IAM permissions change log

This page describes changes to the public Identity and Access Management (IAM) permissions for all Generally Available (GA) and Preview services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

For changes that occurred before 2022, see Archived permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

Upcoming IAM changes for the week of 2023-09-25

Service | Description

Chronicle

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.events.findUdmFieldValues

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

alloydb.instances.connect

Dataproc Metastore

The Dataproc Metastore Metadata Editor role (roles/metastore.metadataEditor) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Mutate Admin role (roles/metastore.metadataMutateAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Data Owner role (roles/metastore.metadataOwner) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Query Admin role (roles/metastore.metadataQueryAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata User role (roles/metastore.metadataUser) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Viewer role (roles/metastore.metadataViewer) has reached General Availability (GA).

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.getIamPolicy

Privileged Access Manager

The Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent) has reached General Availability (GA).

Rapid Migration Assessment

The following permissions have been added to the RMA Service Agent role (roles/rapidmigrationassessment.serviceAgent):

migrationcenter.sources.list

Chronicle

The following permissions have been added:

chronicle.events.findUdmFieldValues

Chronicle

The following permissions are supported in custom roles:

chronicle.events.findUdmFieldValues

Memorystore for Memcached

The following permissions have been added:

memcache.instances.upgrade

Memorystore for Memcached

The following permissions have reached General Availability (GA):

memcache.instances.upgrade

Dataproc Metastore

The following permissions have reached General Availability (GA):

metastore.services.mutateMetadata
metastore.services.queryMetadata

IAM changes as of 2023-09-22

Service | Description

Vertex AI

The Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin) has reached General Availability (GA).

Vertex AI

The Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser) has reached General Availability (GA).

Vertex AI

The Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin) has reached General Availability (GA).

Vertex AI

The Notebook Runtime User role (roles/aiplatform.notebookRuntimeUser) has reached General Availability (GA).

Anthos Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.networkEndpointGroups.use
networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
networkservices.endpointPolicies.create
networkservices.endpointPolicies.delete
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.update
networkservices.endpointPolicies.use
networkservices.gateways.create
networkservices.gateways.delete
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.update
networkservices.gateways.use
networkservices.grpcRoutes.create
networkservices.grpcRoutes.delete
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.update
networkservices.grpcRoutes.use
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.update
networkservices.httpFilters.use
networkservices.httpRoutes.create
networkservices.httpRoutes.delete
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.update
networkservices.httpRoutes.use
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.update
networkservices.meshes.use
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update
networkservices.tcpRoutes.create
networkservices.tcpRoutes.delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.update
networkservices.tcpRoutes.use
networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use

Dataform

The Dataform Admin role (roles/dataform.admin) has reached General Availability (GA).

Dataform

The Dataform Editor role (roles/dataform.editor) has reached General Availability (GA).

Dataform

The Dataform Viewer role (roles/dataform.viewer) has reached General Availability (GA).

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Developer role (roles/datafusion.developer):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Operator role (roles/datafusion.operator):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Viewer role (roles/datafusion.viewer):

datafusion.instances.runtime

Dataplex

The Dataplex DataScan Creator role (roles/dataplex.dataScanCreator) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

datafusion.instances.runtime

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.useReadOnly

Cloud Workstations

The following permissions have been added to the Cloud Workstations Admin role (roles/workstations.admin):

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.zones.get
compute.zones.list

Advisory Notifications

The following permissions have been added:

advisorynotifications.settings.get
advisorynotifications.settings.update

Advisory Notifications

The following permissions are supported in custom roles:

advisorynotifications.settings.get
advisorynotifications.settings.update

Vertex AI

The following permissions have been added:

aiplatform.featureGroups.create
aiplatform.featureGroups.delete
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureGroups.update

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

Apigee

The following permissions have been added:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions are supported in custom roles:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions have reached General Availability (GA):

apigee.addonsconfig.get
apigee.addonsconfig.update

Chronicle

The following permissions have been added:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Chronicle

The following permissions are supported in custom roles:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Compute Engine

The following permissions have been added:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Compute Engine

The following permissions are supported in custom roles:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig

Compute Engine

The following permissions have reached General Availability (GA):

compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Dataform

The following permissions are supported in custom roles:

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.list
dataform.repositories.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.writeFile

Dataform

The following permissions have reached General Availability (GA):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dialogflow

The following permissions have been added:

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Network Services

The following permissions have been added:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Network Services

The following permissions are supported in custom roles:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Cloud OS Config

The following permissions have been added:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Policy Remediator Manager

The following permissions have been added:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Policy Remediator Manager

The following permissions are supported in custom roles:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Workflows

The following permissions have been added:

workflows.callbacks.list
workflows.workflows.listRevision

Workflows

The following permissions have reached General Availability (GA):

workflows.callbacks.list
workflows.workflows.listRevision

IAM changes as of 2023-09-17

Service | Description

Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Anthos Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Assured Workloads

The Assured Workloads Monitoring Service Agent role (roles/assuredworkloads.monitoringServiceAgent) has reached General Availability (GA).

Assured Workloads

The following permissions have been added to the Assured Workloads Reader role (roles/assuredworkloads.reader):

orgpolicy.policy.get

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Editor role (roles/baremetalsolution.editor):

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Instances Admin role (roles/baremetalsolution.instancesadmin):

baremetalsolution.osimages.list

Chronicle

The Chronicle API Restricted Data Access role (roles/chronicle.restrictedDataAccess) has been added with the following permissions:

chronicle.dataAccessScopes.permit
chronicle.googleapis.com/dataAccessScopes.permit

Chronicle

The Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer) has been added with the following permissions:

chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.events.batchGet
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.googleapis.com/entities.find
chronicle.googleapis.com/entities.findRelatedEntities
chronicle.googleapis.com/entities.get
chronicle.googleapis.com/entities.searchEntities
chronicle.googleapis.com/entities.summarize
chronicle.googleapis.com/entities.summarizeFromQuery
chronicle.googleapis.com/entityRiskScores.queryEntityRiskScores
chronicle.googleapis.com/events.batchGet
chronicle.googleapis.com/events.get
chronicle.googleapis.com/events.queryProductSourceStats
chronicle.googleapis.com/events.udmSearch
chronicle.googleapis.com/events.validateQuery
chronicle.googleapis.com/instances.get
chronicle.googleapis.com/instances.report
chronicle.googleapis.com/legacies.legacyBatchGetCases
chronicle.googleapis.com/legacies.legacyCalculateAlertStats
chronicle.googleapis.com/legacies.legacyFetchAlertsView
chronicle.googleapis.com/legacies.legacyFetchUdmSearchCsv
chronicle.googleapis.com/legacies.legacyFetchUdmSearchView
chronicle.googleapis.com/legacies.legacyFindAssetEvents
chronicle.googleapis.com/legacies.legacyFindRawLogs
chronicle.googleapis.com/legacies.legacyFindUdmEvents
chronicle.googleapis.com/legacies.legacyGetAlert
chronicle.googleapis.com/legacies.legacyGetFinding
chronicle.googleapis.com/legacies.legacyGetRuleCounts
chronicle.googleapis.com/legacies.legacyGetRulesTrends
chronicle.googleapis.com/legacies.legacyRunTestRule
chronicle.googleapis.com/legacies.legacySearchArtifactEvents
chronicle.googleapis.com/legacies.legacySearchAssetEvents
chronicle.googleapis.com/legacies.legacySearchFindings
chronicle.googleapis.com/legacies.legacySearchRawLogs
chronicle.googleapis.com/legacies.legacySearchRuleDetectionCountBuckets
chronicle.googleapis.com/legacies.legacySearchRuleDetectionEvents
chronicle.googleapis.com/legacies.legacySearchRuleResults
chronicle.googleapis.com/legacies.legacySearchRulesAlerts
chronicle.googleapis.com/legacies.legacySearchUserEvents
chronicle.googleapis.com/logs.get
chronicle.googleapis.com/logs.list
chronicle.googleapis.com/operations.get
chronicle.googleapis.com/operations.list
chronicle.googleapis.com/operations.wait
chronicle.googleapis.com/retrohunts.get
chronicle.googleapis.com/retrohunts.list
chronicle.googleapis.com/ruleDeployments.get
chronicle.googleapis.com/ruleDeployments.list
chronicle.googleapis.com/ruleExecutionErrors.list
chronicle.googleapis.com/rules.get
chronicle.googleapis.com/rules.list
chronicle.googleapis.com/rules.listRevisions
chronicle.googleapis.com/rules.verifyRuleText
chronicle.googleapis.com/signalGraphs.exploreNode
chronicle.googleapis.com/signalGraphs.initializeGraph
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents
chronicle.logs.get
chronicle.logs.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.signalGraphs.exploreNode
chronicle.signalGraphs.initializeGraph
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Controls Partner API

The Cloud Controls Partner Access Approval Service Agent role (roles/cloudcontrolspartner.accessApprovalServiceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The following permissions have been added to the Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin):

cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

storage.objects.get

Commerce Price Management

The following permissions have been added to the Commerce Price Management Private Offers Admin role (roles/commercepricemanagement.privateOffersAdmin):

commerceprice.privateoffers.sendEmail

Compute Engine

The Compute Future Reservation Admin role (roles/compute.futureReservationAdmin) has been added with the following permissions:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.cancel
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation User role (roles/compute.futureReservationUser) has been added with the following permissions:

compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation Viewer role (roles/compute.futureReservationViewer) has been added with the following permissions:

compute.futureReservations.get
compute.futureReservations.list
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Admin role (roles/connectors.endpointAttachmentAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Viewer role (roles/connectors.endpointAttachmentViewer):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Admin role (roles/connectors.managedZoneAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Viewer role (roles/connectors.managedZoneViewer):

connectors.locations.get
connectors.locations.list

Data Catalog

The following permissions have been added to the DataCatalog Data Steward role (roles/datacatalog.dataSteward):

datacatalog.relationships.list

Data Catalog

The following permissions have been added to the DataCatalog Entry Viewer role (roles/datacatalog.entryViewer):

datacatalog.relationships.list

Dataplex

The following permissions have been added to the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

resourcemanager.projects.get
resourcemanager.projects.list

Dataplex

The following permissions have been added to the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

resourcemanager.projects.get
resourcemanager.projects.list

Datastore

The Cloud Datastore Backups Admin role (roles/datastore.backupsAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Admin role (roles/datastore.backupSchedulesAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Viewer role (roles/datastore.backupSchedulesViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Backups Viewer role (roles/datastore.backupsViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Restore Admin role (roles/datastore.restoreAdmin) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.conversations.create

Sensitive Data Protection

The DLP Connections Admin role (roles/dlp.connectionsAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP Connections Viewer role (roles/dlp.connectionsReader) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

commerceprice.privateoffers.sendEmail

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

bigquery.datasets.update

Multi Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

compute.networkEndpointGroups.list

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.setIamPolicy

Basic Role

The following permissions have been added to the Owner role (roles/owner):

commerceprice.privateoffers.sendEmail

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.create
compute.images.get

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.useReadOnly

Vertex AI

The following permissions have been added:

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

BeyondCorp Enterprise

The following permissions have been added:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

BeyondCorp Enterprise

The following permissions are supported in custom roles:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

Certificate Manager

The following permissions have reached General Availability (GA):

certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.delete
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use

Cloud AI Companion API

The following permissions have been added:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Cloud AI Companion API

The following permissions are supported in custom roles:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Cloud Deploy

The following permissions have been added:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions have reached General Availability (GA):

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.retryJob

Cloud Quotas

The following permissions have been added:

cloudquotas.quotas.get
cloudquotas.quotas.update

Cloud Quotas

The following permissions are supported in custom roles:

cloudquotas.quotas.get
cloudquotas.quotas.update

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Price Management

The following permissions have been added:

commerceprice.privateoffers.sendEmail

Compute Engine

The following permissions have been added:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions are supported in custom roles:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions have reached General Availability (GA):

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

Contact Center AI Platform

The following permissions have reached General Availability (GA):

contactcenteraiplatform.contactCenters.program

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Contact Center AI Insights

The following permissions are supported in custom roles:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update

Dataproc

The following permissions have been added:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions are supported in custom roles:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions have reached General Availability (GA):

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Datastore

The following permissions have been added:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions are supported in custom roles:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions have reached General Availability (GA):

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Sensitive Data Protection

The following permissions have been added:

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.applyConsents
healthcare.fhirStores.rollback

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.rollback

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Network Services

The following permissions have been added:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Network Services

The following permissions are supported in custom roles:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Recommender

The following permissions have been added:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Cloud Run

The following permissions have been added:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions are supported in custom roles:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions have reached General Availability (GA):

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Secure Source Manager

The following permissions have been added:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Secure Source Manager

The following permissions are supported in custom roles:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Workload Manager

The following permissions have been added:

workloadmanager.actuations.create
workloadmanager.actuations.delete
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.create
workloadmanager.deployments.delete
workloadmanager.deployments.get
workloadmanager.deployments.list

IAM changes as of 2023-08-18

Service Description
Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

iam.serviceAccounts.getAccessToken

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights Service Agent role (roles/contactcenterinsights.serviceAgent):

storage.objects.create
storage.objects.update

Dataplex

The following permissions have been added to the Dataplex DataScan Administrator role (roles/dataplex.dataScanAdmin):

dataplex.operations.get
dataplex.operations.list

Dataplex

The following permissions have been added to the Dataplex DataScan Editor role (roles/dataplex.dataScanEditor):

dataplex.operations.get
dataplex.operations.list

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

compute.regionOperations.get

Cloud Storage

The Storage Object User role (roles/storage.objectUser) has reached General Availability (GA).

Vertex AI

The following permissions have been added:

aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.setIamPolicy

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Contact Center AI Platform

The following permissions have been added:

contactcenteraiplatform.contactCenters.program

Contact Center AI Platform

The following permissions are supported in custom roles:

contactcenteraiplatform.contactCenters.program

GKE Hub

The following permissions have been added:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions are supported in custom roles:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Recommender

The following permissions have been added:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

IAM changes as of 2023-08-11

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.routes.invoke
run.services.create
run.services.delete
run.services.get

Firebase Remote Config

The following permissions have been removed from the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.get
krmapihosting.operations.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

compute.networks.list
compute.routers.list

Google Cloud Migration Center

The following permissions have been added to the Migration Center Admin role (roles/migrationcenter.admin):

serviceusage.quotas.get

Google Cloud Migration Center

The following permissions have been added to the Migration Center Viewer role (roles/migrationcenter.viewer):

serviceusage.quotas.get

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

run.jobs.get
run.jobs.list

Security Command Center

The Security Center Attack Paths Reader role (roles/securitycenter.attackPathsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Editor role (roles/securitycenter.resourceValueConfigsEditor) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Viewer role (roles/securitycenter.resourceValueConfigsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Simulations Reader role (roles/securitycenter.simulationsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Valued Resources Reader role (roles/securitycenter.valuedResourcesViewer) has reached General Availability (GA).

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/reservations.create
bigqueryreservation.googleapis.com/reservations.delete
bigqueryreservation.googleapis.com/reservations.get
bigqueryreservation.googleapis.com/reservations.list
bigqueryreservation.googleapis.com/reservations.update

Commerce Agreement Publishing

The following permissions have been added:

commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update

Compute Engine

The following permissions have been added:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.futureReservations.setIamPolicy
compute.futureReservations.update
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy

Compute Engine

The following permissions are supported in custom roles:

compute.futureReservations.getIamPolicy
compute.futureReservations.setIamPolicy
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.setIamPolicy
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.detachNetworkEndpoints

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.issueModels.export

Contact Center AI Insights

The following permissions are supported in custom roles:

contactcenterinsights.issueModels.export

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.export

Datastore

The following permissions have been added:

datastore.databases.delete

Datastore

The following permissions have reached General Availability (GA):

datastore.databases.delete

Recommender

The following permissions have been added:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Security Command Center

The following permissions have been added:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions are supported in custom roles:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

IAM changes as of 2023-08-04

Service Description
Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

cloudasset.assets.searchAllResources

Firebase Remote Config

The following permissions have been added to the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

iam.serviceAccounts.actAs

Google Cloud Support

The following permissions have been added to the Tech Support Editor role (roles/cloudsupport.techSupportEditor):

cloudasset.assets.searchAllResources

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

bigquery.jobs.create
bigquery.tables.getData

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

discoveryengine.engines.update

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

iam.serviceAccounts.getOpenIdToken

GKE Dataplane Management

The Warp Run Service Agent role (roles/gkedataplanemanagement.warpRunServiceAgent) has reached General Availability (GA).

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list

Recommender

The Recommendations Exporter role (roles/recommender.exporter) has reached General Availability (GA).

Workload Manager

The following permissions have been added to the Workload Manager Service Agent role (roles/workloadmanager.serviceAgent):

config.resources.list

Cloud Workstations

The following permissions have been added to the Cloud Workstations User role (roles/workstations.user):

workstations.workstations.update

Apigee

The following permissions have been added:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions are supported in custom roles:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Content Warehouse

The following permissions have been added:

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Discovery Engine

The following permissions have been added:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.enrollSolutions
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.dataStores.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.models.create
discoveryengine.models.delete
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.models.pause
discoveryengine.models.resume
discoveryengine.models.tune
discoveryengine.models.update
discoveryengine.projects.get
discoveryengine.projects.provision
discoveryengine.projects.reportConsentChange
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.create
discoveryengine.servingConfigs.delete
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.update
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.batchCreate
discoveryengine.targetSites.create
discoveryengine.targetSites.delete
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.targetSites.update
discoveryengine.userEvents.fetchStats
discoveryengine.userEvents.purge
discoveryengine.widgetConfigs.get
discoveryengine.widgetConfigs.update

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.targetSites.batchCreate
discoveryengine.widgetConfigs.get
discoveryengine.widgetConfigs.update

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.use

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.use

Recommender

The following permissions have reached General Availability (GA):

recommender.resources.export

IAM changes as of 2023-07-28

Service Description
Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.userEvents.create

Apigee

The following permissions have been added:

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

Apigee

The following permissions are supported in custom roles:

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

BigQuery

The following permissions have been added:

bigquery.tables.replicateData

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.replicateData

Compute Engine

The following permissions are supported in custom roles:

compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.list

Compute Engine

The following permissions have reached General Availability (GA):

compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use

IAM changes as of 2023-07-21

Service Description
Vertex AI

The Vertex AI Notebook Service Agent role (roles/aiplatform.notebookServiceAgent) has reached General Availability (GA).

Analytics Hub

The Analytics Hub Subscription Owner role (roles/analyticshub.subscriptionOwner) has reached General Availability (GA).

Assured Workloads

The following permissions have been added to the Assured Workloads Editor role (roles/assuredworkloads.editor):

logging.cmekSettings.update
logging.googleapis.com/settings.update
logging.settings.update

Bare Metal Solution

The OS Images Viewer role (roles/baremetalsolution.osimagesviewer) has reached General Availability (GA).

Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list

Cloud Asset Inventory

The Effective Policies Service Agent role (roles/cloudasset.effectivePolicyServiceAgent) has reached General Availability (GA).

Cloud Build

The Cloud Build Connection Admin role (roles/cloudbuild.connectionAdmin) has reached General Availability (GA).

Cloud Build

The Cloud Build Connection Viewer role (roles/cloudbuild.connectionViewer) has reached General Availability (GA).

Cloud Build

The Cloud Build Read Only Token Accessor role (roles/cloudbuild.readTokenAccessor) has reached General Availability (GA).

Cloud Build

The Cloud Build Token Accessor role (roles/cloudbuild.tokenAccessor) has reached General Availability (GA).

Commerce Business Enablement

The following permissions have been added to the Commerce Business Enablement PaymentConfig Admin role (roles/commercebusinessenablement.paymentConfigAdmin):

commercebusinessenablement.partnerInfo.get

Commerce Business Enablement

The following permissions have been added to the Commerce Business Enablement PaymentConfig Viewer role (roles/commercebusinessenablement.paymentConfigViewer):

commercebusinessenablement.partnerInfo.get

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.conversations.converse

Basic Role

The following permissions have been added to the Editor role (roles/editor):

datastore.operations.get
datastore.operations.list

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

datastore.operations.get
datastore.operations.list

Analytics Hub

The following permissions have been added:

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Analytics Hub

The following permissions are supported in custom roles:

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Analytics Hub

The following permissions have reached General Availability (GA):

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Bare Metal Solution

The following permissions have been added:

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions are supported in custom roles:

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions have reached General Availability (GA):

baremetalsolution.osimages.list

Cloud Billing

The following permissions have been added:

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Billing

The following permissions are supported in custom roles:

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Billing

The following permissions have reached General Availability (GA):

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Build

The following permissions have been added:

cloudbuild.operations.get
cloudbuild.operations.list

Cloud Build

The following permissions are supported in custom roles:

cloudbuild.operations.get
cloudbuild.operations.list

Cloud Build

The following permissions have reached General Availability (GA):

cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update
cloudbuild.operations.get
cloudbuild.operations.list
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list

Compute Engine

The following permissions have been added:

compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings

Data Catalog

The following permissions have been added:

datacatalog.entries.createGlossaryCategory
datacatalog.entries.deleteGlossaryCategory
datacatalog.entries.updateGlossaryCategory
datacatalog.operations.list
datacatalog.relationships.createBelongsTo
datacatalog.relationships.deleteBelongsTo

Data Catalog

The following permissions are supported in custom roles:

datacatalog.entries.createGlossaryCategory
datacatalog.entries.deleteGlossaryCategory
datacatalog.entries.updateGlossaryCategory
datacatalog.relationships.createBelongsTo
datacatalog.relationships.deleteBelongsTo

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.activeDirectories.create
netapp.activeDirectories.delete
netapp.activeDirectories.get
netapp.activeDirectories.list
netapp.activeDirectories.update
netapp.kmsConfigs.create
netapp.kmsConfigs.delete
netapp.kmsConfigs.encrypt
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.kmsConfigs.update
netapp.kmsConfigs.verify
netapp.replications.create
netapp.replications.delete
netapp.replications.get
netapp.replications.list
netapp.replications.resume
netapp.replications.reverse
netapp.replications.stop
netapp.replications.update
netapp.snapshots.create
netapp.snapshots.delete
netapp.snapshots.get
netapp.snapshots.list
netapp.snapshots.update
netapp.storagePools.create
netapp.storagePools.delete
netapp.storagePools.get
netapp.storagePools.list
netapp.storagePools.update
netapp.volumes.create
netapp.volumes.delete
netapp.volumes.get
netapp.volumes.list
netapp.volumes.revert
netapp.volumes.update

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.kmsConfigs.create
netapp.kmsConfigs.delete
netapp.kmsConfigs.encrypt
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.kmsConfigs.update
netapp.kmsConfigs.verify
netapp.replications.create
netapp.replications.delete
netapp.replications.get
netapp.replications.list
netapp.replications.resume
netapp.replications.reverse
netapp.replications.stop
netapp.replications.update

Policy Simulator

The following permissions have been added:

policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.create
policysimulator.orgPolicyViolationsPreviews.get
policysimulator.orgPolicyViolationsPreviews.list

Recommender

The following permissions have been added:

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

Recommender

The following permissions have reached General Availability (GA):

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

IAM changes as of 2023-07-14

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store EntityType owner role (roles/aiplatform.entityTypeOwner):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Admin role (roles/aiplatform.featurestoreAdmin):

aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Viewer role (roles/aiplatform.featurestoreDataViewer):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Writer role (roles/aiplatform.featurestoreDataWriter):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Viewer role (roles/aiplatform.viewer):

aiplatform.featureViews.searchNearestEntities

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Mount User role (roles/backupdr.mountUser):

backupdr.managementServers.viewBackupPlans

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Restore User role (roles/backupdr.restoreUser):

backupdr.managementServers.viewBackupPlans

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.regionOperations.get
compute.regions.get
compute.snapshots.delete
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Compute Engine

The following permissions have been removed from the Compute Engine Service Agent role (roles/compute.serviceAgent):

compute.zoneOperations.get

Connectors

The Connectors Event Subscriptions Admin role (roles/connectors.eventSubscriptionAdmin) has reached General Availability (GA).

Connectors

The Connectors Event Subscriptions Viewer role (roles/connectors.eventSubscriptionViewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

aiplatform.featureViews.searchNearestEntities

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.projects.get

Basic Role

The following permissions have been added to the Owner role (roles/owner):

aiplatform.featureViews.searchNearestEntities

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

aiplatform.featureViews.searchNearestEntities

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added:

aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.featureViews.sync
aiplatform.featureViews.update

Commerce Offer Catalog

The following permissions have been added:

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list

Commerce Offer Catalog

The following permissions are supported in custom roles:

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list

Connectors

The following permissions have been added:

connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update
connectors.eventtypes.get
connectors.eventtypes.list

Connectors

The following permissions have reached General Availability (GA):

connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update
connectors.eventtypes.get
connectors.eventtypes.list

Data Catalog

The following permissions have been added:

datacatalog.catalogs.searchAll

Discovery Engine

The following permissions have been added:

discoveryengine.conversations.converse
discoveryengine.servingConfigs.search

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.conversations.converse

Network Connectivity Center

The following permissions have been added:

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Personalized Service Health

The following permissions have been added:

servicehealth.events.get
servicehealth.events.list
servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

Personalized Service Health

The following permissions are supported in custom roles:

servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

IAM changes as of 2023-06-30

Service Description
Cloud Key Management Service

The Cloud KMS Expert Raw AES-CBC Key Manager role (roles/cloudkms.expertRawAesCbc) has reached General Availability (GA).

Cloud Key Management Service

The Cloud KMS Expert Raw AES-CTR Key Manager role (roles/cloudkms.expertRawAesCtr) has reached General Availability (GA).

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

compute.networkAttachments.get
dns.networks.targetWithPeeringZone

Network Connectivity Center

The Group User role (roles/networkconnectivity.groupUser) has reached General Availability (GA).

Workload Certificate

The following permissions have been added to the Workload Certificate Service Agent role (roles/workloadcertificate.serviceAgent):

container.thirdPartyObjects.update

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
storage.buckets.list

BigQuery

The following permissions have been added:

bigquery.datasets.listSharedDatasetUsage

BigQuery

The following permissions are supported in custom roles:

bigquery.datasets.listSharedDatasetUsage

Cloud Key Management Service

The following permissions have been added:

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

Translation

The following permissions have been added:

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Translation

The following permissions are supported in custom roles:

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Translation

The following permissions have reached General Availability (GA):

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Cloud Config Manager API

The following permissions have been added:

config.resources.get
config.resources.list

Cloud Config Manager API

The following permissions are supported in custom roles:

config.resources.get
config.resources.list

Network Connectivity Center

The following permissions have been added:

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.setIamPolicy
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Security

The following permissions have been added:

networksecurity.firewallEndpointAssociations.create
networksecurity.firewallEndpointAssociations.delete
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpointAssociations.update
networksecurity.firewallEndpoints.create
networksecurity.firewallEndpoints.delete
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.firewallEndpoints.update
networksecurity.firewallEndpoints.use
networksecurity.securityProfileGroups.create
networksecurity.securityProfileGroups.delete
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfileGroups.update
networksecurity.securityProfileGroups.use
networksecurity.securityProfiles.create
networksecurity.securityProfiles.delete
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.update
networksecurity.securityProfiles.use

Cloud Spanner

The following permissions are supported in custom roles:

spanner.databases.update

IAM changes as of 2023-06-23

Service Description
Access Approval

The Access Approval Approver role (roles/accessapproval.approver) has reached General Availability (GA).

Access Approval

The Access Approval Config Editor role (roles/accessapproval.configEditor) has reached General Availability (GA).

Access Approval

The Access Approval Invalidator role (roles/accessapproval.invalidator) has reached General Availability (GA).

Access Approval

The Access Approval Viewer role (roles/accessapproval.viewer) has reached General Availability (GA).

Compute Engine

The following permissions have been added to the Compute Security Admin role (roles/compute.securityAdmin):

compute.routers.get
compute.routers.list

Security Command Center

The following permissions have been removed from the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
cloudsql.instances.get
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.list
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.get
container.operations.list
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
dlp.jobs.get
dlp.jobs.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.get
logging.locations.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.alertPolicies.get
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
securitycenter.assets.group
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list

Security Command Center

The following permissions have been removed from the Security Health Analytics Service Agent role (roles/securitycenter.securityHealthAnalyticsServiceAgent):

apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list