From 81034da10c646038dfcd899b525cfa5b3b670fd4 Mon Sep 17 00:00:00 2001 
From: jdyke
Date: Sat, 14 Dec 2024 12:44:14 +0000
Subject: [PATCH] GCP IAM Updates Detected
---
 roles/appengine.serviceAdmin | 1 +
 roles/appengineflex.serviceAgent | 5 +++
 roles/auditmanager.ccfAdmin | 20 +++++++++
 roles/auditmanager.ccfViewer | 17 ++++++++
 roles/backupdr.backupConfigViewer | 11 +++++
 roles/bigquerymigration.orchestrator | 3 --
 roles/billing.costsManager | 4 ++
 roles/cloudtpu.serviceAgent | 10 +++++
 roles/commerceorggovernance.viewer | 2 +
 roles/composer.serviceAgent | 22 ++++++++++
 roles/compute.admin | 10 +++++
 roles/container.cloudKmsKeyUser | 1 +
 roles/datapipelines.serviceAgent | 2 +
 roles/dataplex.encryptionAdmin | 4 +-
 roles/dataprep.serviceAgent | 3 ++
 roles/dataproc.serverlessEditor | 2 +-
 roles/dataproc.serverlessNode | 17 ++++++++
 roles/dataproc.serviceAgent | 12 ++++++
 roles/discoveryengine.user | 6 ++-
 roles/firebase.developAdmin | 2 +
 roles/firebasecrashlytics.serviceAgent | 17 ++++++++
 roles/gkehub.admin | 5 +++
 roles/gkemulticloud.serviceAgent | 5 +++
 roles/healthcare.fhirStoreAdmin | 2 +
 roles/ml.serviceAgent | 2 +
 roles/notebooks.serviceAgent | 10 +++++
 roles/observability.editor | 5 +++
 roles/oracledatabase.autonomousDatabaseViewer | 1 -
 roles/oracledatabase.viewer | 1 -
 roles/orgpolicy.policyAdmin | 8 +++-
 roles/parametermanager.admin | 15 ++++++-
 roles/parametermanager.parameterVersionAdder | 7 ++-
 ...ommender.firestoredatabasereliabilityAdmin | 2 +-
 ...mmender.firestoredatabasereliabilityViewer | 2 +-
 roles/recommender.orgPolicyAdmin | 19 ++++++++
 roles/recommender.orgPolicyViewer | 17 ++++++++
 roles/recommender.spannerViewer | 6 ++-
 roles/resourcemanager.tagUser | 6 ++-
 roles/resourcemanager.tagViewer | 4 +-
 roles/run.jobsExecutorWithOverrides | 2 +-
 roles/run.sourceDeveloper | 28 ++++++++++++
 roles/telcoautomation.admin | 2 +
 roles/telcoautomation.opsAdminTier4 | 2 +
 roles/tpu.admin | 1 +
 roles/viewer | 43 +++++++++++++++++--
 45 files changed, 346 insertions(+), 20 deletions(-)
 create mode 100644 roles/auditmanager.ccfAdmin
 create mode 100644 roles/auditmanager.ccfViewer
 create mode 100644 roles/backupdr.backupConfigViewer
 create mode 100644 roles/firebasecrashlytics.serviceAgent
 create mode 100644 roles/recommender.orgPolicyAdmin
 create mode 100644 roles/recommender.orgPolicyViewer
diff --git a/roles/appengine.serviceAdmin b/roles/appengine.serviceAdmin
index 5a584fea..c8d2838b 100644
--- a/roles/appengine.serviceAdmin
+++ b/roles/appengine.serviceAdmin
@@ -17,6 +17,7 @@
 "appengine.versions.get",
 "appengine.versions.list",
 "appengine.versions.update",
+ "artifactregistry.projectsettings.get",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/appengineflex.serviceAgent b/roles/appengineflex.serviceAgent
index 4a9582f1..faf5123f 100644
--- a/roles/appengineflex.serviceAgent
+++ b/roles/appengineflex.serviceAgent
@@ -2,6 +2,10 @@
 "description": "Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.",
 "etag": "AA==",
 "includedPermissions": [
+ "artifactregistry.projectsettings.get",
+ "artifactregistry.repositories.create",
+ "artifactregistry.repositories.get",
+ "artifactregistry.repositories.uploadArtifacts",
 "billing.accounts.get",
 "cloudbuild.builds.create",
 "cloudbuild.builds.get",
@@ -154,6 +158,7 @@
 "resourcemanager.projects.get",
 "resourcemanager.projects.getIamPolicy",
 "resourcemanager.projects.setIamPolicy",
+ "serviceusage.services.enable",
 "storage.buckets.create",
 "storage.buckets.delete",
 "storage.buckets.get",
diff --git a/roles/auditmanager.ccfAdmin b/roles/auditmanager.ccfAdmin
new file mode 100644
index 00000000..8c781090
--- /dev/null
+++ b/roles/auditmanager.ccfAdmin
@@ -0,0 +1,20 @@
+{
+ "description": "Full access to Custom Compliance Framework resources.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "auditmanager.billingSettings.get",
+ "auditmanager.customComplianceFrameworks.create",
+ "auditmanager.customComplianceFrameworks.delete",
+ "auditmanager.customComplianceFrameworks.get",
+ "auditmanager.customComplianceFrameworks.list",
+ "auditmanager.customComplianceFrameworks.update",
+ "auditmanager.locations.get",
+ "auditmanager.locations.list",
+ "auditmanager.operations.get",
+ "auditmanager.operations.list",
+ "resourcemanager.organizations.get"
+ ],
+ "name": "roles/auditmanager.ccfAdmin",
+ "stage": "BETA",
+ "title": "Custom Compliance Framework Admin"
+}
diff --git a/roles/auditmanager.ccfViewer b/roles/auditmanager.ccfViewer
new file mode 100644
index 00000000..16803949
--- /dev/null
+++ b/roles/auditmanager.ccfViewer
@@ -0,0 +1,17 @@
+{
+ "description": "Allows viewing Custom Compliance Framework resources.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "auditmanager.billingSettings.get",
+ "auditmanager.customComplianceFrameworks.get",
+ "auditmanager.customComplianceFrameworks.list",
+ "auditmanager.locations.get",
+ "auditmanager.locations.list",
+ "auditmanager.operations.get",
+ "auditmanager.operations.list",
+ "resourcemanager.organizations.get"
+ ],
+ "name": "roles/auditmanager.ccfViewer",
+ "stage": "BETA",
+ "title": "Custom Compliance Framework Viewer"
+}
diff --git a/roles/backupdr.backupConfigViewer b/roles/backupdr.backupConfigViewer
new file mode 100644
index 00000000..d02b2f71
--- /dev/null
+++ b/roles/backupdr.backupConfigViewer
@@ -0,0 +1,11 @@
+{
+ "description": "Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "backupdr.resourceBackupConfigs.get",
+ "backupdr.resourceBackupConfigs.list"
+ ],
+ "name": "roles/backupdr.backupConfigViewer",
+ "stage": "BETA",
+ "title": "Backup and DR Backup Config Viewer"
+}
diff --git a/roles/bigquerymigration.orchestrator b/roles/bigquerymigration.orchestrator
index 792383dc..5053d284 100644
--- a/roles/bigquerymigration.orchestrator
+++ b/roles/bigquerymigration.orchestrator
@@ -2,9 +2,6 @@
 "description": "Orchestrator of EDW migration tasks.",
 "etag": "AA==",
 "includedPermissions": [
- "bigquerymigration.subtasks.create",
- "bigquerymigration.taskTypes.orchestrateTask",
- "bigquerymigration.taskTypes.writeLogs",
 "bigquerymigration.workflows.orchestrateTask",
 "storage.objects.list"
 ],
diff --git a/roles/billing.costsManager b/roles/billing.costsManager
index 50887f67..e8f3f40a 100644
--- a/roles/billing.costsManager
+++ b/roles/billing.costsManager
@@ -8,6 +8,10 @@
 "billing.accounts.getUsageExportSpec",
 "billing.accounts.list",
 "billing.accounts.updateUsageExportSpec",
+ "billing.anomalies.get",
+ "billing.anomalies.list",
+ "billing.anomaliesConfigs.get",
+ "billing.anomaliesConfigs.update",
 "billing.budgets.create",
 "billing.budgets.delete",
 "billing.budgets.get",
diff --git a/roles/cloudtpu.serviceAgent b/roles/cloudtpu.serviceAgent
index 0081c54c..507288aa 100644
--- a/roles/cloudtpu.serviceAgent
+++ b/roles/cloudtpu.serviceAgent
@@ -6,7 +6,15 @@
 "backupdr.backupPlanAssociations.deleteForComputeInstance",
 "backupdr.backupPlanAssociations.list",
 "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+ "backupdr.backupPlans.get",
+ "backupdr.backupPlans.list",
 "backupdr.backupPlans.useForComputeInstance",
+ "backupdr.backupVaults.get",
+ "backupdr.backupVaults.list",
+ "backupdr.locations.list",
+ "backupdr.operations.get",
+ "backupdr.operations.list",
+ "backupdr.serviceConfig.initialize",
 "compute.acceleratorTypes.get",
 "compute.acceleratorTypes.list",
 "compute.addresses.create",
@@ -537,6 +545,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.create",
diff --git a/roles/commerceorggovernance.viewer b/roles/commerceorggovernance.viewer
index 09d65d54..ea8270df 100644
--- a/roles/commerceorggovernance.viewer
+++ b/roles/commerceorggovernance.viewer
@@ -9,6 +9,8 @@
 "commerceorggovernance.populateCollectionJobs.list",
 "commerceorggovernance.services.get",
 "commerceorggovernance.services.list",
+ "consumerprocurement.entitlements.get",
+ "consumerprocurement.entitlements.list",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/composer.serviceAgent b/roles/composer.serviceAgent
index 704a9eca..94563850 100644
--- a/roles/composer.serviceAgent
+++ b/roles/composer.serviceAgent
@@ -25,6 +25,7 @@
 "appengine.versions.get",
 "appengine.versions.list",
 "appengine.versions.update",
+ "artifactregistry.projectsettings.get",
 "artifactregistry.repositories.create",
 "artifactregistry.repositories.delete",
 "artifactregistry.repositories.get",
@@ -34,8 +35,20 @@
 "backupdr.backupPlanAssociations.deleteForComputeInstance",
 "backupdr.backupPlanAssociations.list",
 "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+ "backupdr.backupPlans.get",
+ "backupdr.backupPlans.list",
 "backupdr.backupPlans.useForComputeInstance",
+ "backupdr.backupVaults.get",
+ "backupdr.backupVaults.list",
+ "backupdr.locations.list",
+ "backupdr.operations.get",
+ "backupdr.operations.list",
+ "backupdr.serviceConfig.initialize",
+ "cloudaicompanion.companions.generateChat",
+ "cloudaicompanion.companions.generateCode",
 "cloudaicompanion.entitlements.get",
+ "cloudaicompanion.instances.completeCode",
+ "cloudaicompanion.instances.generateCode",
 "cloudnotifications.activities.list",
 "cloudsql.backupRuns.create",
 "cloudsql.backupRuns.delete",
@@ -620,6 +633,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.create",
@@ -1330,6 +1345,11 @@
 "logging.logMetrics.get",
 "logging.logMetrics.list",
 "logging.logMetrics.update",
+ "logging.logScopes.create",
+ "logging.logScopes.delete",
+ "logging.logScopes.get",
+ "logging.logScopes.list",
+ "logging.logScopes.update",
 "logging.logServiceIndexes.list",
 "logging.logServices.list",
 "logging.logs.list",
@@ -1761,12 +1781,14 @@
 "storage.buckets.enableObjectRetention",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
+ "storage.buckets.getIpFilter",
 "storage.buckets.getObjectInsights",
 "storage.buckets.list",
 "storage.buckets.listEffectiveTags",
 "storage.buckets.listTagBindings",
 "storage.buckets.restore",
 "storage.buckets.setIamPolicy",
+ "storage.buckets.setIpFilter",
 "storage.buckets.update",
 "storage.folders.create",
 "storage.folders.delete",
diff --git a/roles/compute.admin b/roles/compute.admin
index 6cfa4db2..1057ebbc 100644
--- a/roles/compute.admin
+++ b/roles/compute.admin
@@ -6,7 +6,15 @@
 "backupdr.backupPlanAssociations.deleteForComputeInstance",
 "backupdr.backupPlanAssociations.list",
 "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+ "backupdr.backupPlans.get",
+ "backupdr.backupPlans.list",
 "backupdr.backupPlans.useForComputeInstance",
+ "backupdr.backupVaults.get",
+ "backupdr.backupVaults.list",
+ "backupdr.locations.list",
+ "backupdr.operations.get",
+ "backupdr.operations.list",
+ "backupdr.serviceConfig.initialize",
 "compute.acceleratorTypes.get",
 "compute.acceleratorTypes.list",
 "compute.addresses.create",
@@ -643,6 +651,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.create",
 "compute.reservations.delete",
 "compute.reservations.get",
diff --git a/roles/container.cloudKmsKeyUser b/roles/container.cloudKmsKeyUser
index db9321bf..24359c46 100644
--- a/roles/container.cloudKmsKeyUser
+++ b/roles/container.cloudKmsKeyUser
@@ -6,6 +6,7 @@
 "cloudkms.cryptoKeyVersions.useToSign",
 "cloudkms.cryptoKeyVersions.useToVerify",
 "cloudkms.cryptoKeyVersions.viewPublicKey",
+ "cloudkms.cryptoKeys.get",
 "cloudkms.locations.get",
 "cloudkms.locations.list",
 "resourcemanager.projects.get"
diff --git a/roles/datapipelines.serviceAgent b/roles/datapipelines.serviceAgent
index ab32db52..4bb6857b 100644
--- a/roles/datapipelines.serviceAgent
+++ b/roles/datapipelines.serviceAgent
@@ -82,12 +82,14 @@
 "storage.buckets.enableObjectRetention",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
+ "storage.buckets.getIpFilter",
 "storage.buckets.getObjectInsights",
 "storage.buckets.list",
 "storage.buckets.listEffectiveTags",
 "storage.buckets.listTagBindings",
 "storage.buckets.restore",
 "storage.buckets.setIamPolicy",
+ "storage.buckets.setIpFilter",
 "storage.buckets.update",
 "storage.folders.create",
 "storage.folders.delete",
diff --git a/roles/dataplex.encryptionAdmin b/roles/dataplex.encryptionAdmin
index eb49f597..abc2f6e7 100644
--- a/roles/dataplex.encryptionAdmin
+++ b/roles/dataplex.encryptionAdmin
@@ -6,7 +6,9 @@
 "dataplex.encryptionConfig.delete",
 "dataplex.encryptionConfig.get",
 "dataplex.encryptionConfig.list",
- "dataplex.encryptionConfig.update"
+ "dataplex.encryptionConfig.update",
+ "dataplex.operations.get",
+ "dataplex.operations.list"
 ],
 "name": "roles/dataplex.encryptionAdmin",
 "stage": "BETA",
diff --git a/roles/dataprep.serviceAgent b/roles/dataprep.serviceAgent
index b044e446..63b35c29 100644
--- a/roles/dataprep.serviceAgent
+++ b/roles/dataprep.serviceAgent
@@ -28,6 +28,7 @@
 "bigquery.reservationAssignments.search",
 "bigquery.reservations.get",
 "bigquery.reservations.list",
+ "bigquery.reservations.listFailoverDatasets",
 "bigquery.routines.create",
 "bigquery.routines.delete",
 "bigquery.routines.get",
@@ -293,6 +294,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.get",
diff --git a/roles/dataproc.serverlessEditor b/roles/dataproc.serverlessEditor
index e0d4436d..857a52ac 100644
--- a/roles/dataproc.serverlessEditor
+++ b/roles/dataproc.serverlessEditor
@@ -50,6 +50,6 @@
 "resourcemanager.projects.list"
 ],
 "name": "roles/dataproc.serverlessEditor",
- "stage": "ALPHA",
+ "stage": "GA",
 "title": "Dataproc serverless session user permissions"
 }
diff --git a/roles/dataproc.serverlessNode b/roles/dataproc.serverlessNode
index e69de29b..eb26d199 100644
--- a/roles/dataproc.serverlessNode
+++ b/roles/dataproc.serverlessNode
@@ -0,0 +1,17 @@
+{
+ "description": "Node access to Dataproc Serverless sessions. Intended for service accounts.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "dataproc.sessions.sparkApplicationRead",
+ "dataproc.sessions.sparkApplicationWrite",
+ "dataprocrm.nodePools.create",
+ "dataprocrm.nodePools.delete",
+ "dataprocrm.nodePools.deleteNodes",
+ "dataprocrm.nodePools.get",
+ "dataprocrm.nodePools.list",
+ "dataprocrm.nodePools.resize"
+ ],
+ "name": "roles/dataproc.serverlessNode",
+ "stage": "GA",
+ "title": "Dataproc Serverless Node."
+}
diff --git a/roles/dataproc.serviceAgent b/roles/dataproc.serviceAgent
index 36ed1e02..d50b9b8f 100644
--- a/roles/dataproc.serviceAgent
+++ b/roles/dataproc.serviceAgent
@@ -6,7 +6,15 @@
 "backupdr.backupPlanAssociations.deleteForComputeInstance",
 "backupdr.backupPlanAssociations.list",
 "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+ "backupdr.backupPlans.get",
+ "backupdr.backupPlans.list",
 "backupdr.backupPlans.useForComputeInstance",
+ "backupdr.backupVaults.get",
+ "backupdr.backupVaults.list",
+ "backupdr.locations.list",
+ "backupdr.operations.get",
+ "backupdr.operations.list",
+ "backupdr.serviceConfig.initialize",
 "compute.acceleratorTypes.get",
 "compute.acceleratorTypes.list",
 "compute.addresses.createInternal",
@@ -198,6 +206,8 @@
 "compute.regionOperations.list",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.list",
@@ -350,12 +360,14 @@
 "storage.buckets.enableObjectRetention",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
+ "storage.buckets.getIpFilter",
 "storage.buckets.getObjectInsights",
 "storage.buckets.list",
 "storage.buckets.listEffectiveTags",
 "storage.buckets.listTagBindings",
 "storage.buckets.restore",
 "storage.buckets.setIamPolicy",
+ "storage.buckets.setIpFilter",
 "storage.buckets.update",
 "storage.folders.create",
 "storage.folders.delete",
diff --git a/roles/discoveryengine.user b/roles/discoveryengine.user
index 25e3578d..d4178a2b 100644
--- a/roles/discoveryengine.user
+++ b/roles/discoveryengine.user
@@ -3,9 +3,13 @@
 "etag": "AA==",
 "includedPermissions": [
 "discoveryengine.answers.get",
+ "discoveryengine.completionConfigs.completeQuery",
 "discoveryengine.servingConfigs.answer",
 "discoveryengine.servingConfigs.search",
- "discoveryengine.sessions.get"
+ "discoveryengine.sessions.delete",
+ "discoveryengine.sessions.get",
+ "discoveryengine.sessions.list",
+ "discoveryengine.sessions.update"
 ],
 "name": "roles/discoveryengine.user",
 "stage": "BETA",
diff --git a/roles/firebase.developAdmin b/roles/firebase.developAdmin
index 4549668e..3ba0cb45 100644
--- a/roles/firebase.developAdmin
+++ b/roles/firebase.developAdmin
@@ -442,12 +442,14 @@
 "storage.buckets.enableObjectRetention",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
+ "storage.buckets.getIpFilter",
 "storage.buckets.getObjectInsights",
 "storage.buckets.list",
 "storage.buckets.listEffectiveTags",
 "storage.buckets.listTagBindings",
 "storage.buckets.restore",
 "storage.buckets.setIamPolicy",
+ "storage.buckets.setIpFilter",
 "storage.buckets.update",
 "storage.folders.create",
 "storage.folders.delete",
diff --git a/roles/firebasecrashlytics.serviceAgent b/roles/firebasecrashlytics.serviceAgent
new file mode 100644
index 00000000..9e01e28b
--- /dev/null
+++ b/roles/firebasecrashlytics.serviceAgent
@@ -0,0 +1,17 @@
+{
+ "description": "Access to BigQuery export for Crashlytics",
+ "etag": "AA==",
+ "includedPermissions": [
+ "bigquery.datasets.create",
+ "bigquery.datasets.get",
+ "bigquery.tables.create",
+ "bigquery.tables.get",
+ "bigquery.tables.getData",
+ "bigquery.tables.update",
+ "bigquery.tables.updateData",
+ "serviceusage.services.use"
+ ],
+ "name": "roles/firebasecrashlytics.serviceAgent",
+ "stage": "GA",
+ "title": "Firebase Crashlytics Service Agent"
+}
diff --git a/roles/gkehub.admin b/roles/gkehub.admin
index 43216feb..f2df1c16 100644
--- a/roles/gkehub.admin
+++ b/roles/gkehub.admin
@@ -23,6 +23,11 @@
 "gkehub.membershipbindings.get",
 "gkehub.membershipbindings.list",
 "gkehub.membershipbindings.update",
+ "gkehub.membershipfeatures.create",
+ "gkehub.membershipfeatures.delete",
+ "gkehub.membershipfeatures.get",
+ "gkehub.membershipfeatures.list",
+ "gkehub.membershipfeatures.update",
 "gkehub.memberships.create",
 "gkehub.memberships.delete",
 "gkehub.memberships.generateConnectManifest",
diff --git a/roles/gkemulticloud.serviceAgent b/roles/gkemulticloud.serviceAgent
index 103fe9f3..9e38aaa2 100644
--- a/roles/gkemulticloud.serviceAgent
+++ b/roles/gkemulticloud.serviceAgent
@@ -23,6 +23,11 @@
 "gkehub.membershipbindings.get",
 "gkehub.membershipbindings.list",
 "gkehub.membershipbindings.update",
+ "gkehub.membershipfeatures.create",
+ "gkehub.membershipfeatures.delete",
+ "gkehub.membershipfeatures.get",
+ "gkehub.membershipfeatures.list",
+ "gkehub.membershipfeatures.update",
 "gkehub.memberships.create",
 "gkehub.memberships.delete",
 "gkehub.memberships.generateConnectManifest",
diff --git a/roles/healthcare.fhirStoreAdmin b/roles/healthcare.fhirStoreAdmin
index ff2b75da..6aee2e5d 100644
--- a/roles/healthcare.fhirStoreAdmin
+++ b/roles/healthcare.fhirStoreAdmin
@@ -10,9 +10,11 @@
 "healthcare.fhirStores.create",
 "healthcare.fhirStores.deidentify",
 "healthcare.fhirStores.delete",
+ "healthcare.fhirStores.deleteFhirOperation",
 "healthcare.fhirStores.explainDataAccess",
 "healthcare.fhirStores.export",
 "healthcare.fhirStores.get",
+ "healthcare.fhirStores.getFhirOperation",
 "healthcare.fhirStores.getIamPolicy",
 "healthcare.fhirStores.import",
 "healthcare.fhirStores.list",
diff --git a/roles/ml.serviceAgent b/roles/ml.serviceAgent
index e28aefd6..4be71244 100644
--- a/roles/ml.serviceAgent
+++ b/roles/ml.serviceAgent
@@ -86,12 +86,14 @@
 "storage.buckets.enableObjectRetention",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
+ "storage.buckets.getIpFilter",
 "storage.buckets.getObjectInsights",
 "storage.buckets.list",
 "storage.buckets.listEffectiveTags",
 "storage.buckets.listTagBindings",
 "storage.buckets.restore",
 "storage.buckets.setIamPolicy",
+ "storage.buckets.setIpFilter",
 "storage.buckets.update",
 "storage.folders.create",
 "storage.folders.delete",
diff --git a/roles/notebooks.serviceAgent b/roles/notebooks.serviceAgent
index 390654d0..f1f8d132 100644
--- a/roles/notebooks.serviceAgent
+++ b/roles/notebooks.serviceAgent
@@ -21,7 +21,15 @@
 "backupdr.backupPlanAssociations.deleteForComputeInstance",
 "backupdr.backupPlanAssociations.list",
 "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+ "backupdr.backupPlans.get",
+ "backupdr.backupPlans.list",
 "backupdr.backupPlans.useForComputeInstance",
+ "backupdr.backupVaults.get",
+ "backupdr.backupVaults.list",
+ "backupdr.locations.list",
+ "backupdr.operations.get",
+ "backupdr.operations.list",
+ "backupdr.serviceConfig.initialize",
 "compute.acceleratorTypes.get",
 "compute.acceleratorTypes.list",
 "compute.addresses.createInternal",
@@ -392,6 +400,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.create",
diff --git a/roles/observability.editor b/roles/observability.editor
index 83375ee4..179f46f8 100644
--- a/roles/observability.editor
+++ b/roles/observability.editor
@@ -2,6 +2,11 @@
 "description": "Edit access to Observability resources.",
 "etag": "AA==",
 "includedPermissions": [
+ "observability.analyticsViews.create",
+ "observability.analyticsViews.delete",
+ "observability.analyticsViews.get",
+ "observability.analyticsViews.list",
+ "observability.analyticsViews.update",
 "observability.scopes.get",
 "observability.scopes.update"
 ],
diff --git a/roles/oracledatabase.autonomousDatabaseViewer b/roles/oracledatabase.autonomousDatabaseViewer
index e8b2b2fe..a11107da 100644
--- a/roles/oracledatabase.autonomousDatabaseViewer
+++ b/roles/oracledatabase.autonomousDatabaseViewer
@@ -5,7 +5,6 @@
 "oracledatabase.autonomousDatabaseBackups.get",
 "oracledatabase.autonomousDatabaseBackups.list",
 "oracledatabase.autonomousDatabaseCharacterSets.list",
- "oracledatabase.autonomousDatabases.generateWallet",
 "oracledatabase.autonomousDatabases.get",
 "oracledatabase.autonomousDatabases.list",
 "oracledatabase.autonomousDbVersions.list",
diff --git a/roles/oracledatabase.viewer b/roles/oracledatabase.viewer
index f0e9f0cc..62ae3b43 100644
--- a/roles/oracledatabase.viewer
+++ b/roles/oracledatabase.viewer
@@ -5,7 +5,6 @@
 "oracledatabase.autonomousDatabaseBackups.get",
 "oracledatabase.autonomousDatabaseBackups.list",
 "oracledatabase.autonomousDatabaseCharacterSets.list",
- "oracledatabase.autonomousDatabases.generateWallet",
 "oracledatabase.autonomousDatabases.get",
 "oracledatabase.autonomousDatabases.list",
 "oracledatabase.autonomousDbVersions.list",
diff --git a/roles/orgpolicy.policyAdmin b/roles/orgpolicy.policyAdmin
index 4a9378e7..fb799e99 100644
--- a/roles/orgpolicy.policyAdmin
+++ b/roles/orgpolicy.policyAdmin
@@ -17,7 +17,13 @@
 "policysimulator.orgPolicyViolations.list",
 "policysimulator.orgPolicyViolationsPreviews.create",
 "policysimulator.orgPolicyViolationsPreviews.get",
- "policysimulator.orgPolicyViolationsPreviews.list"
+ "policysimulator.orgPolicyViolationsPreviews.list",
+ "recommender.orgPolicyInsights.get",
+ "recommender.orgPolicyInsights.list",
+ "recommender.orgPolicyInsights.update",
+ "recommender.orgPolicyRecommendations.get",
+ "recommender.orgPolicyRecommendations.list",
+ "recommender.orgPolicyRecommendations.update"
 ],
 "name": "roles/orgpolicy.policyAdmin",
 "stage": "GA",
diff --git a/roles/parametermanager.admin b/roles/parametermanager.admin
index 2b5b55f2..767ffc99 100644
--- a/roles/parametermanager.admin
+++ b/roles/parametermanager.admin
@@ -2,10 +2,23 @@
 "description": "Grants full access to all Parameter Manager resources. Intended for project admins & owners who need to perform all administrative tasks.",
 "etag": "AA==",
 "includedPermissions": [
+ "parametermanager.locations.get",
+ "parametermanager.locations.list",
+ "parametermanager.parameterVersions.create",
+ "parametermanager.parameterVersions.delete",
+ "parametermanager.parameterVersions.get",
+ "parametermanager.parameterVersions.list",
+ "parametermanager.parameterVersions.render",
+ "parametermanager.parameterVersions.update",
+ "parametermanager.parameters.create",
+ "parametermanager.parameters.delete",
+ "parametermanager.parameters.get",
+ "parametermanager.parameters.list",
+ "parametermanager.parameters.update",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
 "name": "roles/parametermanager.admin",
- "stage": "ALPHA",
+ "stage": "BETA",
 "title": "Parameter Manager Admin"
 }
diff --git a/roles/parametermanager.parameterVersionAdder b/roles/parametermanager.parameterVersionAdder
index 7a941ea2..886b9efc 100644
--- a/roles/parametermanager.parameterVersionAdder
+++ b/roles/parametermanager.parameterVersionAdder
@@ -2,10 +2,15 @@
 "description": "Grants create access to Parameter Manager ParameterVersion resources. Intended for users & applications that need to perform create operations on ParameterVersions only.",
 "etag": "AA==",
 "includedPermissions": [
+ "parametermanager.locations.get",
+ "parametermanager.locations.list",
+ "parametermanager.parameterVersions.create",
+ "parametermanager.parameters.get",
+ "parametermanager.parameters.list",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
 "name": "roles/parametermanager.parameterVersionAdder",
- "stage": "ALPHA",
+ "stage": "BETA",
 "title": "Parameter Manager Parameter Version Adder"
 }
diff --git a/roles/recommender.firestoredatabasereliabilityAdmin b/roles/recommender.firestoredatabasereliabilityAdmin
index c61d8c0d..fe633ca0 100644
--- a/roles/recommender.firestoredatabasereliabilityAdmin
+++ b/roles/recommender.firestoredatabasereliabilityAdmin
@@ -14,6 +14,6 @@
 "resourcemanager.projects.list"
 ],
 "name": "roles/recommender.firestoredatabasereliabilityAdmin",
- "stage": "BETA",
+ "stage": "GA",
 "title": "Firestore Database Reliability Recommender Admin"
 }
diff --git a/roles/recommender.firestoredatabasereliabilityViewer b/roles/recommender.firestoredatabasereliabilityViewer
index 49a7d95d..94452d06 100644
--- a/roles/recommender.firestoredatabasereliabilityViewer
+++ b/roles/recommender.firestoredatabasereliabilityViewer
@@ -12,6 +12,6 @@
 "resourcemanager.projects.list"
 ],
 "name": "roles/recommender.firestoredatabasereliabilityViewer",
- "stage": "BETA",
+ "stage": "GA",
 "title": "Firestore Database Reliability Recommender Viewer"
 }
diff --git a/roles/recommender.orgPolicyAdmin b/roles/recommender.orgPolicyAdmin
new file mode 100644
index 00000000..d7ceab2f
--- /dev/null
+++ b/roles/recommender.orgPolicyAdmin
@@ -0,0 +1,19 @@
+{
+ "description": "Admin of Org Policy Insights and Recommendations.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "recommender.locations.get",
+ "recommender.locations.list",
+ "recommender.orgPolicyInsights.get",
+ "recommender.orgPolicyInsights.list",
+ "recommender.orgPolicyInsights.update",
+ "recommender.orgPolicyRecommendations.get",
+ "recommender.orgPolicyRecommendations.list",
+ "recommender.orgPolicyRecommendations.update",
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "roles/recommender.orgPolicyAdmin",
+ "stage": "BETA",
+ "title": "Org Policy Recommender Admin"
+}
diff --git a/roles/recommender.orgPolicyViewer b/roles/recommender.orgPolicyViewer
new file mode 100644
index 00000000..76ab9433
--- /dev/null
+++ b/roles/recommender.orgPolicyViewer
@@ -0,0 +1,17 @@
+{
+ "description": "Viewer of Org Policy Insights and Recommendations.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "recommender.locations.get",
+ "recommender.locations.list",
+ "recommender.orgPolicyInsights.get",
+ "recommender.orgPolicyInsights.list",
+ "recommender.orgPolicyRecommendations.get",
+ "recommender.orgPolicyRecommendations.list",
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "roles/recommender.orgPolicyViewer",
+ "stage": "BETA",
+ "title": "Org Policy Recommender Viewer"
+}
diff --git a/roles/recommender.spannerViewer b/roles/recommender.spannerViewer
index 6e806573..b3aece7c 100644
--- a/roles/recommender.spannerViewer
+++ b/roles/recommender.spannerViewer
@@ -4,10 +4,14 @@
 "includedPermissions": [
 "recommender.locations.get",
 "recommender.locations.list",
+ "recommender.spannerProjectReliabilityInsights.get",
+ "recommender.spannerProjectReliabilityInsights.list",
+ "recommender.spannerProjectReliabilityRecommendations.get",
+ "recommender.spannerProjectReliabilityRecommendations.list",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
 "name": "roles/recommender.spannerViewer",
- "stage": "ALPHA",
+ "stage": "BETA",
 "title": "Spanner Project Reliability Recommender Viewer"
 }
diff --git a/roles/resourcemanager.tagUser b/roles/resourcemanager.tagUser
index c17bfbe4..ba07356e 100644
--- a/roles/resourcemanager.tagUser
+++ b/roles/resourcemanager.tagUser
@@ -356,7 +356,11 @@
 "storage.buckets.createTagBinding",
 "storage.buckets.deleteTagBinding",
 "storage.buckets.listEffectiveTags",
- "storage.buckets.listTagBindings"
+ "storage.buckets.listTagBindings",
+ "workflows.workflows.createTagBinding",
+ "workflows.workflows.deleteTagBinding",
+ "workflows.workflows.listEffectiveTags",
+ "workflows.workflows.listTagBindings"
 ],
 "name": "roles/resourcemanager.tagUser",
 "stage": "GA",
diff --git a/roles/resourcemanager.tagViewer b/roles/resourcemanager.tagViewer
index f10862f1..f919357e 100644
--- a/roles/resourcemanager.tagViewer
+++ b/roles/resourcemanager.tagViewer
@@ -180,7 +180,9 @@
 "spanner.instances.listEffectiveTags",
 "spanner.instances.listTagBindings",
 "storage.buckets.listEffectiveTags",
- "storage.buckets.listTagBindings"
+ "storage.buckets.listTagBindings",
+ "workflows.workflows.listEffectiveTags",
+ "workflows.workflows.listTagBindings"
 ],
 "name": "roles/resourcemanager.tagViewer",
 "stage": "GA",
diff --git a/roles/run.jobsExecutorWithOverrides b/roles/run.jobsExecutorWithOverrides
index 21c3505d..60cbc7d3 100644
--- a/roles/run.jobsExecutorWithOverrides
+++ b/roles/run.jobsExecutorWithOverrides
@@ -1,5 +1,5 @@
 {
- "description": "Can excute and cancel Cloud Run jobs with overrides.",
+ "description": "Can execute and cancel Cloud Run jobs with overrides.",
 "etag": "AA==",
 "includedPermissions": [
 "run.executions.cancel",
diff --git a/roles/run.sourceDeveloper b/roles/run.sourceDeveloper
index ba69d0f2..5bef6a75 100644
--- a/roles/run.sourceDeveloper
+++ b/roles/run.sourceDeveloper
@@ -2,9 +2,37 @@
 "description": "Deploy and manage Cloud Run source deployed resources.",
 "etag": "AA==",
 "includedPermissions": [
+ "artifactregistry.attachments.get",
+ "artifactregistry.attachments.list",
+ "artifactregistry.dockerimages.get",
+ "artifactregistry.dockerimages.list",
+ "artifactregistry.files.download",
+ "artifactregistry.files.get",
+ "artifactregistry.files.list",
+ "artifactregistry.locations.get",
+ "artifactregistry.locations.list",
+ "artifactregistry.mavenartifacts.get",
+ "artifactregistry.mavenartifacts.list",
+ "artifactregistry.npmpackages.get",
+ "artifactregistry.npmpackages.list",
+ "artifactregistry.packages.get",
+ "artifactregistry.packages.list",
+ "artifactregistry.projectsettings.get",
+ "artifactregistry.pythonpackages.get",
+ "artifactregistry.pythonpackages.list",
 "artifactregistry.repositories.create",
+ "artifactregistry.repositories.downloadArtifacts",
 "artifactregistry.repositories.get",
 "artifactregistry.repositories.list",
+ "artifactregistry.repositories.listEffectiveTags",
+ "artifactregistry.repositories.listTagBindings",
+ "artifactregistry.repositories.readViaVirtualRepository",
+ "artifactregistry.rules.get",
+ "artifactregistry.rules.list",
+ "artifactregistry.tags.get",
+ "artifactregistry.tags.list",
+ "artifactregistry.versions.get",
+ "artifactregistry.versions.list",
 "cloudbuild.builds.create",
 "cloudbuild.builds.get",
 "cloudbuild.builds.list",
diff --git a/roles/telcoautomation.admin b/roles/telcoautomation.admin
index e8d10aa6..fb339307 100644
--- a/roles/telcoautomation.admin
+++ b/roles/telcoautomation.admin
@@ -13,6 +13,8 @@
 "logging.logEntries.list",
 "logging.logMetrics.get",
 "logging.logMetrics.list",
+ "logging.logScopes.get",
+ "logging.logScopes.list",
 "logging.logServiceIndexes.list",
 "logging.logServices.list",
 "logging.logs.list",
diff --git a/roles/telcoautomation.opsAdminTier4 b/roles/telcoautomation.opsAdminTier4
index 105ebbb0..cad3bdf0 100644
--- a/roles/telcoautomation.opsAdminTier4
+++ b/roles/telcoautomation.opsAdminTier4
@@ -13,6 +13,8 @@
 "logging.logEntries.list",
 "logging.logMetrics.get",
 "logging.logMetrics.list",
+ "logging.logScopes.get",
+ "logging.logScopes.list",
 "logging.logServiceIndexes.list",
 "logging.logServices.list",
 "logging.logs.list",
diff --git a/roles/tpu.admin b/roles/tpu.admin
index 24d78660..a69cf34e 100644
--- a/roles/tpu.admin
+++ b/roles/tpu.admin
@@ -12,6 +12,7 @@
 "tpu.nodes.delete",
 "tpu.nodes.get",
 "tpu.nodes.list",
+ "tpu.nodes.performMaintenance",
 "tpu.nodes.reimage",
 "tpu.nodes.reset",
 "tpu.nodes.simulateMaintenanceEvent",
diff --git a/roles/viewer b/roles/viewer
index 965882bd..5d5af447 100644
--- a/roles/viewer
+++ b/roles/viewer
@@ -497,6 +497,8 @@
 "auditmanager.controlReports.get",
 "auditmanager.controlReports.list",
 "auditmanager.controls.list",
+ "auditmanager.customComplianceFrameworks.get",
+ "auditmanager.customComplianceFrameworks.list",
 "auditmanager.findings.get",
 "auditmanager.findings.list",
 "auditmanager.locations.get",
@@ -573,6 +575,8 @@
 "backupdr.managementServers.viewWorkflows",
 "backupdr.operations.get",
 "backupdr.operations.list",
+ "backupdr.resourceBackupConfigs.get",
+ "backupdr.resourceBackupConfigs.list",
 "baremetalsolution.instancequotas.list",
 "baremetalsolution.instances.get",
 "baremetalsolution.instances.list",
@@ -672,6 +676,7 @@
 "bigquery.reservationAssignments.search",
 "bigquery.reservations.get",
 "bigquery.reservations.list",
+ "bigquery.reservations.listFailoverDatasets",
 "bigquery.routines.get",
 "bigquery.routines.list",
 "bigquery.rowAccessPolicies.getIamPolicy",
@@ -684,8 +689,6 @@
 "bigquery.tables.listTagBindings",
 "bigquery.tables.replicateData",
 "bigquery.transfers.get",
- "bigquerymigration.locations.get",
- "bigquerymigration.locations.list",
 "bigquerymigration.subtasks.get",
 "bigquerymigration.subtasks.list",
 "bigquerymigration.workflows.get",
@@ -723,6 +726,8 @@
 "bigtable.tables.list",
 "bigtable.tables.readRows",
 "bigtable.tables.sampleRowKeys",
+ "billing.anomalies.get",
+ "billing.anomalies.list",
 "billing.billingAccountPrice.get",
 "billing.billingAccountPrices.list",
 "billing.billingAccountServices.get",
@@ -1575,6 +1580,8 @@
 "compute.regionUrlMaps.validate",
 "compute.regions.get",
 "compute.regions.list",
+ "compute.reservationBlocks.get",
+ "compute.reservationBlocks.list",
 "compute.reservations.get",
 "compute.reservations.list",
 "compute.resourcePolicies.get",
@@ -2834,6 +2841,8 @@
 "gkehub.locations.list",
 "gkehub.membershipbindings.get",
 "gkehub.membershipbindings.list",
+ "gkehub.membershipfeatures.get",
+ "gkehub.membershipfeatures.list",
 "gkehub.memberships.generateConnectManifest",
 "gkehub.memberships.get",
 "gkehub.memberships.getIamPolicy",
@@ -2932,6 +2941,7 @@
 "healthcare.fhirStores.explainDataAccess",
 "healthcare.fhirStores.export",
 "healthcare.fhirStores.get",
+ "healthcare.fhirStores.getFhirOperation",
 "healthcare.fhirStores.getIamPolicy",
 "healthcare.fhirStores.list",
 "healthcare.fhirStores.searchResources",
@@ -3105,6 +3115,8 @@
 "logging.logEntries.list",
 "logging.logMetrics.get",
 "logging.logMetrics.list",
+ "logging.logScopes.get",
+ "logging.logScopes.list",
 "logging.logServiceIndexes.list",
 "logging.logServices.list",
 "logging.logs.list",
@@ -3398,6 +3410,14 @@
 "networksecurity.gatewaySecurityPolicies.list",
 "networksecurity.gatewaySecurityPolicyRules.get",
 "networksecurity.gatewaySecurityPolicyRules.list",
+ "networksecurity.interceptDeploymentGroups.get",
+ "networksecurity.interceptDeploymentGroups.list",
+ "networksecurity.interceptDeployments.get",
+ "networksecurity.interceptDeployments.list",
+ "networksecurity.interceptEndpointGroupAssociations.get",
+ "networksecurity.interceptEndpointGroupAssociations.list",
+ "networksecurity.interceptEndpointGroups.get",
+ "networksecurity.interceptEndpointGroups.list",
 "networksecurity.locations.get",
 "networksecurity.locations.list",
 "networksecurity.mirroringDeploymentGroups.get",
@@ -3482,6 +3502,8 @@
 "oauthconfig.clientpolicy.get",
 "oauthconfig.testusers.get",
 "oauthconfig.verification.get",
+ "observability.analyticsViews.get",
+ "observability.analyticsViews.list",
 "observability.scopes.get",
 "ondemandscanning.operations.get",
 "ondemandscanning.operations.list",
@@ -3491,7 +3513,6 @@
 "oracledatabase.autonomousDatabaseBackups.get",
 "oracledatabase.autonomousDatabaseBackups.list",
 "oracledatabase.autonomousDatabaseCharacterSets.list",
- "oracledatabase.autonomousDatabases.generateWallet",
 "oracledatabase.autonomousDatabases.get",
 "oracledatabase.autonomousDatabases.list",
 "oracledatabase.autonomousDbVersions.list",
@@ -3548,6 +3569,12 @@
 "parallelstore.locations.list",
 "parallelstore.operations.get",
 "parallelstore.operations.list",
+ "parametermanager.locations.get",
+ "parametermanager.locations.list",
+ "parametermanager.parameterVersions.get",
+ "parametermanager.parameterVersions.list",
+ "parametermanager.parameters.get",
+ "parametermanager.parameters.list",
 "paymentsresellersubscription.products.list",
 "paymentsresellersubscription.promotions.list",
 "paymentsresellersubscription.subscriptions.get",
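Review bot: `parametermanager.parameterVersions.get`, added to `roles/viewer` in the last hunk, presumably returns the stored parameter version payload rather than metadata alone, so every principal already holding the basic Viewer role on a project gains read access to all Parameter Manager values in that project as soon as this version of the role takes effect, again without any binding change. Parameter Manager is positioned for non-secret configuration, but teams that have placed sensitive-but-not-secret values there (connection strings, internal hostnames, flags that gate access) should treat this as a widening of read access and confirm who holds `roles/viewer`, including through group membership and inherited folder/organization bindings. The removal of `oracledatabase.autonomousDatabases.generateWallet` from viewer in the preceding hunk moves the other way, keeping a credential-minting permission out of the basic role, which is the standard the parametermanager additions should be weighed against.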
@@ -3858,6 +3885,10 @@
 "recommender.networkAnalyzerLoadBalancerInsights.list",
 "recommender.networkAnalyzerVpcConnectivityInsights.get",
 "recommender.networkAnalyzerVpcConnectivityInsights.list",
+ "recommender.orgPolicyInsights.get",
+ "recommender.orgPolicyInsights.list",
+ "recommender.orgPolicyRecommendations.get",
+ "recommender.orgPolicyRecommendations.list",
 "recommender.resourcemanagerProjectChangeRiskInsights.get",
 "recommender.resourcemanagerProjectChangeRiskInsights.list",
 "recommender.resourcemanagerProjectChangeRiskRecommendations.get",
@@ -3888,6 +3919,10 @@
 "recommender.runServiceSecurityInsights.list",
 "recommender.runServiceSecurityRecommendations.get",
 "recommender.runServiceSecurityRecommendations.list",
+ "recommender.spannerProjectReliabilityInsights.get",
+ "recommender.spannerProjectReliabilityInsights.list",
+ "recommender.spannerProjectReliabilityRecommendations.get",
+ "recommender.spannerProjectReliabilityRecommendations.list",
 "recommender.spendBasedCommitmentInsights.get",
 "recommender.spendBasedCommitmentInsights.list",
 "recommender.spendBasedCommitmentRecommendations.get",
@@ -4531,7 +4566,9 @@
 "workflows.stepEntries.list",
 "workflows.workflows.get",
 "workflows.workflows.list",
+ "workflows.workflows.listEffectiveTags",
 "workflows.workflows.listRevision",
+ "workflows.workflows.listTagBindings",
 "workloadcertificate.locations.get",
 "workloadcertificate.locations.list",
 "workloadcertificate.operations.get",