gdcloud iam roles create

NAME

gdcloud iam roles create - Create a custom role.

SYNOPSIS

gdcloud iam roles create ROLE_NAME
    { --file=ROLE_FILE |
    --description=DESCRIPTION
    --title=TITLE
    [--scope=[PROJECT | ORGANIZATION]]
    [--permissions=[permissions1,...]]
    [--stage=[ALPHA | BETA | GA | DISABLED]]
    [--projects=[project1,...]]
    [--namespace=NAMESPACE]
    } [flags]

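DESCRIPTION

Creates a custom role with narrowly defined permissions for the project or organization scope. Following the principle of least privilege, the role grants only the minimum access needed to perform specific tasks.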

EXAMPLES


To create an organization-level custom role with specific permissions, run:

    gdcloud iam roles create org-viewer --scope=organization --title="Organization Viewer" --description="Grants read-only access to storage buckets and compute instances at the organization level" --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list --stage=<BETA|GA|ALPHA>

To create a project-level custom role for deploying resources in specific project namespaces, run:

    gdcloud iam roles create project-resource-manager --scope=project --title="Project Resource Manager" --description="Allows managing compute instances and disks within specific projects" --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --stage=<BETA|GA|ALPHA> --projects=project-id-1,project-id-2...

To create a project-level custom role applicable to all projects, run:

    gdcloud iam roles create project-instance-operator --scope=project --title="Project Instance Operator" --description="Grants permissions to start and stop compute instances across all projects" --permissions=admin:compute:instances.start,admin:compute:instances.stop --stage=<BETA|GA|ALPHA>

To create a custom role in a specific system namespace, run:

    gdcloud iam roles create iam-role-manager --scope=organization --title="IAM Role Manager" --description="Allows creating and updating IAM roles" --permissions=iamAdmin:iam:roles:create,iamAdmin:iam:roles:update --stage=<BETA|GA|ALPHA> --namespace=<namespace-name>

To create a custom role from a YAML configuration file, run:

    gdcloud iam roles create my_role --file=ROLE_FILE

REQUIRED FLAGS

      --description string                               Description of the CustomRole custom resource.
      --permissions iamRoleName:apiGroup:resource:verb   A list of permissions granted to this CustomRole. Each permission must be specified in one of the following formats: `iamRoleName:apiGroup:resource:verb` (for resources that don't have an individual name) or `iamRoleName:apiGroup:resource:resourceName:verb` (for a resource with a specific name). Wildcards (`*`) are explicitly prohibited in any part of the permission string (apiGroup, resource, verb, or resourceName) to enforce the principle of least privilege.
      --title string                                     Title of the CustomRole custom resource.

OPTIONAL FLAGS

      --file string        Path to a file containing YAML configuration for a CustomRole custom resource. If set, the gdcloud CLI creates the CustomRole from the YAML configuration and ignores the other flags. The YAML must include 'title', 'description', and 'permissions' (formatted as 'iamRoleName:apiGroup:resource:verb' or 'iamRoleName:apiGroup:resource:resourceName:verb', no wildcards). Optional fields: 'stage', 'scope', 'projects', 'namespace' (if applicable). These fields, if present, must follow the same format as their corresponding command-line flags.
      --namespace string   Namespace of the CustomRole custom resource, required only when defining permissions in organization scope.
      --projects strings   Comma-separated list of project IDs where the CustomRole will be applied. Required when the scope is 'project'; not applicable for 'organization' scope. Example: --projects=project-id-1,project-id-2,project-id-3
      --scope string       Scope of the CustomRole (organization or project). Use 'organization' for system-level permissions and 'project' for project-specific permissions. (default "organization")
      --stage string       Release stage of the CustomRole (ALPHA, BETA, or GA). (default "ALPHA")
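
The following pre-flight check is an added example, not part of the gdcloud CLI or its documentation. It lints a `--permissions` value against the two formats and the wildcard prohibition stated in the flag description; the function names are hypothetical, and the CLI's own validation may be stricter.

```shell
#!/bin/sh
# Added example: lint a --permissions value before role creation, using only
# the rules in the flag description. Function names are hypothetical.

# check_permission PERM
# Returns 0 if PERM has 4 or 5 non-empty colon-separated segments and no
# wildcard; returns 1 and prints the reason on stderr otherwise.
check_permission() {
    perm=$1
    case $perm in
        *'*'*) echo "wildcard not allowed: $perm" >&2; return 1 ;;
        '' | :* | *: | *::*) echo "empty segment: $perm" >&2; return 1 ;;
        *' '*) echo "space not allowed: $perm" >&2; return 1 ;;
    esac
    # Count segments: keep only the ':' characters and measure the length.
    colons=$(printf '%s' "$perm" | tr -cd ':')
    n=$(( ${#colons} + 1 ))
    if [ "$n" -ne 4 ] && [ "$n" -ne 5 ]; then
        echo "expected 4 or 5 segments, got $n: $perm" >&2
        return 1
    fi
    return 0
}

# check_permission_list "perm1,perm2,..."
# Returns 0 only if every comma-separated entry passes check_permission.
check_permission_list() {
    list=$1
    case $list in
        '' | ,* | *, | *,,*) echo "empty entry in list" >&2; return 1 ;;
    esac
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                      # keep a stray '*' from being glob-expanded
    for p in $list; do
        check_permission "$p" || rc=1
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Usage, gating the create call on the lint result:
#   PERMS=iamAdmin:iam:roles:create,iamAdmin:iam:roles:update
#   check_permission_list "$PERMS" && gdcloud iam roles create ... --permissions="$PERMS"
```

Running the same check in CI over the `permissions` entries of a role file passed with `--file` catches an over-broad entry before it reaches the cluster.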

GDCLOUD WIDE FLAGS

These flags are available to all commands: --configuration, --format, --help, --project, --quiet.

For more information, see the gdcloud CLI reference overview page.