From 9671da0f2b5b4679e50cc20f4988746d6196c4fd Mon Sep 17 00:00:00 2001
From: jdyke
Date: Fri, 2 Feb 2024 12:55:49 +0000
Subject: [PATCH] GCP IAM Updates Detected

---
 roles/accesscontextmanager.policyAdmin | 12 -----
 roles/appengine.appViewer | 1 +
 roles/chronicle.limitedViewer | 1 +
 roles/chronicle.restrictedDataAccessViewer | 1 -
 roles/chronicle.viewer | 5 ++-
 roles/cloudasset.otherCloudConfigServiceAgent | 7 ---
 roles/ondemandscanning.serviceAgent | 1 +
 roles/owner | 3 +-
 roles/securesourcemanager.admin | 45 +++++++++++++++++++
 roles/viewer | 1 +
 roles/workloadmanager.admin | 3 --
 roles/workloadmanager.deploymentAdmin | 3 ++
 12 files changed, 58 insertions(+), 25 deletions(-)
 delete mode 100644 roles/cloudasset.otherCloudConfigServiceAgent
 create mode 100644 roles/securesourcemanager.admin

diff --git a/roles/accesscontextmanager.policyAdmin b/roles/accesscontextmanager.policyAdmin
index e29b646c..41c93252 100644
--- a/roles/accesscontextmanager.policyAdmin
+++ b/roles/accesscontextmanager.policyAdmin
@@ -8,18 +8,6 @@
  "accesscontextmanager.accessLevels.list",
  "accesscontextmanager.accessLevels.replaceAll",
  "accesscontextmanager.accessLevels.update",
- "accesscontextmanager.accessPolicies.create",
- "accesscontextmanager.accessPolicies.delete",
- "accesscontextmanager.accessPolicies.get",
- "accesscontextmanager.accessPolicies.getIamPolicy",
- "accesscontextmanager.accessPolicies.list",
- "accesscontextmanager.accessPolicies.setIamPolicy",
- "accesscontextmanager.accessPolicies.update",
- "accesscontextmanager.accessZones.create",
- "accesscontextmanager.accessZones.delete",
- "accesscontextmanager.accessZones.get",
- "accesscontextmanager.accessZones.list",
- "accesscontextmanager.accessZones.update",
  "accesscontextmanager.authorizedOrgsDescs.create",
  "accesscontextmanager.authorizedOrgsDescs.delete",
  "accesscontextmanager.authorizedOrgsDescs.get",
diff --git a/roles/appengine.appViewer b/roles/appengine.appViewer
index c60a5746..57532e81 100644
--- a/roles/appengine.appViewer
+++ b/roles/appengine.appViewer
@@ -3,6 +3,7 @@
  "etag": "AA==",
  "includedPermissions": [
  "appengine.applications.get",
+ "appengine.applications.listRuntimes",
  "appengine.instances.get",
  "appengine.instances.list",
  "appengine.operations.get",
diff --git a/roles/chronicle.limitedViewer b/roles/chronicle.limitedViewer
index da93bffb..b1bf053e 100644
--- a/roles/chronicle.limitedViewer
+++ b/roles/chronicle.limitedViewer
@@ -68,6 +68,7 @@
  "chronicle.multitenantDirectories.get",
  "chronicle.operations.get",
  "chronicle.operations.list",
+ "chronicle.operations.streamSearch",
  "chronicle.operations.wait",
  "chronicle.preferenceSets.get",
  "chronicle.preferenceSets.update",
diff --git a/roles/chronicle.restrictedDataAccessViewer b/roles/chronicle.restrictedDataAccessViewer
index 095e4c0c..59b6637f 100644
--- a/roles/chronicle.restrictedDataAccessViewer
+++ b/roles/chronicle.restrictedDataAccessViewer
@@ -5,7 +5,6 @@
  "chronicle.ais.createFeedback",
  "chronicle.ais.translateUdmQuery",
  "chronicle.ais.translateYlRule",
- "chronicle.dataAccessScopes.list",
  "chronicle.entities.find",
  "chronicle.entities.findRelatedEntities",
  "chronicle.entities.get",
diff --git a/roles/chronicle.viewer b/roles/chronicle.viewer
index 23d42e12..a33244fe 100644
--- a/roles/chronicle.viewer
+++ b/roles/chronicle.viewer
@@ -25,10 +25,10 @@
  "chronicle.dashboards.get",
  "chronicle.dashboards.list",
  "chronicle.dashboards.schedule",
- "chronicle.dataAccessScopes.list",
  "chronicle.entities.find",
  "chronicle.entities.findRelatedEntities",
  "chronicle.entities.get",
+ "chronicle.entities.list",
  "chronicle.entities.queryEntityRiskScoreModifications",
  "chronicle.entities.searchEntities",
  "chronicle.entities.summarize",
@@ -101,6 +101,7 @@
  "chronicle.multitenantDirectories.get",
  "chronicle.operations.get",
  "chronicle.operations.list",
+ "chronicle.operations.streamSearch",
  "chronicle.operations.wait",
  "chronicle.preferenceSets.get",
  "chronicle.preferenceSets.update",
@@ -122,6 +123,8 @@
  "chronicle.searchQueries.get",
  "chronicle.searchQueries.list",
  "chronicle.searchQueries.update",
+ "chronicle.watchlists.get",
+ "chronicle.watchlists.list",
  "resourcemanager.projects.get",
  "resourcemanager.projects.list"
  ],
diff --git a/roles/cloudasset.otherCloudConfigServiceAgent b/roles/cloudasset.otherCloudConfigServiceAgent
deleted file mode 100644
index 65df471b..00000000
--- a/roles/cloudasset.otherCloudConfigServiceAgent
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "description": "Service Agent used by other-cloud config to collect assets data from other-cloud.",
- "etag": "AA==",
- "name": "roles/cloudasset.otherCloudConfigServiceAgent",
- "stage": "GA",
- "title": "Other Cloud Config Service Agent"
-}
diff --git a/roles/ondemandscanning.serviceAgent b/roles/ondemandscanning.serviceAgent
index 82e77a23..1d6e8131 100644
--- a/roles/ondemandscanning.serviceAgent
+++ b/roles/ondemandscanning.serviceAgent
@@ -4,6 +4,7 @@
  "includedPermissions": [
  "artifactregistry.dockerimages.get",
  "artifactregistry.dockerimages.list",
+ "artifactregistry.files.download",
  "artifactregistry.files.get",
  "artifactregistry.files.list",
  "artifactregistry.locations.get",
diff --git a/roles/owner b/roles/owner
index 26c2a84d..0b0e084b 100644
--- a/roles/owner
+++ b/roles/owner
@@ -361,6 +361,7 @@
  "alloydb.instances.connect",
  "alloydb.instances.create",
  "alloydb.instances.delete",
+ "alloydb.instances.executeSql",
  "alloydb.instances.failover",
  "alloydb.instances.get",
  "alloydb.instances.injectFault",
@@ -7894,6 +7895,7 @@
  "retail.attributesConfigs.replaceCatalogAttribute",
  "retail.attributesConfigs.update",
  "retail.catalogs.completeQuery",
+ "retail.catalogs.exportAnalyticsMetrics",
  "retail.catalogs.import",
  "retail.catalogs.list",
  "retail.catalogs.update",
@@ -8233,7 +8235,6 @@
  "securityposture.postures.get",
  "securityposture.postures.list",
  "securityposture.postures.update",
- "securityposture.reports.create",
  "servicebroker.bindingoperations.get",
  "servicebroker.bindingoperations.list",
  "servicebroker.bindings.create",
diff --git a/roles/securesourcemanager.admin b/roles/securesourcemanager.admin
new file mode 100644
index 00000000..9191836b
--- /dev/null
+++ b/roles/securesourcemanager.admin
@@ -0,0 +1,45 @@
+{
+ "description": "Full access to all Secure Source Manager resources.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list",
+ "securesourcemanager.instances.access",
+ "securesourcemanager.instances.create",
+ "securesourcemanager.instances.createRepository",
+ "securesourcemanager.instances.delete",
+ "securesourcemanager.instances.get",
+ "securesourcemanager.instances.getIamPolicy",
+ "securesourcemanager.instances.list",
+ "securesourcemanager.instances.setIamPolicy",
+ "securesourcemanager.locations.get",
+ "securesourcemanager.locations.list",
+ "securesourcemanager.operations.cancel",
+ "securesourcemanager.operations.delete",
+ "securesourcemanager.operations.get",
+ "securesourcemanager.operations.list",
+ "securesourcemanager.repositories.create",
+ "securesourcemanager.repositories.delete",
+ "securesourcemanager.repositories.fetch",
+ "securesourcemanager.repositories.get",
+ "securesourcemanager.repositories.getIamPolicy",
+ "securesourcemanager.repositories.list",
+ "securesourcemanager.repositories.push",
+ "securesourcemanager.repositories.readIssues",
+ "securesourcemanager.repositories.readPullRequests",
+ "securesourcemanager.repositories.setIamPolicy",
+ "securesourcemanager.repositories.update",
+ "securesourcemanager.repositories.writeIssues",
+ "securesourcemanager.repositories.writePullRequests",
+ "securesourcemanager.sshkeys.create",
+ "securesourcemanager.sshkeys.createAny",
+ "securesourcemanager.sshkeys.delete",
+ "securesourcemanager.sshkeys.deleteAny",
+ "securesourcemanager.sshkeys.get",
+ "securesourcemanager.sshkeys.list",
+ "securesourcemanager.sshkeys.listAny"
+ ],
+ "name": "roles/securesourcemanager.admin",
+ "stage": "BETA",
+ "title": "Secure Source Manager Admin"
+}
diff --git a/roles/viewer b/roles/viewer
index 97e6ce68..16e21409 100644
--- a/roles/viewer
+++ b/roles/viewer
@@ -3378,6 +3378,7 @@
  "retail.attributesConfigs.exportCatalogAttributes",
  "retail.attributesConfigs.get",
  "retail.catalogs.completeQuery",
+ "retail.catalogs.exportAnalyticsMetrics",
  "retail.catalogs.list",
  "retail.controls.export",
  "retail.controls.get",
diff --git a/roles/workloadmanager.admin b/roles/workloadmanager.admin
index a5747955..fd6b07b1 100644
--- a/roles/workloadmanager.admin
+++ b/roles/workloadmanager.admin
@@ -10,17 +10,14 @@
  "compute.regions.list",
  "compute.subnetworks.list",
  "compute.zones.list",
- "dns.managedZones.list",
  "iam.serviceAccounts.list",
  "monitoring.timeSeries.list",
  "orgpolicy.policy.get",
  "resourcemanager.projects.get",
- "resourcemanager.projects.getIamPolicy",
  "resourcemanager.projects.list",
  "serviceusage.quotas.get",
  "serviceusage.services.get",
  "storage.buckets.list",
- "storage.objects.list",
  "workloadmanager.actuations.create",
  "workloadmanager.actuations.delete",
  "workloadmanager.actuations.get",
diff --git a/roles/workloadmanager.deploymentAdmin b/roles/workloadmanager.deploymentAdmin
index 7f6826c0..db12f485 100644
--- a/roles/workloadmanager.deploymentAdmin
+++ b/roles/workloadmanager.deploymentAdmin
@@ -10,13 +10,16 @@
  "compute.regions.list",
  "compute.subnetworks.list",
  "compute.zones.list",
+ "dns.managedZones.list",
  "iam.serviceAccounts.list",
  "monitoring.timeSeries.list",
  "resourcemanager.projects.get",
+ "resourcemanager.projects.getIamPolicy",
  "resourcemanager.projects.list",
  "serviceusage.quotas.get",
  "serviceusage.services.get",
  "storage.buckets.list",
+ "storage.objects.list",
  "workloadmanager.actuations.create",
  "workloadmanager.actuations.delete",
  "workloadmanager.actuations.get",