gcloud alpha access-context-manager cloud-bindings create

gcloud alpha access-context-manager cloud-bindings create - create cloud access bindings for a specific group
gcloud alpha access-context-manager cloud-bindings create [--dry-run-level=[DRY_RUN_LEVEL,…]] [--group-key=GROUP_KEY] [--level=[LEVEL,…]] [--organization=ORGANIZATION] [--restricted-client-application-client-ids=[RESTRICTED_CLIENT_APPLICATION_CLIENT_IDS,…]] [--restricted-client-application-names=[RESTRICTED_CLIENT_APPLICATION_NAMES,…]] [GCLOUD_WIDE_FLAG]
(ALPHA) Create a new access binding. The access level will be bound with
  • a group and the restricted client application
  • a specific service account or all service accounts in a specified project.

If a group key is specified, the access level is enforced at the organization level for all context-aware access group members, as specified in the binding. If a restricted client application is also specified, then the enforcement applies only to the specified application, and not to the entire organization. If a service account is specified, then the enforcement applies only to the specified service account. If a service account project is specified, then the enforcement applies to all the service accounts belongs to the specified project.

To create a new cloud access binding at the organization level, run:
gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc

To create a new cloud access binding for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \

To create a new cloud access binding for the dry run access level at the organization level, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def

To create a new cloud access binding for the dry run access level for particular applications, run:

gcloud alpha access-context-manager cloud-bindings create --group-key=my-group-key --level=accessPolicies/123/accessLevels/abc --dry-run-level=accessPolicies/123/accessLevels/def --organization='1234567890' --restricted-client-application-names='Google Cloud SDK, Cloud
 Console' \

To create a new cloud access binding for a particular service account, run:

gcloud alpha access-context-manager cloud-bindings create --service-account=service-account@project.iam.gserviceaccount.com --level=accessPolicies/123/accessLevels/abc --organization='1234567890'

To create a new cloud access binding for all service accounts in a particular project, run:

The dry run access level that binds to the given group and restricted client applications. The dry run access level is evaluated but isn't enforced. Denial on a dry run access level is logged. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/new-def. If no restricted-client-application-client-ids or restricted-client-application-names are provided, then the access level is applied to the entire organization.
Google Group id whose members are subject to the restrictions of this binding.
The access level that binds to the given group and restricted client applications. The input must be the full identifier of an access level, such as accessPolicies/123/accessLevels/abc. If no restricted-client-application-client-ids or restricted-client-application-names are provided, then the access level is applied to the entire organization.
Parent organization for this binding.
Client IDs to which the access level is applied.
Application names to which the access level is applied.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

This command uses the accesscontextmanager/v1alpha API. The full documentation for this API can be found at: https://cloud.google.com/access-context-manager/docs/reference/rest/
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. This variant is also available:
gcloud alpha access-context-manager cloud-bindings create --service-account-project-number='987654321' --level=accessPolicies/123/accessLevels/abc --organization='1234567890' gcloud access-context-manager cloud-bindings create