gcloud alpha access-context-manager cloud-bindings create

NAME
gcloud alpha access-context-manager cloud-bindings create - create cloud access bindings for a specific group
SYNOPSIS
gcloud alpha access-context-manager cloud-bindings create [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,…]] [--group-key=GROUP_KEY] [--level=[LEVEL,…]] [--organization=ORGANIZATION] [--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]] [--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]] [--session-length=SESSION_LENGTH] [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) Create a new access binding. The access level (if any) will be bound with
  • a group and the restricted client application
  • a specific service account or all service accounts in a specified project.

The session settings (if any) will be bound with

  • a group

If you want to bind session settings to a particular application, use scoped access settings.

If a group key is specified, the access level and/or session settings are globally enforced for all context-aware access group members, as specified in the binding. If a restricted client application is also specified, then the enforcement applies only to the specified application, and not to the entire organization. Session settings are incompatible with the top level --restricted-client-application flags; please use --binding-file to specify scoped access settings. If the restricted client application is specified, then --binding-file cannot be set. If a service account is specified, then the enforcement applies only to the specified service account. If a service account project is specified, the enforcement applies to all of the service accounts belonging to the specified project.

EXAMPLES
To create a new global cloud access binding, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc

To create a new cloud access binding for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \
    --restricted-client-application-client-ids='123456789.apps.googl\
eusercontent.com'

To create a new cloud access binding for particular applications using a yaml file, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

To create a new global cloud access binding, and for particular applications using a yaml file, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --binding-file='binding.yaml'

To create a new global cloud access binding for the dry run access level, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def

To create a new cloud access binding for the dry run access level for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \
    --restricted-client-application-client-ids='123456789.apps.googl\
eusercontent.com'

To create a new cloud access binding for a particular service account, run:

gcloud alpha access-context-manager cloud-bindings create --service-account=service-account@project.iam.gserviceaccount.com --level=accessPolicies/123/accessLevels/abc --organization='1234567890'

To create a new cloud access binding for all service accounts in a particular project, run:



To create a new cloud access binding with global session settings, specify your session length using an ISO duration string and the session-length flag. For example:

gcloud alpha access-context-manager cloud-bindings create --service-account-project-number='987654321' --level=accessPolicies/123/accessLevels/abc --organization='1234567890' gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h

To set a particular session reauth method for these session settings, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN

To create session settings for specific applications, supply a YAML file and run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

Global and per-app session settings can be set on the same group, along with access levels. For example:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --binding-file='binding.yaml'
FLAGS
--binding-file=YAML_FILE
Path to the file that contains a Google Cloud Platform user access binding.

This file contains a YAML-compliant object representing a GcpUserAccessBinding (as described in the API reference) containing ScopedAccessSettings only. No other binding fields are allowed.

--dry-run-level=[DRY_RUN_LEVEL,…]
The dry run access level that binds to the given group and restricted client applications. The dry run access level is evaluated but isn't enforced. Denial on a dry run access level is logged. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/new-def. If no restricted-client-application-client-ids or restricted-client-application-names are provided, then the access level is applied to the entire organization.
--group-key=GROUP_KEY
Google Group ID whose members are subject to the restrictions of this binding.
--level=[LEVEL,…]
The access level that binds to the given group and restricted client applications. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/abc. If no restricted-client-application-client-ids or restricted-client-application-names are provided, then the access level is applied to the entire organization.
--organization=ORGANIZATION
Parent organization for this binding.
--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]
Client IDs to which the access level is applied.
--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]
Application names to which the access level is applied.
--session-length=SESSION_LENGTH
The maximum lifetime of a user session provided as an ISO 8601 duration string. Must be at least one hour or zero seconds, and no more than twenty-four hours. Granularity is limited to seconds.

When --session-length=0 then users in the group attached to this binding will have infinite session length, effectively disabling session.

A session begins when a user signs-in successfully. If a user signs out before the end of the session lifetime, a new login creates a new session with a fresh lifetime. When a session expires, the user is asked to re-authenticate in accordance with session-method.

Setting --session-reauth-method when --session-length is empty raises an error. Cannot set --session-length with --restricted-client-application-client-ids or --restricted-client-application-names; please use scoped access settings.

--session-reauth-method=SESSION_REAUTH_METHOD; default="login"
Specifies the type of re-authentication challenge given to the user when their session expires. Defaults to --session-reauth-method=login if unspecified and --session-length is set. Cannot be used when --session-length is empty or 0.

SESSION_REAUTH_METHOD must be one of:

login
The user must complete a regular login.
password
The user will only be required to enter their password.
security-key
The user must re-autheticate using their security key. Before enabling this session reauth method, ensure a security key is properly configured for the user. For help configuring your security key, see https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the accesscontextmanager/v1alpha API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/
NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. This variant is also available:
gcloud access-context-manager cloud-bindings create