gcloud access-context-manager cloud-bindings create

NAME: gcloud access-context-manager cloud-bindings create - create cloud access bindings for a specific group
SYNOPSIS: gcloud access-context-manager cloud-bindings create --group-key=GROUP_KEY [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,…]] [--level=[LEVEL,…]] [--organization=ORGANIZATION] [--session-length=SESSION_LENGTH] [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"] [GCLOUD_WIDE_FLAG …]
DESCRIPTION: Create a new cloud access binding. The access level and/or session settings will be globally bound with the group.
To apply access level and/or session settings to a specific application, specify the restricted application in the 'binding-file'. In such case, the access level and/or session settings specified in the yaml file will be bound with the group and the restricted applications.
EXAMPLES: To create a new cloud access binding, run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc

To create a new cloud access binding for particular applications using a yaml file, run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

To create a new global cloud access binding, and for particular applications using a yaml file, run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --binding-file='binding.yaml'

To create a new cloud access binding for the dry run access level, run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def

To create a new cloud access binding with global session settings, specify your session length using an ISO duration string and the session-length flag. For example:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h

To set a particular session reauth method for these session settings, run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN

To create session settings for a particular application, supply a YAML file and run:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

Global and per-app session settings can be set on the same group, along with access levels. For example:
gcloud access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --binding-file='binding.yaml'
REQUIRED FLAGS: --group-key=GROUP_KEY

Google Group ID whose members are subject to the restrictions of this binding.
OPTIONAL FLAGS: --binding-file=YAML_FILE

Path to the file that contains a Google Cloud Platform user access binding.
This file contains a YAML-compliant object representing a GcpUserAccessBinding (as described in the API reference) containing ScopedAccessSettings only. No other binding fields are allowed.

--dry-run-level=[DRY_RUN_LEVEL,…]

The dry run access level that binds to the given group. The dry run access level will be evaluated but won't be enforced. Denial on dry run access level will be logged. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/new-def.

--level=[LEVEL,…]

The access level that binds to the given group. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/abc.

--organization=ORGANIZATION

Parent organization for this binding.

--session-length=SESSION_LENGTH

The maximum lifetime of a user session provided as an ISO 8601 duration string. Must be at least one hour or zero seconds, and no more than twenty-four hours. Granularity is limited to seconds.
When --session-length=0 then users in the group attached to this binding will have infinite session length, effectively disabling the session settings.
A session begins when a user signs in successfully. If a user signs out before the end of the session lifetime, a new login creates a new session with a fresh lifetime. When a session expires, the user is asked to re-authenticate in accordance with session-method.
Setting --session-reauth-method when --session-length is empty raises an error.

--session-reauth-method=SESSION_REAUTH_METHOD; default="login"

Specifies the type of re-authentication challenge given to the user when their session expires. Defaults to --session-reauth-method=login if unspecified and --session-length is set. Cannot be used when --session-length is empty or 0.
SESSION_REAUTH_METHOD must be one of:

login

The user must complete a regular login.

password

The user will only be required to enter their password.

security-key

The user must re-autheticate using their security key. Before enabling this session reauth method, ensure a security key is properly configured for the user. For help configuring your security key, see https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
GCLOUD WIDE FLAGS: These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
API REFERENCE: This command uses the accesscontextmanager/v1 API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/
NOTES: This variant is also available:
gcloud alpha access-context-manager cloud-bindings create