IAM permissions change log

This page describes changes to the public IAM permissions for all Generally Available and Beta services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

Upcoming Cloud IAM changes for the week of 2022-06-20

Service Change Description
Anthos Config Management Role Updated

The following permissions have been added to the role roles/anthosconfigmanagement.serviceAgent (Anthos Config Management Service Agent):

container.clusters.get
Batch API Now GA

The role roles/batch.serviceAgent (Google Batch Service Agent) is now GA.

Firebase Test Lab Role Updated

The following permissions have been added to the role roles/cloudtestservice.testAdmin (Firebase Test Lab Admin):

storage.objects.delete
Apigee Added apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats
Apigee Now GA apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

Cloud IAM changes as of 2022-06-17

Service Change Description
Care Studio Now GA

The role roles/carestudio.viewer (Care Studio Patients Viewer) is now GA.

Translation Role Updated

The following permissions have been added to the role roles/cloudtranslate.serviceAgent (Cloud Translation API Service Agent):

automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.models.get
automl.models.list
automl.operations.get
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

resourcemanager.projects.getIamPolicy
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Cloud DNS Role Updated

The following permissions have been added to the role roles/dns.admin (DNS Administrator):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Document AI Role Updated

The following permissions have been added to the role roles/documentaicore.serviceAgent (DocumentAI Core Service Agent):

documentai.humanReviewConfigs.review
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Integrations Service Agent):

pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.update
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.update
pubsub.topics.updateTag
Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Basic Role Role Updated

The following permissions have been removed from the role roles/viewer (Viewer):

apigee.archivedeployments.upload
Bare Metal Solution Added baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Now GA baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Batch API Added batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
Batch API Supported In Custom Roles batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
BigQuery Supported In Custom Roles bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
Cloud Bigtable Added bigtable.tables.undelete
Cloud Bigtable Now GA bigtable.tables.undelete
Care Studio Now GA carestudio.patients.get
carestudio.patients.list
Cloud Integrations Added integrations.apigeeSuspensions.lift
Cloud Integrations Now GA integrations.apigeeSuspensions.lift
Service Networking Added servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Service Networking Supported In Custom Roles servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Timeseries Insights Added timeseriesinsights.datasets.create
timeseriesinsights.datasets.delete
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.datasets.update

Cloud IAM changes as of 2022-06-10

Service Change Description
App Engine Role Updated

The following permissions have been added to the role roles/appengine.appAdmin (App Engine Admin):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.admin (Dataplex Administrator):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

cloudasset.assets.analyzeIamPolicy
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

cloudasset.assets.analyzeIamPolicy
Cloud Integrations Now GA

The role roles/integrations.serviceAgent (Integrations Service Agent) is now GA.

Dataproc Metastore Now GA

The role roles/metastore.federationAccessor (Metastore Federation Accessor) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagAdmin (Tag Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagHoldAdmin (Tag Hold Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagUser (Tag User) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagViewer (Tag Viewer) is now GA.

Access Approval Added accessapproval.requests.invalidate
Access Approval Supported In Custom Roles accessapproval.requests.invalidate
AlloyDB for PostgreSQL Added alloydb.backups.create
alloydb.backups.delete
alloydb.backups.get
alloydb.backups.list
alloydb.backups.update
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.failover
alloydb.instances.get
alloydb.instances.list
alloydb.instances.restart
alloydb.instances.update
alloydb.locations.get
alloydb.locations.list
alloydb.operations.cancel
alloydb.operations.delete
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
Artifact Registry Added artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
Artifact Registry Now GA artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
AutoML Added automl.files.delete
automl.files.list
Bare Metal Solution Added baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Now GA baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Cloud Billing Added billing.accounts.getCarbonInformation
Cloud Billing Supported In Custom Roles billing.accounts.getCarbonInformation
Cloud Billing Now GA billing.accounts.getCarbonInformation
Google Cloud Deploy Added clouddeploy.releases.abandon
Google Cloud Deploy Supported In Custom Roles clouddeploy.releases.abandon
Commerce Price Management Added commerceprice.privateoffers.cancel
Commerce Price Management Supported In Custom Roles commerceprice.privateoffers.cancel
Datastream Added datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
Cloud DNS Added dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Cloud DNS Supported In Custom Roles dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Identity and Access Management Added iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Supported In Custom Roles iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Now GA iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Dataproc Metastore Added metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Supported In Custom Roles metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Now GA metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Resource Manager Now GA resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcemanager.tagValues.update

Cloud IAM changes as of 2022-05-27

Service Change Description
AlloyDB for PostgreSQL Now GA

The role roles/alloydb.serviceAgent (AlloyDB Service Agent) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.images.useReadOnly
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.createTagBinding
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.updateDisplayDevice
compute.machineImages.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.subnetworks.useExternalIp
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.worker (Dataflow Worker):

monitoring.timeSeries.create
Live Stream Role Updated

The following permissions have been added to the role roles/livestream.serviceAgent (Live Stream Service Agent):

storage.objects.get
storage.objects.list
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
AI Platform Added aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy
Container Security Added containersecurity.locations.get
containersecurity.locations.list
Network Management API Added networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Supported In Custom Roles networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Now GA networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Services Added networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
Network Services Supported In Custom Roles networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
reCAPTCHA Enterprise Added recaptchaenterprise.keys.retrievelegacysecretkey
Transfer Appliance Added transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update
Transfer Appliance Supported In Custom Roles transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update

Cloud IAM changes as of 2022-05-20

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
Backup for GKE Role Updated

The following permissions have been added to the role roles/gkebackup.serviceAgent (Backup for GKE Service Agent):

compute.disks.list
compute.disks.setLabels
AI Platform Added aiplatform.humanInTheLoops.queryAnnotationStats
Bare Metal Solution Added baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Supported In Custom Roles baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Now GA baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
BigQuery Added bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
BigQuery Supported In Custom Roles bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
Recommender Added recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Recommender Supported In Custom Roles recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Service Security Insights Added servicesecurityinsights.securityInfo.list
Service Security Insights Supported In Custom Roles servicesecurityinsights.securityInfo.list

Cloud IAM changes as of 2022-05-13

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

logging.cmekSettings.update
Maps Admin Now GA

The role roles/mapsadmin.admin (Maps API Admin) is now GA.

Maps Admin Now GA

The role roles/mapsadmin.viewer (Maps API Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

orgpolicy.policies.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

orgpolicy.policies.list
Service Security Insights Role Added

The role roles/servicesecurityinsights.securityInsightsViewer (Security Insights Viewer) has been added with the following permissions:

servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.clusters.get
servicesecurityinsights.clusters.list
servicesecurityinsights.googleapis.com/clusterSecurityInfo.get
servicesecurityinsights.googleapis.com/clusterSecurityInfo.list
servicesecurityinsights.googleapis.com/clusters.get
servicesecurityinsights.googleapis.com/clusters.list
servicesecurityinsights.googleapis.com/locations.get
servicesecurityinsights.googleapis.com/locations.list
servicesecurityinsights.googleapis.com/namespaces.get
servicesecurityinsights.googleapis.com/namespaces.list
servicesecurityinsights.googleapis.com/policies.get
servicesecurityinsights.googleapis.com/policyTypes.get
servicesecurityinsights.googleapis.com/policyTypes.list
servicesecurityinsights.googleapis.com/projectStates.get
servicesecurityinsights.googleapis.com/securityInfo.list
servicesecurityinsights.googleapis.com/securityViews.get
servicesecurityinsights.googleapis.com/workloadPolicies.list
servicesecurityinsights.googleapis.com/workloadSecurityInfo.get
servicesecurityinsights.googleapis.com/workloadTypes.get
servicesecurityinsights.googleapis.com/workloadTypes.list
servicesecurityinsights.googleapis.com/workloads.get
servicesecurityinsights.googleapis.com/workloads.list
servicesecurityinsights.locations.get
servicesecurityinsights.locations.list
servicesecurityinsights.namespaces.get
servicesecurityinsights.namespaces.list
servicesecurityinsights.policies.get
servicesecurityinsights.policyTypes.get
servicesecurityinsights.policyTypes.list
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityInfo.list
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get
servicesecurityinsights.workloadTypes.get
servicesecurityinsights.workloadTypes.list
servicesecurityinsights.workloads.get
servicesecurityinsights.workloads.list
Apigee Added apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Supported In Custom Roles apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Now GA apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Artifact Registry Added artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Supported In Custom Roles artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Now GA artifactregistry.locations.get
artifactregistry.locations.list
Care Studio Added carestudio.patients.get
carestudio.patients.list
Identity-Aware Proxy Added iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Identity-Aware Proxy Supported In Custom Roles iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Maps Admin Added mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Supported In Custom Roles mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Now GA mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Certificate Authority Service Added privateca.caPools.use
Certificate Authority Service Now GA privateca.caPools.use

Cloud IAM changes as of 2022-05-06

Service Change Description
Cloud Billing Now GA

The role roles/billing.carbonViewer (Carbon Footprint Viewer) is now GA.

Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.developer (Cloud Functions Developer):

run.operations.delete
run.operations.get
run.operations.list
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

run.operations.delete
run.operations.get
run.operations.list
Firebase App Check Now GA

The role roles/firebaseappcheck.admin (Firebase App Check Admin) is now GA.

Firebase App Check Now GA

The role roles/firebaseappcheck.viewer (Firebase App Check Viewer) is now GA.

Recommender Now GA

The role roles/recommender.gmpAdmin (Google Maps Platform Insights/Recommendations Admin) is now GA.

Recommender Now GA

The role roles/recommender.gmpViewer (Google Maps Platform Insights/Recommendations Viewer) is now GA.

Cloud Run Role Updated

The following permissions have been added to the role roles/run.developer (Cloud Run Developer):

run.operations.delete
run.operations.get
run.operations.list
Container Security Added containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Container Security Supported In Custom Roles containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Eventarc Added eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Eventarc Supported In Custom Roles eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Firebase App Check Added firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
Firebase App Check Now GA firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.extendSchema
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.domains.extendSchema
Recommender Added recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Supported In Custom Roles recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Now GA recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Cloud Run Added run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Cloud Run Supported In Custom Roles run.jobs.run
run.jobs.update
Cloud Run Now GA run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Service Security Insights Added servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.policies.get
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get

Cloud IAM changes as of 2022-04-29

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiAdminV2 (Apigee API Admin):

apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
Content Warehouse Role Updated

The following permissions have been removed from the role roles/contentwarehouse.documentEditor (Content Warehouse Document Editor):

contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.setIamPolicy
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
serviceusage.services.use
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

iam.serviceAccounts.actAs
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.client (Cloud Speech Client):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Apigee Added apigee.datalocation.get
Apigee Supported In Custom Roles apigee.datalocation.get
Apigee Now GA apigee.datalocation.get
Compute Engine Added compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Compute Engine Now GA compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Eventarc Added eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Eventarc Supported In Custom Roles eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Firebase App Check Added firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Recommender Added recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Supported In Custom Roles recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Now GA recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

Cloud IAM changes as of 2022-04-22

Service Change Description
BigQuery Migration API Now GA

The role roles/bigquerymigration.editor (MigrationWorkflow Editor) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.orchestrator (Task Orchestrator) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.translationUser (Migration Translation User) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.viewer (MigrationWorkflow Viewer) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.worker (Task Worker) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

serviceusage.services.use
Storage Transfer Service Role Updated

The following permissions have been removed from the role roles/storagetransfer.transferAgent (Storage Transfer Agent):

pubsub.snapshots.seek
BigQuery Migration API Now GA bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Cloud Key Management Service Added cloudkms.keyRings.listEffectiveTags
Cloud Key Management Service Now GA cloudkms.keyRings.listEffectiveTags
Cloud Optimization Added cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud Optimization Supported In Custom Roles cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud SQL Added cloudsql.instances.listEffectiveTags
cloudsql.users.get
Cloud SQL Supported In Custom Roles cloudsql.users.get
Cloud SQL Now GA cloudsql.instances.listEffectiveTags
cloudsql.users.get
Compute Engine Added compute.disks.listEffectiveTags
compute.images.listEffectiveTags
compute.instances.listEffectiveTags
compute.snapshots.listEffectiveTags
Google Kubernetes Engine Added container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Google Kubernetes Engine Now GA container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Cloud Domains Added domains.registrations.listEffectiveTags
Cloud Domains Now GA domains.registrations.listEffectiveTags
Filestore Added file.backups.listEffectiveTags
file.instances.listEffectiveTags
file.snapshots.listEffectiveTags
GKE Hub Supported In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.listEffectiveTags
Managed Service for Microsoft Active Directory Now GA managedidentities.domains.listEffectiveTags
Recommender Added recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Supported In Custom Roles recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Now GA recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
Resource Manager Added resourcemanager.hierarchyNodes.listEffectiveTags
Cloud Spanner Added spanner.backups.copy
Cloud Spanner Supported In Custom Roles spanner.backups.copy
Cloud Spanner Now GA spanner.backups.copy
Cloud Storage Added storage.buckets.listEffectiveTags
Cloud Storage Now GA storage.buckets.listEffectiveTags

Cloud IAM changes as of 2022-04-15

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

aiplatform.entityTypes.exportFeatureValues
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

aiplatform.entityTypes.exportFeatureValues
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.operations.get
cloudfunctions.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.tasks.create
dataplex.tasks.update
Speech-to-Text Now GA

The role roles/speech.serviceAgent (Cloud Speech-to-Text Service Agent) is now GA.

BigQuery Added bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
BigQuery Migration API Added bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Compute Engine Added compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
Compute Engine Now GA compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list

Cloud IAM changes as of 2022-04-08

Service Change Description
Assured Workloads Role Updated

The following permissions have been removed from the role roles/assuredworkloads.serviceAgent (Assured Workloads Service Agent):

cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.escalate
Recommender Now GA

The role roles/recommender.errorReportingAdmin (Error Reporting Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.errorReportingViewer (Error Reporting Recommender Viewer) is now GA.

Apigee Registry Added apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Apigee Registry Supported In Custom Roles apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Anthos clusters on VMware (GKE on-prem) Added gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Anthos clusters on VMware (GKE on-prem) Supported In Custom Roles gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Memorystore for Memcached Added memcache.instances.rescheduleMaintenance
Memorystore for Memcached Supported In Custom Roles memcache.instances.rescheduleMaintenance
Memorystore for Memcached Now GA memcache.instances.rescheduleMaintenance
Recommender Now GA recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Resource Manager Added resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
Resource Manager Supported In Custom Roles resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list

Cloud IAM changes as of 2022-04-01

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.admin (Apigee Organization Admin):

monitoring.timeSeries.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.readOnlyAdmin (Apigee Read-only Admin):

monitoring.timeSeries.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.admin (Bare Metal Solution Admin):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.viewer (Bare Metal Solution Viewer):

baremetalsolution.luns.get
baremetalsolution.luns.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.viewer (Dataflow Viewer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Filestore Added file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listTagBindings
GKE Hub Available In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Notebooks Added notebooks.runtimes.update
Notebooks Now GA notebooks.runtimes.update

Cloud IAM changes as of 2022-03-25

Service Change Description
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.admin (Recommendations AI Admin):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.adminViewer (Recommendations AI Admin Viewer):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.editor (Recommendations AI Editor):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.viewer (Recommendations AI Viewer):

retail.retailProjects.get
Firewall Insights Role Updated

The following permissions have been added to the role roles/firewallinsights.serviceAgent (Cloud Firewall Insights Service Agent):

compute.networks.getEffectiveFirewalls
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Advisory Notifications Added advisorynotifications.notifications.get
advisorynotifications.notifications.list
Analytics Hub Added analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Analytics Hub Supported In Custom Roles analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Apigee Added apigee.keyvaluemapentries.list
Apigee Supported In Custom Roles apigee.keyvaluemapentries.list
Apigee Now GA apigee.keyvaluemapentries.list
Artifact Registry Added artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Supported In Custom Roles artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Now GA artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
BigQuery Added bigquery.tables.createIndex
bigquery.tables.deleteIndex
BigQuery Supported In Custom Roles bigquery.tables.createIndex
bigquery.tables.deleteIndex
Compute Engine Added compute.backendBuckets.setSecurityPolicy
Compute Engine Now GA compute.backendBuckets.setSecurityPolicy
Datastore Supported In Custom Roles datastore.databases.create
datastore.databases.getMetadata
datastore.databases.list
datastore.databases.update
Cloud Domains Added domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Cloud Domains Now GA domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Retail API Added retail.retailProjects.get
Cloud Run Added run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Supported In Custom Roles run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Now GA run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings

Cloud IAM changes as of 2022-03-18

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.editor (Assured Workloads Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.reader (Assured Workloads Reader):

assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsadmin (Luns Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsviewer (Luns Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesadmin (NFS Shares Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfsshareseditor (NFS Shares Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesviewer (NFS Shares Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesadmin (Volume Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumeseditor (Volumes Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumessviewer (Volumes Viewer) is now GA.

Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.instances.start
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

assuredworkloads.violations.list
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

assuredworkloads.violations.get
assuredworkloads.violations.list
Recommender Now GA

The role roles/recommender.dataflowDiagnosticsAdmin (Dataflow Diagnostics Admin) is now GA.

Recommender Now GA

The role roles/recommender.dataflowDiagnosticsViewer (Dataflow Diagnostics Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Added assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Added baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Now GA baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Recommender Added recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Supported In Custom Roles recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Now GA recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update

Cloud IAM changes as of 2022-03-11

Service Change Description
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.list
Edge Container Now GA

The role roles/edgecontainer.admin (Edge Container Admin) is now GA.

Edge Container Now GA

The role roles/edgecontainer.machineUser (Edge Container Machine User) is now GA.

Edge Container Now GA

The role roles/edgecontainer.viewer (Edge Container Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

servicedirectory.networks.attach
Backup for GKE Now GA

The role roles/gkebackup.serviceAgent (Backup for GKE Service Agent) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

servicedirectory.networks.attach
Retail API Role Updated

The following permissions have been added to the role roles/retail.viewer (Retail Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Edge Container Added edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Edge Container Supported In Custom Roles edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Edge Container Now GA edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Retail API Added retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.batchRemoveCatalogAttributes
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.removeCatalogAttribute
retail.attributesConfigs.replaceCatalogAttribute
retail.controls.export
retail.controls.import
Storage Transfer Service Added storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report
Storage Transfer Service Now GA storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report

Cloud IAM changes as of 2022-03-04

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityAdmin (Apigee Security Admin):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityViewer (Apigee Security Viewer):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

dataplex.operations.get
dataplex.operations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

storage.buckets.list
FleetEngine Now GA

The role roles/fleetengine.deliveryConsumer (Fleet Engine Delivery Consumer User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryFleetReader (Fleet Engine Delivery Fleet Reader User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliverySuperUser (Fleet Engine Delivery Super User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryTrustedDriver (Fleet Engine Delivery Trusted Driver User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryUntrustedDriver (Fleet Engine Delivery Untrusted Driver User) is now GA.

Identity and Access Management Now GA

The role roles/iam.serviceAccountViewer (View Service Accounts) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.domaincontrollerOperator (Google Cloud Managed Identities Domain Controller Operator) is now GA.

Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

iam.serviceAccounts.getAccessToken
AI Platform Added aiplatform.deploymentResourcePools.create
aiplatform.deploymentResourcePools.delete
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.deploymentResourcePools.update
BigQuery Added bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
BigQuery Supported In Custom Roles bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
Cloud Key Management Service Now GA cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
FleetEngine Added fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Supported In Custom Roles fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Now GA fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update

Cloud IAM changes as of 2022-02-25

Service Change Description
Dataform Now GA

The role roles/dataform.serviceAgent (Dataform Service Agent) is now GA.

Firestore Role Updated

The following permissions have been added to the role roles/firestore.serviceAgent (Firestore Service Agent):

storage.objects.delete
KRM API Hosting Now GA

The role roles/krmapihosting.admin (Config Controller Admin) is now GA.

KRM API Hosting Now GA

The role roles/krmapihosting.viewer (Config Controller Viewer) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupAdmin (Google Cloud Managed Identities Backup Admin) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupViewer (Google Cloud Managed Identities Backup Viewer) is now GA.

Dataform Now GA

The role roles/sqlx.serviceAgent (Dataform Service Agent) is now GA.

Dialogflow Added dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Dialogflow Now GA dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Cloud Data Loss Prevention Added dlp.locations.get
dlp.locations.list
Cloud Data Loss Prevention Supported In Custom Roles dlp.locations.get
dlp.locations.list
Cloud Data Loss Prevention Now GA dlp.locations.get
dlp.locations.list
Eventarc Added eventarc.providers.get
eventarc.providers.list
Eventarc Supported In Custom Roles eventarc.providers.get
eventarc.providers.list
Eventarc Now GA eventarc.providers.get
eventarc.providers.list
KRM API Hosting Now GA krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Managed Service for Microsoft Active Directory Added managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Now GA managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore

Cloud IAM changes as of 2022-02-18

Service Change Description
Datastore Role Updated

The following permissions have been added to the role roles/datastore.importExportAdmin (Cloud Datastore Import Export Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.indexAdmin (Cloud Datastore Index Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer):

datastore.databases.getMetadata
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

appengine.applications.get
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.fullView
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

gkehub.fleet.create
gkehub.fleet.get
Binary Authorization Added binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Binary Authorization Supported In Custom Roles binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Compute Engine Added compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
Compute Engine Now GA compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
KRM API Hosting Added krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
KRM API Hosting Supported In Custom Roles krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Cloud OS Config Added osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Cloud OS Config Now GA osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Service Networking Added servicenetworking.services.use

Cloud IAM changes as of 2022-02-11

Service Change Description
AI Platform Role Added

The role roles/aiplatform.tensorboardWebAppUser (Vertex AI Tensorboard Web App User) has been added with the following permissions:

aiplatform.googleapis.com/tensorboards.recordAccess
aiplatform.tensorboards.recordAccess
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.tensorboards.recordAccess
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.get
compute.subnetworks.get
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.assets.exportResource
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

datastore.databases.getMetadata
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

serviceusage.services.use
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

datastore.databases.getMetadata
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.use
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallAdmin (Firewall Recommender Admin):

monitoring.timeSeries.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallViewer (Firewall Recommender Viewer):

monitoring.timeSeries.list
Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsEditor (Security Center BigQuery Exports Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsViewer (Security Center BigQuery Exports Viewer) is now GA.

Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.tensorboards.recordAccess
AI Platform Added aiplatform.tensorboards.recordAccess
Cloud Healthcare API Added healthcare.nlpservice.analyzeEntities
Cloud Healthcare API Now GA healthcare.nlpservice.analyzeEntities
Dataproc Metastore Added metastore.services.use
Dataproc Metastore Supported In Custom Roles metastore.services.use
Security Command Center Added securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Supported In Custom Roles securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Now GA securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Cloud TPU Added tpu.nodes.update
Cloud TPU Supported In Custom Roles tpu.nodes.update
Cloud TPU Now GA tpu.nodes.update

Cloud IAM changes as of 2022-01-28

Service Change Description
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Dataplex Now GA

The role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent) is now GA.

Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

bigquery.config.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.get
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Data Pipelines Added datapipelines.jobs.list
Data Pipelines Supported In Custom Roles datapipelines.jobs.list
Data Pipelines Now GA datapipelines.jobs.list
Dataproc Added dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Supported In Custom Roles dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Now GA dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Identity and Access Management Supported In Custom Roles iam.denypolicies.get
iam.denypolicies.list
Dataproc Metastore Added metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Dataproc Metastore Supported In Custom Roles metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Workflows Added workflows.callbacks.send
Workflows Supported In Custom Roles workflows.callbacks.send
Workflows Now GA workflows.callbacks.send

Cloud IAM changes as of 2022-01-14

Service Change Description
Data Catalog Now GA

The role roles/datacatalog.categoryAdmin (Policy Tag Admin) is now GA.

Data Catalog Now GA

The role roles/datacatalog.categoryFineGrainedReader (Fine-Grained Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.admin (Dataplex Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.dataOwner (Dataplex Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.dataReader (Dataplex Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.dataWriter (Dataplex Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.developer (Dataplex Developer) is now GA.

Dataplex Now GA

The role roles/dataplex.editor (Dataplex Editor) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataReader (Dataplex Metadata Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataWriter (Dataplex Metadata Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataOwner (Dataplex Storage Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataReader (Dataplex Storage Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataWriter (Dataplex Storage Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.viewer (Dataplex Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

artifactregistry.packages.delete
Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentAdmin (OSPolicyAssignment Admin) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentEditor (OSPolicyAssignment Editor) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentReportViewer (OSPolicyAssignmentReport Viewer) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentViewer (OSPolicyAssignment Viewer) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilAdmin (Project Utilization Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilViewer (Project Utilization Recommender Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityResponseServiceAgent (Google Cloud Security Response Service Agent):

compute.instances.get
Cloud Functions Added cloudfunctions.runtimes.list
Cloud Functions Now GA cloudfunctions.runtimes.list
Cloud Key Management Service Added cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
Data Catalog Supported In Custom Roles datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Data Catalog Now GA datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Dataflow Supported In Custom Roles dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataflow Now GA dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataplex Added dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Supported In Custom Roles dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Now GA dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Eventarc Added eventarc.events.receiveEvent
Eventarc Now GA eventarc.events.receiveEvent
Cloud OS Config Now GA osconfig.osPolicyAssignmentReports.get
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
Recommender Now GA recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationInsights.update
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.update
Security Command Center Added securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Supported In Custom Roles securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Now GA securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update

Cloud IAM changes as of 2021-12-03

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.namespaces.create
Apigee Now GA

The role roles/apigee.apiAdminV2 (Apigee API Admin) is now GA.

Apigee Now GA

The role roles/apigee.apiReaderV2 (Apigee API Reader) is now GA.

Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

orgpolicy.policy.get
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
orgpolicy.policy.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

orgpolicy.policy.get
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

orgpolicy.policy.get
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

orgpolicy.policy.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

orgpolicy.policy.get
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

orgpolicy.policy.get
Cloud Data Loss Prevention Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

orgpolicy.policy.get
AI Platform Role Updated

The following permissions have been added to the role roles/ml.serviceAgent (AI Platform Service Agent):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.admin (Storage Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.hmacKeyAdmin (Storage HMAC Key Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectCreator (Storage Object Creator):

orgpolicy.policy.get
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

orgpolicy.policy.get
Certificate Manager Added certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Certificate Manager Supported In Custom Roles certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Compute Engine Added compute.commitments.update
Compute Engine Supported In Custom Roles compute.commitments.update
Compute Engine Now GA compute.commitments.update
Cloud Commerce Consumer Procurement Added consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Cloud Commerce Consumer Procurement Supported In Custom Roles consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Data Connectors Added dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Data Connectors Supported In Custom Roles dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Dataflow Added dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Network Services Added networkservices.serviceBindings.create
networkservices.serviceBindings.delete
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceBindings.update
VM Migration Added vmmigration.datacenterConnectors.update
VM Migration Supported In Custom Roles vmmigration.datacenterConnectors.update

Cloud IAM changes as of 2021-11-12

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceEditor (Vertex AI Feature Store Resource Editor):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceViewer (Vertex AI Feature Store Resource Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusterRoles.update
Apigee Now GA

The role roles/apigee.securityAdmin (Apigee Security Admin) is now GA.

Apigee Now GA

The role roles/apigee.securityViewer (Apigee Security Viewer) is now GA.

Apigee Role Updated

The following permissions have been added to the role roles/apigee.environmentAdmin (Apigee Environment Admin):

apigee.environments.update
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.loadBalancerAdmin (Compute Load Balancer Admin):

networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
Datastore Now GA

The role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Cloud Data Loss Prevention Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Google Earth Engine Role Updated

The following permissions have been added to the role roles/earthengine.appsPublisher (Earth Engine Apps Publisher):

serviceusage.services.get
Enterprise Knowledge Graph Role Updated

The following permissions have been added to the role roles/enterpriseknowledgegraph.serviceAgent (Enterprise Knowledge Graph Service Agent):

bigquery.readsessions.getData
Firebase App Check Now GA

The role roles/firebaseappcheck.serviceAgent (Firebase App Check Service Agent) is now GA.

Anthos Multi-Cloud Now GA

The role roles/gkemulticloud.admin (Anthos Multi-cloud Admin) is now GA.

Anthos Multi-Cloud Now GA

The role roles/gkemulticloud.telemetryWriter (Anthos Multi-cloud Telemetry Writer) is now GA.

Anthos Multi-Cloud Now GA

The role roles/gkemulticloud.viewer (Anthos Multi-cloud Viewer) is now GA.

Dataproc Metastore Role Updated

The following permissions have been added to the role roles/metastore.serviceAgent (Dataproc Metastore Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Monitoring Role Updated

The following permissions have been added to the role roles/monitoring.notificationServiceAgent (Monitoring Service Agent):

servicedirectory.networks.access
servicedirectory.services.resolve
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.subnetworks.use
Network Connectivity Center Role Updated

The following permissions have been added to the role roles/networkconnectivity.spokeAdmin (Spoke Admin):

networkconnectivity.operations.get
networkconnectivity.operations.list
Security Command Center Now GA

The role roles/securitycenter.externalSystemsEditor (Security Center External Systems Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.findingsBulkMuteEditor (Security Center Findings Bulk Mute Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.findingsMuteSetter (Security Center Findings Mute Setter) is now GA.

Security Command Center Now GA

The role roles/securitycenter.muteConfigsEditor (Security Center Mute Configurations Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.muteConfigsViewer (Security Center Mute Configurations Viewer) is now GA.

Web Security Scanner Role Updated

The following permissions have been added to the role roles/websecurityscanner.serviceAgent (Cloud Web Security Scanner Service Agent):

cloudasset.assets.listResource
AI Platform Added aiplatform.tensorboardRuns.batchCreate
aiplatform.tensorboardTimeSeries.batchCreate
aiplatform.tensorboardTimeSeries.batchRead
Apigee Added apigee.developerbalances.adjust
Apigee Supported In Custom Roles apigee.developerbalances.adjust
Apigee Now GA apigee.developerbalances.adjust
Artifact Registry Added artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
Artifact Registry Now GA artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
Compute Engine Added compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings
Compute Engine Now GA compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listTagBindings
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings
Datastore Added datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
Datastore Now GA datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
Datastream Added datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
Document AI Added documentai.datasetSchemas.get
documentai.datasetSchemas.update
documentai.datasets.get
documentai.datasets.update
documentai.processorTypes.get
Firebase App Check Added firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
GKE Hub Added gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update
GKE Hub Now GA gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update
Anthos Multi-Cloud Added gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.azureClusters.generateAccessToken
Anthos Multi-Cloud Now GA gkemulticloud.awsClusters.create
gkemulticloud.awsClusters.delete
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.getAdminKubeconfig
gkemulticloud.awsClusters.list
gkemulticloud.awsClusters.update
gkemulticloud.awsNodePools.create
gkemulticloud.awsNodePools.delete
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsNodePools.update
gkemulticloud.awsServerConfigs.get
gkemulticloud.azureClients.create
gkemulticloud.azureClients.delete
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.create
gkemulticloud.azureClusters.delete
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.getAdminKubeconfig
gkemulticloud.azureClusters.list
gkemulticloud.azureClusters.update
gkemulticloud.azureNodePools.create
gkemulticloud.azureNodePools.delete
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureNodePools.update
gkemulticloud.azureServerConfigs.get
gkemulticloud.operations.cancel
gkemulticloud.operations.delete
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
Identity and Access Management Added iam.denypolicies.create
iam.denypolicies.delete
iam.denypolicies.get
iam.denypolicies.list
iam.denypolicies.replace
iam.denypolicies.update
Identity and Access Management Added iam.googleapis.com/denypolicies.create
iam.googleapis.com/denypolicies.delete
iam.googleapis.com/denypolicies.get
iam.googleapis.com/denypolicies.list
iam.googleapis.com/denypolicies.replace
Cloud Run Added run.operations.delete
run.operations.get
run.operations.list
Cloud Run Now GA run.operations.delete
run.operations.get
run.operations.list
Security Command Center Added securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Command Center Supported In Custom Roles securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Command Center Now GA securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.setMute
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Video Stitcher API Added videostitcher.cdnKeys.create
videostitcher.cdnKeys.delete
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.cdnKeys.update
videostitcher.liveAdTagDetails.get
videostitcher.liveAdTagDetails.list
videostitcher.liveSessions.create
videostitcher.liveSessions.get
videostitcher.slates.create
videostitcher.slates.delete
videostitcher.slates.get
videostitcher.slates.list
videostitcher.slates.update
videostitcher.vodAdTagDetails.get
videostitcher.vodAdTagDetails.list
videostitcher.vodSessions.create
videostitcher.vodSessions.get
videostitcher.vodStitchDetails.get
videostitcher.vodStitchDetails.list

Cloud IAM changes as of 2021-10-22

Service Change Description
Anthos Support Now GA

The role roles/anthossupport.serviceAgent (Anthos Support Service Agent) is now GA.

Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

source.repos.get
source.repos.list
Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyDecrypterViaDelegation (Cloud KMS CryptoKey Decrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation (Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.cryptoKeyEncrypterViaDelegation (Cloud KMS CryptoKey Encrypter Via Delegation) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.expertRawPKCS1 (Cloud KMS Expert Raw PKCS#1 Key Manager) is now GA.

Cloud Key Management Service Now GA

The role roles/cloudkms.viewer (Cloud KMS Viewer) is now GA.

Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

dataproc.operations.cancel
Data Pipelines Now GA

The role roles/datapipelines.admin (Data pipelines Admin) is now GA.

Data Pipelines Now GA

The role roles/datapipelines.invoker (Data pipelines Invoker) is now GA.

Data Pipelines Now GA

The role roles/datapipelines.viewer (Data pipelines Viewer) is now GA.

Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.editor (Dataproc Editor):

dataproc.operations.cancel
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.update
Customer Usage Data Processing Now GA

The role roles/dataprocessing.dataSourceManager (Data Processing Controls Data Source Manager) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

storage.objects.create
Cloud Domains Now GA

The role roles/domains.admin (Cloud Domains Admin) is now GA.

Cloud Domains Now GA

The role roles/domains.viewer (Cloud Domains Viewer) is now GA.

Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

iam.serviceAccounts.actAs
Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.peeringAdmin (Google Cloud Managed Identities Peering Admin) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.peeringViewer (Google Cloud Managed Identities Peering Viewer) is now GA.

Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.useInternal
Security Command Center Now GA

The role roles/securitycenter.securityResponseServiceAgent (Google Cloud Security Response Service Agent) is now GA.

Cloud Key Management Service Added
cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Cloud Key Management Service Supported In Custom Roles
cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Cloud Key Management Service Now GA
cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
Compute Engine Added
compute.reservations.update
Compute Engine Supported In Custom Roles
compute.reservations.update
Data Pipelines Now GA
datapipelines.pipelines.create
datapipelines.pipelines.delete
datapipelines.pipelines.get
datapipelines.pipelines.list
datapipelines.pipelines.run
datapipelines.pipelines.stop
datapipelines.pipelines.update
Cloud Domains Supported In Custom Roles
domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
Cloud Domains Now GA
domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
domains.registrations.configureContact
domains.registrations.configureDns
domains.registrations.configureManagement
domains.registrations.create
domains.registrations.delete
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.setIamPolicy
domains.registrations.update
Firebase Cloud Messaging Added
firebasecloudmessaging.messages.create
Managed Service for Microsoft Active Directory Now GA
managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update
reCAPTCHA Enterprise Added
recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list

Cloud IAM changes as of 2021-10-01

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (Vertex AI Service Agent):

compute.machineTypes.get
dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list
Artifact Registry Role Updated

The following permissions have been added to the role roles/artifactregistry.serviceAgent (Artifact Registry Service Agent):

artifactregistry.repositories.downloadArtifacts
Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Connectors Now GA

The role roles/connectors.admin (Connector Admin) is now GA.

Connectors Now GA

The role roles/connectors.viewer (Connectors Viewer) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.servic