Fetch all roles

darkbitio · Feb 6, 2025 · bbc4b6d · bbc4b6d
1 parent d99bed8
commit bbc4b6d
Show file tree

Hide file tree

Showing 58 changed files with 735 additions and 71 deletions.
diff --git a/gcp_roles_cai.json b/gcp_roles_cai.json
diff --git a/roles/bigquery.admin b/roles/bigquery.admin
@@ -115,6 +115,16 @@
     "bigquery.transfers.get",
     "bigquery.transfers.update",
     "bigquerymigration.translation.translate",
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update",
     "dataform.compilationResults.create",
     "dataform.compilationResults.get",
     "dataform.compilationResults.list",

diff --git a/roles/bigquery.studioAdmin b/roles/bigquery.studioAdmin
@@ -138,6 +138,16 @@
     "compute.reservations.list",
     "compute.zones.get",
     "compute.zones.list",
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update",
     "dataform.compilationResults.create",
     "dataform.compilationResults.get",
     "dataform.compilationResults.list",

diff --git a/roles/bigquery.studioUser b/roles/bigquery.studioUser
@@ -20,6 +20,10 @@
     "compute.regions.list",
     "compute.zones.get",
     "compute.zones.list",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.comments.get",
+    "dataform.comments.list",
     "dataform.locations.get",
     "dataform.locations.list",
     "dataform.repositories.create",

diff --git a/roles/cloudaicompanion.serviceAgent b/roles/cloudaicompanion.serviceAgent
@@ -16,6 +16,7 @@
     "developerconnect.gitRepositoryLinks.fetchGitRefs",
     "developerconnect.gitRepositoryLinks.fetchReadToken",
     "developerconnect.gitRepositoryLinks.get",
+    "developerconnect.gitRepositoryLinks.gitProxyRead",
     "developerconnect.gitRepositoryLinks.list",
     "logging.logEntries.create",
     "logging.logEntries.route",

diff --git a/roles/cloudaicompanion.settingsAdmin b/roles/cloudaicompanion.settingsAdmin
@@ -0,0 +1,53 @@
+{
+  "description": "Grants read and write access to the setting and their bindings.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "cloudaicompanion.dataSharingWithGoogleSettings.create",
+    "cloudaicompanion.dataSharingWithGoogleSettings.delete",
+    "cloudaicompanion.dataSharingWithGoogleSettings.get",
+    "cloudaicompanion.dataSharingWithGoogleSettings.list",
+    "cloudaicompanion.dataSharingWithGoogleSettings.update",
+    "cloudaicompanion.geminiGcpEnablementSettings.create",
+    "cloudaicompanion.geminiGcpEnablementSettings.delete",
+    "cloudaicompanion.geminiGcpEnablementSettings.get",
+    "cloudaicompanion.geminiGcpEnablementSettings.list",
+    "cloudaicompanion.geminiGcpEnablementSettings.update",
+    "cloudaicompanion.loggingSettings.create",
+    "cloudaicompanion.loggingSettings.delete",
+    "cloudaicompanion.loggingSettings.get",
+    "cloudaicompanion.loggingSettings.list",
+    "cloudaicompanion.loggingSettings.update",
+    "cloudaicompanion.releaseChannelSettings.create",
+    "cloudaicompanion.releaseChannelSettings.delete",
+    "cloudaicompanion.releaseChannelSettings.get",
+    "cloudaicompanion.releaseChannelSettings.list",
+    "cloudaicompanion.releaseChannelSettings.update",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsCreate",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsDelete",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsGet",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsList",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUpdate",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUse",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsCreate",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsDelete",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsGet",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsList",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUpdate",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUse",
+    "cloudaicompanion.settingBindings.loggingSettingsCreate",
+    "cloudaicompanion.settingBindings.loggingSettingsDelete",
+    "cloudaicompanion.settingBindings.loggingSettingsGet",
+    "cloudaicompanion.settingBindings.loggingSettingsList",
+    "cloudaicompanion.settingBindings.loggingSettingsUpdate",
+    "cloudaicompanion.settingBindings.loggingSettingsUse",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsCreate",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsDelete",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsGet",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsList",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsUpdate",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsUse"
+  ],
+  "name": "roles/cloudaicompanion.settingsAdmin",
+  "stage": "BETA",
+  "title": "Settings Admin"
+}
diff --git a/roles/cloudaicompanion.settingsUser b/roles/cloudaicompanion.settingsUser
@@ -0,0 +1,25 @@
+{
+  "description": "Grants read access to the setting and their bindings.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "cloudaicompanion.dataSharingWithGoogleSettings.get",
+    "cloudaicompanion.dataSharingWithGoogleSettings.list",
+    "cloudaicompanion.geminiGcpEnablementSettings.get",
+    "cloudaicompanion.geminiGcpEnablementSettings.list",
+    "cloudaicompanion.loggingSettings.get",
+    "cloudaicompanion.loggingSettings.list",
+    "cloudaicompanion.releaseChannelSettings.get",
+    "cloudaicompanion.releaseChannelSettings.list",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsGet",
+    "cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsList",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsGet",
+    "cloudaicompanion.settingBindings.geminiGcpEnablementSettingsList",
+    "cloudaicompanion.settingBindings.loggingSettingsGet",
+    "cloudaicompanion.settingBindings.loggingSettingsList",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsGet",
+    "cloudaicompanion.settingBindings.releaseChannelSettingsList"
+  ],
+  "name": "roles/cloudaicompanion.settingsUser",
+  "stage": "BETA",
+  "title": "Settings User"
+}
diff --git a/roles/cloudaicompanion.user b/roles/cloudaicompanion.user
@@ -10,6 +10,7 @@
     "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
+    "cloudaicompanion.instances.queryEffectiveSettingBindings",
     "cloudaicompanion.licenses.selfAssign",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

diff --git a/roles/clouddeploy.admin b/roles/clouddeploy.admin
@@ -32,8 +32,10 @@
     "clouddeploy.deployPolicies.create",
     "clouddeploy.deployPolicies.delete",
     "clouddeploy.deployPolicies.get",
+    "clouddeploy.deployPolicies.getIamPolicy",
     "clouddeploy.deployPolicies.list",
     "clouddeploy.deployPolicies.override",
+    "clouddeploy.deployPolicies.setIamPolicy",
     "clouddeploy.deployPolicies.update",
     "clouddeploy.jobRuns.get",
     "clouddeploy.jobRuns.list",

diff --git a/roles/clouddeploy.policyAdmin b/roles/clouddeploy.policyAdmin
@@ -5,8 +5,10 @@
     "clouddeploy.deployPolicies.create",
     "clouddeploy.deployPolicies.delete",
     "clouddeploy.deployPolicies.get",
+    "clouddeploy.deployPolicies.getIamPolicy",
     "clouddeploy.deployPolicies.list",
     "clouddeploy.deployPolicies.override",
+    "clouddeploy.deployPolicies.setIamPolicy",
     "clouddeploy.deployPolicies.update",
     "clouddeploy.locations.get",
     "clouddeploy.locations.list",

diff --git a/roles/clouddeploy.viewer b/roles/clouddeploy.viewer
@@ -16,6 +16,7 @@
     "clouddeploy.deliveryPipelines.listEffectiveTags",
     "clouddeploy.deliveryPipelines.listTagBindings",
     "clouddeploy.deployPolicies.get",
+    "clouddeploy.deployPolicies.getIamPolicy",
     "clouddeploy.deployPolicies.list",
     "clouddeploy.jobRuns.get",
     "clouddeploy.jobRuns.list",

diff --git a/roles/cloudfunctions.admin b/roles/cloudfunctions.admin
@@ -11,7 +11,6 @@
     "cloudfunctions.functions.delete",
     "cloudfunctions.functions.get",
     "cloudfunctions.functions.getIamPolicy",
-    "cloudfunctions.functions.invoke",
     "cloudfunctions.functions.list",
     "cloudfunctions.functions.setIamPolicy",
     "cloudfunctions.functions.sourceCodeGet",

diff --git a/roles/cloudfunctions.developer b/roles/cloudfunctions.developer
@@ -10,7 +10,6 @@
     "cloudfunctions.functions.create",
     "cloudfunctions.functions.delete",
     "cloudfunctions.functions.get",
-    "cloudfunctions.functions.invoke",
     "cloudfunctions.functions.list",
     "cloudfunctions.functions.sourceCodeGet",
     "cloudfunctions.functions.sourceCodeSet",

diff --git a/roles/cloudfunctions.serviceAgent b/roles/cloudfunctions.serviceAgent
@@ -69,7 +69,6 @@
     "cloudbuild.operations.list",
     "cloudbuild.workerpools.use",
     "cloudfunctions.functions.get",
-    "cloudfunctions.functions.invoke",
     "cloudfunctions.functions.list",
     "cloudfunctions.operations.get",
     "cloudfunctions.operations.list",

diff --git a/roles/cloudsql.admin b/roles/cloudsql.admin
@@ -37,6 +37,7 @@
     "cloudsql.instances.listServerCertificates",
     "cloudsql.instances.listTagBindings",
     "cloudsql.instances.login",
+    "cloudsql.instances.manageEncryption",
     "cloudsql.instances.migrate",
     "cloudsql.instances.performDiskShrink",
     "cloudsql.instances.promoteReplica",

diff --git a/roles/composer.serviceAgent b/roles/composer.serviceAgent
@@ -80,6 +80,7 @@
     "cloudsql.instances.listServerCertificates",
     "cloudsql.instances.listTagBindings",
     "cloudsql.instances.login",
+    "cloudsql.instances.manageEncryption",
     "cloudsql.instances.migrate",
     "cloudsql.instances.performDiskShrink",
     "cloudsql.instances.promoteReplica",
@@ -1378,6 +1379,8 @@
     "logging.views.update",
     "monitoring.alertPolicies.get",
     "monitoring.alertPolicies.list",
+    "monitoring.alertPolicies.listEffectiveTags",
+    "monitoring.alertPolicies.listTagBindings",
     "monitoring.dashboards.get",
     "monitoring.dashboards.list",
     "monitoring.groups.get",

diff --git a/roles/compute.admin b/roles/compute.admin
@@ -654,10 +654,12 @@
     "compute.regions.list",
     "compute.reservationBlocks.get",
     "compute.reservationBlocks.list",
+    "compute.reservationBlocks.performMaintenance",
     "compute.reservations.create",
     "compute.reservations.delete",
     "compute.reservations.get",
     "compute.reservations.list",
+    "compute.reservations.performMaintenance",
     "compute.reservations.resize",
     "compute.reservations.update",
     "compute.resourcePolicies.create",

diff --git a/roles/compute.futureReservationAdmin b/roles/compute.futureReservationAdmin
@@ -12,7 +12,9 @@
     "compute.instanceTemplates.list",
     "compute.machineTypes.list",
     "compute.regions.list",
+    "compute.reservationBlocks.performMaintenance",
     "compute.reservations.create",
+    "compute.reservations.performMaintenance",
     "compute.zones.list"
   ],
   "name": "roles/compute.futureReservationAdmin",

diff --git a/roles/compute.serviceAgent b/roles/compute.serviceAgent
@@ -36,6 +36,8 @@
     "logging.logEntries.create",
     "monitoring.alertPolicies.get",
     "monitoring.alertPolicies.list",
+    "monitoring.alertPolicies.listEffectiveTags",
+    "monitoring.alertPolicies.listTagBindings",
     "monitoring.dashboards.get",
     "monitoring.dashboards.list",
     "monitoring.groups.get",

diff --git a/roles/contactcenterinsights.viewer b/roles/contactcenterinsights.viewer
@@ -31,7 +31,8 @@
     "contactcenterinsights.qaScorecards.list",
     "contactcenterinsights.settings.get",
     "contactcenterinsights.views.get",
-    "contactcenterinsights.views.list"
+    "contactcenterinsights.views.list",
+    "contactcenterinsights.visibilityLabels.list"
   ],
   "name": "roles/contactcenterinsights.viewer",
   "stage": "GA",

diff --git a/roles/container.defaultNodeServiceAgent b/roles/container.defaultNodeServiceAgent
@@ -0,0 +1,16 @@
+{
+  "description": "Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring. Replaces the container.nodeServiceAgent role with a reduced permission set.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "autoscaling.sites.writeMetrics",
+    "logging.logEntries.create",
+    "monitoring.metricDescriptors.create",
+    "monitoring.metricDescriptors.list",
+    "monitoring.timeSeries.create",
+    "monitoring.timeSeries.list",
+    "serviceusage.services.use"
+  ],
+  "name": "roles/container.defaultNodeServiceAgent",
+  "stage": "GA",
+  "title": "Kubernetes Engine Default Node Service Agent"
+}
diff --git a/roles/container.nodeServiceAgent b/roles/container.nodeServiceAgent
@@ -16,5 +16,5 @@
   ],
   "name": "roles/container.nodeServiceAgent",
   "stage": "GA",
-  "title": "Kubernetes Engine Node Service Agent"
+  "title": "[Deprecated] Kubernetes Engine Node Service Agent"
 }
diff --git a/roles/contentwarehouse.serviceAgent b/roles/contentwarehouse.serviceAgent
@@ -2,7 +2,6 @@
   "description": "Gives the Content Warehouse service account to manage customer resources",
   "etag": "AA==",
   "includedPermissions": [
-    "cloudfunctions.functions.invoke",
     "documentai.datasets.createDocuments",
     "documentai.processors.get",
     "documentai.processors.processBatch",

diff --git a/roles/dataflow.serviceAgent b/roles/dataflow.serviceAgent
@@ -905,6 +905,16 @@
     "dataflow.snapshots.delete",
     "dataflow.snapshots.get",
     "dataflow.snapshots.list",
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update",
     "dataform.compilationResults.create",
     "dataform.compilationResults.get",
     "dataform.compilationResults.list",
@@ -1036,6 +1046,8 @@
     "logging.views.update",
     "monitoring.alertPolicies.get",
     "monitoring.alertPolicies.list",
+    "monitoring.alertPolicies.listEffectiveTags",
+    "monitoring.alertPolicies.listTagBindings",
     "monitoring.dashboards.get",
     "monitoring.dashboards.list",
     "monitoring.groups.get",

diff --git a/roles/dataform.codeCommenter b/roles/dataform.codeCommenter
@@ -1,6 +1,18 @@
 {
   "description": "Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources.",
   "etag": "AA==",
+  "includedPermissions": [
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update"
+  ],
   "name": "roles/dataform.codeCommenter",
   "stage": "BETA",
   "title": "Code Commenter"

diff --git a/roles/dataform.codeCreator b/roles/dataform.codeCreator
@@ -2,6 +2,10 @@
   "description": "Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.",
   "etag": "AA==",
   "includedPermissions": [
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.comments.get",
+    "dataform.comments.list",
     "dataform.locations.get",
     "dataform.locations.list",
     "dataform.repositories.create",

diff --git a/roles/dataform.codeEditor b/roles/dataform.codeEditor
@@ -2,6 +2,16 @@
   "description": "Edit access code resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update",
     "dataform.locations.get",
     "dataform.locations.list",
     "dataform.repositories.commit",

diff --git a/roles/dataform.codeOwner b/roles/dataform.codeOwner
@@ -2,6 +2,16 @@
   "description": "Full access to code resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "dataform.commentThreads.create",
+    "dataform.commentThreads.delete",
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.commentThreads.update",
+    "dataform.comments.create",
+    "dataform.comments.delete",
+    "dataform.comments.get",
+    "dataform.comments.list",
+    "dataform.comments.update",
     "dataform.locations.get",
     "dataform.locations.list",
     "dataform.repositories.commit",

diff --git a/roles/dataform.editor b/roles/dataform.editor
@@ -2,6 +2,10 @@
   "description": "Edit access to Workspaces and Read-only access to Repositories.",
   "etag": "AA==",
   "includedPermissions": [
+    "dataform.commentThreads.get",
+    "dataform.commentThreads.list",
+    "dataform.comments.get",
+    "dataform.comments.list",
     "dataform.compilationResults.create",
     "dataform.compilationResults.get",
     "dataform.compilationResults.list",