Fetch all roles

darkbitio · Jan 31, 2025 · d99bed8 · d99bed8
1 parent 65cfa54
commit d99bed8
Show file tree

Hide file tree

Showing 39 changed files with 159 additions and 43 deletions.
diff --git a/gcp_roles_cai.json b/gcp_roles_cai.json
diff --git a/roles/aiplatform.admin b/roles/aiplatform.admin
@@ -137,7 +137,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",

diff --git a/roles/aiplatform.featurestoreAdmin b/roles/aiplatform.featurestoreAdmin
@@ -18,7 +18,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",

diff --git a/roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin b/roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin
@@ -0,0 +1,19 @@
+{
+  "description": "Workspace Marketplace App Configuration Admin",
+  "etag": "AA==",
+  "includedPermissions": [
+    "chat.bots.get",
+    "clientauthconfig.clients.create",
+    "gsuiteaddons.deployments.create",
+    "gsuiteaddons.deployments.delete",
+    "gsuiteaddons.deployments.list",
+    "gsuiteaddons.deployments.update",
+    "resourcemanager.projects.get",
+    "serviceusage.services.get",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view"
+  ],
+  "name": "roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin",
+  "stage": "BETA",
+  "title": "Workspace Marketplace App Configuration Admin"
+}
diff --git a/roles/backupdr.backupConfigViewer b/roles/backupdr.backupConfigViewer
@@ -2,6 +2,7 @@
   "description": "Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.",
   "etag": "AA==",
   "includedPermissions": [
+    "backupdr.locations.list",
     "backupdr.resourceBackupConfigs.get",
     "backupdr.resourceBackupConfigs.list"
   ],

diff --git a/roles/cloudaicompanion.user b/roles/cloudaicompanion.user
@@ -7,6 +7,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",

diff --git a/roles/composer.serviceAgent b/roles/composer.serviceAgent
@@ -1786,6 +1786,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/datafusion.serviceAgent b/roles/datafusion.serviceAgent
@@ -434,6 +434,7 @@
     "dns.networks.bindPrivateDNSZone",
     "dns.networks.targetWithPeeringZone",
     "firebase.projects.get",
+    "logging.logEntries.create",
     "monitoring.metricDescriptors.create",
     "monitoring.metricDescriptors.get",
     "monitoring.metricDescriptors.list",
@@ -587,6 +588,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/datapipelines.serviceAgent b/roles/datapipelines.serviceAgent
@@ -87,6 +87,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/dataplex.serviceAgent b/roles/dataplex.serviceAgent
@@ -249,6 +249,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/dataproc.serviceAgent b/roles/dataproc.serviceAgent
@@ -338,9 +338,7 @@
     "resourcemanager.hierarchyNodes.listEffectiveTags",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list",
-    "servicemanagement.services.bind",
     "serviceusage.quotas.get",
-    "serviceusage.services.enable",
     "serviceusage.services.get",
     "serviceusage.services.list",
     "serviceusage.services.use",
@@ -366,6 +364,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/datastream.serviceAgent b/roles/datastream.serviceAgent
@@ -3,6 +3,7 @@
   "etag": "AA==",
   "includedPermissions": [
     "bigquery.connections.delegate",
+    "bigquery.connections.get",
     "bigquery.datasets.create",
     "bigquery.datasets.get",
     "bigquery.jobs.create",

diff --git a/roles/discoveryengine.notebookEditor b/roles/discoveryengine.notebookEditor
@@ -2,6 +2,6 @@
   "description": "Grants read and write access to a Cloud NotebookLM Notebook.",
   "etag": "AA==",
   "name": "roles/discoveryengine.notebookEditor",
-  "stage": "ALPHA",
+  "stage": "BETA",
   "title": "Cloud NotebookLM Notebook Editor"
 }
diff --git a/roles/discoveryengine.notebookLmOwner b/roles/discoveryengine.notebookLmOwner
@@ -8,6 +8,6 @@
     "resourcemanager.projects.list"
   ],
   "name": "roles/discoveryengine.notebookLmOwner",
-  "stage": "ALPHA",
-  "title": "Cloud NotebookLM Owner"
+  "stage": "BETA",
+  "title": "Cloud NotebookLM Admin"
 }
diff --git a/roles/discoveryengine.notebookLmUser b/roles/discoveryengine.notebookLmUser
@@ -6,6 +6,6 @@
     "resourcemanager.projects.list"
   ],
   "name": "roles/discoveryengine.notebookLmUser",
-  "stage": "ALPHA",
+  "stage": "BETA",
   "title": "Cloud NotebookLM User"
 }
diff --git a/roles/discoveryengine.notebookOwner b/roles/discoveryengine.notebookOwner
@@ -2,6 +2,6 @@
   "description": "Grants full access to a Cloud NotebookLM Notebook.",
   "etag": "AA==",
   "name": "roles/discoveryengine.notebookOwner",
-  "stage": "ALPHA",
+  "stage": "BETA",
   "title": "Cloud NotebookLM Notebook Owner"
 }
diff --git a/roles/discoveryengine.notebookViewer b/roles/discoveryengine.notebookViewer
@@ -2,6 +2,6 @@
   "description": "Grants read-only access to a Cloud NotebookLM Notebook.",
   "etag": "AA==",
   "name": "roles/discoveryengine.notebookViewer",
-  "stage": "ALPHA",
+  "stage": "BETA",
   "title": "Cloud NotebookLM Notebook Viewer"
 }
diff --git a/roles/editor b/roles/editor
@@ -180,6 +180,7 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
@@ -1881,6 +1882,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",
@@ -9149,6 +9151,8 @@
     "workloadmanager.operations.list",
     "workloadmanager.results.list",
     "workloadmanager.rules.list",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view",
     "workstations.operations.get",
     "workstations.workstationClusters.create",
     "workstations.workstationClusters.delete",

diff --git a/roles/firebase.admin b/roles/firebase.admin
@@ -543,6 +543,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/firebase.developAdmin b/roles/firebase.developAdmin
@@ -447,6 +447,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/iam.securityAdmin b/roles/iam.securityAdmin
@@ -38,7 +38,9 @@
     "aiplatform.entityTypes.setIamPolicy",
     "aiplatform.executions.list",
     "aiplatform.extensions.list",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureOnlineStores.getIamPolicy",
     "aiplatform.featureOnlineStores.list",
     "aiplatform.featureOnlineStores.setIamPolicy",

diff --git a/roles/iam.securityReviewer b/roles/iam.securityReviewer
@@ -35,6 +35,7 @@
     "aiplatform.entityTypes.list",
     "aiplatform.executions.list",
     "aiplatform.extensions.list",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
     "aiplatform.featureOnlineStores.getIamPolicy",
     "aiplatform.featureOnlineStores.list",

diff --git a/roles/managedkafka.admin b/roles/managedkafka.admin
@@ -2,6 +2,7 @@
   "description": "Full access to Managed Kafka resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.connect",
     "managedkafka.clusters.create",
     "managedkafka.clusters.delete",

diff --git a/roles/managedkafka.client b/roles/managedkafka.client
@@ -2,6 +2,7 @@
   "description": "Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.connect",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",

diff --git a/roles/managedkafka.clusterEditor b/roles/managedkafka.clusterEditor
@@ -2,6 +2,7 @@
   "description": "Provides read and write access to Kafka clusters. Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.create",
     "managedkafka.clusters.delete",
     "managedkafka.clusters.get",

diff --git a/roles/managedkafka.consumerGroupEditor b/roles/managedkafka.consumerGroupEditor
@@ -2,6 +2,7 @@
   "description": "Provides read and write access to consumer group metadata. Intended for, e.g., developers who configure consumer groups.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",
     "managedkafka.consumerGroups.delete",

diff --git a/roles/managedkafka.topicEditor b/roles/managedkafka.topicEditor
@@ -2,6 +2,7 @@
   "description": "Provides read and write access to topic metadata. Intended for, e.g., developers who configure topics.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",
     "managedkafka.consumerGroups.get",

diff --git a/roles/managedkafka.viewer b/roles/managedkafka.viewer
@@ -2,6 +2,7 @@
   "description": "Readonly access to Managed Kafka resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",
     "managedkafka.consumerGroups.get",

diff --git a/roles/ml.serviceAgent b/roles/ml.serviceAgent
@@ -91,6 +91,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

diff --git a/roles/oauthconfig.editor b/roles/oauthconfig.editor
@@ -16,6 +16,12 @@
     "clientauthconfig.clients.listWithSecrets",
     "clientauthconfig.clients.undelete",
     "clientauthconfig.clients.update",
+    "firebase.clients.create",
+    "firebase.clients.get",
+    "firebase.clients.list",
+    "firebase.clients.update",
+    "firebaseappcheck.resourcePolicies.get",
+    "firebaseappcheck.resourcePolicies.update",
     "oauthconfig.clientpolicy.get",
     "oauthconfig.testusers.get",
     "oauthconfig.testusers.update",

diff --git a/roles/oauthconfig.viewer b/roles/oauthconfig.viewer
@@ -6,6 +6,9 @@
     "clientauthconfig.brands.list",
     "clientauthconfig.clients.get",
     "clientauthconfig.clients.list",
+    "firebase.clients.get",
+    "firebase.clients.list",
+    "firebaseappcheck.resourcePolicies.get",
     "oauthconfig.clientpolicy.get",
     "oauthconfig.testusers.get",
     "oauthconfig.verification.get"

diff --git a/roles/owner b/roles/owner
@@ -188,7 +188,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",
@@ -2036,6 +2038,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",
@@ -9168,6 +9171,16 @@
     "retail.experiments.loadExperimentLookerDashboard",
     "retail.experiments.queryTrafficMetrics",
     "retail.experiments.update",
+    "retail.merchantControls.approverDelete",
+    "retail.merchantControls.approverGet",
+    "retail.merchantControls.approverList",
+    "retail.merchantControls.approverUpdate",
+    "retail.merchantControls.creatorCreate",
+    "retail.merchantControls.creatorDelete",
+    "retail.merchantControls.creatorGet",
+    "retail.merchantControls.creatorList",
+    "retail.merchantControls.creatorSubmit",
+    "retail.merchantControls.creatorUpdate",
     "retail.models.create",
     "retail.models.delete",
     "retail.models.get",
@@ -10392,6 +10405,8 @@
     "workloadmanager.operations.list",
     "workloadmanager.results.list",
     "workloadmanager.rules.list",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view",
     "workstations.operations.get",
     "workstations.workstationClusters.create",
     "workstations.workstationClusters.createTagBinding",

diff --git a/roles/retail.merchantApprover b/roles/retail.merchantApprover
@@ -0,0 +1,19 @@
+{
+  "description": "Grants access and approval rights to MerchantControls in the merchant console.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "retail.merchantControls.approverDelete",
+    "retail.merchantControls.approverGet",
+    "retail.merchantControls.approverList",
+    "retail.merchantControls.approverUpdate",
+    "retail.merchantControls.creatorCreate",
+    "retail.merchantControls.creatorDelete",
+    "retail.merchantControls.creatorGet",
+    "retail.merchantControls.creatorList",
+    "retail.merchantControls.creatorSubmit",
+    "retail.merchantControls.creatorUpdate"
+  ],
+  "name": "roles/retail.merchantApprover",
+  "stage": "BETA",
+  "title": "Retail Merchant Approver"
+}
diff --git a/roles/retail.merchantCreator b/roles/retail.merchantCreator
@@ -0,0 +1,15 @@
+{
+  "description": "Grants access to own MerchantControls in the merchant console.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "retail.merchantControls.creatorCreate",
+    "retail.merchantControls.creatorDelete",
+    "retail.merchantControls.creatorGet",
+    "retail.merchantControls.creatorList",
+    "retail.merchantControls.creatorSubmit",
+    "retail.merchantControls.creatorUpdate"
+  ],
+  "name": "roles/retail.merchantCreator",
+  "stage": "BETA",
+  "title": "Retail Merchant Creator"
+}
diff --git a/roles/securitycenter.controlServiceAgent b/roles/securitycenter.controlServiceAgent
@@ -2,6 +2,8 @@
   "description": "Security Center Control service agent can monitor and configure GCP resources and import security findings.",
   "etag": "AA==",
   "includedPermissions": [
+    "accesscontextmanager.gcpUserAccessBindings.get",
+    "accesscontextmanager.gcpUserAccessBindings.list",
     "bigquery.datasets.get",
     "binaryauthorization.policy.get",
     "cloudasset.assets.analyzeIamPolicy",

diff --git a/roles/securitycenter.serviceAgent b/roles/securitycenter.serviceAgent
@@ -2,6 +2,8 @@
   "description": "Security Center service agent can scan GCP resources and import security scans.",
   "etag": "AA==",
   "includedPermissions": [
+    "accesscontextmanager.gcpUserAccessBindings.get",
+    "accesscontextmanager.gcpUserAccessBindings.list",
     "bigquery.datasets.get",
     "binaryauthorization.policy.get",
     "cloudasset.assets.analyzeIamPolicy",