- NAME
-
- gcloud alpha container binauthz policy remove-iam-policy-binding - remove IAM policy binding of a Binary Authorization policy
- SYNOPSIS
-
-
gcloud alpha container binauthz policy remove-iam-policy-binding--member=PRINCIPAL--role=ROLE[--all|--condition=[KEY=VALUE,…] |--condition-from-file=PATH_TO_FILE] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
(ALPHA)Remove an IAM policy binding from the IAM policy of a Binary Authorization policy. One binding consists of a member, a role, and an optional condition. - EXAMPLES
-
To remove an IAM policy binding for the role of
'roles/binaryauthorization.attestationAuthoritiesEditor' for the user
'test-user@gmail.com' on the current project's Binary Authorization policy, run:
gcloud alpha container binauthz policy remove-iam-policy-binding --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestationAuthoritiesEditor'To remove an IAM policy binding which expires at the end of the year 2018 for the role of 'roles/binaryauthorization.attestationAuthoritiesEditor' and the user 'test-user@gmail.com' on the current project's Binary Authorization policy, run:
gcloud alpha container binauthz policy remove-iam-policy-binding --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestationAuthoritiesEditor' --condition='expression=request.time <timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,descrip\ tion=Expires at midnight on 2018-12-31'See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.
- REQUIRED FLAGS
-
--member=PRINCIPAL-
The principal to remove the binding for. Should be of the form
user|group|serviceAccount:emailordomain:domain.Examples:
user:test-user@gmail.com,group:admins@example.com,serviceAccount:test123@example.domain.com, ordomain:example.domain.com.Deleted principals have an additional
deleted:prefix and a?uid=UIDsuffix, whereUIDdeleted:user:test-user@gmail.com?uid=123456789012345678901.Some resources also accept the following special values:
-
allUsers- Special identifier that represents anyone who is on the internet, with or without a Google account. -
allAuthenticatedUsers- Special identifier that represents anyone who is authenticated with a Google account or a service account.
-
--role=ROLE- The role to remove the principal from.
- OPTIONAL FLAGS
-
-
At most one of these can be specified:
--all- Remove all bindings with this role and principal, irrespective of any conditions.
--condition=[KEY=VALUE,…]-
The condition of the binding that you want to remove. When the condition is
explicitly specified as
None(--condition=None), a binding without a condition is removed. Otherwise, only a binding with a condition that exactly matches the specified condition (including the optional description) is removed. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overviewWhen using the
--conditionflag, include the following key-value pairs:expression-
(Required) Condition expression that evaluates to True or False. This uses a
subset of Common Expression Language syntax.
If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (
:) as the delimiter, do the following:--condition=^:^title=TITLE:expression=EXPRESSION. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping. title- (Required) A short string describing the purpose of the expression.
description- (Optional) Additional description for the expression.
--condition-from-file=PATH_TO_FILE-
Path to a local JSON or YAML file that defines the condition. To see available
fields, see the help for
--condition. Use a full or relative path to a local file containing the value of condition.
-
At most one of these can be specified:
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - API REFERENCE
-
This command uses the
binaryauthorization/v1alpha2API. The full documentation for this API can be found at: https://cloud.google.com/binary-authorization/ - NOTES
-
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation-only early access
allowlist. These variants are also available:
gcloud container binauthz policy remove-iam-policy-bindinggcloud beta container binauthz policy remove-iam-policy-binding
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-30 UTC.