids or
|
|
restricted-client-application-names are provided, then the access level
|
|
is applied to the entire organization.
|
|
|
|
--group-key=GROUP_KEY
|
|
Google Group ID whose members are subject to the restrictions of this
|
|
binding.
|
|
|
|
--level=[LEVEL,...]
|
|
The access level that binds to the given group and restricted client
|
|
applications. The input must be the full identifier of an access level,
|
|
such as accessPolicies/123/accessLevels/abc. If no
|
|
restricted-client-application-client-ids or
|
|
restricted-client-application-names are provided, then the access level
|
|
is applied to the entire organization.
|
|
|
|
--organization=ORGANIZATION
|
|
Parent organization for this binding.
|
|
|
|
--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,...]
|
|
Client IDs to which the access level is applied.
|
|
|
|
--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,...]
|
|
Application names to which the access level is applied.
|
|
|
|
--session-length=SESSION_LENGTH
|
|
The maximum lifetime of a user session provided as an ISO 8601 duration
|
|
string. Must be at least one hour or zero seconds, and no more than
|
|
twenty-four hours. Granularity is limited to seconds.
|
|
|
|
When --session-length=0 then users in the group attached to this
|
|
binding will have infinite session length, effectively disabling
|
|
session.
|
|
|
|
A session begins when a user signs-in successfully. If a user signs out
|
|
before the end of the session lifetime, a new login creates a new
|
|
session with a fresh lifetime. When a session expires, the user is
|
|
asked to re-authenticate in accordance with session-method.
|
|
|
|
Setting --session-reauth-method when --session-length is empty raises
|
|
an error. Cannot set --session-length with
|
|
--restricted-client-application-client-ids or
|
|
--restricted-client-application-names; please use scoped access
|
|
settings.
|
|
|
|
--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
|
|
Specifies the type of re-authentication challenge given to the user
|
|
when their session expires. Defaults to --session-reauth-method=login
|
|
if unspecified and --session-length is set. Cannot be used when
|
|
--session-length is empty or 0.
|
|
|
|
SESSION_REAUTH_METHOD must be one of:
|
|
|
|
login
|
|
The user must complete a regular login.
|
|
|
|
password
|
|
The user will only be required to enter their password.
|
|
|
|
security-key
|
|
The user must re-autheticate using their security key. Before
|
|
enabling this session reauth method, ensure a security key is
|
|
properly configured for the user. For help configuring your
|
|
security key, see
|
|
https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
API REFERENCE
|
|
This command uses the accesscontextmanager/v1alpha API. The full
|
|
documentation for this API can be found at:
|
|
https://cloud.google.com/access-context-manager/docs/reference/rest/
|
|
|
|
NOTES
|
|
This command is currently in alpha and might change without notice. If this
|
|
command fails with API permission errors despite specifying the correct
|
|
project, you might be trying to access an API with an invitation-only early
|
|
access allowlist. This variant is also available:
|
|
|
|
$ gcloud access-context-manager cloud-bindings create
|
|
|