GCP IAM Updates Detected

jdyke · Oct 3, 2024 · 2480efe · 2480efe
1 parent 490a5e1
commit 2480efe
Show file tree

Hide file tree

Showing 17 changed files with 210 additions and 10 deletions.
diff --git a/roles/aiplatform.serviceAgent b/roles/aiplatform.serviceAgent
@@ -38,6 +38,11 @@
     "aiplatform.batchPredictionJobs.get",
     "aiplatform.batchPredictionJobs.list",
     "aiplatform.cacheConfigs.get",
+    "aiplatform.cachedContents.create",
+    "aiplatform.cachedContents.delete",
+    "aiplatform.cachedContents.get",
+    "aiplatform.cachedContents.list",
+    "aiplatform.cachedContents.update",
     "aiplatform.consents.get",
     "aiplatform.contexts.addContextArtifactsAndExecutions",
     "aiplatform.contexts.addContextChildren",

diff --git a/roles/aiplatform.viewer b/roles/aiplatform.viewer
@@ -17,6 +17,8 @@
     "aiplatform.batchPredictionJobs.get",
     "aiplatform.batchPredictionJobs.list",
     "aiplatform.cacheConfigs.get",
+    "aiplatform.cachedContents.get",
+    "aiplatform.cachedContents.list",
     "aiplatform.consents.get",
     "aiplatform.contexts.get",
     "aiplatform.contexts.list",

diff --git a/roles/bigquerymigration.orchestrator b/roles/bigquerymigration.orchestrator
@@ -4,6 +4,7 @@
   "includedPermissions": [
     "bigquerymigration.subtasks.create",
     "bigquerymigration.taskTypes.orchestrateTask",
+    "bigquerymigration.taskTypes.writeLogs",
     "bigquerymigration.workflows.orchestrateTask",
     "storage.objects.list"
   ],

diff --git a/roles/cloudjobdiscovery.admin b/roles/cloudjobdiscovery.admin
@@ -9,5 +9,5 @@
   ],
   "name": "roles/cloudjobdiscovery.admin",
   "stage": "GA",
-  "title": "Admin"
+  "title": "Cloud Talent Solution Admin"
 }
diff --git a/roles/container.cloudKmsKeyUser b/roles/container.cloudKmsKeyUser
@@ -0,0 +1,16 @@
+{
+  "description": "Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "cloudkms.cryptoKeyVersions.get",
+    "cloudkms.cryptoKeyVersions.useToSign",
+    "cloudkms.cryptoKeyVersions.useToVerify",
+    "cloudkms.cryptoKeyVersions.viewPublicKey",
+    "cloudkms.locations.get",
+    "cloudkms.locations.list",
+    "resourcemanager.projects.get"
+  ],
+  "name": "roles/container.cloudKmsKeyUser",
+  "stage": "ALPHA",
+  "title": "Kubernetes Engine KMS Crypto Key User"
+}
diff --git a/roles/datapipelines.serviceAgent b/roles/datapipelines.serviceAgent
@@ -89,6 +89,11 @@
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.update",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.managedFolders.create",
     "storage.managedFolders.delete",
     "storage.managedFolders.get",

diff --git a/roles/dataproc.serviceAgent b/roles/dataproc.serviceAgent
@@ -348,6 +348,11 @@
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.update",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.managedFolders.create",
     "storage.managedFolders.delete",
     "storage.managedFolders.get",

diff --git a/roles/editor b/roles/editor
@@ -84,6 +84,11 @@
     "aiplatform.batchPredictionJobs.list",
     "aiplatform.cacheConfigs.get",
     "aiplatform.cacheConfigs.update",
+    "aiplatform.cachedContents.create",
+    "aiplatform.cachedContents.delete",
+    "aiplatform.cachedContents.get",
+    "aiplatform.cachedContents.list",
+    "aiplatform.cachedContents.update",
     "aiplatform.consents.get",
     "aiplatform.consents.update",
     "aiplatform.contexts.addContextArtifactsAndExecutions",
@@ -2229,6 +2234,11 @@
     "cloudsql.backupRuns.delete",
     "cloudsql.backupRuns.get",
     "cloudsql.backupRuns.list",
+    "cloudsql.backups.create",
+    "cloudsql.backups.delete",
+    "cloudsql.backups.get",
+    "cloudsql.backups.list",
+    "cloudsql.backups.update",
     "cloudsql.databases.create",
     "cloudsql.databases.delete",
     "cloudsql.databases.get",
@@ -2267,6 +2277,8 @@
     "cloudsql.instances.stopReplica",
     "cloudsql.instances.truncateLog",
     "cloudsql.instances.update",
+    "cloudsql.operations.get",
+    "cloudsql.operations.list",
     "cloudsql.schemas.view",
     "cloudsql.sslCerts.create",
     "cloudsql.sslCerts.delete",
@@ -2338,6 +2350,11 @@
     "cloudtrace.tasks.delete",
     "cloudtrace.tasks.get",
     "cloudtrace.tasks.list",
+    "cloudtrace.traceScopes.create",
+    "cloudtrace.traceScopes.delete",
+    "cloudtrace.traceScopes.get",
+    "cloudtrace.traceScopes.list",
+    "cloudtrace.traceScopes.update",
     "cloudtrace.traces.get",
     "cloudtrace.traces.list",
     "cloudtrace.traces.patch",
@@ -2840,12 +2857,6 @@
     "compute.machineImages.useReadOnly",
     "compute.machineTypes.get",
     "compute.machineTypes.list",
-    "compute.maintenancePolicies.create",
-    "compute.maintenancePolicies.delete",
-    "compute.maintenancePolicies.get",
-    "compute.maintenancePolicies.getIamPolicy",
-    "compute.maintenancePolicies.list",
-    "compute.maintenancePolicies.use",
     "compute.networkAttachments.create",
     "compute.networkAttachments.delete",
     "compute.networkAttachments.get",
@@ -3023,7 +3034,6 @@
     "compute.regionTargetHttpProxies.listEffectiveTags",
     "compute.regionTargetHttpProxies.listTagBindings",
     "compute.regionTargetHttpProxies.setUrlMap",
-    "compute.regionTargetHttpProxies.update",
     "compute.regionTargetHttpProxies.use",
     "compute.regionTargetHttpsProxies.create",
     "compute.regionTargetHttpsProxies.delete",
@@ -6166,6 +6176,8 @@
     "logging.buckets.copyLogEntries",
     "logging.buckets.get",
     "logging.buckets.list",
+    "logging.buckets.listEffectiveTags",
+    "logging.buckets.listTagBindings",
     "logging.exclusions.get",
     "logging.exclusions.list",
     "logging.links.create",
@@ -6798,6 +6810,28 @@
     "networksecurity.gatewaySecurityPolicyRules.use",
     "networksecurity.locations.get",
     "networksecurity.locations.list",
+    "networksecurity.mirroringDeploymentGroups.create",
+    "networksecurity.mirroringDeploymentGroups.delete",
+    "networksecurity.mirroringDeploymentGroups.get",
+    "networksecurity.mirroringDeploymentGroups.list",
+    "networksecurity.mirroringDeploymentGroups.update",
+    "networksecurity.mirroringDeploymentGroups.use",
+    "networksecurity.mirroringDeployments.create",
+    "networksecurity.mirroringDeployments.delete",
+    "networksecurity.mirroringDeployments.get",
+    "networksecurity.mirroringDeployments.list",
+    "networksecurity.mirroringDeployments.update",
+    "networksecurity.mirroringEndpointGroupAssociations.create",
+    "networksecurity.mirroringEndpointGroupAssociations.delete",
+    "networksecurity.mirroringEndpointGroupAssociations.get",
+    "networksecurity.mirroringEndpointGroupAssociations.list",
+    "networksecurity.mirroringEndpointGroupAssociations.update",
+    "networksecurity.mirroringEndpointGroups.create",
+    "networksecurity.mirroringEndpointGroups.delete",
+    "networksecurity.mirroringEndpointGroups.get",
+    "networksecurity.mirroringEndpointGroups.list",
+    "networksecurity.mirroringEndpointGroups.update",
+    "networksecurity.mirroringEndpointGroups.use",
     "networksecurity.operations.cancel",
     "networksecurity.operations.delete",
     "networksecurity.operations.get",
@@ -8291,6 +8325,11 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.hmacKeys.create",
     "storage.hmacKeys.delete",
     "storage.hmacKeys.get",
@@ -8788,6 +8827,7 @@
     "vmwareengine.privateConnections.list",
     "vmwareengine.privateConnections.listPeeringRoutes",
     "vmwareengine.privateConnections.update",
+    "vmwareengine.projectState.get",
     "vmwareengine.services.use",
     "vmwareengine.services.view",
     "vmwareengine.subnets.get",

diff --git a/roles/firebase.admin b/roles/firebase.admin
@@ -515,6 +515,11 @@
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.update",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.managedFolders.create",
     "storage.managedFolders.delete",
     "storage.managedFolders.get",

diff --git a/roles/multiclusteringress.serviceAgent b/roles/multiclusteringress.serviceAgent
@@ -158,7 +158,6 @@
     "compute.regionTargetHttpProxies.listEffectiveTags",
     "compute.regionTargetHttpProxies.listTagBindings",
     "compute.regionTargetHttpProxies.setUrlMap",
-    "compute.regionTargetHttpProxies.update",
     "compute.regionTargetHttpProxies.use",
     "compute.regionTargetHttpsProxies.create",
     "compute.regionTargetHttpsProxies.createTagBinding",

diff --git a/roles/networksecurity.mirroringEndpointViewer b/roles/networksecurity.mirroringEndpointViewer
@@ -2,10 +2,14 @@
   "description": "Enables read-only access to mirroring resources on the Consumer's side.",
   "etag": "AA==",
   "includedPermissions": [
+    "networksecurity.mirroringEndpointGroupAssociations.get",
+    "networksecurity.mirroringEndpointGroupAssociations.list",
+    "networksecurity.mirroringEndpointGroups.get",
+    "networksecurity.mirroringEndpointGroups.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],
   "name": "roles/networksecurity.mirroringEndpointViewer",
-  "stage": "ALPHA",
+  "stage": "BETA",
   "title": "Mirroring Endpoint Viewer"
 }
diff --git a/roles/oci.serviceAgent b/roles/oci.serviceAgent
@@ -0,0 +1,102 @@
+{
+  "description": "Grants Cloud OCI access to services and APIs in the user project",
+  "etag": "AA==",
+  "includedPermissions": [
+    "compute.addresses.get",
+    "compute.addresses.list",
+    "compute.globalAddresses.get",
+    "compute.globalAddresses.list",
+    "compute.globalOperations.get",
+    "compute.globalOperations.list",
+    "compute.interconnectAttachments.create",
+    "compute.interconnectAttachments.delete",
+    "compute.interconnectAttachments.get",
+    "compute.interconnectAttachments.list",
+    "compute.interconnectAttachments.setLabels",
+    "compute.interconnectAttachments.update",
+    "compute.interconnectAttachments.use",
+    "compute.interconnectLocations.get",
+    "compute.interconnectLocations.list",
+    "compute.interconnectRemoteLocations.get",
+    "compute.interconnectRemoteLocations.list",
+    "compute.interconnects.create",
+    "compute.interconnects.delete",
+    "compute.interconnects.get",
+    "compute.interconnects.getMacsecConfig",
+    "compute.interconnects.list",
+    "compute.interconnects.setLabels",
+    "compute.interconnects.update",
+    "compute.interconnects.use",
+    "compute.networks.get",
+    "compute.networks.list",
+    "compute.networks.updatePolicy",
+    "compute.projects.get",
+    "compute.regionOperations.get",
+    "compute.regionOperations.list",
+    "compute.regions.get",
+    "compute.regions.list",
+    "compute.routers.create",
+    "compute.routers.delete",
+    "compute.routers.get",
+    "compute.routers.list",
+    "compute.routers.update",
+    "compute.routers.use",
+    "compute.routes.get",
+    "compute.routes.list",
+    "compute.subnetworks.get",
+    "compute.subnetworks.list",
+    "compute.zones.get",
+    "compute.zones.list",
+    "dns.changes.create",
+    "dns.changes.get",
+    "dns.changes.list",
+    "dns.dnsKeys.get",
+    "dns.dnsKeys.list",
+    "dns.managedZoneOperations.get",
+    "dns.managedZoneOperations.list",
+    "dns.managedZones.create",
+    "dns.managedZones.delete",
+    "dns.managedZones.get",
+    "dns.managedZones.getIamPolicy",
+    "dns.managedZones.list",
+    "dns.managedZones.update",
+    "dns.networks.bindDNSResponsePolicy",
+    "dns.networks.bindPrivateDNSPolicy",
+    "dns.networks.bindPrivateDNSZone",
+    "dns.networks.targetWithPeeringZone",
+    "dns.networks.useHealthSignals",
+    "dns.policies.create",
+    "dns.policies.delete",
+    "dns.policies.get",
+    "dns.policies.getIamPolicy",
+    "dns.policies.list",
+    "dns.policies.update",
+    "dns.projects.get",
+    "dns.resourceRecordSets.create",
+    "dns.resourceRecordSets.delete",
+    "dns.resourceRecordSets.get",
+    "dns.resourceRecordSets.list",
+    "dns.resourceRecordSets.update",
+    "dns.responsePolicies.create",
+    "dns.responsePolicies.delete",
+    "dns.responsePolicies.get",
+    "dns.responsePolicies.list",
+    "dns.responsePolicies.update",
+    "dns.responsePolicyRules.create",
+    "dns.responsePolicyRules.delete",
+    "dns.responsePolicyRules.get",
+    "dns.responsePolicyRules.list",
+    "dns.responsePolicyRules.update",
+    "networkconnectivity.internalRanges.create",
+    "networkconnectivity.internalRanges.delete",
+    "networkconnectivity.internalRanges.get",
+    "networkconnectivity.internalRanges.list",
+    "networkconnectivity.operations.get",
+    "networkconnectivity.operations.list",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.updateLiens"
+  ],
+  "name": "roles/oci.serviceAgent",
+  "stage": "ALPHA",
+  "title": "Cloud OCI Service Agent"
+}
diff --git a/roles/run.serviceAgent b/roles/run.serviceAgent
@@ -57,6 +57,8 @@
     "resourcemanager.projects.list",
     "run.routes.invoke",
     "serviceusage.services.use",
+    "storage.folders.get",
+    "storage.folders.list",
     "storage.managedFolders.get",
     "storage.managedFolders.list",
     "storage.objects.get",

diff --git a/roles/run.sourceDeveloper b/roles/run.sourceDeveloper
@@ -145,6 +145,9 @@
     "storage.buckets.create",
     "storage.buckets.get",
     "storage.buckets.list",
+    "storage.folders.create",
+    "storage.folders.get",
+    "storage.folders.list",
     "storage.managedFolders.create",
     "storage.managedFolders.get",
     "storage.managedFolders.list",

diff --git a/roles/storage.objectAdmin b/roles/storage.objectAdmin
@@ -5,6 +5,11 @@
     "orgpolicy.policy.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.managedFolders.create",
     "storage.managedFolders.delete",
     "storage.managedFolders.get",

diff --git a/roles/storage.objectUser b/roles/storage.objectUser
@@ -5,6 +5,11 @@
     "orgpolicy.policy.get",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list",
+    "storage.folders.create",
+    "storage.folders.delete",
+    "storage.folders.get",
+    "storage.folders.list",
+    "storage.folders.rename",
     "storage.managedFolders.create",
     "storage.managedFolders.delete",
     "storage.managedFolders.get",

diff --git a/roles/vmwareengine.vmwareengineAdmin b/roles/vmwareengine.vmwareengineAdmin
@@ -81,6 +81,7 @@
     "vmwareengine.privateConnections.list",
     "vmwareengine.privateConnections.listPeeringRoutes",
     "vmwareengine.privateConnections.update",
+    "vmwareengine.projectState.get",
     "vmwareengine.services.use",
     "vmwareengine.services.view",
     "vmwareengine.subnets.get",