gcloud alpha iam service-accounts add-iam-policy-binding

NAME
gcloud alpha iam service-accounts add-iam-policy-binding - add an IAM policy binding to an IAM service account
SYNOPSIS
gcloud alpha iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=PRINCIPAL --role=ROLE [--condition=[KEY=VALUE,…]     | --condition-from-file=PATH_TO_FILE] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) Add an IAM policy binding to an IAM service account. A binding consists of at least one member, a role, and an optional condition. Adding a binding to a service account grants the specified member the specified role on the service account.

When managing IAM roles, you can treat a service account either as a resource or as an identity. This command adds an IAM policy binding to a service account resource. There are other gcloud commands to manage IAM policies for other types of resources. For example, to manage IAM policies on a project, use the $ gcloud projects commands.

If the service account does not exist, this command returns a PERMISSION_DENIED error.

EXAMPLES
To add an IAM policy binding for the role of 'roles/editor' for the user 'test-user@gmail.com' on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:
gcloud alpha iam service-accounts add-iam-policy-binding my-iam-account@my-project.iam.gserviceaccount.com --member='user:test-user@gmail.com' --role='roles/editor'

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

gcloud alpha iam service-accounts add-iam-policy-binding test-proj1@example.domain.com --member='serviceAccount:test-proj1@example.domain.com' --role='roles/editor'

To add an IAM policy binding for the role of 'roles/editor' for all authenticated users on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:

gcloud alpha iam service-accounts add-iam-policy-binding my-iam-account@my-project.iam.gserviceaccount.com --member='allAuthenticatedUsers' --role='roles/editor'

To add an IAM policy binding which expires at the end of the year 2018 for the role of 'roles/iam.serviceAccountAdmin' and the user 'test-user@gmail.com' on a service account with identifier 'my-iam-account@my-project.iam.gserviceaccount.com', run:

gcloud alpha iam service-accounts add-iam-policy-binding my-iam-account@my-project.iam.gserviceaccount.com --member='user:test-user@gmail.com' --role='roles/iam.serviceAccountAdmin' --condition='expression=request.time <
 timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,descrip\
tion=Expires at midnight on 2018-12-31'

See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.

POSITIONAL ARGUMENTS
ServiceAccount resource - The service account to which the IAM policy binding is being added. Note that the user, group or service account in the --member flag is being granted access to this service account. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument service_account on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

SERVICE_ACCOUNT
ID of the serviceAccount or fully qualified identifier for the serviceAccount.

To set the service_account attribute:

  • provide the argument service_account on the command line.
REQUIRED FLAGS
--member=PRINCIPAL
The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Some resources also accept the following special values:

  • allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
  • allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.
--role=ROLE
Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.
OPTIONAL FLAGS
At most one of these can be specified:
--condition=[KEY=VALUE,…]
A condition to include in the binding. When the condition is explicitly specified as None (--condition=None), a binding without a condition is added. When the condition is specified and is not None, --role cannot be a basic role. Basic roles are roles/editor, roles/owner, and roles/viewer. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overview

When using the --condition flag, include the following key-value pairs:

expression
(Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax.

If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (:) as the delimiter, do the following: --condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping.

title
(Required) A short string describing the purpose of the expression.
description
(Optional) Additional description for the expression.
--condition-from-file=PATH_TO_FILE
Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for --condition. Use a full or relative path to a local file containing the value of condition.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the iam/v1 API. The full documentation for this API can be found at: https://cloud.google.com/iam/
NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
gcloud iam service-accounts add-iam-policy-binding
gcloud beta iam service-accounts add-iam-policy-binding