GCP IAM Updates Detected

roles/backupdr.backupvaultAccessor

@@ -23,6 +23,6 @@
     "backupdr.operations.list"
   ],
   "name": "roles/backupdr.backupvaultAccessor",
-  "stage": "BETA",
+  "stage": "GA",
   "title": "Backup and DR Backup Vault Accessor"
 }

roles/backupdr.backupvaultAdmin

@@ -25,6 +25,6 @@
     "backupdr.operations.list"
   ],
   "name": "roles/backupdr.backupvaultAdmin",
-  "stage": "BETA",
+  "stage": "GA",
   "title": "Backup and DR Backup Vault Admin"
 }

roles/backupdr.backupvaultLister

@@ -5,6 +5,6 @@
     "backupdr.backupVaults.list"
   ],
   "name": "roles/backupdr.backupvaultLister",
-  "stage": "BETA",
+  "stage": "GA",
   "title": "Backup and DR Backup Vault Lister"
 }

roles/backupdr.backupvaultViewer

@@ -12,6 +12,6 @@
     "backupdr.operations.list"
   ],
   "name": "roles/backupdr.backupvaultViewer",
-  "stage": "BETA",
+  "stage": "GA",
   "title": "Backup and DR Backup Vault Viewer"
 }

roles/batch.serviceAgent

@@ -216,7 +216,6 @@
     "compute.licenseCodes.getIamPolicy",
     "compute.licenseCodes.list",
     "compute.licenseCodes.update",
-    "compute.licenseCodes.use",
     "compute.licenses.create",
     "compute.licenses.delete",
     "compute.licenses.get",
@@ -241,7 +240,6 @@
     "compute.networkEndpointGroups.deleteTagBinding",
     "compute.networkEndpointGroups.detachNetworkEndpoints",
     "compute.networkEndpointGroups.get",
-    "compute.networkEndpointGroups.getIamPolicy",
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",

roles/bigquerydatapolicy.admin

@@ -0,0 +1,16 @@
+{
+  "description": "Role for managing Data Policies in BigQuery",
+  "etag": "AA==",
+  "includedPermissions": [
+    "bigquery.dataPolicies.create",
+    "bigquery.dataPolicies.delete",
+    "bigquery.dataPolicies.get",
+    "bigquery.dataPolicies.getIamPolicy",
+    "bigquery.dataPolicies.list",
+    "bigquery.dataPolicies.setIamPolicy",
+    "bigquery.dataPolicies.update"
+  ],
+  "name": "roles/bigquerydatapolicy.admin",
+  "stage": "ALPHA",
+  "title": "BigQuery Data Policy Admin"
+}

roles/bigquerydatapolicy.viewer

@@ -0,0 +1,11 @@
+{
+  "description": "Role for viewing Data Policies in BigQuery",
+  "etag": "AA==",
+  "includedPermissions": [
+    "bigquery.dataPolicies.get",
+    "bigquery.dataPolicies.list"
+  ],
+  "name": "roles/bigquerydatapolicy.viewer",
+  "stage": "ALPHA",
+  "title": "BigQuery Data Policy Viewer"
+}

roles/blockchainvalidatormanager.admin

@@ -0,0 +1,11 @@
+{
+  "description": "Full access to Blockchain Validator Config resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/blockchainvalidatormanager.admin",
+  "stage": "ALPHA",
+  "title": "Blockchain Validator Config Admin"
+}

roles/blockchainvalidatormanager.viewer

@@ -0,0 +1,11 @@
+{
+  "description": "Readonly access to Blockchain Validator Config resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/blockchainvalidatormanager.viewer",
+  "stage": "ALPHA",
+  "title": "Blockchain Validator Config Viewer"
+}

roles/chronicle.soarServiceAgent

@@ -3,6 +3,8 @@
   "etag": "AA==",
   "includedPermissions": [
     "cloudasset.assets.analyzeIamPolicy",
+    "cloudasset.assets.exportIamPolicy",
+    "cloudasset.assets.exportResource",
     "cloudasset.assets.searchAllIamPolicies",
     "cloudasset.assets.searchAllResources",
     "compute.firewalls.get",

roles/cloudcontrolspartner.admin

@@ -3,6 +3,8 @@
   "etag": "AA==",
   "includedPermissions": [
     "cloudcontrolspartner.accessapprovalrequests.list",
+    "cloudcontrolspartner.customers.create",
+    "cloudcontrolspartner.customers.delete",
     "cloudcontrolspartner.customers.get",
     "cloudcontrolspartner.customers.list",
     "cloudcontrolspartner.ekmconnections.get",

roles/cloudcontrolspartner.editor

@@ -3,6 +3,8 @@
   "etag": "AA==",
   "includedPermissions": [
     "cloudcontrolspartner.accessapprovalrequests.list",
+    "cloudcontrolspartner.customers.create",
+    "cloudcontrolspartner.customers.delete",
     "cloudcontrolspartner.customers.get",
     "cloudcontrolspartner.customers.list",
     "cloudcontrolspartner.ekmconnections.get",

roles/cloudcontrolspartner.supportCaseServiceAgent

@@ -5,6 +5,6 @@
     "cloudsupport.techCases.get"
   ],
   "name": "roles/cloudcontrolspartner.supportCaseServiceAgent",
-  "stage": "ALPHA",
+  "stage": "GA",
   "title": "Cloud Controls Partner Support Case Service Agent"
 }

roles/cloudfunctions.admin

@@ -37,16 +37,46 @@
     "eventarc.channels.setIamPolicy",
     "eventarc.channels.undelete",
     "eventarc.channels.update",
+    "eventarc.enrollments.create",
+    "eventarc.enrollments.delete",
+    "eventarc.enrollments.get",
+    "eventarc.enrollments.getIamPolicy",
+    "eventarc.enrollments.list",
+    "eventarc.enrollments.setIamPolicy",
+    "eventarc.enrollments.update",
     "eventarc.events.receiveAuditLogWritten",
     "eventarc.events.receiveEvent",
+    "eventarc.googleApiSources.create",
+    "eventarc.googleApiSources.delete",
+    "eventarc.googleApiSources.get",
+    "eventarc.googleApiSources.getIamPolicy",
+    "eventarc.googleApiSources.list",
+    "eventarc.googleApiSources.setIamPolicy",
+    "eventarc.googleApiSources.update",
     "eventarc.googleChannelConfigs.get",
     "eventarc.googleChannelConfigs.update",
     "eventarc.locations.get",
     "eventarc.locations.list",
+    "eventarc.messageBuses.create",
+    "eventarc.messageBuses.delete",
+    "eventarc.messageBuses.get",
+    "eventarc.messageBuses.getIamPolicy",
+    "eventarc.messageBuses.list",
+    "eventarc.messageBuses.publish",
+    "eventarc.messageBuses.setIamPolicy",
+    "eventarc.messageBuses.update",
+    "eventarc.messageBuses.use",
     "eventarc.operations.cancel",
     "eventarc.operations.delete",
     "eventarc.operations.get",
     "eventarc.operations.list",
+    "eventarc.pipelines.create",
+    "eventarc.pipelines.delete",
+    "eventarc.pipelines.get",
+    "eventarc.pipelines.getIamPolicy",
+    "eventarc.pipelines.list",
+    "eventarc.pipelines.setIamPolicy",
+    "eventarc.pipelines.update",
     "eventarc.providers.get",
     "eventarc.providers.list",
     "eventarc.triggers.create",

roles/cloudfunctions.developer

@@ -33,6 +33,18 @@
     "eventarc.channels.publish",
     "eventarc.channels.undelete",
     "eventarc.channels.update",
+    "eventarc.enrollments.create",
+    "eventarc.enrollments.delete",
+    "eventarc.enrollments.get",
+    "eventarc.enrollments.getIamPolicy",
+    "eventarc.enrollments.list",
+    "eventarc.enrollments.update",
+    "eventarc.googleApiSources.create",
+    "eventarc.googleApiSources.delete",
+    "eventarc.googleApiSources.get",
+    "eventarc.googleApiSources.getIamPolicy",
+    "eventarc.googleApiSources.list",
+    "eventarc.googleApiSources.update",
     "eventarc.googleChannelConfigs.get",
     "eventarc.googleChannelConfigs.update",
     "eventarc.locations.get",
@@ -41,6 +53,12 @@
     "eventarc.operations.delete",
     "eventarc.operations.get",
     "eventarc.operations.list",
+    "eventarc.pipelines.create",
+    "eventarc.pipelines.delete",
+    "eventarc.pipelines.get",
+    "eventarc.pipelines.getIamPolicy",
+    "eventarc.pipelines.list",
+    "eventarc.pipelines.update",
     "eventarc.providers.get",
     "eventarc.providers.list",
     "eventarc.triggers.create",

roles/cloudfunctions.serviceAgent

@@ -90,6 +90,18 @@
     "eventarc.channels.publish",
     "eventarc.channels.undelete",
     "eventarc.channels.update",
+    "eventarc.enrollments.create",
+    "eventarc.enrollments.delete",
+    "eventarc.enrollments.get",
+    "eventarc.enrollments.getIamPolicy",
+    "eventarc.enrollments.list",
+    "eventarc.enrollments.update",
+    "eventarc.googleApiSources.create",
+    "eventarc.googleApiSources.delete",
+    "eventarc.googleApiSources.get",
+    "eventarc.googleApiSources.getIamPolicy",
+    "eventarc.googleApiSources.list",
+    "eventarc.googleApiSources.update",
     "eventarc.googleChannelConfigs.get",
     "eventarc.googleChannelConfigs.update",
     "eventarc.locations.get",
@@ -98,6 +110,12 @@
     "eventarc.operations.delete",
     "eventarc.operations.get",
     "eventarc.operations.list",
+    "eventarc.pipelines.create",
+    "eventarc.pipelines.delete",
+    "eventarc.pipelines.get",
+    "eventarc.pipelines.getIamPolicy",
+    "eventarc.pipelines.list",
+    "eventarc.pipelines.update",
     "eventarc.providers.get",
     "eventarc.providers.list",
     "eventarc.triggers.create",

roles/cloudfunctions.viewer

@@ -18,11 +18,24 @@
     "eventarc.channels.get",
     "eventarc.channels.getIamPolicy",
     "eventarc.channels.list",
+    "eventarc.enrollments.get",
+    "eventarc.enrollments.getIamPolicy",
+    "eventarc.enrollments.list",
+    "eventarc.googleApiSources.get",
+    "eventarc.googleApiSources.getIamPolicy",
+    "eventarc.googleApiSources.list",
     "eventarc.googleChannelConfigs.get",
     "eventarc.locations.get",
     "eventarc.locations.list",
+    "eventarc.messageBuses.get",
+    "eventarc.messageBuses.getIamPolicy",
+    "eventarc.messageBuses.list",
+    "eventarc.messageBuses.use",
     "eventarc.operations.get",
     "eventarc.operations.list",
+    "eventarc.pipelines.get",
+    "eventarc.pipelines.getIamPolicy",
+    "eventarc.pipelines.list",
     "eventarc.providers.get",
     "eventarc.providers.list",
     "eventarc.triggers.get",

roles/cloudmigration.inframanager

@@ -53,7 +53,6 @@
     "compute.licenseCodes.get",
     "compute.licenseCodes.list",
     "compute.licenseCodes.update",
-    "compute.licenseCodes.use",
     "compute.licenses.get",
     "compute.licenses.list",
     "compute.machineTypes.get",

roles/cloudtpu.serviceAgent

@@ -335,7 +335,6 @@
     "compute.licenseCodes.list",
     "compute.licenseCodes.setIamPolicy",
     "compute.licenseCodes.update",
-    "compute.licenseCodes.use",
     "compute.licenses.create",
     "compute.licenses.delete",
     "compute.licenses.get",
@@ -369,11 +368,9 @@
     "compute.networkEndpointGroups.deleteTagBinding",
     "compute.networkEndpointGroups.detachNetworkEndpoints",
     "compute.networkEndpointGroups.get",
-    "compute.networkEndpointGroups.getIamPolicy",
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
-    "compute.networkEndpointGroups.setIamPolicy",
     "compute.networkEndpointGroups.use",
     "compute.networks.access",
     "compute.networks.addPeering",

roles/composer.serviceAgent

@@ -425,7 +425,6 @@
     "compute.licenseCodes.list",
     "compute.licenseCodes.setIamPolicy",
     "compute.licenseCodes.update",
-    "compute.licenseCodes.use",
     "compute.licenses.create",
     "compute.licenses.delete",
     "compute.licenses.get",
@@ -459,11 +458,9 @@
     "compute.networkEndpointGroups.deleteTagBinding",
     "compute.networkEndpointGroups.detachNetworkEndpoints",
     "compute.networkEndpointGroups.get",
-    "compute.networkEndpointGroups.getIamPolicy",
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
-    "compute.networkEndpointGroups.setIamPolicy",
     "compute.networkEndpointGroups.use",
     "compute.networks.access",
     "compute.networks.addPeering",
@@ -1297,6 +1294,7 @@
     "iam.serviceAccounts.actAs",
     "iam.serviceAccounts.get",
     "iam.serviceAccounts.getAccessToken",
+    "iam.serviceAccounts.getOpenIdToken",
     "iam.serviceAccounts.list",
     "logging.buckets.create",
     "logging.buckets.createTagBinding",
@@ -1344,6 +1342,8 @@
     "logging.sinks.get",
     "logging.sinks.list",
     "logging.sinks.update",
+    "logging.sqlAlerts.create",
+    "logging.sqlAlerts.update",
     "logging.views.create",
     "logging.views.delete",
     "logging.views.get",

roles/compute.admin

@@ -364,7 +364,6 @@
     "compute.licenseCodes.list",
     "compute.licenseCodes.setIamPolicy",
     "compute.licenseCodes.update",
-    "compute.licenseCodes.use",
     "compute.licenses.create",
     "compute.licenses.delete",
     "compute.licenses.get",
@@ -403,11 +402,9 @@
     "compute.networkEndpointGroups.deleteTagBinding",
     "compute.networkEndpointGroups.detachNetworkEndpoints",
     "compute.networkEndpointGroups.get",
-    "compute.networkEndpointGroups.getIamPolicy",
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
-    "compute.networkEndpointGroups.setIamPolicy",
     "compute.networkEndpointGroups.use",
     "compute.networks.access",
     "compute.networks.addPeering",
@@ -676,13 +673,11 @@
     "compute.securityPolicies.delete",
     "compute.securityPolicies.deleteTagBinding",
     "compute.securityPolicies.get",
-    "compute.securityPolicies.getIamPolicy",
     "compute.securityPolicies.list",
     "compute.securityPolicies.listEffectiveTags",
     "compute.securityPolicies.listTagBindings",
     "compute.securityPolicies.move",
     "compute.securityPolicies.removeAssociation",
-    "compute.securityPolicies.setIamPolicy",
     "compute.securityPolicies.setLabels",
     "compute.securityPolicies.update",
     "compute.securityPolicies.use",

roles/compute.instanceAdmin

@@ -157,11 +157,9 @@
     "compute.networkEndpointGroups.deleteTagBinding",
     "compute.networkEndpointGroups.detachNetworkEndpoints",
     "compute.networkEndpointGroups.get",
-    "compute.networkEndpointGroups.getIamPolicy",
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
-    "compute.networkEndpointGroups.setIamPolicy",
     "compute.networkEndpointGroups.use",
     "compute.networks.get",
     "compute.networks.list",