Archived permissions change log

This page provides an archive of changes to Identity and Access Management (IAM) permissions that occurred before 2022. For more recent changes, see IAM permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

Cloud IAM changes as of 2021-12-03

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.namespaces.create
Apigee Now GA

The role roles/apigee.apiAdminV2 (Apigee API Admin) is now GA.

Apigee Now GA

The role roles/apigee.apiReaderV2 (Apigee API Reader) is now GA.

Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

orgpolicy.policy.get
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
orgpolicy.policy.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

orgpolicy.policy.get
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

orgpolicy.policy.get
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

orgpolicy.policy.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

orgpolicy.policy.get
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

orgpolicy.policy.get
Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

orgpolicy.policy.get
AI Platform Role Updated

The following permissions have been added to the role roles/ml.serviceAgent (AI Platform Service Agent):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.admin (Storage Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.hmacKeyAdmin (Storage HMAC Key Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectCreator (Storage Object Creator):

orgpolicy.policy.get
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

orgpolicy.policy.get
Certificate Manager Added certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Certificate Manager Supported In Custom Roles certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Compute Engine Added compute.commitments.update
Compute Engine Supported In Custom Roles compute.commitments.update
Compute Engine Now GA compute.commitments.update
Cloud Commerce Consumer Procurement Added consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Cloud Commerce Consumer Procurement Supported In Custom Roles consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Data Connectors Added dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Data Connectors Supported In Custom Roles dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Dataflow Added dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Network Services Added networkservices.serviceBindings.create
networkservices.serviceBindings.delete
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceBindings.update
VM Migration Added vmmigration.datacenterConnectors.update
VM Migration Supported In Custom Roles vmmigration.datacenterConnectors.update

Cloud IAM changes as of 2021-11-12

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

resourcemanager.projects.get
resourcemanager.projects.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceEditor (Vertex AI Feature Store Resource Editor):

resourcemanager.projects.get
resourcemanager.projects.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceViewer (Vertex AI Feature Store Resource Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusterRoles.update
Apigee Now GA

The role roles/apigee.securityAdmin (Apigee Security Admin) is now GA.

Apigee Now GA

The role roles/apigee.securityViewer (Apigee Security Viewer) is now GA.

Apigee Role Updated

The following permissions have been added to the role roles/apigee.environmentAdmin (Apigee Environment Admin):

apigee.environments.update
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.loadBalancerAdmin (Compute Load Balancer Admin):

networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
Datastore Now GA

The role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Google Earth Engine Role Updated

The following permissions have been added to the role roles/earthengine.appsPublisher (Earth Engine Apps Publisher):

serviceusage.services.get
Enterprise Knowledge Graph Role Updated

The following permissions have been added to the role roles/enterpriseknowledgegraph.serviceAgent (Enterprise Knowledge Graph Service Agent):

bigquery.readsessions.getData
Firebase App Check Now GA

The role roles/firebaseappcheck.serviceAgent (Firebase App Check Service Agent) is now GA.

GKE Multi-Cloud Now GA

The role roles/gkemulticloud.admin (Anthos Multi-cloud Admin) is now GA.

GKE Multi-Cloud Now GA

The role roles/gkemulticloud.telemetryWriter (Anthos Multi-cloud Telemetry Writer) is now GA.

GKE Multi-Cloud Now GA

The role roles/gkemulticloud.viewer (Anthos Multi-cloud Viewer) is now GA.

Dataproc Metastore Role Updated

The following permissions have been added to the role roles/metastore.serviceAgent (Dataproc Metastore Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Monitoring Role Updated

The following permissions have been added to the role roles/monitoring.notificationServiceAgent (Monitoring Service Agent):

servicedirectory.networks.access
servicedirectory.services.resolve
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.subnetworks.use
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.spokeAdmin (Spoke Admin):

networkconnectivity.operations.get
networkconnectivity.operations.list
Security Command Center Now GA

The role roles/securitycenter.externalSystemsEditor (Security Center External Systems Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.findingsBulkMuteEditor (Security Center Findings Bulk Mute Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.findingsMuteSetter (Security Center Findings Mute Setter) is now GA.

Security Command Center Now GA

The role roles/securitycenter.muteConfigsEditor (Security Center Mute Configurations Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.muteConfigsViewer (Security Center Mute Configurations Viewer) is now GA.

Web Security Scanner Role Updated

The following permissions have been added to the role roles/websecurityscanner.serviceAgent (Cloud Web Security Scanner Service Agent):

cloudasset.assets.listResource
Vertex AI Added aiplatform.tensorboardRuns.batchCreate
aiplatform.tensorboardTimeSeries.batchCreate
aiplatform.tensorboardTimeSeries.batchRead
Apigee Added apigee.developerbalances.adjust
Apigee Supported In Custom Roles apigee.developerbalances.adjust
Apigee Now GA apigee.developerbalances.adjust
Artifact Registry Added artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
Artifact Registry Now GA artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
Compute Engine Added compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings
Compute Engine Now GA compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listTagBindings
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings
Datastore Added datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
Datastore Now GA datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
Datastream Added datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
Document AI Added documentai.datasetSchemas.get
documentai.datasetSchemas.update
documentai.datasets.get
documentai.datasets.update
documentai.processorTypes.get
Firebase App Check Added firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
GKE Hub Added gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update
GKE Hub Now GA gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update
GKE Multi-Cloud Added gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.azureClusters.generateAccessToken
GKE Multi-Cloud Now GA gkemulticloud.awsClusters.create
gkemulticloud.awsClusters.delete
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.getAdminKubeconfig
gkemulticloud.awsClusters.list
gkemulticloud.awsClusters.update
gkemulticloud.awsNodePools.create
gkemulticloud.awsNodePools.delete
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsNodePools.update
gkemulticloud.awsServerConfigs.get
gkemulticloud.azureClients.create
gkemulticloud.azureClients.delete
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.create
gkemulticloud.azureClusters.delete
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.getAdminKubeconfig
gkemulticloud.azureClusters.list
gkemulticloud.azureClusters.update
gkemulticloud.azureNodePools.create
gkemulticloud.azureNodePools.delete
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureNodePools.update
gkemulticloud.azureServerConfigs.get
gkemulticloud.operations.cancel
gkemulticloud.operations.delete
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
Identity and Access Management Added iam.denypolicies.create
iam.denypolicies.delete
iam.denypolicies.get
iam.denypolicies.list
iam.denypolicies.replace
iam.denypolicies.update
Identity and Access Management Added iam.googleapis.com/denypolicies.create
iam.googleapis.com/denypolicies.delete
iam.googleapis.com/denypolicies.get
iam.googleapis.com/denypolicies.list
iam.googleapis.com/denypolicies.replace
Cloud Run Added run.operations.delete
run.operations.get
run.operations.list
Cloud Run Now GA run.operations.delete
run.operations.get
run.operations.list
Security Command Center Added securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Command Center Supported In Custom Roles securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Command Center Now GA securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Video Stitcher API Added videostitcher.cdnKeys.create
videostitcher.cdnKeys.delete
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.cdnKeys.update
videostitcher.liveAdTagDetails.get
videostitcher.liveAdTagDetails.list
videostitcher.liveSessions.create
videostitcher.liveSessions.get
videostitcher.slates.create
videostitcher.slates.delete
videostitcher.slates.get
videostitcher.slates.list
videostitcher.slates.update
videostitcher.vodAdTagDetails.get
videostitcher.vodAdTagDetails.list
videostitcher.vodSessions.create
videostitcher.vodSessions.get
videostitcher.vodStitchDetails.get
videostitcher.vodStitchDetails.list

Cloud IAM changes as of 2021-10-22

Service Change Description
Anthos Support Now GA

The role roles/anthossupport.serviceAgent (Anthos Support Service Agent) is now GA.

Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

source.repos.get
source.repos.list
Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyDecrypterViaDelegation (Cloud KMS CryptoKey Decrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation (Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyEncrypterViaDelegation (Cloud KMS CryptoKey Encrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.expertRawPKCS1 (Cloud KMS Expert Raw PKCS#1 Key Manager) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.viewer (Cloud KMS Viewer) is now GA.

Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

dataproc.operations.cancel
Data Pipelines Now GA

The role roles/datapipelines.admin (Data pipelines Admin) is now GA.

Data Pipelines Now GA

The role roles/datapipelines.invoker (Data pipelines Invoker) is now GA.

Data Pipelines Now GA

The role roles/datapipelines.viewer (Data pipelines Viewer) is now GA.

Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.editor (Dataproc Editor):

dataproc.operations.cancel
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.update
Customer Usage Data Processing Now GA

The role roles/dataprocessing.dataSourceManager (Data Processing Controls Data Source Manager) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

storage.objects.create
Cloud Domains Now GA

The role roles/domains.admin (Cloud Domains Admin) is now GA.

Cloud Domains Now GA

The role roles/domains.viewer (Cloud Domains Viewer) is now GA.

Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

iam.serviceAccounts.actAs
Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.peeringAdmin (Google Cloud Managed Identities Peering Admin) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.peeringViewer (Google Cloud Managed Identities Peering Viewer) is now GA.

Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.useInternal
Security Command Center Now GA

The role roles/securitycenter.securityResponseServiceAgent (Google Cloud Security Response Service Agent) is now GA.

Cloud Key Management Service Added cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Cloud Key Management Service Supported In Custom Roles cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Cloud Key Management Service Now GA cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Compute Engine Added compute.reservations.update
Compute Engine Supported In Custom Roles compute.reservations.update
Data Pipelines Now GA datapipelines.pipelines.create
datapipelines.pipelines.delete
datapipelines.pipelines.get
datapipelines.pipelines.list
datapipelines.pipelines.run
datapipelines.pipelines.stop
datapipelines.pipelines.update
Cloud Domains Supported In Custom Roles domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
Cloud Domains Now GA domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
domains.registrations.configureContact
domains.registrations.configureDns
domains.registrations.configureManagement
domains.registrations.create
domains.registrations.delete
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.setIamPolicy
domains.registrations.update
Firebase Cloud Messaging Added firebasecloudmessaging.messages.create
Managed Service for Microsoft Active Directory Now GA managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update
reCAPTCHA Enterprise Added recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list

Cloud IAM changes as of 2021-10-01

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.machineTypes.get
dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list
Artifact Registry Role Updated

The following permissions have been added to the role roles/artifactregistry.serviceAgent (Artifact Registry Service Agent):

artifactregistry.repositories.downloadArtifacts
Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Connectors Now GA

The role roles/connectors.admin (Connector Admin) is now GA.

Connectors Now GA

The role roles/connectors.viewer (Connectors Viewer) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

datacatalog.categories.fineGrainedGet
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

resourcemanager.projects.updateLiens
GKE Hub Now GA

The role roles/gkehub.editor (GKE Hub Editor) is now GA.

Transcoder API Role Updated

The following permissions have been added to the role roles/transcoder.serviceAgent (Transcoder Service Agent):

transcoder.jobs.delete
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

firebaserules.rulesets.test
Connectors Added connectors.connections.create
connectors.connections.delete
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connections.update
connectors.connectors.get
connectors.connectors.list
connectors.locations.get
connectors.locations.list
connectors.operations.cancel
connectors.operations.delete
connectors.operations.get
connectors.operations.list
connectors.providers.get
connectors.providers.list
connectors.runtimeconfig.get
connectors.versions.get
connectors.versions.list
Connectors Supported In Custom Roles connectors.connections.create
connectors.connections.delete
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connections.update
connectors.connectors.get
connectors.connectors.list
connectors.locations.get
connectors.locations.list
connectors.operations.cancel
connectors.operations.delete
connectors.operations.get
connectors.operations.list
connectors.providers.get
connectors.providers.list
connectors.runtimeconfig.get
connectors.versions.get
connectors.versions.list
Connectors Now GA connectors.connections.create
connectors.connections.delete
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connections.update
connectors.connectors.get
connectors.connectors.list
connectors.locations.get
connectors.locations.list
connectors.operations.cancel
connectors.operations.delete
connectors.operations.get
connectors.operations.list
connectors.providers.get
connectors.providers.list
connectors.runtimeconfig.get
connectors.versions.get
connectors.versions.list

Cloud IAM changes as of 2021-09-24

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.configMaps.create
container.configMaps.delete
container.configMaps.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.admin (Cloud SQL Admin):

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.editor (Cloud SQL Editor):

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.viewer (Cloud SQL Viewer):

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.hostServiceAgentUser (Kubernetes Engine Host Service Agent User):

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update
dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.update
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.configWriter (Logs Configuration Writer):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Dataproc Metastore Role Updated

The following permissions have been added to the role roles/metastore.serviceAgent (Dataproc Metastore Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.addresses.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
Recommender Role Added

The role roles/recommender.bigQueryCapacityCommitmentsAdmin (Bigquery Slot Recommender Admin) has been added with the following permissions:

cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update
recommender.googleapis.com/bigqueryCapacityCommitmentsInsights.get
recommender.googleapis.com/bigqueryCapacityCommitmentsInsights.list
recommender.googleapis.com/bigqueryCapacityCommitmentsInsights.update
recommender.googleapis.com/bigqueryCapacityCommitmentsRecommendations.get
recommender.googleapis.com/bigqueryCapacityCommitmentsRecommendations.list
recommender.googleapis.com/bigqueryCapacityCommitmentsRecommendations.update
recommender.googleapis.com/locations.get
recommender.googleapis.com/locations.list
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Recommender Role Added

The role roles/recommender.bigQueryCapacityCommitmentsViewer (Bigquery Slot Recommender Viewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.googleapis.com/bigqueryCapacityCommitmentsInsights.get
recommender.googleapis.com/bigqueryCapacityCommitmentsInsights.list
recommender.googleapis.com/bigqueryCapacityCommitmentsRecommendations.get
recommender.googleapis.com/bigqueryCapacityCommitmentsRecommendations.list
recommender.googleapis.com/locations.get
recommender.googleapis.com/locations.list
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Datastore Added datastore.databases.getMetadata
Datastore Now GA datastore.databases.getMetadata
Cloud Integrations Added integrations.securityAuthConfigs.create
integrations.securityAuthConfigs.delete
integrations.securityAuthConfigs.get
integrations.securityAuthConfigs.list
integrations.securityAuthConfigs.update
integrations.securityExecutions.cancel
integrations.securityExecutions.get
integrations.securityExecutions.list
integrations.securityIntegTempVers.create
integrations.securityIntegTempVers.get
integrations.securityIntegTempVers.list
integrations.securityIntegrationVers.create
integrations.securityIntegrationVers.deploy
integrations.securityIntegrationVers.get
integrations.securityIntegrationVers.list
integrations.securityIntegrationVers.update
integrations.securityIntegrations.invoke
integrations.securityIntegrations.list
Recommender Added recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update
Recommender Supported In Custom Roles recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

Cloud IAM changes as of 2021-09-10

Service Change Description
BigQuery Added bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.restoreSnapshot
BigQuery Supported In Custom Roles bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.restoreSnapshot
Firebase Added firebase.playLinks.get
firebase.playLinks.list
firebase.playLinks.update
Firebase Supported In Custom Roles firebase.playLinks.get
firebase.playLinks.list
firebase.playLinks.update
Firebase Now GA firebase.playLinks.get
firebase.playLinks.list
firebase.playLinks.update

Cloud IAM changes as of 2021-08-30

Service Change Description
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.admin (Data Catalog Admin):

bigquery.connections.get
bigquery.routines.get
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.viewer (Data Catalog Viewer):

bigquery.connections.get
bigquery.routines.get
GKE Hub Now GA

The role roles/gkehub.gatewayReader (Connect Gateway Reader) is now GA.

GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

gkemulticloud.awsClusters.get
gkemulticloud.azureClusters.get
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.sslPolicies.use
Cloud OS Config Now GA

The role roles/osconfig.inventoryViewer (OS Inventory Viewer) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.vulnerabilityReportViewer (OS VulnerabilityReport Viewer) is now GA.

Security Command Center Now GA

The role roles/securitycenter.integrationExecutorServiceAgent (Security Center Integration Executor Service Agent) is now GA.

Storage Transfer Service Role Updated

The following permissions have been added to the role roles/storagetransfer.viewer (Storage Transfer Viewer):

storagetransfer.agentpools.get
storagetransfer.agentpools.list
Cloud OS Config Now GA osconfig.inventories.get
osconfig.inventories.list
osconfig.vulnerabilityReports.get
osconfig.vulnerabilityReports.list

Cloud IAM changes as of 2021-08-27

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.thirdPartyObjects.create
Bare Metal Solution Now GA

The role roles/baremetalsolution.instancesadmin (Bare Metal Solution Instances Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.instancesviewer (Bare Metal Solution Instances Viewer) is now GA.

Cloud Deploy Role Added

The role roles/clouddeploy.releaser (Cloud Deploy Releaser) has been added with the following permissions:

clouddeploy.deliveryPipelines.get
clouddeploy.googleapis.com/deliveryPipelines.get
clouddeploy.googleapis.com/locations.get
clouddeploy.googleapis.com/locations.list
clouddeploy.googleapis.com/operations.cancel
clouddeploy.googleapis.com/operations.delete
clouddeploy.googleapis.com/operations.get
clouddeploy.googleapis.com/operations.list
clouddeploy.googleapis.com/releases.create
clouddeploy.googleapis.com/releases.get
clouddeploy.googleapis.com/releases.list
clouddeploy.googleapis.com/rollouts.create
clouddeploy.googleapis.com/rollouts.get
clouddeploy.googleapis.com/rollouts.list
clouddeploy.googleapis.com/targets.get
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Role Updated

The following permissions have been added to the role roles/clouddeploy.serviceAgent (Cloud Deploy Service Agent):

cloudbuild.workerpools.use
Content Warehouse Role Updated

The following permissions have been added to the role roles/contentwarehouse.serviceAgent (Content Warehouse Service Agent):

cloudfunctions.functions.invoke
pubsub.topics.publish
pubsublite.topics.publish
Sensitive Data Protection Now GA

The role roles/dlp.orgdriver (DLP Organization Data Profiles Driver) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.projectdriver (DLP Project Data Profiles Driver) is now GA.

Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportResource
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.gatewayAdmin (Connect Gateway Admin):

serviceusage.services.get
Cloud Logging Now GA

The role roles/logging.fieldAccessor (Log Field Accessor) is now GA.

Apigee Added apigee.proxies.update
Apigee Supported In Custom Roles apigee.proxies.update
Apigee Now GA apigee.proxies.update
Bare Metal Solution Added baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
Bare Metal Solution Now GA baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
BigQuery Added bigquery.jobs.delete
BigQuery Supported In Custom Roles bigquery.jobs.delete
BigQuery Now GA bigquery.jobs.delete
Cloud Deploy Added clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.approve
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update
Cloud Deploy Supported In Custom Roles clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.approve
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update
Cloud Functions Added cloudfunctions.functions.generateUploadUrl
Compute Engine Added compute.forwardingRules.use
Dialogflow Added dialogflow.conversations.update
Dialogflow Now GA dialogflow.conversations.update
Cloud Integrations Added integrations.apigeeIntegrationVers.delete
Cloud Integrations Now GA integrations.apigeeIntegrationVers.delete
Cloud Logging Now GA logging.fields.access
Storage Transfer Service Added storagetransfer.agentpools.create
storagetransfer.agentpools.delete
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.update
Storage Transfer Service Now GA storagetransfer.agentpools.create
storagetransfer.agentpools.delete
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.update

Cloud IAM changes as of 2021-08-20

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.thirdPartyObjects.create
Bare Metal Solution Now GA

The role roles/baremetalsolution.instancesadmin (Bare Metal Solution Instances Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.instancesviewer (Bare Metal Solution Instances Viewer) is now GA.

Cloud Deploy Role Added

The role roles/clouddeploy.releaser (Cloud Deploy Releaser) has been added with the following permissions:

clouddeploy.deliveryPipelines.get
clouddeploy.googleapis.com/deliveryPipelines.get
clouddeploy.googleapis.com/locations.get
clouddeploy.googleapis.com/locations.list
clouddeploy.googleapis.com/operations.cancel
clouddeploy.googleapis.com/operations.delete
clouddeploy.googleapis.com/operations.get
clouddeploy.googleapis.com/operations.list
clouddeploy.googleapis.com/releases.create
clouddeploy.googleapis.com/releases.get
clouddeploy.googleapis.com/releases.list
clouddeploy.googleapis.com/rollouts.create
clouddeploy.googleapis.com/rollouts.get
clouddeploy.googleapis.com/rollouts.list
clouddeploy.googleapis.com/targets.get
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Role Updated

The following permissions have been added to the role roles/clouddeploy.serviceAgent (Cloud Deploy Service Agent):

cloudbuild.workerpools.use
Content Warehouse Role Updated

The following permissions have been added to the role roles/contentwarehouse.serviceAgent (Content Warehouse Service Agent):

cloudfunctions.functions.invoke
pubsub.topics.publish
pubsublite.topics.publish
Sensitive Data Protection Now GA

The role roles/dlp.orgdriver (DLP Organization Data Profiles Driver) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.projectdriver (DLP Project Data Profiles Driver) is now GA.

Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportResource
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.gatewayAdmin (Connect Gateway Admin):

serviceusage.services.get
Cloud Logging Now GA

The role roles/logging.fieldAccessor (Log Field Accessor) is now GA.

Apigee Added apigee.proxies.update
Apigee Supported In Custom Roles apigee.proxies.update
Apigee Now GA apigee.proxies.update
Bare Metal Solution Added baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
Bare Metal Solution Now GA baremetalsolution.instances.create
baremetalsolution.instances.get
baremetalsolution.instances.list
BigQuery Added bigquery.jobs.delete
BigQuery Supported In Custom Roles bigquery.jobs.delete
BigQuery Now GA bigquery.jobs.delete
Cloud Deploy Added clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.approve
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update
Cloud Deploy Supported In Custom Roles clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.approve
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update
Cloud Functions Added cloudfunctions.functions.generateUploadUrl
Compute Engine Added compute.forwardingRules.use
Dialogflow Added dialogflow.conversations.update
Dialogflow Now GA dialogflow.conversations.update
Cloud Integrations Added integrations.apigeeIntegrationVers.delete
Cloud Integrations Now GA integrations.apigeeIntegrationVers.delete
Cloud Logging Now GA logging.fields.access
Storage Transfer Service Added storagetransfer.agentpools.create
storagetransfer.agentpools.delete
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.update
Storage Transfer Service Now GA storagetransfer.agentpools.create
storagetransfer.agentpools.delete
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.update

Cloud IAM changes as of 2021-08-13

Service Change Description
Artifact Registry Now GA

The role roles/artifactregistry.admin (Artifact Registry Administrator) is now GA.

Artifact Registry Now GA

The role roles/artifactregistry.reader (Artifact Registry Reader) is now GA.

Artifact Registry Now GA

The role roles/artifactregistry.repoAdmin (Artifact Registry Repository Administrator) is now GA.

Artifact Registry Now GA

The role roles/artifactregistry.writer (Artifact Registry Writer) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.integrationsEditor (Cloud Build Integrations Editor) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.integrationsOwner (Cloud Build Integrations Owner) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.integrationsViewer (Cloud Build Integrations Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.update
Network Connectivity Center Now GA

The role roles/networkconnectivity.hubAdmin (Hub & Spoke Admin) is now GA.

Network Connectivity Center Now GA

The role roles/networkconnectivity.hubViewer (Hub & Spoke Viewer) is now GA.

Network Connectivity Center Now GA

The role roles/networkconnectivity.spokeAdmin (Spoke Admin) is now GA.

Speech-to-Text Now GA

The role roles/speech.admin (Cloud Speech Administrator) is now GA.

Speech-to-Text Now GA

The role roles/speech.client (Cloud Speech Client) is now GA.

Speech-to-Text Now GA

The role roles/speech.editor (Cloud Speech Editor) is now GA.

Artifact Registry Now GA artifactregistry.aptartifacts.create
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
Network Connectivity Center Now GA networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update
networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update
Network Services Added networkservices.endpointPolicies.create
networkservices.endpointPolicies.delete
networkservices.endpointPolicies.get
networkservices.endpointPolicies.getIamPolicy
networkservices.endpointPolicies.list
networkservices.endpointPolicies.setIamPolicy
networkservices.endpointPolicies.update
networkservices.endpointPolicies.use
Notebooks Added notebooks.instances.getHealth
Notebooks Now GA notebooks.instances.getHealth
Speech-to-Text Added speech.adaptations.execute
speech.customClasses.create
speech.customClasses.delete
speech.customClasses.get
speech.customClasses.list
speech.customClasses.update
speech.phraseSets.create
speech.phraseSets.delete
speech.phraseSets.get
speech.phraseSets.list
speech.phraseSets.update
Speech-to-Text Supported In Custom Roles speech.adaptations.execute
speech.customClasses.create
speech.customClasses.delete
speech.customClasses.get
speech.customClasses.list
speech.customClasses.update
speech.phraseSets.create
speech.phraseSets.delete
speech.phraseSets.get
speech.phraseSets.list
speech.phraseSets.update
Speech-to-Text Now GA speech.adaptations.execute
speech.customClasses.create
speech.customClasses.delete
speech.customClasses.get
speech.customClasses.list
speech.customClasses.update
speech.phraseSets.create
speech.phraseSets.delete
speech.phraseSets.get
speech.phraseSets.list
speech.phraseSets.update

Cloud IAM changes as of 2021-08-06

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.customCodeServiceAgent (Vertex AI Custom Code Service Agent):

bigquery.readsessions.getData
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

aiplatform.annotationSpecs.create
aiplatform.annotationSpecs.delete
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotationSpecs.update
aiplatform.annotations.create
aiplatform.annotations.delete
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.annotations.update
aiplatform.batchPredictionJobs.cancel
aiplatform.batchPredictionJobs.delete
aiplatform.customJobs.delete
aiplatform.dataItems.create
aiplatform.dataItems.delete
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataItems.update
aiplatform.dataLabelingJobs.cancel
aiplatform.dataLabelingJobs.create
aiplatform.dataLabelingJobs.delete
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasets.delete
aiplatform.datasets.export
aiplatform.datasets.list
aiplatform.edgeDeploymentJobs.create
aiplatform.edgeDeploymentJobs.delete
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.create
aiplatform.edgeDevices.delete
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.edgeDevices.update
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.list
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.entityTypes.writeFeatureValues
aiplatform.features.create
aiplatform.features.delete
aiplatform.features.get
aiplatform.features.list
aiplatform.features.update
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.importFeatures
aiplatform.featurestores.list
aiplatform.featurestores.readFeatures
aiplatform.featurestores.update
aiplatform.featurestores.writeFeatures
aiplatform.humanInTheLoops.create
aiplatform.humanInTheLoops.delete
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.humanInTheLoops.send
aiplatform.humanInTheLoops.update
aiplatform.hyperparameterTuningJobs.cancel
aiplatform.hyperparameterTuningJobs.create
aiplatform.hyperparameterTuningJobs.delete
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.create
aiplatform.indexEndpoints.delete
aiplatform.indexEndpoints.deploy
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.undeploy
aiplatform.indexEndpoints.update
aiplatform.indexes.create
aiplatform.indexes.delete
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.indexes.update
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.delete
aiplatform.modelDeploymentMonitoringJobs.delete
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.pause
aiplatform.modelDeploymentMonitoringJobs.resume
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.exportEvaluatedDataItems
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.models.delete
aiplatform.models.export
aiplatform.models.get
aiplatform.models.list
aiplatform.models.update
aiplatform.models.upload
aiplatform.nasJobs.cancel
aiplatform.nasJobs.create
aiplatform.nasJobs.delete
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.operations.list
aiplatform.pipelineJobs.cancel
aiplatform.pipelineJobs.create
aiplatform.pipelineJobs.delete
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.specialistPools.create
aiplatform.specialistPools.delete
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.create
aiplatform.studies.delete
aiplatform.studies.get
aiplatform.studies.list
aiplatform.studies.update
aiplatform.tensorboardExperiments.create
aiplatform.tensorboardExperiments.delete
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardExperiments.update
aiplatform.tensorboardExperiments.write
aiplatform.tensorboardRuns.create
aiplatform.tensorboardRuns.delete
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardRuns.update
aiplatform.tensorboardRuns.write
aiplatform.tensorboardTimeSeries.create
aiplatform.tensorboardTimeSeries.delete
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboardTimeSeries.update
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.cancel
aiplatform.trainingPipelines.create
aiplatform.trainingPipelines.delete
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.create
aiplatform.trials.delete
aiplatform.trials.get
aiplatform.trials.list
aiplatform.trials.update
Dialogflow Now GA

The role roles/dialogflow.entityTypeAdmin (Dialogflow Entity Type Admin) is now GA.

Dialogflow Now GA

The role roles/dialogflow.environmentEditor (Dialogflow Environment editor) is now GA.

Dialogflow Now GA

The role roles/dialogflow.flowEditor (Dialogflow Flow editor) is now GA.

Dialogflow Now GA

The role roles/dialogflow.intentAdmin (Dialogflow Intent Admin) is now GA.

Dialogflow Now GA

The role roles/dialogflow.testCaseAdmin (Dialogflow Test Case Admin) is now GA.

Dialogflow Now GA

The role roles/dialogflow.webhookAdmin (Dialogflow Webhook Admin) is now GA.

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationEditorRole (Apigee Integration Editor):

integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrations.invoke
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.spokeAdmin (Spoke Admin):

networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
Transcoder API Now GA

The role roles/transcoder.admin (Transcoder Admin) is now GA.

Transcoder API Now GA

The role roles/transcoder.viewer (Transcoder Viewer) is now GA.

Compute Engine Added compute.backendServices.getIamPolicy
compute.backendServices.setIamPolicy
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.setIamPolicy
Compute Engine Supported In Custom Roles compute.backendServices.getIamPolicy
compute.backendServices.setIamPolicy
Risk Manager Added riskmanager.operations.delete
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.get
riskmanager.policies.list
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review
riskmanager.reports.share
riskmanager.serviceAccount.create
riskmanager.settings.get
riskmanager.settings.update
Risk Manager Supported In Custom Roles riskmanager.settings.get
riskmanager.settings.update
Transcoder API Now GA transcoder.jobTemplates.create
transcoder.jobTemplates.delete
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
transcoder.jobs.list

Cloud IAM changes as of 2021-07-30

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

aiplatform.modelDeploymentMonitoringJobs.create
aiplatform.modelDeploymentMonitoringJobs.update
API Gateway Role Updated

The following permissions have been added to the role roles/apigateway.admin (ApiGateway Admin):

monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
servicemanagement.services.get
serviceusage.services.list
API Gateway Role Updated

The following permissions have been added to the role roles/apigateway.viewer (ApiGateway Viewer):

monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
servicemanagement.services.get
serviceusage.services.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.admin (Admin):

resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Editor):

resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.viewer (Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Now GA

The role roles/cloudbuild.builds.approver (Cloud Build Approver) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoOperator (Cloud KMS Crypto Operator) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.verifier (Cloud KMS CryptoKey Verifier) is now GA.

Contact Center AI Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

datalabeling.dataitems.get
datalabeling.dataitems.list
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.operations.get
datalabeling.operations.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.worker (Dataflow Worker):

autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.hubAgent (Dataproc Hub Agent):

logging.operations.get
logging.operations.list
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.worker (Dataproc Worker):

storage.multipartUploads.list
Enterprise Knowledge Graph Role Updated

The following permissions have been added to the role roles/enterpriseknowledgegraph.serviceAgent (Enterprise Knowledge Graph Service Agent):

bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Integrations Now GA

The role roles/integrations.apigeeIntegrationAdminRole (Apigee Integration Admin) is now GA.

Cloud Integrations Now GA

The role roles/integrations.apigeeIntegrationDeployerRole (Apigee Integration Deployer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.apigeeIntegrationEditorRole (Apigee Integration Editor) is now GA.

Cloud Integrations Now GA

The role roles/integrations.apigeeIntegrationInvokerRole (Apigee Integration Invoker) is now GA.

Cloud Integrations Now GA

The role roles/integrations.apigeeIntegrationsViewer (Apigee Integration Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.apigeeSuspensionResolver (Apigee Integration Approver) is now GA.

Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.viewer (Logs Viewer):

logging.operations.get
logging.operations.list
Media Asset Role Updated

The following permissions have been added to the role roles/mediaasset.serviceAgent (Media Asset Service Agent):

transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.thirdPartyObjects.delete
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

binaryauthorization.policy.get
logging.operations.get
logging.operations.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

binaryauthorization.policy.get
logging.operations.get
logging.operations.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

binaryauthorization.policy.get
logging.operations.get
logging.operations.list
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.legacyBucketWriter (Storage Legacy Bucket Writer):

storage.multipartUploads.list
Artifact Registry Added artifactregistry.aptartifacts.create
artifactregistry.yumartifacts.create
Cloud Build Added cloudbuild.builds.approve
Cloud Build Supported In Custom Roles cloudbuild.builds.approve
Cloud Build Now GA cloudbuild.builds.approve
Cloud Key Management Service Added cloudkms.cryptoKeyVersions.useToVerify
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listTagBindings
cloudkms.locations.generateRandomBytes
Cloud Key Management Service Supported In Custom Roles cloudkms.cryptoKeyVersions.useToVerify
cloudkms.locations.generateRandomBytes
Cloud Key Management Service Now GA cloudkms.cryptoKeyVersions.useToVerify
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listTagBindings
cloudkms.locations.generateRandomBytes
Data Pipelines Added datapipelines.pipelines.create
datapipelines.pipelines.delete
datapipelines.pipelines.get
datapipelines.pipelines.list
datapipelines.pipelines.run
datapipelines.pipelines.stop
datapipelines.pipelines.update
Firebase App Check Added firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
Cloud Integrations Now GA integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.delete
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update
integrations.apigeeCertificates.get
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update
integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.delete
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update
integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.delete
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve
Managed Service for Microsoft Active Directory Added managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update
Recommender Added recommender.resources.export
Recommender Supported In Custom Roles recommender.resources.export

Cloud IAM changes as of 2021-07-16

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.customResourceDefinitions.update
Cloud Build Now GA

The role roles/cloudbuild.workerPoolEditor (Cloud Build WorkerPool Editor) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.workerPoolOwner (Cloud Build WorkerPool Owner) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.workerPoolUser (Cloud Build WorkerPool User) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.workerPoolViewer (Cloud Build WorkerPool Viewer) is now GA.

Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Compliance Scanning Now GA

The role roles/compliancescanning.ServiceAgent (Compliance Scanning Service Agent) is now GA.

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkUser (Compute Network User):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.get
networkconnectivity.operations.list
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkViewer (Compute Network Viewer):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.get
networkconnectivity.operations.list
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.orgFirewallPolicyAdmin (Compute Organization Firewall Policy Admin):

compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.orgFirewallPolicyUser (Compute Organization Firewall Policy User):

compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.get
networkconnectivity.operations.list
Data Pipelines Now GA

The role roles/datapipelines.serviceAgent (Datapipelines Service Agent) is now GA.

GKE Multi-Cloud Role Updated

The following permissions have been added to the role roles/gkemulticloud.serviceAgent (Anthos Multi-Cloud Service Agent):

gkemulticloud.awsClusters.delete
gkemulticloud.awsNodePools.delete
gkemulticloud.azureClients.delete
gkemulticloud.azureClusters.delete
gkemulticloud.azureNodePools.delete
Vertex AI Added aiplatform.artifacts.delete
aiplatform.entityTypes.writeFeatureValues
aiplatform.executions.delete
aiplatform.metadataSchemas.delete
aiplatform.tensorboardExperiments.write
Cloud Build Added cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
cloudbuild.workerpools.use
Cloud Build Supported In Custom Roles cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
cloudbuild.workerpools.use
Cloud Build Now GA cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
cloudbuild.workerpools.use
GKE Multi-Cloud Added gkemulticloud.awsNodePools.update
gkemulticloud.azureNodePools.update
Cloud Monitoring Added monitoring.metricsScopes.link
Cloud Monitoring Supported In Custom Roles monitoring.metricsScopes.link
Policy Analyzer Added policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query
policyanalyzer.serviceAccountLastAuthenticationActivities.query
Pub/Sub Lite Added pubsublite.operations.get
pubsublite.operations.list
Pub/Sub Lite Now GA pubsublite.operations.get
pubsublite.operations.list

Cloud IAM changes as of 2021-07-02

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
Cloud Composer Now GA

The role roles/composer.ServiceAgentV2Ext (Cloud Composer v2 API Service Agent Extension) is now GA.

Visual Inspection AI Now GA

The role roles/visualinspection.editor (Visual Inspection AI Solution Editor) is now GA.

Visual Inspection AI Now GA

The role roles/visualinspection.usageMetricsReporter (Visual Inspection AI Usage Metrics Reporter) is now GA.

Visual Inspection AI Now GA

The role roles/visualinspection.viewer (Visual Inspection AI Viewer) is now GA.

Compute Engine Added compute.instances.sendDiagnosticInterrupt
Compute Engine Now GA compute.instances.sendDiagnosticInterrupt
Visual Inspection AI Added visualinspection.annotationSets.create
visualinspection.annotationSets.delete
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSets.update
visualinspection.annotationSpecs.create
visualinspection.annotationSpecs.delete
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.create
visualinspection.annotations.delete
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.annotations.update
visualinspection.datasets.create
visualinspection.datasets.delete
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.import
visualinspection.datasets.list
visualinspection.datasets.update
visualinspection.images.delete
visualinspection.images.get
visualinspection.images.list
visualinspection.images.update
visualinspection.locations.get
visualinspection.locations.list
visualinspection.locations.reportUsageMetrics
visualinspection.modelEvaluations.get
visualinspection.modelEvaluations.list
visualinspection.models.create
visualinspection.models.delete
visualinspection.models.get
visualinspection.models.list
visualinspection.models.update
visualinspection.models.writePrediction
visualinspection.modules.create
visualinspection.modules.delete
visualinspection.modules.get
visualinspection.modules.list
visualinspection.modules.update
visualinspection.operations.get
visualinspection.operations.list
visualinspection.solutionArtifacts.create
visualinspection.solutionArtifacts.delete
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutionArtifacts.update
visualinspection.solutions.create
visualinspection.solutions.delete
visualinspection.solutions.get
visualinspection.solutions.list
Visual Inspection AI Supported In Custom Roles visualinspection.annotationSets.create
visualinspection.annotationSets.delete
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSets.update
visualinspection.annotationSpecs.create
visualinspection.annotationSpecs.delete
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.create
visualinspection.annotations.delete
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.annotations.update
visualinspection.datasets.create
visualinspection.datasets.delete
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.import
visualinspection.datasets.list
visualinspection.datasets.update
visualinspection.images.delete
visualinspection.images.get
visualinspection.images.list
visualinspection.images.update
visualinspection.locations.get
visualinspection.locations.list
visualinspection.locations.reportUsageMetrics
visualinspection.modelEvaluations.get
visualinspection.modelEvaluations.list
visualinspection.models.create
visualinspection.models.delete
visualinspection.models.get
visualinspection.models.list
visualinspection.models.update
visualinspection.models.writePrediction
visualinspection.modules.create
visualinspection.modules.delete
visualinspection.modules.get
visualinspection.modules.list
visualinspection.modules.update
visualinspection.operations.get
visualinspection.operations.list
visualinspection.solutionArtifacts.create
visualinspection.solutionArtifacts.delete
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutionArtifacts.update
visualinspection.solutions.create
visualinspection.solutions.delete
visualinspection.solutions.get
visualinspection.solutions.list
Visual Inspection AI Now GA visualinspection.annotationSets.create
visualinspection.annotationSets.delete
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSets.update
visualinspection.annotationSpecs.create
visualinspection.annotationSpecs.delete
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.create
visualinspection.annotations.delete
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.annotations.update
visualinspection.datasets.create
visualinspection.datasets.delete
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.import
visualinspection.datasets.list
visualinspection.datasets.update
visualinspection.images.delete
visualinspection.images.get
visualinspection.images.list
visualinspection.images.update
visualinspection.locations.get
visualinspection.locations.list
visualinspection.locations.reportUsageMetrics
visualinspection.modelEvaluations.get
visualinspection.modelEvaluations.list
visualinspection.models.create
visualinspection.models.delete
visualinspection.models.get
visualinspection.models.list
visualinspection.models.update
visualinspection.models.writePrediction
visualinspection.modules.create
visualinspection.modules.delete
visualinspection.modules.get
visualinspection.modules.list
visualinspection.modules.update
visualinspection.operations.get
visualinspection.operations.list
visualinspection.solutionArtifacts.create
visualinspection.solutionArtifacts.delete
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutionArtifacts.update
visualinspection.solutions.create
visualinspection.solutions.delete
visualinspection.solutions.get
visualinspection.solutions.list

Cloud IAM changes as of 2021-06-25

Service Change Description
Bare Metal Solution Now GA

The role roles/baremetalsolution.admin (Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.editor (Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.viewer (Viewer) is now GA.

Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.admin (Cloud Functions Admin):

recommender.locations.get
recommender.locations.list
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.developer (Cloud Functions Developer):

recommender.locations.get
recommender.locations.list
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

recommender.locations.get
recommender.locations.list
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.viewer (Cloud Functions Viewer):

recommender.locations.get
recommender.locations.list
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.viewer (Kubernetes Engine Viewer):

container.deployments.getScale
container.statefulSets.getScale
container.storageStates.getStatus
container.storageVersionMigrations.getStatus
container.volumeSnapshotContents.getStatus
Container Threat Detection Role Updated

The following permissions have been added to the role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent):

container.deployments.getScale
container.statefulSets.getScale
container.storageStates.getStatus
container.storageVersionMigrations.getStatus
container.volumeSnapshotContents.getStatus
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.admin (Data Catalog Admin):

bigquery.connections.updateTag
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.tagEditor (Data Catalog Tag Editor):

bigquery.connections.updateTag
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.aamAdmin (AAM Admin):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.aamConversationalArchitect (AAM Conversational Architect):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.aamDialogDesigner (AAM Dialog Designer):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.aamLeadDialogDesigner (AAM Lead Dialog Designer):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.aamViewer (AAM Viewer):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.reader (Dialogflow API Reader):

dialogflow.agents.searchResources
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

dialogflow.agents.searchResources
Eventarc Role Updated

The following permissions have been added to the role roles/eventarc.serviceAgent (Eventarc Service Agent):

storage.buckets.get
storage.buckets.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

recommender.locations.get
recommender.locations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

recommender.locations.get
recommender.locations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

recommender.locations.get
recommender.locations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

recommender.locations.get
recommender.locations.list
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.hubAdmin (Hub & Spoke Admin):

networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.hubViewer (Hub & Spoke Viewer):

networkconnectivity.locations.get
networkconnectivity.locations.list
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.spokeAdmin (Spoke Admin):

networkconnectivity.locations.get
networkconnectivity.locations.list
Cloud Run Role Updated

The following permissions have been added to the role roles/run.admin (Cloud Run Admin):

recommender.locations.get
recommender.locations.list
Cloud Run Role Updated

The following permissions have been added to the role roles/run.developer (Cloud Run Developer):

recommender.locations.get
recommender.locations.list
Cloud Run Role Updated

The following permissions have been removed from the role roles/run.serviceAgent (Cloud Run Service Agent):

pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
Cloud Run Role Updated

The following permissions have been added to the role roles/run.viewer (Cloud Run Viewer):

recommender.locations.get
recommender.locations.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

container.deployments.getScale
container.statefulSets.getScale
container.storageStates.getStatus
container.storageVersionMigrations.getStatus
container.volumeSnapshotContents.getStatus
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

container.deployments.getScale
container.statefulSets.getScale
container.storageStates.getStatus
container.storageVersionMigrations.getStatus
container.volumeSnapshotContents.getStatus
Apigee Added apigee.runtimeconfigs.get
Apigee Supported In Custom Roles apigee.runtimeconfigs.get
Apigee Now GA apigee.runtimeconfigs.get
BigQuery Added bigquery.connections.updateTag
BigQuery Supported In Custom Roles bigquery.connections.updateTag
Dialogflow Added dialogflow.agents.searchResources
Dialogflow Now GA dialogflow.agents.searchResources
Firebase Cloud Messaging Data Added fcmdata.deliverydata.list
Firebase Cloud Messaging Data Supported In Custom Roles fcmdata.deliverydata.list
Live Stream Added livestream.channels.create
livestream.channels.delete
livestream.channels.get
livestream.channels.list
livestream.channels.start
livestream.channels.stop
livestream.channels.update
livestream.events.create
livestream.events.delete
livestream.events.get
livestream.events.list
livestream.inputs.create
livestream.inputs.delete
livestream.inputs.get
livestream.inputs.list
livestream.inputs.update
livestream.locations.get
livestream.locations.list
livestream.operations.cancel
livestream.operations.delete
livestream.operations.get
livestream.operations.list
Live Stream Supported In Custom Roles livestream.channels.create
livestream.channels.delete
livestream.channels.get
livestream.channels.list
livestream.channels.start
livestream.channels.stop
livestream.channels.update
livestream.events.create
livestream.events.delete
livestream.events.get
livestream.events.list
livestream.inputs.create
livestream.inputs.delete
livestream.inputs.get
livestream.inputs.list
livestream.inputs.update
livestream.locations.get
livestream.locations.list
livestream.operations.cancel
livestream.operations.delete
livestream.operations.get
livestream.operations.list
Pub/Sub Lite Added pubsublite.reservations.attachTopic
pubsublite.reservations.create
pubsublite.reservations.delete
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.reservations.update
Pub/Sub Lite Now GA pubsublite.reservations.attachTopic
pubsublite.reservations.create
pubsublite.reservations.delete
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.reservations.update
Cloud Storage Added storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listTagBindings
Cloud Storage Now GA storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listTagBindings

Cloud IAM changes as of 2021-06-18

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.editor (Assured Workloads Editor):

resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.reader (Assured Workloads Reader):

resourcemanager.folders.get
resourcemanager.folders.list
Dialogflow Now GA

The role roles/dialogflow.aamLeadDialogDesigner (AAM Lead Dialog Designer) is now GA.

Firestore Now GA

The role roles/firestore.serviceAgent (Firestore Service Agent) is now GA.

Apigee Added apigee.developerbalances.get
apigee.developerbalances.update
apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update
Apigee Supported In Custom Roles apigee.developerbalances.get
apigee.developerbalances.update
apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update
Apigee Now GA apigee.developerbalances.get
apigee.developerbalances.update
apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update
Dialogflow Added dialogflow.changelogs.get
dialogflow.changelogs.list
Dialogflow Now GA dialogflow.changelogs.get
dialogflow.changelogs.list
Cloud DNS Added dns.networks.bindDNSResponsePolicy
dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update
dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update
Cloud DNS Supported In Custom Roles dns.networks.bindDNSResponsePolicy
dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update
dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update
GKE Multi-Cloud Added gkemulticloud.awsServerConfigs.get
gkemulticloud.azureServerConfigs.get
Managed Service for Microsoft Active Directory Added managedidentities.sqlintegrations.get
managedidentities.sqlintegrations.list
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.sqlintegrations.get
managedidentities.sqlintegrations.list
Recommender Added recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyLateralMovementInsights.update
recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationInsights.update
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.update
Recommender Supported In Custom Roles recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyLateralMovementInsights.update
Recommender Now GA recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyLateralMovementInsights.update

Cloud IAM changes as of 2021-06-11

Service Change Description
BigQuery Now GA

The role roles/bigquery.filteredDataViewer (BigQuery Filtered Data Viewer) is now GA.

FleetEngine Now GA

The role roles/fleetengine.serviceAgent (FleetEngine Service Agent) is now GA.

Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.get
aiplatform.customJobs.list
BigQuery Added bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getFilteredData
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
BigQuery Supported In Custom Roles bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getFilteredData
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
BigQuery Now GA bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getFilteredData
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
Cloud Functions Added cloudfunctions.locations.get
Cloud Functions Now GA cloudfunctions.locations.get
Contact Center AI Insights Added contactcenterinsights.analyses.create
contactcenterinsights.analyses.delete
contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.conversations.create
contactcenterinsights.conversations.delete
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.conversations.update
contactcenterinsights.issueModels.create
contactcenterinsights.issueModels.delete
contactcenterinsights.issueModels.deploy
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issueModels.undeploy
contactcenterinsights.issueModels.update
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.issues.update
contactcenterinsights.operations.get
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.create
contactcenterinsights.phraseMatchers.delete
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.phraseMatchers.update
contactcenterinsights.settings.get
contactcenterinsights.settings.update
Cloud Healthcare API Added healthcare.fhirStores.configureSearch
Cloud Healthcare API Supported In Custom Roles healthcare.fhirStores.configureSearch
Cloud Healthcare API Now GA healthcare.fhirStores.configureSearch
Pub/Sub Lite Added pubsublite.subscriptions.seek
Pub/Sub Lite Now GA pubsublite.subscriptions.seek

Cloud IAM changes as of 2021-06-04

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.runtimeAgent (Apigee Runtime Agent):

apigee.organizations.get
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

artifactregistry.files.get
artifactregistry.files.list
artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list
Contact Center AI Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dialogflow.participants.suggest
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.admin (Data Catalog Admin):

bigquery.routines.updateTag
Data Catalog Role Updated

The following permissions have been added to the role roles/datacatalog.tagEditor (Data Catalog Tag Editor):

bigquery.routines.updateTag
Dialogflow Now GA

The role roles/dialogflow.aamAdmin (AAM Admin) is now GA.

Dialogflow Now GA

The role roles/dialogflow.aamConversationalArchitect (AAM Conversational Architect) is now GA.

Dialogflow Now GA

The role roles/dialogflow.aamDialogDesigner (AAM Dialog Designer) is now GA.

Dialogflow Now GA

The role roles/dialogflow.aamViewer (AAM Viewer) is now GA.

Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.admin (DLP Administrator):

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list
dlp.projectDataProfiles.get
dlp.projectDataProfiles.list
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
Enterprise Knowledge Graph Now GA

The role roles/enterpriseknowledgegraph.serviceAgent (Enterprise Knowledge Graph Service Agent) is now GA.

Essential Contacts Now GA

The role roles/essentialcontacts.admin (Essential Contacts Admin) is now GA.

Essential Contacts Now GA

The role roles/essentialcontacts.viewer (Essential Contacts Viewer) is now GA.

Explore Anthos Role Updated

The following permissions have been added to the role roles/exploreanthos.serviceAgent (Explore Anthos Service Agent):

serviceusage.services.use
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.networkEndpointGroups.get
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus
reCAPTCHA Enterprise Role Updated

The following permissions have been added to the role roles/recaptchaenterprise.admin (reCAPTCHA Enterprise Admin):

monitoring.timeSeries.list
reCAPTCHA Enterprise Role Updated

The following permissions have been added to the role roles/recaptchaenterprise.viewer (reCAPTCHA Enterprise Viewer):

monitoring.timeSeries.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

bigquery.datasets.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

bigquery.datasets.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

bigquery.datasets.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.legacyBucketReader (Storage Legacy Bucket Reader):

storage.multipartUploads.list
Vertex AI Added aiplatform.artifacts.create
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.artifacts.update
aiplatform.contexts.addContextArtifactsAndExecutions
aiplatform.contexts.addContextChildren
aiplatform.contexts.create
aiplatform.contexts.delete
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.contexts.update
aiplatform.edgeDeploymentJobs.create
aiplatform.edgeDeploymentJobs.delete
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.create
aiplatform.edgeDevices.delete
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.edgeDevices.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.list
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.executions.addExecutionEvents
aiplatform.executions.create
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.executions.update
aiplatform.features.create
aiplatform.features.delete
aiplatform.features.get
aiplatform.features.list
aiplatform.features.update
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.exportFeatures
aiplatform.featurestores.get
aiplatform.featurestores.importFeatures
aiplatform.featurestores.list
aiplatform.featurestores.readFeatures
aiplatform.featurestores.update
aiplatform.featurestores.writeFeatures
aiplatform.humanInTheLoops.create
aiplatform.humanInTheLoops.delete
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.humanInTheLoops.send
aiplatform.humanInTheLoops.update
aiplatform.indexEndpoints.create
aiplatform.indexEndpoints.delete
aiplatform.indexEndpoints.deploy
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.undeploy
aiplatform.indexEndpoints.update
aiplatform.indexes.create
aiplatform.indexes.delete
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.indexes.update
aiplatform.metadataSchemas.create
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.create
aiplatform.metadataStores.delete
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.create
aiplatform.modelDeploymentMonitoringJobs.delete
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.pause
aiplatform.modelDeploymentMonitoringJobs.resume
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelDeploymentMonitoringJobs.update
aiplatform.models.update
aiplatform.nasJobs.cancel
aiplatform.nasJobs.create
aiplatform.nasJobs.delete
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.pipelineJobs.cancel
aiplatform.pipelineJobs.create
aiplatform.pipelineJobs.delete
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.tensorboardExperiments.create
aiplatform.tensorboardExperiments.delete
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardExperiments.update
aiplatform.tensorboardRuns.create
aiplatform.tensorboardRuns.delete
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardRuns.update
aiplatform.tensorboardRuns.write
aiplatform.tensorboardTimeSeries.create
aiplatform.tensorboardTimeSeries.delete
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboardTimeSeries.update
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
Apigee Added apigee.archivedeployments.create
apigee.archivedeployments.delete
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.archivedeployments.update
apigee.archivedeployments.upload
Apigee Now GA apigee.archivedeployments.create
apigee.archivedeployments.delete
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.archivedeployments.update
apigee.archivedeployments.upload
BigQuery Added bigquery.routines.updateTag
BigQuery Supported In Custom Roles bigquery.routines.updateTag
Cloud Asset Inventory Added cloudasset.assets.listAccessPolicy
cloudasset.assets.listIamPolicy
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listResource
Datastore Supported In Custom Roles datastore.databases.export
datastore.databases.get
datastore.databases.import
datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.get
datastore.indexes.list
datastore.indexes.update
datastore.locations.get
datastore.locations.list
datastore.namespaces.get
datastore.namespaces.list
datastore.operations.cancel
datastore.operations.delete
datastore.operations.get
datastore.operations.list
datastore.statistics.get
datastore.statistics.list
Datastream Added datastream.connectionProfiles.create
datastream.connectionProfiles.delete
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.delete
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.delete
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update
Datastream Supported In Custom Roles datastream.connectionProfiles.create
datastream.connectionProfiles.delete
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.delete
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.delete
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update
Essential Contacts Added essentialcontacts.contacts.send
Essential Contacts Supported In Custom Roles essentialcontacts.contacts.send
Essential Contacts Now GA essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.send
essentialcontacts.contacts.update
Cloud Integrations Added integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.delete
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update
integrations.apigeeCertificates.get
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update
integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.delete
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update
integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.delete
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve
Payments Reseller Subscription Added paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
paymentsresellersubscription.subscriptions.cancel
paymentsresellersubscription.subscriptions.extend
paymentsresellersubscription.subscriptions.get
paymentsresellersubscription.subscriptions.provision
paymentsresellersubscription.subscriptions.undoCancel
Payments Reseller Subscription Supported In Custom Roles paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
paymentsresellersubscription.subscriptions.cancel
paymentsresellersubscription.subscriptions.extend
paymentsresellersubscription.subscriptions.get
paymentsresellersubscription.subscriptions.provision
paymentsresellersubscription.subscriptions.undoCancel

Cloud IAM changes as of 2021-05-28

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusters.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.developerAdmin (Apigee Developer Admin):

apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update
apigee.rateplans.get
apigee.rateplans.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.serviceAgent (Apigee Service Agent):

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
Content Warehouse Now GA

The role roles/contentwarehouse.serviceAgent (Content Warehouse Service Agent) is now GA.

Resource Settings Now GA

The role roles/resourcesettings.admin (Resource Settings Administrator) is now GA.

Resource Settings Now GA

The role roles/resourcesettings.viewer (Resource Settings Viewer) is now GA.

Cloud Asset Inventory Added cloudasset.assets.analyzeMove
Cloud Asset Inventory Now GA cloudasset.assets.analyzeMove
Dialogflow Added dialogflow.securitySettings.create
dialogflow.securitySettings.delete
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.securitySettings.update
Dialogflow Now GA dialogflow.securitySettings.create
dialogflow.securitySettings.delete
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.securitySettings.update
Cloud DNS Added dns.resourceRecordSets.get
Cloud DNS Supported In Custom Roles dns.resourceRecordSets.get
Cloud DNS Now GA dns.resourceRecordSets.get
Resource Settings Added resourcesettings.settings.get
resourcesettings.settings.list
resourcesettings.settings.update
Resource Settings Supported In Custom Roles resourcesettings.settings.get
resourcesettings.settings.list
Resource Settings Now GA resourcesettings.settings.get
resourcesettings.settings.list
resourcesettings.settings.update

Cloud IAM changes as of 2021-05-14

Service Change Description
Sensitive Data Protection Now GA

The role roles/dlp.columnDataProfilesReader (DLP Column Data Profiles Reader) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.dataProfilesReader (DLP Data Profiles Reader) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.estimatesAdmin (DLP Cost Estimation) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.projectDataProfilesReader (DLP Project Data Profiles Reader) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.tableDataProfilesReader (DLP Table Data Profiles Reader) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.admin (Security Center Admin):

resourcemanager.folders.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminEditor (Security Center Admin Editor):

resourcemanager.folders.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminViewer (Security Center Admin Viewer):

resourcemanager.folders.get
resourcemanag