Console
Start free

gcloud beta iam policy-bindings create

NAME
gcloud beta iam policy-bindings create - create PolicyBinding instance
SYNOPSIS
gcloud beta iam policy-bindings create (POLICY_BINDING : --folder=FOLDER --location=LOCATION --organization=ORGANIZATION) --policy=POLICY (--target-principal-set=TARGET_PRINCIPAL_SET     | --target-resource=TARGET_RESOURCE) [--annotations=[ANNOTATIONS,…]] [--async] [--display-name=DISPLAY_NAME] [--etag=ETAG] [--policy-kind=POLICY_KIND] [--condition-description=CONDITION_DESCRIPTION --condition-expression=CONDITION_EXPRESSION --condition-location=CONDITION_LOCATION --condition-title=CONDITION_TITLE] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) Create PolicyBinding instance.
EXAMPLES
To create a policy binding instance called my-binding that references a principal access boundary policy run: 
gcloud beta iam policy-bindings create my-binding --organization=123 --location=global --policy=organizations/123/locations/global/principalAccessBoundaryPolicies/my-policy --target-principal-set=//cloudresourcemanager.googleapis.com/organizations/123
POSITIONAL ARGUMENTS
PolicyBinding resource - Identifier. The name of the policy binding, in the format {binding_parent/locations/{location}/policyBindings/{policy_binding_id}. The binding parent is the closest Resource Manager resource (project, folder, or organization) to the binding target.

Format:

To set the project attribute:

This must be specified.
POLICY_BINDING
ID of the policyBinding or fully qualified identifier for the policyBinding.

To set the policy_binding attribute:

This positional argument must be specified if any of the other arguments in this group are specified.
--folder=FOLDER
The folder id of the policyBinding resource. To set the folder attribute:
--location=LOCATION
The location id of the policyBinding resource. To set the location attribute:
--organization=ORGANIZATION
The organization id of the policyBinding resource. To set the organization attribute:
REQUIRED FLAGS
--policy=POLICY
The resource name of the policy to be bound. The binding parent and policy must belong to the same organization.
The full resource name of the resource to which the policy will be bound. Immutable once set. This must be specified. Arguments for the target. At most one of these can be specified:
--target-principal-set=TARGET_PRINCIPAL_SET
The full resource name that's used for principal access boundary policy bindings. The principal set must be directly parented by the policy binding's parent or same as the parent if the target is a project, folder, or organization. Examples:
--target-resource=TARGET_RESOURCE
The full resource name that's used for access policy bindings. Examples:
OPTIONAL FLAGS
--annotations=[ANNOTATIONS,…]
User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations.
KEY
Sets KEY value.
VALUE
Sets VALUE value.
Shorthand Example: 
--annotations=string=string

JSON Example: 

--annotations='{"string": "string"}'

File Example: 

--annotations=path_to_file.(yaml|json)
--async
Return immediately, without waiting for the operation in progress to complete.
--display-name=DISPLAY_NAME
The description of the policy binding. Must be less than or equal to 63 characters.
--etag=ETAG
The etag for the policy binding. If this is provided on update, it must match the server's etag.
--policy-kind=POLICY_KIND
The kind of the policy to attach in this binding. This field must be one of the following: POLICY_KIND must be one of:
access
Access policy kind.
principal-access-boundary
Principal access boundary policy kind
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.

Example (Comparison): 

title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"

Example (Equality): 

title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"

Example (Logic): 

title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation): 

title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"
 The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
--condition-description=CONDITION_DESCRIPTION
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
--condition-expression=CONDITION_EXPRESSION
Textual representation of an expression in Common Expression Language syntax.
--condition-location=CONDITION_LOCATION
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
--condition-title=CONDITION_TITLE
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the iam/v3beta API. The full documentation for this API can be found at: https://cloud.google.com/iam/
NOTES
This command is currently in beta and might change without notice. This variant is also available: 
gcloud iam policy-bindings create