GCP IAM Updates Detected

jdyke · Dec 13, 2024 · a9da326 · a9da326
1 parent 46d2e2c
commit a9da326
Show file tree

Hide file tree

Showing 86 changed files with 820 additions and 24 deletions.
diff --git a/roles/anthossupport.serviceAgent b/roles/anthossupport.serviceAgent
@@ -13,6 +13,8 @@
     "gkehub.locations.list",
     "gkehub.membershipbindings.get",
     "gkehub.membershipbindings.list",
+    "gkehub.membershipfeatures.get",
+    "gkehub.membershipfeatures.list",
     "gkehub.memberships.generateConnectManifest",
     "gkehub.memberships.get",
     "gkehub.memberships.getIamPolicy",

diff --git a/roles/appengine.appAdmin b/roles/appengine.appAdmin
@@ -25,6 +25,7 @@
     "appengine.versions.get",
     "appengine.versions.list",
     "appengine.versions.update",
+    "artifactregistry.projectsettings.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/appengine.appViewer b/roles/appengine.appViewer
@@ -12,6 +12,7 @@
     "appengine.services.list",
     "appengine.versions.get",
     "appengine.versions.list",
+    "artifactregistry.projectsettings.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/appengine.codeViewer b/roles/appengine.codeViewer
@@ -13,6 +13,7 @@
     "appengine.versions.get",
     "appengine.versions.getFileContents",
     "appengine.versions.list",
+    "artifactregistry.projectsettings.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/appengine.deployer b/roles/appengine.deployer
@@ -14,6 +14,7 @@
     "appengine.versions.delete",
     "appengine.versions.get",
     "appengine.versions.list",
+    "artifactregistry.projectsettings.get",
     "artifactregistry.repositories.deleteArtifacts",
     "artifactregistry.repositories.downloadArtifacts",
     "artifactregistry.repositories.uploadArtifacts",

diff --git a/roles/auditmanager.serviceAgent b/roles/auditmanager.serviceAgent
@@ -607,11 +607,18 @@
     "resourcemanager.folders.get",
     "resourcemanager.folders.getIamPolicy",
     "resourcemanager.folders.list",
+    "resourcemanager.hierarchyNodes.listEffectiveTags",
+    "resourcemanager.hierarchyNodes.listTagBindings",
     "resourcemanager.organizations.get",
     "resourcemanager.organizations.getIamPolicy",
     "resourcemanager.projects.get",
     "resourcemanager.projects.getIamPolicy",
     "resourcemanager.projects.list",
+    "resourcemanager.tagHolds.list",
+    "resourcemanager.tagKeys.get",
+    "resourcemanager.tagKeys.list",
+    "resourcemanager.tagValues.get",
+    "resourcemanager.tagValues.list",
     "secretmanager.secrets.list",
     "serviceusage.quotas.get",
     "serviceusage.services.get",

diff --git a/roles/backupdr.admin b/roles/backupdr.admin
@@ -81,6 +81,7 @@
     "backupdr.operations.delete",
     "backupdr.operations.get",
     "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/batch.serviceAgent b/roles/batch.serviceAgent
@@ -6,7 +6,15 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "compute.acceleratorTypes.get",
     "compute.acceleratorTypes.list",
     "compute.addresses.createInternal",
@@ -315,6 +323,8 @@
     "compute.regionUrlMaps.listTagBindings",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.create",

diff --git a/roles/bigquery.admin b/roles/bigquery.admin
@@ -68,6 +68,7 @@
     "bigquery.reservations.delete",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.reservations.update",
     "bigquery.routines.create",
     "bigquery.routines.delete",

diff --git a/roles/bigquery.resourceAdmin b/roles/bigquery.resourceAdmin
@@ -21,6 +21,7 @@
     "bigquery.reservations.delete",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.reservations.update",
     "recommender.bigqueryCapacityCommitmentsInsights.get",
     "recommender.bigqueryCapacityCommitmentsInsights.list",

diff --git a/roles/bigquery.resourceEditor b/roles/bigquery.resourceEditor
@@ -17,6 +17,7 @@
     "bigquery.reservations.delete",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.reservations.update",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

diff --git a/roles/bigquery.resourceViewer b/roles/bigquery.resourceViewer
@@ -13,6 +13,7 @@
     "bigquery.reservationAssignments.search",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/bigquery.studioAdmin b/roles/bigquery.studioAdmin
@@ -1,5 +1,5 @@
 {
-  "description": "Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.",
+  "description": "Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.",
   "etag": "AA==",
   "includedPermissions": [
     "aiplatform.notebookRuntimeTemplates.apply",
@@ -84,6 +84,7 @@
     "bigquery.reservations.delete",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.reservations.update",
     "bigquery.routines.create",
     "bigquery.routines.delete",
@@ -129,8 +130,13 @@
     "bigquery.transfers.get",
     "bigquery.transfers.update",
     "bigquerymigration.translation.translate",
+    "compute.projects.get",
+    "compute.regions.get",
+    "compute.regions.list",
     "compute.reservations.get",
     "compute.reservations.list",
+    "compute.zones.get",
+    "compute.zones.list",
     "dataform.compilationResults.create",
     "dataform.compilationResults.get",
     "dataform.compilationResults.list",
@@ -192,6 +198,45 @@
     "dataform.workspaces.setIamPolicy",
     "dataform.workspaces.writeFile",
     "dataplex.projects.search",
+    "dataproc.batches.analyze",
+    "dataproc.batches.cancel",
+    "dataproc.batches.create",
+    "dataproc.batches.delete",
+    "dataproc.batches.get",
+    "dataproc.batches.list",
+    "dataproc.operations.cancel",
+    "dataproc.operations.delete",
+    "dataproc.operations.get",
+    "dataproc.operations.list",
+    "dataproc.sessionTemplates.create",
+    "dataproc.sessionTemplates.delete",
+    "dataproc.sessionTemplates.get",
+    "dataproc.sessionTemplates.list",
+    "dataproc.sessionTemplates.update",
+    "dataproc.sessions.create",
+    "dataproc.sessions.delete",
+    "dataproc.sessions.get",
+    "dataproc.sessions.list",
+    "dataproc.sessions.sparkApplicationRead",
+    "dataproc.sessions.sparkApplicationWrite",
+    "dataproc.sessions.terminate",
+    "dataprocrm.nodePools.create",
+    "dataprocrm.nodePools.delete",
+    "dataprocrm.nodePools.deleteNodes",
+    "dataprocrm.nodePools.get",
+    "dataprocrm.nodePools.list",
+    "dataprocrm.nodePools.resize",
+    "dataprocrm.nodes.get",
+    "dataprocrm.nodes.heartbeat",
+    "dataprocrm.nodes.list",
+    "dataprocrm.nodes.update",
+    "dataprocrm.operations.get",
+    "dataprocrm.operations.list",
+    "dataprocrm.workloads.cancel",
+    "dataprocrm.workloads.create",
+    "dataprocrm.workloads.delete",
+    "dataprocrm.workloads.get",
+    "dataprocrm.workloads.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/bigquery.studioUser b/roles/bigquery.studioUser
@@ -1,5 +1,5 @@
 {
-  "description": "Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.",
+  "description": "Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.",
   "etag": "AA==",
   "includedPermissions": [
     "aiplatform.notebookRuntimeTemplates.apply",
@@ -15,11 +15,55 @@
     "bigquery.readsessions.create",
     "bigquery.readsessions.getData",
     "bigquery.readsessions.update",
+    "compute.projects.get",
+    "compute.regions.get",
+    "compute.regions.list",
+    "compute.zones.get",
+    "compute.zones.list",
     "dataform.locations.get",
     "dataform.locations.list",
     "dataform.repositories.create",
     "dataform.repositories.list",
     "dataplex.projects.search",
+    "dataproc.batches.analyze",
+    "dataproc.batches.cancel",
+    "dataproc.batches.create",
+    "dataproc.batches.delete",
+    "dataproc.batches.get",
+    "dataproc.batches.list",
+    "dataproc.operations.cancel",
+    "dataproc.operations.delete",
+    "dataproc.operations.get",
+    "dataproc.operations.list",
+    "dataproc.sessionTemplates.create",
+    "dataproc.sessionTemplates.delete",
+    "dataproc.sessionTemplates.get",
+    "dataproc.sessionTemplates.list",
+    "dataproc.sessionTemplates.update",
+    "dataproc.sessions.create",
+    "dataproc.sessions.delete",
+    "dataproc.sessions.get",
+    "dataproc.sessions.list",
+    "dataproc.sessions.sparkApplicationRead",
+    "dataproc.sessions.sparkApplicationWrite",
+    "dataproc.sessions.terminate",
+    "dataprocrm.nodePools.create",
+    "dataprocrm.nodePools.delete",
+    "dataprocrm.nodePools.deleteNodes",
+    "dataprocrm.nodePools.get",
+    "dataprocrm.nodePools.list",
+    "dataprocrm.nodePools.resize",
+    "dataprocrm.nodes.get",
+    "dataprocrm.nodes.heartbeat",
+    "dataprocrm.nodes.list",
+    "dataprocrm.nodes.update",
+    "dataprocrm.operations.get",
+    "dataprocrm.operations.list",
+    "dataprocrm.workloads.cancel",
+    "dataprocrm.workloads.create",
+    "dataprocrm.workloads.delete",
+    "dataprocrm.workloads.get",
+    "dataprocrm.workloads.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/bigquery.user b/roles/bigquery.user
@@ -19,6 +19,7 @@
     "bigquery.reservationAssignments.search",
     "bigquery.reservations.get",
     "bigquery.reservations.list",
+    "bigquery.reservations.listFailoverDatasets",
     "bigquery.routines.list",
     "bigquery.savedqueries.get",
     "bigquery.savedqueries.list",

diff --git a/roles/bigquerymigration.editor b/roles/bigquerymigration.editor
@@ -2,12 +2,13 @@
   "description": "Editor of EDW migration workflows.",
   "etag": "AA==",
   "includedPermissions": [
-    "bigquerymigration.locations.get",
-    "bigquerymigration.locations.list",
     "bigquerymigration.subtasks.get",
     "bigquerymigration.subtasks.list",
     "bigquerymigration.workflows.create",
     "bigquerymigration.workflows.delete",
+    "bigquerymigration.workflows.enableAiOutputTypes",
+    "bigquerymigration.workflows.enableLineageOutputTypes",
+    "bigquerymigration.workflows.enableOutputTypePermissions",
     "bigquerymigration.workflows.get",
     "bigquerymigration.workflows.list",
     "bigquerymigration.workflows.update"

diff --git a/roles/bigquerymigration.viewer b/roles/bigquerymigration.viewer
@@ -2,8 +2,6 @@
   "description": "Viewer of EDW migration MigrationWorkflow.",
   "etag": "AA==",
   "includedPermissions": [
-    "bigquerymigration.locations.get",
-    "bigquerymigration.locations.list",
     "bigquerymigration.subtasks.get",
     "bigquerymigration.subtasks.list",
     "bigquerymigration.workflows.get",

diff --git a/roles/bigquerymigration.worker b/roles/bigquerymigration.worker
@@ -2,8 +2,6 @@
   "description": "Worker that executes EDW migration subtasks.",
   "etag": "AA==",
   "includedPermissions": [
-    "bigquerymigration.subtaskTypes.executeTask",
-    "bigquerymigration.subtasks.executeTask",
     "storage.objects.create",
     "storage.objects.get",
     "storage.objects.list"

diff --git a/roles/billing.admin b/roles/billing.admin
@@ -19,6 +19,11 @@
     "billing.accounts.update",
     "billing.accounts.updatePaymentInfo",
     "billing.accounts.updateUsageExportSpec",
+    "billing.anomalies.get",
+    "billing.anomalies.list",
+    "billing.anomalies.submitFeedback",
+    "billing.anomaliesConfigs.get",
+    "billing.anomaliesConfigs.update",
     "billing.billingAccountPrice.get",
     "billing.billingAccountPrices.list",
     "billing.billingAccountServices.get",

diff --git a/roles/billing.viewer b/roles/billing.viewer
@@ -10,6 +10,9 @@
     "billing.accounts.getSpendingInformation",
     "billing.accounts.getUsageExportSpec",
     "billing.accounts.list",
+    "billing.anomalies.get",
+    "billing.anomalies.list",
+    "billing.anomaliesConfigs.get",
     "billing.billingAccountPrice.get",
     "billing.billingAccountPrices.list",
     "billing.billingAccountServices.get",

diff --git a/roles/cloudsql.admin b/roles/cloudsql.admin
@@ -2,7 +2,11 @@
   "description": "Full control of Cloud SQL resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudaicompanion.companions.generateChat",
+    "cloudaicompanion.companions.generateCode",
     "cloudaicompanion.entitlements.get",
+    "cloudaicompanion.instances.completeCode",
+    "cloudaicompanion.instances.generateCode",
     "cloudsql.backupRuns.create",
     "cloudsql.backupRuns.delete",
     "cloudsql.backupRuns.get",

diff --git a/roles/cloudsql.studioUser b/roles/cloudsql.studioUser
@@ -2,6 +2,10 @@
   "description": "Role allowing access to Cloud SQL Studio",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudaicompanion.companions.generateChat",
+    "cloudaicompanion.companions.generateCode",
+    "cloudaicompanion.instances.completeCode",
+    "cloudaicompanion.instances.generateCode",
     "cloudsql.databases.list",
     "cloudsql.instances.executeSql",
     "cloudsql.instances.get",

diff --git a/roles/commerceorggovernance.admin b/roles/commerceorggovernance.admin
@@ -20,6 +20,8 @@
     "commerceorggovernance.services.get",
     "commerceorggovernance.services.list",
     "commerceorggovernance.services.request",
+    "consumerprocurement.entitlements.get",
+    "consumerprocurement.entitlements.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/commerceorggovernance.user b/roles/commerceorggovernance.user
@@ -5,6 +5,8 @@
     "commerceorggovernance.services.get",
     "commerceorggovernance.services.list",
     "commerceorggovernance.services.request",
+    "consumerprocurement.entitlements.get",
+    "consumerprocurement.entitlements.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/compute.instanceAdmin b/roles/compute.instanceAdmin
@@ -6,7 +6,15 @@
     "backupdr.backupPlanAssociations.deleteForComputeInstance",
     "backupdr.backupPlanAssociations.list",
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
+    "backupdr.backupPlans.get",
+    "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeInstance",
+    "backupdr.backupVaults.get",
+    "backupdr.backupVaults.list",
+    "backupdr.locations.list",
+    "backupdr.operations.get",
+    "backupdr.operations.list",
+    "backupdr.serviceConfig.initialize",
     "compute.acceleratorTypes.get",
     "compute.acceleratorTypes.list",
     "compute.addresses.createInternal",
@@ -192,6 +200,8 @@
     "compute.regionOperations.list",
     "compute.regions.get",
     "compute.regions.list",
+    "compute.reservationBlocks.get",
+    "compute.reservationBlocks.list",
     "compute.reservations.get",
     "compute.reservations.list",
     "compute.resourcePolicies.list",