gcloud beta iam policy-bindings create

NAME
gcloud beta iam policy-bindings create - create PolicyBinding instance
SYNOPSIS
gcloud beta iam policy-bindings create (POLICY_BINDING : --folder=FOLDER --location=LOCATION --organization=ORGANIZATION) --policy=POLICY --target-principal-set=TARGET_PRINCIPAL_SET [--annotations=[ANNOTATIONS,…]] [--async] [--display-name=DISPLAY_NAME] [--etag=ETAG] [--policy-kind=POLICY_KIND] [--condition-description=CONDITION_DESCRIPTION --condition-expression=CONDITION_EXPRESSION --condition-location=CONDITION_LOCATION --condition-title=CONDITION_TITLE] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) Create PolicyBinding instance.
EXAMPLES
To create a policy binding instance called my-binding that references a principal access boundary policy run: 
gcloud beta iam policy-bindings create my-binding --organization=123 --location=global --policy=organizations/123/locations/global/principalAccessBoundaryPolicies/my-policy --target-principal-set=//cloudresourcemanager.googleapis.com/organizations/123
POSITIONAL ARGUMENTS
PolicyBinding resource - Identifier. The resource name of the policy binding. The binding parent is the closest CRM resource (i.e., Project, Folder or Organization) to the binding target.

Format: projects/{project_id}/locations/{location}/policyBindings/{policy_binding_id} projects/{project_number}/locations/{location}/policyBindings/{policy_binding_id} folders/{folder_id}/locations/{location}/policyBindings/{policy_binding_id} organizations/{organization_id}/locations/{location}/policyBindings/{policy_binding_id} The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument policy_binding on the command line with a fully specified name;
  • set the property core/project;
  • provide the argument --project on the command line. This resource can be one of the following types: [iam.folders.locations.policyBindings, iam.organizations.locations.policyBindings, iam.projects.locations.policyBindings].

This must be specified.

POLICY_BINDING
ID of the policyBinding or fully qualified identifier for the policyBinding.

To set the policy_binding attribute:

  • provide the argument policy_binding on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--folder=FOLDER
The folder id of the policyBinding resource.

To set the folder attribute:

  • provide the argument policy_binding on the command line with a fully specified name;
  • provide the argument --folder on the command line. Must be specified for resource of type [iam.folders.locations.policyBindings].
--location=LOCATION
The location id of the policyBinding resource.

To set the location attribute:

  • provide the argument policy_binding on the command line with a fully specified name;
  • provide the argument --location on the command line.
--organization=ORGANIZATION
The organization id of the policyBinding resource.

To set the organization attribute:

  • provide the argument policy_binding on the command line with a fully specified name;
  • provide the argument --organization on the command line. Must be specified for resource of type [iam.organizations.locations.policyBindings].
REQUIRED FLAGS
--policy=POLICY
The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).
Target is the full resource name of the resource to which the policy will be bound. Immutable once set.

This must be specified.

Arguments for the target.
--target-principal-set=TARGET_PRINCIPAL_SET
Full Resource Name used for principal access boundary policy bindings Examples: Organization: "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID" Folder: "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID" Project: "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" Workload Identity Pool: "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID" Workforce Identity: "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID" Workspace Identity: "//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID"
OPTIONAL FLAGS
--annotations=[ANNOTATIONS,…]
User defined annotations. See http://google.aip.dev/148#annotations for more details such as format and size limitations.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
Shorthand Example: 
--annotations=string=string

JSON Example: 

--annotations='{"string": "string"}'

File Example: 

--annotations=path_to_file.(yaml|json)
--async
Return immediately, without waiting for the operation in progress to complete.
--display-name=DISPLAY_NAME
The description of the policy binding. Must be less than or equal to 63 characters.
--etag=ETAG
The etag for the policy binding. If this is provided on update, it must match the server's etag.
--policy-kind=POLICY_KIND
The kind of the policy to attach in this binding:

+ When the policy is empty, this field must be set. + When the policy is set, this field + can be left empty and will be set to the policy kind, or + must set to the input policy kind

POLICY_KIND must be (only one value is supported):

principal-access-boundary
Principal access boundary policy kind
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at http://github.com/google/cel-spec.

Example (Comparison): 

title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"

Example (Equality): 

title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"

Example (Logic): 

title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation): 

title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

--condition-description=CONDITION_DESCRIPTION
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
--condition-expression=CONDITION_EXPRESSION
Textual representation of an expression in Common Expression Language syntax.
--condition-location=CONDITION_LOCATION
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
--condition-title=CONDITION_TITLE
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the iam/v3beta API. The full documentation for this API can be found at: http://cloud.go888ogle.com.fqhub.com/iam/
NOTES
This command is currently in beta and might change without notice.