IAM permissions change log

This page describes changes to the public IAM permissions for all Generally Available and Beta services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

IAM permissions change log

Upcoming Cloud IAM changes for the week of 2021-01-04

Service Change Description
Apigee Now GA

The role roles/apigee.apiAdmin (Apigee API Admin) is now GA.

Apigee Now GA

The role roles/apigee.apiReader (Apigee API Reader) is now GA.

Apigee Now GA

The role roles/apigee.environmentAdmin (Apigee Environment Admin) is now GA.

Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.admin (Error Reporting Admin):

stackdriver.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.user (Error Reporting User):

stackdriver.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.viewer (Error Reporting Viewer):

stackdriver.projects.get
Pub/Sub Role Updated

The following permissions have been added to the role roles/pubsub.serviceAgent (Cloud Pub/Sub Service Agent):

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Retail API Role Updated

The following permissions have been added to the role roles/retail.admin (Retail Admin):

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.events.purge
automlrecommendations.events.rejoin
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
Retail API Role Updated

The following permissions have been added to the role roles/retail.editor (Retail Editor):

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
Retail API Role Updated

The following permissions have been added to the role roles/retail.viewer (Retail Viewer):

automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.getStats
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
Cloud Autoscaling Added autoscaling.sites.getIamPolicy
autoscaling.sites.readRecommendations
autoscaling.sites.setIamPolicy
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
Cloud Autoscaling Supported In Custom Roles autoscaling.sites.getIamPolicy
autoscaling.sites.readRecommendations
autoscaling.sites.setIamPolicy
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
Binary Authorization Added binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update
Binary Authorization Supported In Custom Roles binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update
Compute Engine Added compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscUpdate
Customer Usage Data Processing Added dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Customer Usage Data Processing Supported In Custom Roles dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Customer Usage Data Processing Now GA dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Google Earth Engine Added earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.setIamPolicy
earthengine.assets.update
earthengine.computations.create
earthengine.exports.create
earthengine.filmstripthumbnails.create
earthengine.filmstripthumbnails.get
earthengine.imports.create
earthengine.maps.create
earthengine.maps.get
earthengine.operations.delete
earthengine.operations.get
earthengine.operations.list
earthengine.operations.update
earthengine.tables.create
earthengine.tables.get
earthengine.thumbnails.create
earthengine.thumbnails.get
earthengine.videothumbnails.create
earthengine.videothumbnails.get

Cloud IAM changes as of 2020-12-18

Service Change Description
Anthos Identity Service Now GA

The role roles/anthosidentityservice.serviceAgent (Anthos Identity Service Agent) is now GA.

API Gateway Now GA

The role roles/apigateway.admin (ApiGateway Admin) is now GA.

API Gateway Now GA

The role roles/apigateway.viewer (ApiGateway Viewer) is now GA.

Apigee Now GA

The role roles/apigee.portalAdmin (Apigee Portal Admin) is now GA.

AutoML Role Updated

The following permissions have been added to the role roles/automl.serviceAgent (AutoML Service Agent):

bigquery.tables.update
Private Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalogproducer.orgAdmin (Catalog Org Admin):

cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.associations.create
cloudprivatecatalogproducer.associations.delete
cloudprivatecatalogproducer.associations.get
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.create
cloudprivatecatalogproducer.catalogs.delete
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.catalogs.undelete
cloudprivatecatalogproducer.catalogs.update
cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update
cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update
cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate
Compute Engine Now GA

The role roles/compute.orgFirewallPolicyAdmin (Compute Organization Firewall Policy Admin) is now GA.

Compute Engine Now GA

The role roles/compute.orgFirewallPolicyUser (Compute Organization Firewall Policy User) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

dns.dnsKeys.get
dns.dnsKeys.list
dns.managedZoneOperations.get
dns.managedZoneOperations.list
dns.managedZones.delete
dns.networks.bindPrivateDNSPolicy
dns.networks.targetWithPeeringZone
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.admin (Error Reporting Admin):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.user (Error Reporting User):

logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.viewer (Error Reporting Viewer):

logging.notificationRules.get
logging.notificationRules.list
API Gateway Now GA apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.delete
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.delete
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.locations.get
apigateway.locations.list
apigateway.operations.cancel
apigateway.operations.delete
apigateway.operations.get
apigateway.operations.list
Apigee Added apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Apigee Supported In Custom Roles apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Apigee Now GA apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Filestore Supported In Custom Roles file.operations.cancel
Cloud Logging Added logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Cloud Logging Supported In Custom Roles logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Cloud Logging Now GA logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Recommender Added recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Recommender Supported In Custom Roles recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Recommender Now GA recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Retail API Added retail.catalogs.list
retail.catalogs.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin
Retail API Supported In Custom Roles retail.catalogs.list
retail.catalogs.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin

Cloud IAM changes as of 2020-12-11

Service Change Description
Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Cloud Composer Now GA

The role roles/composer.sharedVpcAgent (Composer Shared VPC Agent) is now GA.

Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Compute Engine Now GA

The role roles/compute.orgSecurityPolicyAdmin (Compute Organization Security Policy Admin) is now GA.

Compute Engine Now GA

The role roles/compute.orgSecurityPolicyUser (Compute Organization Security Policy User) is now GA.

Compute Engine Now GA

The role roles/compute.orgSecurityResourceAdmin (Compute Organization Resource Admin) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.admin (Compute Admin):

compute.firewallPolicies.cloneRules
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.orgSecurityPolicyAdmin (Compute Organization Security Policy Admin):

compute.firewallPolicies.cloneRules
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.securityAdmin (Compute Security Admin):

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

cloudnotifications.activities.list
compute.instanceGroupManagers.get
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.admin (Kubernetes Engine Admin):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.developer (Kubernetes Engine Developer):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.viewer (Kubernetes Engine Viewer):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
Container Threat Detection Role Updated

The following permissions have been added to the role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.update
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Dataproc Now GA

The role roles/dataproc.hubAgent (Dataproc Hub Agent) is now GA.

Early Access Center Role Updated

The following permissions have been added to the role roles/earlyaccesscenter.admin (Early Access Center Administrator):

earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Early Access Center Role Updated

The following permissions have been added to the role roles/earlyaccesscenter.viewer (Early Access Center Viewer):

earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

compute.firewallPolicies.cloneRules
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

container.endpointSlices.list
container.frontendConfigs.list
container.storageStates.list
container.storageVersionMigrations.list
container.updateInfos.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

container.endpointSlices.list
container.frontendConfigs.list
container.storageStates.list
container.storageVersionMigrations.list
container.updateInfos.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.list
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.viewer (Logs Viewer):

logging.views.get
logging.views.list
Dataproc Metastore Role Added

The role roles/metastore.metadataOperator (Dataproc Metastore Metadata Operator) has been added with the following permissions:

metastore.imports.create
metastore.imports.delete
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.legacyAdmin (Notebooks Legacy Admin):

compute.firewallPolicies.cloneRules
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

compute.firewallPolicies.cloneRules
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
logging.views.get
logging.views.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

logging.views.get
logging.views.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
logging.views.get
logging.views.list
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Apigee Added apigee.organizations.delete
Apigee Supported In Custom Roles apigee.organizations.delete
Apigee Now GA apigee.organizations.delete
Compute Engine Added compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Supported In Custom Roles compute.firewallPolicies.addAssociation
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Now GA compute.firewallPolicies.addAssociation
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Google Kubernetes Engine Added container.apiServices.getStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container.certificateSigningRequests.getStatus
container.clusterRoles.escalate
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.customResourceDefinitions.getStatus
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.finalize
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.roles.escalate
container.selfSubjectRulesReviews.create
container.serviceAccounts.createToken
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Dataproc Added dataproc.clusters.start
dataproc.clusters.stop
Dataproc Now GA dataproc.clusters.start
dataproc.clusters.stop
Early Access Center Added earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Cloud Logging Added logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Cloud Logging Supported In Custom Roles logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Cloud Logging Now GA logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Dataproc Metastore Added metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.services.update
Dataproc Metastore Supported In Custom Roles metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list
metastore.services.create
metastore.services.delete
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.services.update

Cloud IAM changes as of 2020-11-20

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsEditor (Apigee Analytics Editor):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsViewer (Apigee Analytics Viewer):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiCreator (Apigee API Creator):

apigee.proxyrevisions.deploy
apigee.proxyrevisions.undeploy
Cloud Logging Role Updated

The following permissions have been removed from the role roles/logging.privateLogViewer (Private Logs Viewer):

logging.views.access
Dell EMC Cloud OneFS Added cloudonefs.isiloncloud.com/clusters.create
cloudonefs.isiloncloud.com/clusters.delete
cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/clusters.update
cloudonefs.isiloncloud.com/clusters.updateAdvancedSettings
cloudonefs.isiloncloud.com/fileshares.create
cloudonefs.isiloncloud.com/fileshares.delete
cloudonefs.isiloncloud.com/fileshares.get
cloudonefs.isiloncloud.com/fileshares.list
cloudonefs.isiloncloud.com/fileshares.update
Private Catalog Added cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update
cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update
cloudprivatecatalogproducer.settings.get
cloudprivatecatalogproducer.settings.update

Cloud IAM changes as of 2020-11-06

Service Change Description
Dialogflow Now GA

The role roles/dialogflow.conversationManager (Dialogflow Conversation Manager) is now GA.

Dialogflow Now GA

The role roles/dialogflow.integrationManager (Dialogflow Integration Manager) is now GA.

Service Management Now GA

The role roles/servicemanagement.reporter (Service Reporter) is now GA.

Compute Engine Added compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Compute Engine Supported In Custom Roles compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Compute Engine Now GA compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Document AI Added documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.humanReviewConfigs.update
documentai.labelerPools.create
documentai.labelerPools.delete
documentai.labelerPools.get
documentai.labelerPools.list
documentai.labelerPools.update
documentai.locations.get
documentai.locations.list
documentai.operations.getLegacy
documentai.processorTypes.list
documentai.processorVersions.create
documentai.processorVersions.delete
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processors.create
documentai.processors.delete
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
documentai.processors.update
Cloud Logging Added logging.logEntries.download
Cloud Logging Now GA logging.logEntries.download

Cloud IAM changes as of 2020-10-30

Service Change Description
Compute Engine Added compute.forwardingRules.update
Compute Engine Supported In Custom Roles compute.forwardingRules.update
Compute Engine Now GA compute.forwardingRules.update
Early Access Center Added earlyaccesscenter.campaigns.enroll
earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerWhitelists.get
earlyaccesscenter.customerWhitelists.list
Early Access Center Supported In Custom Roles earlyaccesscenter.campaigns.enroll
earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerWhitelists.get
earlyaccesscenter.customerWhitelists.list
GKE Hub Added gkehub.operations.delete
GKE Hub Now GA gkehub.operations.delete
Cloud Logging Added logging.locations.get
logging.locations.list
Cloud Logging Supported In Custom Roles logging.locations.get
logging.locations.list
Cloud Logging Now GA logging.locations.get
logging.locations.list
AI Platform Notebooks Added notebooks.instances.use
AI Platform Notebooks Now GA notebooks.instances.use

Cloud IAM changes as of 2020-10-23

Service Change Description
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

cloudfunctions.functions.invoke
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

container.clusterRoles.bind
Pub/Sub Lite Now GA

The role roles/pubsublite.admin (Pub/Sub Lite Admin) is now GA.

Pub/Sub Lite Now GA

The role roles/pubsublite.editor (Pub/Sub Lite Editor) is now GA.

Pub/Sub Lite Now GA

The role roles/pubsublite.publisher (Pub/Sub Lite Publisher) is now GA.

Pub/Sub Lite Now GA

The role roles/pubsublite.subscriber (Pub/Sub Lite Subscriber) is now GA.

Pub/Sub Lite Now GA

The role roles/pubsublite.viewer (Pub/Sub Lite Viewer) is now GA.

Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

compute.networks.updatePeering
Compute Engine Added compute.instances.useReadOnly
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
Compute Engine Supported In Custom Roles compute.instances.useReadOnly
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
Compute Engine Now GA compute.instances.useReadOnly
Database Migration Service Added datamigration.connectionprofiles.create
datamigration.connectionprofiles.delete
datamigration.connectionprofiles.get
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.connectionprofiles.update
datamigration.locations.get
datamigration.locations.list
datamigration.migrationjobs.create
datamigration.migrationjobs.delete
datamigration.migrationjobs.generateSshScript
datamigration.migrationjobs.get
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.promote
datamigration.migrationjobs.restart
datamigration.migrationjobs.resume
datamigration.migrationjobs.setIamPolicy
datamigration.migrationjobs.start
datamigration.migrationjobs.stop
datamigration.migrationjobs.update
datamigration.migrationjobs.verify
datamigration.operations.cancel
datamigration.operations.delete
datamigration.operations.get
datamigration.operations.list
Cloud Healthcare API Added healthcare.nlpservice.analyzeEntities
Cloud Healthcare API Supported In Custom Roles healthcare.locations.get
healthcare.locations.list
healthcare.nlpservice.analyzeEntities
Pub/Sub Lite Now GA pubsublite.subscriptions.create
pubsublite.subscriptions.delete
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.subscriptions.update
pubsublite.topics.computeMessageStats
pubsublite.topics.create
pubsublite.topics.delete
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
pubsublite.topics.publish
pubsublite.topics.subscribe
pubsublite.topics.update
Traffic Director Added trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Traffic Director Supported In Custom Roles trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Cloud IAM changes as of 2020-10-09

Service Change Description
Access Context Manager Now GA

The role roles/accesscontextmanager.gcpAccessAdmin (Cloud Access Binding Admin) is now GA.

Access Context Manager Now GA

The role roles/accesscontextmanager.gcpAccessReader (Cloud Access Binding Reader) is now GA.

Assured Workloads for Government Now GA

The role roles/assuredworkloads.admin (Assured Workloads Administrator) is now GA.

Assured Workloads for Government Now GA

The role roles/assuredworkloads.editor (Assured Workloads Editor) is now GA.

Assured Workloads for Government Now GA

The role roles/assuredworkloads.reader (Assured Workloads Reader) is now GA.

BigQuery Now GA

The role roles/bigquery.connectionAdmin (BigQuery Connection Admin) is now GA.

BigQuery Now GA

The role roles/bigquery.connectionUser (BigQuery Connection User) is now GA.

Cloud Scheduler Now GA

The role roles/cloudscheduler.admin (Cloud Scheduler Admin) is now GA.

Cloud Scheduler Now GA

The role roles/cloudscheduler.jobRunner (Cloud Scheduler Job Runner) is now GA.

Cloud Scheduler Now GA

The role roles/cloudscheduler.viewer (Cloud Scheduler Viewer) is now GA.

Google Cloud Support Role Updated

The following permissions have been added to the role roles/cloudsupport.admin (Support Account Administrator):

resourcemanager.organizations.get
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

notebooks.instances.updateConfig
Game Servers Role Updated

The following permissions have been removed from the role roles/gameservices.serviceAgent (Game Services Service Agent):

gkehub.gateway.get
gkehub.gateway.getIamPolicy
GKE Hub Role Updated

The following permissions have been removed from the role roles/gkehub.viewer (GKE Hub Viewer):

gkehub.gateway.get
gkehub.gateway.getIamPolicy
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.admin (Notebooks Admin):

notebooks.instances.updateConfig
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.legacyAdmin (Notebooks Legacy Admin):

notebooks.instances.updateConfig
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

notebooks.instances.updateConfig
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

notebooks.instances.updateConfig
Service Directory Now GA

The role roles/servicedirectory.admin (Service Directory Admin) is now GA.

Service Directory Now GA

The role roles/servicedirectory.editor (Service Directory Editor) is now GA.

Service Directory Now GA

The role roles/servicedirectory.viewer (Service Directory Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

pubsublite.subscriptions.subscribe
Access Context Manager Added accesscontextmanager.gcpUserAccessBindings.create
accesscontextmanager.gcpUserAccessBindings.delete
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.gcpUserAccessBindings.update
Access Context Manager Supported In Custom Roles accesscontextmanager.gcpUserAccessBindings.create
accesscontextmanager.gcpUserAccessBindings.delete
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.gcpUserAccessBindings.update
Access Context Manager Now GA accesscontextmanager.gcpUserAccessBindings.create
accesscontextmanager.gcpUserAccessBindings.delete
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.gcpUserAccessBindings.update
Assured Workloads for Government Supported In Custom Roles assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
Assured Workloads for Government Now GA assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update
BigQuery Now GA bigquery.connections.create
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.use
Cloud Scheduler Supported In Custom Roles cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list
Cloud Scheduler Now GA cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
Essential Contacts Added essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.update
Essential Contacts Supported In Custom Roles essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.update
Eventarc Added eventarc.events.receiveAuditLogWritten
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update
Eventarc Supported In Custom Roles eventarc.events.receiveAuditLogWritten
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update
Cloud Healthcare API Added healthcare.attributeDefinitions.create
healthcare.attributeDefinitions.delete
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.attributeDefinitions.update
healthcare.consentArtifacts.create
healthcare.consentArtifacts.delete
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.create
healthcare.consentStores.delete
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consentStores.setIamPolicy
healthcare.consentStores.update
healthcare.consents.activate
healthcare.consents.create
healthcare.consents.delete
healthcare.consents.get
healthcare.consents.list
healthcare.consents.reject
healthcare.consents.revoke
healthcare.consents.update
healthcare.userDataMappings.archive
healthcare.userDataMappings.create
healthcare.userDataMappings.delete
healthcare.userDataMappings.get
healthcare.userDataMappings.list
healthcare.userDataMappings.update
Cloud Healthcare API Supported In Custom Roles healthcare.attributeDefinitions.create
healthcare.attributeDefinitions.delete
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.attributeDefinitions.update
healthcare.consentArtifacts.create
healthcare.consentArtifacts.delete
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.create
healthcare.consentStores.delete
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consentStores.setIamPolicy
healthcare.consentStores.update
healthcare.consents.activate
healthcare.consents.create
healthcare.consents.delete
healthcare.consents.get
healthcare.consents.list
healthcare.consents.reject
healthcare.consents.revoke
healthcare.consents.update
healthcare.userDataMappings.archive
healthcare.userDataMappings.create
healthcare.userDataMappings.delete
healthcare.userDataMappings.get
healthcare.userDataMappings.list
healthcare.userDataMappings.update
AI Platform Notebooks Added notebooks.instances.updateConfig
Pub/Sub Lite Added pubsublite.topics.computeMessageStats
Pub/Sub Lite Supported In Custom Roles pubsublite.topics.computeMessageStats
Memorystore for Redis Added redis.instances.getAuthString
redis.instances.updateAuth
Memorystore for Redis Supported In Custom Roles redis.instances.getAuthString
redis.instances.updateAuth
Service Directory Now GA servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.setIamPolicy
servicedirectory.endpoints.update
servicedirectory.locations.get
servicedirectory.locations.list
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.setIamPolicy
servicedirectory.namespaces.update
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.setIamPolicy
servicedirectory.services.update

Cloud IAM changes as of 2020-10-02

Service Change Description
Cloud Asset Inventory Role Updated

The following permissions have been added to the role roles/cloudasset.serviceAgent (Cloud Asset Service Agent):

bigquery.tables.update
Talent Solution Role Updated

The following permissions have been added to the role roles/cloudjobdiscovery.jobsEditor (Job Editor):

cloudjobdiscovery.tenants.create
cloudjobdiscovery.tenants.delete
cloudjobdiscovery.tenants.get
cloudjobdiscovery.tenants.update
Talent Solution Role Updated

The following permissions have been added to the role roles/cloudjobdiscovery.jobsViewer (Job Viewer):

cloudjobdiscovery.tenants.get
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

aiplatform.endpoints.explain
aiplatform.endpoints.predict
AI Platform Added aiplatform.annotationSpecs.create
aiplatform.annotationSpecs.delete
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotationSpecs.update
aiplatform.annotations.create
aiplatform.annotations.delete
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.annotations.update
aiplatform.batchPredictionJobs.cancel
aiplatform.batchPredictionJobs.create
aiplatform.batchPredictionJobs.delete
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.delete
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.create
aiplatform.dataItems.delete
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataItems.update
aiplatform.dataLabelingJobs.cancel
aiplatform.dataLabelingJobs.create
aiplatform.dataLabelingJobs.delete
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasets.create
aiplatform.datasets.delete
aiplatform.datasets.export
aiplatform.datasets.get
aiplatform.datasets.import
aiplatform.datasets.list
aiplatform.datasets.update
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.hyperparameterTuningJobs.cancel
aiplatform.hyperparameterTuningJobs.create
aiplatform.hyperparameterTuningJobs.delete
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.migratableResources.migrate
aiplatform.migratableResources.search
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.exportEvaluatedDataItems
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.models.delete
aiplatform.models.export
aiplatform.models.get
aiplatform.models.list
aiplatform.models.upload
aiplatform.operations.list
aiplatform.specialistPools.create
aiplatform.specialistPools.delete
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.trainingPipelines.cancel
aiplatform.trainingPipelines.create
aiplatform.trainingPipelines.delete
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
AI Platform Supported In Custom Roles aiplatform.annotationSpecs.create
aiplatform.annotationSpecs.delete
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotationSpecs.update
aiplatform.annotations.create
aiplatform.annotations.delete
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.annotations.update
aiplatform.batchPredictionJobs.cancel
aiplatform.batchPredictionJobs.create
aiplatform.batchPredictionJobs.delete
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.delete
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.create
aiplatform.dataItems.delete
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataItems.update
aiplatform.dataLabelingJobs.cancel
aiplatform.dataLabelingJobs.create
aiplatform.dataLabelingJobs.delete
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasets.create
aiplatform.datasets.delete
aiplatform.datasets.export
aiplatform.datasets.get
aiplatform.datasets.import
aiplatform.datasets.list
aiplatform.datasets.update
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.hyperparameterTuningJobs.cancel
aiplatform.hyperparameterTuningJobs.create
aiplatform.hyperparameterTuningJobs.delete
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.migratableResources.migrate
aiplatform.migratableResources.search
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.exportEvaluatedDataItems
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.models.delete
aiplatform.models.export
aiplatform.models.get
aiplatform.models.list
aiplatform.models.upload
aiplatform.operations.list
aiplatform.specialistPools.create
aiplatform.specialistPools.delete
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.trainingPipelines.cancel
aiplatform.trainingPipelines.create
aiplatform.trainingPipelines.delete
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
BigQuery Supported In Custom Roles bigquery.models.create
bigquery.models.delete
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
BigQuery Now GA bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata

Cloud IAM changes as of 2020-09-25

Service Change Description
Anthos Now GA

The role roles/anthos.serviceAgent (Anthos Service Agent) is now GA.

Anthos Config Management Now GA

The role roles/anthosconfigmanagement.serviceAgent (Anthos Config Management Service Agent) is now GA.

Apigee Now GA

The role roles/apigee.serviceAgent (Apigee Service Agent) is now GA.

App Engine flexible environment Now GA

The role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent) is now GA.

Artifact Registry Now GA

The role roles/artifactregistry.serviceAgent (Artifact Registry Service Agent) is now GA.

AutoML Now GA

The role roles/automl.serviceAgent (AutoML Service Agent) is now GA.

Recommendations AI Now GA

The role roles/automlrecommendations.serviceAgent (Recommendations AI Service Agent) is now GA.

BigQuery Connection API Now GA

The role roles/bigqueryconnection.serviceAgent (BigQuery Connection Service Agent) is now GA.

BigQuery Data Transfer Service Now GA

The role roles/bigquerydatatransfer.serviceAgent (BigQuery Data Transfer Service Agent) is now GA.

Binary Authorization Now GA

The role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent) is now GA.

Cloud Asset Inventory Now GA

The role roles/cloudasset.serviceAgent (Cloud Asset Service Agent) is now GA.

Cloud Build Now GA

The role roles/cloudbuild.serviceAgent (Cloud Build Service Agent) is now GA.

Cloud Functions Now GA

The role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent) is now GA.

Cloud IoT Now GA

The role roles/cloudiot.serviceAgent (Cloud IoT Core Service Agent) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.serviceAgent (Cloud KMS Service Agent) is now GA.

Cloud Scheduler Now GA

The role roles/cloudscheduler.serviceAgent (Cloud Scheduler Service Agent) is now GA.

Cloud SQL Now GA

The role roles/cloudsql.serviceAgent (Cloud SQL Service Agent) is now GA.

Cloud Tasks Now GA

The role roles/cloudtasks.serviceAgent (Cloud Tasks Service Agent) is now GA.

Cloud Tasks Role Updated

The following permissions have been added to the role roles/cloudtasks.admin (Cloud Tasks Admin):

monitoring.timeSeries.list
Cloud Tasks Role Updated

The following permissions have been added to the role roles/cloudtasks.viewer (Cloud Tasks Viewer):

monitoring.timeSeries.list
Cloud TPU Now GA

The role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent) is now GA.

Cloud Composer Now GA

The role roles/composer.serviceAgent (Cloud Composer API Service Agent) is now GA.

Compute Engine Now GA

The role roles/compute.serviceAgent (Compute Engine Service Agent) is now GA.

Compute Scanning Now GA

The role roles/computescanning.serviceAgent (Compute Scanning Service Agent) is now GA.

Google Kubernetes Engine Now GA

The role roles/container.serviceAgent (Kubernetes Engine Service Agent) is now GA.

Container Analysis Now GA

The role roles/containeranalysis.ServiceAgent (Container Analysis Service Agent) is now GA.

Container Registry Now GA

The role roles/containerregistry.ServiceAgent (Container Registry Service Agent) is now GA.

Container Scanning Now GA

The role roles/containerscanning.ServiceAgent (Container Scanner Service Agent) is now GA.

Container Threat Detection Now GA

The role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent) is now GA.

Dataflow Now GA

The role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent) is now GA.

Cloud Data Fusion Now GA

The role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent) is now GA.

AI Platform Data Labeling Service Now GA

The role roles/datalabeling.serviceAgent (DataLabeling Service Agent) is now GA.

Dataprep by Trifacta Now GA

The role roles/dataprep.serviceAgent (Dataprep Service Agent) is now GA.

Dataproc Now GA

The role roles/dataproc.serviceAgent (Dataproc Service Agent) is now GA.

Google Data Studio Now GA

The role roles/datastudio.serviceAgent (Data Studio Service Agent) is now GA.

Dialogflow Now GA

The role roles/dialogflow.serviceAgent (Dialogflow Service Agent) is now GA.

Cloud Data Loss Prevention Now GA

The role roles/dlp.serviceAgent (DLP API Service Agent) is now GA.

Document AI Now GA

The role roles/documentaicore.serviceAgent (DocumentAI Core Service Agent) is now GA.

Cloud Endpoints Now GA

The role roles/endpoints.serviceAgent (Cloud Endpoints Service Agent) is now GA.

Cloud Endpoints Portal Now GA

The role roles/endpointsportal.serviceAgent (Endpoints Portal Service Agent) is now GA.

Filestore Now GA

The role roles/file.serviceAgent (Cloud Filestore Service Agent) is now GA.

Firebase Now GA

The role roles/firebase.appDistributionSdkServiceAgent (Firebase App Distribution Admin SDK Service Agent) is now GA.

Firebase Now GA

The role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent) is now GA.

Firebase Now GA

The role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent) is now GA.

Firebase Now GA

The role roles/firebase.sdkProvisioningServiceAgent (Firebase SDK Provisioning Service Agent) is now GA.

Firebase Mods Now GA

The role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent) is now GA.

Firebase Storage Now GA

The role roles/firebasestorage.serviceAgent (Cloud Storage for Firebase Service Agent) is now GA.

Firewall Insights Now GA

The role roles/firewallinsights.serviceAgent (Cloud Firewall Insights Service Agent) is now GA.

Game Servers Now GA

The role roles/gameservices.serviceAgent (Game Services Service Agent) is now GA.

Cloud Life Sciences Now GA

The role roles/genomics.serviceAgent (Genomics Service Agent) is now GA.

GKE Hub Now GA

The role roles/gkehub.serviceAgent (GKE Hub Service Agent) is now GA.

Cloud Healthcare API Now GA

The role roles/healthcare.serviceAgent (Healthcare Service Agent) is now GA.

Cloud Life Sciences Now GA

The role roles/lifesciences.serviceAgent (Cloud Life Sciences Service Agent) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.serviceAgent (Cloud Managed Identities Service Agent) is now GA.

Memorystore for Memcached Now GA

The role roles/memcache.serviceAgent (Cloud Memorystore Memcached Service Agent) is now GA.

Mesh Configuration Now GA

The role roles/meshconfig.serviceAgent (Mesh Config Service Agent) is now GA.

Mesh Data Plane Now GA

The role roles/meshdataplane.serviceAgent (Mesh Data Plane Service Agent) is now GA.

AI Platform Now GA

The role roles/ml.serviceAgent (Cloud ML Service Agent) is now GA.

Cloud Monitoring Now GA

The role roles/monitoring.notificationServiceAgent (Monitoring Notification Service Agent) is now GA.

Multi Cluster Ingress Now GA

The role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent) is now GA.

Multi Cluster Metering Now GA

The role roles/multiclustermetering.serviceAgent (Multi-cluster metering Service Agent) is now GA.

Network Management API Now GA

The role roles/networkmanagement.serviceAgent (GCP Network Management Service Agent) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.serviceAgent (Cloud OS Config Service Agent) is now GA.

Pub/Sub Now GA

The role roles/pubsub.serviceAgent (Cloud Pub/Sub Service Agent) is now GA.

Memorystore for Redis Now GA

The role roles/redis.serviceAgent (Cloud Memorystore Redis Service Agent) is now GA.

Remote Build Execution Now GA

The role roles/remotebuildexecution.serviceAgent (Remote Build Execution Service Agent) is now GA.

Cloud Run Now GA

The role roles/run.serviceAgent (Cloud Run Service Agent) is now GA.

Security Command Center Now GA

The role roles/securitycenter.automationServiceAgent (Security Center Automation Service Agent) is now GA.

Security Command Center Now GA

The role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent) is now GA.

Security Command Center Now GA

The role roles/securitycenter.notificationServiceAgent (Security Center Notification Service Agent) is now GA.

Security Command Center Now GA

The role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent) is now GA.

Security Command Center Now GA

The role roles/securitycenter.serviceAgent (Security Center Service Agent) is now GA.

Cloud Run Now GA

The role roles/serverless.serviceAgent (Cloud Run Service Agent) is now GA.

Service Networking Now GA

The role roles/servicenetworking.serviceAgent (Service Networking Service Agent) is now GA.

Cloud Source Repositories Now GA

The role roles/sourcerepo.serviceAgent (Cloud Source Repositories Service Agent) is now GA.

Cloud TPU Now GA

The role roles/tpu.serviceAgent (Cloud TPU API Service Agent) is now GA.

Serverless VPC Access Now GA

The role roles/vpcaccess.serviceAgent (Serverless VPC Access Service Agent) is now GA.

Web Security Scanner Now GA

The role roles/websecurityscanner.serviceAgent (Cloud Web Security Scanner Service Agent) is now GA.

Workflows Now GA

The role roles/workflows.serviceAgent (Cloud Workflows Service Agent) is now GA.

BigQuery Added bigquery.capacityCommitments.update
BigQuery Supported In Custom Roles bigquery.capacityCommitments.update
BigQuery Now GA bigquery.capacityCommitments.update
Cloud Domains Added domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
domains.registrations.configureContact
domains.registrations.configureDns
domains.registrations.configureManagement
domains.registrations.create
domains.registrations.delete
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.setIamPolicy
domains.registrations.update
Transcoder API Added transcoder.jobTemplates.create
transcoder.jobTemplates.delete
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
transcoder.jobs.list
Transcoder API Supported In Custom Roles transcoder.jobTemplates.create
transcoder.jobTemplates.delete
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
transcoder.jobs.list

Cloud IAM changes as of 2020-09-18

Service Change Description
BigQuery Now GA

The role roles/bigquery.resourceAdmin (BigQuery Resource Admin) is now GA.

BigQuery Now GA

The role roles/bigquery.resourceEditor (BigQuery Resource Editor) is now GA.

BigQuery Now GA

The role roles/bigquery.resourceViewer (BigQuery Resource Viewer) is now GA.

Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallAdmin (Firewall Recommender Admin):

recommender.locations.get
recommender.locations.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallViewer (Firewall Recommender Viewer):

recommender.locations.get
recommender.locations.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.projectCudAdmin (Project Usage Commitment Recommender Admin):

recommender.locations.get
recommender.locations.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.projectCudViewer (Project Usage Commitment Recommender Viewer):

recommender.locations.get
recommender.locations.list
API Gateway Supported In Custom Roles apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.delete
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.delete
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.locations.get
apigateway.locations.list
apigateway.operations.cancel
apigateway.operations.delete
apigateway.operations.get
apigateway.operations.list
BigQuery Now GA bigquery.bireservations.get
bigquery.bireservations.update
bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update
Identity and Access Management Added iam.workloadIdentityPoolProviders.create
iam.workloadIdentityPoolProviders.delete
iam.workloadIdentityPoolProviders.get
iam.workloadIdentityPoolProviders.list
iam.workloadIdentityPoolProviders.undelete
iam.workloadIdentityPoolProviders.update
iam.workloadIdentityPools.create
iam.workloadIdentityPools.delete
iam.workloadIdentityPools.get
iam.workloadIdentityPools.list
iam.workloadIdentityPools.undelete
iam.workloadIdentityPools.update
Identity and Access Management Supported In Custom Roles iam.workloadIdentityPoolProviders.create
iam.workloadIdentityPoolProviders.delete
iam.workloadIdentityPoolProviders.get
iam.workloadIdentityPoolProviders.list
iam.workloadIdentityPoolProviders.undelete
iam.workloadIdentityPoolProviders.update
iam.workloadIdentityPools.create
iam.workloadIdentityPools.delete
iam.workloadIdentityPools.get
iam.workloadIdentityPools.list
iam.workloadIdentityPools.undelete
iam.workloadIdentityPools.update

Cloud IAM changes as of 2020-09-11

Service Change Description
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.privateLogViewer (Private Logs Viewer):

logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.update
Security Command Center Added securitycenter.findings.setWorkflowState
Security Command Center Supported In Custom Roles securitycenter.findings.setWorkflowState

Cloud IAM changes as of 2020-09-04

Service Change Description
Apigee Now GA

The role roles/apigee.portalAdmin (Apigee Portal Admin) is now GA.

Cloud Profiler Now GA

The role roles/cloudprofiler.agent (Cloud Profiler Agent) is now GA.

Cloud Profiler Now GA

The role roles/cloudprofiler.user (Cloud Profiler User) is now GA.

Cloud SQL Now GA

The role roles/cloudsql.instanceUser (Cloud SQL Instance User) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.admin (Notebooks Admin) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.legacyAdmin (Notebooks Legacy Admin) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.legacyViewer (Notebooks Legacy Viewer) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.runner (Notebooks Runner) is now GA.

AI Platform Notebooks Now GA

The role roles/notebooks.viewer (Notebooks Viewer) is now GA.

Security Command Center Now GA

The role roles/securitycenter.settingsAdmin (Security Center Settings Admin) is now GA.

Security Command Center Now GA

The role roles/securitycenter.settingsEditor (Security Center Settings Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.settingsViewer (Security Center Settings Viewer) is now GA.

BigQuery Added bigquery.models.export
BigQuery Supported In Custom Roles bigquery.models.export
Cloud Profiler Now GA cloudprofiler.profiles.create
cloudprofiler.profiles.list
cloudprofiler.profiles.update
Cloud SQL Added cloudsql.instances.login
Cloud SQL Supported In Custom Roles cloudsql.instances.login
Cloud SQL Now GA cloudsql.instances.login
NetApp Cloud Volumes Service Available In Custom Roles cloudvolumesgcp-api.netapp.com/activeDirectories.create
cloudvolumesgcp-api.netapp.com/activeDirectories.delete
cloudvolumesgcp-api.netapp.com/activeDirectories.get
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/activeDirectories.update
cloudvolumesgcp-api.netapp.com/ipRanges.list
cloudvolumesgcp-api.netapp.com/jobs.get
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.list
cloudvolumesgcp-api.netapp.com/serviceLevels.list
cloudvolumesgcp-api.netapp.com/snapshots.create
cloudvolumesgcp-api.netapp.com/snapshots.delete
cloudvolumesgcp-api.netapp.com/snapshots.get
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/snapshots.update
cloudvolumesgcp-api.netapp.com/volumes.create
cloudvolumesgcp-api.netapp.com/volumes.delete
cloudvolumesgcp-api.netapp.com/volumes.get
cloudvolumesgcp-api.netapp.com/volumes.list
cloudvolumesgcp-api.netapp.com/volumes.update
AI Platform Notebooks Now GA notebooks.environments.create
notebooks.environments.delete
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.reset
notebooks.instances.setAccelerator
notebooks.instances.setIamPolicy
notebooks.instances.setLabels
notebooks.instances.setMachineType
notebooks.instances.start
notebooks.instances.stop
notebooks.instances.update
notebooks.instances.upgrade
notebooks.locations.get
notebooks.locations.list
notebooks.operations.cancel
notebooks.operations.delete
notebooks.operations.get
notebooks.operations.list
Security Command Center Added securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
Security Command Center Supported In Custom Roles securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update

Cloud IAM changes as of 2020-08-28

Service Change Description
App Engine Now GA

The role roles/appengine.appCreator (App Engine Creator) is now GA.

Cloud Functions Now GA

The role roles/cloudfunctions.admin (Cloud Functions Admin) is now GA.

Cloud Functions Now GA

The role roles/cloudfunctions.developer (Cloud Functions Developer) is now GA.

Cloud Functions Now GA

The role roles/cloudfunctions.invoker (Cloud Functions Invoker) is now GA.

Cloud Functions Now GA

The role roles/cloudfunctions.viewer (Cloud Functions Viewer) is now GA.

Assured Workloads for Government Added assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update
Assured Workloads for Government Supported In Custom Roles assuredworkloads.operations.get
assuredworkloads.operations.list
Recommendations AI Added automlrecommendations.catalogs.update
Recommendations AI Supported In Custom Roles automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.recommendations.list
Cloud Asset Inventory Now GA cloudasset.assets.analyzeIamPolicy
Cloud Functions Supported In Custom Roles cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.list
cloudfunctions.operations.get
cloudfunctions.operations.list
Cloud Functions Now GA cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.list
cloudfunctions.operations.get
cloudfunctions.operations.list
Cloud Healthcare API Supported In Custom Roles healthcare.hl7V2Stores.import
Cloud Logging Added logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.update
Cloud Logging Supported In Custom Roles logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.update
Cloud Logging Now GA logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.update
Workflows Added workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list
workflows.locations.get
workflows.locations.list
workflows.operations.cancel
workflows.operations.get
workflows.operations.list
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
workflows.workflows.getIamPolicy
workflows.workflows.list
workflows.workflows.setIamPolicy
workflows.workflows.update
Workflows Supported In Custom Roles workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list
workflows.locations.get
workflows.locations.list
workflows.operations.cancel
workflows.operations.get
workflows.operations.list
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
workflows.workflows.getIamPolicy
workflows.workflows.list
workflows.workflows.setIamPolicy
workflows.workflows.update

Cloud IAM changes as of 2020-08-21

Service Change Description
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.admin (Dialogflow API Admin):

dialogflow.environments.lookupHistory
dialogflow.versions.load
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.consoleAgentEditor (Dialogflow Console Agent Editor):

dialogflow.environments.lookupHistory
dialogflow.versions.load
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

dialogflow.environments.lookupHistory
dialogflow.versions.load
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

dialogflow.environments.lookupHistory
dialogflow.versions.load
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

dialogflow.environments.lookupHistory
Apigee Added apigee.caches.delete
apigee.caches.list
apigee.canaryevaluations.create
apigee.canaryevaluations.get
apigee.datacollectors.create
apigee.datacollectors.delete
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datacollectors.update
apigee.datastores.create
apigee.datastores.delete
apigee.datastores.get
apigee.datastores.list
apigee.datastores.update
apigee.envgroupattachments.create
apigee.envgroupattachments.delete
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.create
apigee.envgroups.delete
apigee.envgroups.get
apigee.envgroups.list
apigee.envgroups.update
apigee.exports.create
apigee.exports.get
apigee.exports.list
apigee.hostqueries.create
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.create
apigee.instanceattachments.delete
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.create
apigee.instances.delete
apigee.instances.get
apigee.instances.list
apigee.instances.reportStatus
apigee.operations.get
apigee.operations.list
apigee.projects.update
Apigee Supported In Custom Roles apigee.datastores.create
apigee.datastores.delete
apigee.datastores.get
apigee.datastores.list
apigee.datastores.update
apigee.exports.create
apigee.exports.get
apigee.exports.list
Apigee Now GA apigee.caches.delete
apigee.caches.list
apigee.canaryevaluations.create
apigee.canaryevaluations.get
apigee.datacollectors.create
apigee.datacollectors.delete
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datacollectors.update
apigee.datastores.create
apigee.datastores.delete
apigee.datastores.get
apigee.datastores.list
apigee.datastores.update
apigee.envgroupattachments.create
apigee.envgroupattachments.delete
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.create
apigee.envgroups.delete
apigee.envgroups.get
apigee.envgroups.list
apigee.envgroups.update
apigee.exports.create
apigee.exports.get
apigee.exports.list
apigee.hostqueries.create
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.create
apigee.instanceattachments.delete
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.create
apigee.instances.delete
apigee.instances.get
apigee.instances.list
apigee.instances.reportStatus
apigee.operations.get
apigee.operations.list
apigee.projects.update
Compute Engine Now GA compute.images.update
Dialogflow Added dialogflow.agents.list
dialogflow.agents.validate
dialogflow.environments.create
dialogflow.environments.delete
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.lookupHistory
dialogflow.environments.update
dialogflow.flows.create
dialogflow.flows.delete
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.create
dialogflow.pages.delete
dialogflow.pages.get
dialogflow.pages.list
dialogflow.pages.update
dialogflow.transitionRouteGroups.create
dialogflow.transitionRouteGroups.delete
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.transitionRouteGroups.update
dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.load
dialogflow.versions.update
dialogflow.webhooks.create
dialogflow.webhooks.delete
dialogflow.webhooks.get
dialogflow.webhooks.list
dialogflow.webhooks.update
Dialogflow Supported In Custom Roles dialogflow.environments.create
dialogflow.environments.delete
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.update
dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.update
Dialogflow Now GA dialogflow.agents.list
dialogflow.agents.validate
dialogflow.environments.create
dialogflow.environments.delete
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.update
dialogflow.flows.create
dialogflow.flows.delete
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.create
dialogflow.pages.delete
dialogflow.pages.get
dialogflow.pages.list
dialogflow.pages.update
dialogflow.transitionRouteGroups.create
dialogflow.transitionRouteGroups.delete
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.transitionRouteGroups.update
dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.update
dialogflow.webhooks.create
dialogflow.webhooks.delete
dialogflow.webhooks.get
dialogflow.webhooks.list
dialogflow.webhooks.update
Cloud Healthcare API Added healthcare.annotationStores.create
healthcare.annotationStores.delete
healthcare.annotationStores.evaluate
healthcare.annotationStores.export
healthcare.annotationStores.get
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.import
healthcare.annotationStores.list
healthcare.annotationStores.setIamPolicy
healthcare.annotationStores.update
healthcare.annotations.create
healthcare.annotations.delete
healthcare.annotations.get
healthcare.annotations.list
healthcare.annotations.update
Cloud Healthcare API Supported In Custom Roles healthcare.annotationStores.create
healthcare.annotationStores.delete
healthcare.annotationStores.evaluate
healthcare.annotationStores.export
healthcare.annotationStores.get
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.import
healthcare.annotationStores.list
healthcare.annotationStores.setIamPolicy
healthcare.annotationStores.update
healthcare.annotations.create
healthcare.annotations.delete
healthcare.annotations.get
healthcare.annotations.list
healthcare.annotations.update

Cloud IAM changes as of 2020-08-14

Service Change Description
Private Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalog.consumer (Catalog Consumer):

resourcemanager.projects.get
resourcemanager.projects.list
Private Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalogproducer.admin (Catalog Admin):

cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate
resourcemanager.projects.get
resourcemanager.projects.list
Private Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalogproducer.manager (Catalog Manager):

resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Added dialogflow.fulfillments.get
dialogflow.fulfillments.update
Dialogflow Now GA dialogflow.fulfillments.get
dialogflow.fulfillments.update

Cloud IAM changes as of 2020-08-07

Service Change Description
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

artifactregistry.packages.delete
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.tags.delete
artifactregistry.versions.delete
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.viewer (GKE Hub Viewer):

gkehub.features.getIamPolicy
gkehub.gateway.get
gkehub.gateway.getIamPolicy
Cloud Logging Now GA

The role roles/logging.bucketWriter (Logs Bucket Writer) is now GA.

Cloud Logging Now GA

The role roles/logging.viewAccessor (Logs View Accessor) is now GA.

Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.privateLogViewer (Private Logs Viewer):

logging.views.access
Compute Engine Now GA compute.instances.getScreenshot
Identity and Access Management Supported In Custom Roles iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.undelete
Identity and Access Management Now GA iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.undelete
Cloud Logging Added logging.buckets.create
logging.buckets.delete
logging.buckets.undelete
logging.buckets.write
logging.views.access
Cloud Logging Supported In Custom Roles logging.buckets.create
logging.buckets.delete
logging.buckets.undelete
logging.buckets.write
logging.views.access
Cloud Logging Now GA logging.buckets.create
logging.buckets.delete
logging.buckets.undelete
logging.buckets.write
logging.views.access
OAuthConfig Added oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.testusers.update
oauthconfig.verification.get
oauthconfig.verification.submit
oauthconfig.verification.update
OAuthConfig Supported In Custom Roles oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.testusers.update
oauthconfig.verification.get
oauthconfig.verification.submit
oauthconfig.verification.update
OAuthPolicyMetadata Added oauthpolicymetadata.brandpolicy.createOrUpdate
oauthpolicymetadata.brandpolicy.get
oauthpolicymetadata.brandpolicy.submitVerification
oauthpolicymetadata.clientpolicy.get
OAuthPolicyMetadata Supported In Custom Roles oauthpolicymetadata.brandpolicy.createOrUpdate
oauthpolicymetadata.brandpolicy.get
oauthpolicymetadata.brandpolicy.submitVerification
oauthpolicymetadata.clientpolicy.get
OAuthTestApp Added oauthtestapp.userwhitelist.read
oauthtestapp.userwhitelist.write
OAuthTestApp Supported In Custom Roles oauthtestapp.userwhitelist.read
oauthtestapp.userwhitelist.write
Certificate Authority Service Added privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.create
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateRevocationLists.update
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.certificates.update
privateca.locations.get
privateca.locations.list
privateca.operations.cancel
privateca.operations.delete
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privateca.reusableConfigs.update
Certificate Authority Service Supported In Custom Roles privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.create
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateRevocationLists.update
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.certificates.update
privateca.locations.get
privateca.locations.list
privateca.operations.cancel
privateca.operations.delete
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privateca.reusableConfigs.update
Recommender Added recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.commitmentUtilizationInsights.update
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
recommender.usageCommitmentRecommendations.update

Cloud IAM changes as of 2020-07-31

Service Change Description
Apigee Now GA

The role roles/apigee.admin (Apigee Organization Admin) is now GA.

Apigee Now GA

The role roles/apigee.analyticsAgent (Apigee Analytics Agent) is now GA.

Apigee Now GA

The role roles/apigee.analyticsEditor (Apigee Analytics Editor) is now GA.

Apigee Now GA

The role roles/apigee.analyticsViewer (Apigee Analytics Viewer) is now GA.

Apigee Now GA

The role roles/apigee.apiCreator (Apigee API Creator) is now GA.

Apigee Now GA

The role roles/apigee.deployer (Apigee Deployer) is now GA.

Apigee Now GA

The role roles/apigee.developerAdmin (Apigee Developer Admin) is now GA.

Apigee Now GA

The role roles/apigee.readOnlyAdmin (Apigee Read-only Admin) is now GA.

Apigee Now GA

The role roles/apigee.runtimeAgent (Apigee Runtime Agent) is now GA.

Apigee Now GA

The role roles/apigee.synchronizerManager (Apigee Synchronizer Manager) is now GA.

Apigee Connect Now GA

The role roles/apigeeconnect.Admin (Apigee Connect Admin) is now GA.

Apigee Connect Now GA

The role roles/apigeeconnect.Agent (Apigee Connect Agent) is now GA.

Game Servers Now GA

The role roles/gameservices.admin (Game Services API Admin) is now GA.

Game Servers Now GA

The role roles/gameservices.viewer (Game Services API Viewer) is now GA.

Identity and Access Management Role Updated

The following permissions have been removed from the role roles/iam.securityAdmin (Security Admin):

container.secrets.list
Identity and Access Management Role Updated

The following permissions have been removed from the role roles/iam.securityReviewer (Security Reviewer):

container.secrets.list
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.admin (Notebooks Admin):

compute.acceleratorTypes.get
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.get
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.runner (Notebooks Runner):

compute.acceleratorTypes.get
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.get
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.viewer (Notebooks Viewer):

compute.acceleratorTypes.get
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.get
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Apigee Now GA apigee.apiproductattributes.createOrUpdateAll
apigee.apiproductattributes.delete
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproductattributes.update
apigee.apiproducts.create
apigee.apiproducts.delete
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apiproducts.update
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.get
apigee.appkeys.manage
apigee.apps.get
apigee.apps.list
apigee.deployments.create
apigee.deployments.delete
apigee.deployments.get
apigee.deployments.list
apigee.deployments.update
apigee.developerappattributes.createOrUpdateAll
apigee.developerappattributes.delete
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerappattributes.update
apigee.developerapps.create
apigee.developerapps.delete
apigee.developerapps.get
apigee.developerapps.list
apigee.developerapps.manage
apigee.developerattributes.createOrUpdateAll
apigee.developerattributes.delete
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerattributes.update
apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.developers.list
apigee.developers.update
apigee.environments.create
apigee.environments.delete
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.manageRuntime
apigee.environments.setIamPolicy
apigee.environments.update
apigee.flowhooks.attachSharedFlow
apigee.flowhooks.detachSharedFlow
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.keystorealiases.create
apigee.keystorealiases.delete
apigee.keystorealiases.exportCertificate
apigee.keystorealiases.generateCSR
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystorealiases.update
apigee.keystores.create
apigee.keystores.delete
apigee.keystores.export
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.maskconfigs.update
apigee.organizations.create
apigee.organizations.get
apigee.organizations.list
apigee.organizations.update
apigee.proxies.create
apigee.proxies.delete
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.delete
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.proxyrevisions.update
apigee.queries.create
apigee.queries.get
apigee.queries.list
apigee.references.create
apigee.references.delete
apigee.references.get
apigee.references.list
apigee.references.update
apigee.reports.create
apigee.reports.delete
apigee.reports.get
apigee.reports.list
apigee.reports.update
apigee.resourcefiles.create
apigee.resourcefiles.delete
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.resourcefiles.update
apigee.sharedflowrevisions.delete
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflowrevisions.update
apigee.sharedflows.create
apigee.sharedflows.delete
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.create
apigee.targetservers.delete
apigee.targetservers.get
apigee.targetservers.list
apigee.targetservers.update
apigee.tracesessions.create
apigee.tracesessions.delete
apigee.tracesessions.get
apigee.tracesessions.list
Apigee Connect Now GA apigeeconnect.connections.list
apigeeconnect.endpoints.connect
Recommendations AI Added automlrecommendations.events.rejoin
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
Recommendations AI Supported In Custom Roles automlrecommendations.events.rejoin
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
BigQuery Supported In Custom Roles bigquery.tables.setCategory
Game Servers Now GA gameservices.gameServerClusters.create
gameservices.gameServerClusters.delete
gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerClusters.update
gameservices.gameServerConfigs.create
gameservices.gameServerConfigs.delete
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.create
gameservices.gameServerDeployments.delete
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.gameServerDeployments.rollout
gameservices.gameServerDeployments.update
gameservices.locations.get
gameservices.locations.list
gameservices.operations.cancel
gameservices.operations.delete
gameservices.operations.get
gameservices.operations.list
gameservices.realms.create
gameservices.realms.delete
gameservices.realms.get
gameservices.realms.list
gameservices.realms.update
Cloud Healthcare API Added healthcare.hl7V2Stores.import
healthcare.locations.get
healthcare.locations.list
Identity and Access Management Added iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.undelete
Identity and Access Management Available In Custom Roles iam.serviceAccounts.undelete
AI Platform Notebooks Added notebooks.instances.checkUpgradability
notebooks.instances.reset
notebooks.instances.setAccelerator
notebooks.instances.setLabels
notebooks.instances.setMachineType
notebooks.instances.start
notebooks.instances.stop
notebooks.instances.upgrade

Cloud IAM changes as of 2020-07-24

Service Change Description
Identity and Access Management Role Updated

The following permissions have been removed from the role roles/iam.securityAdmin (Security Admin):

container.secrets.list
Identity and Access Management Role Updated

The following permissions have been removed from the role roles/iam.securityReviewer (Security Reviewer):

container.secrets.list

Cloud IAM changes as of 2020-07-17

Service Change Description
GKE Hub Now GA

The role roles/gkehub.gatewayAdmin (Connect Gateway Admin) is now GA.

Secret Manager Now GA

The role roles/secretmanager.secretVersionAdder (Secret Manager Secret Version Adder) is now GA.

Secret Manager Now GA

The role roles/secretmanager.secretVersionManager (Secret Manager Secret Version Manager) is now GA.

Cloud Bigtable Added bigtable.backups.create
bigtable.backups.delete
bigtable.backups.get
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.restore
bigtable.backups.setIamPolicy
bigtable.backups.update
Cloud Bigtable Supported In Custom Roles bigtable.backups.create
bigtable.backups.delete
bigtable.backups.get
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.restore
bigtable.backups.setIamPolicy
bigtable.backups.update
Cloud Bigtable Now GA bigtable.backups.create
bigtable.backups.delete
bigtable.backups.get
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.restore
bigtable.backups.setIamPolicy
bigtable.backups.update
Cloud Commerce Consumer Procurement Added consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
Cloud Commerce Consumer Procurement Supported In Custom Roles consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
GKE Hub Added gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.getIamPolicy
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.setIamPolicy
GKE Hub Now GA gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.getIamPolicy
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.setIamPolicy

Cloud IAM changes as of 2020-07-10

Service Change Description
Cloud Monitoring Now GA

The role roles/monitoring.servicesEditor (Monitoring Services Editor) is now GA.

Cloud Monitoring Now GA

The role roles/monitoring.servicesViewer (Monitoring Services Viewer) is now GA.

NetApp Cloud Volumes Service Added cloudvolumesgcp-api.netapp.com/activeDirectories.create
cloudvolumesgcp-api.netapp.com/activeDirectories.delete
cloudvolumesgcp-api.netapp.com/activeDirectories.get
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/activeDirectories.update
cloudvolumesgcp-api.netapp.com/ipRanges.list
cloudvolumesgcp-api.netapp.com/jobs.get
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.list
cloudvolumesgcp-api.netapp.com/serviceLevels.list
cloudvolumesgcp-api.netapp.com/snapshots.create
cloudvolumesgcp-api.netapp.com/snapshots.delete
cloudvolumesgcp-api.netapp.com/snapshots.get
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/snapshots.update
cloudvolumesgcp-api.netapp.com/volumes.create
cloudvolumesgcp-api.netapp.com/volumes.delete
cloudvolumesgcp-api.netapp.com/volumes.get
cloudvolumesgcp-api.netapp.com/volumes.list
cloudvolumesgcp-api.netapp.com/volumes.update
Cloud Monitoring Added monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
Cloud Monitoring Supported In Custom Roles monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
Cloud Monitoring Now GA monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
Network Security Added networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.setIamPolicy
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.setIamPolicy
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.locations.get
networksecurity.locations.list
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.setIamPolicy
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
Network Security Supported In Custom Roles networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.setIamPolicy
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.setIamPolicy
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.locations.get
networksecurity.locations.list
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.setIamPolicy
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
Network Services Added networkservices.endpointConfigSelectors.create
networkservices.endpointConfigSelectors.delete
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.getIamPolicy
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.setIamPolicy
networkservices.endpointConfigSelectors.update
networkservices.endpointConfigSelectors.use
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.getIamPolicy
networkservices.httpFilters.list
networkservices.httpFilters.setIamPolicy
networkservices.httpFilters.update
networkservices.httpFilters.use
networkservices.locations.get
networkservices.locations.list
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list