GCP IAM Updates Detected

roles/appengine.serviceAdmin

@@ -17,6 +17,7 @@
     "appengine.versions.get",
     "appengine.versions.list",
     "appengine.versions.update",
+    "artifactregistry.projectsettings.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

roles/appengineflex.serviceAgent

@@ -2,6 +2,10 @@
   "description": "Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.",
   "etag": "AA==",
   "includedPermissions": [
+    "artifactregistry.projectsettings.get",
+    "artifactregistry.repositories.create",
+    "artifactregistry.repositories.get",
+    "artifactregistry.repositories.uploadArtifacts",
     "billing.accounts.get",
     "cloudbuild.builds.create",
     "cloudbuild.builds.get",
@@ -154,6 +158,7 @@
     "resourcemanager.projects.get",
     "resourcemanager.projects.getIamPolicy",
     "resourcemanager.projects.setIamPolicy",
+    "serviceusage.services.enable",
     "storage.buckets.create",
     "storage.buckets.delete",
     "storage.buckets.get",

roles/auditmanager.ccfAdmin

@@ -0,0 +1,20 @@
+{
+  "description": "Full access to Custom Compliance Framework resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "auditmanager.billingSettings.get",
+    "auditmanager.customComplianceFrameworks.create",
+    "auditmanager.customComplianceFrameworks.delete",
+    "auditmanager.customComplianceFrameworks.get",
+    "auditmanager.customComplianceFrameworks.list",
+    "auditmanager.customComplianceFrameworks.update",
+    "auditmanager.locations.get",
+    "auditmanager.locations.list",
+    "auditmanager.operations.get",
+    "auditmanager.operations.list",
+    "resourcemanager.organizations.get"
+  ],
+  "name": "roles/auditmanager.ccfAdmin",
+  "stage": "BETA",
+  "title": "Custom Compliance Framework Admin"
+}

roles/auditmanager.ccfViewer

@@ -0,0 +1,17 @@
+{
+  "description": "Allows viewing Custom Compliance Framework resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "auditmanager.billingSettings.get",
+    "auditmanager.customComplianceFrameworks.get",
+    "auditmanager.customComplianceFrameworks.list",
+    "auditmanager.locations.get",
+    "auditmanager.locations.list",
+    "auditmanager.operations.get",
+    "auditmanager.operations.list",
+    "resourcemanager.organizations.get"
+  ],
+  "name": "roles/auditmanager.ccfViewer",
+  "stage": "BETA",
+  "title": "Custom Compliance Framework Viewer"
+}

roles/backupdr.backupConfigViewer

@@ -0,0 +1,11 @@
+{
+  "description": "Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "backupdr.resourceBackupConfigs.get",
+    "backupdr.resourceBackupConfigs.list"
+  ],
+  "name": "roles/backupdr.backupConfigViewer",
+  "stage": "BETA",
+  "title": "Backup and DR Backup Config Viewer"
+}

roles/bigquerymigration.orchestrator

@@ -2,9 +2,6 @@
   "description": "Orchestrator of EDW migration tasks.",
   "etag": "AA==",
   "includedPermissions": [
-    "bigquerymigration.subtasks.create",
-    "bigquerymigration.taskTypes.orchestrateTask",
-    "bigquerymigration.taskTypes.writeLogs",
     "bigquerymigration.workflows.orchestrateTask",
     "storage.objects.list"
   ],

roles/billing.costsManager

@@ -8,6 +8,10 @@
     "billing.accounts.getUsageExportSpec",
     "billing.accounts.list",
     "billing.accounts.updateUsageExportSpec",
+    "billing.anomalies.get",
+    "billing.anomalies.list",
+    "billing.anomaliesConfigs.get",
+    "billing.anomaliesConfigs.update",
     "billing.budgets.create",
     "billing.budgets.delete",
     "billing.budgets.get",

roles/cloudtpu.serviceAgent

@@ -6,7 +6,15 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "compute.acceleratorTypes.get",
     "compute.acceleratorTypes.list",
     "compute.addresses.create",
@@ -537,6 +545,8 @@
     "compute.regionUrlMaps.validate",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.create",

roles/commerceorggovernance.viewer

@@ -9,6 +9,8 @@
     "commerceorggovernance.populateCollectionJobs.list",
     "commerceorggovernance.services.get",
     "commerceorggovernance.services.list",
+    "consumerprocurement.entitlements.get",
+    "consumerprocurement.entitlements.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

roles/composer.serviceAgent

@@ -25,6 +25,7 @@
     "appengine.versions.get",
     "appengine.versions.list",
     "appengine.versions.update",
+    "artifactregistry.projectsettings.get",
     "artifactregistry.repositories.create",
     "artifactregistry.repositories.delete",
     "artifactregistry.repositories.get",
@@ -34,8 +35,20 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
+    "cloudaicompanion.companions.generateChat",
+    "cloudaicompanion.companions.generateCode",
     "cloudaicompanion.entitlements.get",
+    "cloudaicompanion.instances.completeCode",
+    "cloudaicompanion.instances.generateCode",
     "cloudnotifications.activities.list",
     "cloudsql.backupRuns.create",
     "cloudsql.backupRuns.delete",
@@ -620,6 +633,8 @@
     "compute.regionUrlMaps.validate",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.create",
@@ -1330,6 +1345,11 @@
     "logging.logMetrics.get",
     "logging.logMetrics.list",
     "logging.logMetrics.update",
+    "logging.logScopes.create",
+    "logging.logScopes.delete",
+    "logging.logScopes.get",
+    "logging.logScopes.list",
+    "logging.logScopes.update",
     "logging.logServiceIndexes.list",
     "logging.logServices.list",
     "logging.logs.list",
@@ -1761,12 +1781,14 @@
     "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
+    "storage.buckets.getIpFilter",
     "storage.buckets.getObjectInsights",
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
+    "storage.buckets.setIpFilter",
     "storage.buckets.update",
     "storage.folders.create",
     "storage.folders.delete",

roles/compute.admin

@@ -6,7 +6,15 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "compute.acceleratorTypes.get",
     "compute.acceleratorTypes.list",
     "compute.addresses.create",
@@ -643,6 +651,8 @@
     "compute.regionUrlMaps.validate",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.create",
     "compute.reservations.delete",
     "compute.reservations.get",

roles/container.cloudKmsKeyUser

@@ -6,6 +6,7 @@
     "cloudkms.cryptoKeyVersions.useToSign",
     "cloudkms.cryptoKeyVersions.useToVerify",
     "cloudkms.cryptoKeyVersions.viewPublicKey",
+    "cloudkms.cryptoKeys.get",
     "cloudkms.locations.get",
     "cloudkms.locations.list",
     "resourcemanager.projects.get"

roles/datapipelines.serviceAgent

@@ -82,12 +82,14 @@
     "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
+    "storage.buckets.getIpFilter",
     "storage.buckets.getObjectInsights",
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
+    "storage.buckets.setIpFilter",
     "storage.buckets.update",
     "storage.folders.create",
     "storage.folders.delete",

roles/dataplex.encryptionAdmin

@@ -6,7 +6,9 @@
     "dataplex.encryptionConfig.delete",
     "dataplex.encryptionConfig.get",
     "dataplex.encryptionConfig.list",
-    "dataplex.encryptionConfig.update"
+    "dataplex.encryptionConfig.update",
+    "dataplex.operations.get",
+    "dataplex.operations.list"
   ],
   "name": "roles/dataplex.encryptionAdmin",
   "stage": "BETA",

roles/dataprep.serviceAgent

@@ -28,6 +28,7 @@
     "bigquery.reservationAssignments.search",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.routines.create",
     "bigquery.routines.delete",
     "bigquery.routines.get",
@@ -293,6 +294,8 @@
     "compute.regionUrlMaps.validate",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.get",

roles/dataproc.serverlessEditor

@@ -50,6 +50,6 @@
     "resourcemanager.projects.list"
   ],
   "name": "roles/dataproc.serverlessEditor",
-  "stage": "ALPHA",
+  "stage": "GA",
   "title": "Dataproc serverless session user permissions"
 }

roles/dataproc.serverlessNode

@@ -0,0 +1,17 @@
+{
+  "description": "Node access to Dataproc Serverless sessions. Intended for service accounts.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "dataproc.sessions.sparkApplicationRead",
+    "dataproc.sessions.sparkApplicationWrite",
+    "dataprocrm.nodePools.create",
+    "dataprocrm.nodePools.delete",
+    "dataprocrm.nodePools.deleteNodes",
+    "dataprocrm.nodePools.get",
+    "dataprocrm.nodePools.list",
+    "dataprocrm.nodePools.resize"
+  ],
+  "name": "roles/dataproc.serverlessNode",
+  "stage": "GA",
+  "title": "Dataproc Serverless Node."
+}

roles/dataproc.serviceAgent

@@ -6,7 +6,15 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "compute.acceleratorTypes.get",
     "compute.acceleratorTypes.list",
     "compute.addresses.createInternal",
@@ -198,6 +206,8 @@
     "compute.regionOperations.list",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.list",
@@ -350,12 +360,14 @@
     "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
+    "storage.buckets.getIpFilter",
     "storage.buckets.getObjectInsights",
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
+    "storage.buckets.setIpFilter",
     "storage.buckets.update",
     "storage.folders.create",
     "storage.folders.delete",

roles/discoveryengine.user

@@ -3,9 +3,13 @@
   "etag": "AA==",
   "includedPermissions": [
     "discoveryengine.answers.get",
+    "discoveryengine.completionConfigs.completeQuery",
     "discoveryengine.servingConfigs.answer",
     "discoveryengine.servingConfigs.search",
-    "discoveryengine.sessions.get"
+    "discoveryengine.sessions.delete",
+    "discoveryengine.sessions.get",
+    "discoveryengine.sessions.list",
+    "discoveryengine.sessions.update"
   ],
   "name": "roles/discoveryengine.user",
   "stage": "BETA",

roles/firebase.developAdmin

@@ -442,12 +442,14 @@
     "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
+    "storage.buckets.getIpFilter",
     "storage.buckets.getObjectInsights",
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
+    "storage.buckets.setIpFilter",
     "storage.buckets.update",
     "storage.folders.create",
     "storage.folders.delete",

roles/firebasecrashlytics.serviceAgent

@@ -0,0 +1,17 @@
+{
+  "description": "Access to BigQuery export for Crashlytics",
+  "etag": "AA==",
+  "includedPermissions": [
+    "bigquery.datasets.create",
+    "bigquery.datasets.get",
+    "bigquery.tables.create",
+    "bigquery.tables.get",
+    "bigquery.tables.getData",
+    "bigquery.tables.update",
+    "bigquery.tables.updateData",
+    "serviceusage.services.use"
+  ],
+  "name": "roles/firebasecrashlytics.serviceAgent",
+  "stage": "GA",
+  "title": "Firebase Crashlytics Service Agent"
+}

roles/gkehub.admin

@@ -23,6 +23,11 @@
     "gkehub.membershipbindings.get",
     "gkehub.membershipbindings.list",
     "gkehub.membershipbindings.update",
+    "gkehub.membershipfeatures.create",
+    "gkehub.membershipfeatures.delete",
+    "gkehub.membershipfeatures.get",
+    "gkehub.membershipfeatures.list",
+    "gkehub.membershipfeatures.update",
     "gkehub.memberships.create",
     "gkehub.memberships.delete",
     "gkehub.memberships.generateConnectManifest",