IAM permissions change log

This page describes changes to the public Identity and Access Management (IAM) permissions for all Generally Available (GA) and Preview services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is added, IAM does not automatically add the permission to your custom roles.

For changes that occurred before 2022, see Archived permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

Upcoming IAM changes for the week of 2024-11-12

Service | Description

Vertex AI

The Vertex AI Online Prediction Service Agent role (roles/aiplatform.onlinePredictionServiceAgent) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

documentai.processorVersions.processOnline
documentai.processors.get
documentai.processors.processOnline

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Google Security Operations Service Management

The following permissions have been added to the Chronicle Service Admin role (roles/chroniclesm.admin):

chroniclesm.gcpAssociations.list

Google Security Operations Service Management

The following permissions have been added to the Chronicle Service Viewer role (roles/chroniclesm.viewer):

chroniclesm.gcpAssociations.list

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.update

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

alloydb.backups.get
alloydb.backups.list
alloydb.clusters.export
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.get
alloydb.locations.list
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
alloydb.users.get
alloydb.users.list
alloydb.users.login
cloudaicompanion.entitlements.get
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

alloydb.backups.get
alloydb.backups.list
alloydb.clusters.export
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.get
alloydb.locations.list
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
alloydb.users.get
alloydb.users.list
alloydb.users.login
cloudaicompanion.entitlements.get
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list

Basic Role

The following permissions have been added to the Editor role (roles/editor):

chroniclesm.gcpAssociations.list
policyanalyzer.resourceAuthorizationActivities.query

Identity and Access Management

The following permissions have been added to the Deny Admin role (roles/iam.denyAdmin):

cloudasset.assets.listResource
policyanalyzer.resourceAuthorizationActivities.query
policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.create
policysimulator.accessPolicySimulations.get
policysimulator.accessPolicySimulations.list

Identity and Access Management

The following permissions have been added to the Principal Access Boundary Policy Admin role (roles/iam.principalAccessBoundaryAdmin):

cloudasset.assets.searchAllResources

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

chroniclesm.gcpAssociations.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

chroniclesm.gcpAssociations.list

Cloud License Manager

The Cloud License Manager Admin role (roles/licensemanager.admin) has reached General Availability (GA).

Cloud License Manager

The Cloud License Manager Viewer role (roles/licensemanager.viewer) has reached General Availability (GA).

Google Cloud NetApp Volumes

The following permissions have been added to the Google Cloud NetApp Volumes Admin role (roles/netapp.admin):

netapp.storagePools.validateDirectoryService

Basic Role

The following permissions have been added to the Owner role (roles/owner):

chroniclesm.gcpAssociations.list
policyanalyzer.resourceAuthorizationActivities.query
storage.buckets.restore

Policy Analyzer

The following permissions have been added to the Activity Analysis Viewer role (roles/policyanalyzer.activityAnalysisViewer):

policyanalyzer.resourceAuthorizationActivities.query

Policy Simulator

The following permissions have been added to the Simulator Admin role (roles/policysimulator.admin):

policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.create
policysimulator.accessPolicySimulations.get
policysimulator.accessPolicySimulations.list

Risk Manager

The following permissions have been added to the Risk Manager Service Agent role (roles/riskmanager.serviceAgent):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Cloud Run

The Cloud Run Jobs Executor role (roles/run.jobsExecutor) has reached General Availability (GA).

Cloud Run

The Cloud Run Jobs Executor With Overrides role (roles/run.jobsExecutorWithOverrides) has reached General Availability (GA).

Cloud Run

The Cloud Run Service Invoker role (roles/run.servicesInvoker) has reached General Availability (GA).

Security Command Center

The following permissions have been added to the Security Center Admin Editor role (roles/securitycenter.adminEditor):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Security Command Center

The following permissions have been added to the Security Center Admin Viewer role (roles/securitycenter.adminViewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Security Command Center

The following permissions have been added to the Security Center Settings Viewer role (roles/securitycenter.settingsViewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Security Center Management API

The following permissions have been added to the Security Center Management Settings Viewer role (roles/securitycentermanagement.settingsViewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Security Center Management API

The following permissions have been added to the Security Center Management Viewer role (roles/securitycentermanagement.viewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation

Spanner

The Cloud Spanner Database Reader with DataBoost role (roles/spanner.databaseReaderWithDataBoost) has reached General Availability (GA).

Spanner

The following permissions have been added to the Cloud Spanner Admin role (roles/spanner.admin):

monitoring.timeSeries.create

Spanner

The following permissions have been added to the Cloud Spanner Database Admin role (roles/spanner.databaseAdmin):

monitoring.timeSeries.create

Spanner

The following permissions have been added to the Cloud Spanner Database Reader role (roles/spanner.databaseReader):

monitoring.timeSeries.create

Spanner

The following permissions have been added to the Cloud Spanner Database User role (roles/spanner.databaseUser):

monitoring.timeSeries.create

Cloud Storage

The following permissions have been added to the Storage Legacy Bucket Owner role (roles/storage.legacyBucketOwner):

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

chroniclesm.gcpAssociations.list
policyanalyzer.resourceAuthorizationActivities.query

Google Security Operations

The following permissions have been added:

chronicle.enrichmentControls.create
chronicle.enrichmentControls.delete
chronicle.enrichmentControls.get
chronicle.enrichmentControls.list

Google Security Operations

The following permissions are supported in custom roles:

chronicle.enrichmentControls.create
chronicle.enrichmentControls.delete
chronicle.enrichmentControls.get
chronicle.enrichmentControls.list

Google Security Operations Service Management

The following permissions have been added:

chroniclesm.gcpAssociations.list

Gemini for Google Cloud API

The following permissions have been added:

cloudaicompanion.licenses.selfAssign

Gemini for Google Cloud API

The following permissions are supported in custom roles:

cloudaicompanion.licenses.selfAssign

Compute Engine

The following permissions have been added:

compute.networkProfiles.get
compute.networkProfiles.list
compute.spotAssistants.get
compute.subnetworks.usePeerMigration

Compute Engine

The following permissions are supported in custom roles:

compute.networkProfiles.get
compute.networkProfiles.list

Compute Engine

The following permissions have reached General Availability (GA):

compute.subnetworks.usePeerMigration

Dataplex

The following permissions have been added:

dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update

Dataplex

The following permissions are supported in custom roles:

dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update

Discovery Engine

The following permissions have been added:

discoveryengine.sitemaps.create
discoveryengine.sitemaps.delete
discoveryengine.sitemaps.fetch

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.sitemaps.create
discoveryengine.sitemaps.delete
discoveryengine.sitemaps.fetch

Cloud License Manager

The following permissions have been added:

licensemanager.configurations.aggregateUsage
licensemanager.configurations.create
licensemanager.configurations.delete
licensemanager.configurations.get
licensemanager.configurations.list
licensemanager.configurations.queryLicenseUsage
licensemanager.configurations.update
licensemanager.instances.get
licensemanager.instances.list
licensemanager.locations.get
licensemanager.locations.list
licensemanager.operations.cancel
licensemanager.operations.delete
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.get
licensemanager.products.list

Cloud License Manager

The following permissions are supported in custom roles:

licensemanager.configurations.aggregateUsage
licensemanager.configurations.create
licensemanager.configurations.delete
licensemanager.configurations.get
licensemanager.configurations.list
licensemanager.configurations.queryLicenseUsage
licensemanager.configurations.update
licensemanager.instances.get
licensemanager.instances.list
licensemanager.locations.get
licensemanager.locations.list
licensemanager.operations.cancel
licensemanager.operations.delete
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.get
licensemanager.products.list

Cloud License Manager

The following permissions have reached General Availability (GA):

licensemanager.configurations.aggregateUsage
licensemanager.configurations.create
licensemanager.configurations.delete
licensemanager.configurations.get
licensemanager.configurations.list
licensemanager.configurations.queryLicenseUsage
licensemanager.configurations.update
licensemanager.instances.get
licensemanager.instances.list
licensemanager.locations.get
licensemanager.locations.list
licensemanager.operations.cancel
licensemanager.operations.delete
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.get
licensemanager.products.list

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.storagePools.validateDirectoryService

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.storagePools.validateDirectoryService

Payments Reseller Subscription

The following permissions have been added:

paymentsresellersubscription.userSessions.generate

Payments Reseller Subscription

The following permissions are supported in custom roles:

paymentsresellersubscription.userSessions.generate

Policy Analyzer

The following permissions have been added:

policyanalyzer.resourceAuthorizationActivities.query

Policy Simulator

The following permissions have been added:

policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.create
policysimulator.accessPolicySimulations.get
policysimulator.accessPolicySimulations.list

Memorystore for Redis

The following permissions have been added:

redis.backupCollections.create
redis.backupCollections.delete
redis.backupCollections.get
redis.backupCollections.list
redis.backups.create
redis.backups.delete
redis.backups.export
redis.backups.get
redis.backups.list
redis.clusters.backup

Memorystore for Redis

The following permissions have reached General Availability (GA):

redis.backupCollections.create
redis.backupCollections.delete
redis.backupCollections.get
redis.backupCollections.list
redis.backups.create
redis.backups.delete
redis.backups.export
redis.backups.get
redis.backups.list
redis.clusters.backup

IAM changes as of 2024-11-01

Service | Description

Artifact Registry

The Container Registry -> Artifact Registry Migration Admin role (roles/artifactregistry.containerRegistryMigrationAdmin) has reached General Availability (GA).

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

certificatemanager.certs.list
certificatemanager.trustconfigs.list
cloudkms.cryptoKeys.list
cloudsql.instances.get
compute.firewallPolicies.list
compute.instances.get
container.clusters.get
dns.managedZones.list
iam.serviceAccounts.getIamPolicy
privateca.certificates.list

Dataplex

The Dataplex Discovery BigLake Publishing Service Agent role (roles/dataplex.discoveryBigLakePublishingServiceAgent) has reached General Availability (GA).

Dataplex

The Dataplex Discovery Publishing Service Agent role (roles/dataplex.discoveryPublishingServiceAgent) has reached General Availability (GA).

Dataplex

The Dataplex Discovery Service Agent role (roles/dataplex.discoveryServiceAgent) has reached General Availability (GA).

Application Design Center

The DesignCenter Service Agent role (roles/designcenter.serviceAgent) has reached General Availability (GA).

Parallelstore

The Parallelstore Admin role (roles/parallelstore.admin) has reached General Availability (GA).

Parallelstore

The Parallelstore Viewer role (roles/parallelstore.viewer) has reached General Availability (GA).

Compute Engine

The following permissions have been added:

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

Compute Engine

The following permissions are supported in custom roles:

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

Network Services

The following permissions have been added:

networkservices.wasmPlugins.create
networkservices.wasmPlugins.delete
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmPlugins.update
networkservices.wasmPlugins.use

Network Services

The following permissions are supported in custom roles:

networkservices.wasmPlugins.create
networkservices.wasmPlugins.delete
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmPlugins.update
networkservices.wasmPlugins.use

Cloud OS Config

The following permissions have been added:

osconfig.locations.get
osconfig.locations.list
osconfig.operations.cancel
osconfig.operations.delete
osconfig.operations.get
osconfig.operations.list
osconfig.policyOrchestrators.create
osconfig.policyOrchestrators.delete
osconfig.policyOrchestrators.get
osconfig.policyOrchestrators.list
osconfig.policyOrchestrators.update

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.locations.get
osconfig.locations.list
osconfig.operations.cancel
osconfig.operations.delete
osconfig.operations.get
osconfig.operations.list
osconfig.policyOrchestrators.create
osconfig.policyOrchestrators.delete
osconfig.policyOrchestrators.get
osconfig.policyOrchestrators.list
osconfig.policyOrchestrators.update

Parallelstore

The following permissions have been added:

parallelstore.instances.create
parallelstore.instances.delete
parallelstore.instances.exportData
parallelstore.instances.get
parallelstore.instances.importData
parallelstore.instances.list
parallelstore.instances.update
parallelstore.locations.get
parallelstore.locations.list
parallelstore.operations.cancel
parallelstore.operations.delete
parallelstore.operations.get
parallelstore.operations.list

Parallelstore

The following permissions are supported in custom roles:

parallelstore.instances.create
parallelstore.instances.delete
parallelstore.instances.exportData
parallelstore.instances.get
parallelstore.instances.importData
parallelstore.instances.list
parallelstore.instances.update
parallelstore.locations.get
parallelstore.locations.list
parallelstore.operations.cancel
parallelstore.operations.delete
parallelstore.operations.get
parallelstore.operations.list

Parallelstore

The following permissions have reached General Availability (GA):

parallelstore.instances.create
parallelstore.instances.delete
parallelstore.instances.exportData
parallelstore.instances.get
parallelstore.instances.importData
parallelstore.instances.list
parallelstore.instances.update
parallelstore.locations.get
parallelstore.locations.list
parallelstore.operations.cancel
parallelstore.operations.delete
parallelstore.operations.get
parallelstore.operations.list

Secure Source Manager

The following permissions have been added:

securesourcemanager.repositories.approvePullRequests

Secure Source Manager

The following permissions are supported in custom roles:

securesourcemanager.repositories.approvePullRequests

IAM changes as of 2024-10-25

Service | Description

Anthos Support

The following permissions have been added to the Anthos Support Service Agent role (roles/anthossupport.serviceAgent):

gkehub.gateway.generateCredentials

Batch

The following permissions have been added to the Google Batch Service Agent role (roles/batch.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Cloud TPU

The following permissions have been added to the Cloud TPU V2 API Service Agent role (roles/cloudtpu.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Compute Engine

The following permissions have been added to the Compute Admin role (roles/compute.admin):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Compute Engine

The following permissions have been added to the Compute Instance Admin (beta) role (roles/compute.instanceAdmin):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Compute Engine

The following permissions have been added to the Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Google Kubernetes Engine

The following permissions have been added to the Kubernetes Engine Service Agent role (roles/container.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.instances.export

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance
servicemanagement.services.bind
serviceusage.services.enable

Data Security Posture Management

The following permissions have been added to the DSPM Service Agent role (roles/dspm.serviceAgent):

securityposture.postureDeployments.delete

Cloud Life Sciences

The following permissions have been added to the Genomics Service Agent role (roles/genomics.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Cloud Life Sciences

The following permissions have been added to the Cloud Life Sciences Service Agent role (roles/lifesciences.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Notebooks

The following permissions have been added to the Notebooks Legacy Admin role (roles/notebooks.legacyAdmin):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Notebooks

The following permissions have been added to the AI Platform Notebooks Service Agent role (roles/notebooks.serviceAgent):

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupPlans.useForComputeInstance

Conversational Insights

The following permissions have been added:

contactcenterinsights.qaScorecardRevisions.undeploy

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.qaScorecardRevisions.undeploy

Conversational Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.download
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update
contactcenterinsights.feedbackLabels.upload
contactcenterinsights.operations.cancel
contactcenterinsights.qaQuestions.create
contactcenterinsights.qaQuestions.delete
contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaQuestions.update
contactcenterinsights.qaScorecardRevisions.create
contactcenterinsights.qaScorecardRevisions.delete
contactcenterinsights.qaScorecardRevisions.deploy
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecardRevisions.list
contactcenterinsights.qaScorecardRevisions.tune
contactcenterinsights.qaScorecards.create
contactcenterinsights.qaScorecards.delete
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list
contactcenterinsights.qaScorecards.update

Network Connectivity Center

The following permissions have been added:

networkconnectivity.hubs.queryStatus

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.hubs.queryStatus

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.hubs.queryStatus

IAM changes as of 2024-10-18

Service | Description

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.instances.createTagBinding
compute.instances.pscInterfaceCreate
compute.instances.setDeletionProtection
compute.instances.updateDisplayDevice
compute.resourcePolicies.use

BigQuery Data Policy

The BigQuery Data Policy Admin role (roles/bigquerydatapolicy.admin) has reached General Availability (GA).

BigQuery Data Policy

The BigQuery Data Policy Viewer role (roles/bigquerydatapolicy.viewer) has reached General Availability (GA).

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

networkmanagement.connectivitytests.list

Dataplex

The following permissions have been added to the Dataplex Aspect Type Owner role (roles/dataplex.aspectTypeOwner):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Aspect Type User role (roles/dataplex.aspectTypeUser):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Catalog Admin role (roles/dataplex.catalogAdmin):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Catalog Editor role (roles/dataplex.catalogEditor):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Catalog Viewer role (roles/dataplex.catalogViewer):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Entry Group Owner role (roles/dataplex.entryGroupOwner):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Entry Owner role (roles/dataplex.entryOwner):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Entry Type Owner role (roles/dataplex.entryTypeOwner):

datacatalog.migrationConfig.get

Dataplex

The following permissions have been added to the Dataplex Entry Type User role (roles/dataplex.entryTypeUser):

datacatalog.migrationConfig.get

FleetEngine

The following permissions have been added to the FleetEngine Service Agent role (roles/fleetengine.serviceAgent):

bigquery.datasets.create
serviceusage.services.enable

Service Usage

The following permissions have been added to the API Keys Admin role (roles/serviceusage.apiKeysAdmin):

orgpolicy.policy.get

Audit Manager

The following permissions have been added:

auditmanager.billingSettings.get

Audit Manager

The following permissions are supported in custom roles:

auditmanager.billingSettings.get

Blockchain Validator Manager

The following permissions have been added:

blockchainvalidatormanager.blockchainValidatorConfigs.create
blockchainvalidatormanager.blockchainValidatorConfigs.delete
blockchainvalidatormanager.blockchainValidatorConfigs.get
blockchainvalidatormanager.blockchainValidatorConfigs.list
blockchainvalidatormanager.blockchainValidatorConfigs.update
blockchainvalidatormanager.locations.get
blockchainvalidatormanager.locations.list
blockchainvalidatormanager.operations.cancel
blockchainvalidatormanager.operations.delete
blockchainvalidatormanager.operations.get
blockchainvalidatormanager.operations.list

Blockchain Validator Manager

The following permissions are supported in custom roles:

blockchainvalidatormanager.blockchainValidatorConfigs.create
blockchainvalidatormanager.blockchainValidatorConfigs.delete
blockchainvalidatormanager.blockchainValidatorConfigs.get
blockchainvalidatormanager.blockchainValidatorConfigs.list
blockchainvalidatormanager.blockchainValidatorConfigs.update
blockchainvalidatormanager.locations.get
blockchainvalidatormanager.locations.list
blockchainvalidatormanager.operations.cancel
blockchainvalidatormanager.operations.delete
blockchainvalidatormanager.operations.get
blockchainvalidatormanager.operations.list

Compute Engine

The following permissions have been added:

compute.networkEdgeSecurityServices.createTagBinding
compute.networkEdgeSecurityServices.deleteTagBinding
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings

Database Migration Service

The following permissions have been added:

datamigration.objects.get
datamigration.objects.list

Database Migration Service

The following permissions have reached General Availability (GA):

datamigration.objects.get
datamigration.objects.list

IAM changes as of 2024-10-11

Service Description

Backup and Disaster Recovery

The Backup and DR Backup Vault Accessor role (roles/backupdr.backupvaultAccessor) has reached General Availability (GA).

Backup and Disaster Recovery

The Backup and DR Backup Vault Admin role (roles/backupdr.backupvaultAdmin) has reached General Availability (GA).

Backup and Disaster Recovery

The Backup and DR Backup Vault Lister role (roles/backupdr.backupvaultLister) has reached General Availability (GA).

Backup and Disaster Recovery

The Backup and DR Backup Vault Viewer role (roles/backupdr.backupvaultViewer) has reached General Availability (GA).

Google Security Operations

The following permissions have been added to the Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent):

cloudasset.assets.exportIamPolicy
cloudasset.assets.exportResource

Cloud Controls Partner API

The Cloud Controls Partner Support Case Service Agent role (roles/cloudcontrolspartner.supportCaseServiceAgent) has reached General Availability (GA).

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

iam.serviceAccounts.getOpenIdToken

Google Kubernetes Engine

The Kubernetes Engine KMS Crypto Key User role (roles/container.cloudKmsKeyUser) has reached General Availability (GA).

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

dns.networks.targetWithPeeringZone

Dataproc Resource Manager

The Dataproc Resource Manager Node Service Agent role (roles/dataprocrm.nodeServiceAgent) has reached General Availability (GA).

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

eventarc.messageBuses.publish

Oracle Database@Google Cloud service agent

The Oracle Database@Google Cloud Service Agent role (roles/oci.serviceAgent) has reached General Availability (GA).

Oracle Database@Google Cloud

The following permissions have been added to the Oracle Database@Google Cloud VM Cluster Admin role (roles/oracledatabase.cloudVmClusterAdmin):

oracledatabase.cloudExadataInfrastructures.list
oracledatabase.dbServers.list
oracledatabase.giVersions.list

Backup and Disaster Recovery

The following permissions have reached General Availability (GA):

backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update
backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvbackups.update
backupdr.bvdataSources.abandonBackup
backupdr.bvdataSources.fetchAccessToken
backupdr.bvdataSources.finalizeBackup
backupdr.bvdataSources.get
backupdr.bvdataSources.initiateBackup
backupdr.bvdataSources.list
backupdr.bvdataSources.remove
backupdr.bvdataSources.setInternalStatus
backupdr.bvdataSources.update

Cloud Controls Partner API

The following permissions have been added:

cloudcontrolspartner.customers.create
cloudcontrolspartner.customers.delete

Cloud Controls Partner API

The following permissions are supported in custom roles:

cloudcontrolspartner.customers.create
cloudcontrolspartner.customers.delete

Eventarc

The following permissions have been added:

eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.setIamPolicy
eventarc.enrollments.update
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.setIamPolicy
eventarc.googleApiSources.update
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.setIamPolicy
eventarc.messageBuses.update
eventarc.messageBuses.use
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.setIamPolicy
eventarc.pipelines.update

Cloud Integrations

The following permissions have been added:

integrations.executions.cancel
integrations.integrations.generateOpenApiSpec
integrations.testCases.create
integrations.testCases.delete
integrations.testCases.get
integrations.testCases.invoke
integrations.testCases.list
integrations.testCases.update

Cloud Integrations

The following permissions have reached General Availability (GA):

integrations.executions.cancel
integrations.integrations.generateOpenApiSpec
integrations.testCases.create
integrations.testCases.delete
integrations.testCases.get
integrations.testCases.invoke
integrations.testCases.list
integrations.testCases.update

Cloud Logging

The following permissions have been added:

logging.sqlAlerts.create
logging.sqlAlerts.update

Cloud Logging

The following permissions are supported in custom roles:

logging.sqlAlerts.create
logging.sqlAlerts.update

Recommender

The following permissions have reached General Availability (GA):

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update
recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

IAM changes as of 2024-10-04

Service Description

Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update

Cloud Build

The following permissions have been added to the Cloud Build Service Agent role (roles/cloudbuild.serviceAgent):

developerconnect.connections.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

connectors.operations.get
discoveryengine.dataStores.create

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list

Spanner

The following permissions have been added to the Cloud Spanner Backup Admin role (roles/spanner.backupAdmin):

spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backupSchedules.update

Spanner

The following permissions have been added to the Cloud Spanner Backup Writer role (roles/spanner.backupWriter):

spanner.backupSchedules.create
spanner.backupSchedules.get
spanner.backupSchedules.list

Vertex AI

The following permissions have been added:

aiplatform.cachedContents.create
aiplatform.cachedContents.delete
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.cachedContents.update

BigQuery Migration API

The following permissions have been added:

bigquerymigration.taskTypes.writeLogs

BigQuery Migration API

The following permissions have reached General Availability (GA):

bigquerymigration.taskTypes.writeLogs

Cloud SQL

The following permissions have been added:

cloudsql.backups.create
cloudsql.backups.delete
cloudsql.backups.get
cloudsql.backups.list
cloudsql.backups.update
cloudsql.operations.get
cloudsql.operations.list

Cloud SQL

The following permissions are supported in custom roles:

cloudsql.backups.create
cloudsql.backups.delete
cloudsql.backups.get
cloudsql.backups.list
cloudsql.backups.update
cloudsql.operations.get
cloudsql.operations.list

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.backups.create
cloudsql.backups.delete
cloudsql.backups.get
cloudsql.backups.list
cloudsql.backups.update
cloudsql.operations.get
cloudsql.operations.list

Cloud Trace

The following permissions have been added:

cloudtrace.traceScopes.create
cloudtrace.traceScopes.delete
cloudtrace.traceScopes.get
cloudtrace.traceScopes.list
cloudtrace.traceScopes.update

Cloud Trace

The following permissions are supported in custom roles:

cloudtrace.traceScopes.create
cloudtrace.traceScopes.delete
cloudtrace.traceScopes.get
cloudtrace.traceScopes.list
cloudtrace.traceScopes.update

Cloud Logging

The following permissions have been added:

logging.buckets.createTagBinding
logging.buckets.deleteTagBinding
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings

Cloud Logging

The following permissions are supported in custom roles:

logging.buckets.createTagBinding
logging.buckets.deleteTagBinding
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings

Cloud Logging

The following permissions have reached General Availability (GA):

logging.buckets.createTagBinding
logging.buckets.deleteTagBinding
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings

Network Security

The following permissions have been added:

networksecurity.mirroringDeploymentGroups.create
networksecurity.mirroringDeploymentGroups.delete
networksecurity.mirroringDeploymentGroups.get
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeploymentGroups.update
networksecurity.mirroringDeploymentGroups.use
networksecurity.mirroringDeployments.create
networksecurity.mirroringDeployments.delete
networksecurity.mirroringDeployments.get
networksecurity.mirroringDeployments.list
networksecurity.mirroringDeployments.update
networksecurity.mirroringEndpointGroupAssociations.create
networksecurity.mirroringEndpointGroupAssociations.delete
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
networksecurity.mirroringEndpointGroupAssociations.update
networksecurity.mirroringEndpointGroups.create
networksecurity.mirroringEndpointGroups.delete
networksecurity.mirroringEndpointGroups.get
networksecurity.mirroringEndpointGroups.list
networksecurity.mirroringEndpointGroups.update
networksecurity.mirroringEndpointGroups.use

Network Security

The following permissions are supported in custom roles:

networksecurity.mirroringDeploymentGroups.create
networksecurity.mirroringDeploymentGroups.delete
networksecurity.mirroringDeploymentGroups.get
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeploymentGroups.update
networksecurity.mirroringDeploymentGroups.use
networksecurity.mirroringDeployments.create
networksecurity.mirroringDeployments.delete
networksecurity.mirroringDeployments.get
networksecurity.mirroringDeployments.list
networksecurity.mirroringDeployments.update
networksecurity.mirroringEndpointGroupAssociations.create
networksecurity.mirroringEndpointGroupAssociations.delete
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
networksecurity.mirroringEndpointGroupAssociations.update
networksecurity.mirroringEndpointGroups.create
networksecurity.mirroringEndpointGroups.delete
networksecurity.mirroringEndpointGroups.get
networksecurity.mirroringEndpointGroups.list
networksecurity.mirroringEndpointGroups.update
networksecurity.mirroringEndpointGroups.use

Cloud Storage

The following permissions have been added:

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

Cloud Storage

The following permissions have reached General Availability (GA):

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

Google Cloud VMware Engine

The following permissions have been added:

vmwareengine.projectState.get

Google Cloud VMware Engine

The following permissions are supported in custom roles:

vmwareengine.projectState.get

Google Cloud VMware Engine

The following permissions have reached General Availability (GA):

vmwareengine.projectState.get

IAM changes as of 2024-09-27

Service Description

Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

aiplatform.indexEndpoints.create
aiplatform.indexEndpoints.delete
aiplatform.indexEndpoints.deploy
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexEndpoints.undeploy
aiplatform.indexEndpoints.update
aiplatform.indexes.create
aiplatform.indexes.delete
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.indexes.update

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

iam.serviceAccounts.getOpenIdToken

Cloud Key Management Service

The Cloud KMS Autokey Admin role (roles/cloudkms.autokeyAdmin) has reached General Availability (GA).

Cloud Key Management Service

The Cloud KMS Autokey User role (roles/cloudkms.autokeyUser) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement License Pool Editor role (roles/consumerprocurement.licensePoolEditor) has been added with the following permissions:

consumerprocurement.googleapis.com/licensePools.assign
consumerprocurement.googleapis.com/licensePools.enumerateLicensedUsers
consumerprocurement.googleapis.com/licensePools.get
consumerprocurement.googleapis.com/licensePools.unassign
consumerprocurement.googleapis.com/licensePools.update
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update

Cloud Commerce Consumer Procurement

The Consumer Procurement License Pool Viewer role (roles/consumerprocurement.licensePoolViewer) has been added with the following permissions:

consumerprocurement.googleapis.com/licensePools.enumerateLicensedUsers
consumerprocurement.googleapis.com/licensePools.get
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get

Cloud Commerce Consumer Procurement

The following permissions have been added to the Consumer Procurement Order Viewer role (roles/consumerprocurement.orderViewer):

consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get

Cloud Commerce Consumer Procurement

The following permissions have been added to the Consumer Procurement Viewer role (roles/consumerprocurement.procurementViewer):

consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get

Conversational Insights

The following permissions have been added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.operations.cancel

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.instances.executeSql

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.connections.generateOpenAPISpec
connectors.connections.get
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
connectors.versions.get

Oracle Database@Google Cloud

The Oracle Database@Google Cloud admin role (roles/oracledatabase.admin) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud Autonomous Database Admin role (roles/oracledatabase.autonomousDatabaseAdmin) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud Autonomous Database Viewer role (roles/oracledatabase.autonomousDatabaseViewer) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud Exadata Infrastructure Admin role (roles/oracledatabase.cloudExadataInfrastructureAdmin) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud Exadata Infrastructure Viewer role (roles/oracledatabase.cloudExadataInfrastructureViewer) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud VM Cluster Admin role (roles/oracledatabase.cloudVmClusterAdmin) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud VM Cluster Viewer role (roles/oracledatabase.cloudVmClusterViewer) has reached General Availability (GA).

Oracle Database@Google Cloud

The Oracle Database@Google Cloud viewer role (roles/oracledatabase.viewer) has reached General Availability (GA).

Apigee

The following permissions have been added:

apigee.securityProfilesV2.create
apigee.securityProfilesV2.delete
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securityProfilesV2.update

Apigee

The following permissions are supported in custom roles:

apigee.securityProfilesV2.create
apigee.securityProfilesV2.delete
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securityProfilesV2.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityProfilesV2.create
apigee.securityProfilesV2.delete
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securityProfilesV2.update

Artifact Registry

The following permissions have been added:

artifactregistry.rules.create
artifactregistry.rules.delete
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.rules.update

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.rules.create
artifactregistry.rules.delete
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.rules.update

Backup and Disaster Recovery

The following permissions have been added:

backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.useForComputeInstance

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update
cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.projects.showEffectiveAutokeyConfig

Compute Engine

The following permissions have been added:

compute.addresses.createTagBinding
compute.addresses.deleteTagBinding
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.globalAddresses.createTagBinding
compute.globalAddresses.deleteTagBinding
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.networkAttachments.createTagBinding
compute.networkAttachments.deleteTagBinding
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.publicDelegatedPrefixes.createTagBinding
compute.publicDelegatedPrefixes.deleteTagBinding
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.serviceAttachments.createTagBinding
compute.serviceAttachments.deleteTagBinding
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.addresses.createTagBinding
compute.addresses.deleteTagBinding
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.globalAddresses.createTagBinding
compute.globalAddresses.deleteTagBinding
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.networkAttachments.createTagBinding
compute.networkAttachments.deleteTagBinding
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.publicDelegatedPrefixes.createTagBinding
compute.publicDelegatedPrefixes.deleteTagBinding
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.serviceAttachments.createTagBinding
compute.serviceAttachments.deleteTagBinding
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings

Connectors

The following permissions have been added:

connectors.connections.generateOpenAPISpec

Connectors

The following permissions are supported in custom roles:

connectors.connections.generateOpenAPISpec

Connectors

The following permissions have reached General Availability (GA):

connectors.connections.generateOpenAPISpec

Cloud Commerce Consumer Procurement

The following permissions have been added:

consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update

Cloud Commerce Consumer Procurement

The following permissions are supported in custom roles:

consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update

Cloud Commerce Consumer Procurement

The following permissions have reached General Availability (GA):

consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update

Conversational Insights

The following permissions have been added:

contactcenterinsights.operations.cancel

Dataplex

The following permissions have been added:

dataplex.entryGroups.export

Dataplex

The following permissions are supported in custom roles:

dataplex.entryGroups.export

Dataproc

The following permissions have been added:

dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite

Dataproc

The following permissions are supported in custom roles:

dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite

Dataproc

The following permissions have reached General Availability (GA):

dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.replications.establishPeering
netapp.replications.sync

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.replications.establishPeering
netapp.replications.sync

Google Cloud Observability

The following permissions are supported in custom roles:

observability.scopes.get
observability.scopes.update

Oracle Database@Google Cloud

The following permissions have been added:

oracledatabase.autonomousDatabaseBackups.create
oracledatabase.autonomousDatabaseBackups.delete
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.create
oracledatabase.autonomousDatabases.delete
oracledatabase.autonomousDatabases.generateWallet
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDatabases.restore
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.create
oracledatabase.cloudExadataInfrastructures.delete
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.update
oracledatabase.cloudExadataInfrastructures.use
oracledatabase.cloudVmClusters.create
oracledatabase.cloudVmClusters.delete
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.cloudVmClusters.update
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list

Oracle Database@Google Cloud

The following permissions are supported in custom roles:

oracledatabase.autonomousDatabaseBackups.create
oracledatabase.autonomousDatabaseBackups.delete
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.create
oracledatabase.autonomousDatabases.delete
oracledatabase.autonomousDatabases.generateWallet
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDatabases.restore
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.create
oracledatabase.cloudExadataInfrastructures.delete
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.update
oracledatabase.cloudExadataInfrastructures.use
oracledatabase.cloudVmClusters.create
oracledatabase.cloudVmClusters.delete
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.cloudVmClusters.update
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list

Oracle Database@Google Cloud

The following permissions have reached General Availability (GA):

oracledatabase.autonomousDatabaseBackups.create
oracledatabase.autonomousDatabaseBackups.delete
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.create
oracledatabase.autonomousDatabases.delete
oracledatabase.autonomousDatabases.generateWallet
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDatabases.restore
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.create
oracledatabase.cloudExadataInfrastructures.delete
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.update
oracledatabase.cloudExadataInfrastructures.use
oracledatabase.cloudVmClusters.create
oracledatabase.cloudVmClusters.delete
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.cloudVmClusters.update
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list

Recommender

The following permissions have been added:

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update
recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update
recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

Cloud Storage

The following permissions have been added:

storage.managementHubs.get
storage.managementHubs.update

Cloud Storage

The following permissions are supported in custom roles:

storage.managementHubs.get
storage.managementHubs.update

IAM changes as of 2024-09-20

Service Description
Vertex AI

The Vertex AI Batch Prediction Service Agent role (roles/aiplatform.batchPredictionServiceAgent) has reached General Availability (GA).

Google Security Operations

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.dataTableOperationErrors.get

Google Security Operations

The following permissions have been added to the Chronicle API Editor role (roles/chronicle.editor):

chronicle.dataTableOperationErrors.get

Google Security Operations

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataTableOperationErrors.get

Cloud SQL

The Cloud SQL Studio User role (roles/cloudsql.studioUser) has reached General Availability (GA).

Cloud Trace

The following permissions have been added to the Cloud Trace Admin role (roles/cloudtrace.admin):

observability.scopes.get

Cloud Trace

The following permissions have been added to the Cloud Trace User role (roles/cloudtrace.user):

observability.scopes.get

Firebase

The following permissions have been added to the Firebase Develop Viewer role (roles/firebase.developViewer):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Firebase

The following permissions have been added to the Firebase Grow Admin role (roles/firebase.growthAdmin):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Firebase

The following permissions have been added to the Firebase Grow Viewer role (roles/firebase.growthViewer):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Firebase

The following permissions have been added to the Firebase Quality Admin role (roles/firebase.qualityAdmin):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Firebase

The following permissions have been added to the Firebase Quality Viewer role (roles/firebase.qualityViewer):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Firebase

The following permissions have been added to the Firebase Viewer role (roles/firebase.viewer):

apikeys.keys.get
apikeys.keys.list
serviceusage.apiKeys.get
serviceusage.apiKeys.list

Dataproc Metastore

The following permissions have been added to the Dataproc Metastore Service Agent role (roles/metastore.serviceAgent):

metastore.federations.use

Artifact Registry

The following permissions have been added:

artifactregistry.attachments.create
artifactregistry.attachments.delete
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.files.upload

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.attachments.create
artifactregistry.attachments.delete
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.files.upload

Assured Workloads

The following permissions have been added:

assuredworkloads.updates.list
assuredworkloads.updates.update

Assured Workloads

The following permissions have reached General Availability (GA):

assuredworkloads.updates.list
assuredworkloads.updates.update

BigQuery

The following permissions are supported in custom roles:

bigquery.config.get
bigquery.config.update

Google Security Operations

The following permissions have been added:

chronicle.dataTableOperationErrors.get

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataTableOperationErrors.get

Google Security Operations Service Management

The following permissions have been added:

chroniclesm.gcpLogFlowFilters.get
chroniclesm.gcpLogFlowFilters.update

Google Security Operations Service Management

The following permissions have reached General Availability (GA):

chroniclesm.gcpLogFlowFilters.get
chroniclesm.gcpLogFlowFilters.update

Cloud SQL

The following permissions have been added:

cloudsql.instances.addServerCertificate
cloudsql.instances.listServerCertificates
cloudsql.instances.rotateServerCertificate

Cloud SQL

The following permissions are supported in custom roles:

cloudsql.instances.addServerCertificate
cloudsql.instances.listServerCertificates
cloudsql.instances.rotateServerCertificate

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.instances.addServerCertificate
cloudsql.instances.listServerCertificates
cloudsql.instances.rotateServerCertificate

Conversational Insights

The following permissions have been added:

contactcenterinsights.analysisRules.create
contactcenterinsights.analysisRules.delete
contactcenterinsights.analysisRules.get
contactcenterinsights.analysisRules.list
contactcenterinsights.analysisRules.update

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.analysisRules.create
contactcenterinsights.analysisRules.delete
contactcenterinsights.analysisRules.get
contactcenterinsights.analysisRules.list
contactcenterinsights.analysisRules.update

Security Command Center

The following permissions have been added:

securitycenter.billingtier.update

Security Command Center

The following permissions are supported in custom roles:

securitycenter.billingtier.update

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.billingtier.update

IAM changes as of 2024-09-13

Service Description
Apigee

The Apigee Deployment Invoker role (roles/apigee.deploymentInvoker) has reached General Availability (GA).

Cloud Key Management Service

The following permissions have been added to the Cloud KMS Autokey User role (roles/cloudkms.autokeyUser):

cloudkms.operations.get

Data Catalog

The following permissions have been added to the DataCatalog Glossary Owner role (roles/datacatalog.glossaryOwner):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog Glossary User role (roles/datacatalog.glossaryUser):

dataplex.projects.search

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

discoveryengine.collections.list
discoveryengine.dataStores.list
discoveryengine.engines.create
discoveryengine.engines.update

Google Cloud Managed Service for Apache Kafka

The following permissions have been added to the Managed Kafka Service Agent role (roles/managedkafka.serviceAgent):

privateca.caPools.get

Cloud Run

The following permissions have been removed from the Cloud Run Service Agent role (roles/run.serviceAgent):

compute.regionOperations.get
compute.zoneOperations.get

SecLM

The following permissions have been added to the SecLM Service Agent role (roles/seclm.serviceAgent):

aiplatform.endpoints.predict

SecLM

The following permissions have been removed from the SecLM Service Agent role (roles/seclm.serviceAgent):

storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list

Cloud Run

The following permissions have been removed from the Cloud Run Service Agent role (roles/serverless.serviceAgent):

compute.regionOperations.get
compute.zoneOperations.get

Apigee

The following permissions have been added:

apigee.deployments.getIamPolicy
apigee.deployments.invoke
apigee.deployments.setIamPolicy

Apigee

The following permissions are supported in custom roles:

apigee.deployments.getIamPolicy
apigee.deployments.invoke
apigee.deployments.setIamPolicy

Apigee

The following permissions have reached General Availability (GA):

apigee.deployments.getIamPolicy
apigee.deployments.invoke
apigee.deployments.setIamPolicy

Compute Engine

The following permissions have been added:

compute.instanceGroups.createTagBinding
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.packetMirrorings.createTagBinding
compute.packetMirrorings.deleteTagBinding
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.regionSslPolicies.createTagBinding
compute.regionSslPolicies.deleteTagBinding
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetTcpProxies.createTagBinding
compute.regionTargetTcpProxies.deleteTagBinding
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.targetGrpcProxies.createTagBinding
compute.targetGrpcProxies.deleteTagBinding
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.instanceGroups.createTagBinding
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.packetMirrorings.createTagBinding
compute.packetMirrorings.deleteTagBinding
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.regionSslPolicies.createTagBinding
compute.regionSslPolicies.deleteTagBinding
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetTcpProxies.createTagBinding
compute.regionTargetTcpProxies.deleteTagBinding
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.targetGrpcProxies.createTagBinding
compute.targetGrpcProxies.deleteTagBinding
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings

IAM changes as of 2024-09-06

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent):

aiplatform.tuningJobs.cancel
aiplatform.tuningJobs.create
aiplatform.tuningJobs.delete
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
aiplatform.tuningJobs.vertexTune

Compute Engine

The following permissions have been added to the Compute Load Balancer Services User role (roles/compute.loadBalancerServiceUser):

compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendBuckets.use

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

discoveryengine.documents.batchGetDocumentsMetadata

Discovery Engine

The following permissions have been added to the Discovery Engine Editor role (roles/discoveryengine.editor):

discoveryengine.documents.batchGetDocumentsMetadata

Discovery Engine

The following permissions have been added to the Discovery Engine Viewer role (roles/discoveryengine.viewer):

discoveryengine.documents.batchGetDocumentsMetadata

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

serviceusage.services.enable

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/run.serviceAgent):

compute.regionOperations.get
compute.zoneOperations.get

SecLM

The following permissions have been added to the SecLM Service Agent role (roles/seclm.serviceAgent):

aiplatform.locations.get
discoveryengine.servingConfigs.search

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/serverless.serviceAgent):

compute.regionOperations.get
compute.zoneOperations.get

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode
cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText

Compute Engine

The following permissions are supported in custom roles:

compute.backendBuckets.use

Discovery Engine

The following permissions have been added:

discoveryengine.documents.batchGetDocumentsMetadata

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.documents.batchGetDocumentsMetadata

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.locations.get
netapp.locations.list
netapp.operations.cancel
netapp.operations.delete
netapp.operations.get
netapp.operations.list
netapp.storagePools.switch

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.locations.get
netapp.locations.list
netapp.operations.cancel
netapp.operations.delete
netapp.operations.get
netapp.operations.list
netapp.storagePools.switch

Spanner

The following permissions have been added:

spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backupSchedules.setIamPolicy
spanner.backupSchedules.update

Spanner

The following permissions are supported in custom roles:

spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backupSchedules.setIamPolicy
spanner.backupSchedules.update

Spanner

The following permissions have reached General Availability (GA):

spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backupSchedules.setIamPolicy
spanner.backupSchedules.update

IAM changes as of 2024-08-30

Service Description
Datastore

The Cloud Datastore Bulk Admin role (roles/datastore.bulkAdmin) has reached General Availability (GA).

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

cloudnotifications.activities.list
kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.groups.get
monitoring.groups.list
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
stackdriver.projects.get
stackdriver.resourceMetadata.list

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Service Agent role (roles/edgecontainer.serviceAgent):

gkehub.memberships.list

Identity and Access Management

The following permissions have been added to the Principal Access Boundary Policy Admin role (roles/iam.principalAccessBoundaryAdmin):

cloudasset.assets.listResource

BigQuery Engine for Apache Flink

The Managed Flink Service Agent role (roles/managedflink.serviceAgent) has reached General Availability (GA).

Remoting Cloud

The Remoting Cloud Service Agent role (roles/remotingcloud.serviceAgent) has reached General Availability (GA).

BigQuery

The following permissions have been added:

bigquery.dataPolicies.getRawData

BigQuery

The following permissions are supported in custom roles:

bigquery.dataPolicies.getRawData

Gemini for Google Cloud API

The following permissions have been added:

cloudaicompanion.codeRepositoryIndexes.create
cloudaicompanion.codeRepositoryIndexes.delete
cloudaicompanion.codeRepositoryIndexes.get
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.codeRepositoryIndexes.update
cloudaicompanion.operations.cancel
cloudaicompanion.operations.delete
cloudaicompanion.operations.get
cloudaicompanion.operations.list
cloudaicompanion.repositoryGroups.create
cloudaicompanion.repositoryGroups.delete
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudaicompanion.repositoryGroups.setIamPolicy
cloudaicompanion.repositoryGroups.update
cloudaicompanion.repositoryGroups.use

Gemini for Google Cloud API

The following permissions are supported in custom roles:

cloudaicompanion.codeRepositoryIndexes.create
cloudaicompanion.codeRepositoryIndexes.delete
cloudaicompanion.codeRepositoryIndexes.get
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.codeRepositoryIndexes.update
cloudaicompanion.operations.cancel
cloudaicompanion.operations.delete
cloudaicompanion.operations.get
cloudaicompanion.operations.list
cloudaicompanion.repositoryGroups.create
cloudaicompanion.repositoryGroups.delete
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudaicompanion.repositoryGroups.update

Datastore

The following permissions have been added:

datastore.databases.bulkDelete

Datastore

The following permissions have reached General Availability (GA):

datastore.databases.bulkDelete

BigQuery Engine for Apache Flink

The following permissions have been added:

managedflink.sessions.create
managedflink.sessions.delete
managedflink.sessions.get
managedflink.sessions.list
managedflink.sessions.update

BigQuery Engine for Apache Flink

The following permissions are supported in custom roles:

managedflink.sessions.create
managedflink.sessions.delete
managedflink.sessions.get
managedflink.sessions.list
managedflink.sessions.update

Network Services

The following permissions have been added:

networkservices.authzExtensions.create
networkservices.authzExtensions.delete
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.authzExtensions.update
networkservices.authzExtensions.use

Network Services

The following permissions are supported in custom roles:

networkservices.authzExtensions.create
networkservices.authzExtensions.delete
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.authzExtensions.update
networkservices.authzExtensions.use

Secure Source Manager

The following permissions have been added:

securesourcemanager.branchRules.create
securesourcemanager.branchRules.delete
securesourcemanager.branchRules.get
securesourcemanager.branchRules.list
securesourcemanager.branchRules.update

Secure Source Manager

The following permissions are supported in custom roles:

securesourcemanager.branchRules.create
securesourcemanager.branchRules.delete
securesourcemanager.branchRules.get
securesourcemanager.branchRules.list
securesourcemanager.branchRules.update

IAM changes as of 2024-08-23

Service Description
Compute Engine

The following permissions have been added to the Compute Organization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin):

compute.firewallPolicies.copyRules

Cloud Integrations

The following permissions have been added to the Application Integration Editor role (roles/integrations.integrationEditor):

integrations.executions.replay

Service Networking

The following permissions have been added to the Service Networking Service Agent role (roles/servicenetworking.serviceAgent):

compute.networks.create
compute.networks.delete
compute.networks.update
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
networkconnectivity.internalRanges.list

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.networks.use
compute.networks.useExternalIp

Cloud Integrations

The following permissions have been added:

integrations.executions.replay

Cloud Integrations

The following permissions have reached General Availability (GA):

integrations.executions.replay

Google Cloud Migration Center

The following permissions have been added:

migrationcenter.relations.get
migrationcenter.relations.list

Network Security

The following permissions have been added:

networksecurity.authzPolicies.create
networksecurity.authzPolicies.delete
networksecurity.authzPolicies.get
networksecurity.authzPolicies.getIamPolicy
networksecurity.authzPolicies.list
networksecurity.authzPolicies.setIamPolicy
networksecurity.authzPolicies.update

Network Security

The following permissions are supported in custom roles:

networksecurity.authzPolicies.create
networksecurity.authzPolicies.delete
networksecurity.authzPolicies.get
networksecurity.authzPolicies.getIamPolicy
networksecurity.authzPolicies.list
networksecurity.authzPolicies.setIamPolicy
networksecurity.authzPolicies.update

Recommender

The following permissions have been added:

recommender.firestoreDatabaseReliabilityInsights.get
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityInsights.update
recommender.firestoreDatabaseReliabilityRecommendations.get
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.firestoreDatabaseReliabilityRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.firestoreDatabaseReliabilityInsights.get
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityInsights.update
recommender.firestoreDatabaseReliabilityRecommendations.get
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.firestoreDatabaseReliabilityRecommendations.update

Security Command Center

The following permissions have been added:

securitycenter.complianceReports.aggregate

Security Command Center

The following permissions are supported in custom roles:

securitycenter.complianceReports.aggregate

IAM changes as of 2024-08-16

Service Description
Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData

Vertex AI

The following permissions have been added to the Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent):

aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.instances.useReadOnly

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.instances.useReadOnly

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.upgrade

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.clusters.upgrade

Artifact Registry

The following permissions have been added:

artifactregistry.files.update
artifactregistry.packages.update
artifactregistry.versions.update

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.update
artifactregistry.packages.update
artifactregistry.versions.update

Database Migration Service

The following permissions have been added:

datamigration.migrationjobs.demoteDestination

Database Migration Service

The following permissions are supported in custom roles:

datamigration.migrationjobs.demoteDestination

Database Migration Service

The following permissions have reached General Availability (GA):

datamigration.migrationjobs.demoteDestination

IAM changes as of 2024-08-09

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Reasoning Engine Service Agent role (roles/aiplatform.reasoningEngineServiceAgent):

cloudtrace.traces.patch

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Backup Vault Admin role (roles/backupdr.backupvaultAdmin):

backupdr.compute.restoreFromBackupVault

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Restore User role (roles/backupdr.restoreUser):

backupdr.compute.restoreFromBackupVault

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR User V2 role (roles/backupdr.userv2):

backupdr.bvbackups.restore
backupdr.compute.restoreFromBackupVault

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

compute.futureReservations.get
compute.futureReservations.list
compute.reservations.get
compute.reservations.list

Google Kubernetes Engine

The Kubernetes Engine Default Node Service Account role (roles/container.defaultNodeServiceAccount) has reached General Availability (GA).

Google Kubernetes Engine

The following permissions have been added to the Kubernetes Engine Service Agent role (roles/container.serviceAgent):

autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.completionConfigs.completeQuery
discoveryengine.servingConfigs.answer

Dataproc Metastore

The following permissions have been added to the Dataproc Metastore Managed Migration Admin role (roles/metastore.migrationAdmin):

datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob

Cloud Monitoring

The following permissions have been added to the Monitoring Service Agent role (roles/monitoring.notificationServiceAgent):

logging.links.list

Service Networking

The following permissions have been removed from the Service Networking Service Agent role (roles/servicenetworking.serviceAgent):

compute.networks.create
compute.networks.delete
compute.networks.update
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
networkconnectivity.internalRanges.list

Cloud Key Management Service

The following permissions have been added:

cloudkms.operations.get

Compute Engine

The following permissions have reached General Availability (GA):

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.futureReservations.setIamPolicy
compute.futureReservations.update

Conversational Insights

The following permissions have been added:

contactcenterinsights.feedbackLabels.download
contactcenterinsights.feedbackLabels.upload
contactcenterinsights.qaScorecardRevisions.delete
contactcenterinsights.qaScorecardRevisions.tune

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.feedbackLabels.download
contactcenterinsights.feedbackLabels.upload
contactcenterinsights.qaScorecardRevisions.tune

BigQuery Engine for Apache Flink

The following permissions have been added:

managedflink.deployments.create
managedflink.deployments.delete
managedflink.deployments.get
managedflink.deployments.list
managedflink.deployments.update
managedflink.jobs.create
managedflink.jobs.delete
managedflink.jobs.get
managedflink.jobs.list
managedflink.jobs.update
managedflink.locations.get
managedflink.locations.list
managedflink.operations.cancel
managedflink.operations.delete
managedflink.operations.get
managedflink.operations.list

BigQuery Engine for Apache Flink

The following permissions are supported in custom roles:

managedflink.deployments.create
managedflink.deployments.delete
managedflink.deployments.get
managedflink.deployments.list
managedflink.deployments.update
managedflink.jobs.create
managedflink.jobs.delete
managedflink.jobs.get
managedflink.jobs.list
managedflink.jobs.update
managedflink.locations.get
managedflink.locations.list
managedflink.operations.cancel
managedflink.operations.delete
managedflink.operations.get
managedflink.operations.list

Network Management API

The following permissions have been added:

networkmanagement.vpcflowlogsconfigs.create
networkmanagement.vpcflowlogsconfigs.delete
networkmanagement.vpcflowlogsconfigs.get
networkmanagement.vpcflowlogsconfigs.list
networkmanagement.vpcflowlogsconfigs.update

Network Management API

The following permissions are supported in custom roles:

networkmanagement.vpcflowlogsconfigs.create
networkmanagement.vpcflowlogsconfigs.delete
networkmanagement.vpcflowlogsconfigs.get
networkmanagement.vpcflowlogsconfigs.list
networkmanagement.vpcflowlogsconfigs.update

Network Management API

The following permissions have reached General Availability (GA):

networkmanagement.vpcflowlogsconfigs.create
networkmanagement.vpcflowlogsconfigs.delete
networkmanagement.vpcflowlogsconfigs.get
networkmanagement.vpcflowlogsconfigs.list
networkmanagement.vpcflowlogsconfigs.update

IAM changes as of 2024-08-02

Service Description
Google Security Operations

The following permissions have been added to the Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent):

compute.firewalls.get
compute.firewalls.update
compute.instances.deleteAccessConfig
compute.instances.updateNetworkInterface
compute.networks.updatePolicy
securitycenter.notificationconfig.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update

Cloud Controls Partner API

The following permissions have been added to the Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin):

cloudcontrolspartner.customers.get

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.entities.get

Dataproc

The following permissions have been added to the Dataproc Worker role (roles/dataproc.worker):

cloudprofiler.profiles.create
cloudprofiler.profiles.update

Data Security Posture Management

The DSPM Service Agent role (roles/dspm.serviceAgent) has reached General Availability (GA).

Backup and Disaster Recovery

The following permissions have been added:

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupVaults.associate
backupdr.compute.restoreFromBackupVault

Backup and Disaster Recovery

The following permissions are supported in custom roles:

backupdr.backupPlanAssociations.create
backupdr.backupPlanAssociations.delete
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackup
backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useComputeInstanceOnly
backupdr.backupVaults.associate
backupdr.compute.restoreFromBackupVault

Chrome Enterprise Premium

The following permissions have been added:

beyondcorp.subscriptions.terminate
beyondcorp.subscriptions.update

Data Catalog

The following permissions have been added:

datacatalog.migrationConfig.get
datacatalog.migrationConfig.set

Data Catalog

The following permissions are supported in custom roles:

datacatalog.migrationConfig.get
datacatalog.migrationConfig.set

Dataform

The following permissions have been added:

dataform.config.get
dataform.config.update

Dataform

The following permissions are supported in custom roles:

dataform.config.get
dataform.config.update

Dataform

The following permissions have reached General Availability (GA):

dataform.config.get
dataform.config.update

Discovery Engine

The following permissions have been added:

discoveryengine.aclConfigs.get
discoveryengine.aclConfigs.update

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.aclConfigs.get
discoveryengine.aclConfigs.update

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.aclConfigs.get
discoveryengine.aclConfigs.update

Memorystore

The following permissions have been added:

memorystore.instances.connect
memorystore.instances.create
memorystore.instances.delete
memorystore.instances.get
memorystore.instances.list
memorystore.instances.update
memorystore.locations.get
memorystore.locations.list
memorystore.operations.cancel
memorystore.operations.delete
memorystore.operations.get
memorystore.operations.list

Memorystore

The following permissions are supported in custom roles:

memorystore.instances.create
memorystore.instances.delete
memorystore.instances.get
memorystore.instances.list
memorystore.instances.update
memorystore.locations.get
memorystore.locations.list
memorystore.operations.cancel
memorystore.operations.delete
memorystore.operations.get
memorystore.operations.list

IAM changes as of 2024-07-26

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Extension Service Agent role (roles/aiplatform.extensionServiceAgent):

aiplatform.locations.get

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

BigQuery

The following permissions have been added to the BigQuery Admin role (roles/bigquery.admin):

dataplex.projects.search

BigQuery

The following permissions have been added to the BigQuery Metadata Viewer role (roles/bigquery.metadataViewer):

dataplex.projects.search

BigQuery

The following permissions have been added to the BigQuery Studio Admin role (roles/bigquery.studioAdmin):

dataplex.projects.search

BigQuery

The following permissions have been added to the BigQuery Studio User role (roles/bigquery.studioUser):

dataplex.projects.search

BigQuery

The following permissions have been added to the BigQuery User role (roles/bigquery.user):

dataplex.projects.search

Google Security Operations

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.dataAccessScopes.list

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dashboardCharts.get
chronicle.dashboardCharts.list
chronicle.dashboardQueries.execute
chronicle.dashboardQueries.get
chronicle.dashboardQueries.list
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

observability.scopes.get

Data Catalog

The following permissions have been added to the Data Catalog Admin role (roles/datacatalog.admin):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog Data Steward role (roles/datacatalog.dataSteward):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog EntryGroup Creator role (roles/datacatalog.entryGroupCreator):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog EntryGroup Owner role (roles/datacatalog.entryGroupOwner):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog Entry Owner role (roles/datacatalog.entryOwner):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog Entry Viewer role (roles/datacatalog.entryViewer):

dataplex.projects.search

Data Catalog

The following permissions have been added to the DataCatalog Search Admin role (roles/datacatalog.searchAdmin):

dataplex.projects.search

Data Catalog

The following permissions have been added to the Data Catalog TagTemplate Creator role (roles/datacatalog.tagTemplateCreator):

dataplex.projects.search

Data Catalog

The following permissions have been added to the Data Catalog TagTemplate Owner role (roles/datacatalog.tagTemplateOwner):

dataplex.projects.search

Data Catalog

The following permissions have been added to the Data Catalog TagTemplate User role (roles/datacatalog.tagTemplateUser):

dataplex.projects.search

Data Catalog

The following permissions have been added to the Data Catalog TagTemplate Viewer role (roles/datacatalog.tagTemplateViewer):

dataplex.projects.search

Data Catalog

The following permissions have been added to the Data Catalog Viewer role (roles/datacatalog.viewer):

dataplex.projects.search

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

dataplex.projects.search
observability.scopes.get

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

dataplex.projects.search

Dataprep by Trifacta

The following permissions have been added to the Dataprep Service Agent role (roles/dataprep.serviceAgent):

dataplex.projects.search

Dataproc

The following permissions have been added to the Dataproc Hub Agent role (roles/dataproc.hubAgent):

observability.scopes.get

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dataplex.projects.search

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dataplex.projects.search

Sensitive Data Protection

The following permissions have been added to the DLP API Service Agent role (roles/dlp.serviceAgent):

dataplex.projects.search

Firebase App Hosting

The Firebase App Hosting Service Agent role (roles/firebaseapphosting.serviceAgent) has reached General Availability (GA).

Cloud Logging

The following permissions have been added to the Logging Admin role (roles/logging.admin):

observability.scopes.get

Cloud Logging

The following permissions have been added to the Logs Configuration Writer role (roles/logging.configWriter):

observability.scopes.get

Cloud Logging

The following permissions have been added to the Private Logs Viewer role (roles/logging.privateLogViewer):

observability.scopes.get

Cloud Logging

The following permissions have been added to the Logs Viewer role (roles/logging.viewer):

observability.scopes.get

Memorystore

The Cloud Memorystore Service Agent role (roles/memorystore.serviceAgent) has reached General Availability (GA).

Telco Automation API

The following permissions have been added to the Telco Automation Admin role (roles/telcoautomation.admin):

observability.scopes.get

Telco Automation API

The following permissions have been added to the Telco Automation Tier 1 Operations Admin role (roles/telcoautomation.opsAdminTier1):

observability.scopes.get

Telco Automation API

The following permissions have been added to the Telco Automation Tier 4 Operations Admin role (roles/telcoautomation.opsAdminTier4):

observability.scopes.get

Apigee

The following permissions have been added:

apigee.securityAssessmentResults.compute

Apigee

The following permissions are supported in custom roles:

apigee.securityAssessmentResults.compute

Apigee

The following permissions have reached General Availability (GA):

apigee.securityAssessmentResults.compute

Google Security Operations

The following permissions have been added:

chronicle.ingestionLogLabels.get
chronicle.ingestionLogLabels.list
chronicle.ingestionLogNamespaces.get
chronicle.ingestionLogNamespaces.list

Google Security Operations

The following permissions are supported in custom roles:

chronicle.ingestionLogLabels.get
chronicle.ingestionLogLabels.list
chronicle.ingestionLogNamespaces.get
chronicle.ingestionLogNamespaces.list

Compute Engine

The following permissions have been added:

compute.externalVpnGateways.createTagBinding
compute.externalVpnGateways.deleteTagBinding
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.routers.createTagBinding
compute.routers.deleteTagBinding
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.targetVpnGateways.createTagBinding
compute.targetVpnGateways.deleteTagBinding
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.createTagBinding
compute.vpnTunnels.deleteTagBinding
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings

Compute Engine

The following permissions are supported in custom roles:

compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.externalVpnGateways.createTagBinding
compute.externalVpnGateways.deleteTagBinding
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.routers.createTagBinding
compute.routers.deleteTagBinding
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.targetVpnGateways.createTagBinding
compute.targetVpnGateways.deleteTagBinding
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.createTagBinding
compute.vpnTunnels.deleteTagBinding
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings

Conversational Insights

The following permissions have been added:

contactcenterinsights.qaQuestions.create
contactcenterinsights.qaQuestions.delete
contactcenterinsights.qaQuestions.update
contactcenterinsights.qaScorecardRevisions.create
contactcenterinsights.qaScorecardRevisions.deploy
contactcenterinsights.qaScorecardRevisions.list
contactcenterinsights.qaScorecards.create
contactcenterinsights.qaScorecards.delete
contactcenterinsights.qaScorecards.update

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.qaQuestions.create
contactcenterinsights.qaQuestions.delete
contactcenterinsights.qaQuestions.update
contactcenterinsights.qaScorecardRevisions.create
contactcenterinsights.qaScorecardRevisions.deploy
contactcenterinsights.qaScorecardRevisions.list
contactcenterinsights.qaScorecards.create
contactcenterinsights.qaScorecards.delete
contactcenterinsights.qaScorecards.update

Dataplex

The following permissions have been added:

dataplex.entryGroups.import
dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.projects.search

Dataplex

The following permissions are supported in custom roles:

dataplex.entryGroups.import
dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.projects.search

Dataplex

The following permissions have reached General Availability (GA):

dataplex.projects.search

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.hardware.create
gdchardwaremanagement.hardware.delete

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.hardware.create
gdchardwaremanagement.hardware.delete

Identity and Access Management

The following permissions have been added:

iam.serviceAccounts.createTagBinding
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings

Identity and Access Management

The following permissions are supported in custom roles:

iam.serviceAccounts.createTagBinding
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings

Retail API

The following permissions have been added:

retail.alertConfigs.get
retail.alertConfigs.update
retail.branches.get
retail.branches.list

Retail API

The following permissions have reached General Availability (GA):

retail.catalogs.exportAnalyticsMetrics

Secret Manager

The following permissions have been added:

secretmanager.secrets.createTagBinding
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings

Secret Manager

The following permissions have reached General Availability (GA):

secretmanager.secrets.createTagBinding
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings

IAM changes as of 2024-07-19

Service Description
Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

serviceusage.services.list

Vertex AI

The following permissions have been added to the Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent):

aiplatform.models.update

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.regions.list
compute.zones.list

Batch

The Batch Administrator role (roles/batch.admin) has reached General Availability (GA).

Batch

The Batch Agent Reporter role (roles/batch.agentReporter) has reached General Availability (GA).

Batch

The Batch Job Editor role (roles/batch.jobsEditor) has reached General Availability (GA).

Batch

The Batch Job Viewer role (roles/batch.jobsViewer) has reached General Availability (GA).

Batch

The Batch ResourceAllowance Editor role (roles/batch.resourceAllowancesEditor) has reached General Availability (GA).

Batch

The Batch ResourceAllowance Viewer role (roles/batch.resourceAllowancesViewer) has reached General Availability (GA).

Recommender

The BigQuery Materialized View Recommender Admin role (roles/recommender.bigqueryMaterializedViewAdmin) has reached General Availability (GA).

Recommender

The BigQuery Materialized View Recommender Viewer role (roles/recommender.bigqueryMaterializedViewViewer) has reached General Availability (GA).

Spectrum Access System (SAS)

The following permissions have been added to the Spectrum SAS Service Agent role (roles/spectrumsas.serviceAgent):

pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Workload Manager

The following permissions have been added to the Workload Manager Workload Viewer role (roles/workloadmanager.workloadViewer):

resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.tuningJobs.cancel
aiplatform.tuningJobs.create
aiplatform.tuningJobs.delete
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
aiplatform.tuningJobs.vertexTune

Batch

The following permissions have been added:

batch.resourceAllowances.create
batch.resourceAllowances.delete
batch.resourceAllowances.get
batch.resourceAllowances.list
batch.resourceAllowances.update

Batch

The following permissions have reached General Availability (GA):

batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.resourceAllowances.create
batch.resourceAllowances.delete
batch.resourceAllowances.get
batch.resourceAllowances.list
batch.resourceAllowances.update
batch.states.report
batch.tasks.get
batch.tasks.list

Cloud Deploy

The following permissions have been added:

clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.update

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.update

Discovery Engine

The following permissions have been added:

discoveryengine.groundingConfigs.check

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.groundingConfigs.check

Google Cloud Managed Service for Apache Kafka

The following permissions have been added:

managedkafka.clusters.connect
managedkafka.clusters.create
managedkafka.clusters.delete
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
managedkafka.consumerGroups.delete
managedkafka.consumerGroups.get
managedkafka.consumerGroups.list
managedkafka.consumerGroups.update
managedkafka.locations.get
managedkafka.locations.list
managedkafka.operations.cancel
managedkafka.operations.delete
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.create
managedkafka.topics.delete
managedkafka.topics.get
managedkafka.topics.list
managedkafka.topics.update

Google Cloud Managed Service for Apache Kafka

The following permissions are supported in custom roles:

managedkafka.clusters.connect
managedkafka.clusters.create
managedkafka.clusters.delete
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
managedkafka.consumerGroups.delete
managedkafka.consumerGroups.get
managedkafka.consumerGroups.list
managedkafka.consumerGroups.update
managedkafka.locations.get
managedkafka.locations.list
managedkafka.operations.cancel
managedkafka.operations.delete
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.create
managedkafka.topics.delete
managedkafka.topics.get
managedkafka.topics.list
managedkafka.topics.update

Recommender

The following permissions have reached General Availability (GA):

recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewInsights.update
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryMaterializedViewRecommendations.update

IAM changes as of 2024-07-12

Service Description
Gemini for Google Cloud API

The following permissions have been added to the Cloud AI Companion Service Agent role (roles/cloudaicompanion.serviceAgent):

monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

Cloud Commerce Consumer Procurement

The following permissions have been added to the Consumer Procurement Entitlement Manager role (roles/consumerprocurement.entitlementManager):

commerceoffercatalog.offers.get

Cloud Commerce Consumer Procurement

The following permissions have been added to the Consumer Procurement Entitlement Viewer role (roles/consumerprocurement.entitlementViewer):

commerceoffercatalog.offers.get

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/run.serviceAgent):

networkservices.meshes.get

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.import

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.clusters.import

API Management

The following permissions have been added:

apim.apiObservations.batchEditTags
apim.locations.listApiObservationTags

API Management

The following permissions are supported in custom roles:

apim.apiObservations.batchEditTags
apim.locations.listApiObservationTags

Spanner

The following permissions have been added:

spanner.databases.changequorum

Spanner

The following permissions have reached General Availability (GA):

spanner.databases.changequorum

IAM changes as of 2024-07-05

Service Description
Cloud TPU

The following permissions have been added to the Cloud TPU V2 API Service Agent role (roles/cloudtpu.serviceAgent):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
resourcemanager.hierarchyNodes.listEffectiveTags

Compute Engine

The following permissions have been added to the Compute Network Admin role (roles/compute.networkAdmin):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list

Compute Engine

The following permissions have been added to the Compute Network User role (roles/compute.networkUser):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list

Compute Engine

The following permissions have been added to the Compute Network Viewer role (roles/compute.networkViewer):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list

Google Kubernetes Engine

The following permissions have been added to the Kubernetes Engine Service Agent role (roles/container.serviceAgent):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
resourcemanager.hierarchyNodes.listEffectiveTags

Cloud Data Fusion

The following permissions have been added to the Cloud Data Fusion API Service Agent role (roles/datafusion.serviceAgent):

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
resourcemanager.hierarchyNodes.listEffectiveTags

Data Pipelines

The following permissions have been added to the Datapipelines Service Agent role (roles/datapipelines.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.createTagBinding
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listEffectiveTags
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.createTagBinding
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listEffectiveTags
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings

Sensitive Data Protection

The following permissions have been added to the DLP API Service Agent role (roles/dlp.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Firebase

The following permissions have been added to the Firebase Admin role (roles/firebase.admin):

resourcemanager.hierarchyNodes.listEffectiveTags

Firebase

The following permissions have been added to the Firebase Develop Admin role (roles/firebase.developAdmin):

resourcemanager.hierarchyNodes.listEffectiveTags

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.update
logging.queries.usePrivate

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.update
logging.queries.usePrivate

Dataproc Metastore

The Dataproc Metastore Managed Migration Admin role (roles/metastore.migrationAdmin) has reached General Availability (GA).

Dataproc Metastore

The following permissions have been added to the Dataproc Metastore Managed Migration Admin role (roles/metastore.migrationAdmin):

compute.regionHealthChecks.use

AI Platform

The following permissions have been added to the AI Platform Service Agent role (roles/ml.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Cloud Monitoring

The following permissions have been added to the Monitoring Service Agent role (roles/monitoring.notificationServiceAgent):

bigquery.jobs.create

Cloud Storage

The following permissions have been added to the Storage Admin role (roles/storage.admin):

resourcemanager.hierarchyNodes.listEffectiveTags

Vision AI

The following permissions have been added to the Cloud Vision AI Service Agent role (roles/visionai.serviceAgent):

aiplatform.endpoints.predict

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

resourcemanager.hierarchyNodes.listEffectiveTags

Vertex AI

The following permissions have been added:

aiplatform.modelMonitoringJobs.create
aiplatform.modelMonitoringJobs.delete
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.create
aiplatform.modelMonitors.delete
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.modelMonitors.update

Bare Metal Solution

The following permissions have been added:

baremetalsolution.pods.list

Bare Metal Solution

The following permissions are supported in custom roles:

baremetalsolution.pods.list

Bare Metal Solution

The following permissions have reached General Availability (GA):

baremetalsolution.pods.list

Bigtable

The following permissions have been added:

bigtable.instances.executeQuery

Discovery Engine

The following permissions have been added:

discoveryengine.answers.get
discoveryengine.completionConfigs.completeQuery
discoveryengine.evaluations.create
discoveryengine.evaluations.get
discoveryengine.evaluations.list
discoveryengine.rankingConfigs.rank
discoveryengine.sampleQueries.create
discoveryengine.sampleQueries.delete
discoveryengine.sampleQueries.get
discoveryengine.sampleQueries.import
discoveryengine.sampleQueries.list
discoveryengine.sampleQueries.update
discoveryengine.sampleQuerySets.create
discoveryengine.sampleQuerySets.delete
discoveryengine.sampleQuerySets.get
discoveryengine.sampleQuerySets.list
discoveryengine.sampleQuerySets.update
discoveryengine.servingConfigs.answer
discoveryengine.sessions.create
discoveryengine.sessions.delete
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.sessions.update

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.answers.get
discoveryengine.completionConfigs.completeQuery
discoveryengine.evaluations.create
discoveryengine.evaluations.get
discoveryengine.evaluations.list
discoveryengine.rankingConfigs.rank
discoveryengine.sampleQueries.create
discoveryengine.sampleQueries.delete
discoveryengine.sampleQueries.get
discoveryengine.sampleQueries.import
discoveryengine.sampleQueries.list
discoveryengine.sampleQueries.update
discoveryengine.sampleQuerySets.create
discoveryengine.sampleQuerySets.delete
discoveryengine.sampleQuerySets.get
discoveryengine.sampleQuerySets.list
discoveryengine.sampleQuerySets.update
discoveryengine.servingConfigs.answer
discoveryengine.sessions.create
discoveryengine.sessions.delete
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.sessions.update

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.answers.get
discoveryengine.servingConfigs.answer
discoveryengine.sessions.create
discoveryengine.sessions.delete
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.sessions.update

Firebase Data Connect

The following permissions have been added:

firebasedataconnect.connectorRevisions.delete
firebasedataconnect.connectorRevisions.get
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.create
firebasedataconnect.connectors.delete
firebasedataconnect.connectors.get
firebasedataconnect.connectors.list
firebasedataconnect.connectors.update
firebasedataconnect.locations.get
firebasedataconnect.locations.list
firebasedataconnect.operations.cancel
firebasedataconnect.operations.delete
firebasedataconnect.operations.get
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.delete
firebasedataconnect.schemaRevisions.get
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.create
firebasedataconnect.schemas.delete
firebasedataconnect.schemas.get
firebasedataconnect.schemas.list
firebasedataconnect.schemas.update
firebasedataconnect.services.create
firebasedataconnect.services.delete
firebasedataconnect.services.executeGraphql
firebasedataconnect.services.executeGraphqlRead
firebasedataconnect.services.get
firebasedataconnect.services.list
firebasedataconnect.services.update

Firebase Data Connect

The following permissions are supported in custom roles:

firebasedataconnect.connectorRevisions.delete
firebasedataconnect.connectorRevisions.get
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.create
firebasedataconnect.connectors.delete
firebasedataconnect.connectors.get
firebasedataconnect.connectors.list
firebasedataconnect.connectors.update
firebasedataconnect.locations.get
firebasedataconnect.locations.list
firebasedataconnect.operations.cancel
firebasedataconnect.operations.delete
firebasedataconnect.operations.get
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.delete
firebasedataconnect.schemaRevisions.get
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.create
firebasedataconnect.schemas.delete
firebasedataconnect.schemas.get
firebasedataconnect.schemas.list
firebasedataconnect.schemas.update
firebasedataconnect.services.create
firebasedataconnect.services.delete
firebasedataconnect.services.executeGraphql
firebasedataconnect.services.executeGraphqlRead
firebasedataconnect.services.get
firebasedataconnect.services.list
firebasedataconnect.services.update

Identity and Access Management

The following permissions have been added:

iam.operations.get
iam.policybindings.get
iam.policybindings.list
iam.principalaccessboundarypolicies.bind
iam.principalaccessboundarypolicies.create
iam.principalaccessboundarypolicies.delete
iam.principalaccessboundarypolicies.get
iam.principalaccessboundarypolicies.list
iam.principalaccessboundarypolicies.searchPolicyBindings
iam.principalaccessboundarypolicies.unbind
iam.principalaccessboundarypolicies.update
iam.workforcePools.createPolicyBinding
iam.workforcePools.deletePolicyBinding
iam.workforcePools.searchPolicyBindings
iam.workforcePools.updatePolicyBinding
iam.workloadIdentityPools.createPolicyBinding
iam.workloadIdentityPools.deletePolicyBinding
iam.workloadIdentityPools.searchPolicyBindings
iam.workloadIdentityPools.updatePolicyBinding
iam.workspacePools.createPolicyBinding
iam.workspacePools.deletePolicyBinding
iam.workspacePools.searchPolicyBindings
iam.workspacePools.updatePolicyBinding

Identity and Access Management

The following permissions have been added:

iam.googleapis.com/workforcePools.createPolicyBinding
iam.googleapis.com/workforcePools.deletePolicyBinding
iam.googleapis.com/workforcePools.searchPolicyBindings
iam.googleapis.com/workforcePools.updatePolicyBinding
iam.googleapis.com/workspacePools.createPolicyBinding
iam.googleapis.com/workspacePools.deletePolicyBinding
iam.googleapis.com/workspacePools.searchPolicyBindings
iam.googleapis.com/workspacePools.updatePolicyBinding

Dataproc Metastore

The following permissions have reached General Availability (GA):

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

Google Cloud Observability

The following permissions have been added:

observability.scopes.get
observability.scopes.update

Resource Manager

The following permissions have been added:

resourcemanager.folders.createPolicyBinding
resourcemanager.folders.deletePolicyBinding
resourcemanager.folders.searchPolicyBinding
resourcemanager.folders.searchPolicyBindings
resourcemanager.folders.updatePolicyBinding
resourcemanager.organizations.createPolicyBinding
resourcemanager.organizations.deletePolicyBinding
resourcemanager.organizations.searchPolicyBinding
resourcemanager.organizations.searchPolicyBindings
resourcemanager.organizations.updatePolicyBinding
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.searchPolicyBinding
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.updatePolicyBinding

IAM changes as of 2024-06-14

Service Description

Config Management

The following permissions have been added to the Anthos Config Management Service Agent role (roles/anthosconfigmanagement.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

GKE Identity Service

The following permissions have been added to the Anthos Identity Service Agent role (roles/anthosidentityservice.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Policy Controller

The following permissions have been added to the Anthos Policy Controller Service Agent role (roles/anthospolicycontroller.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

gkehub.gateway.generateCredentials

App Development Experience

The following permissions have been added to the App Development Experience Service Agent role (roles/appdevelopmentexperience.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Backup and Disaster Recovery

The Backup and DR Management Server Accessor role (roles/backupdr.managementServerAccessor) has been added with the following permissions:

backupdr.googleapis.com/managementServers.createConnection
backupdr.managementServers.createConnection

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list

Google Security Operations

The following permissions have been added to the Chronicle Service Agent role (roles/chronicle.serviceAgent):

bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
storage.objects.delete

Google Security Operations

The following permissions have been added to the Chronicle SOAR Admin role (roles/chronicle.soarAdmin):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent):

securitycenter.findings.setMute
securitycenter.findings.update
securitycenter.sources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Threat Manager role (roles/chronicle.soarThreatManager):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Vulnerability Manager role (roles/chronicle.soarVulnerabilityManager):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Config Delivery

The following permissions have been added to the Config Delivery Service Agent role (roles/configdelivery.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get

GKE Hub

The following permissions have been added to the GKE Hub Service Agent role (roles/gkehub.serviceAgent):

gkehub.gateway.generateCredentials

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Multi-Cluster Metering

The following permissions have been added to the Multi-cluster metering Service Agent role (roles/multiclustermetering.serviceAgent):

gkehub.gateway.generateCredentials

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Network Connectivity Center

The Regional Endpoint Admin role (roles/networkconnectivity.regionalEndpointAdmin) has reached General Availability (GA).

Network Connectivity Center

The Regional Endpoint Viewer role (roles/networkconnectivity.regionalEndpointViewer) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Admin role (roles/privilegedaccessmanager.admin) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Viewer role (roles/privilegedaccessmanager.viewer) has reached General Availability (GA).

Secure Source Manager

The Secure Source Manager Service Agent role (roles/securesourcemanager.serviceAgent) has reached General Availability (GA).

Service Directory

The following permissions have been added to the Service Directory Service Agent role (roles/servicedirectory.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Personalized Service Health

The Personalized Service Health Viewer role (roles/servicehealth.viewer) has reached General Availability (GA).

Spectrum Access System (SAS)

The Spectrum SAS Service Agent role (roles/spectrumsas.serviceAgent) has reached General Availability (GA).

Google Security Operations

The following permissions have been added:

chronicle.dashboardCharts.get
chronicle.dashboardCharts.list
chronicle.dashboardQueries.execute
chronicle.dashboardQueries.get
chronicle.dashboardQueries.list
chronicle.nativeDashboards.create
chronicle.nativeDashboards.delete
chronicle.nativeDashboards.duplicate
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.nativeDashboards.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dashboardCharts.get
chronicle.dashboardCharts.list
chronicle.dashboardQueries.execute
chronicle.dashboardQueries.get
chronicle.dashboardQueries.list
chronicle.nativeDashboards.create
chronicle.nativeDashboards.delete
chronicle.nativeDashboards.duplicate
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.nativeDashboards.update

Config Delivery

The following permissions have been added:

configdelivery.fleetPackages.create
configdelivery.fleetPackages.delete
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.fleetPackages.update
configdelivery.locations.get
configdelivery.locations.list
configdelivery.operations.cancel
configdelivery.operations.delete
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.delete
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.delete
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
configdelivery.rollouts.abort
configdelivery.rollouts.get
configdelivery.rollouts.list
configdelivery.rollouts.resume
configdelivery.rollouts.suspend

Config Delivery

The following permissions are supported in custom roles:

configdelivery.fleetPackages.create
configdelivery.fleetPackages.delete
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.fleetPackages.update
configdelivery.locations.get
configdelivery.locations.list
configdelivery.operations.cancel
configdelivery.operations.delete
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.delete
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.delete
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
configdelivery.rollouts.abort
configdelivery.rollouts.get
configdelivery.rollouts.list
configdelivery.rollouts.resume
configdelivery.rollouts.suspend

Dataproc Resource Manager

The following permissions have been added:

dataprocrm.locations.get
dataprocrm.locations.list
dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update
dataprocrm.operations.cancel
dataprocrm.operations.delete
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

Dataproc Resource Manager

The following permissions are supported in custom roles:

dataprocrm.locations.get
dataprocrm.locations.list
dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update
dataprocrm.operations.cancel
dataprocrm.operations.delete
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

GKE Hub

The following permissions have been added:

gkehub.gateway.generateCredentials

GKE Hub

The following permissions are supported in custom roles:

gkehub.gateway.generateCredentials

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.gateway.generateCredentials

Maps Analytics

The following permissions have been added:

mapsanalytics.metricData.queryMobilitySolutionsOverageData

Maps Analytics

The following permissions are supported in custom roles:

mapsanalytics.metricData.queryMobilitySolutionsOverageData

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Privileged Access Manager

The following permissions have reached General Availability (GA):

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.checkOnboardingStatus
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Personalized Service Health

The following permissions have reached General Availability (GA):

servicehealth.events.get
servicehealth.events.list
servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

Spanner

The following permissions have been added:

spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update

Spanner

The following permissions are supported in custom roles:

spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update

Workload Manager

The following permissions have been added:

workloadmanager.discoveredprofiles.get
workloadmanager.discoveredprofiles.getHealth
workloadmanager.discoveredprofiles.list

IAM changes as of 2024-05-31

Service Description
Assured Workloads

The following permissions have been added to the Assured Workloads Administrator role (roles/assuredworkloads.admin):

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

Assured Workloads

The following permissions have been added to the Assured Workloads Editor role (roles/assuredworkloads.editor):

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

Assured Workloads

The following permissions have been added to the Assured Workloads Reader role (roles/assuredworkloads.reader):

orgpolicy.policies.list

Google Cloud Support

The following permissions have been added to the Tech Support Editor role (roles/cloudsupport.techSupportEditor):

billing.resourceAssociations.list

Config Delivery

The Config Delivery Service Agent role (roles/configdelivery.serviceAgent) has reached General Availability (GA).

Workload Manager

The following permissions have been added to the Workload Manager Service Agent role (roles/workloadmanager.serviceAgent):

cloudasset.assets.listAccessPolicy
cloudasset.assets.listIamPolicy
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listResource
serviceusage.services.use

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings

BigQuery

The following permissions have been added:

bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

BigQuery

The following permissions have reached General Availability (GA):

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

Cloud Logging

The following permissions have been added:

logging.queries.usePrivate

Cloud Logging

The following permissions are supported in custom roles:

logging.queries.usePrivate

Cloud Logging

The following permissions have reached General Availability (GA):

logging.queries.usePrivate

IAM changes as of 2024-05-24

Service Description
Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

secretmanager.secrets.list

Gemini for Google Cloud API

The Cloud AI Companion Service Agent role (roles/cloudaicompanion.serviceAgent) has been added with the following permissions:

cloudbuild.connections.get
cloudbuild.googleapis.com/connections.get
cloudbuild.googleapis.com/repositories.accessReadToken
cloudbuild.googleapis.com/repositories.fetchGitRefs
cloudbuild.googleapis.com/repositories.get
cloudbuild.googleapis.com/repositories.list
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.googleapis.com/connections.get
developerconnect.googleapis.com/gitRepositoryLinks.fetchGitRefs
developerconnect.googleapis.com/gitRepositoryLinks.fetchReadToken
developerconnect.googleapis.com/gitRepositoryLinks.get
developerconnect.googleapis.com/gitRepositoryLinks.list
logging.googleapis.com/logEntries.create
logging.googleapis.com/logEntries.route
logging.logEntries.create
logging.logEntries.route
serviceusage.googleapis.com/services.use
serviceusage.services.use

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

dataproc.sessionTemplates.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

eventarc.operations.get

GKE Hub

The following permissions have been added to the Fleet Project-level Scope Viewer role (roles/gkehub.scopeViewerProjectLevel):

monitoring.timeSeries.list

GKE Hub

The following permissions have been added to the GKE Hub Service Agent role (roles/gkehub.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Multi-Cluster Metering

The following permissions have been added to the Multi-cluster metering Service Agent role (roles/multiclustermetering.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Basic Role

The following permissions have been added to the Owner role (roles/owner):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Route Optimization

The Route Optimization Editor role (roles/routeoptimization.editor) has reached General Availability (GA).

Route Optimization

The Route Optimization Viewer role (roles/routeoptimization.viewer) has reached General Availability (GA).

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Command Center

The following permissions have been added to the Security Center Settings Admin role (roles/securitycenter.settingsAdmin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Command Center

The following permissions have been added to the Security Center Settings Editor role (roles/securitycenter.settingsEditor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The Security Center Management Services Editor role (roles/securitycentermanagement.securityCenterServicesEditor) has reached General Availability (GA).

Security Center Management API

The Security Center Management Services Viewer role (roles/securitycentermanagement.securityCenterServicesViewer) has reached General Availability (GA).

Security Center Management API

The following permissions have been added to the Security Center Management Admin role (roles/securitycentermanagement.admin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The following permissions have been added to the Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

chronicle.logs.import

Vertex AI

The following permissions have been added:

aiplatform.featureOnlineStores.getIamPolicy
aiplatform.featureOnlineStores.setIamPolicy
aiplatform.featureViews.getIamPolicy
aiplatform.featureViews.setIamPolicy

Google Security Operations

The following permissions have been added:

chronicle.dataTableRows.asyncBulkCreate
chronicle.dataTableRows.asyncBulkReplace
chronicle.dataTableRows.asyncBulkUpdate
chronicle.dataTableRows.bulkCreate
chronicle.dataTableRows.bulkReplace
chronicle.dataTableRows.bulkUpdate
chronicle.dataTables.bulkCreateDataTableAsync

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataTableRows.asyncBulkCreate
chronicle.dataTableRows.asyncBulkReplace
chronicle.dataTableRows.asyncBulkUpdate
chronicle.dataTableRows.bulkCreate
chronicle.dataTableRows.bulkReplace
chronicle.dataTableRows.bulkUpdate
chronicle.dataTables.bulkCreateDataTableAsync

Cloud Data Fusion

The following permissions have been added:

datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings

Cloud Data Fusion

The following permissions have reached General Availability (GA):

datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings

Live Stream

The following permissions have been added:

livestream.clips.create
livestream.clips.get
livestream.clips.list

Live Stream

The following permissions are supported in custom roles:

livestream.clips.create
livestream.clips.get
livestream.clips.list

Live Stream

The following permissions have reached General Availability (GA):

livestream.clips.create
livestream.clips.get
livestream.clips.list

Cloud Logging

The following permissions have been added:

logging.queries.deleteShared
logging.queries.getShared

Cloud Logging

The following permissions are supported in custom roles:

logging.queries.deleteShared
logging.queries.getShared

Cloud Logging

The following permissions have reached General Availability (GA):

logging.queries.deleteShared
logging.queries.getShared

Network Services

The following permissions have been added:

networkservices.route_views.get
networkservices.route_views.list

reCAPTCHA

The following permissions have been added:

recaptchaenterprise.firewallpolicies.create
recaptchaenterprise.firewallpolicies.delete
recaptchaenterprise.firewallpolicies.get
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.firewallpolicies.update

reCAPTCHA

The following permissions are supported in custom roles:

recaptchaenterprise.firewallpolicies.create
recaptchaenterprise.firewallpolicies.delete
recaptchaenterprise.firewallpolicies.get
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.firewallpolicies.update

Route Optimization

The following permissions have been added:

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Route Optimization

The following permissions are supported in custom roles:

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Route Optimization

The following permissions have reached General Availability (GA):

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update

IAM changes as of 2024-05-10

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.notebookRuntimeTemplates.update

Vertex AI

The following permissions have been added to the Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent):

compute.instances.getGuestAttributes

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin):

aiplatform.notebookRuntimeTemplates.update

Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

aiplatform.endpoints.get
aiplatform.models.get

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune
compute.instances.getGuestAttributes

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Vertex AI Viewer role (roles/aiplatform.viewer):

aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list

API Hub

The following permissions have been added to the Cloud API Hub Editor role (roles/apihub.editor):

apihub.operations.get
apihub.operations.list

API Hub

The following permissions have been removed from the Cloud API Hub Editor role (roles/apihub.editor):

apihub.styleGuides.update

API Hub

The following permissions have been added to the Cloud API hub Provisioning Admin role (roles/apihub.provisioningAdmin):

apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list

API Hub

The following permissions have been added to the Cloud API hub Viewer role (roles/apihub.viewer):

apihub.operations.get
apihub.operations.list

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

bigquery.datasets.get

BigQuery

The following permissions have been added to the BigQuery Studio Admin role (roles/bigquery.studioAdmin):

aiplatform.notebookRuntimeTemplates.update

Blockchain Node Engine

The Blockchain Node Engine Service Agent role (roles/blockchainnodeengine.serviceAgent) has reached General Availability (GA).

Google Security Operations

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.instances.logTypeClassifier

Google Security Operations

The following permissions have been added to the Chronicle API Editor role (roles/chronicle.editor):

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.logTypeClassifier
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Google Security Operations

The following permissions have been removed from the Chronicle API Editor role (roles/chronicle.editor):

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions have been added to the Chronicle Service Agent role (roles/chronicle.serviceAgent):

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use
bigquery.datasets.create
bigquery.tables.update
bigquery.tables.updateData
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.get

Google Security Operations

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.instances.logTypeClassifier
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Google Security Operations

The following permissions have been removed from the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.instances.generateWorkspaceConnectionToken

Cloud Build

The following permissions have been added to the Cloud Build Service Agent role (roles/cloudbuild.serviceAgent):

compute.networkAttachments.get
compute.networkAttachments.update
compute.regionOperations.get

Conversational Insights

The following permissions have been added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.qaScorecardRevisions.get

Conversational Insights

The following permissions have been added to the Contact Center AI Insights viewer role (roles/contactcenterinsights.viewer):

contactcenterinsights.qaScorecardRevisions.get

Dataform

The Code Creator role (roles/dataform.codeCreator) has reached General Availability (GA).

Dataform

The Code Editor role (roles/dataform.codeEditor) has reached General Availability (GA).

Dataform

The Code Owner role (roles/dataform.codeOwner) has reached General Availability (GA).

Dataform

The Code Viewer role (roles/dataform.codeViewer) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

resourcemanager.projects.get
resourcemanager.projects.list

Discovery Engine

The following permissions have been added to the Discovery Engine Editor role (roles/discoveryengine.editor):

resourcemanager.projects.get
resourcemanager.projects.list

Discovery Engine

The following permissions have been added to the Discovery Engine Viewer role (roles/discoveryengine.viewer):

resourcemanager.projects.get
resourcemanager.projects.list

Sensitive Data Protection

The DLP File Store Data Profiles Admin role (roles/dlp.fileStoreProfilesAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP File Store Data Profiles Reader role (roles/dlp.fileStoreProfilesReader) has reached General Availability (GA).

Sensitive Data Protection

The following permissions have been added to the DLP Administrator role (roles/dlp.admin):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Cloud DNS

The Cloud DNS Service Agent role (roles/dns.serviceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

GKE Hub

The Fleet Scope Admin role (roles/gkehub.scopeAdmin) has reached General Availability (GA).

GKE Hub

The Fleet Scope Editor role (roles/gkehub.scopeEditor) has reached General Availability (GA).

GKE Hub

The Fleet Project-level Scope Editor role (roles/gkehub.scopeEditorProjectLevel) has reached General Availability (GA).

GKE Hub

The Fleet Project-level Scope Viewer role (roles/gkehub.scopeViewerProjectLevel) has reached General Availability (GA).

Google Cloud Managed Service for Apache Kafka

The Managed Kafka Service Agent role (roles/managedkafka.serviceAgent) has reached General Availability (GA).

Progressive Rollout

The Progressive Rollout Service Agent role (roles/progressiverollout.serviceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

datamigration.conversionworkspaces.commit

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

serviceusage.services.get

Vertex AI

The following permissions have been added:

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.consents.get
aiplatform.consents.update
aiplatform.notebookExecutionJobs.create
aiplatform.notebookExecutionJobs.delete
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.reasoningEngines.create
aiplatform.reasoningEngines.delete
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.reasoningEngines.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.cancel
aiplatform.tuningJobs.create
aiplatform.tuningJobs.delete
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.notebookRuntimeTemplates.update

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.export

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.clusters.export

Google Security Operations

The following permissions have been added:

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.logTypeClassifier

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.logTypeClassifier

Cloud Key Management Service

The following permissions have been added:

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update
cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.projects.showEffectiveAutokeyConfig

Conversational Insights

The following permissions have been added:

contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list

Developer Connect

The following permissions have been added:

developerconnect.connections.constructGitHubAppManifest
developerconnect.connections.create
developerconnect.connections.delete
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.generateGitHubStateToken
developerconnect.connections.get
developerconnect.connections.list
developerconnect.connections.processGitHubAppCreationCallback
developerconnect.connections.processGitHubOAuthCallback
developerconnect.connections.update
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.cancel
developerconnect.operations.delete
developerconnect.operations.get
developerconnect.operations.list

Developer Connect

The following permissions are supported in custom roles:

developerconnect.connections.constructGitHubAppManifest
developerconnect.connections.create
developerconnect.connections.delete
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.generateGitHubStateToken
developerconnect.connections.get
developerconnect.connections.list
developerconnect.connections.processGitHubAppCreationCallback
developerconnect.connections.processGitHubOAuthCallback
developerconnect.connections.update
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.cancel
developerconnect.operations.delete
developerconnect.operations.get
developerconnect.operations.list

Sensitive Data Protection

The following permissions have been added:

dlp.fileStoreProfiles.delete
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.fileStoreProfiles.delete
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list

GKE Hub

The following permissions have been added:

gke.fleets.create
gke.fleets.delete
gke.fleets.get
gke.fleets.update

reCAPTCHA

The following permissions have been added:

recaptchaenterprise.projectmetadata.get
recaptchaenterprise.projectmetadata.update

Security Command Center

The following permissions have been added:

securitycenter.vulnerabilitysnapshots.list

IAM changes as of 2024-04-26

Service Description
API Hub

The API-Hub Runtime Project Service Agent role (roles/apihub.runtimeProjectServiceAgent) has reached General Availability (GA).

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

resourcemanager.folders.get

Cloud Infrastructure Entitlement Management (CIEM)

The CIEM Service Agent role (roles/ciem.serviceAgent) has reached General Availability (GA).

Cloud Deploy

The Cloud Deploy Custom Target Type Admin role (roles/clouddeploy.customTargetTypeAdmin) has reached General Availability (GA).

Compute Engine

The following permissions have been added to the Compute Instance Admin (beta) role (roles/compute.instanceAdmin):

compute.resourcePolicies.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

compute.resourcePolicies.list

Firebase Data Connect

The Firebase Data Connect Service Agent role (roles/firebasedataconnect.serviceAgent) has reached General Availability (GA).

Cloud OS Config

The following permissions have been added to the Cloud OS Config Service Agent role (roles/osconfig.serviceAgent):

compute.projects.get
compute.projects.setCommonInstanceMetadata
osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

securitycentermanagement.securityCommandCenter.activate

Security Command Center

The following permissions have been added to the Security Center Settings Admin role (roles/securitycenter.settingsAdmin):

securitycentermanagement.securityCommandCenter.activate

Security Command Center

The following permissions have been added to the Security Center Settings Editor role (roles/securitycenter.settingsEditor):

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have been added to the Security Center Management Admin role (roles/securitycentermanagement.admin):

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have been added to the Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor):

securitycentermanagement.securityCommandCenter.activate

API Management

The following permissions have been added:

apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.locations.get
apim.locations.list
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

API Management

The following permissions are supported in custom roles:

apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.locations.get
apim.locations.list
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

Cloud Deploy

The following permissions have reached General Availability (GA):

clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCommandCenter.activate

Video Stitcher API

The following permissions have been added:

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

Video Stitcher API

The following permissions are supported in custom roles:

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

Video Stitcher API

The following permissions have reached General Availability (GA):

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

IAM changes as of 2024-04-19

Service Description
Vertex AI

The Vertex AI Model Monitoring Service Agent role (roles/aiplatform.modelMonitoringServiceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Admin role (roles/alloydb.admin):

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Viewer role (roles/alloydb.viewer):

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list

API Management

The APIM API Discovery Service Agent role (roles/apim.apiDiscoveryServiceAgent) has been added with the following permissions:

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.googleapis.com/backendServices.create
compute.googleapis.com/backendServices.delete
compute.googleapis.com/backendServices.get
compute.googleapis.com/backendServices.list
compute.googleapis.com/backendServices.update
compute.googleapis.com/backendServices.use
compute.googleapis.com/globalOperations.get
compute.googleapis.com/networks.use
compute.googleapis.com/regionBackendServices.create
compute.googleapis.com/regionBackendServices.delete
compute.googleapis.com/regionBackendServices.get
compute.googleapis.com/regionBackendServices.list
compute.googleapis.com/regionBackendServices.update
compute.googleapis.com/regionBackendServices.use
compute.googleapis.com/regionNetworkEndpointGroups.attachNetworkEndpoints
compute.googleapis.com/regionNetworkEndpointGroups.create
compute.googleapis.com/regionNetworkEndpointGroups.delete
compute.googleapis.com/regionNetworkEndpointGroups.detachNetworkEndpoints
compute.googleapis.com/regionNetworkEndpointGroups.get
compute.googleapis.com/regionNetworkEndpointGroups.list
compute.googleapis.com/regionNetworkEndpointGroups.use
compute.googleapis.com/regionOperations.get
compute.googleapis.com/subnetworks.use
compute.networks.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionOperations.get
compute.subnetworks.use
networkservices.googleapis.com/operations.cancel
networkservices.googleapis.com/operations.delete
networkservices.googleapis.com/operations.get
networkservices.googleapis.com/operations.list
networkservices.googleapis.com/projectLbObservabilityExtensions.create
networkservices.googleapis.com/projectLbObservabilityExtensions.delete
networkservices.googleapis.com/projectLbObservabilityExtensions.get
networkservices.googleapis.com/projectLbObservabilityExtensions.list
networkservices.googleapis.com/projectLbObservabilityExtensions.update
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.projectLbObservabilityExtensions.create
networkservices.projectLbObservabilityExtensions.delete
networkservices.projectLbObservabilityExtensions.get
networkservices.projectLbObservabilityExtensions.list
networkservices.projectLbObservabilityExtensions.update

Assured Open Source Software

The following permissions have been added to the Assured OSS Admin role (roles/assuredoss.admin):

iam.serviceAccountKeys.create
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.list

Assured Open Source Software

The following permissions have been added to the Assured OSS Project Admin role (roles/assuredoss.projectAdmin):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.list

Assured Open Source Software

The following permissions have been added to the Assured OSS Reader role (roles/assuredoss.reader):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Assured Workloads

The following permissions have been added to the Assured Workloads Service Agent role (roles/assuredworkloads.serviceAgent):

orgpolicy.policies.list
orgpolicy.policy.get

Audit Manager

The following permissions have been added to the Audit Manager Admin role (roles/auditmanager.admin):

cloudasset.assets.searchAllResources

Audit Manager

The following permissions have been added to the Audit Manager Auditor role (roles/auditmanager.auditor):

cloudasset.assets.searchAllResources

Compliance Scanning

The Compliance Scanning Service Agent role (roles/compliancescanning.serviceAgent) has reached General Availability (GA).

Cloud Config Manager API

The following permissions have been added to the Cloud Infrastructure Manager Agent role (roles/config.agent):

monitoring.timeSeries.list

Conversational Insights

The following permissions have been added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Conversational Insights

The following permissions have been added to the Contact Center AI Insights viewer role (roles/contactcenterinsights.viewer):

contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.databases.list

Dataplex

The Dataplex Catalog Admin role (roles/dataplex.catalogAdmin) has reached General Availability (GA).

Dataplex

The Dataplex Catalog Editor role (roles/dataplex.catalogEditor) has reached General Availability (GA).

Dataplex

The Dataplex Catalog Viewer role (roles/dataplex.catalogViewer) has reached General Availability (GA).

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

aiplatform.extensions.execute
aiplatform.extensions.get

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

alloydb.databases.list
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Service Agent role (roles/edgecontainer.serviceAgent):

serviceusage.services.list

Basic Role

The following permissions have been added to the Editor role (roles/editor):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

serviceusage.services.list

ML Kit for Firebase

The Firebase Machine Learning Service Agent role (roles/firebaseml.serviceAgent) has reached General Availability (GA).

GKE Hub

The Fleet Scope Viewer role (roles/gkehub.scopeViewer) has reached General Availability (GA).

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

contactcenterinsights.feedbackLabels.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

contactcenterinsights.feedbackLabels.list

Cloud OS Config

The Project Feature Settings Editor role (roles/osconfig.projectFeatureSettingsEditor) has reached General Availability (GA).

Cloud OS Config

The Project Feature Settings Viewer role (roles/osconfig.projectFeatureSettingsViewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Owner role (roles/owner):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

iam.serviceAccountKeys.create
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list

Security Command Center

The following permissions have been added to the Security Center Admin Editor role (roles/securitycenter.adminEditor):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list

Security Command Center

The following permissions have been added to the Security Center Admin Viewer role (roles/securitycenter.adminViewer):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list

Security Center Management API

The Security Center Management Admin role (roles/securitycentermanagement.admin) has reached General Availability (GA).

Security Center Management API

The Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor) has reached General Availability (GA).

Security Center Management API

The Security Center Management Settings Viewer role (roles/securitycentermanagement.settingsViewer) has reached General Availability (GA).

Security Center Management API

The Security Center Management Viewer role (roles/securitycentermanagement.viewer) has reached General Availability (GA).

Service Networking

The following permissions have been added to the Service Networking Service Agent role (roles/servicenetworking.serviceAgent):

networkconnectivity.internalRanges.list

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list

Gemini for Google Cloud API

The following permissions have been added:

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText

Gemini for Google Cloud API

The following permissions are supported in custom roles:

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText

Compute Engine

The following permissions have reached General Availability (GA):

compute.nodeGroups.performMaintenance

Conversational Insights

The following permissions have been added:

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Google Kubernetes Engine

The following permissions have been added:

container.clusters.connect

Google Kubernetes Engine

The following permissions have reached General Availability (GA):

container.clusters.connect

Database Center

The following permissions have been added:

databasecenter.fleetHealthStats.list
databasecenter.fleetStats.list
databasecenter.locations.list
databasecenter.products.list
databasecenter.resourceGroups.list
databasecenter.userLabels.list

Database Center

The following permissions are supported in custom roles:

databasecenter.fleetHealthStats.list
databasecenter.fleetStats.list
databasecenter.locations.list
databasecenter.products.list
databasecenter.resourceGroups.list
databasecenter.userLabels.list

Dataproc

The following permissions have been added:

dataproc.batches.analyze

Dataproc

The following permissions are supported in custom roles:

dataproc.batches.analyze

Dataproc

The following permissions have reached General Availability (GA):

dataproc.batches.analyze

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.dataStores.update
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.engines.update
discoveryengine.servingConfigs.recommend

Identity and Access Management

The following permissions have been added:

iam.oauthClientCredentials.create
iam.oauthClientCredentials.delete
iam.oauthClientCredentials.get
iam.oauthClientCredentials.list
iam.oauthClientCredentials.update
iam.oauthClients.create
iam.oauthClients.delete
iam.oauthClients.get
iam.oauthClients.list
iam.oauthClients.undelete
iam.oauthClients.update

Identity and Access Management

The following permissions are supported in custom roles:

iam.oauthClientCredentials.create
iam.oauthClientCredentials.delete
iam.oauthClientCredentials.get
iam.oauthClientCredentials.list
iam.oauthClientCredentials.update
iam.oauthClients.create
iam.oauthClients.delete
iam.oauthClients.get
iam.oauthClients.list
iam.oauthClients.undelete
iam.oauthClients.update

Identity and Access Management

The following permissions have been added:

iam.googleapis.com/oauthClientCredentials.create
iam.googleapis.com/oauthClientCredentials.delete
iam.googleapis.com/oauthClientCredentials.get
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClientCredentials.update
iam.googleapis.com/oauthClients.create
iam.googleapis.com/oauthClients.delete
iam.googleapis.com/oauthClients.get
iam.googleapis.com/oauthClients.list
iam.googleapis.com/oauthClients.undelete
iam.googleapis.com/oauthClients.update

Identity and Access Management

The following permissions are supported in custom roles:

iam.googleapis.com/oauthClientCredentials.create
iam.googleapis.com/oauthClientCredentials.delete
iam.googleapis.com/oauthClientCredentials.get
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClientCredentials.update
iam.googleapis.com/oauthClients.create
iam.googleapis.com/oauthClients.delete
iam.googleapis.com/oauthClients.get
iam.googleapis.com/oauthClients.list
iam.googleapis.com/oauthClients.undelete
iam.googleapis.com/oauthClients.update

Cloud Logging

The following permissions have been added:

logging.views.getIamPolicy
logging.views.setIamPolicy

Cloud Logging

The following permissions have reached General Availability (GA):

logging.views.getIamPolicy
logging.views.setIamPolicy

Cloud OS Config

The following permissions have been added:

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Cloud OS Config

The following permissions have reached General Availability (GA):

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Recommender

The following permissions have been added:

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

IAM changes as of 2024-03-29

Service Description
Vertex AI

The Vertex AI Extension Custom Code Service Agent role (roles/aiplatform.extensionCustomCodeServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Rapid Eval Service Agent role (roles/aiplatform.rapidevalServiceAgent) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent):

iam.serviceAccounts.actAs

Vertex AI

The following permissions have been added to the Vertex AI Extension Service Agent role (roles/aiplatform.extensionServiceAgent):

serviceusage.services.use

Vertex AI

The following permissions have been added to the Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent):

aiplatform.locations.get

API Hub

The API hub attribute admin role (roles/apihub.attributeAdmin) has been added with the following permissions:

apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.googleapis.com/attributes.create
apihub.googleapis.com/attributes.delete
apihub.googleapis.com/attributes.get
apihub.googleapis.com/attributes.list
apihub.googleapis.com/attributes.update
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

API Hub

The API hub plugin admin role (roles/apihub.pluginAdmin) has been added with the following permissions:

apihub.googleapis.com/plugins.disable
apihub.googleapis.com/plugins.enable
apihub.googleapis.com/plugins.get
apihub.googleapis.com/plugins.list
apihub.googleapis.com/specs.lint
apihub.googleapis.com/styleGuides.get
apihub.googleapis.com/styleGuides.update
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

API Hub

The API hub all permissions related to provisioning role (roles/apihub.provisioningAdmin) has been added with the following permissions:

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.googleapis.com/apiHubInstances.create
apihub.googleapis.com/apiHubInstances.delete
apihub.googleapis.com/apiHubInstances.get
apihub.googleapis.com/apiHubInstances.list
apihub.googleapis.com/hostProjectRegistrations.create
apihub.googleapis.com/hostProjectRegistrations.delete
apihub.googleapis.com/hostProjectRegistrations.get
apihub.googleapis.com/hostProjectRegistrations.list
apihub.googleapis.com/hostProjectRegistrations.register
apihub.googleapis.com/runTimeProjectAttachments.attach
apihub.googleapis.com/runTimeProjectAttachments.create
apihub.googleapis.com/runTimeProjectAttachments.delete
apihub.googleapis.com/runTimeProjectAttachments.get
apihub.googleapis.com/runTimeProjectAttachments.list
apihub.googleapis.com/runTimeProjectAttachments.lookup
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

Assured Open Source Software

The Assured OSS Admin role (roles/assuredoss.admin) has reached General Availability (GA).

Assured Open Source Software

The Assured OSS Reader role (roles/assuredoss.reader) has reached General Availability (GA).

Assured Open Source Software

The Assured OSS User role (roles/assuredoss.user) has reached General Availability (GA).

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.riskConfigs.get
chronicle.watchlists.get
chronicle.watchlists.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.databases.delete
cloudsql.databases.get
serviceusage.services.use

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

storage.buckets.getIamPolicy
storage.buckets.setIamPolicy

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

gkehub.endpoints.connect
gkehub.features.create
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.get
gkehub.locations.list
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list
serviceusage.services.list

Basic Role

The following permissions have been added to the Editor role (roles/editor):

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update

Privileged Access Manager

The Privileged Access Manager Service Agent role (roles/privilegedaccessmanager.serviceAgent) has reached General Availability (GA).

Cloud Run

The following permissions have been removed from the Cloud Run Invoker role (roles/run.invoker):

run.executions.cancel

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.attributes.get
apihub.attributes.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.externalApis.get
apihub.externalApis.list
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.styleGuides.get

API Hub

The following permissions have been added:

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.apis.create
apihub.apis.delete
apihub.apis.get
apihub.apis.list
apihub.apis.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.create
apihub.specs.delete
apihub.specs.get
apihub.specs.lint
apihub.specs.list
apihub.specs.update
apihub.styleGuides.get
apihub.styleGuides.update
apihub.versions.create
apihub.versions.delete
apihub.versions.get
apihub.versions.list
apihub.versions.update

API Hub

The following permissions are supported in custom roles:

apihub.apis.create
apihub.apis.delete
apihub.apis.get
apihub.apis.list
apihub.apis.update
apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list
apihub.specs.create
apihub.specs.delete
apihub.specs.get
apihub.specs.list
apihub.specs.update
apihub.versions.create
apihub.versions.delete
apihub.versions.get
apihub.versions.list
apihub.versions.update

Artifact Registry

The following permissions have been added:

artifactregistry.files.delete

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.delete

Assured Open Source Software

The following permissions have reached General Availability (GA):

assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Google Security Operations

The following permissions have been added:

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions are supported in custom roles:

chronicle.instances.generateWorkspaceConnectionToken

Commerce Org Governance

The following permissions have been added:

commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.services.get
commerceorggovernance.services.request

Commerce Org Governance

The following permissions are supported in custom roles:

commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.services.get
commerceorggovernance.services.request

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.zones.create
gdchardwaremanagement.zones.delete
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
gdchardwaremanagement.zones.update

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.zones.create
gdchardwaremanagement.zones.delete
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
gdchardwaremanagement.zones.update

Privileged Access Manager

The following permissions have been added:

privilegedaccessmanager.locations.checkOnboardingStatus

Privileged Access Manager

The following permissions are supported in custom roles:

privilegedaccessmanager.locations.checkOnboardingStatus

Security Posture API

The following permissions have been added:

securityposture.reports.get
securityposture.reports.list

Security Posture API

The following permissions are supported in custom roles:

securityposture.reports.get
securityposture.reports.list

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.reports.get
securityposture.reports.list

IAM changes as of 2024-03-22

Service Description
Vertex AI

The Vertex AI Extension Service Agent role (roles/aiplatform.extensionServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Reasoning Engine Service Agent role (roles/aiplatform.reasoningEngineServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent) has reached General Availability (GA).

BigQuery

The BigQuery Studio Admin role (roles/bigquery.studioAdmin) has reached General Availability (GA).

BigQuery

The BigQuery Studio User role (roles/bigquery.studioUser) has reached General Availability (GA).

Google Security Operations

The Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

spanner.databases.useDataBoost

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

compute.regionSslPolicies.use

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

aiplatform.extensions.execute

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.machineImages.create
compute.machineImages.get

Vertex AI

The following permissions have been added:

aiplatform.extensions.delete
aiplatform.extensions.execute
aiplatform.extensions.get
aiplatform.extensions.import
aiplatform.extensions.list
aiplatform.extensions.update

Assured Open Source Software

The following permissions have been added:

assuredoss.customers.create

Assured Open Source Software

The following permissions are supported in custom roles:

assuredoss.customers.create

Bigtable

The following permissions have been added:

bigtable.authorizedViews.create
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.delete
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.get
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.authorizedViews.setIamPolicy
bigtable.authorizedViews.update

Bigtable

The following permissions have reached General Availability (GA):

bigtable.authorizedViews.create
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.delete
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.get
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.authorizedViews.setIamPolicy
bigtable.authorizedViews.update

Cloud SQL

The following permissions have been added:

cloudsql.instances.executeSql

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.instances.executeSql

Compute Engine

The following permissions have been added:

compute.routers.deleteRoutePolicy
compute.routers.getRoutePolicy
compute.routers.listBgpRoutes
compute.routers.listRoutePolicies
compute.routers.updateRoutePolicy

Dataproc Metastore

The following permissions have been added:

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

Dataproc Metastore

The following permissions are supported in custom roles:

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

Recommender

The following permissions have been added:

recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewInsights.update
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryMaterializedViewRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewInsights.update
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryMaterializedViewRecommendations.update

IAM changes as of 2024-03-15

Service Description
Vertex AI

The Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Admin role (roles/alloydb.admin):

cloudaicompanion.entitlements.get

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Viewer role (roles/alloydb.viewer):

cloudaicompanion.entitlements.get

Assured Open Source Software

The following permissions have been added to the Assured OSS Admin role (roles/assuredoss.admin):

iam.serviceAccounts.create
iam.serviceAccounts.get
serviceusage.services.enable
serviceusage.services.get

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Backup User role (roles/backupdr.backupUser):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Mount User role (roles/backupdr.mountUser):

backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Restore User role (roles/backupdr.restoreUser):

backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR User V2 role (roles/backupdr.userv2):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection

Google Security Operations

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats
chronicle.multitenantDirectories.get
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.verifyReferenceList

Cloud Config Manager API

The following permissions have been added to the Cloud Infrastructure Manager Agent role (roles/config.agent):

cloudquotas.quotas.get

Container Security

The following permissions have been added to the GKE Security Posture Viewer role (roles/containersecurity.viewer):

container.clusters.list

Database Migration Service

The following permissions have been added to the Database Migration Admin role (roles/datamigration.admin):

cloudaicompanion.entitlements.get

Dialogflow

The following permissions have been added to the Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient):

dialogflow.messages.list

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

datastore.databases.getMetadata

Distributed Cloud Edge Container

The following permissions have been removed from the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

gkehub.endpoints.connect
gkehub.features.create
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.get
gkehub.locations.list
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list
serviceusage.services.list

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
iam.serviceAccounts.create
iam.serviceAccounts.get
serviceusage.services.enable

Security Command Center

The following permissions have been added to the Security Center Admin Editor role (roles/securitycenter.adminEditor):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list

Security Command Center

The following permissions have been added to the Security Center Admin Viewer role (roles/securitycenter.adminViewer):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list

Cloud Storage

The Storage Folder Admin role (roles/storage.folderAdmin) has reached General Availability (GA).

Backup and Disaster Recovery

The following permissions have been added:

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions are supported in custom roles:

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have reached General Availability (GA):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/bireservations.get
bigqueryreservation.googleapis.com/bireservations.update

Google Security Operations

The following permissions have been added:

chronicle.bigQueryAccess.provide
chronicle.dataExports.cancel
chronicle.dataExports.create
chronicle.dataExports.fetchLogTypesAvailableForExport
chronicle.dataExports.get
chronicle.dataTaps.create
chronicle.dataTaps.delete
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.dataTaps.update
chronicle.feeds.generateSecret
chronicle.instances.generateSoarAuthJwt
chronicle.instances.soarAdmin
chronicle.instances.soarThreatManager
chronicle.instances.soarVulnerabilityManager
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Google Security Operations

The following permissions are supported in custom roles:

chronicle.bigQueryAccess.provide
chronicle.dataExports.cancel
chronicle.dataExports.create
chronicle.dataExports.fetchLogTypesAvailableForExport
chronicle.dataExports.get
chronicle.dataTaps.create
chronicle.dataTaps.delete
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.dataTaps.update
chronicle.feeds.generateSecret
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Compute Engine

The following permissions have been added:

compute.projects.setCloudArmorTier
compute.storagePools.setIamPolicy
compute.storagePools.use

Compute Engine

The following permissions are supported in custom roles:

compute.storagePools.use

Compute Engine

The following permissions have reached General Availability (GA):

compute.instanceSettings.get
compute.instanceSettings.update
compute.projects.setCloudArmorTier
compute.storagePools.setIamPolicy
compute.storagePools.use

Discovery Engine

The following permissions have been added:

discoveryengine.schemas.preview
discoveryengine.schemas.validate

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.schemas.preview
discoveryengine.schemas.validate

GKE Hub

The following permissions have been added:

gkehub.scopes.listBoundMemberships

GKE Hub

The following permissions are supported in custom roles:

gkehub.scopes.listBoundMemberships

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.scopes.listBoundMemberships

Google Cloud Migration Center

The following permissions have been added:

migrationcenter.discoveryClients.create
migrationcenter.discoveryClients.delete
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.list
migrationcenter.discoveryClients.sendHeartbeat
migrationcenter.discoveryClients.update

Privileged Access Manager

The following permissions have been added:

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.approve
privilegedaccessmanager.grants.create
privilegedaccessmanager.grants.deny
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Privileged Access Manager

The following permissions are supported in custom roles:

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Cloud Storage

The following permissions have been added:

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

Cloud Storage

The following permissions are supported in custom roles:

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

Cloud Storage

The following permissions have reached General Availability (GA):

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Workload Manager

The following permissions have been added:

workloadmanager.insights.export

IAM changes as of 2024-03-08

Service Description
Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get

Assured Open Source Software

The Assured OSS Project Admin role (roles/assuredoss.projectAdmin) has been added with the following permissions:

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.googleapis.com/dockerimages.get
artifactregistry.googleapis.com/dockerimages.list
artifactregistry.googleapis.com/files.download
artifactregistry.googleapis.com/files.get
artifactregistry.googleapis.com/files.list
artifactregistry.googleapis.com/locations.get
artifactregistry.googleapis.com/locations.list
artifactregistry.googleapis.com/mavenartifacts.get
artifactregistry.googleapis.com/mavenartifacts.list
artifactregistry.googleapis.com/npmpackages.get
artifactregistry.googleapis.com/npmpackages.list
artifactregistry.googleapis.com/packages.get
artifactregistry.googleapis.com/packages.list
artifactregistry.googleapis.com/projectsettings.get
artifactregistry.googleapis.com/pythonpackages.get
artifactregistry.googleapis.com/pythonpackages.list
artifactregistry.googleapis.com/repositories.create
artifactregistry.googleapis.com/repositories.downloadArtifacts
artifactregistry.googleapis.com/repositories.get
artifactregistry.googleapis.com/repositories.list
artifactregistry.googleapis.com/repositories.listEffectiveTags
artifactregistry.googleapis.com/repositories.listTagBindings
artifactregistry.googleapis.com/repositories.readViaVirtualRepository
artifactregistry.googleapis.com/rules.get
artifactregistry.googleapis.com/rules.list
artifactregistry.googleapis.com/tags.get
artifactregistry.googleapis.com/tags.list
artifactregistry.googleapis.com/versions.get
artifactregistry.googleapis.com/versions.list
artifactregistry.googleapis.com/vpcscconfigs.get
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.vpcscconfigs.get
assuredoss.config.get
assuredoss.customers.create
assuredoss.googleapis.com/config.get
assuredoss.googleapis.com/customers.create
assuredoss.googleapis.com/locations.get
assuredoss.googleapis.com/locations.list
assuredoss.googleapis.com/metadata.get
assuredoss.googleapis.com/metadata.list
assuredoss.googleapis.com/operations.cancel
assuredoss.googleapis.com/operations.delete
assuredoss.googleapis.com/operations.get
assuredoss.googleapis.com/operations.list
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
iam.googleapis.com/serviceAccounts.create
iam.googleapis.com/serviceAccounts.get
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.googleapis.com/services.enable
serviceusage.googleapis.com/services.get
serviceusage.services.enable
serviceusage.services.get

BigQuery Continuous Query

The BigQuery Continuous Query Service Agent role (roles/bigquerycontinuousquery.serviceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Editor role (roles/cloudcontrolspartner.editor) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Inspectability Reader role (roles/cloudcontrolspartner.inspectabilityReader) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Monitoring Reader role (roles/cloudcontrolspartner.monitoringReader) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Reader role (roles/cloudcontrolspartner.reader) has reached General Availability (GA).

Cloud Deployment Manager

The Cloud Deployment Manager Service Agent role (roles/clouddeploymentmanager.serviceAgent) has reached General Availability (GA).

Cloud SQL

The following permissions have been added to the Cloud SQL Admin role (roles/cloudsql.admin):

cloudaicompanion.entitlements.get

Cloud SQL

The following permissions have been added to the Cloud SQL Editor role (roles/cloudsql.editor):

cloudaicompanion.entitlements.get

Cloud SQL

The following permissions have been added to the Cloud SQL Viewer role (roles/cloudsql.viewer):

cloudaicompanion.entitlements.get

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

cloudaicompanion.entitlements.get

Route Optimization

The Route Optimization Service Agent role (roles/routeoptimization.serviceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.promote

Apigee

The following permissions have been added:

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Apigee

The following permissions are supported in custom roles:

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Apigee

The following permissions have reached General Availability (GA):

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Cloud Controls Partner API

The following permissions have reached General Availability (GA):

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partnerpermissions.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list

Compute Engine

The following permissions have been added:

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Compute Engine

The following permissions are supported in custom roles:

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Cloud Config Manager API

The following permissions have been added:

config.terraformversions.get
config.terraformversions.list

Cloud Config Manager API

The following permissions are supported in custom roles:

config.terraformversions.get
config.terraformversions.list

Database Insights

The following permissions have been added:

databaseinsights.activeQueries.fetch
databaseinsights.activeQuery.terminate
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedEvents.query
databaseinsights.aggregatedStats.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
databaseinsights.locations.get
databaseinsights.locations.list
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch

Database Insights

The following permissions are supported in custom roles:

databaseinsights.activeQueries.fetch
databaseinsights.activeQuery.terminate
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedEvents.query
databaseinsights.aggregatedStats.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
databaseinsights.locations.get
databaseinsights.locations.list
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch

Sensitive Data Protection

The following permissions have been added:

dlp.charts.get

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.charts.get

Backup for GKE

The following permissions have been added:

gkebackup.backups.getBackupIndex

Backup for GKE

The following permissions have reached General Availability (GA):

gkebackup.backups.getBackupIndex

Cloud Run

The following permissions have been added:

run.executions.cancel

Cloud Run

The following permissions have reached General Availability (GA):

run.executions.cancel

IAM changes as of 2024-03-01

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

resourcemanager.organizations.get

Cloud Run functions

The following permissions have been added to the Cloud Functions Admin role (roles/cloudfunctions.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run functions

The following permissions have been added to the Cloud Functions Developer role (roles/cloudfunctions.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run functions

The following permissions have been added to the Cloud Functions Viewer role (roles/cloudfunctions.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Compute Engine

The following permissions have been added to the Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin):

compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list

Dataplex

The Dataplex Aspect Type Owner role (roles/dataplex.aspectTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Aspect Type User role (roles/dataplex.aspectTypeUser) has reached General Availability (GA).

Dataplex

The Dataplex Entry Group Owner role (roles/dataplex.entryGroupOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Owner role (roles/dataplex.entryOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type Owner role (roles/dataplex.entryTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type User role (roles/dataplex.entryTypeUser) has reached General Availability (GA).

Dataplex

The following permissions have been removed from the Dataplex Administrator role (roles/dataplex.admin):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Editor role (roles/dataplex.editor):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update

Dataplex

The following permissions have been removed from the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.list

Dataplex

The following permissions have been removed from the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Viewer role (roles/dataplex.viewer):

dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

alloydb.instances.get
alloydb.operations.get
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.operations.get
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.sessions.create

Firebase

The following permissions have been added to the Firebase Admin role (roles/firebase.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Admin role (roles/firebase.developAdmin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Viewer role (roles/firebase.developViewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Firebase

The following permissions have been added to the Firebase Viewer role (roles/firebase.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Cloud Run

The following permissions have been added to the Cloud Run Admin role (roles/run.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Developer role (roles/run.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Viewer role (roles/run.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Security Command Center

The Attack Surface Management Scanner Service Agent role (roles/securitycenter.attackSurfaceManagementScannerServiceAgent) has reached General Availability (GA).

BigQuery

The following permissions have been added:

bigquery.tables.setColumnDataPolicy

Bigtable

The following permissions have been added:

bigtable.instances.executeQuery

Bigtable

The following permissions are supported in custom roles:

bigtable.instances.executeQuery

Cloud Controls Partner API

The following permissions have been added:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Cloud Controls Partner API

The following permissions are supported in custom roles:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Dataplex

The following permissions have been added:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions are supported in custom roles:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have reached General Availability (GA):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Recommender

The following permissions have been added:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions have reached General Availability (GA):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Security Posture API

The following permissions have been added:

securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.reports.create

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.reports.create

IAM changes as of 2024-02-23

Service Description
App Hub

The App Hub Admin role (roles/apphub.admin) has reached General Availability (GA).

App Hub

The App Hub Editor role (roles/apphub.editor) has reached General Availability (GA).

App Hub

The App Hub Viewer role (roles/apphub.viewer) has reached General Availability (GA).

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.autoscalers.list
compute.globalForwardingRules.list
compute.instanceGroupManagers.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionUrlMaps.list
compute.urlMaps.list
container.clusters.list
monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.list
storage.buckets.get

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.instances.listEffectiveTags

Cloud SQL

The Cloud SQL Schema Viewer role (roles/cloudsql.schemaViewer) has reached General Availability (GA).

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent):

resourcemanager.folders.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent):

resourcemanager.organizations.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent):

resourcemanager.projects.get

Recommender

The RecentChange RecommenderConfig Admin role (roles/recommender.recentChangeConfigAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Admin role (roles/recommender.recentchangeriskAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Viewer role (roles/recommender.recentchangeriskViewer) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings

App Hub

The following permissions have reached General Availability (GA):

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Cloud SQL

The following permissions have been added:

cloudsql.schemas.view

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.schemas.view

Compute Engine

The following permissions have been added:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions are supported in custom roles:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Recommender

The following permissions have been added:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions have reached General Availability (GA):

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Cloud Storage

The following permissions have been added:

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

Cloud Storage

The following permissions have reached General Availability (GA):

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

IAM changes as of 2024-02-16

Service Description
Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.vpnGateways.list
logging.buckets.list
serviceusage.services.get
storage.buckets.getIamPolicy

BigQuery

The following permissions have been added to the BigQuery Admin role (roles/bigquery.admin):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

BigQuery

The following permissions have been added to the BigQuery Job User role (roles/bigquery.jobUser):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery

The following permissions have been added to the BigQuery User role (roles/bigquery.user):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.regionOperations.get
compute.subnetworks.use
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Cloud Data Fusion

The following permissions have been added to the Cloud Data Fusion API Service Agent role (roles/datafusion.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dataprep by Trifacta

The following permissions have been added to the Dataprep Service Agent role (roles/dataprep.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP API Service Agent role (roles/dlp.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Enterprise Knowledge Graph

The following permissions have been added to the Enterprise Knowledge Graph Service Agent role (roles/enterpriseknowledgegraph.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

FleetEngine

The following permissions have been added to the FleetEngine Service Agent role (roles/fleetengine.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Security Posture API

The following permissions have been added to the Security Posture Shift-Left Validator role (roles/securityposture.reportCreator):

securityposture.operations.get

Google Security Operations

The following permissions have been added:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Google Security Operations

The following permissions are supported in custom roles:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Firebase Test Lab

The following permissions have been added:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Firebase Test Lab

The following permissions are supported in custom roles:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Conversational Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.import

Discovery Engine

The following permissions have been added:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

IAM changes as of 2024-02-09

Service Description
Advisory Notifications

The Advisory Notifications Admin role (roles/advisorynotifications.admin) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

App Engine

The following permissions have been added to the App Engine Code Viewer role (roles/appengine.codeViewer):

appengine.applications.listRuntimes

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

cloudsql.instances.list
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
orgpolicy.policy.get
storage.buckets.list

Advisory Notifications

The following permissions have reached General Availability (GA):

advisorynotifications.settings.get
advisorynotifications.settings.update

App Engine

The following permissions have been added:

appengine.applications.listRuntimes

App Engine

The following permissions have reached General Availability (GA):

appengine.applications.listRuntimes

Artifact Registry

The following permissions have been added:

artifactregistry.files.download

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.download

Cloud Deploy

The following permissions have been added:

clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.setIamPolicy

Cloud Composer

The following permissions have been added:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions are supported in custom roles:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions have reached General Availability (GA):

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Dialogflow

The following permissions have been added:

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

IAM changes as of 2024-02-02

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataAccessScopes.list

Google Security Operations

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataAccessScopes.list

Cloud Key Management Service

The Cloud KMS KACLS Service Agent role (roles/cloudkmskacls.serviceAgent) has reached General Availability (GA).

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

firebaseabt.experiments.delete

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

Workload Manager

The following permissions have been added to the Workload Manager Deployment Admin role (roles/workloadmanager.deploymentAdmin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.databases.list

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.databases.list

Audit Manager

The following permissions have been added:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Audit Manager

The following permissions are supported in custom roles:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Google Security Operations

The following permissions have been added:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

IAM changes as of 2024-01-26

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store Resource Viewer role (roles/aiplatform.featurestoreResourceViewer):

aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.get
aiplatform.featureViews.list

Audit Manager

The Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent) has reached General Availability (GA).

Gemini for Google Cloud API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

cloudaicompanion.entitlements.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.models.get
run.jobs.run
run.routes.invoke

Sensitive Data Protection

The following permissions have been added to the DLP Administrator role (roles/dlp.admin):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update
resourcemanager.projects.get
resourcemanager.projects.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

cloudaicompanion.entitlements.get

Basic Role

The following permissions have been added to the Owner role (roles/owner):

cloudaicompanion.entitlements.get

Policy Simulator

The following permissions have been added to the OrgPolicy Simulator Admin role (roles/policysimulator.orgPolicyAdmin):

cloudasset.assets.analyzeOrgPolicy

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

cloudaicompanion.entitlements.get

Google Cloud VMware Engine

The following permissions have been added to the VMware Engine Service Agent role (roles/vmwareengine.serviceAgent):

vmwareengine.nodes.get
vmwareengine.nodes.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.instances.executeSql

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.instances.executeSql

Gemini for Google Cloud API

The following permissions have been added:

cloudaicompanion.entitlements.get

Discovery Engine

The following permissions have been added:

discoveryengine.branches.get
discoveryengine.branches.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Retail API

The following permissions have been added:

retail.catalogs.exportAnalyticsMetrics

IAM changes as of 2024-01-19

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store EntityType owner role (roles/aiplatform.entityTypeOwner):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Admin role (roles/aiplatform.featurestoreAdmin):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Viewer role (roles/aiplatform.featurestoreDataViewer):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Writer role (roles/aiplatform.featurestoreDataWriter):

aiplatform.featureViews.searchNearestEntities

Artifact Registry

The following permissions have been added to the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent):

artifactregistry.repositories.get

Assured Open Source Software

The Assured OSS User role (roles/assuredoss.user) has been added with the following permissions:

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.googleapis.com/dockerimages.get
artifactregistry.googleapis.com/dockerimages.list
artifactregistry.googleapis.com/files.download
artifactregistry.googleapis.com/files.get
artifactregistry.googleapis.com/files.list
artifactregistry.googleapis.com/locations.get
artifactregistry.googleapis.com/locations.list
artifactregistry.googleapis.com/mavenartifacts.get
artifactregistry.googleapis.com/mavenartifacts.list
artifactregistry.googleapis.com/npmpackages.get
artifactregistry.googleapis.com/npmpackages.list
artifactregistry.googleapis.com/packages.get
artifactregistry.googleapis.com/packages.list
artifactregistry.googleapis.com/projectsettings.get
artifactregistry.googleapis.com/pythonpackages.get
artifactregistry.googleapis.com/pythonpackages.list
artifactregistry.googleapis.com/repositories.downloadArtifacts
artifactregistry.googleapis.com/repositories.get
artifactregistry.googleapis.com/repositories.list
artifactregistry.googleapis.com/repositories.listEffectiveTags
artifactregistry.googleapis.com/repositories.listTagBindings
artifactregistry.googleapis.com/repositories.readViaVirtualRepository
artifactregistry.googleapis.com/tags.get
artifactregistry.googleapis.com/tags.list
artifactregistry.googleapis.com/versions.get
artifactregistry.googleapis.com/versions.list
artifactregistry.googleapis.com/vpcscconfigs.get
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.vpcscconfigs.get
assuredoss.googleapis.com/locations.get
assuredoss.googleapis.com/locations.list
assuredoss.googleapis.com/metadata.get
assuredoss.googleapis.com/metadata.list
assuredoss.googleapis.com/operations.get
assuredoss.googleapis.com/operations.list
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Discovery Engine

The Discovery Engine Admin role (roles/discoveryengine.admin) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Editor role (roles/discoveryengine.editor) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Viewer role (roles/discoveryengine.viewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

GKE Hub

The following permissions have been added to the Connect Gateway Admin role (roles/gkehub.gatewayAdmin):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Editor role (roles/gkehub.gatewayEditor):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Reader role (roles/gkehub.gatewayReader):

gkehub.memberships.get

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent):

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

assuredoss.metadata.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

assuredoss.metadata.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

cloudsql.databases.get
cloudsql.instances.get
cloudsql.users.get

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.instances.createTagBinding
compute.instances.deleteTagBinding
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

Assured Open Source Software

The following permissions have been added:

assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Assured Open Source Software

The following permissions are supported in custom roles:

assuredoss.locations.get
assuredoss.locations.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Database Migration Service

The following permissions have been added:

datamigration.conversionworkspaces.apply

Database Migration Service

The following permissions have reached General Availability (GA):

datamigration.conversionworkspaces.apply

Discovery Engine

The following permissions have been added:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.conversations.converse
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.purge
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.search
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge
discoveryengine.userEvents.create
discoveryengine.userEvents.import
discoveryengine.userEvents.purge

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.explainDataAccess

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.explainDataAccess

IAM changes as of 2024-01-05

Service Description

API Gateway

The following permissions have been added to the ApiGateway Admin role (roles/apigateway.admin):

serviceusage.services.get

API Gateway

The following permissions have been added to the ApiGateway Viewer role (roles/apigateway.viewer):

serviceusage.services.get

Assured Workloads

The following permissions have been added to the Assured Workloads Service Agent role (roles/assuredworkloads.serviceAgent):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Admin role (roles/automl.admin):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Editor role (roles/automl.editor):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Viewer role (roles/automl.viewer):

serviceusage.services.get

Google Security Operations

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.rules.delete

Cloud Run functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

serviceusage.services.get

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Manager role (roles/consumerprocurement.entitlementManager) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Viewer role (roles/consumerprocurement.entitlementViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Events Viewer role (roles/consumerprocurement.eventsViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Administrator role (roles/consumerprocurement.orderAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Viewer role (roles/consumerprocurement.orderViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Administrator role (roles/consumerprocurement.procurementAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Viewer role (roles/consumerprocurement.procurementViewer) has reached General Availability (GA).

AI Platform Data Labeling Service

The following permissions have been added to the Data Labeling Service Agent role (roles/datalabeling.serviceAgent):

serviceusage.services.get

Dialogflow

The following permissions have been added to the Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient):

dialogflow.generators.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

discoveryengine.engines.delete
discoveryengine.engines.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

securityposture.postures.extract
securityposture.reports.create

Firebase

The following permissions have been added to the Firebase SDK Provisioning Service Agent role (roles/firebase.sdkProvisioningServiceAgent):

serviceusage.services.get

Firewall Insights

The following permissions have been added to the Cloud Firewall Insights Service Agent role (roles/firewallinsights.serviceAgent):

compute.regionTargetTcpProxies.list

Cloud Service Mesh

The following permissions have been added to the Mesh Config Service Agent role (roles/meshconfig.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Cloud Monitoring

The following permissions have been added to the Monitoring Admin role (roles/monitoring.admin):

serviceusage.services.get

Cloud Monitoring

The following permissions have been added to the Monitoring Editor role (roles/monitoring.editor):

serviceusage.services.get

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Network Management API

The following permissions have been added to the GCP Network Management Service Agent role (roles/networkmanagement.serviceAgent):

compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

securityposture.postures.extract
securityposture.reports.create

Security Command Center

The following permissions have been added to the Security Center Automation Service Agent role (roles/securitycenter.automationServiceAgent):

serviceusage.services.get

Security Posture API

The Security Posture Shift-Left Validator role (roles/securityposture.reportCreator) has been added with the following permissions:

securityposture.googleapis.com/reports.create
securityposture.reports.create

Security Posture API

The Security Posture Admin role (roles/securityposture.admin) has reached General Availability (GA).

Security Posture API

The Security Posture Deployer role (roles/securityposture.postureDeployer) has reached General Availability (GA).

Security Posture API

The Security Posture Deployments Viewer role (roles/securityposture.postureDeploymentsViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Editor role (roles/securityposture.postureEditor) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Viewer role (roles/securityposture.postureViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Viewer role (roles/securityposture.viewer) has reached General Availability (GA).

Google Cloud Observability

The following permissions have been added to the Stackdriver Accounts Editor role (roles/stackdriver.accounts.editor):

serviceusage.services.get

Apigee

The following permissions have been added:

apigee.keyvaluemapentries.update

Apigee

The following permissions have reached General Availability (GA):

apigee.keyvaluemapentries.update

BigQuery

The following permissions have been added:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/capacityCommitments.create
bigqueryreservation.googleapis.com/capacityCommitments.delete
bigqueryreservation.googleapis.com/capacityCommitments.get
bigqueryreservation.googleapis.com/capacityCommitments.list
bigqueryreservation.googleapis.com/capacityCommitments.update
bigqueryreservation.googleapis.com/reservationAssignments.create
bigqueryreservation.googleapis.com/reservationAssignments.delete
bigqueryreservation.googleapis.com/reservationAssignments.list
bigqueryreservation.googleapis.com/reservationAssignments.search

Google Security Operations

The following permissions have been added:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchAlerts
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.legacies.legacyUpdateAlert
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.feedServiceAccounts.fetch
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Google Security Operations

The following permissions have reached General Availability (GA):

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Translation

The following permissions have been added:

cloudtranslate.adaptiveMtDatasets.create
cloudtranslate.adaptiveMtDatasets.delete
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.import
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.adaptiveMtFiles.delete
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list

Compute Engine

The following permissions have been added:

compute.networkAttachments.update

Compute Engine

The following permissions are supported in custom roles:

compute.networkAttachments.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.update

Cloud Config Manager API

The following permissions have been added:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Config Manager API

The following permissions are supported in custom roles:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Commerce Consumer Procurement

The following permissions have reached General Availability (GA):

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

Enterprise Purchasing API

The following permissions have been added:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Enterprise Purchasing API

The following permissions are supported in custom roles:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Mandiant

The following permissions have been added:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Mandiant

The following permissions are supported in custom roles:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Marketplace Solutions API

The following permissions have been added:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Marketplace Solutions API

The following permissions are supported in custom roles:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Memorystore for Redis

The following permissions have been added:

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Memorystore for Redis

The following permissions have reached General Availability (GA):

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Security Command Center

The following permissions have been added:

securitycenter.compliancesnapshots.list

Security Posture API

The following permissions have been added:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Personalized Service Health

The following permissions have been added:

servicehealth.statuses.get

Personalized Service Health

The following permissions are supported in custom roles:

servicehealth.statuses.get

IAM changes as of 2023-12-15

Service Description
Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.addonsconfig.get

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.addonsconfig.get

Connectors

The Connector Event Listener role (roles/connectors.listener) has been added with the following permissions:

connectors.connections.listenEvent
connectors.googleapis.com/connections.listenEvent

Artifact Analysis

The following permissions have been removed from the Container Analysis Service Agent role (roles/containeranalysis.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Container Scanning

The following permissions have been removed from the Container Scanner Service Agent role (roles/containerscanning.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Basic Role

The following permissions have been added to the Editor role (roles/editor):

connectors.connections.listenEvent

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

container.thirdPartyObjects.update

Basic Role

The following permissions have been added to the Owner role (roles/owner):

connectors.connections.listenEvent

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

compute.disks.useReadOnly

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

compute.disks.useReadOnly

BigQuery

The following permissions have reached General Availability (GA):

bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag

Cloud Billing

The following permissions have been added:

billing.billingAccountPrices.list

Cloud Billing

The following permissions have reached General Availability (GA):

billing.billingAccountPrices.list

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Connectors

The following permissions have been added:

connectors.connections.listenEvent

Firebase Storage

The following permissions have been added:

firebasestorage.defaultBucket.create
firebasestorage.defaultBucket.delete
firebasestorage.defaultBucket.get

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

IAM changes as of 2023-12-08

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.snapshots.useReadOnly

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.healthChecks.useReadOnly
compute.networks.updatePolicy

Apigee

The following permissions have been added to the Apigee Organization Admin role (roles/apigee.admin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Read-only Admin role (roles/apigee.readOnlyAdmin):

apigee.securitySettings.get

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.securitySettings.get

Binary Authorization

The following permissions have been added to the Binary Authorization Service Agent role (roles/binaryauthorization.serviceAgent):

artifactregistry.dockerimages.get

Blockchain Node Engine

The Blockchain Node Engine Admin role (roles/blockchainnodeengine.admin) has reached General Availability (GA).

Blockchain Node Engine

The Blockchain Node Engine Viewer role (roles/blockchainnodeengine.viewer) has reached General Availability (GA).

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

cloudquotas.quotas.get

Connectors

The Custom Connectors Admin role (roles/connectors.customConnectorAdmin) has been added with the following permissions:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update
connectors.googleapis.com/customConnectorVersions.create
connectors.googleapis.com/customConnectorVersions.delete
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectorVersions.setIamPolicy
connectors.googleapis.com/customConnectorVersions.update
connectors.googleapis.com/customConnectors.create
connectors.googleapis.com/customConnectors.delete
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/customConnectors.setIamPolicy
connectors.googleapis.com/customConnectors.update
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The Custom Connector Viewer role (roles/connectors.customConnectorViewer) has been added with the following permissions:

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Viewer role (roles/connectors.viewer):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.instances.import
storage.objects.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

datacatalog.entries.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.update

FleetEngine

The Fleet Engine Delivery Admin role (roles/fleetengine.deliveryAdmin) has reached General Availability (GA).

FleetEngine

The Fleet Engine On-Demand Admin role (roles/fleetengine.ondemandAdmin) has reached General Availability (GA).

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent):

serviceusage.services.use

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent):

serviceusage.services.use

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Security Center Management API

The Security Center Management Custom Modules Editor role (roles/securitycentermanagement.customModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management Custom Modules Viewer role (roles/securitycentermanagement.customModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Security Center Management API

The Security Center Management Custom ETD Modules Editor role (roles/securitycentermanagement.etdCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management ETD Custom Modules Viewer role (roles/securitycentermanagement.etdCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management SHA Custom Modules Editor role (roles/securitycentermanagement.shaCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management SHA Custom Modules Viewer role (roles/securitycentermanagement.shaCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

apigee.securitySettings.get
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Vision AI

The following permissions have been added to the Cloud Vision AI Service Agent role (roles/visionai.serviceAgent):

visionai.assets.analyze
visionai.assets.generateHlsUri
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.create
visionai.corpora.import
visionai.corpora.suggest
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Workflows

The following permissions have been added to the Workflows Invoker role (roles/workflows.invoker):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

workloadmanager.insights.write

Apigee

The following permissions have been added:

apigee.securitySettings.get
apigee.securitySettings.update

Blockchain Node Engine

The following permissions have reached General Availability (GA):

blockchainnodeengine.blockchainNodes.create
blockchainnodeengine.blockchainNodes.delete
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.blockchainNodes.update
blockchainnodeengine.locations.get
blockchainnodeengine.locations.list
blockchainnodeengine.operations.cancel
blockchainnodeengine.operations.delete
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list

Cloud Deploy

The following permissions have been added:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Connectors

The following permissions have been added:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Firebase App Check

The following permissions have been added:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions are supported in custom roles:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions have reached General Availability (GA):

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

FleetEngine

The following permissions have been added:

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

FleetEngine

The following permissions have reached General Availability (GA):

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

Kubernetes Metadata API

The following permissions have been added:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Kubernetes Metadata API

The following permissions are supported in custom roles:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Live Stream

The following permissions have been added:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions are supported in custom roles:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions have reached General Availability (GA):

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Maps Analytics

The following permissions have been added:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Maps Analytics

The following permissions are supported in custom roles:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Network Connectivity Center

The following permissions have been added:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Recommender

The following permissions have been added:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Recommender

The following permissions are supported in custom roles:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Security Center Management API

The following permissions have been added:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Cloud Storage

The following permissions have been added:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions are supported in custom roles:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions have reached General Availability (GA):

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Video Stitcher API

The following permissions have been added:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions are supported in custom roles:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions have reached General Availability (GA):

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Workflows

The following permissions have been added:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions are supported in custom roles:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions have reached General Availability (GA):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added:

workloadmanager.insights.write

Workload Manager

The following permissions are supported in custom roles:

workloadmanager.insights.write

IAM changes as of 2023-11-17

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.disks.createSnapshot
compute.globalOperations.get
compute.instances.useReadOnly
compute.snapshots.create
compute.snapshots.delete

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.addresses.use

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.addresses.use

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Viewer role (roles/workloadmanager.viewer):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

orgpolicy.policy.get

Dataform

The following permissions have been added:

dataform.workspaces.searchFiles

Dataform

The following permissions have reached General Availability (GA):

dataform.workspaces.searchFiles

Identity-Aware Proxy

The following permissions have been added:

iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.webServiceVersions.remediate

IAM changes as of 2023-11-10

Service Description
Content Warehouse

The following permissions have been added to the Content Warehouse Admin role (roles/contentwarehouse.admin):

contentwarehouse.documents.list

Content Warehouse

The following permissions have been added to the Content Warehouse Document Admin role (roles/contentwarehouse.documentAdmin):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document creator role (roles/contentwarehouse.documentCreator):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Document Editor role (roles/contentwarehouse.documentEditor):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document schema viewer role (roles/contentwarehouse.documentSchemaViewer):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Viewer role (roles/contentwarehouse.documentViewer):

contentwarehouse.locations.getStatus

GKE Multi-Cloud

The Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent) has reached General Availability (GA).

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/run.serviceAgent):

artifactregistry.repositories.uploadArtifacts

Storage Insights

The Storage Insights Analyst role (roles/storageinsights.analyst) has reached General Availability (GA).

App Hub

The following permissions have been added:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

App Hub

The following permissions are supported in custom roles:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Commerce Org Governance

The following permissions have been added:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Commerce Org Governance

The following permissions are supported in custom roles:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Content Warehouse

The following permissions have been added:

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Looker Studio

The following permissions are supported in custom roles:

lookerstudio.pro.manage

Network Security

The following permissions have been added:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Network Security

The following permissions are supported in custom roles:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Storage Insights

The following permissions have been added:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions are supported in custom roles:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions have reached General Availability (GA):

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

IAM changes as of 2023-11-03

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.dashboards.schedule
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchUserEvents
chronicle.logTypeSchemas.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph

Gemini for Google Cloud API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

resourcemanager.projects.get
resourcemanager.projects.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

compute.disks.createTagBinding

Distributed Cloud Edge Container

The Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent) has reached General Availability (GA).

Distributed Cloud Edge Container

The Edge Container Cluster offline Credential User role (roles/edgecontainer.offlineCredentialUser) has reached General Availability (GA).

Looker

The Looker Service Agent role (roles/looker.serviceAgent) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Admin role (roles/readerrevenuesubscriptionlinking.admin) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Entitlements Viewer role (roles/readerrevenuesubscriptionlinking.entitlementsViewer) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Viewer role (roles/readerrevenuesubscriptionlinking.viewer) has reached General Availability (GA).

Apigee

The following permissions have been added:

apigee.securityIncidents.update

Apigee

The following permissions are supported in custom roles:

apigee.securityIncidents.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityIncidents.update

Google Security Operations

The following permissions have been added:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Google Security Operations

The following permissions are supported in custom roles:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.clusters.generateOfflineCredential

Subscription Linking

The following permissions have been added:

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Subscription Linking

The following permissions have reached General Availability (GA):

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Security Command Center

The following permissions have been added:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions are supported in custom roles:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

IAM changes as of 2023-10-27

Service Description
BigQuery

The following permissions have been added to the Bigquery Studio User role (roles/bigquery.studioUser):

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.networkAttachments.get

Cloud Asset Inventory

The Other Cloud Config Service Agent role (roles/cloudasset.otherCloudConfigServiceAgent) has reached General Availability (GA).

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

composer.dags.get
composer.environments.get
iam.serviceAccounts.getAccessToken

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.actions.list
connectors.entityTypes.list

Datastream

The Datastream Admin role (roles/datastream.admin) has reached General Availability (GA).

Datastream

The Datastream Viewer role (roles/datastream.viewer) has reached General Availability (GA).

Looker Studio

The following permissions have been added to the Data Studio Workspace Content Manager role (roles/datastudio.contentManager):

datastudio.datasources.move
datastudio.reports.move

GKE Hub

The GKE Hub Cross Project Service Agent role (roles/gkehub.crossProjectServiceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.setLabels

Capacity Planner

The following permissions have been added:

capacityplanner.forecasts.list
capacityplanner.usageHistories.list
capacityplanner.usageHistories.summarize

Cloud Key Management Service

The following permissions have been added:

cloudkms.locations.optOutKeyDeletionMsa

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.locations.optOutKeyDeletionMsa

Cloud Tasks

The following permissions have been added:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Cloud Tasks

The following permissions are supported in custom roles:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Datastream

The following permissions have reached General Availability (GA):

datastream.connectionProfiles.create
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.delete
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.createTagBinding
datastream.privateConnections.delete
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.createTagBinding
datastream.streams.delete
datastream.streams.deleteTagBinding
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update

Financial Services

The following permissions have been added:

financialservices.locations.get
financialservices.locations.list
financialservices.operations.cancel
financialservices.operations.delete
financialservices.operations.get
financialservices.operations.list
financialservices.v1backtests.create
financialservices.v1backtests.delete
financialservices.v1backtests.exportMetadata
financialservices.v1backtests.get
financialservices.v1backtests.list
financialservices.v1backtests.update
financialservices.v1datasets.create
financialservices.v1datasets.delete
financialservices.v1datasets.get
financialservices.v1datasets.list
financialservices.v1datasets.update
financialservices.v1engineconfigs.create
financialservices.v1engineconfigs.delete
financialservices.v1engineconfigs.exportMetadata
financialservices.v1engineconfigs.get
financialservices.v1engineconfigs.list
financialservices.v1engineconfigs.update
financialservices.v1engineversions.get
financialservices.v1engineversions.list
financialservices.v1instances.create
financialservices.v1instances.delete
financialservices.v1instances.exportRegisteredParties
financialservices.v1instances.get
financialservices.v1instances.importRegisteredParties
financialservices.v1instances.list
financialservices.v1instances.update
financialservices.v1models.create
financialservices.v1models.delete
financialservices.v1models.exportMetadata
financialservices.v1models.get
financialservices.v1models.list
financialservices.v1models.update
financialservices.v1predictions.create
financialservices.v1predictions.delete
financialservices.v1predictions.exportMetadata
financialservices.v1predictions.get
financialservices.v1predictions.list
financialservices.v1predictions.update

GKE Hub

The following permissions have been added:

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

GKE Hub

The following permissions are supported in custom roles:

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.applyConsents

IAM changes as of 2023-10-20

Service Description
Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Notebook Runtime User role (roles/aiplatform.notebookRuntimeUser):

aiplatform.operations.list

BigQuery

The following permissions have been added to the Bigquery Studio Admin role (roles/bigquery.studioAdmin):

aiplatform.operations.list

BigQuery

The following permissions have been added to the Bigquery Studio User role (roles/bigquery.studioUser):

aiplatform.operations.list

BigQuery

The following permissions have been removed from the Bigquery Studio User role (roles/bigquery.studioUser):

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.translate
bigqueryreservation.googleapis.com/reservations.get
bigqueryreservation.googleapis.com/reservations.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

serviceusage.services.use

Dialogflow

The Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient) has reached General Availability (GA).

Sensitive Data Protection

The DLP Data Profiles Admin role (roles/dlp.dataProfilesAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP Table Data Profiles Admin role (roles/dlp.tableDataProfilesAdmin) has reached General Availability (GA).

Storage Insights

The following permissions have been added to the StorageInsights Service Agent role (roles/storageinsights.serviceAgent):

bigquery.datasets.create
serviceusage.services.use

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.snapshotSettings.get
compute.snapshotSettings.update

Sensitive Data Protection

The following permissions have been added:

dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.tableDataProfiles.delete

Looker Studio

The following permissions have been added:

lookerstudio.pro.manage

Cloud Storage

The following permissions have been added:

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Cloud Storage

The following permissions are supported in custom roles:

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Telco Automation API

The following permissions have been added:

telcoautomation.blueprints.approve
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.apply
telcoautomation.deployments.computeStatus
telcoautomation.deployments.create
telcoautomation.deployments.delete
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.deployments.rollback
telcoautomation.deployments.update
telcoautomation.edgeSlms.create
telcoautomation.edgeSlms.delete
telcoautomation.edgeSlms.get
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.apply
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.hydratedDeployments.update
telcoautomation.locations.get
telcoautomation.locations.list
telcoautomation.operations.cancel
telcoautomation.operations.delete
telcoautomation.operations.get
telcoautomation.operations.list
telcoautomation.orchestrationClusters.create
telcoautomation.orchestrationClusters.delete
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.get
telcoautomation.publicBlueprints.list

Telco Automation API

The following permissions are supported in custom roles:

telcoautomation.blueprints.approve
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.apply
telcoautomation.deployments.computeStatus
telcoautomation.deployments.create
telcoautomation.deployments.delete
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.deployments.rollback
telcoautomation.deployments.update
telcoautomation.edgeSlms.delete
telcoautomation.edgeSlms.get
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.apply
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.hydratedDeployments.update
telcoautomation.locations.get
telcoautomation.locations.list
telcoautomation.operations.cancel
telcoautomation.operations.delete
telcoautomation.operations.get
telcoautomation.operations.list
telcoautomation.orchestrationClusters.create
telcoautomation.orchestrationClusters.delete
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.get
telcoautomation.publicBlueprints.list

IAM changes as of 2023-10-13

Service Description
Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.pipelineJobs.create
aiplatform.schedules.create
aiplatform.schedules.delete
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.schedules.update

Vertex AI

The following permissions have been added to the Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser):

aiplatform.pipelineJobs.create
aiplatform.schedules.create
aiplatform.schedules.delete
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.schedules.update

App Engine

The following permissions have been added to the App Engine Standard Environment Service Agent role (roles/appengine.serviceAgent):

artifactregistry.aptartifacts.create
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.kfpartifacts.create
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create

Cloud Deploy

The following permissions have been added to the Cloud Deploy Approver role (roles/clouddeploy.approver):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Developer role (roles/clouddeploy.developer):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Runner role (roles/clouddeploy.jobRunner):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Operator role (roles/clouddeploy.operator):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Releaser role (roles/clouddeploy.releaser):

clouddeploy.config.get

Compute Engine

The following permissions have been added to the Compute Engine Service Agent role (roles/compute.serviceAgent):

iam.serviceAccounts.implicitDelegation

Vision AI

The following permissions have been added to the VisionAI Editor role (roles/visionai.editor):

visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get

Cloud Config Manager API

The following permissions have been added:

config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.lock
config.deployments.unlock
config.deployments.updateState
config.revisions.getState

Cloud Config Manager API

The following permissions are supported in custom roles:

config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.lock
config.deployments.unlock
config.deployments.updateState
config.revisions.getState

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.clusters.upgrade

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.clusters.upgrade

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.clusters.upgrade

Vision AI

The following permissions have been added:

visionai.assets.analyze
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.import
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Vision AI

The following permissions are supported in custom roles:

visionai.assets.analyze
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.import
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Google Cloud VMware Engine

The following permissions have been added:

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

Google Cloud VMware Engine

The following permissions are supported in custom roles:

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

Google Cloud VMware Engine

The following permissions have reached General Availability (GA):

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

IAM changes as of 2023-10-06

Service Description
Advisory Notifications

The following permissions have been added to the Advisory Notifications Admin role (roles/advisorynotifications.admin):

resourcemanager.projects.get

Advisory Notifications

The following permissions have been added to the Advisory Notifications Viewer role (roles/advisorynotifications.viewer):

resourcemanager.projects.get

Policy Controller

The Anthos Policy Controller Service Agent role (roles/anthospolicycontroller.serviceAgent) has reached General Availability (GA).

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.networkEndpointGroups.list

Spark connector for BigQuery

The BigQuery Spark Service Agent role (roles/bigqueryspark.serviceAgent) has reached General Availability (GA).

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

alloydb.clusters.generateClientCertificate

Recommender

The Network Analyzer GKE Service Account Insights Recommender Admin role (roles/recommender.networkAnalyzerGkeServiceAccountAdmin) has reached General Availability (GA).

Recommender

The Network Analyzer GKE Service Account Insights Recommender Viewer role (roles/recommender.networkAnalyzerGkeServiceAccountViewer) has reached General Availability (GA).

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.globalOperations.get
compute.globalOperations.list

Vertex AI

The following permissions have been added:

aiplatform.datasetVersions.create
aiplatform.datasetVersions.delete
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasetVersions.restore

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.datasetVersions.create
aiplatform.datasetVersions.delete
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasetVersions.restore

Cloud Billing

The following permissions have been added:

billing.resourcebudgets.read
billing.resourcebudgets.write

Cloud Billing

The following permissions are supported in custom roles:

billing.resourcebudgets.read
billing.resourcebudgets.write

Cloud Billing

The following permissions have reached General Availability (GA):

billing.resourcebudgets.read
billing.resourcebudgets.write

Compute Engine

The following permissions have been added:

compute.instances.pscInterfaceCreate

Compute Engine

The following permissions are supported in custom roles:

compute.instances.pscInterfaceCreate

Compute Engine

The following permissions have reached General Availability (GA):

compute.instances.pscInterfaceCreate

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.serverconfig.get

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.serverconfig.get

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.serverconfig.get

Recommender

The following permissions have been added:

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Recommender

The following permissions are supported in custom roles:

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Recommender

The following permissions have reached General Availability (GA):

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Retail API

The following permissions have been added:

retail.experiments.create
retail.experiments.delete
retail.experiments.get
retail.experiments.list
retail.experiments.loadExperimentLookerDashboard
retail.experiments.queryTrafficMetrics
retail.experiments.update

IAM changes as of 2023-09-29

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.events.findUdmFieldValues

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

alloydb.instances.connect

Dataproc Metastore

The Dataproc Metastore Metadata Editor role (roles/metastore.metadataEditor) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Mutate Admin role (roles/metastore.metadataMutateAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Data Owner role (roles/metastore.metadataOwner) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Query Admin role (roles/metastore.metadataQueryAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata User role (roles/metastore.metadataUser) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Viewer role (roles/metastore.metadataViewer) has reached General Availability (GA).

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.getIamPolicy

Privileged Access Manager

The Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent) has reached General Availability (GA).

Rapid Migration Assessment

The following permissions have been added to the RMA Service Agent role (roles/rapidmigrationassessment.serviceAgent):

migrationcenter.sources.list

Google Security Operations

The following permissions have been added:

chronicle.events.findUdmFieldValues

Google Security Operations

The following permissions are supported in custom roles:

chronicle.events.findUdmFieldValues

Memorystore for Memcached

The following permissions have been added:

memcache.instances.upgrade

Memorystore for Memcached

The following permissions have reached General Availability (GA):

memcache.instances.upgrade

Dataproc Metastore

The following permissions have reached General Availability (GA):

metastore.services.mutateMetadata
metastore.services.queryMetadata

IAM changes as of 2023-09-22

Service Description
Vertex AI

The Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin) has reached General Availability (GA).

Vertex AI

The Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser) has reached General Availability (GA).

Vertex AI

The Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin) has reached General Availability (GA).

Vertex AI

The Notebook Runtime User role (roles/aiplatform.notebookRuntimeUser) has reached General Availability (GA).

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.networkEndpointGroups.use
networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
networkservices.endpointPolicies.create
networkservices.endpointPolicies.delete
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.update
networkservices.endpointPolicies.use
networkservices.gateways.create
networkservices.gateways.delete
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.update
networkservices.gateways.use
networkservices.grpcRoutes.create
networkservices.grpcRoutes.delete
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.update
networkservices.grpcRoutes.use
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.update
networkservices.httpFilters.use
networkservices.httpRoutes.create
networkservices.httpRoutes.delete
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.update
networkservices.httpRoutes.use
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.update
networkservices.meshes.use
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update
networkservices.tcpRoutes.create
networkservices.tcpRoutes.delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.update
networkservices.tcpRoutes.use
networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use

Dataform

The Dataform Admin role (roles/dataform.admin) has reached General Availability (GA).

Dataform

The Dataform Editor role (roles/dataform.editor) has reached General Availability (GA).

Dataform

The Dataform Viewer role (roles/dataform.viewer) has reached General Availability (GA).

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Developer role (roles/datafusion.developer):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Operator role (roles/datafusion.operator):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Viewer role (roles/datafusion.viewer):

datafusion.instances.runtime

Dataplex

The Dataplex DataScan Creator role (roles/dataplex.dataScanCreator) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

datafusion.instances.runtime

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.useReadOnly

Cloud Workstations

The following permissions have been added to the Cloud Workstations Admin role (roles/workstations.admin):

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.zones.get
compute.zones.list

Advisory Notifications

The following permissions have been added:

advisorynotifications.settings.get
advisorynotifications.settings.update

Advisory Notifications

The following permissions are supported in custom roles:

advisorynotifications.settings.get
advisorynotifications.settings.update

Vertex AI

The following permissions have been added:

aiplatform.featureGroups.create
aiplatform.featureGroups.delete
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureGroups.update

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

Apigee

The following permissions have been added:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions are supported in custom roles:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions have reached General Availability (GA):

apigee.addonsconfig.get
apigee.addonsconfig.update

Google Security Operations

The following permissions have been added:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Compute Engine

The following permissions have been added:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Compute Engine

The following permissions are supported in custom roles:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig

Compute Engine

The following permissions have reached General Availability (GA):

compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Dataform

The following permissions are supported in custom roles:

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.list
dataform.repositories.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.writeFile

Dataform

The following permissions have reached General Availability (GA):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dialogflow

The following permissions have been added:

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Network Services

The following permissions have been added:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Network Services

The following permissions are supported in custom roles:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Cloud OS Config

The following permissions have been added:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Policy Remediator Manager

The following permissions have been added:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Policy Remediator Manager

The following permissions are supported in custom roles:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Workflows

The following permissions have been added:

workflows.callbacks.list
workflows.workflows.listRevision

Workflows

The following permissions have reached General Availability (GA):

workflows.callbacks.list
workflows.workflows.listRevision

IAM changes as of 2023-09-17

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Assured Workloads

The Assured Workloads Monitoring Service Agent role (roles/assuredworkloads.monitoringServiceAgent) has reached General Availability (GA).

Assured Workloads

The following permissions have been added to the Assured Workloads Reader role (roles/assuredworkloads.reader):

orgpolicy.policy.get

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Editor role (roles/baremetalsolution.editor):

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Instances Admin role (roles/baremetalsolution.instancesadmin):

baremetalsolution.osimages.list

Google Security Operations

The Chronicle API Restricted Data Access role (roles/chronicle.restrictedDataAccess) has been added with the following permissions:

chronicle.dataAccessScopes.permit
chronicle.googleapis.com/dataAccessScopes.permit

Google Security Operations

The Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer) has been added with the following permissions:

chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.events.batchGet
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.googleapis.com/entities.find
chronicle.googleapis.com/entities.findRelatedEntities
chronicle.googleapis.com/entities.get
chronicle.googleapis.com/entities.searchEntities
chronicle.googleapis.com/entities.summarize
chronicle.googleapis.com/entities.summarizeFromQuery
chronicle.googleapis.com/entityRiskScores.queryEntityRiskScores
chronicle.googleapis.com/events.batchGet
chronicle.googleapis.com/events.get
chronicle.googleapis.com/events.queryProductSourceStats
chronicle.googleapis.com/events.udmSearch
chronicle.googleapis.com/events.validateQuery
chronicle.googleapis.com/instances.get
chronicle.googleapis.com/instances.report
chronicle.googleapis.com/legacies.legacyBatchGetCases
chronicle.googleapis.com/legacies.legacyCalculateAlertStats
chronicle.googleapis.com/legacies.legacyFetchAlertsView
chronicle.googleapis.com/legacies.legacyFetchUdmSearchCsv
chronicle.googleapis.com/legacies.legacyFetchUdmSearchView
chronicle.googleapis.com/legacies.legacyFindAssetEvents
chronicle.googleapis.com/legacies.legacyFindRawLogs
chronicle.googleapis.com/legacies.legacyFindUdmEvents
chronicle.googleapis.com/legacies.legacyGetAlert
chronicle.googleapis.com/legacies.legacyGetFinding
chronicle.googleapis.com/legacies.legacyGetRuleCounts
chronicle.googleapis.com/legacies.legacyGetRulesTrends
chronicle.googleapis.com/legacies.legacyRunTestRule
chronicle.googleapis.com/legacies.legacySearchArtifactEvents
chronicle.googleapis.com/legacies.legacySearchAssetEvents
chronicle.googleapis.com/legacies.legacySearchFindings
chronicle.googleapis.com/legacies.legacySearchRawLogs
chronicle.googleapis.com/legacies.legacySearchRuleDetectionCountBuckets
chronicle.googleapis.com/legacies.legacySearchRuleDetectionEvents
chronicle.googleapis.com/legacies.legacySearchRuleResults
chronicle.googleapis.com/legacies.legacySearchRulesAlerts
chronicle.googleapis.com/legacies.legacySearchUserEvents
chronicle.googleapis.com/logs.get
chronicle.googleapis.com/logs.list
chronicle.googleapis.com/operations.get
chronicle.googleapis.com/operations.list
chronicle.googleapis.com/operations.wait
chronicle.googleapis.com/retrohunts.get
chronicle.googleapis.com/retrohunts.list
chronicle.googleapis.com/ruleDeployments.get
chronicle.googleapis.com/ruleDeployments.list
chronicle.googleapis.com/ruleExecutionErrors.list
chronicle.googleapis.com/rules.get
chronicle.googleapis.com/rules.list
chronicle.googleapis.com/rules.listRevisions
chronicle.googleapis.com/rules.verifyRuleText
chronicle.googleapis.com/signalGraphs.exploreNode
chronicle.googleapis.com/signalGraphs.initializeGraph
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents
chronicle.logs.get
chronicle.logs.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.signalGraphs.exploreNode
chronicle.signalGraphs.initializeGraph
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Controls Partner API

The Cloud Controls Partner Access Approval Service Agent role (roles/cloudcontrolspartner.accessApprovalServiceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The following permissions have been added to the Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin):

cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

storage.objects.get

Commerce Price Management

The following permissions have been added to the Commerce Price Management Private Offers Admin role (roles/commercepricemanagement.privateOffersAdmin):

commerceprice.privateoffers.sendEmail

Compute Engine

The Compute Future Reservation Admin role (roles/compute.futureReservationAdmin) has been added with the following permissions:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.cancel
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation User role (roles/compute.futureReservationUser) has been added with the following permissions:

compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation Viewer role (roles/compute.futureReservationViewer) has been added with the following permissions:

compute.futureReservations.get
compute.futureReservations.list
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Admin role (roles/connectors.endpointAttachmentAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Viewer role (roles/connectors.endpointAttachmentViewer):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Admin role (roles/connectors.managedZoneAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Viewer role (roles/connectors.managedZoneViewer):

connectors.locations.get
connectors.locations.list

Data Catalog

The following permissions have been added to the DataCatalog Data Steward role (roles/datacatalog.dataSteward):

datacatalog.relationships.list

Data Catalog

The following permissions have been added to the DataCatalog Entry Viewer role (roles/datacatalog.entryViewer):

datacatalog.relationships.list

Dataplex

The following permissions have been added to the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

resourcemanager.projects.get
resourcemanager.projects.list

Dataplex

The following permissions have been added to the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

resourcemanager.projects.get
resourcemanager.projects.list

Datastore

The Cloud Datastore Backups Admin role (roles/datastore.backupsAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Admin role (roles/datastore.backupSchedulesAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Viewer role (roles/datastore.backupSchedulesViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Backups Viewer role (roles/datastore.backupsViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Restore Admin role (roles/datastore.restoreAdmin) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.conversations.create

Sensitive Data Protection

The DLP Connections Admin role (roles/dlp.connectionsAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP Connections Viewer role (roles/dlp.connectionsReader) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

commerceprice.privateoffers.sendEmail

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

bigquery.datasets.update

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

compute.networkEndpointGroups.list

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.setIamPolicy

Basic Role

The following permissions have been added to the Owner role (roles/owner):

commerceprice.privateoffers.sendEmail

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.create
compute.images.get

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.useReadOnly

Vertex AI

The following permissions have been added:

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

Chrome Enterprise Premium

The following permissions have been added:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

Chrome Enterprise Premium

The following permissions are supported in custom roles:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

Certificate Manager

The following permissions have reached General Availability (GA):

certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.delete
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use

Gemini for Google Cloud API

The following permissions have been added:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Gemini for Google Cloud API

The following permissions are supported in custom roles:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Cloud Deploy

The following permissions have been added:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions have reached General Availability (GA):

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.retryJob

Cloud Quotas

The following permissions have been added:

cloudquotas.quotas.get
cloudquotas.quotas.update

Cloud Quotas

The following permissions are supported in custom roles:

cloudquotas.quotas.get
cloudquotas.quotas.update

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Price Management

The following permissions have been added:

commerceprice.privateoffers.sendEmail

Compute Engine

The following permissions have been added:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions are supported in custom roles:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions have reached General Availability (GA):

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

Google Cloud Contact Center as a Service

The following permissions have reached General Availability (GA):

contactcenteraiplatform.contactCenters.program

Conversational Insights

The following permissions have been added:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Conversational Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update

Dataproc

The following permissions have been added:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions are supported in custom roles:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions have reached General Availability (GA):

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Datastore

The following permissions have been added:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions are supported in custom roles:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions have reached General Availability (GA):

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Sensitive Data Protection

The following permissions have been added:

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.applyConsents
healthcare.fhirStores.rollback

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.rollback

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Network Services

The following permissions have been added:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Network Services

The following permissions are supported in custom roles:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Recommender

The following permissions have been added:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Cloud Run

The following permissions have been added:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions are supported in custom roles:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions have reached General Availability (GA):

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Secure Source Manager

The following permissions have been added:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Secure Source Manager

The following permissions are supported in custom roles:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Workload Manager

The following permissions have been added:

workloadmanager.actuations.create
workloadmanager.actuations.delete
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.create
workloadmanager.deployments.delete
workloadmanager.deployments.get
workloadmanager.deployments.list

IAM changes as of 2023-08-18

Service Description
Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

iam.serviceAccounts.getAccessToken

Conversational Insights

The following permissions have been added to the Contact Center AI Insights Service Agent role (roles/contactcenterinsights.serviceAgent):

storage.objects.create
storage.objects.update

Dataplex

The following permissions have been added to the Dataplex DataScan Administrator role (roles/dataplex.dataScanAdmin):

dataplex.operations.get
dataplex.operations.list

Dataplex

The following permissions have been added to the Dataplex DataScan Editor role (roles/dataplex.dataScanEditor):

dataplex.operations.get
dataplex.operations.list

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

compute.regionOperations.get

Cloud Storage

The Storage Object User role (roles/storage.objectUser) has reached General Availability (GA).

Vertex AI

The following permissions have been added:

aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.setIamPolicy

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Google Cloud Contact Center as a Service

The following permissions have been added:

contactcenteraiplatform.contactCenters.program

Google Cloud Contact Center as a Service

The following permissions are supported in custom roles:

contactcenteraiplatform.contactCenters.program

GKE Hub

The following permissions have been added:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions are supported in custom roles:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Recommender

The following permissions have been added:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

IAM changes as of 2023-08-11

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.routes.invoke
run.services.create
run.services.delete
run.services.get

Firebase Remote Config

The following permissions have been removed from the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.get
krmapihosting.operations.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

compute.networks.list
compute.routers.list

Google Cloud Migration Center

The following permissions have been added to the Migration Center Admin role (roles/migrationcenter.admin):

serviceusage.quotas.get

Google Cloud Migration Center

The following permissions have been added to the Migration Center Viewer role (roles/migrationcenter.viewer):

serviceusage.quotas.get

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

run.jobs.get
run.jobs.list

Security Command Center

The Security Center Attack Paths Reader role (roles/securitycenter.attackPathsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Editor role (roles/securitycenter.resourceValueConfigsEditor) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Viewer role (roles/securitycenter.resourceValueConfigsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Simulations Reader role (roles/securitycenter.simulationsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Valued Resources Reader role (roles/securitycenter.valuedResourcesViewer) has reached General Availability (GA).

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/reservations.create
bigqueryreservation.googleapis.com/reservations.delete
bigqueryreservation.googleapis.com/reservations.get
bigqueryreservation.googleapis.com/reservations.list
bigqueryreservation.googleapis.com/reservations.update

Commerce Agreement Publishing

The following permissions have been added:

commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update

Compute Engine

The following permissions have been added:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.futureReservations.setIamPolicy
compute.futureReservations.update
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy

Compute Engine

The following permissions are supported in custom roles:

compute.futureReservations.getIamPolicy
compute.futureReservations.setIamPolicy
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.setIamPolicy
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.detachNetworkEndpoints

Conversational Insights

The following permissions have been added:

contactcenterinsights.issueModels.export

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.issueModels.export

Conversational Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.export

Datastore

The following permissions have been added:

datastore.databases.delete

Datastore

The following permissions have reached General Availability (GA):

datastore.databases.delete

Recommender

The following permissions have been added:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Security Command Center

The following permissions have been added:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions are supported in custom roles:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

IAM changes as of 2023-08-04

Service Description
Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

cloudasset.assets.searchAllResources

Firebase Remote Config

The following permissions have been added to the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

iam.serviceAccounts.actAs

Google Cloud Support

The following permissions have been added to the Tech Support Editor role (roles/cloudsupport.techSupportEditor):

cloudasset.assets.searchAllResources

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

bigquery.jobs.create
bigquery.tables.getData

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

discoveryengine.engines.update

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

iam.serviceAccounts.getOpenIdToken

GKE Dataplane Management

The Warp Run Service Agent role (roles/gkedataplanemanagement.warpRunServiceAgent) has reached General Availability (GA).

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list

Recommender

The Recommendations Exporter role (roles/recommender.exporter) has reached General Availability (GA).

Workload Manager

The following permissions have been added to the Workload Manager Service Agent role (roles/workloadmanager.serviceAgent):

config.resources.list

Cloud Workstations

The following permissions have been added to the Cloud Workstations User role (roles/workstations.user):

workstations.workstations.update

Apigee

The following permissions have been added:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions are supported in custom roles:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Content Warehouse

The following permissions have been added:

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Discovery Engine

The following permissions have been added:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.enrollSolutions
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.dataStores.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.models.create
discoveryengine.models.delete
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.models.pause
discoveryengine.models.resume
discoveryengine.models.tune
discoveryengine.models.update
discoveryengine.projects.get
discoveryengine.projects.provision
discoveryengine.projects.reportConsentChange
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.create
discoveryengine.servingConfigs.delete
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.update
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.batchCreate
discoveryengine.targetSites.create
discoveryengine.targetSites.delete
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.targetSites.update
discoveryengine.userEvents.fetchStats
discoveryengine.userEvents.purge
discoveryengine.widgetConfigs.get
discoveryengine.widgetConfigs.update

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.targetSites.batchCreate
discoveryengine.widgetConfigs.get
discoveryengine.widgetConfigs.update

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.use

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.use

Recommender

The following permissions have reached General Availability (GA):

recommender.resources.export

IAM changes as of 2023-07-28

Service Description
Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.userEvents.create

Apigee

The following permissions have been added:

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

Apigee

The following permissions are supported in custom roles:

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityActions.create
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActions.update
apigee.securityActionsConfig.get
apigee.securityActionsConfig.update

BigQuery

The following permissions have been added:

bigquery.tables.replicateData

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.replicateData

Compute Engine

The following permissions are supported in custom roles:

compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.list

Compute Engine

The following permissions have reached General Availability (GA):

compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use

IAM changes as of 2023-07-21

Service Description
Vertex AI

The Vertex AI Notebook Service Agent role (roles/aiplatform.notebookServiceAgent) has reached General Availability (GA).

Analytics Hub

The Analytics Hub Subscription Owner role (roles/analyticshub.subscriptionOwner) has reached General Availability (GA).

Assured Workloads

The following permissions have been added to the Assured Workloads Editor role (roles/assuredworkloads.editor):

logging.cmekSettings.update
logging.googleapis.com/settings.update
logging.settings.update

Bare Metal Solution

The OS Images Viewer role (roles/baremetalsolution.osimagesviewer) has reached General Availability (GA).

Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list

Cloud Asset Inventory

The Effective Policies Service Agent role (roles/cloudasset.effectivePolicyServiceAgent) has reached General Availability (GA).

Cloud Build

The Cloud Build Connection Admin role (roles/cloudbuild.connectionAdmin) has reached General Availability (GA).

Cloud Build

The Cloud Build Connection Viewer role (roles/cloudbuild.connectionViewer) has reached General Availability (GA).

Cloud Build

The Cloud Build Read Only Token Accessor role (roles/cloudbuild.readTokenAccessor) has reached General Availability (GA).

Cloud Build

The Cloud Build Token Accessor role (roles/cloudbuild.tokenAccessor) has reached General Availability (GA).

Commerce Business Enablement

The following permissions have been added to the Commerce Business Enablement PaymentConfig Admin role (roles/commercebusinessenablement.paymentConfigAdmin):

commercebusinessenablement.partnerInfo.get

Commerce Business Enablement

The following permissions have been added to the Commerce Business Enablement PaymentConfig Viewer role (roles/commercebusinessenablement.paymentConfigViewer):

commercebusinessenablement.partnerInfo.get

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.conversations.converse

Basic Role

The following permissions have been added to the Editor role (roles/editor):

datastore.operations.get
datastore.operations.list

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

datastore.operations.get
datastore.operations.list

Analytics Hub

The following permissions have been added:

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Analytics Hub

The following permissions are supported in custom roles:

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Analytics Hub

The following permissions have reached General Availability (GA):

analyticshub.dataExchanges.subscribe
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

Bare Metal Solution

The following permissions have been added:

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions are supported in custom roles:

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions have reached General Availability (GA):

baremetalsolution.osimages.list

Cloud Billing

The following permissions have been added:

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Billing

The following permissions are supported in custom roles:

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Billing

The following permissions have reached General Availability (GA):

billing.billingAccountPrice.get
billing.billingAccountServices.get
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.get
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.get
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.get
billing.billingAccountSkus.list

Cloud Build

The following permissions have been added:

cloudbuild.operations.get
cloudbuild.operations.list

Cloud Build

The following permissions are supported in custom roles:

cloudbuild.operations.get
cloudbuild.operations.list

Cloud Build

The following permissions have reached General Availability (GA):

cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update
cloudbuild.operations.get
cloudbuild.operations.list
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list

Compute Engine

The following permissions have been added:

compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings

Data Catalog

The following permissions have been added:

datacatalog.entries.createGlossaryCategory
datacatalog.entries.deleteGlossaryCategory
datacatalog.entries.updateGlossaryCategory
datacatalog.operations.list
datacatalog.relationships.createBelongsTo
datacatalog.relationships.deleteBelongsTo

Data Catalog

The following permissions are supported in custom roles:

datacatalog.entries.createGlossaryCategory
datacatalog.entries.deleteGlossaryCategory
datacatalog.entries.updateGlossaryCategory
datacatalog.relationships.createBelongsTo
datacatalog.relationships.deleteBelongsTo

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.activeDirectories.create
netapp.activeDirectories.delete
netapp.activeDirectories.get
netapp.activeDirectories.list
netapp.activeDirectories.update
netapp.kmsConfigs.create
netapp.kmsConfigs.delete
netapp.kmsConfigs.encrypt
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.kmsConfigs.update
netapp.kmsConfigs.verify
netapp.replications.create
netapp.replications.delete
netapp.replications.get
netapp.replications.list
netapp.replications.resume
netapp.replications.reverse
netapp.replications.stop
netapp.replications.update
netapp.snapshots.create
netapp.snapshots.delete
netapp.snapshots.get
netapp.snapshots.list
netapp.snapshots.update
netapp.storagePools.create
netapp.storagePools.delete
netapp.storagePools.get
netapp.storagePools.list
netapp.storagePools.update
netapp.volumes.create
netapp.volumes.delete
netapp.volumes.get
netapp.volumes.list
netapp.volumes.revert
netapp.volumes.update

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.kmsConfigs.create
netapp.kmsConfigs.delete
netapp.kmsConfigs.encrypt
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.kmsConfigs.update
netapp.kmsConfigs.verify
netapp.replications.create
netapp.replications.delete
netapp.replications.get
netapp.replications.list
netapp.replications.resume
netapp.replications.reverse
netapp.replications.stop
netapp.replications.update

Policy Simulator

The following permissions have been added:

policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.create
policysimulator.orgPolicyViolationsPreviews.get
policysimulator.orgPolicyViolationsPreviews.list

Recommender

The following permissions have been added:

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

Recommender

The following permissions have reached General Availability (GA):

recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostInsights.update
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceCostRecommendations.update

IAM changes as of 2023-07-14

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store EntityType owner role (roles/aiplatform.entityTypeOwner):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Admin role (roles/aiplatform.featurestoreAdmin):

aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Viewer role (roles/aiplatform.featurestoreDataViewer):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Writer role (roles/aiplatform.featurestoreDataWriter):

aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Viewer role (roles/aiplatform.viewer):

aiplatform.featureViews.searchNearestEntities

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Mount User role (roles/backupdr.mountUser):

backupdr.managementServers.viewBackupPlans

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Restore User role (roles/backupdr.restoreUser):

backupdr.managementServers.viewBackupPlans

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.regionOperations.get
compute.regions.get
compute.snapshots.delete
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Compute Engine

The following permissions have been removed from the Compute Engine Service Agent role (roles/compute.serviceAgent):

compute.zoneOperations.get

Connectors

The Connectors Event Subscriptions Admin role (roles/connectors.eventSubscriptionAdmin) has reached General Availability (GA).

Connectors

The Connectors Event Subscriptions Viewer role (roles/connectors.eventSubscriptionViewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

aiplatform.featureViews.searchNearestEntities

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.projects.get

Basic Role

The following permissions have been added to the Owner role (roles/owner):

aiplatform.featureViews.searchNearestEntities

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

aiplatform.featureViews.searchNearestEntities

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added:

aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.featureViews.sync
aiplatform.featureViews.update

Commerce Offer Catalog

The following permissions have been added:

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list

Commerce Offer Catalog

The following permissions are supported in custom roles:

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list

Connectors

The following permissions have been added:

connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update
connectors.eventtypes.get
connectors.eventtypes.list

Connectors

The following permissions have reached General Availability (GA):

connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update
connectors.eventtypes.get
connectors.eventtypes.list

Data Catalog

The following permissions have been added:

datacatalog.catalogs.searchAll

Discovery Engine

The following permissions have been added:

discoveryengine.conversations.converse
discoveryengine.servingConfigs.search

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.conversations.converse

Network Connectivity Center

The following permissions have been added:

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use
networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update
networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

Personalized Service Health

The following permissions have been added:

servicehealth.events.get
servicehealth.events.list
servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

Personalized Service Health

The following permissions are supported in custom roles:

servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

IAM changes as of 2023-06-30

Service Description
Cloud Key Management Service

The Cloud KMS Expert Raw AES-CBC Key Manager role (roles/cloudkms.expertRawAesCbc) has reached General Availability (GA).

Cloud Key Management Service

The Cloud KMS Expert Raw AES-CTR Key Manager role (roles/cloudkms.expertRawAesCtr) has reached General Availability (GA).

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

compute.networkAttachments.get
dns.networks.targetWithPeeringZone

Network Connectivity Center

The Group User role (roles/networkconnectivity.groupUser) has reached General Availability (GA).

Workload Certificate

The following permissions have been added to the Workload Certificate Service Agent role (roles/workloadcertificate.serviceAgent):

container.thirdPartyObjects.update

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
storage.buckets.list

BigQuery

The following permissions have been added:

bigquery.datasets.listSharedDatasetUsage

BigQuery

The following permissions are supported in custom roles:

bigquery.datasets.listSharedDatasetUsage

Cloud Key Management Service

The following permissions have been added:

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

Translation

The following permissions have been added:

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Translation

The following permissions are supported in custom roles:

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Translation

The following permissions have reached General Availability (GA):

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list

Cloud Config Manager API

The following permissions have been added:

config.resources.get
config.resources.list

Cloud Config Manager API

The following permissions are supported in custom roles:

config.resources.get
config.resources.list

Network Connectivity Center

The following permissions have been added:

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.setIamPolicy
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy
networkconnectivity.hubs.listSpokes

Network Security

The following permissions have been added:

networksecurity.firewallEndpointAssociations.create
networksecurity.firewallEndpointAssociations.delete
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpointAssociations.update
networksecurity.firewallEndpoints.create
networksecurity.firewallEndpoints.delete
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.firewallEndpoints.update
networksecurity.firewallEndpoints.use
networksecurity.securityProfileGroups.create
networksecurity.securityProfileGroups.delete
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfileGroups.update
networksecurity.securityProfileGroups.use
networksecurity.securityProfiles.create
networksecurity.securityProfiles.delete
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.update
networksecurity.securityProfiles.use

Spanner

The following permissions are supported in custom roles:

spanner.databases.update

IAM changes as of 2023-06-23

Service Description
Access Approval

The Access Approval Approver role (roles/accessapproval.approver) has reached General Availability (GA).

Access Approval

The Access Approval Config Editor role (roles/accessapproval.configEditor) has reached General Availability (GA).

Access Approval

The Access Approval Invalidator role (roles/accessapproval.invalidator) has reached General Availability (GA).

Access Approval

The Access Approval Viewer role (roles/accessapproval.viewer) has reached General Availability (GA).

Compute Engine

The following permissions have been added to the Compute Security Admin role (roles/compute.securityAdmin):

compute.routers.get
compute.routers.list

Security Command Center

The following permissions have been removed from the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
cloudsql.instances.get
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.list
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.get
container.operations.list
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
dlp.jobs.get
dlp.jobs.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.get
logging.locations.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.alertPolicies.get
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
securitycenter.assets.group
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list

Security Command Center

The following permissions have been removed from the Security Health Analytics Service Agent role (roles/securitycenter.securityHealthAnalyticsServiceAgent):

apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
cloudsql.instances.get
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
container.clusters.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.get
logging.locations.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.alertPolicies.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list

Security Command Center

The following permissions have been removed from the Security Center Service Agent role (roles/securitycenter.serviceAgent):

apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
cloudsql.instances.get
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.list
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.get
container.operations.list
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
dlp.jobs.get
dlp.jobs.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.get
logging.locations.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.alertPolicies.get
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
securitycenter.assets.group
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list

Access Approval

The following permissions have reached General Availability (GA):

accessapproval.requests.approve
accessapproval.requests.dismiss
accessapproval.requests.get
accessapproval.requests.invalidate
accessapproval.requests.list
accessapproval.serviceAccounts.get
accessapproval.settings.delete
accessapproval.settings.get
accessapproval.settings.update

Cloud Billing

The following permissions have been added:

billing.finOpsBenchmarkInformation.get
billing.finOpsHealthInformation.get

Cloud Billing

The following permissions are supported in custom roles:

billing.finOpsBenchmarkInformation.get
billing.finOpsHealthInformation.get

Cloud Billing

The following permissions have reached General Availability (GA):

billing.finOpsBenchmarkInformation.get
billing.finOpsHealthInformation.get

Cloud Controls Partner API

The following permissions have been added:

cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get

Cloud Controls Partner API

The following permissions are supported in custom roles:

cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get

Conversational Insights

The following permissions have been added:

contactcenterinsights.conversations.upload

Conversational Insights

The following permissions are supported in custom roles:

contactcenterinsights.conversations.upload

Conversational Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.conversations.upload

Google Cloud Migration Center

The following permissions have been added:

migrationcenter.reportConfigs.create
migrationcenter.reportConfigs.delete
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.create
migrationcenter.reports.delete
migrationcenter.reports.get
migrationcenter.reports.list

Google Cloud Migration Center

The following permissions are supported in custom roles:

migrationcenter.reportConfigs.create
migrationcenter.reportConfigs.delete
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.create
migrationcenter.reports.delete
migrationcenter.reports.get
migrationcenter.reports.list

Spanner

The following permissions are available in custom roles:

spanner.databases.update

IAM changes as of 2023-06-16

Service Description
Cloud Build

The following permissions have been added to the Cloud Build Token Accessor role (roles/cloudbuild.tokenAccessor):

cloudbuild.repositories.list

Cloud Controls Partner API

The Cloud Controls Partner EKM Service Agent role (roles/cloudcontrolspartner.ekmServiceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Monitoring Service Agent role (roles/cloudcontrolspartner.monitoringServiceAgent) has reached General Availability (GA).

Conversational Insights

The following permissions have been added to the Contact Center AI Insights Service Agent role (roles/contactcenterinsights.serviceAgent):

speech.customClasses.get
speech.phraseSets.get

Resource Manager

The following permissions have been added to the Folder Admin role (roles/resourcemanager.folderAdmin):

essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.send
essentialcontacts.contacts.update

Resource Manager

The following permissions have been added to the Folder Creator role (roles/resourcemanager.folderCreator):

essentialcontacts.contacts.get
essentialcontacts.contacts.list

Resource Manager

The following permissions have been added to the Folder Editor role (roles/resourcemanager.folderEditor):

essentialcontacts.contacts.get
essentialcontacts.contacts.list

Resource Manager

The following permissions have been added to the Folder Viewer role (roles/resourcemanager.folderViewer):

essentialcontacts.contacts.get
essentialcontacts.contacts.list

Resource Manager

The following permissions have been added to the Organization Administrator role (roles/resourcemanager.organizationAdmin):

essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.send
essentialcontacts.contacts.update

Rapid Migration Assessment

The Rapid Migration Assessment Admin role (roles/rma.admin) has reached General Availability (GA).

Rapid Migration Assessment

The Rapid Migration Assessment Runner role (roles/rma.runner) has reached General Availability (GA).

Rapid Migration Assessment

The Rapid Migration Assessment Viewer role (roles/rma.viewer) has reached General Availability (GA).

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.workloadIdentityPoolProviders.list
iam.workloadIdentityPools.list
monitoring.timeSeries.list
serviceusage.operations.cancel
serviceusage.operations.delete
serviceusage.operations.get
serviceusage.operations.list
serviceusage.services.disable

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.workloadIdentityPoolProviders.list
iam.workloadIdentityPools.list
monitoring.timeSeries.list
serviceusage.operations.cancel
serviceusage.operations.delete
serviceusage.operations.get
serviceusage.operations.list
serviceusage.services.disable
serviceusage.services.enable

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.users.login

Firebase Extensions Publisher

The following permissions have been added:

firebaseextensionspublisher.extensions.create
firebaseextensionspublisher.extensions.delete
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list

Firebase Extensions Publisher

The following permissions are supported in custom roles:

firebaseextensionspublisher.extensions.create
firebaseextensionspublisher.extensions.delete
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list

Rapid Migration Assessment

The following permissions have reached General Availability (GA):

rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list

IAM changes as of 2023-06-09

Service Change Description
Firebase Remote Config Role Updated

The following permissions have been added to the role roles/cloudconfig.serviceAgent (Cloud Config Service Agent):

cloudbuild.workerpools.use

Cloud SQL Role Updated

The following permissions have been removed from the role roles/cloudsql.editor (Cloud SQL Editor):

recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update
recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update

Cloud SQL Role Updated

The following permissions have been removed from the role roles/cloudsql.viewer (Cloud SQL Viewer):

recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list

Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent):

dataplex.environments.list

Discovery Engine Role Updated

The following permissions have been added to the role roles/discoveryengine.serviceAgent (Discovery Engine Service Agent):

discoveryengine.dataStores.completeQuery

Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

networkconnectivity.operations.get

Serverless Integrations Role Updated

The following permissions have been added to the role roles/runapps.serviceAgent (Serverless Integrations Service Agent):

compute.targetHttpProxies.get
compute.targetHttpProxies.list

Speaker ID Now GA

The role roles/speakerid.admin (Speaker ID Admin) is now GA.

Speaker ID Now GA

The role roles/speakerid.editor (Speaker ID Editor) is now GA.

Speaker ID Now GA

The role roles/speakerid.verifier (Speaker ID Verifier) is now GA.

Speaker ID Now GA

The role roles/speakerid.viewer (Speaker ID Viewer) is now GA.

Workload Manager Role Updated

The following permissions have been added to the role roles/workloadmanager.serviceAgent (Workload Manager Service Agent):

config.deployments.create
config.locations.get
config.locations.list
config.operations.cancel
config.operations.delete
config.operations.get
config.operations.list

Vertex AI Added

aiplatform.modelEvaluationSlices.import
aiplatform.modelEvaluations.import
aiplatform.schedules.create
aiplatform.schedules.delete
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.schedules.update

Cloud Asset Inventory Added

cloudasset.assets.analyzeOrgPolicy

Compute Engine Added

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.detachNetworkEndpoints

Datastore Added

datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings

Datastore Now GA

datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings

Discovery Engine Added

discoveryengine.dataStores.completeQuery

Discovery Engine Supported In Custom Roles

discoveryengine.dataStores.completeQuery

Google Cloud Migration Center Added

migrationcenter.errorFrames.get
migrationcenter.errorFrames.list
migrationcenter.importDataFiles.create
migrationcenter.importDataFiles.delete
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list

Google Cloud Migration Center Supported In Custom Roles

migrationcenter.errorFrames.get
migrationcenter.errorFrames.list
migrationcenter.importDataFiles.create
migrationcenter.importDataFiles.delete
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list

Recommender Added

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update
recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

Recommender Supported In Custom Roles

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update
recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

Speaker ID Added

speakerid.phrases.create
speakerid.phrases.delete
speakerid.phrases.get
speakerid.phrases.list
speakerid.settings.get
speakerid.settings.update
speakerid.speakers.create
speakerid.speakers.delete
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify

Speaker ID Now GA

speakerid.phrases.create
speakerid.phrases.delete
speakerid.phrases.get
speakerid.phrases.list
speakerid.settings.get
speakerid.settings.update
speakerid.speakers.create
speakerid.speakers.delete
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify

Cloud IAM changes as of 2023-06-02

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.networks.use
compute.networks.useExternalIp

AlloyDB for PostgreSQL Role Updated

The following permissions have been added to the role roles/alloydb.admin (Cloud AlloyDB Admin):

alloydb.instances.injectFault

App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.create
compute.routes.delete

Backup and Disaster Recovery Now GA

The role roles/backupdr.backupUser (Backup and DR Backup User) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.mountUser (Backup and DR Mount User) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.restoreUser (Backup and DR Restore User) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.userv2 (Backup and DR User V2) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.maintenanceeventsadmin (Maintenance Events Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.maintenanceeventseditor (Maintenance Events Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.maintenanceeventsviewer (Maintenance Events Viewer) is now GA.

Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

artifactregistry.repositories.downloadArtifacts
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
storage.objects.list

Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

artifactregistry.repositories.deleteArtifacts

Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

artifactregistry.repositories.deleteArtifacts

Artifact Analysis Role Updated

The following permissions have been added to the role roles/containeranalysis.ServiceAgent (Container Analysis Service Agent):

storage.objects.update

Container Scanning Role Updated

The following permissions have been added to the role roles/containerscanning.ServiceAgent (Container Scanner Service Agent):

storage.objects.update

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

alloydb.instances.injectFault

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationAdminRole (Apigee Integration Admin):

integrations.executions.get

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationEditorRole (Apigee Integration Editor):

integrations.executions.get

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationInvokerRole (Apigee Integration Invoker):

integrations.executions.get

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationsViewer (Apigee Integration Viewer):

integrations.executions.get

Cloud Monitoring Now GA

The role roles/monitoring.snoozeEditor (Monitoring Snooze Editor) is now GA.

Cloud Monitoring Now GA

The role roles/monitoring.snoozeViewer (Monitoring Snooze Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

alloydb.instances.injectFault

Basic Role Role Updated

The following permissions have been removed from the role roles/viewer (Viewer):

integrations.certificates.create
integrations.certificates.delete
integrations.certificates.update

Vision AI Role Updated

The following permissions have been added to the role roles/visionai.corpusWriter (VisionAI Warehouse Corpus Writer):

visionai.annotations.get
visionai.annotations.list
visionai.assets.clip
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.list
visionai.assets.search

Cloud Workstations Now GA

The role roles/workstations.admin (Cloud Workstations Admin) is now GA.

Cloud Workstations Now GA

The role roles/workstations.networkAdmin (Cloud Workstations Network Admin) is now GA.

Cloud Workstations Now GA

The role roles/workstations.operationViewer (Cloud Workstations Operation Viewer) is now GA.

Cloud Workstations Now GA

The role roles/workstations.user (Cloud Workstations User) is now GA.

Cloud Workstations Now GA

The role roles/workstations.workstationCreator (Cloud Workstations Creator) is now GA.

Cloud Workstations Now GA

The role roles/workstations.workstationUser (Cloud Workstations User (Deprecated)) is now GA.

AlloyDB for PostgreSQL Added

alloydb.instances.injectFault

Backup and Disaster Recovery Supported In Custom Roles

backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows

Backup and Disaster Recovery Now GA

backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows

Cloud Integrations Added

integrations.securityIntegrationVers.delete

Cloud Monitoring Now GA

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Recommender Added

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

Recommender Supported In Custom Roles

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

Recommender Now GA

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

Cloud Workstations Now GA

workstations.operations.get
workstations.workstationClusters.create
workstations.workstationClusters.delete
workstations.workstationClusters.get
workstations.workstationClusters.list
workstations.workstationClusters.update
workstations.workstationConfigs.create
workstations.workstationConfigs.delete
workstations.workstationConfigs.get
workstations.workstationConfigs.getIamPolicy
workstations.workstationConfigs.list
workstations.workstationConfigs.setIamPolicy
workstations.workstationConfigs.update
workstations.workstations.create
workstations.workstations.delete
workstations.workstations.get
workstations.workstations.getIamPolicy
workstations.workstations.list
workstations.workstations.setIamPolicy
workstations.workstations.start
workstations.workstations.stop
workstations.workstations.update
workstations.workstations.use

Cloud IAM changes as of 2023-05-26

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.zoneOperations.get

Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.mountUser (Backup and DR Mount User):

backupdr.managementServers.viewStorage

Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.restoreUser (Backup and DR Restore User):

backupdr.managementServers.viewStorage

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

dns.managedZones.get
dns.managedZones.list
dns.networks.targetWithPeeringZone

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.sharedVpcAgent (Composer Shared VPC Agent):

dns.managedZones.get
dns.managedZones.list
dns.networks.targetWithPeeringZone

Compute Engine Now GA

The role roles/compute.loadBalancerAdmin (Compute Load Balancer Admin) is now GA.

Compute Engine Now GA

The role roles/compute.loadBalancerServiceUser (Compute Load Balancer Services User) is now GA.

Data Lineage API Now GA

The role roles/datalineage.admin (Data Lineage Administrator) is now GA.

Data Lineage API Now GA

The role roles/datalineage.editor (Data Lineage Editor) is now GA.

Data Lineage API Now GA

The role roles/datalineage.producer (Data Lineage Events Producer) is now GA.

Data Lineage API Now GA

The role roles/datalineage.viewer (Data Lineage Viewer) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.subscriptionsAdmin (DLP Subscription Admin) is now GA.

Sensitive Data Protection Now GA

The role roles/dlp.subscriptionsReader (DLP Subscription Viewer) is now GA.

Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

compute.forwardingRules.get
compute.regionOperations.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.admin (Security Center Admin):

cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminEditor (Security Center Admin Editor):

cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminViewer (Security Center Admin Viewer):

cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.assetsViewer (Security Center Assets Viewer):

cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Vision AI Role Updated

The following permissions have been added to the role roles/visionai.serviceAgent (Cloud Vision AI Service Agent):

visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
Compute Engine Now GA compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.resourcePolicies.useReadOnly
Data Lineage API Now GA datalineage.events.create
datalineage.events.delete
datalineage.events.get
datalineage.events.list
datalineage.locations.searchLinks
datalineage.operations.get
datalineage.processes.create
datalineage.processes.delete
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.delete
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
Sensitive Data Protection Added dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update
Sensitive Data Protection Supported In Custom Roles dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update
Sensitive Data Protection Now GA dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Cloud IAM changes as of 2023-05-19

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.networks.get
compute.subnetworks.list
Backup and Disaster Recovery Now GA

The role roles/backupdr.serviceAgent (Backup and DR Service Agent) is now GA.

Cloud Build Role Updated

The following permissions have been removed from the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

logging.privateLogEntries.list
Cloud Build Role Updated

The following permissions have been removed from the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

logging.privateLogEntries.list
Cloud Composer Role Updated

The following permissions have been removed from the role roles/composer.worker (Composer Worker):

logging.privateLogEntries.list
Artifact Analysis Role Updated

The following permissions have been added to the role roles/containeranalysis.ServiceAgent (Container Analysis Service Agent):

containeranalysis.notes.list
Container Scanning Role Updated

The following permissions have been added to the role roles/containerscanning.ServiceAgent (Container Scanner Service Agent):

containeranalysis.notes.list
AlloyDB for PostgreSQL Added alloydb.users.create
alloydb.users.delete
alloydb.users.get
alloydb.users.list
alloydb.users.update
Apigee Added apigee.appgroupapps.create
apigee.appgroupapps.delete
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroupapps.manage
apigee.appgroups.create
apigee.appgroups.delete
apigee.appgroups.get
apigee.appgroups.list
apigee.appgroups.update
Apigee Supported In Custom Roles apigee.appgroupapps.create
apigee.appgroupapps.delete
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroupapps.manage
apigee.appgroups.create
apigee.appgroups.delete
apigee.appgroups.get
apigee.appgroups.list
apigee.appgroups.update
Apigee Now GA apigee.appgroupapps.create
apigee.appgroupapps.delete
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroupapps.manage
apigee.appgroups.create
apigee.appgroups.delete
apigee.appgroups.get
apigee.appgroups.list
apigee.appgroups.update
Commerce Price Management Added commerceprice.events.get
commerceprice.events.list
Compute Engine Added compute.instances.setSecurityPolicy
compute.targetInstances.setSecurityPolicy
compute.targetPools.setSecurityPolicy
Compute Engine Supported In Custom Roles compute.instances.setSecurityPolicy
compute.targetInstances.setSecurityPolicy
compute.targetPools.setSecurityPolicy
Cloud Commerce Consumer Procurement Added consumerprocurement.events.get
consumerprocurement.events.list
Cloud Logging Now GA logging.logEntries.route
Google Cloud VMware Engine Added vmwareengine.privateConnections.create
vmwareengine.privateConnections.delete
vmwareengine.privateConnections.get
vmwareengine.privateConnections.list
vmwareengine.privateConnections.listPeeringRoutes
vmwareengine.privateConnections.update
vmwareengine.subnets.get
vmwareengine.subnets.update
Google Cloud VMware Engine Supported In Custom Roles vmwareengine.privateConnections.create
vmwareengine.privateConnections.delete
vmwareengine.privateConnections.get
vmwareengine.privateConnections.list
vmwareengine.privateConnections.listPeeringRoutes
vmwareengine.privateConnections.update
vmwareengine.subnets.get
vmwareengine.subnets.update
Google Cloud VMware Engine Now GA vmwareengine.privateConnections.create
vmwareengine.privateConnections.delete
vmwareengine.privateConnections.get
vmwareengine.privateConnections.list
vmwareengine.privateConnections.listPeeringRoutes
vmwareengine.privateConnections.update
vmwareengine.subnets.get
vmwareengine.subnets.update

Cloud IAM changes as of 2023-05-12

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.instances.attachDisk
compute.instances.detachDisk
compute.instances.start
compute.instances.stop
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

dns.managedZones.create
dns.networks.bindPrivateDNSZone
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Composer Added composer.environments.executeAirflowCommand
Cloud Composer Now GA composer.environments.executeAirflowCommand
Compute Engine Added compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
Compute Engine Supported In Custom Roles compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
Security Command Center Added securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update
Security Command Center Now GA securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update

Cloud IAM changes as of 2023-05-05

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsEditor (Apigee Analytics Editor):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsViewer (Apigee Analytics Viewer):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiAdminV2 (Apigee API Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiReaderV2 (Apigee API Reader):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.developerAdmin (Apigee Developer Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.environmentAdmin (Apigee Environment Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.monetizationAdmin (Apigee Monetization Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.portalAdmin (Apigee Portal Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.runtimeAgent (Apigee Runtime Agent):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityAdmin (Apigee Security Admin):

apigee.entitlements.get
apigee.projectorganizations.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityViewer (Apigee Security Viewer):

apigee.entitlements.get
apigee.projectorganizations.get
Cloud Composer Now GA

The role roles/composer.environmentAndStorageObjectUser (Environment and Storage Object User) is now GA.

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.sharedVpcAgent (Composer Shared VPC Agent):

compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
Google Distributed Cloud Role Updated

The following permissions have been added to the role roles/gkeonprem.serviceAgent (GKE On-Prem Service Agent):

gkehub.memberships.delete
Looker Now GA

The role roles/looker.admin (Looker Admin) is now GA.

Looker Now GA

The role roles/looker.instanceUser (Looker Instance User) is now GA.

Looker Now GA

The role roles/looker.viewer (Looker Viewer) is now GA.

Cloud Monitoring Now GA

The role roles/monitoring.alertPolicyEditor (Monitoring AlertPolicy Editor) is now GA.

Cloud Monitoring Now GA

The role roles/monitoring.alertPolicyViewer (Monitoring AlertPolicy Viewer) is now GA.

Vision AI Role Updated

The following permissions have been added to the role roles/visionai.serviceAgent (Cloud Vision AI Service Agent):

visionai.events.create
visionai.events.update
Cloud Controls Partner API Added cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.partners.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list
Cloud Controls Partner API Supported In Custom Roles cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.partners.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list
Looker Added looker.backups.create
looker.backups.delete
looker.backups.get
looker.backups.list
looker.backups.restore
looker.instances.create
looker.instances.delete
looker.instances.export
looker.instances.get
looker.instances.import
looker.instances.list
looker.instances.login
looker.instances.update
looker.locations.get
looker.locations.list
looker.operations.cancel
looker.operations.delete
looker.operations.get
looker.operations.list
Looker Supported In Custom Roles looker.backups.create
looker.backups.delete
looker.backups.get
looker.backups.list
looker.backups.restore
looker.instances.create
looker.instances.delete
looker.instances.export
looker.instances.get
looker.instances.import
looker.instances.list
looker.instances.login
looker.instances.update
looker.locations.get
looker.locations.list
looker.operations.cancel
looker.operations.delete
looker.operations.get
looker.operations.list
Looker Now GA looker.backups.create
looker.backups.delete
looker.backups.get
looker.backups.list
looker.backups.restore
looker.instances.create
looker.instances.delete
looker.instances.export
looker.instances.get
looker.instances.import
looker.instances.list
looker.instances.login
looker.instances.update
looker.locations.get
looker.locations.list
looker.operations.cancel
looker.operations.delete
looker.operations.get
looker.operations.list
Cloud Monitoring Supported In Custom Roles monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
Cloud Monitoring Now GA monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
Security Command Center Added securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
Security Command Center Supported In Custom Roles securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
Security Command Center Now GA securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update

Cloud IAM changes as of 2023-04-28

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.subnetworks.get
Bare Metal Solution Now GA

The role roles/baremetalsolution.procurementsadmin (Procurements Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.procurementseditor (Procurements Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.procurementsviewer (Procurements Viewer) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.protectedResourcesViewer (Cloud KMS Protected Resources Viewer) is now GA.

Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.admin (Commerce Business Enablement Configuration Admin):

resourcemanager.organizations.get
Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.resellerDiscountAdmin (Commerce Business Enablement Reseller Discount Admin):

resourcemanager.organizations.get
Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.resellerDiscountViewer (Commerce Business Enablement Reseller Discount Viewer):

resourcemanager.organizations.get
Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.viewer (Commerce Business Enablement Configuration Viewer):

resourcemanager.organizations.get
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.entitlementManager (Consumer Procurement Entitlement Manager):

consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
orgpolicy.policy.get
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.entitlementViewer (Consumer Procurement Entitlement Viewer):

consumerprocurement.consents.check
consumerprocurement.consents.list
orgpolicy.policy.get
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.procurementAdmin (Consumer Procurement Administrator):

orgpolicy.policy.get
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.procurementViewer (Consumer Procurement Viewer):

orgpolicy.policy.get
Firebase App Check Now GA

The role roles/firebaseappcheck.tokenVerifier (Firebase App Check Token Verifier) is now GA.

Workflows Role Updated

The following permissions have been added to the role roles/workflows.serviceAgent (Cloud Workflows Service Agent):

serviceusage.services.use
Workload Certificate Role Updated

The following permissions have been added to the role roles/workloadcertificate.serviceAgent (Workload Certificate Service Agent):

workloadcertificate.workloadRegistrations.list
Bare Metal Solution Added baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Now GA baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Certificate Manager Now GA certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.delete
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
Cloud Build Added cloudbuild.repositories.fetchGitRefs
Cloud Build Supported In Custom Roles cloudbuild.repositories.fetchGitRefs
Cloud Key Management Service Now GA cloudkms.protectedResources.search
Firebase App Check Added firebaseappcheck.appCheckTokens.verify
Firebase App Check Supported In Custom Roles firebaseappcheck.appCheckTokens.verify
Firebase App Check Now GA firebaseappcheck.appCheckTokens.verify

Cloud IAM changes as of 2023-04-21

Service Change Description
BigLake Now GA

The role roles/biglake.admin (BigLake Admin) is now GA.

BigLake Now GA

The role roles/biglake.viewer (BigLake Viewer) is now GA.

Google Security Operations Role Updated

The following permissions have been added to the role roles/chronicle.editor (Chronicle API Editor):

chronicle.operations.cancel
Service Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalogproducer.orgAdmin (Catalog Org Admin):

commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
Connectors Now GA

The role roles/connectors.endpointAttachmentAdmin (Connectors Endpoint Attachment Admin) is now GA.

Connectors Now GA

The role roles/connectors.endpointAttachmentViewer (Connectors Endpoint Attachment Viewer) is now GA.

Connectors Now GA

The role roles/connectors.managedZoneAdmin (Connectors Managed Zone Admin) is now GA.

Connectors Now GA

The role roles/connectors.managedZoneViewer (Connectors Managed Zone Viewer) is now GA.

Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

advisorynotifications.notifications.get
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

advisorynotifications.notifications.get
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.serviceAgent (Pub/Sub Lite Service Agent):

pubsublite.topics.computeHeadCursor
Serverless Integrations Role Updated

The following permissions have been added to the role roles/runapps.serviceAgent (Serverless Integrations Service Agent):

firebasehosting.sites.get
Cloud Storage Now GA

The role roles/storage.insightsCollectorService (Storage Insights Collector Service) is now GA.

BigLake Now GA biglake.catalogs.create
biglake.catalogs.delete
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.create
biglake.databases.delete
biglake.databases.get
biglake.databases.list
biglake.databases.update
biglake.locks.check
biglake.locks.create
biglake.locks.delete
biglake.locks.list
biglake.tables.create
biglake.tables.delete
biglake.tables.get
biglake.tables.list
biglake.tables.lock
biglake.tables.update
Google Security Operations Added chronicle.dashboards.edit
chronicle.dashboards.schedule
Google Security Operations Supported In Custom Roles chronicle.dashboards.edit
chronicle.dashboards.schedule
Commerce Business Enablement Added commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
Commerce Business Enablement Supported In Custom Roles commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
Connectors Added connectors.endpointAttachments.create
connectors.endpointAttachments.delete
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.endpointAttachments.setIamPolicy
connectors.endpointAttachments.update
connectors.managedZones.create
connectors.managedZones.delete
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.managedZones.setIamPolicy
connectors.managedZones.update
Connectors Now GA connectors.endpointAttachments.create
connectors.endpointAttachments.delete
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.endpointAttachments.setIamPolicy
connectors.endpointAttachments.update
connectors.managedZones.create
connectors.managedZones.delete
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.managedZones.setIamPolicy
connectors.managedZones.update
Dataform Added dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
Datastore Supported In Custom Roles datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
Transfer Appliance Added transferappliance.credentials.get

Cloud IAM changes as of 2023-04-14

Service Change Description
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.admin (Backup and DR Admin):

backupdr.managementServers.viewBackupServers
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.user (Backup and DR User):

backupdr.managementServers.viewBackupServers
Backup and Disaster Recovery Role Updated

The following permissions have been removed from the role roles/backupdr.user (Backup and DR User):

backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.userv2 (Backup and DR User V2):

backupdr.managementServers.viewBackupServers
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.viewer (Backup and DR Viewer):

backupdr.managementServers.viewBackupServers
Google Security Operations Now GA

The role roles/chronicle.limitedViewer (Chronicle API Limited Viewer) is now GA.

Google Security Operations Role Updated

The following permissions have been added to the role roles/chronicle.serviceAgent (Chronicle Service Agent):

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
Cloud Run functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.viewer (Cloud Functions Viewer):

cloudfunctions.functions.getIamPolicy
Dataform Role Updated

The following permissions have been added to the role roles/dataform.admin (Dataform Admin):

dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Dataform Role Updated

The following permissions have been added to the role roles/dataform.editor (Dataform Editor):

dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Dataform Role Updated

The following permissions have been added to the role roles/dataform.viewer (Dataform Viewer):

dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

backupdr.managementServers.viewBackupServers
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

cloudfunctions.functions.getIamPolicy
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

cloudfunctions.functions.getIamPolicy
Google Distributed Cloud Role Updated

The following permissions have been added to the role roles/gkeonprem.serviceAgent (GKE On-Prem Service Agent):

gkeonprem.operations.get
gkeonprem.operations.list
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

backupdr.managementServers.viewBackupServers
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Storage Insights Now GA

The role roles/storageinsights.serviceAgent (StorageInsights Service Agent) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

backupdr.managementServers.viewBackupServers
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
Artifact Registry Added artifactregistry.repositories.readViaVirtualRepository
Artifact Registry Supported In Custom Roles artifactregistry.repositories.readViaVirtualRepository
Artifact Registry Now GA artifactregistry.repositories.readViaVirtualRepository
Backup and Disaster Recovery Added backupdr.managementServers.viewBackupServers
Cloud SQL Added cloudsql.instances.reencrypt
Cloud SQL Supported In Custom Roles cloudsql.instances.reencrypt
Cloud SQL Now GA cloudsql.instances.reencrypt
Dataform Added dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile

Cloud IAM changes as of 2023-04-07

Service Change Description
Firebase Remote Config Role Updated

The following permissions have been added to the role roles/cloudconfig.serviceAgent (Cloud Config Service Agent):

logging.logEntries.create
logging.logEntries.route
Google Distributed Cloud Role Updated

The following permissions have been added to the role roles/gkeonprem.serviceAgent (GKE On-Prem Service Agent):

gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalNodePools.get
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareClusters.get
gkeonprem.vmwareNodePools.get
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Application Integration Service Agent):

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
Cloud Service Mesh control plane Role Updated

The following permissions have been added to the role roles/meshcontrolplane.serviceAgent (Mesh Managed Control Plane Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Security Command Center Now GA

The role roles/securitycenter.securityHealthAnalyticsCustomModulesTester (Security Health Analytics Custom Modules Tester) is now GA.

Cloud TPU Role Updated

The following permissions have been added to the role roles/tpu.xpnAgent (TPU Shared VPC Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
Compute Engine Added
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
Compute Engine Supported In Custom Roles
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
Compute Engine Now GA
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
Network Security Added
networksecurity.gatewaySecurityPolicies.create
networksecurity.gatewaySecurityPolicies.delete
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.update
networksecurity.gatewaySecurityPolicies.use
networksecurity.gatewaySecurityPolicyRules.create
networksecurity.gatewaySecurityPolicyRules.delete
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.update
networksecurity.gatewaySecurityPolicyRules.use
networksecurity.tlsInspectionPolicies.create
networksecurity.tlsInspectionPolicies.delete
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.update
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.create
networksecurity.urlLists.delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.update
networksecurity.urlLists.use
Network Security Supported In Custom Roles
networksecurity.gatewaySecurityPolicies.create
networksecurity.gatewaySecurityPolicies.delete
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.update
networksecurity.gatewaySecurityPolicies.use
networksecurity.gatewaySecurityPolicyRules.create
networksecurity.gatewaySecurityPolicyRules.delete
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.update
networksecurity.gatewaySecurityPolicyRules.use
networksecurity.tlsInspectionPolicies.create
networksecurity.tlsInspectionPolicies.delete
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.update
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.create
networksecurity.urlLists.delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.update
networksecurity.urlLists.use
Cloud Storage Added
storage.buckets.getObjectInsights
Cloud Storage Now GA
storage.buckets.getObjectInsights

Cloud IAM changes as of 2023-03-31

Service Change Description
Appliance Activation Service Role Updated

The following permissions have been added to the role roles/applianceactivation.approver (Appliance troubleshooting commands approver):

applianceactivation.rttCommands.get
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

bigquery.config.update
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.editor (Assured Workloads Editor):

bigquery.config.update
Bigtable Role Updated

The following permissions have been added to the role roles/bigtable.admin (Bigtable Administrator):

monitoring.timeSeries.create
Bigtable Role Updated

The following permissions have been added to the role roles/bigtable.reader (Bigtable Reader):

monitoring.timeSeries.create
Bigtable Role Updated

The following permissions have been added to the role roles/bigtable.user (Bigtable User):

monitoring.timeSeries.create
Google Security Operations Now GA

The role roles/chronicle.editor (Chronicle API Editor) is now GA.

Conversational Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dialogflow.conversationProfiles.get
Cloud Data Fusion Now GA

The role roles/datafusion.admin (Cloud Data Fusion Admin) is now GA.

Cloud Data Fusion Now GA

The role roles/datafusion.runner (Cloud Data Fusion Runner) is now GA.

Cloud Data Fusion Now GA

The role roles/datafusion.viewer (Cloud Data Fusion Viewer) is now GA.

Google Distributed Cloud Role Updated

The following permissions have been added to the role roles/gkeonprem.serviceAgent (GKE On-Prem Service Agent):

gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalClusters.enroll
gkeonprem.bareMetalClusters.unenroll
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.unenroll
Backup and Disaster Recovery Added
backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
Google Security Operations Added
chronicle.collectors.create
chronicle.collectors.delete
chronicle.collectors.get
chronicle.collectors.list
chronicle.collectors.update
chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
chronicle.curatedRuleSetCategories.get
chronicle.curatedRuleSetCategories.list
chronicle.curatedRuleSetDeployments.batchUpdate
chronicle.curatedRuleSetDeployments.get
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSetDeployments.update
chronicle.curatedRuleSets.countCuratedRuleSetDetections
chronicle.curatedRuleSets.get
chronicle.curatedRuleSets.list
chronicle.curatedRules.get
chronicle.curatedRules.list
chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.extensionValidationReports.get
chronicle.extensionValidationReports.list
chronicle.feedSourceTypeSchemas.list
chronicle.feeds.create
chronicle.feeds.delete
chronicle.feeds.disable
chronicle.feeds.enable
chronicle.feeds.get
chronicle.feeds.list
chronicle.feeds.update
chronicle.forwarders.create
chronicle.forwarders.delete
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.forwarders.update
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyGetCuratedRulesTrends
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyUpdateFinding
chronicle.logTypeSchemas.list
chronicle.multitenantDirectories.get
chronicle.operations.cancel
chronicle.operations.delete
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
chronicle.parserExtensions.activate
chronicle.parserExtensions.create
chronicle.parserExtensions.delete
chronicle.parserExtensions.generateKeyValueMappings
chronicle.parserExtensions.get
chronicle.parserExtensions.legacySubmitParserExtension
chronicle.parserExtensions.list
chronicle.parserExtensions.removeSyslog
chronicle.parsers.activate
chronicle.parsers.activateReleaseCandidate
chronicle.parsers.copyPrebuiltParser
chronicle.parsers.create
chronicle.parsers.deactivate
chronicle.parsers.delete
chronicle.parsers.get
chronicle.parsers.list
chronicle.parsers.runParser
chronicle.parsingErrors.list
chronicle.referenceLists.create
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.update
chronicle.referenceLists.verifyReferenceList
chronicle.retrohunts.create
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleDeployments.update
chronicle.ruleExecutionErrors.list
chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText
chronicle.validationErrors.list
chronicle.validationReports.get
Google Security Operations Supported In Custom Roles
chronicle.collectors.create
chronicle.collectors.delete
chronicle.collectors.get
chronicle.collectors.list
chronicle.collectors.update
chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.forwarders.create
chronicle.forwarders.delete
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.forwarders.update
chronicle.multitenantDirectories.get
chronicle.parserExtensions.activate
chronicle.parserExtensions.legacySubmitParserExtension
chronicle.parsers.activateReleaseCandidate
chronicle.parsers.create
chronicle.parsers.deactivate
chronicle.parsers.get
chronicle.parsingErrors.list
chronicle.validationReports.get
Cloud Data Fusion Now GA
datafusion.instances.create
datafusion.instances.delete
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.restart
datafusion.instances.runtime
datafusion.instances.setIamPolicy
datafusion.instances.update
datafusion.instances.upgrade
datafusion.locations.get
datafusion.locations.list
datafusion.operations.cancel
datafusion.operations.delete
datafusion.operations.get
datafusion.operations.list

Cloud IAM changes as of 2023-03-24

Service Change Description
App Engine Role Updated

The following permissions have been added to the role roles/appengine.deployer (App Engine Deployer):

artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.instancesadmin (Bare Metal Solution Instances Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.instancesviewer (Bare Metal Solution Instances Viewer):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.lunsadmin (Luns Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.lunsviewer (Luns Viewer):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.networksadmin (Networks Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.nfssharesadmin (NFS Shares Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.nfsshareseditor (NFS Shares Editor):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.nfssharesviewer (NFS Shares Viewer):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.storageadmin (Bare Metal Solution Storage Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumesadmin (Volume Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumeseditor (Volumes Editor):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumesnapshotsadmin (Snapshots Admin):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumesnapshotseditor (Snapshots Editor):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumesnapshotsviewer (Snapshots Viewer):

baremetalsolution.operations.get
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.volumessviewer (Volumes Viewer):

baremetalsolution.operations.get
Artifact Analysis Role Updated

The following permissions have been added to the role roles/containeranalysis.ServiceAgent (Container Analysis Service Agent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
Container Scanning Role Updated

The following permissions have been added to the role roles/containerscanning.ServiceAgent (Container Scanner Service Agent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

dataproc.operations.cancel
Live Stream Now GA

The role roles/livestream.editor (Live Stream Editor) is now GA.

Live Stream Now GA

The role roles/livestream.viewer (Live Stream Viewer) is now GA.

Cloud Workstations Role Updated

The following permissions have been added to the role roles/workstations.serviceAgent (Workstations Service Agent):

compute.instances.getGuestAttributes
Appliance Activation Service Added
applianceactivation.rttCommands.approve
applianceactivation.rttCommands.create
applianceactivation.rttCommands.get
applianceactivation.rttCommands.list
applianceactivation.rttCommands.sendResult
Appliance Activation Service Supported In Custom Roles
applianceactivation.rttCommands.approve
applianceactivation.rttCommands.create
applianceactivation.rttCommands.get
applianceactivation.rttCommands.list
applianceactivation.rttCommands.sendResult
Bare Metal Solution Added
baremetalsolution.operations.get
Bare Metal Solution Supported In Custom Roles
baremetalsolution.operations.get
Bare Metal Solution Now GA
baremetalsolution.operations.get
Cloud SQL Added
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.performDiskShrink
cloudsql.instances.resetReplicaSize
Cloud SQL Supported In Custom Roles
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.performDiskShrink
cloudsql.instances.resetReplicaSize
Cloud SQL Now GA
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.performDiskShrink
cloudsql.instances.resetReplicaSize
Conversational Insights Now GA
contactcenterinsights.issues.create
Database Migration Service Added
datamigration.migrationjobs.generateTcpProxyScript
Database Migration Service Supported In Custom Roles
datamigration.migrationjobs.generateTcpProxyScript
Database Migration Service Now GA
datamigration.migrationjobs.generateTcpProxyScript
Google Distributed Cloud Added
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.unenroll
Google Distributed Cloud Now GA
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.unenroll
Live Stream Now GA
livestream.channels.create
livestream.channels.delete
livestream.channels.get
livestream.channels.list
livestream.channels.start
livestream.channels.stop
livestream.channels.update
livestream.events.create
livestream.events.delete
livestream.events.get
livestream.events.list
livestream.inputs.create
livestream.inputs.delete
livestream.inputs.get
livestream.inputs.list
livestream.inputs.update
livestream.locations.get
livestream.locations.list
livestream.operations.cancel
livestream.operations.delete
livestream.operations.get
livestream.operations.list
Maps Platform Datasets Added
mapsplatformdatasets.datasets.export
Maps Platform Datasets Supported In Custom Roles
mapsplatformdatasets.datasets.export
Google Cloud Migration Center Added
migrationcenter.preferenceSets.create
migrationcenter.preferenceSets.delete
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.preferenceSets.update
migrationcenter.settings.get
migrationcenter.settings.update
Google Cloud Migration Center Supported In Custom Roles
migrationcenter.preferenceSets.create
migrationcenter.preferenceSets.delete
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.preferenceSets.update
migrationcenter.settings.get
migrationcenter.settings.update
Spanner Added
spanner.databases.updateTag
spanner.databases.useDataBoost
spanner.instances.updateTag
Spanner Now GA
spanner.databases.useDataBoost

Cloud IAM changes as of 2023-03-17

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.indexEndpoints.queryVectors
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.customCodeServiceAgent (Vertex AI Custom Code Service Agent):

aiplatform.indexEndpoints.queryVectors
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

aiplatform.indexEndpoints.queryVectors
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.user (Vertex AI User):

aiplatform.indexEndpoints.queryVectors
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.viewer (Vertex AI Viewer):

aiplatform.indexEndpoints.queryVectors
Apigee Role Updated

The following permissions have been added to the role roles/apigee.developerAdmin (Apigee Developer Admin):

apigee.environments.list
Google Security Operations Role Updated

The following permissions have been removed from the role roles/chronicle.serviceAgent (Chronicle Service Agent):

logging.logEntries.create
storage.buckets.get
storage.objects.create
storage.objects.get
Cloud Key Management Service Now GA

The role roles/cloudkms.ekmConnectionsAdmin (Cloud KMS EkmConnections Admin) is now GA.

Conversational Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.locations.list
speech.recognizers.update
Content Warehouse Role Updated

The following permissions have been added to the role roles/contentwarehouse.serviceAgent (Content Warehouse Service Agent):

documentai.datasets.createDocuments
documentai.processors.get
documentai.processors.processBatch
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.indexEndpoints.queryVectors
Vertex AI Added
aiplatform.indexEndpoints.queryVectors
Cloud Key Management Service Added
cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConfigs.update
Cloud Key Management Service Now GA
cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConfigs.update
Commerce Business Enablement Added
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.resellerConfig.get
Commerce Business Enablement Supported In Custom Roles
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.resellerConfig.get
Connectors Added
connectors.settings.get
connectors.settings.update
Connectors Supported In Custom Roles
connectors.settings.get
connectors.settings.update
Connectors Now GA
connectors.settings.get
connectors.settings.update
Cloud DNS Added
dns.networks.useHealthSignals
Cloud DNS Supported In Custom Roles
dns.networks.useHealthSignals
Cloud DNS Now GA
dns.networks.useHealthSignals
Identity and Access Management Added
iam.workforcePoolProviderKeys.create
iam.workforcePoolProviderKeys.delete
iam.workforcePoolProviderKeys.get
iam.workforcePoolProviderKeys.list
iam.workforcePoolProviderKeys.undelete
iam.workloadIdentityPoolProviderKeys.create
iam.workloadIdentityPoolProviderKeys.delete
iam.workloadIdentityPoolProviderKeys.get
iam.workloadIdentityPoolProviderKeys.list
iam.workloadIdentityPoolProviderKeys.undelete
Identity and Access Management Supported In Custom Roles
iam.workforcePoolProviderKeys.create
iam.workforcePoolProviderKeys.delete
iam.workforcePoolProviderKeys.get
iam.workforcePoolProviderKeys.list
iam.workforcePoolProviderKeys.undelete
iam.workloadIdentityPoolProviderKeys.create
iam.workloadIdentityPoolProviderKeys.delete
iam.workloadIdentityPoolProviderKeys.get
iam.workloadIdentityPoolProviderKeys.list
iam.workloadIdentityPoolProviderKeys.undelete
Identity and Access Management Added
iam.googleapis.com/workforcePoolProviderKeys.create
iam.googleapis.com/workforcePoolProviderKeys.delete
iam.googleapis.com/workforcePoolProviderKeys.get
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePoolProviderKeys.undelete
iam.googleapis.com/workloadIdentityPoolProviderKeys.create
iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
iam.googleapis.com/workloadIdentityPoolProviderKeys.get
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
Identity and Access Management Supported In Custom Roles
iam.googleapis.com/workforcePoolProviderKeys.create
iam.googleapis.com/workforcePoolProviderKeys.delete
iam.googleapis.com/workforcePoolProviderKeys.get
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePoolProviderKeys.undelete
iam.googleapis.com/workloadIdentityPoolProviderKeys.create
iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
iam.googleapis.com/workloadIdentityPoolProviderKeys.get
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
Cloud Run Added
run.jobs.runWithOverrides
Cloud Run Now GA
run.jobs.runWithOverrides

Cloud IAM changes as of 2023-03-10

Service Change Description
App Engine Role Updated

The following permissions have been added to the role roles/appengine.serviceAgent (App Engine Standard Environment Service Agent):

serviceusage.services.enable
serviceusage.services.get
Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.admin (Commerce Business Enablement Configuration Admin):

commercebusinessenablement.partnerInfo.get
Commerce Business Enablement Role Updated

The following permissions have been added to the role roles/commercebusinessenablement.viewer (Commerce Business Enablement Configuration Viewer):

commercebusinessenablement.partnerInfo.get
Confidential Computing Now GA

The role roles/confidentialcomputing.workloadUser (Confidential Space Workload User) is now GA.

Conversational Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.editor (Contact Center AI Insights editor):

contactcenterinsights.issues.create
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

bigquery.tables.get
bigtable.tables.get
pubsub.schemas.get
pubsub.topics.get
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

contactcenterinsights.issues.create
FleetEngine Role Updated

The following permissions have been added to the role roles/fleetengine.deliveryFleetReader (Fleet Engine Delivery Fleet Reader User):

fleetengine.tasktrackinginfo.get
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

contactcenterinsights.issues.create
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.serviceAgent (Cloud Speech-to-Text Service Agent):

storage.buckets.get
storage.buckets.list
Bare Metal Solution Added
baremetalsolution.luns.evict
baremetalsolution.volumes.evict
Bare Metal Solution Supported In Custom Roles
baremetalsolution.luns.evict
baremetalsolution.volumes.evict
Bare Metal Solution Now GA
baremetalsolution.luns.evict
baremetalsolution.volumes.evict
Cloud Deploy Added
clouddeploy.jobRuns.terminate
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.ignoreJob
Cloud Deploy Supported In Custom Roles
clouddeploy.jobRuns.terminate
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.ignoreJob
Commerce Business Enablement Added
commercebusinessenablement.partnerInfo.get
Compute Engine Added
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.resourcePolicies.useReadOnly
Compute Engine Supported In Custom Roles
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.resourcePolicies.useReadOnly
Confidential Computing Supported In Custom Roles
confidentialcomputing.challenges.create
confidentialcomputing.challenges.verify
confidentialcomputing.locations.get
confidentialcomputing.locations.list
Confidential Computing Now GA
confidentialcomputing.challenges.create
confidentialcomputing.challenges.verify
confidentialcomputing.locations.get
confidentialcomputing.locations.list
Conversational Insights Added
contactcenterinsights.issues.create
Retail API Now GA
retail.models.get
Spanner Added
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Spanner Now GA
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Transfer Appliance Added
transferappliance.savedAddresses.create
transferappliance.savedAddresses.delete
transferappliance.savedAddresses.get
transferappliance.savedAddresses.list
transferappliance.savedAddresses.update
Transfer Appliance Supported In Custom Roles
transferappliance.savedAddresses.create
transferappliance.savedAddresses.delete
transferappliance.savedAddresses.get
transferappliance.savedAddresses.list
transferappliance.savedAddresses.update

Cloud IAM changes as of 2023-03-03

Service Change Description
Conversational Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dlp.kms.encrypt
dlp.locations.get
speech.operations.get
speech.recognizers.create
speech.recognizers.get
speech.recognizers.recognize
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.nodeServiceAccount (Kubernetes Engine Node Service Account):

monitoring.timeSeries.list
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.nodeServiceAgent (Kubernetes Engine Node Service Agent):

monitoring.timeSeries.list
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

speech.locations.get
speech.locations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

speech.locations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

speech.locations.list
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

speech.locations.get
speech.locations.list
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.admin (Cloud Speech Administrator):

speech.locations.get
speech.locations.list
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.client (Cloud Speech Client):

speech.locations.get
speech.locations.list
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.editor (Cloud Speech Editor):

speech.locations.get
speech.locations.list
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

speech.locations.get
speech.locations.list
Workload Certificate Role Updated

The following permissions have been added to the role roles/workloadcertificate.serviceAgent (Workload Certificate Service Agent):

container.operations.get
Chrome Enterprise Premium Added
beyondcorp.subscriptions.create
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
Chrome Enterprise Premium Supported In Custom Roles
beyondcorp.subscriptions.create
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
Compute Engine Now GA
compute.nodeGroups.simulateMaintenanceEvent
Conversational Insights Now GA
contactcenterinsights.issues.delete
Google Kubernetes Engine Added
container.clusters.impersonate
Dataform Added
dataform.repositories.getIamPolicy
dataform.repositories.setIamPolicy
dataform.workspaces.getIamPolicy
dataform.workspaces.setIamPolicy
Speech-to-Text Added
speech.locations.get
speech.locations.list

Cloud IAM changes as of 2023-02-24

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

monitoring.notificationChannels.get
Apigee Role Updated

The following permissions have been added to the role roles/apigee.environmentAdmin (Apigee Environment Admin):

apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.disks.create
compute.subnetworks.use
compute.subnetworks.useExternalIp
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

artifactregistry.repositories.createOnPush
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

artifactregistry.repositories.createOnPush
Firebase Remote Config Role Updated

The following permissions have been added to the role roles/cloudconfig.serviceAgent (Cloud Config Service Agent):

iam.serviceAccounts.getAccessToken
Cloud Deploy Role Updated

The following permissions have been added to the role roles/clouddeploy.serviceAgent (Cloud Deploy Service Agent):

cloudbuild.builds.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

artifactregistry.repositories.createOnPush
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.buckets.update
logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
logging.views.create
logging.views.get
logging.views.list
logging.views.update
Identity and Access Management Now GA

The role roles/iam.workforcePoolAdmin (IAM Workforce Pool Admin) is now GA.

Identity and Access Management Now GA

The role roles/iam.workforcePoolEditor (IAM Workforce Pool Editor) is now GA.

Identity and Access Management Now GA

The role roles/iam.workforcePoolViewer (IAM Workforce Pool Viewer) is now GA.

Cloud Logging Now GA

The role roles/logging.linkViewer (Log Link Accessor) is now GA.

Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.serviceAgent (Network Connectivity Service Agent):

compute.addresses.create
compute.addresses.delete
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.subnetworks.use
Certificate Authority Service Now GA

The role roles/privateca.poolReader (CA Service Pool Reader) is now GA.

Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.serviceAgent (Pub/Sub Lite Service Agent):

pubsublite.subscriptions.getCursor
Apigee Added apigee.nataddresses.activate
apigee.nataddresses.create
apigee.nataddresses.delete
apigee.nataddresses.get
apigee.nataddresses.list
apigee.securityIncidents.get
apigee.securityIncidents.list
Apigee Supported In Custom Roles apigee.nataddresses.activate
apigee.nataddresses.create
apigee.nataddresses.delete
apigee.nataddresses.get
apigee.nataddresses.list
apigee.securityIncidents.get
apigee.securityIncidents.list
Apigee Now GA apigee.nataddresses.activate
apigee.nataddresses.create
apigee.nataddresses.delete
apigee.nataddresses.get
apigee.nataddresses.list
apigee.securityIncidents.get
apigee.securityIncidents.list
Bare Metal Solution Added baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Bare Metal Solution Now GA baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Compute Engine Now GA compute.instances.setName
Confidential Computing Added confidentialcomputing.challenges.create
confidentialcomputing.challenges.verify
confidentialcomputing.locations.get
confidentialcomputing.locations.list
Dialogflow Added dialogflow.deployments.get
dialogflow.deployments.list
dialogflow.environments.runContinuousTest
Cloud DNS Added dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone
Cloud DNS Supported In Custom Roles dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone
Cloud DNS Now GA dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone
dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
dns.networks.bindDNSResponsePolicy
dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update
dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update
Distributed Cloud Edge Network Added edgenetwork.routes.create
edgenetwork.routes.delete
edgenetwork.routes.get
edgenetwork.routes.list
Distributed Cloud Edge Network Now GA edgenetwork.routes.create
edgenetwork.routes.delete
edgenetwork.routes.get
edgenetwork.routes.list
FleetEngine Added fleetengine.tasktrackinginfo.get
FleetEngine Supported In Custom Roles fleetengine.tasktrackinginfo.get
Google Distributed Cloud Added gkeonprem.bareMetalAdminClusters.connect
gkeonprem.vmwareAdminClusters.connect
Google Distributed Cloud Supported In Custom Roles gkeonprem.bareMetalAdminClusters.connect
gkeonprem.vmwareAdminClusters.connect
Google Distributed Cloud Now GA gkeonprem.bareMetalAdminClusters.connect
gkeonprem.vmwareAdminClusters.connect
Identity and Access Management Now GA iam.workforcePoolProviders.create
iam.workforcePoolProviders.delete
iam.workforcePoolProviders.get
iam.workforcePoolProviders.list
iam.workforcePoolProviders.undelete
iam.workforcePoolProviders.update
iam.workforcePoolSubjects.delete
iam.workforcePoolSubjects.undelete
iam.workforcePools.create
iam.workforcePools.delete
iam.workforcePools.get
iam.workforcePools.getIamPolicy
iam.workforcePools.list
iam.workforcePools.setIamPolicy
iam.workforcePools.undelete
iam.workforcePools.update
Identity and Access Management Now GA iam.googleapis.com/workforcePoolProviders.create
iam.googleapis.com/workforcePoolProviders.delete
iam.googleapis.com/workforcePoolProviders.get
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePoolProviders.undelete
iam.googleapis.com/workforcePoolProviders.update
iam.googleapis.com/workforcePoolSubjects.delete
iam.googleapis.com/workforcePoolSubjects.undelete
iam.googleapis.com/workforcePools.create
iam.googleapis.com/workforcePools.delete
iam.googleapis.com/workforcePools.get
iam.googleapis.com/workforcePools.getIamPolicy
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workforcePools.setIamPolicy
iam.googleapis.com/workforcePools.undelete
iam.googleapis.com/workforcePools.update
Cloud Logging Now GA logging.links.create
logging.links.delete
logging.links.get
logging.links.list
Recommender Added recommender.resourcemanagerServiceLimitInsights.get
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitInsights.update
recommender.resourcemanagerServiceLimitRecommendations.get
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.resourcemanagerServiceLimitRecommendations.update
Recommender Supported In Custom Roles recommender.resourcemanagerServiceLimitInsights.get
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitInsights.update
recommender.resourcemanagerServiceLimitRecommendations.get
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.resourcemanagerServiceLimitRecommendations.update
Risk Manager Added riskmanager.controlScoreBreakdowns.get
riskmanager.controlScoreBreakdowns.list
Risk Manager Supported In Custom Roles riskmanager.controlScoreBreakdowns.get
riskmanager.controlScoreBreakdowns.list
Security Command Center Added securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
Security Command Center Supported In Custom Roles securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
Security Command Center Now GA securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list

Cloud IAM changes as of 2023-02-17

Service Change Description
Advisory Notifications Now GA

The role roles/advisorynotifications.viewer (Advisory Notifications Viewer) is now GA.

Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.disks.createTagBinding
compute.instances.createTagBinding
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
Cloud Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

workloadcertificate.locations.get
workloadcertificate.locations.list
workloadcertificate.operations.get
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadRegistrations.create
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
Artifact Registry Now GA

The role roles/artifactregistry.createOnPushRepoAdmin is now GA.

Artifact Registry Now GA

The role roles/artifactregistry.createOnPushWriter is now GA.

Certificate Manager Now GA

The role roles/certificatemanager.serviceAgent (Certificate Manager Service Agent) is now GA.

Google Security Operations Now GA

The role roles/chronicle.serviceAgent (Chronicle Service Agent) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.loggingServiceAgent (Cloud Build Logging Service Agent) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

compute.disks.createTagBinding
Dataform Role Updated

The following permissions have been added to the role roles/dataform.serviceAgent (Dataform Service Agent):

dataform.compilationResults.create
dataform.workflowInvocations.create
Database Migration Service Role Updated

The following permissions have been added to the role roles/datamigration.serviceAgent (Database Migration Service Agent):

cloudsql.instances.demoteMaster
Firebase Realtime Database Now GA

The role roles/firebasedatabase.serviceAgent (Firebase Realtime Database Service Agent) is now GA.

Backup for GKE Role Updated

The following permissions have been added to the role roles/gkebackup.serviceAgent (Backup for GKE Service Agent):

container.clusters.update
container.operations.get
container.operations.list
Google Distributed Cloud Now GA

The role roles/gkeonprem.serviceAgent (GKE On-Prem Service Agent) is now GA.

Identity Toolkit Now GA

The role roles/identitytoolkit.serviceAgent (Identity Platform Service Agent) is now GA.

Cloud Workstations Now GA

The role roles/workstations.serviceAgent (Workstations Service Agent) is now GA.

Access Context Manager Added accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update
Access Context Manager Supported In Custom Roles accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update
Access Context Manager Now GA accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update
Advisory Notifications Now GA advisorynotifications.notifications.get
advisorynotifications.notifications.list
Artifact Registry Added artifactregistry.repositories.createOnPush
Artifact Registry Supported In Custom Roles artifactregistry.repositories.createOnPush
Artifact Registry Now GA artifactregistry.repositories.createOnPush
Bare Metal Solution Added baremetalsolution.storageaggregatepools.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.storageaggregatepools.list
Bare Metal Solution Now GA baremetalsolution.storageaggregatepools.list
BigQuery Added bigquery.datasets.listEffectiveTags
BigQuery Now GA bigquery.datasets.listEffectiveTags
Cloud Logging Added logging.logEntries.route
Cloud Logging Supported In Custom Roles logging.logEntries.route

Cloud IAM changes as of 2023-02-03

Service Change Description
Connectors Now GA

The role roles/connectors.serviceAgent (Connectors Platform Service Agent) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.viewer (Kubernetes Engine Viewer):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
Container Threat Detection Role Updated

The following permissions have been added to the role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
Identity and Access Management Now GA

The role roles/iam.denyAdmin (Deny Admin) is now GA.

Identity and Access Management Now GA

The role roles/iam.denyReviewer (Deny Reviewer) is now GA.

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationAdminRole (Apigee Integration Admin):

connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationEditorRole (Apigee Integration Editor):

connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.apigeeIntegrationInvokerRole (Apigee Integration Invoker):

connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Service Extensions Now GA

The role roles/networkactions.serviceAgent (Network Actions Service Agent) is now GA.

Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.serviceAgent (Pub/Sub Lite Service Agent):

pubsublite.subscriptions.get
Recommender Now GA

The role roles/recommender.viewer (Recommender Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
Service Management Role Updated

The following permissions have been added to the role roles/servicemanagement.quotaAdmin (Quota Administrator):

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
BigLake Added biglake.catalogs.create
biglake.catalogs.delete
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.create
biglake.databases.delete
biglake.databases.get
biglake.databases.list
biglake.databases.update
biglake.locks.check
biglake.locks.create
biglake.locks.delete
biglake.locks.list
biglake.tables.create
biglake.tables.delete
biglake.tables.get
biglake.tables.list
biglake.tables.lock
biglake.tables.update
Blockchain Node Engine Added blockchainnodeengine.blockchainNodes.create
blockchainnodeengine.blockchainNodes.delete
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.blockchainNodes.update
blockchainnodeengine.locations.get
blockchainnodeengine.locations.list
blockchainnodeengine.operations.cancel
blockchainnodeengine.operations.delete
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list
Identity and Access Management Now GA iam.denypolicies.create
iam.denypolicies.delete
iam.denypolicies.get
iam.denypolicies.list
iam.denypolicies.replace
iam.denypolicies.update
Identity and Access Management Now GA iam.googleapis.com/denypolicies.create
iam.googleapis.com/denypolicies.delete
iam.googleapis.com/denypolicies.get
iam.googleapis.com/denypolicies.list
iam.googleapis.com/denypolicies.replace
Serverless VPC Access Added vpcaccess.connectors.update
Serverless VPC Access Supported In Custom Roles vpcaccess.connectors.update

Cloud IAM changes as of 2023-01-27

Service Change Description
Batch Role Updated

The following permissions have been added to the role roles/batch.serviceAgent (Google Batch Service Agent):

compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.disks.addResourcePolicies
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.getIamPolicy
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.getIamPolicy
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setLabels
compute.images.update
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.create
compute.licenses.delete
compute.licenses.getIamPolicy
compute.networkAttachments.get
compute.networkAttachments.list
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
Firebase Remote Config Now GA

The role roles/cloudconfig.serviceAgent (Cloud Config Service Agent) is now GA.

Dataplex Now GA

The role roles/dataplex.bindingAdmin (Dataplex Binding Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.securityAdmin (Dataplex Security Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.taxonomyAdmin (Dataplex Taxonomy Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.taxonomyViewer (Dataplex Taxonomy Viewer) is now GA.

Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

oauthconfig.verification.get
oauthpolicymetadata.brandpolicy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

oauthconfig.verification.get
oauthpolicymetadata.brandpolicy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

oauthconfig.verification.get
oauthpolicymetadata.brandpolicy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

oauthconfig.verification.get
oauthpolicymetadata.brandpolicy.get
BigQuery Now GA bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
Cloud SQL Added cloudsql.instances.migrate
Cloud SQL Supported In Custom Roles cloudsql.instances.migrate
Cloud SQL Now GA cloudsql.instances.migrate
Dataplex Added dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
Dataplex Now GA dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
Dialogflow Added dialogflow.experiments.create
dialogflow.experiments.delete
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.experiments.update
dialogflow.testcases.calculateCoverage
dialogflow.testcases.create
dialogflow.testcases.delete
dialogflow.testcases.export
dialogflow.testcases.get
dialogflow.testcases.import
dialogflow.testcases.list
dialogflow.testcases.run
dialogflow.testcases.update
Pub/Sub Added pubsub.schemas.commit
pubsub.schemas.listRevisions
pubsub.schemas.rollback
Pub/Sub Now GA pubsub.schemas.commit
pubsub.schemas.listRevisions
pubsub.schemas.rollback
Pub/Sub Lite Added pubsublite.locations.openKafkaStream
Pub/Sub Lite Now GA pubsublite.locations.openKafkaStream
Workload Certificate Added workloadcertificate.locations.get
workloadcertificate.locations.list
workloadcertificate.operations.cancel
workloadcertificate.operations.delete
workloadcertificate.operations.get
workloadcertificate.operations.list
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadCertificateFeature.update
workloadcertificate.workloadRegistrations.create
workloadcertificate.workloadRegistrations.delete
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
workloadcertificate.workloadRegistrations.update

Cloud IAM changes as of 2023-01-20

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.humanInTheLoops.cancel
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.customCodeServiceAgent (Vertex AI Custom Code Service Agent):

aiplatform.humanInTheLoops.cancel
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

aiplatform.humanInTheLoops.cancel
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.subnetworks.use
compute.subnetworks.useExternalIp
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.user (Vertex AI User):

aiplatform.humanInTheLoops.cancel
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

pubsub.topics.get
Distributed Cloud Edge Network Now GA

The role roles/edgenetwork.admin (Edge Network Admin) is now GA.

Distributed Cloud Edge Network Now GA

The role roles/edgenetwork.viewer (Edge Network Viewer) is now GA.

Firebase Security Rules Now GA

The role roles/firebaserules.system (Firebase Rules System) is now GA.

Maps Platform Datasets Role Updated

The following permissions have been added to the role roles/mapsplatformdatasets.admin (Maps Platform Datasets Admin):

mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
Maps Platform Datasets Role Updated

The following permissions have been added to the role roles/mapsplatformdatasets.viewer (Maps Platform Datasets Viewer):

mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
Cloud Monitoring Role Updated

The following permissions have been added to the role roles/monitoring.notificationServiceAgent (Monitoring Service Agent):

monitoring.timeSeries.list
Stream Now GA

The role roles/stream.serviceAgent (Stream Service Agent) is now GA.

Vision AI Now GA

The role roles/visionai.serviceAgent (Cloud Vision AI Service Agent) is now GA.

Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.humanInTheLoops.cancel
Vertex AI Added aiplatform.humanInTheLoops.cancel
Apigee Added apigee.entitlements.get
apigee.projectorganizations.get
apigee.setupcontexts.get
apigee.setupcontexts.update
Apigee Now GA apigee.entitlements.get
apigee.projectorganizations.get
apigee.setupcontexts.get
apigee.setupcontexts.update
Recommendations Added automlrecommendations.eventStores.list
automlrecommendations.events.get
Recommendations Supported In Custom Roles automlrecommendations.eventStores.list
automlrecommendations.events.get
Google Security Operations Added chronicle.parserExtensions.create
chronicle.parserExtensions.delete
chronicle.parserExtensions.get
chronicle.parserExtensions.list
Google Security Operations Now GA chronicle.parserExtensions.create
chronicle.parserExtensions.delete
chronicle.parserExtensions.get
chronicle.parserExtensions.list
Compute Engine Added compute.resourcePolicies.update
Compute Engine Supported In Custom Roles compute.resourcePolicies.update
Compute Engine Now GA compute.resourcePolicies.update
Data Catalog Added datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.relationships.create
datacatalog.relationships.createIsDescribedBy
datacatalog.relationships.createIsRelatedTo
datacatalog.relationships.createIsSynonymousTo
datacatalog.relationships.delete
datacatalog.relationships.deleteIsDescribedBy
datacatalog.relationships.deleteIsRelatedTo
datacatalog.relationships.deleteIsSynonymousTo
datacatalog.relationships.list
Data Catalog Supported In Custom Roles datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.relationships.create
datacatalog.relationships.createIsDescribedBy
datacatalog.relationships.createIsRelatedTo
datacatalog.relationships.createIsSynonymousTo
datacatalog.relationships.delete
datacatalog.relationships.deleteIsDescribedBy
datacatalog.relationships.deleteIsRelatedTo
datacatalog.relationships.deleteIsSynonymousTo
datacatalog.relationships.list
Database Migration Service Added datamigration.locations.fetchStaticIps
Database Migration Service Supported In Custom Roles datamigration.locations.fetchStaticIps
Database Migration Service Now GA datamigration.locations.fetchStaticIps
Distributed Cloud Edge Network Added edgenetwork.interconnectAttachments.create
edgenetwork.interconnectAttachments.delete
edgenetwork.interconnectAttachments.get
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnectAttachments.setIamPolicy
edgenetwork.interconnectAttachments.update
edgenetwork.interconnects.get
edgenetwork.interconnects.getDiagnostics
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.interconnects.setIamPolicy
edgenetwork.locations.get
edgenetwork.locations.list
edgenetwork.networks.create
edgenetwork.networks.delete
edgenetwork.networks.get
edgenetwork.networks.getIamPolicy
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.networks.setIamPolicy
edgenetwork.networks.update
edgenetwork.operations.cancel
edgenetwork.operations.delete
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.create
edgenetwork.routers.delete
edgenetwork.routers.get
edgenetwork.routers.getIamPolicy
edgenetwork.routers.getRouterStatus
edgenetwork.routers.list
edgenetwork.routers.patch
edgenetwork.routers.setIamPolicy
edgenetwork.routers.update
edgenetwork.subnetworks.create
edgenetwork.subnetworks.delete
edgenetwork.subnetworks.get
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.getStatus
edgenetwork.subnetworks.list
edgenetwork.subnetworks.setIamPolicy
edgenetwork.subnetworks.update
edgenetwork.zones.get
edgenetwork.zones.initialize
edgenetwork.zones.list
Distributed Cloud Edge Network Supported In Custom Roles edgenetwork.interconnectAttachments.create
edgenetwork.interconnectAttachments.delete
edgenetwork.interconnectAttachments.get
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnectAttachments.setIamPolicy
edgenetwork.interconnectAttachments.update
edgenetwork.interconnects.get
edgenetwork.interconnects.getDiagnostics
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.interconnects.setIamPolicy
edgenetwork.locations.get
edgenetwork.locations.list
edgenetwork.networks.create
edgenetwork.networks.delete
edgenetwork.networks.get
edgenetwork.networks.getIamPolicy
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.networks.setIamPolicy
edgenetwork.networks.update
edgenetwork.operations.cancel
edgenetwork.operations.delete
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.create
edgenetwork.routers.delete
edgenetwork.routers.get
edgenetwork.routers.getIamPolicy
edgenetwork.routers.getRouterStatus
edgenetwork.routers.list
edgenetwork.routers.patch
edgenetwork.routers.setIamPolicy
edgenetwork.routers.update
edgenetwork.subnetworks.create
edgenetwork.subnetworks.delete
edgenetwork.subnetworks.get
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.getStatus
edgenetwork.subnetworks.list
edgenetwork.subnetworks.setIamPolicy
edgenetwork.subnetworks.update
edgenetwork.zones.get
edgenetwork.zones.initialize
edgenetwork.zones.list
Distributed Cloud Edge Network Now GA edgenetwork.interconnectAttachments.create
edgenetwork.interconnectAttachments.delete
edgenetwork.interconnectAttachments.get
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnectAttachments.setIamPolicy
edgenetwork.interconnectAttachments.update
edgenetwork.interconnects.get
edgenetwork.interconnects.getDiagnostics
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.interconnects.setIamPolicy
edgenetwork.locations.get
edgenetwork.locations.list
edgenetwork.networks.create
edgenetwork.networks.delete
edgenetwork.networks.get
edgenetwork.networks.getIamPolicy
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.networks.setIamPolicy
edgenetwork.networks.update
edgenetwork.operations.cancel
edgenetwork.operations.delete
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.create
edgenetwork.routers.delete
edgenetwork.routers.get
edgenetwork.routers.getIamPolicy
edgenetwork.routers.getRouterStatus
edgenetwork.routers.list
edgenetwork.routers.patch
edgenetwork.routers.setIamPolicy
edgenetwork.routers.update
edgenetwork.subnetworks.create
edgenetwork.subnetworks.delete
edgenetwork.subnetworks.get
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.getStatus
edgenetwork.subnetworks.list
edgenetwork.subnetworks.setIamPolicy
edgenetwork.subnetworks.update
edgenetwork.zones.get
edgenetwork.zones.initialize
edgenetwork.zones.list
Firebase Authentication Added firebaseauth.configs.getSecret
Firebase Authentication Supported In Custom Roles firebaseauth.configs.getSecret
Firebase Authentication Now GA firebaseauth.configs.getSecret
Notebooks Added notebooks.runtimes.upgrade
Notebooks Now GA notebooks.runtimes.upgrade
Recommender Added recommender.bigqueryPartitionClusterRecommendations.get
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.update
recommender.bigqueryTableStatsInsights.get
recommender.bigqueryTableStatsInsights.list
recommender.bigqueryTableStatsInsights.update
Recommender Supported In Custom Roles recommender.bigqueryPartitionClusterRecommendations.get
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.update
recommender.bigqueryTableStatsInsights.get
recommender.bigqueryTableStatsInsights.list
recommender.bigqueryTableStatsInsights.update
Retail API Added retail.models.get
Retail API Now GA retail.models.create
retail.models.delete
retail.models.list
retail.models.pause
retail.models.resume
retail.models.tune
retail.models.update

Cloud IAM changes as of 2023-01-06

Service Change Description
Vertex AI Now GA

The role roles/aiplatform.entityTypeOwner (Vertex AI Feature Store EntityType owner) is now GA.

Vertex AI Now GA

The role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer) is now GA.

Vertex AI Now GA

The role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer) is now GA.

Vertex AI Now GA

The role roles/aiplatform.featurestoreInstanceCreator (Vertex AI Feature Store Instance Creator) is now GA.

Vertex AI Now GA

The role roles/aiplatform.featurestoreResourceViewer (Vertex AI Feature Store Resource Viewer) is now GA.

Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.computeEngineOperator (Backup and DR Compute Engine Operator):

compute.regionOperations.get
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.readTokenAccessor (Cloud Build Read Only Token Accessor):

cloudbuild.repositories.get
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.tokenAccessor (Cloud Build Token Accessor):

cloudbuild.repositories.get
Connectors Role Updated

The following permissions have been added to the role roles/connectors.admin (Connector Admin):

secretmanager.secrets.getIamPolicy
Google Cloud Contact Center as a Service Role Updated

The following permissions have been added to the role roles/contactcenteraiplatform.admin (Contact Center AI Platform Admin):

contactcenteraiplatform.contactCenters.queryQuota
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

contactcenteraiplatform.contactCenters.queryQuota
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

container.operations.get
Cloud Monitoring Role Updated

The following permissions have been added to the role roles/monitoring.notificationServiceAgent (Monitoring Service Agent):

cloudfunctions.functions.get
cloudtrace.traces.patch
run.routes.invoke
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

contactcenteraiplatform.contactCenters.queryQuota
Recommender Now GA

The role roles/recommender.containerDiagnosisAdmin (GKE Diagnosis Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.containerDiagnosisViewer (GKE Diagnosis Recommender Viewer) is now GA.

Recommender Role Updated

The following permissions have been added to the role roles/recommender.computeAdmin (Compute Recommender Admin):

recommender.computeInstanceIdleResourceRecommenderConfig.get
recommender.computeInstanceIdleResourceRecommenderConfig.update
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

contactcenteraiplatform.contactCenters.queryQuota
Compute Engine Now GA compute.backendServices.getIamPolicy
compute.backendServices.setIamPolicy
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.setIamPolicy
Google Cloud Contact Center as a Service Added contactcenteraiplatform.contactCenters.queryQuota
Cloud Data Fusion Added datafusion.artifacts.create
datafusion.artifacts.delete
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.artifacts.update
datafusion.pipelineConnections.create
datafusion.pipelineConnections.delete
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.update
datafusion.pipelineConnections.use
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.preview
datafusion.pipelines.update
datafusion.profiles.create
datafusion.profiles.delete
datafusion.profiles.get
datafusion.profiles.list
datafusion.profiles.update
datafusion.secureKeys.create
datafusion.secureKeys.delete
datafusion.secureKeys.getSecret
datafusion.secureKeys.list
datafusion.secureKeys.update
Data Lineage API Added datalineage.events.create
datalineage.events.delete
datalineage.events.get
datalineage.events.list
datalineage.locations.searchLinks
datalineage.operations.get
datalineage.processes.create
datalineage.processes.delete
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.delete
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
Data Lineage API Supported In Custom Roles datalineage.operations.get
Database Migration Service Added datamigration.conversionworkspaces.commit
datamigration.conversionworkspaces.convert
datamigration.conversionworkspaces.create
datamigration.conversionworkspaces.delete
datamigration.conversionworkspaces.get
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.conversionworkspaces.rollback
datamigration.conversionworkspaces.seed
datamigration.conversionworkspaces.setIamPolicy
datamigration.conversionworkspaces.update
datamigration.mappingrules.getIamPolicy
datamigration.mappingrules.import
datamigration.mappingrules.setIamPolicy
datamigration.privateconnections.create
datamigration.privateconnections.delete
datamigration.privateconnections.get
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy
Database Migration Service Supported In Custom Roles datamigration.privateconnections.create
datamigration.privateconnections.delete
datamigration.privateconnections.get
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy
Database Migration Service Now GA datamigration.conversionworkspaces.commit
datamigration.conversionworkspaces.convert
datamigration.conversionworkspaces.create
datamigration.conversionworkspaces.delete
datamigration.conversionworkspaces.get
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.conversionworkspaces.rollback
datamigration.conversionworkspaces.seed
datamigration.conversionworkspaces.setIamPolicy
datamigration.conversionworkspaces.update
datamigration.mappingrules.getIamPolicy
datamigration.mappingrules.import
datamigration.mappingrules.setIamPolicy
datamigration.privateconnections.create
datamigration.privateconnections.delete
datamigration.privateconnections.get
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy
Dialogflow Added dialogflow.knowledgeBases.update
Dialogflow Supported In Custom Roles dialogflow.knowledgeBases.update
Dialogflow Now GA dialogflow.knowledgeBases.update
Google Earth Engine Added earthengine.featureviews.create
ML Kit for Firebase Added firebaseml.models.update
ML Kit for Firebase Supported In Custom Roles firebaseml.models.update
Network Management API Added networkmanagement.topologygraphs.read
Network Management API Supported In Custom Roles networkmanagement.topologygraphs.read
Network Management API Now GA networkmanagement.topologygraphs.read
Recommender Added recommender.computeInstanceIdleResourceRecommenderConfig.get
recommender.computeInstanceIdleResourceRecommenderConfig.update
recommender.iamPolicyRecommenderConfig.get
recommender.iamPolicyRecommenderConfig.update
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.spendBasedCommitmentRecommenderConfig.update
Recommender Supported In Custom Roles recommender.computeInstanceIdleResourceRecommenderConfig.get
recommender.computeInstanceIdleResourceRecommenderConfig.update
recommender.iamPolicyRecommenderConfig.get
recommender.iamPolicyRecommenderConfig.update
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.spendBasedCommitmentRecommenderConfig.update
Recommender Now GA recommender.computeInstanceIdleResourceRecommenderConfig.get
recommender.computeInstanceIdleResourceRecommenderConfig.update
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.iamPolicyRecommenderConfig.get
recommender.iamPolicyRecommenderConfig.update

Cloud IAM changes as of 2022-12-16

Service Change Description
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.admin (Kubernetes Engine Admin):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.developer (Kubernetes Engine Developer):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

compute.networks.getEffectiveFirewalls
iam.serviceAccounts.getAccessToken
Datastore Role Updated

The following permissions have been added to the role roles/datastore.user (Cloud Datastore User):

datastore.databases.list
Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

datastore.databases.list
Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
Backup for GKE Role Updated

The following permissions have been added to the role roles/gkebackup.serviceAgent (Backup for GKE Service Agent):

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
VM Migration Role Updated

The following permissions have been added to the role roles/vmmigration.admin (VM Migration Administrator):

resourcemanager.projects.get
resourcemanager.projects.list
VM Migration Role Updated

The following permissions have been added to the role roles/vmmigration.viewer (VM Migration Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Added cloud.locations.get
cloud.locations.list
Google Cloud Supported In Custom Roles cloud.locations.get
cloud.locations.list
Cloud Asset Inventory Added cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpAppGateways
Cloud Asset Inventory Supported In Custom Roles cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpAppGateways
Cloud Key Management Service Added cloudkms.protectedResources.search
GKE Multi-Cloud Added gkemulticloud.attachedClusters.create
gkemulticloud.attachedClusters.delete
gkemulticloud.attachedClusters.generateInstallManifest
gkemulticloud.attachedClusters.get
gkemulticloud.attachedClusters.import
gkemulticloud.attachedClusters.list
gkemulticloud.attachedClusters.update
gkemulticloud.attachedServerConfigs.get
GKE Multi-Cloud Now GA gkemulticloud.attachedClusters.create
gkemulticloud.attachedClusters.delete
gkemulticloud.attachedClusters.generateInstallManifest
gkemulticloud.attachedClusters.get
gkemulticloud.attachedClusters.import
gkemulticloud.attachedClusters.list
gkemulticloud.attachedClusters.update
gkemulticloud.attachedServerConfigs.get

Cloud IAM changes as of 2022-12-09

Service Change Description
Cloud Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.validatingWebhookConfigurations.delete
App Engine Now GA

The role roles/appengine.debugger (App Engine Managed VM Debug Access) is now GA.

App Engine Role Updated

The following permissions have been added to the role roles/appengine.serviceAgent (App Engine Standard Environment Service Agent):

storage.buckets.create
storage.buckets.get
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.instanceGroups.use
Bare Metal Solution Now GA

The role roles/baremetalsolution.serviceAgent (Bare Metal Solution Service Agent) is now GA.

Cloud Optimization Now GA

The role roles/cloudoptimization.admin (Cloud Optimization AI Admin) is now GA.

Cloud Optimization Now GA

The role roles/cloudoptimization.editor (Cloud Optimization AI Editor) is now GA.

Cloud Optimization Now GA

The role roles/cloudoptimization.viewer (Cloud Optimization AI Viewer) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

iam.serviceAccounts.actAs
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.nodeServiceAccount (Kubernetes Engine Node Service Account):

serviceusage.services.use
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.nodeServiceAgent (Kubernetes Engine Node Service Agent):

serviceusage.services.use
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent):

datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.list
datacatalog.taxonomies.update
Dataplex Role Updated

The following permissions have been removed from the role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent):

dataproc.autoscalingPolicies.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.workflowTemplates.instantiateInline
Distributed Cloud Edge Container Now GA

The role roles/edgecontainer.serviceAgent (Edge Container Service Agent) is now GA.

Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

bigquery.datasets.create
bigquery.datasets.get
bigquery.transfers.get
bigquery.transfers.update
Firebase Security Rules Now GA

The role roles/firebaserules.firestoreServiceAgent (Firebase Rules Firestore Service Agent) is now GA.

FleetEngine Role Updated

The following permissions have been removed from the role roles/fleetengine.serviceSuperUser (Fleet Engine Service Super User):

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
Backup for GKE Now GA

The role roles/gkebackup.admin (Backup for GKE Admin) is now GA.

Backup for GKE Now GA

The role roles/gkebackup.backupAdmin (Backup for GKE Backup Admin) is now GA.

Backup for GKE Now GA

The role roles/gkebackup.delegatedBackupAdmin (Backup for GKE Delegated Backup Admin) is now GA.

Backup for GKE Now GA

The role roles/gkebackup.delegatedRestoreAdmin (Backup for GKE Delegated Restore Admin) is now GA.

Backup for GKE Now GA

The role roles/gkebackup.restoreAdmin (Backup for GKE Restore Admin) is now GA.

Backup for GKE Now GA

The role roles/gkebackup.viewer (Backup for GKE Viewer) is now GA.

Dataproc Metastore Role Updated

The following permissions have been added to the role roles/metastore.serviceAgent (Dataproc Metastore Service Agent):

dns.changes.create
dns.changes.get
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update
Nest Console Now GA

The role roles/nestconsole.homeDeveloperAdmin (Google Home Developer Console Admin) is now GA.

Nest Console Now GA

The role roles/nestconsole.homeDeveloperEditor (Google Home Developer Console Editor) is now GA.

Nest Console Now GA

The role roles/nestconsole.homeDeveloperViewer (Google Home Developer Console Reader) is now GA.

Pub/Sub Lite Now GA

The role roles/pubsublite.serviceAgent (Pub/Sub Lite Service Agent) is now GA.

Storage Insights Now GA

The role roles/storageinsights.admin (Storage Insights Admin) is now GA.

Storage Insights Now GA

The role roles/storageinsights.viewer (Storage Insights Viewer) is now GA.

Workload Certificate Role Updated

The following permissions have been added to the role roles/workloadcertificate.serviceAgent (Workload Certificate Service Agent):

gkehub.fleet.create
gkehub.fleet.get
gkehub.operations.get
Apigee Added apigee.instances.update
apigee.projects.migrate
apigee.projects.previewMigration
apigee.traceconfig.get
apigee.traceconfig.update
apigee.traceconfigoverrides.create
apigee.traceconfigoverrides.delete
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.traceconfigoverrides.update
Apigee Supported In Custom Roles apigee.instances.update
apigee.projects.migrate
apigee.projects.previewMigration
Apigee Now GA apigee.instances.update
apigee.projects.migrate
apigee.projects.previewMigration
apigee.traceconfig.get
apigee.traceconfig.update
apigee.traceconfigoverrides.create
apigee.traceconfigoverrides.delete
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.traceconfigoverrides.update
App Engine Added appengine.instances.enableDebug
App Engine Supported In Custom Roles appengine.instances.enableDebug
App Engine Now GA appengine.instances.enableDebug
Cloud Asset Inventory Added cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
Cloud Build Added cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.repositories.get
cloudbuild.repositories.list
Cloud Build Supported In Custom Roles cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.repositories.get
cloudbuild.repositories.list
Cloud Optimization Now GA cloudoptimization.operations.create
cloudoptimization.operations.get
Compute Engine Added compute.instances.simulateMaintenanceEvent
compute.nodeGroups.simulateMaintenanceEvent
Compute Engine Supported In Custom Roles compute.instances.simulateMaintenanceEvent
compute.nodeGroups.simulateMaintenanceEvent
Compute Engine Now GA compute.instances.simulateMaintenanceEvent
Connectors Added connectors.schemaMetadata.refresh
Connectors Now GA connectors.schemaMetadata.refresh
Cloud Commerce Consumer Procurement Added consumerprocurement.consents.allowProjectGrant
Cloud Commerce Consumer Procurement Supported In Custom Roles consumerprocurement.consents.allowProjectGrant
Conversational Insights Added contactcenterinsights.issues.delete
Cloud Data Fusion Added datafusion.operations.delete
Dataplex Added dataplex.tasks.run
Dataplex Supported In Custom Roles dataplex.tasks.run
Dataplex Now GA dataplex.tasks.run
Dataproc Added dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update
Dataproc Supported In Custom Roles dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update
Dataproc Now GA dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update
Google Analytics Added firebaseanalytics.resources.googleAnalyticsAdditionalAccess
firebaseanalytics.resources.googleAnalyticsRestrictedAccess
Google Analytics Supported In Custom Roles firebaseanalytics.resources.googleAnalyticsAdditionalAccess
firebaseanalytics.resources.googleAnalyticsRestrictedAccess
Backup for GKE Now GA gkebackup.backupPlans.create
gkebackup.backupPlans.delete
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backupPlans.setIamPolicy
gkebackup.backupPlans.update
gkebackup.backups.create
gkebackup.backups.delete
gkebackup.backups.get
gkebackup.backups.list
gkebackup.backups.update
gkebackup.locations.get
gkebackup.locations.list
gkebackup.operations.cancel
gkebackup.operations.delete
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.create
gkebackup.restorePlans.delete
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restorePlans.setIamPolicy
gkebackup.restorePlans.update
gkebackup.restores.create
gkebackup.restores.delete
gkebackup.restores.get
gkebackup.restores.list
gkebackup.restores.update
gkebackup.volumeBackups.get
gkebackup.volumeBackups.list
gkebackup.volumeRestores.get
gkebackup.volumeRestores.list
Cloud Logging Added logging.settings.get
logging.settings.update
Cloud Logging Added logging.googleapis.com/settings.get
logging.googleapis.com/settings.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.domainJoinMachine
Maps Platform Datasets Added mapsplatformdatasets.datasets.create
mapsplatformdatasets.datasets.delete
mapsplatformdatasets.datasets.get
mapsplatformdatasets.datasets.import
mapsplatformdatasets.datasets.list
mapsplatformdatasets.datasets.update
Cloud Monitoring Added monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
Cloud Monitoring Supported In Custom Roles monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
Nest Console Added nestconsole.smarthomePreviews.update
nestconsole.smarthomeProjects.create
nestconsole.smarthomeProjects.delete
nestconsole.smarthomeProjects.get
nestconsole.smarthomeProjects.update
nestconsole.smarthomeVersions.create
nestconsole.smarthomeVersions.get
nestconsole.smarthomeVersions.submit
Nest Console Now GA nestconsole.smarthomePreviews.update
nestconsole.smarthomeProjects.create
nestconsole.smarthomeProjects.delete
nestconsole.smarthomeProjects.get
nestconsole.smarthomeProjects.update
nestconsole.smarthomeVersions.create
nestconsole.smarthomeVersions.get
nestconsole.smarthomeVersions.submit
Network Connectivity Center Added networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.internalRanges.update
Network Connectivity Center Supported In Custom Roles networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.internalRanges.update
Network Connectivity Center Now GA networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.internalRanges.update
Recommender Added recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update
Recommender Supported In Custom Roles recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update
Recommender Now GA recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.update
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.update
Retail API Added retail.models.pause
retail.models.resume
retail.models.tune
retail.models.update
Google Cloud Observability Added stackdriver.resourceMetadata.list
Google Cloud Observability Supported In Custom Roles stackdriver.resourceMetadata.list
Storage Insights Added storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list
Storage Insights Now GA storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list
VM Migration Added vmmigration.replicationCycles.get
vmmigration.replicationCycles.list

Cloud IAM changes as of 2022-12-02

Service Change Description
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.viewer (Backup and DR Viewer):

backupdr.managementServers.backupAccess
Cloud Billing Role Updated

The following permissions have been added to the role roles/billing.admin (Billing Account Administrator):

compute.commitments.create
compute.commitments.get
compute.commitments.list
compute.commitments.update
compute.commitments.updateReservations
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

iam.serviceAccounts.getOpenIdToken
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.orderAdmin (Consumer Procurement Order Administrator):

billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
Cloud Commerce Consumer Procurement Role Updated

The following permissions have been added to the role roles/consumerprocurement.orderViewer (Consumer Procurement Order Viewer):

billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.serviceAgent (Cloud Logging Service Agent):

bigquery.datasets.get
RISC Configuration Service Role Updated

The following permissions have been added to the role roles/riscconfigs.admin (RISC Configuration Admin):

clientauthconfig.clients.list
RISC Configuration Service Role Updated

The following permissions have been added to the role roles/riscconfigs.viewer (RISC Configuration Viewer):

clientauthconfig.clients.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.com/denypolicies.get
iam.googleapis.com/denypolicies.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.com/denypolicies.get
iam.googleapis.com/denypolicies.list
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

backupdr.managementServers.backupAccess
Commerce Business Enablement Added commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
Google Distributed Cloud Added gkeonprem.bareMetalAdminClusters.create
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalAdminClusters.update
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareAdminClusters.update
Google Distributed Cloud Supported In Custom Roles gkeonprem.bareMetalAdminClusters.create
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalAdminClusters.update
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareAdminClusters.update
Google Distributed Cloud Now GA gkeonprem.bareMetalAdminClusters.create
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalAdminClusters.update
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareAdminClusters.update
Network Connectivity Center Added networkconnectivity.policyBasedRoutes.create
networkconnectivity.policyBasedRoutes.delete
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.getIamPolicy
networkconnectivity.policyBasedRoutes.list
networkconnectivity.policyBasedRoutes.setIamPolicy
Network Connectivity Center Now GA networkconnectivity.policyBasedRoutes.create
networkconnectivity.policyBasedRoutes.delete
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.getIamPolicy
networkconnectivity.policyBasedRoutes.list
networkconnectivity.policyBasedRoutes.setIamPolicy
VM Migration Supported In Custom Roles vmmigration.migratingVms.get

Cloud IAM changes as of 2022-11-04

Service Change Description
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.computeEngineOperator (Backup and DR Compute Engine Operator):

compute.snapshots.delete
resourcemanager.projects.list
Cloud Deploy Now GA

The role roles/clouddeploy.admin (Cloud Deploy Admin) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.approver (Cloud Deploy Approver) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.developer (Cloud Deploy Developer) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.jobRunner (Cloud Deploy Runner) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.operator (Cloud Deploy Operator) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.releaser (Cloud Deploy Releaser) is now GA.

Cloud Deploy Now GA

The role roles/clouddeploy.viewer (Cloud Deploy Viewer) is now GA.

Cloud Deploy Role Updated

The following permissions have been added to the role roles/clouddeploy.developer (Cloud Deploy Developer):

clouddeploy.deliveryPipelines.delete
Cloud Deploy Role Updated

The following permissions have been added to the role roles/clouddeploy.operator (Cloud Deploy Operator):

clouddeploy.deliveryPipelines.delete
clouddeploy.targets.delete
Firebase installations Now GA

The role roles/firebaseinstallations.admin (Firebase Installations Admin) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.admin (Security Center Admin):

resourcemanager.tagValues.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminEditor (Security Center Admin Editor):

resourcemanager.tagValues.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.adminViewer (Security Center Admin Viewer):

resourcemanager.tagValues.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

resourcemanager.tagValues.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

resourcemanager.tagValues.get
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

resourcemanager.tagValues.get
Cloud Deploy Now GA clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.approve
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update
Cloud Composer Added composer.dags.getSourceCode
Cloud Composer Now GA composer.dags.getSourceCode
Compute Engine Added compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use
Compute Engine Now GA compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use
Firebase installations Added firebaseinstallations.instances.delete
Firebase installations Now GA firebaseinstallations.instances.delete
Remote Build Execution Added remotebuildexecution.instances.update
Remote Build Execution Supported In Custom Roles remotebuildexecution.instances.update

Cloud IAM changes as of 2022-10-28

Service Change Description
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

logging.buckets.create
logging.buckets.get
logging.buckets.list
Dataplex Now GA

The role roles/dataplex.dataScanAdmin (Dataplex DataScan Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.dataScanDataViewer (Dataplex DataScan DataViewer) is now GA.

Dataplex Now GA

The role roles/dataplex.dataScanEditor (Dataplex DataScan Editor) is now GA.

Dataplex Now GA

The role roles/dataplex.dataScanViewer (Dataplex DataScan Viewer) is now GA.

Document AI Role Updated

The following permissions have been added to the role roles/documentai.admin (Document AI Administrator):

documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
Document AI Role Updated

The following permissions have been added to the role roles/documentai.editor (Document AI Editor):

documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
Document AI Role Updated

The following permissions have been added to the role roles/documentai.viewer (Document AI Viewer):

documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
Serverless Integrations Role Updated

The following permissions have been added to the role roles/runapps.serviceAgent (Serverless Integrations Service Agent):

storage.objects.delete
Google Cloud VMware Engine Now GA

The role roles/vmwareengine.serviceAgent (VMware Engine Service Agent) is now GA.

Artifact Registry Added artifactregistry.projectsettings.get
artifactregistry.projectsettings.update
Artifact Registry Supported In Custom Roles artifactregistry.projectsettings.get
artifactregistry.projectsettings.update
Artifact Registry Now GA artifactregistry.projectsettings.get
artifactregistry.projectsettings.update
Bigtable Added bigtable.backups.read
Bigtable Supported In Custom Roles bigtable.backups.read
Bigtable Now GA bigtable.backups.read
Commerce Org Governance Added commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.services.list
Compute Engine Added compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.getIamPolicy
compute.backendBuckets.setIamPolicy
compute.backendServices.addSignedUrlKey
compute.backendServices.deleteSignedUrlKey
compute.regionTargetHttpProxies.update
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.setIamPolicy
compute.targetHttpProxies.update
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
Compute Engine Supported In Custom Roles compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.setIamPolicy
Compute Engine Now GA compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.deleteSignedUrlKey
compute.backendServices.addSignedUrlKey
compute.backendServices.deleteSignedUrlKey
compute.regionTargetHttpProxies.update
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.setIamPolicy
compute.targetHttpProxies.update
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
Data Catalog Added datacatalog.entryGroups.updateTag
Data Catalog Supported In Custom Roles datacatalog.entryGroups.updateTag
Data Catalog Now GA datacatalog.entryGroups.updateTag
Dataplex Added dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update
Dataplex Now GA dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update
Discovery Engine Added discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.servingConfigs.recommend
discoveryengine.userEvents.create
discoveryengine.userEvents.import
Document AI Added documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
Enterprise Knowledge Graph Added enterpriseknowledgegraph.cloudKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.cloudKnowledgeGraphEntities.search
enterpriseknowledgegraph.publicKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.publicKnowledgeGraphEntities.search
Identity Toolkit Added identitytoolkit.tenants.create
identitytoolkit.tenants.delete
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
identitytoolkit.tenants.update
Identity Toolkit Supported In Custom Roles identitytoolkit.tenants.create
identitytoolkit.tenants.delete
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
identitytoolkit.tenants.update
Identity Toolkit Now GA identitytoolkit.tenants.create
identitytoolkit.tenants.delete
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
identitytoolkit.tenants.update
Dataproc Metastore Added metastore.services.mutateMetadata
metastore.services.queryMetadata
Dataproc Metastore Supported In Custom Roles metastore.services.mutateMetadata
metastore.services.queryMetadata
Recommender Supported In Custom Roles recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update
Retail API Added retail.products.purge
Retail API Now GA retail.products.purge
Cloud Run Supported In Custom Roles run.routes.invoke
Vision AI Added visionai.corpora.suggest
visionai.uistreams.create
visionai.uistreams.delete
visionai.uistreams.generateStreamThumbnails
visionai.uistreams.get
visionai.uistreams.list
Google Cloud VMware Engine Added vmwareengine.clusters.create
vmwareengine.clusters.delete
vmwareengine.clusters.get
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.clusters.setIamPolicy
vmwareengine.clusters.update
vmwareengine.hcxActivationKeys.create
vmwareengine.hcxActivationKeys.get
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.hcxActivationKeys.setIamPolicy
vmwareengine.locations.get
vmwareengine.locations.list
vmwareengine.networkPolicies.create
vmwareengine.networkPolicies.delete
vmwareengine.networkPolicies.get
vmwareengine.networkPolicies.list
vmwareengine.networkPolicies.update
vmwareengine.nodeTypes.get
vmwareengine.nodeTypes.list
vmwareengine.operations.delete
vmwareengine.operations.get
vmwareengine.operations.list
vmwareengine.privateClouds.create
vmwareengine.privateClouds.delete
vmwareengine.privateClouds.get
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateClouds.resetNsxCredentials
vmwareengine.privateClouds.resetVcenterCredentials
vmwareengine.privateClouds.setIamPolicy
vmwareengine.privateClouds.showNsxCredentials
vmwareengine.privateClouds.showVcenterCredentials
vmwareengine.privateClouds.undelete
vmwareengine.privateClouds.update
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.create
vmwareengine.vmwareEngineNetworks.delete
vmwareengine.vmwareEngineNetworks.get
vmwareengine.vmwareEngineNetworks.list
vmwareengine.vmwareEngineNetworks.update
Google Cloud VMware Engine Supported In Custom Roles vmwareengine.clusters.create
vmwareengine.clusters.delete
vmwareengine.clusters.get
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.clusters.setIamPolicy
vmwareengine.clusters.update
vmwareengine.hcxActivationKeys.create
vmwareengine.hcxActivationKeys.get
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.hcxActivationKeys.setIamPolicy
vmwareengine.locations.get
vmwareengine.locations.list
vmwareengine.networkPolicies.create
vmwareengine.networkPolicies.delete
vmwareengine.networkPolicies.get
vmwareengine.networkPolicies.list
vmwareengine.networkPolicies.update
vmwareengine.nodeTypes.get
vmwareengine.nodeTypes.list
vmwareengine.operations.delete
vmwareengine.operations.get
vmwareengine.operations.list
vmwareengine.privateClouds.create
vmwareengine.privateClouds.delete
vmwareengine.privateClouds.get
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateClouds.resetNsxCredentials
vmwareengine.privateClouds.resetVcenterCredentials
vmwareengine.privateClouds.setIamPolicy
vmwareengine.privateClouds.showNsxCredentials
vmwareengine.privateClouds.showVcenterCredentials
vmwareengine.privateClouds.undelete
vmwareengine.privateClouds.update
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.create
vmwareengine.vmwareEngineNetworks.delete
vmwareengine.vmwareEngineNetworks.get
vmwareengine.vmwareEngineNetworks.list
vmwareengine.vmwareEngineNetworks.update
Google Cloud VMware Engine Now GA vmwareengine.clusters.create
vmwareengine.clusters.delete
vmwareengine.clusters.get
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.clusters.setIamPolicy
vmwareengine.clusters.update
vmwareengine.hcxActivationKeys.create
vmwareengine.hcxActivationKeys.get
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.hcxActivationKeys.setIamPolicy
vmwareengine.locations.get
vmwareengine.locations.list
vmwareengine.networkPolicies.create
vmwareengine.networkPolicies.delete
vmwareengine.networkPolicies.get
vmwareengine.networkPolicies.list
vmwareengine.networkPolicies.update
vmwareengine.nodeTypes.get
vmwareengine.nodeTypes.list
vmwareengine.operations.delete
vmwareengine.operations.get
vmwareengine.operations.list
vmwareengine.privateClouds.create
vmwareengine.privateClouds.delete
vmwareengine.privateClouds.get
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateClouds.resetNsxCredentials
vmwareengine.privateClouds.resetVcenterCredentials
vmwareengine.privateClouds.setIamPolicy
vmwareengine.privateClouds.showNsxCredentials
vmwareengine.privateClouds.showVcenterCredentials
vmwareengine.privateClouds.undelete
vmwareengine.privateClouds.update
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.create
vmwareengine.vmwareEngineNetworks.delete
vmwareengine.vmwareEngineNetworks.get
vmwareengine.vmwareEngineNetworks.list
vmwareengine.vmwareEngineNetworks.update

Cloud IAM changes as of 2022-10-21

Service Change Description
Backup and Disaster Recovery Role Updated

The following permissions have been added to the role roles/backupdr.computeEngineOperator (Backup and DR Compute Engine Operator):

compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.regions.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
BigQuery Data Policy Now GA

The role roles/bigquerydatapolicy.maskedReader (Masked Reader) is now GA.

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Compute Engine Now GA

The role roles/compute.soleTenantViewer (Compute Sole Tenant Viewer) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

compute.zoneOperations.get
Conversational Insights Now GA

The role roles/contactcenterinsights.editor (Contact Center AI Insights editor) is now GA.

Conversational Insights Now GA

The role roles/contactcenterinsights.viewer (Contact Center AI Insights viewer) is now GA.

Conversational Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

serviceusage.services.use
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Discovery Engine Now GA

The role roles/discoveryengine.serviceAgent (Discovery Engine Service Agent) is now GA.

Sensitive Data Protection Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.integrationAdmin (Application Integration Admin):

integrations.executions.get
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.integrationEditor (Application Integration Editor):

integrations.executions.get
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.integrationInvoker (Application Integration Invoker):

integrations.executions.get
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.integrationViewer (Application Integration Viewer):

integrations.executions.get
Dataproc Metastore Role Updated

The following permissions have been added to the role roles/metastore.serviceAgent (Dataproc Metastore Service Agent):

metastore.databases.get
metastore.databases.update
metastore.tables.get
metastore.tables.update
AI Platform Role Updated

The following permissions have been added to the role roles/ml.serviceAgent (AI Platform Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Recommender Now GA

The role roles/recommender.networkAnalyzerAdmin (Network Analyzer Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerCloudSqlAdmin (Network Analyzer Cloud SQL Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerCloudSqlViewer (Network Analyzer Cloud SQL Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerDynamicRouteAdmin (Network Analyzer Dynamic Route Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerDynamicRouteViewer (Network Analyzer Dynamic Route Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerGkeConnectivityAdmin (Network Analyzer GKE Connectivity Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerGkeConnectivityViewer (Network Analyzer GKE Connectivity Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerGkeIpAddressAdmin (Network Analyzer GKE IP Address Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerGkeIpAddressViewer (Network Analyzer GKE IP Address Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerIpAddressAdmin (Network Analyzer IP Address Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerIpAddressViewer (Network Analyzer IP Address Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerLoadBalancerAdmin (Network Analyzer Load Balancer Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerLoadBalancerViewer (Network Analyzer Load Balancer Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerViewer (Network Analyzer Recommender Viewer) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerVpcConnectivityAdmin (Network Analyzer VPC Connectivity Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.networkAnalyzerVpcConnectivityViewer (Network Analyzer VPC Connectivity Recommender Viewer) is now GA.

Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.admin (Storage Admin):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
AutoML Added

automl.examples.update
AutoML Supported In Custom Roles

automl.examples.update
Bare Metal Solution Added

baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.stop
baremetalsolution.sshKeys.create
baremetalsolution.sshKeys.delete
baremetalsolution.sshKeys.list
Bare Metal Solution Supported In Custom Roles

baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.stop
baremetalsolution.sshKeys.create
baremetalsolution.sshKeys.delete
baremetalsolution.sshKeys.list
Bare Metal Solution Now GA

baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.stop
baremetalsolution.sshKeys.create
baremetalsolution.sshKeys.delete
baremetalsolution.sshKeys.list
BigQuery Now GA

bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
Bigtable Added

bigtable.hotTablets.list
Bigtable Supported In Custom Roles

bigtable.hotTablets.list
Bigtable Now GA

bigtable.hotTablets.list
NetApp Cloud Volumes Service Added

cloudvolumesgcp-api.netapp.com/volumereplication.authorize
cloudvolumesgcp-api.netapp.com/volumereplication.break
cloudvolumesgcp-api.netapp.com/volumereplication.create
cloudvolumesgcp-api.netapp.com/volumereplication.delete
cloudvolumesgcp-api.netapp.com/volumereplication.get
cloudvolumesgcp-api.netapp.com/volumereplication.list
cloudvolumesgcp-api.netapp.com/volumereplication.release
cloudvolumesgcp-api.netapp.com/volumereplication.resync
cloudvolumesgcp-api.netapp.com/volumereplication.update
Compute Engine Added

compute.instances.setName
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
Compute Engine Supported In Custom Roles

compute.instances.setName
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
Conversational Insights Added

contactcenterinsights.conversations.export
contactcenterinsights.views.create
contactcenterinsights.views.delete
contactcenterinsights.views.get
contactcenterinsights.views.list
contactcenterinsights.views.update
Conversational Insights Now GA

contactcenterinsights.analyses.create
contactcenterinsights.analyses.delete
contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.conversations.create
contactcenterinsights.conversations.delete
contactcenterinsights.conversations.export
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.conversations.update
contactcenterinsights.issueModels.create
contactcenterinsights.issueModels.delete
contactcenterinsights.issueModels.deploy
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issueModels.undeploy
contactcenterinsights.issueModels.update
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.issues.update
contactcenterinsights.operations.get
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.create
contactcenterinsights.phraseMatchers.delete
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.phraseMatchers.update
contactcenterinsights.settings.get
contactcenterinsights.settings.update
contactcenterinsights.views.create
contactcenterinsights.views.delete
contactcenterinsights.views.get
contactcenterinsights.views.list
contactcenterinsights.views.update
Dataflow Added

dataflow.streamingWorkItems.ImportState
dataflow.streamingWorkItems.getWorkerMetadata
Dataflow Supported In Custom Roles

dataflow.streamingWorkItems.ImportState
dataflow.streamingWorkItems.getWorkerMetadata
Dataflow Now GA

dataflow.streamingWorkItems.ImportState
dataflow.streamingWorkItems.getWorkerMetadata
Cloud Integrations Added

integrations.executions.get
Cloud Integrations Now GA

integrations.executions.get
Recommender Added

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update
Recommender Supported In Custom Roles

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update
Recommender Now GA

recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerCloudSqlInsights.update
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerDynamicRouteInsights.update
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerIpAddressInsights.update
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerLoadBalancerInsights.update
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.update
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update
RISC Configuration Service Added

riscconfigurationservice.riscconfigs.createOrUpdate
riscconfigurationservice.riscconfigs.delete
riscconfigurationservice.riscconfigs.get
RISC Configuration Service Supported In Custom Roles

riscconfigurationservice.riscconfigs.createOrUpdate
riscconfigurationservice.riscconfigs.delete
riscconfigurationservice.riscconfigs.get
Service Usage Supported In Custom Roles

serviceusage.services.use
Service Usage Now GA

serviceusage.services.use
Cloud TPU Added

tpu.nodes.simulateMaintenanceEvent
tpu.runtimeversions.get
tpu.runtimeversions.list
Cloud TPU Supported In Custom Roles

tpu.nodes.simulateMaintenanceEvent
tpu.runtimeversions.get
tpu.runtimeversions.list
Cloud TPU Now GA

tpu.nodes.simulateMaintenanceEvent
tpu.runtimeversions.get
tpu.runtimeversions.list

Cloud IAM changes as of 2022-09-30

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.customCodeServiceAgent (Vertex AI Custom Code Service Agent):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.user (Vertex AI User):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.viewer (Vertex AI Viewer):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Backup and Disaster Recovery Now GA

The role roles/backupdr.cloudStorageOperator (Backup and DR Cloud Storage Operator) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.computeEngineOperator (Backup and DR Compute Engine Operator) is now GA.

Chrome Enterprise Premium Role Updated

The following permissions have been added to the role roles/beyondcorp.viewer (Cloud BeyondCorp Viewer):

resourcemanager.organizations.get
Google Security Operations Now GA

The role roles/chronicle.admin (Chronicle Data Plane API Admin) is now GA.

Google Security Operations Now GA

The role roles/chronicle.viewer (Chronicle Data Plane API Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

managedidentities.domains.checkMigrationPermission
managedidentities.domains.disableMigration
managedidentities.domains.enableMigration
Managed Service for Microsoft Active Directory Role Updated

The following permissions have been added to the role roles/managedidentities.admin (Google Cloud Managed Identities Admin):

managedidentities.domains.checkMigrationPermission
managedidentities.domains.disableMigration
managedidentities.domains.enableMigration
Managed Service for Microsoft Active Directory Role Updated

The following permissions have been added to the role roles/managedidentities.domainAdmin (Google Cloud Managed Identities Domain Admin):

managedidentities.domains.checkMigrationPermission
managedidentities.domains.disableMigration
managedidentities.domains.enableMigration
Google Cloud Migration Center Role Updated

The following permissions have been added to the role roles/migrationcenter.viewer (Migration Center Viewer):

rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.get
rma.locations.list
rma.operations.get
rma.operations.list
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

managedidentities.domains.checkMigrationPermission
managedidentities.domains.disableMigration
managedidentities.domains.enableMigration
Serverless Integrations Now GA

The role roles/runapps.serviceAgent (Serverless Integrations Service Agent) is now GA.

Video Stitcher API Now GA

The role roles/videostitcher.admin (Video Stitcher Admin) is now GA.

Video Stitcher API Now GA

The role roles/videostitcher.user (Video Stitcher User) is now GA.

Video Stitcher API Now GA

The role roles/videostitcher.viewer (Video Stitcher Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

managedidentities.domains.checkMigrationPermission
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
Vertex AI Added

aiplatform.nasTrialDetails.get
aiplatform.nasTrialDetails.list
API Keys Added

apikeys.keys.getKeyString
apikeys.keys.undelete
API Keys Supported In Custom Roles

apikeys.keys.getKeyString
apikeys.keys.undelete
API Keys Now GA

apikeys.keys.getKeyString
apikeys.keys.undelete
Artifact Registry Added

artifactregistry.kfpartifacts.create
Artifact Registry Now GA

artifactregistry.kfpartifacts.create
Bare Metal Solution Added

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.detachNetwork
baremetalsolution.networks.create
baremetalsolution.networks.delete
Bare Metal Solution Supported In Custom Roles

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.detachNetwork
baremetalsolution.networks.create
baremetalsolution.networks.delete
Bare Metal Solution Now GA

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.detachNetwork
baremetalsolution.networks.create
baremetalsolution.networks.delete
Bigtable Added

bigtable.instances.ping
Bigtable Now GA

bigtable.instances.ping
Certificate Manager Added

certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.delete
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
Certificate Manager Supported In Custom Roles

certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.delete
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
Google Security Operations Added

chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.multitenantDirectories.get
Google Security Operations Supported In Custom Roles

chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.get
chronicle.dashboards.list
Google Security Operations Now GA

chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.multitenantDirectories.get
Cloud Asset Inventory Added

cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerServices
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
Cloud Asset Inventory: Supported In Custom Roles
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
Compute Engine: Added
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.use
Compute Engine: Supported In Custom Roles
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.use
Looker Studio: Added
datastudio.datasources.delete
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.move
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.setIamPolicy
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.delete
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.move
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.setIamPolicy
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.delete
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.moveOut
datastudio.workspaces.restoreTrash
datastudio.workspaces.search
datastudio.workspaces.setIamPolicy
datastudio.workspaces.trash
datastudio.workspaces.update
Enterprise Knowledge Graph: Added
enterpriseknowledgegraph.entityReconciliationJobs.cancel
enterpriseknowledgegraph.entityReconciliationJobs.create
enterpriseknowledgegraph.entityReconciliationJobs.delete
enterpriseknowledgegraph.entityReconciliationJobs.get
enterpriseknowledgegraph.entityReconciliationJobs.list
Enterprise Knowledge Graph: Supported In Custom Roles
enterpriseknowledgegraph.entityReconciliationJobs.delete
Google Distributed Cloud: Added
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.vmwareClusters.queryVersionConfig
Google Distributed Cloud: Supported In Custom Roles
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.vmwareClusters.queryVersionConfig
Google Distributed Cloud: Now GA
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.vmwareClusters.queryVersionConfig
Managed Service for Microsoft Active Directory: Added
managedidentities.domains.checkMigrationPermission
managedidentities.domains.disableMigration
managedidentities.domains.enableMigration
Dataproc Metastore Added metastore.backups.getIamPolicy
metastore.backups.setIamPolicy
Dataproc Metastore Supported In Custom Roles metastore.backups.getIamPolicy
metastore.backups.setIamPolicy
Dataproc Metastore Now GA metastore.backups.getIamPolicy
metastore.backups.setIamPolicy
Public Certificate Authority Added publicca.externalAccountKeys.create
Recommender Added recommender.computeFirewallInsightTypeConfigs.get
recommender.computeFirewallInsightTypeConfigs.update
recommender.gmpGuidedExperienceInsights.get
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceInsights.update
recommender.gmpGuidedExperienceRecommendations.get
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpGuidedExperienceRecommendations.update
Recommender Supported In Custom Roles recommender.computeFirewallInsightTypeConfigs.get
recommender.computeFirewallInsightTypeConfigs.update
recommender.gmpGuidedExperienceInsights.get
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceInsights.update
recommender.gmpGuidedExperienceRecommendations.get
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpGuidedExperienceRecommendations.update
Recommender Now GA recommender.computeFirewallInsightTypeConfigs.get
recommender.computeFirewallInsightTypeConfigs.update
recommender.gmpGuidedExperienceInsights.get
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceInsights.update
recommender.gmpGuidedExperienceRecommendations.get
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpGuidedExperienceRecommendations.update
Service Networking Added servicenetworking.services.addDnsRecordSet
servicenetworking.services.addDnsZone
servicenetworking.services.deleteConnection
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.getConsumerConfig
servicenetworking.services.removeDnsRecordSet
servicenetworking.services.removeDnsZone
servicenetworking.services.updateConsumerConfig
servicenetworking.services.updateDnsRecordSet
Service Networking Supported In Custom Roles servicenetworking.services.addDnsRecordSet
servicenetworking.services.addDnsZone
servicenetworking.services.deleteConnection
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.getConsumerConfig
servicenetworking.services.removeDnsRecordSet
servicenetworking.services.removeDnsZone
servicenetworking.services.updateConsumerConfig
servicenetworking.services.updateDnsRecordSet
Spanner Added spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.update
Spanner Supported In Custom Roles spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.update
Spanner Now GA spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.update
Video Stitcher API Now GA videostitcher.cdnKeys.create
videostitcher.cdnKeys.delete
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.cdnKeys.update
videostitcher.liveAdTagDetails.get
videostitcher.liveAdTagDetails.list
videostitcher.liveSessions.create
videostitcher.liveSessions.get
videostitcher.slates.create
videostitcher.slates.delete
videostitcher.slates.get
videostitcher.slates.list
videostitcher.slates.update
videostitcher.vodAdTagDetails.get
videostitcher.vodAdTagDetails.list
videostitcher.vodSessions.create
videostitcher.vodSessions.get
videostitcher.vodStitchDetails.get
videostitcher.vodStitchDetails.list
Vision AI Added visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.analyses.update
visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update
visionai.applications.create
visionai.applications.delete
visionai.applications.deploy
visionai.applications.get
visionai.applications.list
visionai.applications.undeploy
visionai.applications.update
visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.create
visionai.corpora.delete
visionai.corpora.get
visionai.corpora.list
visionai.corpora.update
visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.update
visionai.dataSchemas.validate
visionai.drafts.create
visionai.drafts.delete
visionai.drafts.get
visionai.drafts.list
visionai.drafts.update
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.events.update
visionai.instances.get
visionai.instances.list
visionai.locations.get
visionai.locations.list
visionai.operations.cancel
visionai.operations.delete
visionai.operations.get
visionai.operations.list
visionai.operations.wait
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.getIamPolicy
visionai.operators.list
visionai.operators.setIamPolicy
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.processors.update
visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.searchConfigs.update
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.setIamPolicy
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.setIamPolicy
visionai.streams.update
Vision AI Supported In Custom Roles visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.analyses.update
visionai.applications.create
visionai.applications.delete
visionai.applications.deploy
visionai.applications.get
visionai.applications.list
visionai.applications.undeploy
visionai.applications.update
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.clusters.update
visionai.drafts.create
visionai.drafts.delete
visionai.drafts.get
visionai.drafts.list
visionai.drafts.update
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.events.update
visionai.instances.get
visionai.instances.list
visionai.locations.get
visionai.locations.list
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.getIamPolicy
visionai.operators.list
visionai.operators.setIamPolicy
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.processors.update
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.series.setIamPolicy
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.setIamPolicy
visionai.streams.update

Cloud IAM changes as of 2022-09-23

Service Change Description
Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesnapshotsadmin (Snapshots Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesnapshotseditor (Snapshots Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesnapshotsviewer (Snapshots Viewer) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.admin (Content Warehouse Admin) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.documentAdmin (Content Warehouse Document Admin) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.documentCreator (Content Warehouse document creator) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.documentEditor (Content Warehouse Document Editor) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.documentSchemaViewer (Content Warehouse document schema viewer) is now GA.

Content Warehouse Now GA

The role roles/contentwarehouse.documentViewer (Content Warehouse Viewer) is now GA.

Basic Role Role Updated

The following permissions have been removed from the role roles/editor (Editor):

workstations.workstations.use

Multi-Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

serviceusage.services.use

Basic Role Role Updated

The following permissions have been removed from the role roles/owner (Owner):

workstations.workstations.use

Cloud Workstations Role Updated

The following permissions have been removed from the role roles/workstations.admin (Cloud Workstations Admin):

workstations.workstations.use

Bare Metal Solution Added baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
Bare Metal Solution Supported In Custom Roles baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
Bare Metal Solution Now GA baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
Compute Engine Added compute.networkEdgeSecurityServices.create
compute.networkEdgeSecurityServices.delete
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.update
compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.delete
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.regionSecurityPolicies.use
compute.securityPolicies.setLabels
Compute Engine Supported In Custom Roles compute.securityPolicies.setLabels
Compute Engine Now GA compute.disks.listEffectiveTags
compute.images.listEffectiveTags
compute.instances.listEffectiveTags
compute.securityPolicies.setLabels
compute.snapshots.listEffectiveTags
Container Security Added containersecurity.findings.list
Content Warehouse Now GA contentwarehouse.documentSchemas.create
contentwarehouse.documentSchemas.delete
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.documentSchemas.update
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.locations.initialize
contentwarehouse.operations.get
contentwarehouse.rawDocuments.download
contentwarehouse.rawDocuments.upload
contentwarehouse.ruleSets.create
contentwarehouse.ruleSets.delete
contentwarehouse.ruleSets.get
contentwarehouse.ruleSets.list
contentwarehouse.ruleSets.update
contentwarehouse.synonymSets.create
contentwarehouse.synonymSets.delete
contentwarehouse.synonymSets.get
contentwarehouse.synonymSets.list
contentwarehouse.synonymSets.update
Document AI Added documentai.evaluationDocuments.get
Managed Service for Microsoft Active Directory Now GA managedidentities.domains.extendSchema
Organization Policy Service Added orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
Organization Policy Service Supported In Custom Roles orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
Recommender Added recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.update
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.update
Recommender Supported In Custom Roles recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.update
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.update
Resource Manager Now GA resourcemanager.hierarchyNodes.listEffectiveTags

Cloud IAM changes as of 2022-09-10

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.serviceAgent (Apigee Service Agent):

apigee.developers.delete

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

bigquery.tables.get
bigquery.tables.updateData

GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Monitoring Role Updated

The following permissions have been added to the role roles/monitoring.notificationServiceAgent (Monitoring Service Agent):

monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

Storage Transfer Service Now GA

The role roles/storagetransfer.serviceAgent (Storage Transfer Service Agent) is now GA.

Access Approval Added accessapproval.serviceAccounts.get
Document AI Added documentai.dataLabelingJobs.cancel
documentai.dataLabelingJobs.create
documentai.dataLabelingJobs.delete
documentai.dataLabelingJobs.list
documentai.dataLabelingJobs.update
documentai.datasets.createDocuments
documentai.datasets.deleteDocuments
documentai.datasets.getDocuments
documentai.datasets.listDocuments
documentai.datasets.updateDocuments
Notebooks Added notebooks.instances.diagnose
notebooks.runtimes.diagnose
Notebooks Now GA notebooks.instances.diagnose
notebooks.runtimes.diagnose
Recommender Added recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerCloudSqlInsights.update
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerDynamicRouteInsights.update
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerIpAddressInsights.update
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerLoadBalancerInsights.update
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.update
Recommender Supported In Custom Roles recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerCloudSqlInsights.update
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerDynamicRouteInsights.update
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerIpAddressInsights.update
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerLoadBalancerInsights.update
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.update

Cloud IAM changes as of 2022-09-02

Service Change Description
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.securityAdmin (Compute Security Admin):

compute.backendBuckets.list
compute.backendServices.list
compute.instances.list
compute.regionBackendServices.list
compute.targetInstances.list
compute.targetPools.list

Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent):

dataplex.environments.execute

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

batch.jobs.create

Firebase App Distribution Now GA

The role roles/firebaseappdistro.admin (Firebase App Distribution Admin) is now GA.

Firebase App Distribution Now GA

The role roles/firebaseappdistro.viewer (Firebase App Distribution Viewer) is now GA.

Google Distributed Cloud Now GA

The role roles/gkeonprem.admin (GKE on-prem Admin) is now GA.

Google Distributed Cloud Now GA

The role roles/gkeonprem.viewer (GKE on-prem Viewer) is now GA.

Rapid Migration Assessment Now GA

The role roles/rapidmigrationassessment.serviceAgent (RMA Service Agent) is now GA.

Spanner Now GA

The role roles/spanner.databaseRoleUser (Cloud Spanner Database Role User) is now GA.

Spanner Now GA

The role roles/spanner.fineGrainedAccessUser (Cloud Spanner Fine-grained Access User) is now GA.

Stream Now GA

The role roles/stream.admin (Stream Admin) is now GA.

Stream Now GA

The role roles/stream.contentAdmin (Stream Content Admin) is now GA.

Stream Now GA

The role roles/stream.contentBuilder (Stream Content Builder) is now GA.

Stream Now GA

The role roles/stream.instanceAdmin (Stream Instance Admin) is now GA.

Stream Now GA

The role roles/stream.viewer (Stream Viewer) is now GA.

Data Catalog Added datacatalog.entries.updateContacts
datacatalog.entries.updateOverview
Data Catalog Supported In Custom Roles datacatalog.entries.updateContacts
datacatalog.entries.updateOverview
Firebase App Distribution Now GA firebaseappdistro.groups.list
firebaseappdistro.groups.update
firebaseappdistro.releases.list
firebaseappdistro.releases.update
firebaseappdistro.testers.list
firebaseappdistro.testers.update
Google Distributed Cloud Now GA gkeonprem.bareMetalClusters.create
gkeonprem.bareMetalClusters.delete
gkeonprem.bareMetalClusters.enroll
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalClusters.setIamPolicy
gkeonprem.bareMetalClusters.unenroll
gkeonprem.bareMetalClusters.update
gkeonprem.bareMetalNodePools.create
gkeonprem.bareMetalNodePools.delete
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.bareMetalNodePools.setIamPolicy
gkeonprem.bareMetalNodePools.update
gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Payment Gateway issuer switch Added issuerswitch.complaintTransactions.list
issuerswitch.complaints.create
issuerswitch.complaints.resolve
issuerswitch.disputes.create
issuerswitch.disputes.resolve
issuerswitch.financialTransactions.list
issuerswitch.mandateTransactions.list
issuerswitch.metadataTransactions.list
issuerswitch.operations.cancel
issuerswitch.operations.delete
issuerswitch.operations.get
issuerswitch.operations.list
issuerswitch.operations.wait
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.create
issuerswitch.ruleMetadataValues.delete
issuerswitch.ruleMetadataValues.list
issuerswitch.rules.list
Recommender Added recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update
recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update
Recommender Supported In Custom Roles recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update
recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update
Rapid Migration Assessment Added rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list
Rapid Migration Assessment Supported In Custom Roles rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list
Spanner Added spanner.databaseRoles.list
spanner.databaseRoles.use
spanner.databases.useRoleBasedAccess
Spanner Now GA spanner.databaseRoles.list
spanner.databaseRoles.use
spanner.databases.useRoleBasedAccess
Speech-to-Text Added speech.config.get
speech.config.update
speech.customClasses.undelete
speech.operations.cancel
speech.operations.delete
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.undelete
speech.recognizers.create
speech.recognizers.delete
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
speech.recognizers.undelete
speech.recognizers.update
Speech-to-Text Now GA speech.config.get
speech.config.update
speech.customClasses.undelete
speech.operations.cancel
speech.operations.delete
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.undelete
speech.recognizers.create
speech.recognizers.delete
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
speech.recognizers.undelete
speech.recognizers.update
Stream Added stream.locations.get
stream.locations.list
stream.operations.cancel
stream.operations.delete
stream.operations.get
stream.operations.list
stream.streamContents.build
stream.streamContents.create
stream.streamContents.delete
stream.streamContents.get
stream.streamContents.list
stream.streamContents.update
stream.streamInstances.create
stream.streamInstances.delete
stream.streamInstances.get
stream.streamInstances.list
stream.streamInstances.rollout
stream.streamInstances.update
Stream Supported In Custom Roles stream.locations.get
stream.locations.list
stream.operations.cancel
stream.operations.delete
stream.operations.get
stream.operations.list
stream.streamContents.build
stream.streamContents.create
stream.streamContents.delete
stream.streamContents.get
stream.streamContents.list
stream.streamContents.update
stream.streamInstances.create
stream.streamInstances.delete
stream.streamInstances.get
stream.streamInstances.list
stream.streamInstances.rollout
stream.streamInstances.update
Stream Now GA stream.locations.get
stream.locations.list
stream.operations.cancel
stream.operations.delete
stream.operations.get
stream.operations.list
stream.streamContents.build
stream.streamContents.create
stream.streamContents.delete
stream.streamContents.get
stream.streamContents.list
stream.streamContents.update
stream.streamInstances.create
stream.streamInstances.delete
stream.streamInstances.get
stream.streamInstances.list
stream.streamInstances.rollout
stream.streamInstances.update

Cloud IAM changes as of 2022-08-26

Service Change Description
App Engine Now GA

The role roles/appengine.memcacheDataAdmin (App Engine Memcache Data Admin) is now GA.

Container Threat Detection Role Updated

The following permissions have been added to the role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent):

container.clusterRoles.escalate
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.update

Identity and Access Management Now GA

The role roles/iam.serviceAccountOpenIdTokenCreator (Service Account OpenID Connect Identity Token Creator) is now GA.

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Integrations Service Agent):

run.jobs.run
run.routes.invoke

Workload Manager Now GA

The role roles/workloadmanager.serviceAgent (Workload Manager Service Agent) is now GA.

Firebase In-App Messaging Campaigns Added firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
firebasemessagingcampaigns.campaigns.update
Firebase In-App Messaging Campaigns Supported In Custom Roles firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
firebasemessagingcampaigns.campaigns.update
Cloud Logging Added logging.links.create
logging.links.delete
logging.links.get
logging.links.list
Recommender Added recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update
recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update
Recommender Supported In Custom Roles recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update
recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update
Retail API Now GA retail.controls.create
retail.controls.delete
retail.controls.get
retail.controls.list
retail.controls.update
retail.servingConfigs.create
retail.servingConfigs.delete
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.update

Cloud IAM changes as of 2022-08-19

Service Change Description
Analytics Hub Now GA

The role roles/analyticshub.admin (Analytics Hub Admin) is now GA.

Analytics Hub Now GA

The role roles/analyticshub.listingAdmin (Analytics Hub Listing Admin) is now GA.

Analytics Hub Now GA

The role roles/analyticshub.publisher (Analytics Hub Publisher) is now GA.

Analytics Hub Now GA

The role roles/analyticshub.subscriber (Analytics Hub Subscriber) is now GA.

Analytics Hub Now GA

The role roles/analyticshub.viewer (Analytics Hub Viewer) is now GA.

Cloud Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusters.update
container.operations.get
gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create
serviceusage.services.get
serviceusage.services.use

Recommendations Role Updated

The following permissions have been added to the role roles/automlrecommendations.serviceAgent (Recommendations AI Service Agent):

bigquery.tables.update

Google Cloud Contact Center as a Service Now GA

The role roles/contactcenteraiplatform.admin (Contact Center AI Platform Admin) is now GA.

Google Cloud Contact Center as a Service Now GA

The role roles/contactcenteraiplatform.viewer (Contact Center AI Platform Viewer) is now GA.

Google Kubernetes Engine Now GA

The role roles/container.nodeServiceAccount (Kubernetes Engine Node Service Account) is now GA.

Retail API Role Updated

The following permissions have been added to the role roles/retail.serviceAgent (Retail Service Agent):

bigquery.tables.update

Storage Transfer Service Role Updated

The following permissions have been added to the role roles/storagetransfer.transferAgent (Storage Transfer Agent):

monitoring.timeSeries.create

Analytics Hub Now GA analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Bare Metal Solution Added baremetalsolution.instances.detachLun
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.detachLun
Bare Metal Solution Now GA baremetalsolution.instances.detachLun
Cloud Deploy Added clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.rollouts.retryJob
Cloud Deploy Supported In Custom Roles clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.rollouts.retryJob
Google Cloud Contact Center as a Service Added contactcenteraiplatform.contactCenters.create
contactcenteraiplatform.contactCenters.delete
contactcenteraiplatform.contactCenters.get
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.contactCenters.update
contactcenteraiplatform.locations.get
contactcenteraiplatform.locations.list
contactcenteraiplatform.operations.cancel
contactcenteraiplatform.operations.delete
contactcenteraiplatform.operations.get
contactcenteraiplatform.operations.list
Google Cloud Contact Center as a Service Now GA contactcenteraiplatform.contactCenters.create
contactcenteraiplatform.contactCenters.delete
contactcenteraiplatform.contactCenters.get
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.contactCenters.update
contactcenteraiplatform.locations.get
contactcenteraiplatform.locations.list
contactcenteraiplatform.operations.cancel
contactcenteraiplatform.operations.delete
contactcenteraiplatform.operations.get
contactcenteraiplatform.operations.list
Content Warehouse Added contentwarehouse.operations.get
Firebase Added firebase.clients.undelete
Firebase Now GA firebase.clients.undelete
Identity and Access Management Added iam.workforcePoolProviders.create
iam.workforcePoolProviders.delete
iam.workforcePoolProviders.get
iam.workforcePoolProviders.list
iam.workforcePoolProviders.undelete
iam.workforcePoolProviders.update
iam.workforcePoolSubjects.delete
iam.workforcePoolSubjects.undelete
iam.workforcePools.create
iam.workforcePools.delete
iam.workforcePools.get
iam.workforcePools.getIamPolicy
iam.workforcePools.list
iam.workforcePools.setIamPolicy
iam.workforcePools.undelete
iam.workforcePools.update
Identity and Access Management Supported In Custom Roles iam.workforcePoolProviders.create
iam.workforcePoolProviders.delete
iam.workforcePoolProviders.get
iam.workforcePoolProviders.list
iam.workforcePoolProviders.undelete
iam.workforcePoolProviders.update
iam.workforcePoolSubjects.delete
iam.workforcePoolSubjects.undelete
iam.workforcePools.create
iam.workforcePools.delete
iam.workforcePools.get
iam.workforcePools.getIamPolicy
iam.workforcePools.list
iam.workforcePools.setIamPolicy
iam.workforcePools.undelete
iam.workforcePools.update
Identity and Access Management Added iam.googleapis.com/workforcePoolProviders.create
iam.googleapis.com/workforcePoolProviders.delete
iam.googleapis.com/workforcePoolProviders.get
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePoolProviders.undelete
iam.googleapis.com/workforcePoolProviders.update
iam.googleapis.com/workforcePoolSubjects.delete
iam.googleapis.com/workforcePoolSubjects.undelete
iam.googleapis.com/workforcePools.create
iam.googleapis.com/workforcePools.delete
iam.googleapis.com/workforcePools.get
iam.googleapis.com/workforcePools.getIamPolicy
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workforcePools.setIamPolicy
iam.googleapis.com/workforcePools.undelete
iam.googleapis.com/workforcePools.update
Identity and Access Management Supported In Custom Roles iam.googleapis.com/workforcePoolProviders.create
iam.googleapis.com/workforcePoolProviders.delete
iam.googleapis.com/workforcePoolProviders.get
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePoolProviders.undelete
iam.googleapis.com/workforcePoolProviders.update
iam.googleapis.com/workforcePoolSubjects.delete
iam.googleapis.com/workforcePoolSubjects.undelete
iam.googleapis.com/workforcePools.create
iam.googleapis.com/workforcePools.delete
iam.googleapis.com/workforcePools.get
iam.googleapis.com/workforcePools.getIamPolicy
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workforcePools.setIamPolicy
iam.googleapis.com/workforcePools.undelete
iam.googleapis.com/workforcePools.update
VM Migration Supported In Custom Roles vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.groups.create
vmmigration.groups.delete
vmmigration.groups.get
vmmigration.groups.list
vmmigration.groups.update
vmmigration.locations.get
vmmigration.locations.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.operations.cancel
vmmigration.operations.delete
vmmigration.operations.get
vmmigration.operations.list
vmmigration.sources.create
vmmigration.sources.delete
vmmigration.sources.get
vmmigration.sources.list
vmmigration.sources.update
vmmigration.targets.create
vmmigration.targets.delete
vmmigration.targets.get
vmmigration.targets.list
vmmigration.targets.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
Workload Manager Added workloadmanager.evaluations.create
workloadmanager.evaluations.delete
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.evaluations.run
workloadmanager.evaluations.update
workloadmanager.executions.delete
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.locations.get
workloadmanager.locations.list
workloadmanager.operations.cancel
workloadmanager.operations.delete
workloadmanager.operations.get
workloadmanager.operations.list
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Supported In Custom Roles workloadmanager.evaluations.create
workloadmanager.evaluations.delete
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.evaluations.run
workloadmanager.evaluations.update
workloadmanager.executions.delete
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.locations.get
workloadmanager.locations.list
workloadmanager.operations.cancel
workloadmanager.operations.delete
workloadmanager.operations.get
workloadmanager.operations.list
workloadmanager.results.list
workloadmanager.rules.list

Cloud IAM changes as of 2022-08-12

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

bigquery.models.create
bigquery.models.getData
bigquery.readsessions.getData

Connectors Now GA

The role roles/connectors.invoker (Connector Invoker) is now GA.

Firebase App Check Role Updated

The following permissions have been added to the role roles/firebaseappcheck.serviceAgent (Firebase App Check Service Agent):

serviceusage.services.use

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Integrations Service Agent):

connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
integrations.apigeeSuspensions.lift
integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.topics.attachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Google Cloud Migration Center Now GA

The role roles/migrationcenter.serviceAgent (Migration Center Service Agent) is now GA.

Bigtable Added bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
Bigtable Now GA bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
Connectors Added connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Connectors Supported In Custom Roles connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Connectors Now GA connectors.actions.execute
connectors.actions.list
connectors.connections.executeSqlQuery
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
Google Cloud Migration Center Added migrationcenter.assets.create
migrationcenter.assets.delete
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.assets.update
migrationcenter.groups.create
migrationcenter.groups.delete
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.groups.update
migrationcenter.importJobs.create
migrationcenter.importJobs.delete
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.importJobs.update
migrationcenter.locations.get
migrationcenter.locations.list
migrationcenter.operations.cancel
migrationcenter.operations.delete
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.sources.create
migrationcenter.sources.delete
migrationcenter.sources.get
migrationcenter.sources.list
migrationcenter.sources.update
Google Cloud Migration Center Supported In Custom Roles migrationcenter.assets.create
migrationcenter.assets.delete
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.assets.update
migrationcenter.groups.create
migrationcenter.groups.delete
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.groups.update
migrationcenter.importJobs.create
migrationcenter.importJobs.delete
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.importJobs.update
migrationcenter.locations.get
migrationcenter.locations.list
migrationcenter.operations.cancel
migrationcenter.operations.delete
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.sources.create
migrationcenter.sources.delete
migrationcenter.sources.get
migrationcenter.sources.list
migrationcenter.sources.update
Retail API Now GA retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.get
retail.attributesConfigs.removeCatalogAttribute
retail.attributesConfigs.replaceCatalogAttribute
retail.attributesConfigs.update

Cloud IAM changes as of 2022-08-05

Service Change Description
Artifact Registry Role Updated

The following permissions have been added to the role roles/artifactregistry.serviceAgent (Artifact Registry Service Agent):

artifactregistry.versions.delete

Backup and Disaster Recovery Now GA

The role roles/backupdr.admin (Backup and DR Admin) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.user (Backup and DR User) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.viewer (Backup and DR Viewer) is now GA.

Multi-Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

container.customResourceDefinitions.list

Backup and Disaster Recovery Added backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Backup and Disaster Recovery Supported In Custom Roles backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Backup and Disaster Recovery Now GA backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Commerce Offer Catalog Added commerceoffercatalog.documents.get
Cloud Commerce Consumer Procurement Added consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
Maps Admin Added mapsadmin.styleSnapshots.list
mapsadmin.styleSnapshots.update
Maps Admin Now GA mapsadmin.styleSnapshots.list
mapsadmin.styleSnapshots.update

Cloud IAM changes as of 2022-07-29

Service Change Description
Network Management API Role Updated

The following permissions have been added to the role roles/networkmanagement.admin (Network Management Admin):

resourcemanager.organizations.get

Network Management API Role Updated

The following permissions have been added to the role roles/networkmanagement.viewer (Network Management Viewer):

resourcemanager.organizations.get

Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

compute.networks.get

Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

compute.networks.get

Assured Workloads Added assuredworkloads.violations.update
Assured Workloads Supported In Custom Roles assuredworkloads.violations.update
Assured Workloads Now GA assuredworkloads.violations.update
Cloud Asset Inventory Added cloudasset.assets.exportOSInventories
Cloud Asset Inventory Supported In Custom Roles cloudasset.assets.exportOSInventories
Cloud Asset Inventory Now GA cloudasset.assets.exportOSInventories
Translation Added cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
Translation Supported In Custom Roles cloudtranslate.glossaries.update
Translation Now GA cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
Compute Engine Added compute.regionTargetHttpsProxies.update
compute.targetHttpsProxies.update
Compute Engine Now GA compute.regionTargetHttpsProxies.update
compute.targetHttpsProxies.update
Timeseries Insights API Added timeseriesinsights.locations.get
timeseriesinsights.locations.list
Timeseries Insights API Supported In Custom Roles timeseriesinsights.locations.get
timeseriesinsights.locations.list

Cloud IAM changes as of 2022-07-22

Service Change Description
Cloud Billing Role Updated

The following permissions have been added to the role roles/billing.admin (Billing Account Administrator):

cloudsupport.properties.get
cloudsupport.techCases.create
cloudsupport.techCases.escalate
cloudsupport.techCases.get
cloudsupport.techCases.list
cloudsupport.techCases.update
resourcemanager.projects.get
resourcemanager.projects.list

Workload Certificate Role Updated

The following permissions have been added to the role roles/workloadcertificate.serviceAgent (Workload Certificate Service Agent):

container.customResourceDefinitions.create
container.customResourceDefinitions.get
container.customResourceDefinitions.list

Bare Metal Solution Added baremetalsolution.volumes.resize
Bare Metal Solution Supported In Custom Roles baremetalsolution.volumes.resize
Bare Metal Solution Now GA baremetalsolution.volumes.resize
Eventarc Added eventarc.channels.attach
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
Eventarc Supported In Custom Roles eventarc.channels.attach
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
Firebase Realtime Database Added firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Firebase Realtime Database Supported In Custom Roles firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Firebase Realtime Database Now GA firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Retail API Added retail.servingConfigs.predict
retail.servingConfigs.search

Cloud IAM changes as of 2022-07-15

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy

Google Kubernetes Engine Now GA

The role roles/container.nodeServiceAgent (Kubernetes Engine Node Service Agent) is now GA.

Eventarc Role Updated

The following permissions have been added to the role roles/eventarc.serviceAgent (Eventarc Service Agent):

cloudfunctions.functions.get

Identity-Aware Proxy Now GA

The role roles/iap.tunnelDestGroupEditor (IAP-secured Tunnel Destination Group Editor) is now GA.

Identity-Aware Proxy Now GA

The role roles/iap.tunnelDestGroupViewer (IAP-secured Tunnel Destination Group Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.certificateViewer (Certificate Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationAdmin (Application Integration Admin) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationDeployer (Application Integration Deployer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationEditor (Application Integration Editor) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationInvoker (Application Integration Invoker) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationViewer (Application Integration Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceAdmin (Application Integration SFDC Instance Admin) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceEditor (Application Integration SFDC Instance Editor) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceViewer (Application Integration SFDC Instance Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.suspensionResolver (Application Integration Suspension Resolver) is now GA.

Cloud Service Mesh control plane Role Updated

The following permissions have been added to the role roles/meshcontrolplane.serviceAgent (Mesh Managed Control Plane Service Agent):

container.clusters.update

Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy

Vertex AI Added aiplatform.entityTypes.deleteFeatureValues
Chrome Enterprise Premium Added beyondcorp.appConnections.create
beyondcorp.appConnections.delete
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnections.update
beyondcorp.appConnectors.create
beyondcorp.appConnectors.delete
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.reportStatus
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appConnectors.update
beyondcorp.appGateways.create
beyondcorp.appGateways.delete
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.appGateways.update
beyondcorp.clientConnectorServices.access
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy
beyondcorp.locations.get
beyondcorp.locations.list
beyondcorp.operations.cancel
beyondcorp.operations.delete
beyondcorp.operations.get
beyondcorp.operations.list
Chrome Enterprise Premium Supported In Custom Roles beyondcorp.appConnections.create
beyondcorp.appConnections.delete
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnections.update
beyondcorp.appConnectors.create
beyondcorp.appConnectors.delete
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.reportStatus
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appConnectors.update
beyondcorp.appGateways.create
beyondcorp.appGateways.delete
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.appGateways.update
beyondcorp.clientConnectorServices.access
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy
beyondcorp.locations.get
beyondcorp.locations.list
beyondcorp.operations.cancel
beyondcorp.operations.delete
beyondcorp.operations.get
beyondcorp.operations.list
Identity-Aware Proxy Now GA iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Cloud Integrations Added integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve
Cloud Integrations Now GA integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve
Secured Landing Zone Added securedlandingzone.operations.get
securedlandingzone.overwatches.activate
securedlandingzone.overwatches.create
securedlandingzone.overwatches.delete
securedlandingzone.overwatches.get
securedlandingzone.overwatches.list
securedlandingzone.overwatches.suspend
securedlandingzone.overwatches.update
Secured Landing Zone Supported In Custom Roles securedlandingzone.overwatches.activate
securedlandingzone.overwatches.suspend

Cloud IAM changes as of 2022-06-24

Service Change Description
Config Management Role Updated

The following permissions have been added to the role roles/anthosconfigmanagement.serviceAgent (Anthos Config Management Service Agent):

container.clusters.get

Batch Now GA

The role roles/batch.serviceAgent (Google Batch Service Agent) is now GA.

Firebase Test Lab Role Updated

The following permissions have been added to the role roles/cloudtestservice.testAdmin (Firebase Test Lab Admin):

storage.objects.delete

Apigee Added apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats
Apigee Now GA apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

Cloud IAM changes as of 2022-06-17

Service Change Description
Care Studio Now GA

The role roles/carestudio.viewer (Care Studio Patients Viewer) is now GA.

Translation Role Updated

The following permissions have been added to the role roles/cloudtranslate.serviceAgent (Cloud Translation API Service Agent):

automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.models.get
automl.models.list
automl.operations.get

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

resourcemanager.projects.getIamPolicy

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription

Cloud DNS Role Updated

The following permissions have been added to the role roles/dns.admin (DNS Administrator):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy

Document AI Role Updated

The following permissions have been added to the role roles/documentaicore.serviceAgent (DocumentAI Core Service Agent):

documentai.humanReviewConfigs.review

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy

Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Integrations Service Agent):

pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.update
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.update
pubsub.topics.updateTag

Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy

Basic Role Role Updated

The following permissions have been removed from the role roles/viewer (Viewer):

apigee.archivedeployments.upload

Bare Metal Solution Added baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Now GA baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Batch Added batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
Batch Supported In Custom Roles batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
BigQuery Supported In Custom Roles bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
Bigtable Added bigtable.tables.undelete
Bigtable Now GA bigtable.tables.undelete
Care Studio Now GA carestudio.patients.get
carestudio.patients.list
Cloud Integrations Added integrations.apigeeSuspensions.lift
Cloud Integrations Now GA integrations.apigeeSuspensions.lift
Service Networking Added servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Service Networking Supported In Custom Roles servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Timeseries Insights API Added timeseriesinsights.datasets.create
timeseriesinsights.datasets.delete
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.datasets.update

Cloud IAM changes as of 2022-06-10

Service Change Description
App Engine Role Updated

The following permissions have been added to the role roles/appengine.appAdmin (App Engine Admin):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.admin (Dataplex Administrator):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

cloudasset.assets.analyzeIamPolicy
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

cloudasset.assets.analyzeIamPolicy
Cloud Integrations Now GA

The role roles/integrations.serviceAgent (Integrations Service Agent) is now GA.

Dataproc Metastore Now GA

The role roles/metastore.federationAccessor (Metastore Federation Accessor) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagAdmin (Tag Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagHoldAdmin (Tag Hold Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagUser (Tag User) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagViewer (Tag Viewer) is now GA.

Access Approval Added accessapproval.requests.invalidate
Access Approval Supported In Custom Roles accessapproval.requests.invalidate
AlloyDB for PostgreSQL Added alloydb.backups.create
alloydb.backups.delete
alloydb.backups.get
alloydb.backups.list
alloydb.backups.update
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.failover
alloydb.instances.get
alloydb.instances.list
alloydb.instances.restart
alloydb.instances.update
alloydb.locations.get
alloydb.locations.list
alloydb.operations.cancel
alloydb.operations.delete
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
Artifact Registry Added artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
Artifact Registry Now GA artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
AutoML Added automl.files.delete
automl.files.list
Bare Metal Solution Added baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Now GA baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Cloud Billing Added billing.accounts.getCarbonInformation
Cloud Billing Supported In Custom Roles billing.accounts.getCarbonInformation
Cloud Billing Now GA billing.accounts.getCarbonInformation
Cloud Deploy Added clouddeploy.releases.abandon
Cloud Deploy Supported In Custom Roles clouddeploy.releases.abandon
Commerce Price Management Added commerceprice.privateoffers.cancel
Commerce Price Management Supported In Custom Roles commerceprice.privateoffers.cancel
Datastream Added datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
Cloud DNS Added dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Cloud DNS Supported In Custom Roles dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Identity and Access Management Added iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Supported In Custom Roles iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Now GA iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Dataproc Metastore Added metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Supported In Custom Roles metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Now GA metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Resource Manager Now GA resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcemanager.tagValues.update

Cloud IAM changes as of 2022-05-27

Service Change Description
AlloyDB for PostgreSQL Now GA

The role roles/alloydb.serviceAgent (AlloyDB Service Agent) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.images.useReadOnly
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.createTagBinding
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.updateDisplayDevice
compute.machineImages.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.subnetworks.useExternalIp
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.worker (Dataflow Worker):

monitoring.timeSeries.create
Live Stream Role Updated

The following permissions have been added to the role roles/livestream.serviceAgent (Live Stream Service Agent):

storage.objects.get
storage.objects.list
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
Vertex AI Added aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy
Container Security Added containersecurity.locations.get
containersecurity.locations.list
Network Management API Added networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Supported In Custom Roles networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Now GA networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Services Added networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
Network Services Supported In Custom Roles networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
reCAPTCHA Added recaptchaenterprise.keys.retrievelegacysecretkey
Transfer Appliance Added transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update
Transfer Appliance Supported In Custom Roles transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update

Cloud IAM changes as of 2022-05-20

Service Change Description
Cloud Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
Backup for GKE Role Updated

The following permissions have been added to the role roles/gkebackup.serviceAgent (Backup for GKE Service Agent):

compute.disks.list
compute.disks.setLabels
Vertex AI Added aiplatform.humanInTheLoops.queryAnnotationStats
Bare Metal Solution Added baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Supported In Custom Roles baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Now GA baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
BigQuery Added bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
BigQuery Supported In Custom Roles bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
Recommender Added recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Recommender Supported In Custom Roles recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Service Security Insights Added servicesecurityinsights.securityInfo.list
Service Security Insights Supported In Custom Roles servicesecurityinsights.securityInfo.list

Cloud IAM changes as of 2022-05-13

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

logging.cmekSettings.update
Maps Admin Now GA

The role roles/mapsadmin.admin (Maps API Admin) is now GA.

Maps Admin Now GA

The role roles/mapsadmin.viewer (Maps API Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

orgpolicy.policies.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

orgpolicy.policies.list
Service Security Insights Role Added

The role roles/servicesecurityinsights.securityInsightsViewer (Security Insights Viewer) has been added with the following permissions:

servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.clusters.get
servicesecurityinsights.clusters.list
servicesecurityinsights.googleapis.com/clusterSecurityInfo.get
servicesecurityinsights.googleapis.com/clusterSecurityInfo.list
servicesecurityinsights.googleapis.com/clusters.get
servicesecurityinsights.googleapis.com/clusters.list
servicesecurityinsights.googleapis.com/locations.get
servicesecurityinsights.googleapis.com/locations.list
servicesecurityinsights.googleapis.com/namespaces.get
servicesecurityinsights.googleapis.com/namespaces.list
servicesecurityinsights.googleapis.com/policies.get
servicesecurityinsights.googleapis.com/policyTypes.get
servicesecurityinsights.googleapis.com/policyTypes.list
servicesecurityinsights.googleapis.com/projectStates.get
servicesecurityinsights.googleapis.com/securityInfo.list
servicesecurityinsights.googleapis.com/securityViews.get
servicesecurityinsights.googleapis.com/workloadPolicies.list
servicesecurityinsights.googleapis.com/workloadSecurityInfo.get
servicesecurityinsights.googleapis.com/workloadTypes.get
servicesecurityinsights.googleapis.com/workloadTypes.list
servicesecurityinsights.googleapis.com/workloads.get
servicesecurityinsights.googleapis.com/workloads.list
servicesecurityinsights.locations.get
servicesecurityinsights.locations.list
servicesecurityinsights.namespaces.get
servicesecurityinsights.namespaces.list
servicesecurityinsights.policies.get
servicesecurityinsights.policyTypes.get
servicesecurityinsights.policyTypes.list
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityInfo.list
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get
servicesecurityinsights.workloadTypes.get
servicesecurityinsights.workloadTypes.list
servicesecurityinsights.workloads.get
servicesecurityinsights.workloads.list
Apigee Added apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Supported In Custom Roles apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Now GA apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Artifact Registry Added artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Supported In Custom Roles artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Now GA artifactregistry.locations.get
artifactregistry.locations.list
Care Studio Added carestudio.patients.get
carestudio.patients.list
Identity-Aware Proxy Added iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Identity-Aware Proxy Supported In Custom Roles iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Maps Admin Added mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Supported In Custom Roles mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Now GA mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Certificate Authority Service Added privateca.caPools.use
Certificate Authority Service Now GA privateca.caPools.use

Cloud IAM changes as of 2022-05-06

Service Change Description
Cloud Billing Now GA

The role roles/billing.carbonViewer (Carbon Footprint Viewer) is now GA.

Cloud Run functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.developer (Cloud Functions Developer):

run.operations.delete
run.operations.get
run.operations.list
Cloud Run functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

run.operations.delete
run.operations.get
run.operations.list
Firebase App Check Now GA

The role roles/firebaseappcheck.admin (Firebase App Check Admin) is now GA.

Firebase App Check Now GA

The role roles/firebaseappcheck.viewer (Firebase App Check Viewer) is now GA.

Recommender Now GA

The role roles/recommender.gmpAdmin (Google Maps Platform Insights/Recommendations Admin) is now GA.

Recommender Now GA

The role roles/recommender.gmpViewer (Google Maps Platform Insights/Recommendations Viewer) is now GA.

Cloud Run Role Updated

The following permissions have been added to the role roles/run.developer (Cloud Run Developer):

run.operations.delete
run.operations.get
run.operations.list
Container Security Added containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Container Security Supported In Custom Roles containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Eventarc Added eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Eventarc Supported In Custom Roles eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Firebase App Check Added firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
Firebase App Check Now GA firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.extendSchema
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.domains.extendSchema
Recommender Added recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Supported In Custom Roles recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Now GA recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Cloud Run Added run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Cloud Run Supported In Custom Roles run.jobs.run
run.jobs.update
Cloud Run Now GA run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Service Security Insights Added servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.policies.get
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get

Cloud IAM changes as of 2022-04-29

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiAdminV2 (Apigee API Admin):

apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
Content Warehouse Role Updated

The following permissions have been removed from the role roles/contentwarehouse.documentEditor (Content Warehouse Document Editor):

contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.setIamPolicy
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
serviceusage.services.use
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

iam.serviceAccounts.actAs
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.client (Cloud Speech Client):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Apigee Added apigee.datalocation.get
Apigee Supported In Custom Roles apigee.datalocation.get
Apigee Now GA apigee.datalocation.get
Compute Engine Added compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Compute Engine Now GA compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Eventarc Added eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Eventarc Supported In Custom Roles eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Firebase App Check Added firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Recommender Added recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Supported In Custom Roles recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Now GA recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

Cloud IAM changes as of 2022-04-22

Service Change Description
BigQuery Migration API Now GA

The role roles/bigquerymigration.editor (MigrationWorkflow Editor) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.orchestrator (Task Orchestrator) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.translationUser (Migration Translation User) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.viewer (MigrationWorkflow Viewer) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.worker (Task Worker) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

serviceusage.services.use
Storage Transfer Service Role Updated

The following permissions have been removed from the role roles/storagetransfer.transferAgent (Storage Transfer Agent):

pubsub.snapshots.seek
BigQuery Migration API Now GA bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Cloud Key Management Service Added cloudkms.keyRings.listEffectiveTags
Cloud Key Management Service Now GA cloudkms.keyRings.listEffectiveTags
Cloud Optimization Added cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud Optimization Supported In Custom Roles cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud SQL Added cloudsql.instances.listEffectiveTags
cloudsql.users.get
Cloud SQL Supported In Custom Roles cloudsql.users.get
Cloud SQL Now GA cloudsql.instances.listEffectiveTags
cloudsql.users.get
Compute Engine Added compute.disks.listEffectiveTags
compute.images.listEffectiveTags
compute.instances.listEffectiveTags
compute.snapshots.listEffectiveTags
Google Kubernetes Engine Added container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Google Kubernetes Engine Now GA container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Cloud Domains Added domains.registrations.listEffectiveTags
Cloud Domains Now GA domains.registrations.listEffectiveTags
Filestore Added file.backups.listEffectiveTags
file.instances.listEffectiveTags
file.snapshots.listEffectiveTags
GKE Hub Supported In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.listEffectiveTags
Managed Service for Microsoft Active Directory Now GA managedidentities.domains.listEffectiveTags
Recommender Added recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Supported In Custom Roles recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Now GA recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
Resource Manager Added resourcemanager.hierarchyNodes.listEffectiveTags
Spanner Added spanner.backups.copy
Spanner Supported In Custom Roles spanner.backups.copy
Spanner Now GA spanner.backups.copy
Cloud Storage Added storage.buckets.listEffectiveTags
Cloud Storage Now GA storage.buckets.listEffectiveTags

Cloud IAM changes as of 2022-04-15

Service Change Description
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

aiplatform.entityTypes.exportFeatureValues
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

aiplatform.entityTypes.exportFeatureValues
Cloud Run functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.operations.get
cloudfunctions.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.tasks.create
dataplex.tasks.update
Speech-to-Text Now GA

The role roles/speech.serviceAgent (Cloud Speech-to-Text Service Agent) is now GA.

BigQuery Added bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
BigQuery Migration API Added bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Compute Engine Added compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
Compute Engine Now GA compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list

Cloud IAM changes as of 2022-04-08

Service Change Description
Assured Workloads Role Updated

The following permissions have been removed from the role roles/assuredworkloads.serviceAgent (Assured Workloads Service Agent):

cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.escalate
Recommender Now GA

The role roles/recommender.errorReportingAdmin (Error Reporting Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.errorReportingViewer (Error Reporting Recommender Viewer) is now GA.

Apigee Registry Added apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Apigee Registry Supported In Custom Roles apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Google Distributed Cloud Added gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Google Distributed Cloud Supported In Custom Roles gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Memorystore for Memcached Added memcache.instances.rescheduleMaintenance
Memorystore for Memcached Supported In Custom Roles memcache.instances.rescheduleMaintenance
Memorystore for Memcached Now GA memcache.instances.rescheduleMaintenance
Recommender Now GA recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Resource Manager Added resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
Resource Manager Supported In Custom Roles resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list

Cloud IAM changes as of 2022-04-01

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.admin (Apigee Organization Admin):

monitoring.timeSeries.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.readOnlyAdmin (Apigee Read-only Admin):

monitoring.timeSeries.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.admin (Bare Metal Solution Admin):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.viewer (Bare Metal Solution Viewer):

baremetalsolution.luns.get
baremetalsolution.luns.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.viewer (Dataflow Viewer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Filestore Added file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listTagBindings
GKE Hub Available In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Notebooks Added notebooks.runtimes.update
Notebooks Now GA notebooks.runtimes.update

Cloud IAM changes as of 2022-03-25

Service Change Description
Recommendations Role Updated

The following permissions have been added to the role roles/automlrecommendations.admin (Recommendations AI Admin):

retail.retailProjects.get
Recommendations Role Updated

The following permissions have been added to the role roles/automlrecommendations.adminViewer (Recommendations AI Admin Viewer):

retail.retailProjects.get
Recommendations Role Updated

The following permissions have been added to the role roles/automlrecommendations.editor (Recommendations AI Editor):

retail.retailProjects.get
Recommendations Role Updated

The following permissions have been added to the role roles/automlrecommendations.viewer (Recommendations AI Viewer):

retail.retailProjects.get
Firewall Insights Role Updated

The following permissions have been added to the role roles/firewallinsights.serviceAgent (Cloud Firewall Insights Service Agent):

compute.networks.getEffectiveFirewalls
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Advisory Notifications Added advisorynotifications.notifications.get
advisorynotifications.notifications.list
Analytics Hub Added analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Analytics Hub Supported In Custom Roles analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Apigee Added apigee.keyvaluemapentries.list
Apigee Supported In Custom Roles apigee.keyvaluemapentries.list
Apigee Now GA apigee.keyvaluemapentries.list
Artifact Registry Added artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Supported In Custom Roles artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Now GA artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
BigQuery Added bigquery.tables.createIndex
bigquery.tables.deleteIndex
BigQuery Supported In Custom Roles bigquery.tables.createIndex
bigquery.tables.deleteIndex
Compute Engine Added compute.backendBuckets.setSecurityPolicy
Compute Engine Now GA compute.backendBuckets.setSecurityPolicy
Datastore Supported In Custom Roles datastore.databases.create
datastore.databases.getMetadata
datastore.databases.list
datastore.databases.update
Cloud Domains Added domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Cloud Domains Now GA domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Retail API Added retail.retailProjects.get
Cloud Run Added run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Supported In Custom Roles run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Now GA run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings

Cloud IAM changes as of 2022-03-18

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.editor (Assured Workloads Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.reader (Assured Workloads Reader):

assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsadmin (Luns Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsviewer (Luns Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesadmin (NFS Shares Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfsshareseditor (NFS Shares Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesviewer (NFS Shares Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesadmin (Volume Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumeseditor (Volumes Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumessviewer (Volumes Viewer) is now GA.

Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.instances.start
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

assuredworkloads.violations.list
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

assuredworkloads.violations.get
assuredworkloads.violations.list
Recommender Now GA

The role roles/recommender.dataflowDiagnosticsAdmin (Dataflow Diagnostics Admin) is now GA.

Recommender Now GA

The role roles/recommender.dataflowDiagnosticsViewer (Dataflow Diagnostics Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Added assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Added baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Now GA baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Recommender Added recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Supported In Custom Roles recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Now GA recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update

Cloud IAM changes as of 2022-03-11

Service Change Description
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.list
Distributed Cloud Edge Container Now GA

The role roles/edgecontainer.admin (Edge Container Admin) is now GA.

Distributed Cloud Edge Container Now GA

The role roles/edgecontainer.machineUser (Edge Container Machine User) is now GA.

Distributed Cloud Edge Container Now GA

The role roles/edgecontainer.viewer (Edge Container Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

servicedirectory.networks.attach
Backup for GKE Now GA

The role roles/gkebackup.serviceAgent (Backup for GKE Service Agent) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

servicedirectory.networks.attach
Retail API Role Updated

The following permissions have been added to the role roles/retail.viewer (Retail Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Distributed Cloud Edge Container Added edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Distributed Cloud Edge Container Supported In Custom Roles

edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Distributed Cloud Edge Container Now GA

edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Retail API Added

retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.batchRemoveCatalogAttributes
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.removeCatalogAttribute
retail.attributesConfigs.replaceCatalogAttribute
retail.controls.export
retail.controls.import
Storage Transfer Service Added

storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report
Storage Transfer Service Now GA

storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report

Cloud IAM changes as of 2022-03-04

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityAdmin (Apigee Security Admin):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityViewer (Apigee Security Viewer):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

dataplex.operations.get
dataplex.operations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

storage.buckets.list
FleetEngine Now GA

The role roles/fleetengine.deliveryConsumer (Fleet Engine Delivery Consumer User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryFleetReader (Fleet Engine Delivery Fleet Reader User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliverySuperUser (Fleet Engine Delivery Super User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryTrustedDriver (Fleet Engine Delivery Trusted Driver User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryUntrustedDriver (Fleet Engine Delivery Untrusted Driver User) is now GA.

Identity and Access Management Now GA

The role roles/iam.serviceAccountViewer (View Service Accounts) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.domaincontrollerOperator (Google Cloud Managed Identities Domain Controller Operator) is now GA.

Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

iam.serviceAccounts.getAccessToken
Vertex AI Added

aiplatform.deploymentResourcePools.create
aiplatform.deploymentResourcePools.delete
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.deploymentResourcePools.update
BigQuery Added

bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
BigQuery Supported In Custom Roles

bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
Cloud Key Management Service Now GA

cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
FleetEngine Added

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Supported In Custom Roles

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Now GA

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update

Cloud IAM changes as of 2022-02-25

Service Change Description
Dataform Now GA

The role roles/dataform.serviceAgent (Dataform Service Agent) is now GA.

Firestore Role Updated

The following permissions have been added to the role roles/firestore.serviceAgent (Firestore Service Agent):

storage.objects.delete
KRM API Hosting Now GA

The role roles/krmapihosting.admin (Config Controller Admin) is now GA.

KRM API Hosting Now GA

The role roles/krmapihosting.viewer (Config Controller Viewer) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupAdmin (Google Cloud Managed Identities Backup Admin) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupViewer (Google Cloud Managed Identities Backup Viewer) is now GA.

Dataform Now GA

The role roles/sqlx.serviceAgent (Dataform Service Agent) is now GA.

Dialogflow Added

dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Dialogflow Now GA

dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Sensitive Data Protection Added

dlp.locations.get
dlp.locations.list
Sensitive Data Protection Supported In Custom Roles

dlp.locations.get
dlp.locations.list
Sensitive Data Protection Now GA

dlp.locations.get
dlp.locations.list
Eventarc Added

eventarc.providers.get
eventarc.providers.list
Eventarc Supported In Custom Roles

eventarc.providers.get
eventarc.providers.list
Eventarc Now GA

eventarc.providers.get
eventarc.providers.list
KRM API Hosting Now GA

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Managed Service for Microsoft Active Directory Added

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Supported In Custom Roles

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Now GA

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore

Cloud IAM changes as of 2022-02-18

Service Change Description
Datastore Role Updated

The following permissions have been added to the role roles/datastore.importExportAdmin (Cloud Datastore Import Export Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.indexAdmin (Cloud Datastore Index Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer):

datastore.databases.getMetadata
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

appengine.applications.get
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.fullView
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

gkehub.fleet.create
gkehub.fleet.get
Binary Authorization Added

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Binary Authorization Supported In Custom Roles

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Compute Engine Added

compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
Compute Engine Now GA

compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
KRM API Hosting Added

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
KRM API Hosting Supported In Custom Roles

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Cloud OS Config Added

osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Cloud OS Config Now GA

osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Service Networking Added

servicenetworking.services.use

Cloud IAM changes as of 2022-02-11

Service Change Description
Vertex AI Role Added

The role roles/aiplatform.tensorboardWebAppUser (Vertex AI Tensorboard Web App User) has been added with the following permissions:

aiplatform.googleapis.com/tensorboards.recordAccess
aiplatform.tensorboards.recordAccess
Vertex AI Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.tensorboards.recordAccess
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.get
compute.subnetworks.get
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.assets.exportResource
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

datastore.databases.getMetadata
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

serviceusage.services.use
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

datastore.databases.getMetadata
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.use
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallAdmin (Firewall Recommender Admin):

monitoring.timeSeries.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallViewer (Firewall Recommender Viewer):

monitoring.timeSeries.list
Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsEditor (Security Center BigQuery Exports Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsViewer (Security Center BigQuery Exports Viewer) is now GA.

Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.tensorboards.recordAccess
Vertex AI Added

aiplatform.tensorboards.recordAccess
Cloud Healthcare API Added

healthcare.nlpservice.analyzeEntities
Cloud Healthcare API Now GA

healthcare.nlpservice.analyzeEntities
Dataproc Metastore Added

metastore.services.use
Dataproc Metastore Supported In Custom Roles

metastore.services.use
Security Command Center Added

securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Supported In Custom Roles

securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Now GA

securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Cloud TPU Added

tpu.nodes.update
Cloud TPU Supported In Custom Roles

tpu.nodes.update
Cloud TPU Now GA

tpu.nodes.update

Cloud IAM changes as of 2022-01-28

Service Change Description
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Dataplex Now GA

The role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent) is now GA.

Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

bigquery.config.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.get
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Data Pipelines Added

datapipelines.jobs.list
Data Pipelines Supported In Custom Roles

datapipelines.jobs.list
Data Pipelines Now GA

datapipelines.jobs.list
Dataproc Added

dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Supported In Custom Roles

dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Now GA

dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Identity and Access Management Supported In Custom Roles

iam.denypolicies.get
iam.denypolicies.list
Dataproc Metastore Added

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Dataproc Metastore Supported In Custom Roles

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Workflows Added

workflows.callbacks.send
Workflows Supported In Custom Roles

workflows.callbacks.send
Workflows Now GA

workflows.callbacks.send

Cloud IAM changes as of 2022-01-14

Service Change Description
Data Catalog Now GA

The role roles/datacatalog.categoryAdmin (Policy Tag Admin) is now GA.

Data Catalog Now GA

The role roles/datacatalog.categoryFineGrainedReader (Fine-Grained Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.admin (Dataplex Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.dataOwner (Dataplex Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.dataReader (Dataplex Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.dataWriter (Dataplex Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.developer (Dataplex Developer) is now GA.

Dataplex Now GA

The role roles/dataplex.editor (Dataplex Editor) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataReader (Dataplex Metadata Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataWriter (Dataplex Metadata Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataOwner (Dataplex Storage Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataReader (Dataplex Storage Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataWriter (Dataplex Storage Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.viewer (Dataplex Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

artifactregistry.packages.delete
Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentAdmin (OSPolicyAssignment Admin) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentEditor (OSPolicyAssignment Editor) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentReportViewer (OSPolicyAssignmentReport Viewer) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentViewer (OSPolicyAssignment Viewer) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilAdmin (Project Utilization Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilViewer (Project Utilization Recommender Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityResponseServiceAgent (Google Cloud Security Response Service Agent):

compute.instances.get
Cloud Run functions Added

cloudfunctions.runtimes.list
Cloud Run functions Now GA

cloudfunctions.runtimes.list
Cloud Key Management Service Added

cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
Data Catalog Supported In Custom Roles

datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Data Catalog Now GA

datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Dataflow Supported In Custom Roles

dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataflow Now GA

dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataplex Added

dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Supported In Custom Roles

dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Now GA

dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Eventarc Added

eventarc.events.receiveEvent
Eventarc Now GA

eventarc.events.receiveEvent
Cloud OS Config Now GA

osconfig.osPolicyAssignmentReports.get
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
Recommender Now GA

recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationInsights.update
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.update
Security Command Center Added

securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Supported In Custom Roles

securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Now GA

securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update