IAM permissions change log

This page describes changes to the public IAM permissions for all Generally Available and Beta services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

Upcoming Cloud IAM changes for the week of 2022-08-01

Service Change Description
Artifact Registry Role Updated

The following permissions have been added to the role roles/artifactregistry.serviceAgent (Artifact Registry Service Agent):

artifactregistry.versions.delete
Backup and Disaster Recovery Now GA

The role roles/backupdr.admin (Backup and DR Admin) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.user (Backup and DR User) is now GA.

Backup and Disaster Recovery Now GA

The role roles/backupdr.viewer (Backup and DR Viewer) is now GA.

Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

container.customResourceDefinitions.list
Backup and Disaster Recovery Added backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Backup and Disaster Recovery Supported In Custom Roles backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Backup and Disaster Recovery Now GA backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageInternalACL
backupdr.managementServers.setIamPolicy
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list
Commerce Offer Catalog Added commerceoffercatalog.documents.get
Cloud Commerce Consumer Procurement Added consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
Maps Admin Added mapsadmin.styleSnapshots.list
mapsadmin.styleSnapshots.update
Maps Admin Now GA mapsadmin.styleSnapshots.list
mapsadmin.styleSnapshots.update

Cloud IAM changes as of 2022-07-29

Service Change Description
Network Management API Role Updated

The following permissions have been added to the role roles/networkmanagement.admin (Network Management Admin):

resourcemanager.organizations.get
Network Management API Role Updated

The following permissions have been added to the role roles/networkmanagement.viewer (Network Management Viewer):

resourcemanager.organizations.get
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

compute.networks.get
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

compute.networks.get
Assured Workloads Added assuredworkloads.violations.update
Assured Workloads Supported In Custom Roles assuredworkloads.violations.update
Assured Workloads Now GA assuredworkloads.violations.update
Cloud Asset Inventory Added cloudasset.assets.exportOSInventories
Cloud Asset Inventory Supported In Custom Roles cloudasset.assets.exportOSInventories
Cloud Asset Inventory Now GA cloudasset.assets.exportOSInventories
Translation Added cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
Translation Supported In Custom Roles cloudtranslate.glossaries.update
Translation Now GA cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
Compute Engine Added compute.regionTargetHttpsProxies.update
compute.targetHttpsProxies.update
Compute Engine Now GA compute.regionTargetHttpsProxies.update
compute.targetHttpsProxies.update
Timeseries Insights Added timeseriesinsights.locations.get
timeseriesinsights.locations.list
Timeseries Insights Supported In Custom Roles timeseriesinsights.locations.get
timeseriesinsights.locations.list

Cloud IAM changes as of 2022-07-22

Service Change Description
Cloud Billing Role Updated

The following permissions have been added to the role roles/billing.admin (Billing Account Administrator):

cloudsupport.properties.get
cloudsupport.techCases.create
cloudsupport.techCases.escalate
cloudsupport.techCases.get
cloudsupport.techCases.list
cloudsupport.techCases.update
resourcemanager.projects.get
resourcemanager.projects.list
Workload Certificate Role Updated

The following permissions have been added to the role roles/workloadcertificate.serviceAgent (Workload Certificate Service Agent):

container.customResourceDefinitions.create
container.customResourceDefinitions.get
container.customResourceDefinitions.list
Bare Metal Solution Added baremetalsolution.volumes.resize
Bare Metal Solution Supported In Custom Roles baremetalsolution.volumes.resize
Bare Metal Solution Now GA baremetalsolution.volumes.resize
Eventarc Added eventarc.channels.attach
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
Eventarc Supported In Custom Roles eventarc.channels.attach
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
Firebase Realtime Database Added firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Firebase Realtime Database Supported In Custom Roles firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Firebase Realtime Database Now GA firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
Retail API Added retail.servingConfigs.predict
retail.servingConfigs.search

Cloud IAM changes as of 2022-07-15

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy
Google Kubernetes Engine Now GA

The role roles/container.nodeServiceAgent (Kubernetes Engine Node Service Agent) is now GA.

Eventarc Role Updated

The following permissions have been added to the role roles/eventarc.serviceAgent (Eventarc Service Agent):

cloudfunctions.functions.get
Identity-Aware Proxy Now GA

The role roles/iap.tunnelDestGroupEditor (IAP-secured Tunnel Destination Group Editor) is now GA.

Identity-Aware Proxy Now GA

The role roles/iap.tunnelDestGroupViewer (IAP-secured Tunnel Destination Group Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.certificateViewer (Certificate Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationAdmin (Application Integration Admin) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationDeployer (Application Integration Deployer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationEditor (Application Integration Editor) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationInvoker (Application Integration Invoker) is now GA.

Cloud Integrations Now GA

The role roles/integrations.integrationViewer (Application Integration Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceAdmin (Application Integration SFDC Instance Admin) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceEditor (Application Integration SFDC Instance Editor) is now GA.

Cloud Integrations Now GA

The role roles/integrations.sfdcInstanceViewer (Application Integration SFDC Instance Viewer) is now GA.

Cloud Integrations Now GA

The role roles/integrations.suspensionResolver (Application Integration Suspension Resolver) is now GA.

Anthos Service Mesh control plane Role Updated

The following permissions have been added to the role roles/meshcontrolplane.serviceAgent (Mesh Managed Control Plane Service Agent):

container.clusters.update
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy
AI Platform Added aiplatform.entityTypes.deleteFeatureValues
BeyondCorp Enterprise Added beyondcorp.appConnections.create
beyondcorp.appConnections.delete
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnections.update
beyondcorp.appConnectors.create
beyondcorp.appConnectors.delete
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.reportStatus
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appConnectors.update
beyondcorp.appGateways.create
beyondcorp.appGateways.delete
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.appGateways.update
beyondcorp.clientConnectorServices.access
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy
beyondcorp.locations.get
beyondcorp.locations.list
beyondcorp.operations.cancel
beyondcorp.operations.delete
beyondcorp.operations.get
beyondcorp.operations.list
BeyondCorp Enterprise Supported In Custom Roles beyondcorp.appConnections.create
beyondcorp.appConnections.delete
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnections.update
beyondcorp.appConnectors.create
beyondcorp.appConnectors.delete
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.reportStatus
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appConnectors.update
beyondcorp.appGateways.create
beyondcorp.appGateways.delete
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.appGateways.update
beyondcorp.clientConnectorServices.access
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy
beyondcorp.locations.get
beyondcorp.locations.list
beyondcorp.operations.cancel
beyondcorp.operations.delete
beyondcorp.operations.get
beyondcorp.operations.list
Identity-Aware Proxy Now GA iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Cloud Integrations Added integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve
Cloud Integrations Now GA integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve
Secured Landing Zone Added securedlandingzone.operations.get
securedlandingzone.overwatches.activate
securedlandingzone.overwatches.create
securedlandingzone.overwatches.delete
securedlandingzone.overwatches.get
securedlandingzone.overwatches.list
securedlandingzone.overwatches.suspend
securedlandingzone.overwatches.update
Secured Landing Zone Supported In Custom Roles securedlandingzone.overwatches.activate
securedlandingzone.overwatches.suspend

Cloud IAM changes as of 2022-06-24

Service Change Description
Anthos Config Management Role Updated

The following permissions have been added to the role roles/anthosconfigmanagement.serviceAgent (Anthos Config Management Service Agent):

container.clusters.get
Batch API Now GA

The role roles/batch.serviceAgent (Google Batch Service Agent) is now GA.

Firebase Test Lab Role Updated

The following permissions have been added to the role roles/cloudtestservice.testAdmin (Firebase Test Lab Admin):

storage.objects.delete
Apigee Added apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats
Apigee Now GA apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

Cloud IAM changes as of 2022-06-17

Service Change Description
Care Studio Now GA

The role roles/carestudio.viewer (Care Studio Patients Viewer) is now GA.

Translation Role Updated

The following permissions have been added to the role roles/cloudtranslate.serviceAgent (Cloud Translation API Service Agent):

automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.models.get
automl.models.list
automl.operations.get
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

resourcemanager.projects.getIamPolicy
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Cloud DNS Role Updated

The following permissions have been added to the role roles/dns.admin (DNS Administrator):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Document AI Role Updated

The following permissions have been added to the role roles/documentaicore.serviceAgent (DocumentAI Core Service Agent):

documentai.humanReviewConfigs.review
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Cloud Integrations Role Updated

The following permissions have been added to the role roles/integrations.serviceAgent (Integrations Service Agent):

pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.update
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.update
pubsub.topics.updateTag
Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
Basic Role Role Updated

The following permissions have been removed from the role roles/viewer (Viewer):

apigee.archivedeployments.upload
Bare Metal Solution Added baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Supported In Custom Roles baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Bare Metal Solution Now GA baremetalsolution.instancequotas.list
baremetalsolution.networkquotas.list
baremetalsolution.volumequotas.list
Batch API Added batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
Batch API Supported In Custom Roles batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list
batch.locations.get
batch.locations.list
batch.operations.get
batch.operations.list
batch.states.report
batch.tasks.get
batch.tasks.list
BigQuery Supported In Custom Roles bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
Cloud Bigtable Added bigtable.tables.undelete
Cloud Bigtable Now GA bigtable.tables.undelete
Care Studio Now GA carestudio.patients.get
carestudio.patients.list
Cloud Integrations Added integrations.apigeeSuspensions.lift
Cloud Integrations Now GA integrations.apigeeSuspensions.lift
Service Networking Added servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Service Networking Supported In Custom Roles servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.listPeeredDnsDomains
Timeseries Insights Added timeseriesinsights.datasets.create
timeseriesinsights.datasets.delete
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.datasets.update

Cloud IAM changes as of 2022-06-10

Service Change Description
App Engine Role Updated

The following permissions have been added to the role roles/appengine.appAdmin (App Engine Admin):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.admin (Dataplex Administrator):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

cloudasset.assets.analyzeIamPolicy
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

cloudasset.assets.analyzeIamPolicy
Cloud Integrations Now GA

The role roles/integrations.serviceAgent (Integrations Service Agent) is now GA.

Dataproc Metastore Now GA

The role roles/metastore.federationAccessor (Metastore Federation Accessor) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagAdmin (Tag Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagHoldAdmin (Tag Hold Administrator) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagUser (Tag User) is now GA.

Resource Manager Now GA

The role roles/resourcemanager.tagViewer (Tag Viewer) is now GA.

Access Approval Added accessapproval.requests.invalidate
Access Approval Supported In Custom Roles accessapproval.requests.invalidate
AlloyDB for PostgreSQL Added alloydb.backups.create
alloydb.backups.delete
alloydb.backups.get
alloydb.backups.list
alloydb.backups.update
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.failover
alloydb.instances.get
alloydb.instances.list
alloydb.instances.restart
alloydb.instances.update
alloydb.locations.get
alloydb.locations.list
alloydb.operations.cancel
alloydb.operations.delete
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
Artifact Registry Added artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
Artifact Registry Now GA artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
AutoML Added automl.files.delete
automl.files.list
Bare Metal Solution Added baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Bare Metal Solution Now GA baremetalsolution.instances.attachVolume
baremetalsolution.instances.detachVolume
Cloud Billing Added billing.accounts.getCarbonInformation
Cloud Billing Supported In Custom Roles billing.accounts.getCarbonInformation
Cloud Billing Now GA billing.accounts.getCarbonInformation
Google Cloud Deploy Added clouddeploy.releases.abandon
Google Cloud Deploy Supported In Custom Roles clouddeploy.releases.abandon
Commerce Price Management Added commerceprice.privateoffers.cancel
Commerce Price Management Supported In Custom Roles commerceprice.privateoffers.cancel
Datastream Added datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
Cloud DNS Added dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Cloud DNS Supported In Custom Roles dns.managedZones.getIamPolicy
dns.managedZones.setIamPolicy
Identity and Access Management Added iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Supported In Custom Roles iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Identity and Access Management Now GA iam.serviceAccountKeys.disable
iam.serviceAccountKeys.enable
Dataproc Metastore Added metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Supported In Custom Roles metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Dataproc Metastore Now GA metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use
Resource Manager Now GA resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcemanager.tagValues.update

Cloud IAM changes as of 2022-05-27

Service Change Description
AlloyDB for PostgreSQL Now GA

The role roles/alloydb.serviceAgent (AlloyDB Service Agent) is now GA.

Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.images.useReadOnly
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.createTagBinding
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.updateDisplayDevice
compute.machineImages.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.subnetworks.useExternalIp
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.worker (Dataflow Worker):

monitoring.timeSeries.create
Live Stream Role Updated

The following permissions have been added to the role roles/livestream.serviceAgent (Live Stream Service Agent):

storage.objects.get
storage.objects.list
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.subnetworks.get
compute.subnetworks.use
AI Platform Added aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.setIamPolicy
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.setIamPolicy
Container Security Added containersecurity.locations.get
containersecurity.locations.list
Network Management API Added networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Supported In Custom Roles networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Management API Now GA networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
Network Services Added networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
Network Services Supported In Custom Roles networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use
reCAPTCHA Enterprise Added recaptchaenterprise.keys.retrievelegacysecretkey
Transfer Appliance Added transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update
Transfer Appliance Supported In Custom Roles transferappliance.appliances.create
transferappliance.appliances.delete
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.appliances.update
transferappliance.locations.get
transferappliance.locations.list
transferappliance.operations.cancel
transferappliance.operations.delete
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.create
transferappliance.orders.delete
transferappliance.orders.get
transferappliance.orders.list
transferappliance.orders.update

Cloud IAM changes as of 2022-05-20

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
Backup for GKE Role Updated

The following permissions have been added to the role roles/gkebackup.serviceAgent (Backup for GKE Service Agent):

compute.disks.list
compute.disks.setLabels
AI Platform Added aiplatform.humanInTheLoops.queryAnnotationStats
Bare Metal Solution Added baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Supported In Custom Roles baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
Bare Metal Solution Now GA baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.update
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
BigQuery Added bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
BigQuery Supported In Custom Roles bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listTagBindings
Recommender Added recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Recommender Supported In Custom Roles recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update
Service Security Insights Added servicesecurityinsights.securityInfo.list
Service Security Insights Supported In Custom Roles servicesecurityinsights.securityInfo.list

Cloud IAM changes as of 2022-05-13

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

logging.cmekSettings.update
Maps Admin Now GA

The role roles/mapsadmin.admin (Maps API Admin) is now GA.

Maps Admin Now GA

The role roles/mapsadmin.viewer (Maps API Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

orgpolicy.policies.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

orgpolicy.policies.list
Service Security Insights Role Added

The role roles/servicesecurityinsights.securityInsightsViewer (Security Insights Viewer) has been added with the following permissions:

servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.clusters.get
servicesecurityinsights.clusters.list
servicesecurityinsights.googleapis.com/clusterSecurityInfo.get
servicesecurityinsights.googleapis.com/clusterSecurityInfo.list
servicesecurityinsights.googleapis.com/clusters.get
servicesecurityinsights.googleapis.com/clusters.list
servicesecurityinsights.googleapis.com/locations.get
servicesecurityinsights.googleapis.com/locations.list
servicesecurityinsights.googleapis.com/namespaces.get
servicesecurityinsights.googleapis.com/namespaces.list
servicesecurityinsights.googleapis.com/policies.get
servicesecurityinsights.googleapis.com/policyTypes.get
servicesecurityinsights.googleapis.com/policyTypes.list
servicesecurityinsights.googleapis.com/projectStates.get
servicesecurityinsights.googleapis.com/securityInfo.list
servicesecurityinsights.googleapis.com/securityViews.get
servicesecurityinsights.googleapis.com/workloadPolicies.list
servicesecurityinsights.googleapis.com/workloadSecurityInfo.get
servicesecurityinsights.googleapis.com/workloadTypes.get
servicesecurityinsights.googleapis.com/workloadTypes.list
servicesecurityinsights.googleapis.com/workloads.get
servicesecurityinsights.googleapis.com/workloads.list
servicesecurityinsights.locations.get
servicesecurityinsights.locations.list
servicesecurityinsights.namespaces.get
servicesecurityinsights.namespaces.list
servicesecurityinsights.policies.get
servicesecurityinsights.policyTypes.get
servicesecurityinsights.policyTypes.list
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityInfo.list
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get
servicesecurityinsights.workloadTypes.get
servicesecurityinsights.workloadTypes.list
servicesecurityinsights.workloads.get
servicesecurityinsights.workloads.list
Apigee Added apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Supported In Custom Roles apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Apigee Now GA apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
Artifact Registry Added artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Supported In Custom Roles artifactregistry.locations.get
artifactregistry.locations.list
Artifact Registry Now GA artifactregistry.locations.get
artifactregistry.locations.list
Care Studio Added carestudio.patients.get
carestudio.patients.list
Identity-Aware Proxy Added iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Identity-Aware Proxy Supported In Custom Roles iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelDestGroups.update
iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy
Maps Admin Added mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Supported In Custom Roles mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Maps Admin Now GA mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
Certificate Authority Service Added privateca.caPools.use
Certificate Authority Service Now GA privateca.caPools.use

Cloud IAM changes as of 2022-05-06

Service Change Description
Cloud Billing Now GA

The role roles/billing.carbonViewer (Carbon Footprint Viewer) is now GA.

Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.developer (Cloud Functions Developer):

run.operations.delete
run.operations.get
run.operations.list
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

run.operations.delete
run.operations.get
run.operations.list
Firebase App Check Now GA

The role roles/firebaseappcheck.admin (Firebase App Check Admin) is now GA.

Firebase App Check Now GA

The role roles/firebaseappcheck.viewer (Firebase App Check Viewer) is now GA.

Recommender Now GA

The role roles/recommender.gmpAdmin (Google Maps Platform Insights/Recommendations Admin) is now GA.

Recommender Now GA

The role roles/recommender.gmpViewer (Google Maps Platform Insights/Recommendations Viewer) is now GA.

Cloud Run Role Updated

The following permissions have been added to the role roles/run.developer (Cloud Run Developer):

run.operations.delete
run.operations.get
run.operations.list
Container Security Added containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Container Security Supported In Custom Roles containersecurity.clusterSummaries.list
containersecurity.workloadConfigAudits.list
Eventarc Added eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Eventarc Supported In Custom Roles eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
Firebase App Check Added firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
Firebase App Check Now GA firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.extendSchema
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.domains.extendSchema
Recommender Added recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Supported In Custom Roles recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Recommender Now GA recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementInsights.update
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectManagementRecommendations.update
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsInsights.update
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.gmpProjectProductSuggestionsRecommendations.update
recommender.gmpProjectQuotaInsights.get
recommender.gmpProjectQuotaInsights.list
recommender.gmpProjectQuotaInsights.update
recommender.gmpProjectQuotaRecommendations.get
recommender.gmpProjectQuotaRecommendations.list
recommender.gmpProjectQuotaRecommendations.update
Cloud Run Added run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Cloud Run Supported In Custom Roles run.jobs.run
run.jobs.update
Cloud Run Now GA run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.setIamPolicy
run.jobs.update
run.tasks.get
run.tasks.list
Service Security Insights Added servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.policies.get
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get

Cloud IAM changes as of 2022-04-29

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiAdminV2 (Apigee API Admin):

apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
Content Warehouse Role Updated

The following permissions have been removed from the role roles/contentwarehouse.documentEditor (Content Warehouse Document Editor):

contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.setIamPolicy
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
serviceusage.services.use
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

iam.serviceAccounts.actAs
Speech-to-Text Role Updated

The following permissions have been added to the role roles/speech.client (Cloud Speech Client):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Apigee Added apigee.datalocation.get
Apigee Supported In Custom Roles apigee.datalocation.get
Apigee Now GA apigee.datalocation.get
Compute Engine Added compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Compute Engine Now GA compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listTagBindings
Eventarc Added eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Eventarc Supported In Custom Roles eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
Firebase App Check Added firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Firebase App Check Supported In Custom Roles firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
Recommender Added recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Supported In Custom Roles recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update
Recommender Now GA recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

Cloud IAM changes as of 2022-04-22

Service Change Description
BigQuery Migration API Now GA

The role roles/bigquerymigration.editor (MigrationWorkflow Editor) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.orchestrator (Task Orchestrator) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.translationUser (Migration Translation User) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.viewer (MigrationWorkflow Viewer) is now GA.

BigQuery Migration API Now GA

The role roles/bigquerymigration.worker (Task Worker) is now GA.

Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

serviceusage.services.use
Storage Transfer Service Role Updated

The following permissions have been removed from the role roles/storagetransfer.transferAgent (Storage Transfer Agent):

pubsub.snapshots.seek
BigQuery Migration API Now GA bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Cloud Key Management Service Added cloudkms.keyRings.listEffectiveTags
Cloud Key Management Service Now GA cloudkms.keyRings.listEffectiveTags
Cloud Optimization Added cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud Optimization Supported In Custom Roles cloudoptimization.operations.create
cloudoptimization.operations.get
Cloud SQL Added cloudsql.instances.listEffectiveTags
cloudsql.users.get
Cloud SQL Supported In Custom Roles cloudsql.users.get
Cloud SQL Now GA cloudsql.instances.listEffectiveTags
cloudsql.users.get
Compute Engine Added compute.disks.listEffectiveTags
compute.images.listEffectiveTags
compute.instances.listEffectiveTags
compute.snapshots.listEffectiveTags
Google Kubernetes Engine Added container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Google Kubernetes Engine Now GA container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
Cloud Domains Added domains.registrations.listEffectiveTags
Cloud Domains Now GA domains.registrations.listEffectiveTags
Filestore Added file.backups.listEffectiveTags
file.instances.listEffectiveTags
file.snapshots.listEffectiveTags
GKE Hub Supported In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Managed Service for Microsoft Active Directory Added managedidentities.domains.listEffectiveTags
Managed Service for Microsoft Active Directory Now GA managedidentities.domains.listEffectiveTags
Recommender Added recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Supported In Custom Roles recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update
Recommender Now GA recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsageInsights.update
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.update
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.update
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.update
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.update
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.update
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.update
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsageInsights.update
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.update
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.computeInstanceNetworkThroughputInsights.update
Resource Manager Added resourcemanager.hierarchyNodes.listEffectiveTags
Cloud Spanner Added spanner.backups.copy
Cloud Spanner Supported In Custom Roles spanner.backups.copy
Cloud Spanner Now GA spanner.backups.copy
Cloud Storage Added storage.buckets.listEffectiveTags
Cloud Storage Now GA storage.buckets.listEffectiveTags

Cloud IAM changes as of 2022-04-15

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

aiplatform.entityTypes.exportFeatureValues
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

aiplatform.entityTypes.exportFeatureValues
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.operations.get
cloudfunctions.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.tasks.create
dataplex.tasks.update
Speech-to-Text Now GA

The role roles/speech.serviceAgent (Cloud Speech-to-Text Service Agent) is now GA.

BigQuery Added bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.maskedGet
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
BigQuery Migration API Added bigquerymigration.locations.get
bigquerymigration.locations.list
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.create
bigquerymigration.subtasks.executeTask
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.translation.translate
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.update
bigquerymigration.workflows.writeLogs
Compute Engine Added compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
Compute Engine Now GA compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list

Cloud IAM changes as of 2022-04-08

Service Change Description
Assured Workloads Role Updated

The following permissions have been removed from the role roles/assuredworkloads.serviceAgent (Assured Workloads Service Agent):

cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.escalate
Recommender Now GA

The role roles/recommender.errorReportingAdmin (Error Reporting Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.errorReportingViewer (Error Reporting Recommender Viewer) is now GA.

Apigee Registry Added apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Apigee Registry Supported In Custom Roles apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update
Anthos clusters on VMware (GKE on-prem) Added gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Anthos clusters on VMware (GKE on-prem) Supported In Custom Roles gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.update
Memorystore for Memcached Added memcache.instances.rescheduleMaintenance
Memorystore for Memcached Supported In Custom Roles memcache.instances.rescheduleMaintenance
Memorystore for Memcached Now GA memcache.instances.rescheduleMaintenance
Recommender Now GA recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Resource Manager Added resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list
Resource Manager Supported In Custom Roles resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagHolds.list

Cloud IAM changes as of 2022-04-01

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.admin (Apigee Organization Admin):

monitoring.timeSeries.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.readOnlyAdmin (Apigee Read-only Admin):

monitoring.timeSeries.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.admin (Bare Metal Solution Admin):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.luns.get
baremetalsolution.luns.list
Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.viewer (Bare Metal Solution Viewer):

baremetalsolution.luns.get
baremetalsolution.luns.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.admin (Dataflow Admin):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.developer (Dataflow Developer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.viewer (Dataflow Viewer):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
Filestore Added file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listTagBindings
GKE Hub Available In Custom Roles gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
Notebooks Added notebooks.runtimes.update
Notebooks Now GA notebooks.runtimes.update

Cloud IAM changes as of 2022-03-25

Service Change Description
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.admin (Recommendations AI Admin):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.adminViewer (Recommendations AI Admin Viewer):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.editor (Recommendations AI Editor):

retail.retailProjects.get
Recommendations AI Role Updated

The following permissions have been added to the role roles/automlrecommendations.viewer (Recommendations AI Viewer):

retail.retailProjects.get
Firewall Insights Role Updated

The following permissions have been added to the role roles/firewallinsights.serviceAgent (Cloud Firewall Insights Service Agent):

compute.networks.getEffectiveFirewalls
Cloud Run Role Updated

The following permissions have been added to the role roles/run.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Cloud Run Role Updated

The following permissions have been added to the role roles/serverless.serviceAgent (Cloud Run Service Agent):

binaryauthorization.platformPolicies.evaluatePolicy
Advisory Notifications Added advisorynotifications.notifications.get
advisorynotifications.notifications.list
Analytics Hub Added analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Analytics Hub Supported In Custom Roles analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.subscribe
analyticshub.listings.update
Apigee Added apigee.keyvaluemapentries.list
Apigee Supported In Custom Roles apigee.keyvaluemapentries.list
Apigee Now GA apigee.keyvaluemapentries.list
Artifact Registry Added artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Supported In Custom Roles artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
Artifact Registry Now GA artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
BigQuery Added bigquery.tables.createIndex
bigquery.tables.deleteIndex
BigQuery Supported In Custom Roles bigquery.tables.createIndex
bigquery.tables.deleteIndex
Compute Engine Added compute.backendBuckets.setSecurityPolicy
Compute Engine Now GA compute.backendBuckets.setSecurityPolicy
Datastore Supported In Custom Roles datastore.databases.create
datastore.databases.getMetadata
datastore.databases.list
datastore.databases.update
Cloud Domains Added domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Cloud Domains Now GA domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
Retail API Added retail.retailProjects.get
Cloud Run Added run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Supported In Custom Roles run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
Cloud Run Now GA run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings

Cloud IAM changes as of 2022-03-18

Service Change Description
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.admin (Assured Workloads Administrator):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.editor (Assured Workloads Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.reader (Assured Workloads Reader):

assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsadmin (Luns Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.lunsviewer (Luns Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesadmin (NFS Shares Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfsshareseditor (NFS Shares Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.nfssharesviewer (NFS Shares Viewer) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumesadmin (Volume Admin) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumeseditor (Volumes Editor) is now GA.

Bare Metal Solution Now GA

The role roles/baremetalsolution.volumessviewer (Volumes Viewer) is now GA.

Bare Metal Solution Role Updated

The following permissions have been added to the role roles/baremetalsolution.editor (Bare Metal Solution Editor):

baremetalsolution.instances.start
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

assuredworkloads.violations.get
assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

assuredworkloads.violations.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

assuredworkloads.violations.list
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

assuredworkloads.violations.get
assuredworkloads.violations.list
Recommender Now GA

The role roles/recommender.dataflowDiagnosticsAdmin (Dataflow Diagnostics Admin) is now GA.

Recommender Now GA

The role roles/recommender.dataflowDiagnosticsViewer (Dataflow Diagnostics Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

assuredworkloads.violations.get
assuredworkloads.violations.list
Assured Workloads Added assuredworkloads.violations.get
assuredworkloads.violations.list
Bare Metal Solution Added baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Supported In Custom Roles baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Bare Metal Solution Now GA baremetalsolution.instances.start
baremetalsolution.instances.update
baremetalsolution.networks.update
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.update
Recommender Added recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Supported In Custom Roles recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingInsights.update
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.errorReportingRecommendations.update
Recommender Now GA recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update

Cloud IAM changes as of 2022-03-11

Service Change Description
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.list
Edge Container Now GA

The role roles/edgecontainer.admin (Edge Container Admin) is now GA.

Edge Container Now GA

The role roles/edgecontainer.machineUser (Edge Container Machine User) is now GA.

Edge Container Now GA

The role roles/edgecontainer.viewer (Edge Container Viewer) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

servicedirectory.networks.attach
Backup for GKE Now GA

The role roles/gkebackup.serviceAgent (Backup for GKE Service Agent) is now GA.

Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

servicedirectory.networks.attach
Retail API Role Updated

The following permissions have been added to the role roles/retail.viewer (Retail Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

retail.attributesConfigs.exportCatalogAttributes
retail.controls.export
Edge Container Added edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Edge Container Supported In Custom Roles edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Edge Container Now GA edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update
Retail API Added retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.batchRemoveCatalogAttributes
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.removeCatalogAttribute
retail.attributesConfigs.replaceCatalogAttribute
retail.controls.export
retail.controls.import
Storage Transfer Service Added storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report
Storage Transfer Service Now GA storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.report

Cloud IAM changes as of 2022-03-04

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityAdmin (Apigee Security Admin):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.securityViewer (Apigee Security Viewer):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.editor (Dataplex Editor):

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
Dataplex Role Updated

The following permissions have been added to the role roles/dataplex.viewer (Dataplex Viewer):

dataplex.operations.get
dataplex.operations.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

storage.buckets.list
FleetEngine Now GA

The role roles/fleetengine.deliveryConsumer (Fleet Engine Delivery Consumer User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryFleetReader (Fleet Engine Delivery Fleet Reader User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliverySuperUser (Fleet Engine Delivery Super User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryTrustedDriver (Fleet Engine Delivery Trusted Driver User) is now GA.

FleetEngine Now GA

The role roles/fleetengine.deliveryUntrustedDriver (Fleet Engine Delivery Untrusted Driver User) is now GA.

Identity and Access Management Now GA

The role roles/iam.serviceAccountViewer (View Service Accounts) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.domaincontrollerOperator (Google Cloud Managed Identities Domain Controller Operator) is now GA.

Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

iam.serviceAccounts.getAccessToken
AI Platform Added aiplatform.deploymentResourcePools.create
aiplatform.deploymentResourcePools.delete
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.deploymentResourcePools.update
BigQuery Added bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
BigQuery Supported In Custom Roles bigquery.connections.delegate
bigquery.jobs.listExecutionMetadata
Cloud Key Management Service Now GA cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
FleetEngine Added fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Supported In Custom Roles fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
FleetEngine Now GA fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update

Cloud IAM changes as of 2022-02-25

Service Change Description
Dataform Now GA

The role roles/dataform.serviceAgent (Dataform Service Agent) is now GA.

Firestore Role Updated

The following permissions have been added to the role roles/firestore.serviceAgent (Firestore Service Agent):

storage.objects.delete
KRM API Hosting Now GA

The role roles/krmapihosting.admin (Config Controller Admin) is now GA.

KRM API Hosting Now GA

The role roles/krmapihosting.viewer (Config Controller Viewer) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupAdmin (Google Cloud Managed Identities Backup Admin) is now GA.

Managed Service for Microsoft Active Directory Now GA

The role roles/managedidentities.backupViewer (Google Cloud Managed Identities Backup Viewer) is now GA.

Dataform Now GA

The role roles/sqlx.serviceAgent (Dataform Service Agent) is now GA.

Dialogflow Added dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Dialogflow Now GA dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
Cloud Data Loss Prevention Added dlp.locations.get
dlp.locations.list
Cloud Data Loss Prevention Supported In Custom Roles dlp.locations.get
dlp.locations.list
Cloud Data Loss Prevention Now GA dlp.locations.get
dlp.locations.list
Eventarc Added eventarc.providers.get
eventarc.providers.list
Eventarc Supported In Custom Roles eventarc.providers.get
eventarc.providers.list
Eventarc Now GA eventarc.providers.get
eventarc.providers.list
KRM API Hosting Now GA krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Managed Service for Microsoft Active Directory Added managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.restore
Managed Service for Microsoft Active Directory Now GA managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
managedidentities.domains.restore

Cloud IAM changes as of 2022-02-18

Service Change Description
Datastore Role Updated

The following permissions have been added to the role roles/datastore.importExportAdmin (Cloud Datastore Import Export Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.indexAdmin (Cloud Datastore Index Admin):

datastore.databases.getMetadata
Datastore Role Updated

The following permissions have been added to the role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer):

datastore.databases.getMetadata
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

appengine.applications.get
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.fullView
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

gkehub.fleet.create
gkehub.fleet.get
Binary Authorization Added binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Binary Authorization Supported In Custom Roles binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace
binaryauthorization.policy.evaluatePolicy
Compute Engine Added compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
Compute Engine Now GA compute.networks.getRegionEffectiveFirewalls
compute.networks.setFirewallPolicy
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
KRM API Hosting Added krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
KRM API Hosting Supported In Custom Roles krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list
Cloud OS Config Added osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Cloud OS Config Now GA osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
Service Networking Added servicenetworking.services.use

Cloud IAM changes as of 2022-02-11

Service Change Description
AI Platform Role Added

The role roles/aiplatform.tensorboardWebAppUser (Vertex AI Tensorboard Web App User) has been added with the following permissions:

aiplatform.googleapis.com/tensorboards.recordAccess
aiplatform.tensorboards.recordAccess
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.admin (Vertex AI Administrator):

aiplatform.tensorboards.recordAccess
App Engine flexible environment Role Updated

The following permissions have been added to the role roles/appengineflex.serviceAgent (App Engine flexible environment Service Agent):

compute.routes.get
compute.subnetworks.get
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.assets.exportResource
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

datastore.databases.getMetadata
Firebase Role Updated

The following permissions have been added to the role roles/firebase.managementServiceAgent (Firebase Service Management Service Agent):

serviceusage.services.use
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

datastore.databases.getMetadata
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.use
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallAdmin (Firewall Recommender Admin):

monitoring.timeSeries.list
Recommender Role Updated

The following permissions have been added to the role roles/recommender.firewallViewer (Firewall Recommender Viewer):

monitoring.timeSeries.list
Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsEditor (Security Center BigQuery Exports Editor) is now GA.

Security Command Center Now GA

The role roles/securitycenter.bigQueryExportsViewer (Security Center BigQuery Exports Viewer) is now GA.

Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

aiplatform.tensorboards.recordAccess
AI Platform Added aiplatform.tensorboards.recordAccess
Cloud Healthcare API Added healthcare.nlpservice.analyzeEntities
Cloud Healthcare API Now GA healthcare.nlpservice.analyzeEntities
Dataproc Metastore Added metastore.services.use
Dataproc Metastore Supported In Custom Roles metastore.services.use
Security Command Center Added securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Supported In Custom Roles securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Command Center Now GA securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Cloud TPU Added tpu.nodes.update
Cloud TPU Supported In Custom Roles tpu.nodes.update
Cloud TPU Now GA tpu.nodes.update

Cloud IAM changes as of 2022-01-28

Service Change Description
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Dataplex Now GA

The role roles/dataplex.serviceAgent (Cloud Dataplex Service Agent) is now GA.

Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

bigquery.config.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

dataproc.clusters.get
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Data Pipelines Added datapipelines.jobs.list
Data Pipelines Supported In Custom Roles datapipelines.jobs.list
Data Pipelines Now GA datapipelines.jobs.list
Dataproc Added dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Supported In Custom Roles dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Dataproc Now GA dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
Identity and Access Management Supported In Custom Roles iam.denypolicies.get
iam.denypolicies.list
Dataproc Metastore Added metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Dataproc Metastore Supported In Custom Roles metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update
Workflows Added workflows.callbacks.send
Workflows Supported In Custom Roles workflows.callbacks.send
Workflows Now GA workflows.callbacks.send

Cloud IAM changes as of 2022-01-14

Service Change Description
Data Catalog Now GA

The role roles/datacatalog.categoryAdmin (Policy Tag Admin) is now GA.

Data Catalog Now GA

The role roles/datacatalog.categoryFineGrainedReader (Fine-Grained Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.admin (Dataplex Administrator) is now GA.

Dataplex Now GA

The role roles/dataplex.dataOwner (Dataplex Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.dataReader (Dataplex Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.dataWriter (Dataplex Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.developer (Dataplex Developer) is now GA.

Dataplex Now GA

The role roles/dataplex.editor (Dataplex Editor) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataReader (Dataplex Metadata Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.metadataWriter (Dataplex Metadata Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataOwner (Dataplex Storage Data Owner) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataReader (Dataplex Storage Data Reader) is now GA.

Dataplex Now GA

The role roles/dataplex.storageDataWriter (Dataplex Storage Data Writer) is now GA.

Dataplex Now GA

The role roles/dataplex.viewer (Dataplex Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
Firebase Mods Role Updated

The following permissions have been added to the role roles/firebasemods.serviceAgent (Firebase Extensions API Service Agent):

artifactregistry.packages.delete
Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentAdmin (OSPolicyAssignment Admin) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentEditor (OSPolicyAssignment Editor) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentReportViewer (OSPolicyAssignmentReport Viewer) is now GA.

Cloud OS Config Now GA

The role roles/osconfig.osPolicyAssignmentViewer (OSPolicyAssignment Viewer) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilAdmin (Project Utilization Recommender Admin) is now GA.

Recommender Now GA

The role roles/recommender.projectUtilViewer (Project Utilization Recommender Viewer) is now GA.

Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityResponseServiceAgent (Google Cloud Security Response Service Agent):

compute.instances.get
Cloud Functions Added cloudfunctions.runtimes.list
Cloud Functions Now GA cloudfunctions.runtimes.list
Cloud Key Management Service Added cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
Data Catalog Supported In Custom Roles datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Data Catalog Now GA datacatalog.categories.fineGrainedGet
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update
Dataflow Supported In Custom Roles dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataflow Now GA dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Dataplex Added dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Supported In Custom Roles dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Dataplex Now GA dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.assets.writeData
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.get
dataplex.locations.list
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
Eventarc Added eventarc.events.receiveEvent
Eventarc Now GA eventarc.events.receiveEvent
Cloud OS Config Now GA osconfig.osPolicyAssignmentReports.get
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
Recommender Now GA recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationInsights.update
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.update
Security Command Center Added securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Supported In Custom Roles securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
Security Command Center Now GA securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update

Cloud IAM changes as of 2021-12-03

Service Change Description
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.namespaces.create
Apigee Now GA

The role roles/apigee.apiAdminV2 (Apigee API Admin) is now GA.

Apigee Now GA

The role roles/apigee.apiReaderV2 (Apigee API Reader) is now GA.

Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.builds.builder (Cloud Build Service Account):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Build Role Updated

The following permissions have been added to the role roles/cloudbuild.serviceAgent (Cloud Build Service Agent):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.environmentAndStorageObjectAdmin (Environment and Storage Object Administrator):

orgpolicy.policy.get
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
orgpolicy.policy.get
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

orgpolicy.policy.get
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

orgpolicy.policy.get
Data Pipelines Role Updated

The following permissions have been added to the role roles/datapipelines.serviceAgent (Datapipelines Service Agent):

orgpolicy.policy.get
Dataprep by Trifacta Role Updated

The following permissions have been added to the role roles/dataprep.serviceAgent (Dataprep Service Agent):

orgpolicy.policy.get
Dataproc Role Updated

The following permissions have been added to the role roles/dataproc.serviceAgent (Dataproc Service Agent):

orgpolicy.policy.get
Cloud Data Loss Prevention Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

orgpolicy.policy.get
Firebase Role Updated

The following permissions have been added to the role roles/firebase.sdkAdminServiceAgent (Firebase Admin SDK Administrator Service Agent):

orgpolicy.policy.get
AI Platform Role Updated

The following permissions have been added to the role roles/ml.serviceAgent (AI Platform Service Agent):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.admin (Storage Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.hmacKeyAdmin (Storage HMAC Key Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectAdmin (Storage Object Admin):

orgpolicy.policy.get
Cloud Storage Role Updated

The following permissions have been added to the role roles/storage.objectCreator (Storage Object Creator):

orgpolicy.policy.get
Visual Inspection AI Role Updated

The following permissions have been added to the role roles/visualinspection.serviceAgent (Visual Inspection AI Service Agent):

orgpolicy.policy.get
Certificate Manager Added certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Certificate Manager Supported In Custom Roles certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
Compute Engine Added compute.commitments.update
Compute Engine Supported In Custom Roles compute.commitments.update
Compute Engine Now GA compute.commitments.update
Cloud Commerce Consumer Procurement Added consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Cloud Commerce Consumer Procurement Supported In Custom Roles consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
Data Connectors Added dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Data Connectors Supported In Custom Roles dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list
Dataflow Added dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update
Network Services Added networkservices.serviceBindings.create
networkservices.serviceBindings.delete
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceBindings.update
VM Migration Added vmmigration.datacenterConnectors.update
VM Migration Supported In Custom Roles vmmigration.datacenterConnectors.update

Cloud IAM changes as of 2021-11-12

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataViewer (Vertex AI Feature Store Data Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreDataWriter (Vertex AI Feature Store Data Writer):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceEditor (Vertex AI Feature Store Resource Editor):

resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.featurestoreResourceViewer (Vertex AI Feature Store Resource Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Anthos Service Mesh Role Updated

The following permissions have been added to the role roles/anthosservicemesh.serviceAgent (Anthos Service Mesh Service Agent):

container.clusterRoles.update
Apigee Now GA

The role roles/apigee.securityAdmin (Apigee Security Admin) is now GA.

Apigee Now GA

The role roles/apigee.securityViewer (Apigee Security Viewer) is now GA.

Apigee Role Updated

The following permissions have been added to the role roles/apigee.environmentAdmin (Apigee Environment Admin):

apigee.environments.update
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.serviceAgent (Binary Authorization Service Agent):

cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.loadBalancerAdmin (Compute Load Balancer Admin):

networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
Datastore Now GA

The role roles/datastore.keyVisualizerViewer (Cloud Datastore Key Visualizer Viewer) is now GA.

Dialogflow Role Updated

The following permissions have been added to the role roles/dialogflow.serviceAgent (Dialogflow Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Cloud Data Loss Prevention Role Updated

The following permissions have been added to the role roles/dlp.serviceAgent (DLP API Service Agent):

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
Google Earth Engine Role Updated