release_tracks: [ALPHA, BETA, GA]
help_text:
  brief: Add IAM policy binding for a project
  description: |
    Adds a policy binding to the IAM policy of a project, given a
    project ID and the binding. One binding consists of a member, a role, and
    an optional condition.

  examples: |
    To add an IAM policy binding for the role of `roles/editor` for the user
    `test-user@gmail.com` on a project with identifier `example-project-id-1`,
    run:

      $ {command} example-project-id-1 --member='user:test-user@gmail.com' --role='roles/editor'

    To add an IAM policy binding for the role of `roles/editor` to the service
    account `test-proj1@example.domain.com` on a project with identifier `example-project-id-1`,
    run:

      $ {command} example-project-id-1 --member='serviceAccount:test-proj1@example.domain.com' --role='roles/editor'

    To add an IAM policy binding that expires at the end of the year 2021 for
    the role of `roles/browser` and the user `test-user@gmail.com` on a project
    with identifier `example-project-id-1`, run:

      $ {command} example-project-id-1 --member='user:test-user@gmail.com' --role='roles/browser' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2021,description=Expires at midnight on 2021-12-31'

    See https://cloud.google.com/iam/docs/managing-policies for details of
    policy role and member types.

request:
  collection: cloudresourcemanager.projects
  use_relative_name: false

arguments:
  resource:
    help_text: The project to add the IAM policy binding.
    spec: !REF googlecloudsdk.command_lib.projects.resources:project

iam:
  enable_condition: true
  policy_version: 3
  get_iam_policy_version_path: getIamPolicyRequest.options.requestedPolicyVersion