gcloud alpha access-context-manager cloud-bindings create

gcloud alpha access-context-manager cloud-bindings create - create cloud access bindings for a specific group

gcloud alpha access-context-manager cloud-bindings create [--binding-file=YAML_FILE] [--dry-run-level=[DRY_RUN_LEVEL,…]] [--federated-principal=FEDERATED_PRINCIPAL] [--group-key=GROUP_KEY] [--level=[LEVEL,…]] [--organization=ORGANIZATION] [--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]] [--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]] [--service-account=SERVICE_ACCOUNT] [--service-account-project-number=SERVICE_ACCOUNT_PROJECT_NUMBER] [--session-length=SESSION_LENGTH] [--session-reauth-method=SESSION_REAUTH_METHOD; default="login"] [GCLOUD_WIDE_FLAG …]

• a group and the restricted client application
• a specific service account or all service accounts in a specified project.

The session settings (if any) will be bound with

• a group

If you want to bind session settings to a particular application, use scoped access settings.

If a group key is specified, the access level and/or session settings are globally enforced for all context-aware access group members, as specified in the binding. If a restricted client application is also specified, then the enforcement applies only to the specified application, and not to the entire organization. Session settings are incompatible with the top level --restricted-client-application flags; please use --binding-file to specify scoped access settings. If the restricted client application is specified, then --binding-file cannot be set. If a service account is specified, then the enforcement applies only to the specified service account. If a service account project is specified, the enforcement applies to all of the service accounts that belong to the specified project. If a federated principal is specified, then the enforcement applies only to the specified federated principal.

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc

To create a new cloud access binding for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \
    --restricted-client-application-client-ids='123456789.apps.googl\
eusercontent.com'

To create a new cloud access binding for particular applications using a yaml file, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

To create a new global cloud access binding, and for particular applications using a yaml file, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --binding-file='binding.yaml'

To create a new global cloud access binding for the dry run access level, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def

To create a new cloud access binding for the dry run access level for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \
    --restricted-client-application-client-ids='123456789.apps.googl\
eusercontent.com'

To create a new cloud access binding for a particular service account, run:

gcloud alpha access-context-manager cloud-bindings create --service-account=service-account@project.iam.gserviceaccount.com --level=accessPolicies/123/accessLevels/abc --organization='1234567890'

To create a new cloud access binding for all service accounts in a particular project, run:

To create a new cloud access binding for a specific federated principal, run:

gcloud alpha access-context-manager cloud-bindings create --service-account-project-number='987654321' --level=accessPolicies/123/accessLevels/abc --organization='1234567890' gcloud alpha access-context-manager cloud-bindings create --federated-principal='//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/my-subject' --level=accessPolicies/123/accessLevels/abc --organization='1234567890'

To create a new cloud access binding for all workforce identities in a given org, run the following command:

gcloud alpha access-context-manager cloud-bindings create --federated-principal='principalSet://cloudresourcemanager.googleapis.com/organizations/ORG_NUMBER/type/WorkforcePool' --organization='1234567890' --binding-file='binding.yaml'

To create a new cloud access binding with global session settings, specify your session length using an ISO duration string and the session-length flag. For example:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h

To set a particular session reauth method for these session settings, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN

To create session settings for specific applications, supply a YAML file and run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --binding-file='binding.yaml'

Global and per-app session settings can be set on the same group, along with access levels. For example:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --organization='1234567890' --session-length=2h --session-reauth-method=LOGIN --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --binding-file='binding.yaml'

--binding-file=YAML_FILE

Path to the file that contains a Google Cloud Platform user access binding.

This file contains a YAML-compliant object representing a GcpUserAccessBinding (as described in the API reference: https://docs.cloud.google.com/access-context-manager/docs/apply-policies-to-user-groups#define_configurations_for_specific_applications) containing ScopedAccessSettings only. No other binding fields are allowed. For bindings tied to all workforce identities in a given org, the ScopedAccessSettings must only contain sessionSettings within the activeSettings list. No other fields are allowed.

--dry-run-level=[DRY_RUN_LEVEL,…]

The dry run access level that binds to the given group and restricted client applications. The dry run access level is evaluated but isn't enforced. Denial on a dry run access level is logged. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/new-def. If no --restricted-client-application-client-ids or --restricted-client-application-names are provided, then the access level is applied to the entire organization. This parameter is not supported for bindings tied to all workforce identities in an organization.

--federated-principal=FEDERATED_PRINCIPAL

IAM federated principal that this binding applies to. Can be a single principal or a principal set. Used to assign policies to third-party workforce or workload identities. At most one of --group-key, --federated-principal, --service-account, or --service-account-project-number may be specified.

--group-key=GROUP_KEY

Google Group ID whose members are subject to the restrictions of this binding. At most one of --group-key, --federated-principal, --service-account, or --service-account-project-number may be specified.

--level=[LEVEL,…]

The access level that binds to the given group and restricted client applications. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/abc. If no --restricted-client-application-client-ids or --restricted-client-application-names are provided, then the access level is applied to the entire organization. This parameter is not supported for bindings tied to all workforce identities in an organization.

--organization=ORGANIZATION

Parent organization for this binding.

--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]

Client IDs that this access level applies to. This parameter is not supported for bindings tied to all workforce identities in an organization.

--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]

Application names that the access level applies to.

--service-account=SERVICE_ACCOUNT

Service account email that this binding applies to. Used to assign policies to a single first-party service account. At most one of --group-key, --federated-principal, --service-account, or --service-account-project-number may be specified.

--service-account-project-number=SERVICE_ACCOUNT_PROJECT_NUMBER

Project number of the project that contains the service accounts that are subject to the restrictions of this binding. Used to assign policies to all service accounts in a Google Cloud project. At most one of --group-key, --federated-principal, --service-account, or --service-account-project-number may be specified.

--session-length=SESSION_LENGTH

The maximum lifetime of a user session provided as an ISO 8601 duration string. For Cloud Identity users, this must be at least one hour or zero seconds, and no more than twenty-four hours. For workforce identities, this can be up to 90 days, or 14 days for Cloud Console. Granularity is limited to seconds.

When --session-length=0 then users in the group attached to this binding will have infinite session length, effectively disabling session.

A session begins when a user signs-in successfully. If a user signs out before the end of the session lifetime, a new login creates a new session with a fresh lifetime. When a session expires, the user is asked to re-authenticate in accordance with session-method.

Setting --session-reauth-method when --session-length is empty raises an error. Cannot set --session-length with --restricted-client-application-client-ids or --restricted-client-application-names; please use scoped access settings. This parameter is not supported for bindings tied to all workforce identities in an organization.

--session-reauth-method=SESSION_REAUTH_METHOD; default="login"

Specifies the type of re-authentication challenge given to the user when their session expires. Defaults to --session-reauth-method=login if unspecified and --session-length is set. Cannot be used when --session-length is empty or 0. This parameter is not supported for bindings tied to all workforce identities in an organization.

SESSION_REAUTH_METHOD must be one of:

login

The user must complete a regular login.

password

The user will only be required to enter their password.

security-key

The user must re-autheticate using their security key. Before enabling this session reauth method, ensure a security key is properly configured for the user. For help configuring your security key, see https://support.google.com/a/answer/2537800?hl=en#zippy=%2Cview-add-or-remove-security-keys

Run $ gcloud help for details.