gcloud_iam_service-accounts_add-iam-policy-binding (1)
NAME
- gcloud iam service-accounts add-iam-policy-binding - add an IAM policy binding to an IAM Service Account
SYNOPSIS
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=MEMBER --role=ROLE [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
When managing IAM roles, you can treat a service account either as a resource or as an identity. This command adds IAM policy bindings to a service account resource. Other gcloud commands manage IAM policies for other types of resources; for example, to manage IAM policies on a project, use the $ gcloud projects commands.
POSITIONAL ARGUMENTS
ServiceAccount resource - The Service Account to which to add the IAM policy
binding. This represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways. To set the [project]
attribute: provide the argument [service_account] on the command line with a
fully specified name; set the property [core/project]; provide the argument
[--project] on the command line. This must be specified.
- SERVICE_ACCOUNT
ID of the serviceAccount or fully qualified identifier for the serviceAccount.
REQUIRED FLAGS
- --member=MEMBER
The member to add the binding for. Should be of the form
user|group|serviceAccount:email or domain:domain.
Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Can also be one of the following special values:
- allUsers - anyone who is on the internet, with or without a Google account.
- allAuthenticatedUsers - anyone who is authenticated with a Google account or a service account.
- --role=ROLE
Define the role of the member.
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --configuration, --flags-file, --flatten, --format, --help, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details.
API REFERENCE
This command uses the iam/v1 API. The full documentation for this API can be found at: cloud.google.com/iam
EXAMPLES
To add an IAM policy binding for the role of 'roles/editor' for the user 'test-user@gmail.com' on a service account with identifier 'my-iam-account@somedomain.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \
my-iam-account@somedomain.com \
--member='user:test-user@gmail.com' --role='roles/editor'
To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \
test-proj1@example.domain.com \
--member='serviceAccount:test-proj1@example.domain.com' \
--role='roles/editor'
To add an IAM policy binding for the role of 'roles/editor' for all authenticated users on a service account with identifier 'my-iam-account@somedomain.com', run:
$ gcloud iam service-accounts add-iam-policy-binding \
my-iam-account@somedomain.com --member='allAuthenticatedUsers' \
--role='roles/editor'
See cloud.google.com/iam/docs/managing-policies for details of policy role and member types.
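The last example above binds a role to allAuthenticatedUsers. The following Python script is an added example, not part of the gcloud documentation: it reviews the JSON printed by `gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT --format=json` and reports every binding whose member is one of the special values, a whole domain, or not in a form listed under --member. The function names are hypothetical and the sample policy is constructed.

```python
import json

# Member forms listed under --member on this page.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
PREFIXES = ("user", "group", "serviceAccount", "domain")


def classify_member(member):
    """Return 'public', 'domain', 'principal' or 'unrecognized' for a member string."""
    if member in PUBLIC:
        return "public"
    kind, sep, value = member.partition(":")
    if not sep or kind not in PREFIXES or not value:
        # Anything outside the forms on this page is reported for manual review.
        return "unrecognized"
    if kind == "domain":
        return "domain"
    # user, group and serviceAccount members are written as an email address.
    return "principal" if "@" in value else "unrecognized"


def audit_policy(policy):
    """List (role, member, finding) for each member that is not a single named principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind = classify_member(member)
            if kind != "principal":
                findings.append((binding["role"], member, kind))
    return findings


# Constructed sample in the shape printed by get-iam-policy --format=json.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:test-user@gmail.com", "allAuthenticatedUsers"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["domain:example.domain.com", "group:admins@example.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}
""")

if __name__ == "__main__":
    for role, member, kind in audit_policy(SAMPLE_POLICY):
        print(f"{kind:12} {role:32} {member}")
```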
NOTES
These variants are also available:
- $ gcloud alpha iam service-accounts add-iam-policy-binding
- $ gcloud beta iam service-accounts add-iam-policy-binding