.TH "GCLOUD_ACCESS\-CONTEXT\-MANAGER_POLICIES_ADD\-IAM\-POLICY\-BINDING" 1

.SH "NAME"
.HP
gcloud access\-context\-manager policies add\-iam\-policy\-binding \- add IAM policy binding for an access policy

.SH "SYNOPSIS"
.HP
\f5gcloud access\-context\-manager policies add\-iam\-policy\-binding\fR [\fIPOLICY\fR] \fB\-\-member\fR=\fIPRINCIPAL\fR \fB\-\-role\fR=\fIROLE\fR [\fB\-\-condition\fR=[\fIKEY\fR=\fIVALUE\fR,...]\ |\ \fB\-\-condition\-from\-file\fR=\fIPATH_TO_FILE\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]

.SH "DESCRIPTION"
Adds a policy binding to the IAM policy of an access policy. The binding
consists of a role, identity, and access policy.

.SH "EXAMPLES"
To add an IAM policy binding for the role of \f5\fIroles/notebooks.admin\fR\fR
for the user 'test\-user@gmail.com' on the access policy 'accessPolicies/123',
run:

.RS 2m
$ gcloud access\-context\-manager policies add\-iam\-policy\-binding \e
    \-\-member='user:test\-user@gmail.com' \e
    \-\-role='roles/notebooks.admin' accessPolicies/123
.RE

See https://cloud.google.com/iam/docs/managing\-policies for details of policy
role and member types.

.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
Policy resource \- The access policy to add the IAM binding. This represents a Cloud resource.
.TP 2m
[\fIPOLICY\fR]
ID of the policy or fully qualified identifier for the policy. To set the
\f5policy\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5policy\fR on the command line;
.IP "\(em" 2m
set the property \f5access_context_manager/policy\fR;
.IP "\(em" 2m
automatically, if the current account belongs to an organization with exactly
one access policy.
.RE
.sp
.RE
.sp

.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-member\fR=\fIPRINCIPAL\fR
The principal to add the binding for. Should be of the form
\f5user|group|serviceAccount:email\fR or \f5domain:domain\fR.

Examples: \f5user:test\-user@gmail.com\fR, \f5group:admins@example.com\fR,
\f5serviceAccount:test123@example.domain.com\fR, or
\f5domain:example.domain.com\fR.

Some resources also accept the following special values:
.RS 2m
.IP "\(em" 2m
\f5allUsers\fR \- Special identifier that represents anyone who is on the
internet, with or without a Google account.
.IP "\(em" 2m
\f5allAuthenticatedUsers\fR \- Special identifier that represents anyone who is
authenticated with a Google account or a service account.
.RE
.sp
.TP 2m
\fB\-\-role\fR=\fIROLE\fR
Role name to assign to the principal. The role name is the complete path of a
predefined role, such as \f5roles/logging.viewer\fR, or the role ID for a custom
role, such as \f5organizations/{ORGANIZATION_ID}/roles/logging.viewer\fR.
.RE
.sp

.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-condition\fR=[\fIKEY\fR=\fIVALUE\fR,...]
A condition to include in the binding. When the condition is explicitly
specified as \f5None\fR (\f5\-\-condition=None\fR), a binding without a
condition is added. When the condition is specified and is not \f5None\fR,
\f5\-\-role\fR cannot be a basic role. Basic roles are \f5roles/editor\fR,
\f5roles/owner\fR, and \f5roles/viewer\fR. For more on conditions, refer to the
conditions overview guide: https://cloud.google.com/iam/docs/conditions\-overview

When using the \f5\-\-condition\fR flag, include the following key\-value pairs:
.RS 2m
.TP 2m
\fBexpression\fR
(Required) Condition expression that evaluates to True or False. This uses a
subset of Common Expression Language syntax.

If the condition expression includes a comma, use a different delimiter to
separate the key\-value pairs. Specify the delimiter before listing the
key\-value pairs. For example, to specify a colon (\f5:\fR) as the delimiter, do
the following: \f5\-\-condition=^:^title=TITLE:expression=EXPRESSION\fR. For
more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.
.TP 2m
\fBtitle\fR
(Required) A short string describing the purpose of the expression.
.TP 2m
\fBdescription\fR
(Optional) Additional description for the expression.
.RE
.sp
.TP 2m
\fB\-\-condition\-from\-file\fR=\fIPATH_TO_FILE\fR
Path to a local JSON or YAML file that defines the condition. To see available
fields, see the help for \f5\-\-condition\fR. Use a full or relative path to a
local file containing the value of condition.
.RE
.RE
.sp

.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.

.SH "API REFERENCE"
This command uses the \fBaccesscontextmanager/v1\fR API. The full documentation
for this API can be found at:
https://cloud.google.com/access\-context\-manager/docs/reference/rest/

.SH "NOTES"
These variants are also available:

.RS 2m
$ gcloud alpha access\-context\-manager policies add\-iam\-policy\-binding
.RE

.RS 2m
$ gcloud beta access\-context\-manager policies add\-iam\-policy\-binding
.RE
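
The rules stated under REQUIRED FLAGS and OPTIONAL FLAGS, as an added shell example that is not part of gcloud or of the original page: it checks the member form, refuses a condition on a basic role, picks a \-\-condition delimiter that none of the values contain, and prints the resulting command without running it. The helper names, the delimiter candidates and the expression string are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not gcloud code); the three helpers below are hypothetical.

# Print the first delimiter that occurs in none of the given values.
pick_delim() {
  for d in ',' ':' ';' '|' '#'; do
    case "$*" in
      *"$d"*) ;;
      *) printf '%s' "$d"; return 0 ;;
    esac
  done
  return 1
}

# Build the --condition flag; title and expression are required keys.
build_condition() {
  title=$1 expr=$2 desc=${3-}
  [ -n "$title" ] && [ -n "$expr" ] || { echo "title and expression are required" >&2; return 2; }
  d=$(pick_delim "$title" "$expr" "$desc") || { echo "no unused delimiter" >&2; return 3; }
  prefix=""
  [ "$d" = "," ] || prefix="^$d^"   # comma is the default, so it needs no ^d^ prefix
  out="--condition=${prefix}title=${title}${d}expression=${expr}"
  [ -z "$desc" ] || out="${out}${d}description=${desc}"
  printf '%s' "$out"
}

# Return non-zero for combinations this page rules out; warn on public principals.
check_binding() {
  member=$1 role=$2 has_condition=$3
  case "$member" in
    allUsers|allAuthenticatedUsers) echo "warning: $member is a public principal" >&2 ;;
    user:?*|group:?*|serviceAccount:?*|domain:?*) ;;
    *) echo "unrecognized member form: $member" >&2; return 2 ;;
  esac
  case "$role" in
    roles/editor|roles/owner|roles/viewer)
      [ "$has_condition" = no ] || { echo "a basic role cannot take a condition" >&2; return 3; } ;;
  esac
  return 0
}

# Demo: principal, role and policy are the page's example values; EXPR is a
# constructed test string (only its punctuation matters here).
EXPR='a.startsWith("x,y") && t < timestamp("2030-01-01T00:00:00Z")'
cmd='gcloud access-context-manager policies add-iam-policy-binding accessPolicies/123'
if check_binding 'user:test-user@gmail.com' 'roles/notebooks.admin' yes; then
  cond=$(build_condition 'expires 2030' "$EXPR") &&
    echo "$cmd --member='user:test-user@gmail.com' --role='roles/notebooks.admin' '$cond'"
fi
```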