IAM permissions change log

This page describes changes to the public IAM permissions for all Generally Available and Beta services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, or browse and filter all release notes in the Google Cloud Console.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

IAM permissions change log

Upcoming Cloud IAM changes for the week of 2021-05-03

Service Change Description
Cloud Deploy Now GA

The role roles/clouddeploy.serviceAgent (Cloud Deploy Service Agent) is now GA.
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.admin (Cloud Functions Admin):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.events.receiveAuditLogWritten
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update
remotebuildexecution.blobs.get
resourcemanager.projects.list
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.services.update
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.developer (Cloud Functions Developer):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
remotebuildexecution.blobs.get
resourcemanager.projects.list
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.update
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.viewer (Cloud Functions Viewer):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.locations.get
eventarc.locations.list
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
remotebuildexecution.blobs.get
resourcemanager.projects.list
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.admin (Firebase Admin):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.events.receiveAuditLogWritten
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update
remotebuildexecution.blobs.get
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.services.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developAdmin (Firebase Develop Admin):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.events.receiveAuditLogWritten
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update
remotebuildexecution.blobs.get
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.services.update
Firebase Role Updated

The following permissions have been added to the role roles/firebase.developViewer (Firebase Develop Viewer):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.locations.get
eventarc.locations.list
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
remotebuildexecution.blobs.get
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
Firebase Role Updated

The following permissions have been added to the role roles/firebase.viewer (Firebase Viewer):

cloudbuild.builds.get
cloudbuild.builds.list
eventarc.locations.get
eventarc.locations.list
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
remotebuildexecution.blobs.get
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
GKE Multi-Cloud Now GA

The role roles/gkemulticloud.serviceAgent (Anthos Multi-Cloud Service Agent) is now GA.
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.privateLogViewer (Private Logs Viewer):

logging.views.access
Resource Manager Role Updated

The following permissions have been added to the role roles/resourcemanager.tagUser (Tag User):

resourcemanager.tagKeys.get
Service Directory Now GA

The role roles/servicedirectory.pscAuthorizedService (Private Service Connect Authorized Service) is now GA.
Compute Engine Added compute.instances.addResourcePolicies
compute.instances.removeResourcePolicies
Compute Engine Supported In Custom Roles compute.instances.addResourcePolicies
compute.instances.removeResourcePolicies
Compute Engine Now GA compute.instances.addResourcePolicies
compute.instances.removeResourcePolicies
Service Directory Added servicedirectory.networks.access
Service Directory Now GA servicedirectory.networks.access
Translation Hub Added translationhub.portals.create
translationhub.portals.delete
translationhub.portals.get
translationhub.portals.list
translationhub.portals.update
Translation Hub Supported In Custom Roles translationhub.portals.create
translationhub.portals.delete
translationhub.portals.get
translationhub.portals.list
translationhub.portals.update

Cloud IAM changes as of 2021-04-30

Service Change Description
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.admin (Cloud SQL Admin):

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.editor (Cloud SQL Editor):

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update
Cloud SQL Role Updated

The following permissions have been added to the role roles/cloudsql.viewer (Cloud SQL Viewer):

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update
Explore Anthos Role Updated

The following permissions have been added to the role roles/exploreanthos.serviceAgent (Explore Anthos Service Agent):

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.get
container.backendConfigs.list
container.backendConfigs.update
container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update
container.certificateSigningRequests.approve
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.create
container.clusters.delete
container.clusters.getCredentials
container.clusters.update
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container.controllerRevisions.create
container.controllerRevisions.delete
container.controllerRevisions.get
container.controllerRevisions.list
container.controllerRevisions.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container.cronJobs.updateStatus
container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.customResourceDefinitions.updateStatus
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.daemonSets.updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update
container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.horizontalPodAutoscalers.update
container.horizontalPodAutoscalers.updateStatus
container.hostServiceAgent.use
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container.ingresses.updateStatus
container.initializerConfigurations.create
container.initializerConfigurations.delete
container.initializerConfigurations.get
container.initializerConfigurations.list
container.initializerConfigurations.update
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container.localSubjectAccessReviews.create
container.localSubjectAccessReviews.list
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus
container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus
container.operations.get
container.operations.list
container.persistentVolumeClaims.create
container.persistentVolumeClaims.delete
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumeClaims.update
container.persistentVolumeClaims.updateStatus
container.persistentVolumes.create
container.persistentVolumes.delete
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.persistentVolumes.update
container.persistentVolumes.updateStatus
container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.podDisruptionBudgets.updateStatus
container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update
container.podSecurityPolicies.create
container.podSecurityPolicies.delete
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podSecurityPolicies.update
container.podSecurityPolicies.use
container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update
container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicaSets.update
container.replicaSets.updateScale
container.replicaSets.updateStatus
container.replicationControllers.create
container.replicationControllers.delete
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.replicationControllers.update
container.replicationControllers.updateScale
container.replicationControllers.updateStatus
container.resourceQuotas.create
container.resourceQuotas.delete
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.resourceQuotas.update
container.resourceQuotas.updateStatus
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.list
container.roles.update
container.runtimeClasses.create
container.runtimeClasses.delete
container.runtimeClasses.get
container.runtimeClasses.list
container.runtimeClasses.update
container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container.scheduledJobs.updateStatus
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container.selfSubjectAccessReviews.create
container.selfSubjectAccessReviews.list
container.selfSubjectRulesReviews.create
container.serviceAccounts.create
container.serviceAccounts.createToken
container.serviceAccounts.delete
container.serviceAccounts.list
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container.services.updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.statefulSets.update
container.statefulSets.updateScale
container.statefulSets.updateStatus
container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.storageClasses.list
container.storageClasses.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.subjectAccessReviews.create
container.subjectAccessReviews.list
container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.thirdPartyResources.create
container.thirdPartyResources.delete
container.thirdPartyResources.get
container.thirdPartyResources.list
container.thirdPartyResources.update
container.tokenReviews.create
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update
gkehub.locations.get
gkehub.locations.list
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list
resourcemanager.projects.list
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.globalAddresses.list
Translation Added cloudtranslate.generalModels.batchDocPredict
cloudtranslate.generalModels.docPredict
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.docPredict
Translation Supported In Custom Roles cloudtranslate.generalModels.batchDocPredict
cloudtranslate.glossaries.batchDocPredict
Compute Engine Now GA compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget

Cloud IAM changes as of 2021-04-23

Service Change Description
AI Platform Role Updated

The following permissions have been added to the role roles/aiplatform.serviceAgent (AI Platform Service Agent):

aiplatform.batchPredictionJobs.create
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
Anthos Demo Now GA

The role roles/anthosdemo.serviceAgent (Anthos Demo Service Agent) is now GA.
Apigee Role Updated

The following permissions have been added to the role roles/apigee.serviceAgent (Apigee Service Agent):

cloudtrace.traces.patch
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.policyAdmin (Binary Authorization Policy Administrator):

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.policyEditor (Binary Authorization Policy Editor):

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.update
Binary Authorization Role Updated

The following permissions have been added to the role roles/binaryauthorization.policyViewer (Binary Authorization Policy Viewer):

binaryauthorization.continuousValidationConfig.get
Chronicle Service Management Now GA

The role roles/chroniclesm.admin (Chronicle Service Admin) is now GA.
Chronicle Service Management Now GA

The role roles/chroniclesm.viewer (Chronicle Service Viewer) is now GA.
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.update
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

logging.operations.cancel
logging.operations.get
logging.operations.list
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

compute.instances.updateSecurity
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.packetMirroringAdmin (Compute packet mirroring admin):

compute.instances.updateSecurity
Contact Center AI Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dialogflow.operations.get
dialogflow.sessions.detectIntent
pubsub.topics.get
pubsub.topics.publish
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

file.backups.create
file.backups.delete
file.backups.get
file.backups.list
file.backups.update
file.instances.create
file.instances.delete
file.instances.get
file.instances.list
file.instances.restore
file.instances.update
file.locations.get
file.locations.list
file.operations.cancel
file.operations.delete
file.operations.get
file.operations.list
file.snapshots.create
file.snapshots.delete
file.snapshots.get
file.snapshots.list
file.snapshots.update
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

logging.operations.cancel
logging.operations.get
logging.operations.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.worker (Dataflow Worker):

storage.buckets.get
Google Earth Engine Role Added

The role roles/earthengine.appsPublisher (Earth Engine Apps Publisher) has been added with the following permissions:

cloudresourcemanager.googleapis.com/projects.get
iam.googleapis.com/serviceAccounts.create
iam.googleapis.com/serviceAccounts.disable
iam.googleapis.com/serviceAccounts.enable
iam.googleapis.com/serviceAccounts.get
iam.googleapis.com/serviceAccounts.getIamPolicy
iam.googleapis.com/serviceAccounts.setIamPolicy
iam.serviceAccounts.create
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.get
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

logging.buckets.copyLogEntries
logging.operations.cancel
logging.operations.get
logging.operations.list
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.createForSelf
pubsublite.topics.computeTimeCursor
redis.instances.rescheduleMaintenance
vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
Explore Anthos Role Updated

The following permissions have been added to the role roles/exploreanthos.serviceAgent (Explore Anthos Service Agent):

container.clusters.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

logging.operations.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.list
vmmigration.utilizationReports.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

logging.operations.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.list
vmmigration.utilizationReports.list
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.admin (Logging Admin):

logging.buckets.copyLogEntries
logging.operations.cancel
logging.operations.get
logging.operations.list
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.configWriter (Logs Configuration Writer):

logging.operations.cancel
logging.operations.get
logging.operations.list
Media Asset Role Updated

The following permissions have been added to the role roles/mediaasset.serviceAgent (Media Asset Service Agent):

pubsub.topics.get
pubsub.topics.publish
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

logging.buckets.copyLogEntries
logging.operations.cancel
logging.operations.get
logging.operations.list
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.caPools.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.createForSelf
pubsublite.topics.computeTimeCursor
redis.instances.rescheduleMaintenance
vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
Certificate Authority Service Role Added

The role roles/privateca.templateUser (CA Service Certificate Template User) has been added with the following permissions:

privateca.certificateTemplates.get
privateca.certificateTemplates.list
privateca.certificateTemplates.use
privateca.googleapis.com/certificateTemplates.get
privateca.googleapis.com/certificateTemplates.list
privateca.googleapis.com/certificateTemplates.use
Certificate Authority Service Role Added

The role roles/privateca.workloadCertificateRequester (CA Service Workload Certificate Requester) has been added with the following permissions:

privateca.certificates.createForSelf
privateca.googleapis.com/certificates.createForSelf
Certificate Authority Service Now GA

The role roles/privateca.admin (CA Service Admin) is now GA.
Certificate Authority Service Now GA

The role roles/privateca.auditor (CA Service Auditor) is now GA.
Certificate Authority Service Now GA

The role roles/privateca.caManager (CA Service Operation Manager) is now GA.
Certificate Authority Service Now GA

The role roles/privateca.certificateManager (CA Service Certificate Manager) is now GA.
Certificate Authority Service Now GA

The role roles/privateca.certificateRequester (CA Service Certificate Requester) is now GA.
Certificate Authority Service Role Updated

The following permissions have been added to the role roles/privateca.admin (CA Service Admin):

privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.caPools.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.createForSelf
Certificate Authority Service Role Updated

The following permissions have been added to the role roles/privateca.auditor (CA Service Auditor):

privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
Certificate Authority Service Role Updated

The following permissions have been added to the role roles/privateca.caManager (CA Service Operation Manager):

privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
Certificate Authority Service Role Updated

The following permissions have been added to the role roles/privateca.certificateManager (CA Service Certificate Manager):

privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
Pub/Sub Role Updated

The following permissions have been added to the role roles/pubsub.viewer (Pub/Sub Viewer):

pubsub.schemas.validate
Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.admin (Pub/Sub Lite Admin):

pubsublite.topics.computeTimeCursor
Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.editor (Pub/Sub Lite Editor):

pubsublite.topics.computeTimeCursor
Pub/Sub Lite Role Updated

The following permissions have been added to the role roles/pubsublite.subscriber (Pub/Sub Lite Subscriber):

pubsublite.topics.computeTimeCursor
Recommender Now GA

The role roles/recommender.cloudAssetInsightsAdmin (Cloud Asset Insights Admin) is now GA.
Recommender Now GA

The role roles/recommender.cloudAssetInsightsViewer (Cloud Asset Insights Viewer) is now GA.
Memorystore for Redis Role Updated

The following permissions have been added to the role roles/redis.admin (Cloud Memorystore Redis Admin):

redis.instances.rescheduleMaintenance
Cloud Run Now GA

The role roles/run.admin (Cloud Run Admin) is now GA.
Cloud Run Now GA

The role roles/run.developer (Cloud Run Developer) is now GA.
Cloud Run Now GA

The role roles/run.invoker (Cloud Run Invoker) is now GA.
Cloud Run Now GA

The role roles/run.viewer (Cloud Run Viewer) is now GA.
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

logging.buckets.copyLogEntries
logging.operations.get
logging.operations.list
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.use
pubsub.schemas.validate
pubsublite.topics.computeTimeCursor
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
VM Migration Role Updated

The following permissions have been added to the role roles/vmmigration.admin (VM Migration Administrator):

vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
VM Migration Role Updated

The following permissions have been added to the role roles/vmmigration.viewer (VM Migration Viewer):

vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
Google Cloud VMware Engine Role Updated

The following permissions have been added to the role roles/vmwareengine.vmwareengineAdmin (VMware Engine Service Admin):

resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud VMware Engine Role Updated

The following permissions have been added to the role roles/vmwareengine.vmwareengineViewer (VMware Engine Service Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Cloud Billing Added billing.accounts.getPricing
Cloud Billing Supported In Custom Roles billing.accounts.getPricing
Cloud Billing Now GA billing.accounts.getPricing
Chronicle Service Management Added chroniclesm.gcpAssociations.create
chroniclesm.gcpAssociations.delete
chroniclesm.gcpAssociations.get
chroniclesm.gcpSettings.get
chroniclesm.gcpSettings.update
Chronicle Service Management Now GA chroniclesm.gcpAssociations.create
chroniclesm.gcpAssociations.delete
chroniclesm.gcpAssociations.get
chroniclesm.gcpSettings.get
chroniclesm.gcpSettings.update
Commerce Offer Catalog Added commerceoffercatalog.offers.get
Commerce Offer Catalog Supported In Custom Roles commerceoffercatalog.offers.get
Commerce Price Management Added commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.update
Commerce Price Management Supported In Custom Roles commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.update
Compute Engine Added compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.instances.updateSecurity
Compute Engine Supported In Custom Roles compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.instances.updateSecurity
Compute Engine Now GA compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.instances.updateSecurity
Cloud Data Fusion Added datafusion.namespaces.create
datafusion.namespaces.delete
datafusion.namespaces.execute
datafusion.namespaces.get
datafusion.namespaces.getIamPolicy
datafusion.namespaces.list
datafusion.namespaces.setIamPolicy
datafusion.namespaces.update
Firebase App Check Added firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.recaptchaConfig.get
firebaseappcheck.recaptchaConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
Firebase App Check Supported In Custom Roles firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.recaptchaConfig.get
firebaseappcheck.recaptchaConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
GKE Multi-Cloud Added gkemulticloud.awsClusters.create
gkemulticloud.awsClusters.delete
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.getAdminKubeconfig
gkemulticloud.awsClusters.list
gkemulticloud.awsClusters.update
gkemulticloud.awsNodePools.create
gkemulticloud.awsNodePools.delete
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.azureClients.create
gkemulticloud.azureClients.delete
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.create
gkemulticloud.azureClusters.delete
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.getAdminKubeconfig
gkemulticloud.azureClusters.list
gkemulticloud.azureClusters.update
gkemulticloud.azureNodePools.create
gkemulticloud.azureNodePools.delete
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.operations.cancel
gkemulticloud.operations.delete
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
Cloud Logging Added logging.buckets.copyLogEntries
logging.operations.cancel
logging.operations.get
logging.operations.list
Dataproc Metastore Added metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
Dataproc Metastore Now GA metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
Network Connectivity Center Added networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update
networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update
AI Platform Notebooks Added notebooks.runtimes.create
notebooks.runtimes.delete
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.reset
notebooks.runtimes.setIamPolicy
notebooks.runtimes.start
notebooks.runtimes.stop
notebooks.runtimes.switch
AI Platform Notebooks Now GA notebooks.runtimes.create
notebooks.runtimes.delete
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.reset
notebooks.runtimes.setIamPolicy
notebooks.runtimes.start
notebooks.runtimes.stop
notebooks.runtimes.switch
Google Cloud's operations suite Added opsconfigmonitoring.resourceMetadata.list
Cloud OS Config Added osconfig.instanceOSPoliciesCompliances.get
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.get
osconfig.inventories.list
osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
osconfig.vulnerabilityReports.get
osconfig.vulnerabilityReports.list
Cloud OS Config Supported In Custom Roles osconfig.instanceOSPoliciesCompliances.get
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.get
osconfig.inventories.list
osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
osconfig.vulnerabilityReports.get
osconfig.vulnerabilityReports.list
Certificate Authority Service Added privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.caPools.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.createForSelf
Certificate Authority Service Now GA privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.create
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateRevocationLists.update
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.certificates.update
privateca.locations.get
privateca.locations.list
privateca.operations.cancel
privateca.operations.delete
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privateca.reusableConfigs.update
Pub/Sub Lite Added pubsublite.topics.computeTimeCursor
Recommender Added recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.cloudAssetInsights.update
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update
Recommender Supported In Custom Roles recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.cloudAssetInsights.update
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update
Recommender Now GA recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.cloudAssetInsights.update
Memorystore for Redis Added redis.instances.rescheduleMaintenance
Resource Manager Added resourcemanager.hierarchyNodes.createTagBinding
resourcemanager.hierarchyNodes.deleteTagBinding
resourcemanager.hierarchyNodes.listTagBindings
Cloud Run Now GA run.configurations.get
run.configurations.list
run.locations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.services.update
Security Command Center Added securitycenter.userinterfacemetadata.get
Security Command Center Supported In Custom Roles securitycenter.userinterfacemetadata.get
Cloud Storage Added storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
Cloud Storage Now GA storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
VM Migration Added vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.groups.create
vmmigration.groups.delete
vmmigration.groups.get
vmmigration.groups.list
vmmigration.groups.update
vmmigration.locations.get
vmmigration.locations.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.operations.cancel
vmmigration.operations.delete
vmmigration.operations.get
vmmigration.operations.list
vmmigration.sources.create
vmmigration.sources.delete
vmmigration.sources.get
vmmigration.sources.list
vmmigration.sources.update
vmmigration.targets.create
vmmigration.targets.delete
vmmigration.targets.get
vmmigration.targets.list
vmmigration.targets.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list

Cloud IAM changes as of 2021-04-09

Service Change Description
Apigee Now GA

The role roles/apigee.monetizationAdmin (Apigee Monetization Admin) is now GA.
Cloud Billing Role Updated

The following permissions have been added to the role roles/billing.costsManager (Billing Account Costs Manager):

billing.resourceAssociations.list
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

artifactregistry.repositories.create
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.update
Compute Engine Now GA

The role roles/compute.publicIpAdmin (Compute Public IP Admin) is now GA.
Dialogflow Now GA

The role roles/dialogflow.consoleSimulatorUser (Dialogflow Console Simulator User) is now GA.
Dialogflow Now GA

The role roles/dialogflow.consoleSmartMessagingAllowlistEditor (Dialogflow Console Smart Messaging Allowlist Editor) is now GA.
Basic Role Role Updated

The following permissions have been removed from the role roles/editor (Editor):

iam.googleapis.com/workloadIdentityPoolProviders.create
iam.googleapis.com/workloadIdentityPoolProviders.delete
iam.googleapis.com/workloadIdentityPoolProviders.undelete
iam.googleapis.com/workloadIdentityPoolProviders.update
iam.googleapis.com/workloadIdentityPools.create
iam.googleapis.com/workloadIdentityPools.delete
iam.googleapis.com/workloadIdentityPools.undelete
iam.googleapis.com/workloadIdentityPools.update
iam.workloadIdentityPoolProviders.create
iam.workloadIdentityPoolProviders.delete
iam.workloadIdentityPoolProviders.undelete
iam.workloadIdentityPoolProviders.update
iam.workloadIdentityPools.create
iam.workloadIdentityPools.delete
iam.workloadIdentityPools.undelete
iam.workloadIdentityPools.update
Explore Anthos Now GA

The role roles/exploreanthos.serviceAgent (Explore Anthos Service Agent) is now GA.
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

cloudasset.assets.searchAllResources
policysimulator.replays.create
policysimulator.replays.get
policysimulator.replays.run
Dataproc Metastore Now GA

The role roles/metastore.admin (Dataproc Metastore Admin) is now GA.
Dataproc Metastore Now GA

The role roles/metastore.editor (Dataproc Metastore Editor) is now GA.
Dataproc Metastore Now GA

The role roles/metastore.metadataOperator (Dataproc Metastore Metadata Operator) is now GA.
Dataproc Metastore Now GA

The role roles/metastore.user (Dataproc Metastore Viewer) is now GA.
Multi Cluster Ingress Role Updated

The following permissions have been added to the role roles/multiclusteringress.serviceAgent (Multi Cluster Ingress Service Agent):

compute.subnetworks.list
container.thirdPartyObjects.create
Service Usage Now GA

The role roles/serviceusage.apiKeysAdmin (API Keys Admin) is now GA.
Service Usage Now GA

The role roles/serviceusage.apiKeysViewer (API Keys Viewer) is now GA.
Service Usage Now GA

The role roles/serviceusage.serviceUsageAdmin (Service Usage Admin) is now GA.
Service Usage Now GA

The role roles/serviceusage.serviceUsageConsumer (Service Usage Consumer) is now GA.
Service Usage Now GA

The role roles/serviceusage.serviceUsageViewer (Service Usage Viewer) is now GA.
Workflows Now GA

The role roles/workflows.admin (Workflows Admin) is now GA.
Workflows Now GA

The role roles/workflows.editor (Workflows Editor) is now GA.
Workflows Now GA

The role roles/workflows.invoker (Workflows Invoker) is now GA.
Workflows Now GA

The role roles/workflows.viewer (Workflows Viewer) is now GA.
Apigee Added apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update
apigee.rateplans.create
apigee.rateplans.delete
apigee.rateplans.get
apigee.rateplans.list
apigee.rateplans.update
Apigee Supported In Custom Roles apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update
Apigee Now GA apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update
apigee.rateplans.create
apigee.rateplans.delete
apigee.rateplans.get
apigee.rateplans.list
apigee.rateplans.update
Cloud Key Management Service Added cloudkms.locations.get
cloudkms.locations.list
Cloud Key Management Service Supported In Custom Roles cloudkms.locations.get
cloudkms.locations.list
Cloud Key Management Service Now GA cloudkms.locations.get
cloudkms.locations.list
Compute Engine Added compute.organizations.setFirewallPolicy
Compute Engine Now GA compute.globalPublicDelegatedPrefixes.create
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.globalPublicDelegatedPrefixes.use
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.publicAdvertisedPrefixes.create
compute.publicAdvertisedPrefixes.delete
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicAdvertisedPrefixes.update
compute.publicAdvertisedPrefixes.updatePolicy
compute.publicAdvertisedPrefixes.use
compute.publicDelegatedPrefixes.create
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.publicDelegatedPrefixes.use
Dialogflow Added dialogflow.answerrecords.delete
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.answerrecords.update
dialogflow.callMatchers.create
dialogflow.callMatchers.delete
dialogflow.callMatchers.list
dialogflow.conversationDatasets.create
dialogflow.conversationDatasets.delete
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.import
dialogflow.conversationDatasets.list
dialogflow.conversationModels.create
dialogflow.conversationModels.delete
dialogflow.conversationModels.deploy
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationModels.undeploy
dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversationProfiles.update
dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.messages.list
dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list
dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update
dialogflow.phoneNumberOrders.cancel
dialogflow.phoneNumberOrders.create
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumberOrders.update
dialogflow.phoneNumbers.delete
dialogflow.phoneNumbers.list
dialogflow.phoneNumbers.undelete
dialogflow.phoneNumbers.update
dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
Dialogflow Supported In Custom Roles dialogflow.answerrecords.delete
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.answerrecords.update
dialogflow.callMatchers.create
dialogflow.callMatchers.delete
dialogflow.callMatchers.list
dialogflow.conversationDatasets.create
dialogflow.conversationDatasets.delete
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.import
dialogflow.conversationDatasets.list
dialogflow.conversationModels.create
dialogflow.conversationModels.delete
dialogflow.conversationModels.deploy
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationModels.undeploy
dialogflow.conversations.addPhoneNumber
dialogflow.messages.list
dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list
dialogflow.participants.suggest
dialogflow.phoneNumberOrders.cancel
dialogflow.phoneNumberOrders.create
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumberOrders.update
dialogflow.phoneNumbers.delete
dialogflow.phoneNumbers.list
dialogflow.phoneNumbers.undelete
dialogflow.phoneNumbers.update
dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
Dialogflow Now GA dialogflow.answerrecords.delete
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.answerrecords.update
dialogflow.callMatchers.create
dialogflow.callMatchers.delete
dialogflow.callMatchers.list
dialogflow.conversationDatasets.create
dialogflow.conversationDatasets.delete
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.import
dialogflow.conversationDatasets.list
dialogflow.conversationModels.create
dialogflow.conversationModels.delete
dialogflow.conversationModels.deploy
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationModels.undeploy
dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversationProfiles.update
dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.messages.list
dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list
dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update
dialogflow.phoneNumberOrders.cancel
dialogflow.phoneNumberOrders.create
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumberOrders.update
dialogflow.phoneNumbers.delete
dialogflow.phoneNumbers.list
dialogflow.phoneNumbers.undelete
dialogflow.phoneNumbers.update
dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
Cloud Logging Added logging.queries.listShared
logging.queries.share
logging.queries.updateShared
Cloud Logging Supported In Custom Roles logging.queries.listShared
logging.queries.share
logging.queries.updateShared
Cloud Logging Now GA logging.queries.listShared
logging.queries.share
logging.queries.updateShared
Managed Service for Microsoft Active Directory Added managedidentities.domains.updateLDAPSSettings
Managed Service for Microsoft Active Directory Supported In Custom Roles managedidentities.domains.updateLDAPSSettings
Managed Service for Microsoft Active Directory Now GA managedidentities.domains.updateLDAPSSettings
Dataproc Metastore Added metastore.services.restore
Dataproc Metastore Now GA metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.setIamPolicy
metastore.services.update
AI Platform Notebooks Added notebooks.instances.updateShieldInstanceConfig
AI Platform Notebooks Now GA notebooks.instances.updateShieldInstanceConfig
Pub/Sub Lite Added pubsublite.topics.computeHeadCursor
Pub/Sub Lite Now GA pubsublite.topics.computeHeadCursor
Service Usage Supported In Custom Roles serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Service Usage Now GA serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Workflows Now GA workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list
workflows.locations.get
workflows.locations.list
workflows.operations.cancel
workflows.operations.get
workflows.operations.list
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
workflows.workflows.getIamPolicy
workflows.workflows.list
workflows.workflows.setIamPolicy
workflows.workflows.update

Cloud IAM changes as of 2021-03-05

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.serviceAgent (Apigee Service Agent):

apigee.appkeys.delete
Assured Workloads Role Updated

The following permissions have been added to the role roles/assuredworkloads.serviceAgent (Assured Workloads Service Agent):

cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
serviceusage.services.use
Contact Center AI Insights Role Updated

The following permissions have been added to the role roles/contactcenterinsights.serviceAgent (Contact Center AI Insights Service Agent):

dialogflow.documents.create
dialogflow.documents.delete
dialogflow.documents.get
dialogflow.documents.list
Database Migration Service Now GA

The role roles/datamigration.admin (Database Migration Admin) is now GA.
Early Access Center Now GA

The role roles/earlyaccesscenter.admin (Early Access Center Administrator) is now GA.
Early Access Center Now GA

The role roles/earlyaccesscenter.viewer (Early Access Center Viewer) is now GA.
Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

container.clusterRoleBindings.create
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.escalate
container.clusterRoles.update
container.roleBindings.create
container.roles.bind
container.roles.create
container.roles.escalate
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

container.clusterRoleBindings.list
container.clusterRoles.list
Network Management API Role Updated

The following permissions have been added to the role roles/networkmanagement.serviceAgent (GCP Network Management Service Agent):

cloudsql.instances.get
cloudsql.instances.list
compute.addresses.get
compute.addresses.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networks.getEffectiveFirewalls
compute.networks.listPeeringRoutes
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
AI Platform Added aiplatform.studies.create
aiplatform.studies.delete
aiplatform.studies.get
aiplatform.studies.list
aiplatform.studies.update
aiplatform.trials.create
aiplatform.trials.delete
aiplatform.trials.get
aiplatform.trials.list
aiplatform.trials.update
Database Migration Service Supported In Custom Roles datamigration.connectionprofiles.create
datamigration.connectionprofiles.delete
datamigration.connectionprofiles.get
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.connectionprofiles.update
datamigration.locations.get
datamigration.locations.list
datamigration.migrationjobs.create
datamigration.migrationjobs.delete
datamigration.migrationjobs.generateSshScript
datamigration.migrationjobs.get
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.promote
datamigration.migrationjobs.restart
datamigration.migrationjobs.resume
datamigration.migrationjobs.setIamPolicy
datamigration.migrationjobs.start
datamigration.migrationjobs.stop
datamigration.migrationjobs.update
datamigration.migrationjobs.verify
datamigration.operations.cancel
datamigration.operations.delete
datamigration.operations.get
datamigration.operations.list
Database Migration Service Now GA datamigration.connectionprofiles.create
datamigration.connectionprofiles.delete
datamigration.connectionprofiles.get
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.connectionprofiles.update
datamigration.locations.get
datamigration.locations.list
datamigration.migrationjobs.create
datamigration.migrationjobs.delete
datamigration.migrationjobs.generateSshScript
datamigration.migrationjobs.get
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.promote
datamigration.migrationjobs.restart
datamigration.migrationjobs.resume
datamigration.migrationjobs.setIamPolicy
datamigration.migrationjobs.start
datamigration.migrationjobs.stop
datamigration.migrationjobs.update
datamigration.migrationjobs.verify
datamigration.operations.cancel
datamigration.operations.delete
datamigration.operations.get
datamigration.operations.list
Early Access Center Now GA earlyaccesscenter.campaigns.enroll
earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
AI Platform Notebooks Added notebooks.executions.create
notebooks.executions.delete
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.schedules.create
notebooks.schedules.delete
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy
AI Platform Notebooks Now GA notebooks.executions.create
notebooks.executions.delete
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.schedules.create
notebooks.schedules.delete
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy

Cloud IAM changes as of 2021-02-26

Service Change Description
Cloud Functions Role Updated

The following permissions have been added to the role roles/cloudfunctions.serviceAgent (Cloud Functions Service Agent):

iam.serviceAccounts.actAs
Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkViewer (Compute Network Viewer):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics
Document AI Role Updated

The following permissions have been added to the role roles/documentai.admin (Cloud DocumentAI Administrator.):

documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processorVersions.update
Document AI Role Updated

The following permissions have been added to the role roles/documentai.apiUser (Cloud DocumentAI API User):

documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
Document AI Role Updated

The following permissions have been added to the role roles/documentai.editor (Cloud DocumentAI Editor):

documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processorVersions.update
Document AI Role Updated

The following permissions have been added to the role roles/documentai.viewer (Cloud DocumentAI Viewer):

documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
Cloud Healthcare API Now GA

The role roles/healthcare.attributeDefinitionEditor (Healthcare Attribute Definition Editor) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.attributeDefinitionReader (Healthcare Attribute Definition Reader) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentArtifactAdmin (Healthcare Consent Artifact Administrator) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentArtifactEditor (Healthcare Consent Artifact Editor) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentArtifactReader (Healthcare Consent Artifact Reader) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentEditor (Healthcare Consent Editor) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentReader (Healthcare Consent Reader) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentStoreAdmin (Healthcare Consent Store Administrator) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.consentStoreViewer (Healthcare Consent Store Viewer) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.userDataMappingEditor (Healthcare User Data Mapping Editor) is now GA.
Cloud Healthcare API Now GA

The role roles/healthcare.userDataMappingReader (Healthcare User Data Mapping Reader) is now GA.
Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

compute.networks.listPeeringRoutes
Cloud Billing Supported In Custom Roles billing.accounts.create
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.list
billing.accounts.move
billing.accounts.removeFromOrganization
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.resourceAssociations.create
billing.resourceAssociations.delete
billing.resourceAssociations.list
Compute Engine Added compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.update
Compute Engine Supported In Custom Roles compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.update
Document AI Added documentai.evaluations.create
documentai.evaluations.get
documentai.evaluations.list
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processorVersions.update
Cloud Healthcare API Now GA healthcare.attributeDefinitions.create
healthcare.attributeDefinitions.delete
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.attributeDefinitions.update
healthcare.consentArtifacts.create
healthcare.consentArtifacts.delete
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.create
healthcare.consentStores.delete
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consentStores.setIamPolicy
healthcare.consentStores.update
healthcare.consents.activate
healthcare.consents.create
healthcare.consents.delete
healthcare.consents.get
healthcare.consents.list
healthcare.consents.reject
healthcare.consents.revoke
healthcare.consents.update
healthcare.userDataMappings.archive
healthcare.userDataMappings.create
healthcare.userDataMappings.delete
healthcare.userDataMappings.get
healthcare.userDataMappings.list
healthcare.userDataMappings.update
Resource Manager Supported In Custom Roles resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment

Cloud IAM changes as of 2021-02-19

Service Change Description
Access Context Manager Role Updated

The following permissions have been added to the role roles/accesscontextmanager.policyAdmin (Access Context Manager Admin):

cloudasset.assets.searchAllResources
Access Context Manager Role Updated

The following permissions have been added to the role roles/accesscontextmanager.policyEditor (Access Context Manager Editor):

cloudasset.assets.searchAllResources
Cloud Asset Inventory Role Updated

The following permissions have been added to the role roles/cloudasset.owner (Cloud Asset Owner):

recommender.locations.get
recommender.locations.list
Cloud Asset Inventory Role Updated

The following permissions have been added to the role roles/cloudasset.viewer (Cloud Asset Viewer):

recommender.locations.get
recommender.locations.list
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.hostServiceAgentUser (Kubernetes Engine Host Service Agent User):

dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

iam.serviceAccounts.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.admin (Error Reporting Admin):

resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.user (Error Reporting User):

resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.viewer (Error Reporting Viewer):

resourcemanager.projects.get
resourcemanager.projects.list
Media Asset Now GA

The role roles/mediaasset.serviceAgent (Media Asset Service Agent) is now GA.
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

recommender.locations.get
recommender.locations.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

recommender.locations.get
recommender.locations.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

recommender.locations.get
recommender.locations.list
Service Networking Role Updated

The following permissions have been added to the role roles/servicenetworking.serviceAgent (Service Networking Service Agent):

compute.globalAddresses.list
Compute Engine Now GA compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscUpdate
compute.nodeGroups.update
Firebase Added firebase.clients.list
firebase.clients.update
Firebase Supported In Custom Roles firebase.clients.list
firebase.clients.update
Firebase Now GA firebase.clients.list
firebase.clients.update
Policy Simulator Added policysimulator.replayResults.list
policysimulator.replays.create
policysimulator.replays.get
policysimulator.replays.list
policysimulator.replays.run
Policy Simulator Supported In Custom Roles policysimulator.replayResults.list
policysimulator.replays.create
policysimulator.replays.get
policysimulator.replays.list
policysimulator.replays.run
Pub/Sub Added pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
Recommender Added recommender.loggingProductSuggestionContainerInsights.get
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerInsights.update
recommender.loggingProductSuggestionContainerRecommendations.get
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.loggingProductSuggestionContainerRecommendations.update
recommender.monitoringProductSuggestionComputeInsights.get
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeInsights.update
recommender.monitoringProductSuggestionComputeRecommendations.get
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.monitoringProductSuggestionComputeRecommendations.update
Recommender Supported In Custom Roles recommender.loggingProductSuggestionContainerInsights.get
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerInsights.update
recommender.loggingProductSuggestionContainerRecommendations.get
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.loggingProductSuggestionContainerRecommendations.update
recommender.monitoringProductSuggestionComputeInsights.get
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeInsights.update
recommender.monitoringProductSuggestionComputeRecommendations.get
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.monitoringProductSuggestionComputeRecommendations.update
Resource Manager Added resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcemanager.tagValues.update
Resource Manager Supported In Custom Roles resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcemanager.tagValues.update

Cloud IAM changes as of 2021-01-29

Service Change Description
Anthos Audit API Now GA

The role roles/anthosaudit.serviceAgent (Anthos Audit Service Agent) is now GA.
Apigee Role Updated

The following permissions have been added to the role roles/apigee.developerAdmin (Apigee Developer Admin):

apigee.apps.get
apigee.apps.list
Cloud Billing Now GA

The role roles/billing.costsManager (Billing Account Costs Manager) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.attestorsAdmin (Binary Authorization Attestor Admin) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.attestorsEditor (Binary Authorization Attestor Editor) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.attestorsVerifier (Binary Authorization Attestor Image Verifier) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.attestorsViewer (Binary Authorization Attestor Viewer) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.policyAdmin (Binary Authorization Policy Administrator) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.policyEditor (Binary Authorization Policy Editor) is now GA.
Binary Authorization Now GA

The role roles/binaryauthorization.policyViewer (Binary Authorization Policy Viewer) is now GA.
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkViewer (Compute Network Viewer):

compute.externalVpnGateways.get
compute.externalVpnGateways.list
Cloud Data Fusion Role Updated

The following permissions have been added to the role roles/datafusion.serviceAgent (Cloud Data Fusion API Service Agent):

compute.externalVpnGateways.get
compute.externalVpnGateways.list
GKE Hub Role Updated

The following permissions have been added to the role roles/gkehub.serviceAgent (GKE Hub Service Agent):

container.customResourceDefinitions.list
Google Workspace Now GA

The role roles/gsuiteaddons.developer (Google Workspace Add-ons Developer) is now GA.
Google Workspace Now GA

The role roles/gsuiteaddons.reader (Google Workspace Add-ons Reader) is now GA.
Google Workspace Now GA

The role roles/gsuiteaddons.tester (Google Workspace Add-ons Tester) is now GA.
Cloud Run for Anthos on Google Cloud Now GA

The role roles/kuberun.eventsControlPlaneServiceAgent (KubeRun Events Control Plane Service Agent) is now GA.
Cloud Run for Anthos on Google Cloud Now GA

The role roles/kuberun.eventsDataPlaneServiceAgent (KubeRun Events Data Plane Service Agent) is now GA.
Memorystore for Memcached Now GA

The role roles/memcache.admin (Cloud Memorystore Memcached Admin) is now GA.
Memorystore for Memcached Now GA

The role roles/memcache.editor (Cloud Memorystore Memcached Editor) is now GA.
Memorystore for Memcached Now GA

The role roles/memcache.viewer (Cloud Memorystore Memcached Viewer) is now GA.
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.serviceAgent (AI Platform Notebooks Service Agent):

ml.jobs.create
ml.jobs.get
ml.jobs.list
Retail API Now GA

The role roles/retail.admin (Retail Admin) is now GA.
Retail API Now GA

The role roles/retail.editor (Retail Editor) is now GA.
Retail API Now GA

The role roles/retail.viewer (Retail Viewer) is now GA.
Secured Landing Zone Role Updated

The following permissions have been added to the role roles/securedlandingzone.serviceAgent (Secured Landing Zone Service Agent):

cloudasset.assets.exportOrgPolicy
serviceusage.services.use
Binary Authorization Now GA binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
binaryauthorization.policy.get
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
binaryauthorization.policy.update
Compute Engine Added compute.commitments.updateReservations
Compute Engine Supported In Custom Roles compute.commitments.updateReservations
Compute Engine Now GA compute.commitments.updateReservations
Firebase Storage Added firebasestorage.buckets.addFirebase
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.buckets.removeFirebase
Firebase Storage Supported In Custom Roles firebasestorage.buckets.addFirebase
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.buckets.removeFirebase
Google Workspace Added gsuiteaddons.authorizations.get
gsuiteaddons.deployments.create
gsuiteaddons.deployments.delete
gsuiteaddons.deployments.execute
gsuiteaddons.deployments.get
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.list
gsuiteaddons.deployments.uninstall
gsuiteaddons.deployments.update
Google Workspace Supported In Custom Roles gsuiteaddons.authorizations.get
gsuiteaddons.deployments.create
gsuiteaddons.deployments.delete
gsuiteaddons.deployments.execute
gsuiteaddons.deployments.get
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.list
gsuiteaddons.deployments.uninstall
gsuiteaddons.deployments.update
Google Workspace Now GA gsuiteaddons.authorizations.get
gsuiteaddons.deployments.create
gsuiteaddons.deployments.delete
gsuiteaddons.deployments.execute
gsuiteaddons.deployments.get
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.list
gsuiteaddons.deployments.uninstall
gsuiteaddons.deployments.update
Memorystore for Memcached Added memcache.instances.applySoftwareUpdate
Memorystore for Memcached Supported In Custom Roles memcache.instances.applySoftwareUpdate
Memorystore for Memcached Now GA memcache.instances.applyParameters
memcache.instances.create
memcache.instances.delete
memcache.instances.get
memcache.instances.list
memcache.instances.update
memcache.instances.updateParameters
memcache.locations.get
memcache.locations.list
memcache.operations.cancel
memcache.operations.delete
memcache.operations.get
memcache.operations.list
On-Demand Scanning Added ondemandscanning.operations.cancel
ondemandscanning.operations.delete
ondemandscanning.operations.get
ondemandscanning.operations.list
ondemandscanning.operations.wait
ondemandscanning.scans.analyzePackages
ondemandscanning.scans.listVulnerabilities
ondemandscanning.scans.scan
On-Demand Scanning Supported In Custom Roles ondemandscanning.operations.cancel
ondemandscanning.operations.delete
ondemandscanning.operations.get
ondemandscanning.operations.list
ondemandscanning.operations.wait
ondemandscanning.scans.analyzePackages
ondemandscanning.scans.listVulnerabilities
ondemandscanning.scans.scan
reCAPTCHA Enterprise Added recaptchaenterprise.projectmetadata.get
Retail API Now GA retail.catalogs.list
retail.catalogs.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin
Storage Transfer Service Added storagetransfer.jobs.run
Storage Transfer Service Supported In Custom Roles storagetransfer.jobs.run
Storage Transfer Service Now GA storagetransfer.jobs.run

Cloud IAM changes as of 2021-01-08

Service Change Description
Apigee Now GA

The role roles/apigee.apiAdmin (Apigee API Admin) is now GA.
Apigee Now GA

The role roles/apigee.apiReader (Apigee API Reader) is now GA.
Apigee Now GA

The role roles/apigee.environmentAdmin (Apigee Environment Admin) is now GA.
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.admin (Error Reporting Admin):

stackdriver.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.user (Error Reporting User):

stackdriver.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.viewer (Error Reporting Viewer):

stackdriver.projects.get
Pub/Sub Role Updated

The following permissions have been added to the role roles/pubsub.serviceAgent (Cloud Pub/Sub Service Agent):

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Retail API Role Updated

The following permissions have been added to the role roles/retail.admin (Retail Admin):

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.events.purge
automlrecommendations.events.rejoin
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
Retail API Role Updated

The following permissions have been added to the role roles/retail.editor (Retail Editor):

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
Retail API Role Updated

The following permissions have been added to the role roles/retail.viewer (Retail Viewer):

automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.getStats
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
Cloud Autoscaling Added autoscaling.sites.getIamPolicy
autoscaling.sites.readRecommendations
autoscaling.sites.setIamPolicy
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
Cloud Autoscaling Supported In Custom Roles autoscaling.sites.getIamPolicy
autoscaling.sites.readRecommendations
autoscaling.sites.setIamPolicy
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
Binary Authorization Added binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update
Binary Authorization Supported In Custom Roles binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update
Compute Engine Added compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscUpdate
Customer Usage Data Processing Added dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Customer Usage Data Processing Supported In Custom Roles dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Customer Usage Data Processing Now GA dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.groupcontrols.get
Google Earth Engine Added earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.setIamPolicy
earthengine.assets.update
earthengine.computations.create
earthengine.exports.create
earthengine.filmstripthumbnails.create
earthengine.filmstripthumbnails.get
earthengine.imports.create
earthengine.maps.create
earthengine.maps.get
earthengine.operations.delete
earthengine.operations.get
earthengine.operations.list
earthengine.operations.update
earthengine.tables.create
earthengine.tables.get
earthengine.thumbnails.create
earthengine.thumbnails.get
earthengine.videothumbnails.create
earthengine.videothumbnails.get

Cloud IAM changes as of 2020-12-18

Service Change Description
Anthos Identity Service Now GA

The role roles/anthosidentityservice.serviceAgent (Anthos Identity Service Agent) is now GA.
API Gateway Now GA

The role roles/apigateway.admin (ApiGateway Admin) is now GA.
API Gateway Now GA

The role roles/apigateway.viewer (ApiGateway Viewer) is now GA.
Apigee Now GA

The role roles/apigee.portalAdmin (Apigee Portal Admin) is now GA.
AutoML Role Updated

The following permissions have been added to the role roles/automl.serviceAgent (AutoML Service Agent):

bigquery.tables.update
Private Catalog Role Updated

The following permissions have been added to the role roles/cloudprivatecatalogproducer.orgAdmin (Catalog Org Admin):

cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.associations.create
cloudprivatecatalogproducer.associations.delete
cloudprivatecatalogproducer.associations.get
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.create
cloudprivatecatalogproducer.catalogs.delete
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.catalogs.undelete
cloudprivatecatalogproducer.catalogs.update
cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update
cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update
cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate
Compute Engine Now GA

The role roles/compute.orgFirewallPolicyAdmin (Compute Organization Firewall Policy Admin) is now GA.
Compute Engine Now GA

The role roles/compute.orgFirewallPolicyUser (Compute Organization Firewall Policy User) is now GA.
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

dns.dnsKeys.get
dns.dnsKeys.list
dns.managedZoneOperations.get
dns.managedZoneOperations.list
dns.managedZones.delete
dns.networks.bindPrivateDNSPolicy
dns.networks.targetWithPeeringZone
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.get
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.admin (Error Reporting Admin):

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.user (Error Reporting User):

logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Error Reporting Role Updated

The following permissions have been added to the role roles/errorreporting.viewer (Error Reporting Viewer):

logging.notificationRules.get
logging.notificationRules.list
API Gateway Now GA apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.delete
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.delete
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.locations.get
apigateway.locations.list
apigateway.operations.cancel
apigateway.operations.delete
apigateway.operations.get
apigateway.operations.list
Apigee Added apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Apigee Supported In Custom Roles apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Apigee Now GA apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
Filestore Supported In Custom Roles file.operations.cancel
Cloud Logging Added logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Cloud Logging Supported In Custom Roles logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Cloud Logging Now GA logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update
Recommender Added recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Recommender Supported In Custom Roles recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Recommender Now GA recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceInsights.update
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.update
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceInsights.update
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.update
Retail API Added retail.catalogs.list
retail.catalogs.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin
Retail API Supported In Custom Roles retail.catalogs.list
retail.catalogs.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin

Cloud IAM changes as of 2020-12-11

Service Change Description
Cloud TPU Role Updated

The following permissions have been added to the role roles/cloudtpu.serviceAgent (Cloud TPU V2 API Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Cloud Composer Now GA

The role roles/composer.sharedVpcAgent (Composer Shared VPC Agent) is now GA.
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.serviceAgent (Cloud Composer API Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Cloud Composer Role Updated

The following permissions have been added to the role roles/composer.worker (Composer Worker):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Compute Engine Now GA

The role roles/compute.orgSecurityPolicyAdmin (Compute Organization Security Policy Admin) is now GA.
Compute Engine Now GA

The role roles/compute.orgSecurityPolicyUser (Compute Organization Security Policy User) is now GA.
Compute Engine Now GA

The role roles/compute.orgSecurityResourceAdmin (Compute Organization Resource Admin) is now GA.
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.admin (Compute Admin):

compute.firewallPolicies.cloneRules
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.networkAdmin (Compute Network Admin):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.orgSecurityPolicyAdmin (Compute Organization Security Policy Admin):

compute.firewallPolicies.cloneRules
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.securityAdmin (Compute Security Admin):

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Role Updated

The following permissions have been added to the role roles/compute.serviceAgent (Compute Engine Service Agent):

cloudnotifications.activities.list
compute.instanceGroupManagers.get
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.admin (Kubernetes Engine Admin):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.developer (Kubernetes Engine Developer):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.serviceAgent (Kubernetes Engine Service Agent):

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Google Kubernetes Engine Role Updated

The following permissions have been added to the role roles/container.viewer (Kubernetes Engine Viewer):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
Container Threat Detection Role Updated

The following permissions have been added to the role roles/containerthreatdetection.serviceAgent (Container Threat Detection Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.update
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
Dataflow Role Updated

The following permissions have been added to the role roles/dataflow.serviceAgent (Cloud Dataflow Service Agent):

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
Dataproc Now GA

The role roles/dataproc.hubAgent (Dataproc Hub Agent) is now GA.
Early Access Center Role Updated

The following permissions have been added to the role roles/earlyaccesscenter.admin (Early Access Center Administrator):

earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Early Access Center Role Updated

The following permissions have been added to the role roles/earlyaccesscenter.viewer (Early Access Center Viewer):

earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Basic Role Role Updated

The following permissions have been added to the role roles/editor (Editor):

compute.firewallPolicies.cloneRules
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Game Servers Role Updated

The following permissions have been added to the role roles/gameservices.serviceAgent (Game Services Service Agent):

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityAdmin (Security Admin):

container.endpointSlices.list
container.frontendConfigs.list
container.storageStates.list
container.storageVersionMigrations.list
container.updateInfos.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.list
Identity and Access Management Role Updated

The following permissions have been added to the role roles/iam.securityReviewer (Security Reviewer):

container.endpointSlices.list
container.frontendConfigs.list
container.storageStates.list
container.storageVersionMigrations.list
container.updateInfos.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.list
Cloud Logging Role Updated

The following permissions have been added to the role roles/logging.viewer (Logs Viewer):

logging.views.get
logging.views.list
Dataproc Metastore Role Added

The role roles/metastore.metadataOperator (Dataproc Metastore Metadata Operator) has been added with the following permissions:

metastore.imports.create
metastore.imports.delete
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
AI Platform Notebooks Role Updated

The following permissions have been added to the role roles/notebooks.legacyAdmin (Notebooks Legacy Admin):

compute.firewallPolicies.cloneRules
Basic Role Role Updated

The following permissions have been added to the role roles/owner (Owner):

compute.firewallPolicies.cloneRules
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.controlServiceAgent (Security Center Control Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
logging.views.get
logging.views.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.securityHealthAnalyticsServiceAgent (Security Health Analytics Service Agent):

logging.views.get
logging.views.list
Security Command Center Role Updated

The following permissions have been added to the role roles/securitycenter.serviceAgent (Security Center Service Agent):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.storageStates.get
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
logging.views.get
logging.views.list
Basic Role Role Updated

The following permissions have been added to the role roles/viewer (Viewer):

container.endpointSlices.get
container.endpointSlices.list
container.frontendConfigs.get
container.frontendConfigs.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.updateInfos.get
container.updateInfos.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
metastore.services.export
Apigee Added apigee.organizations.delete
Apigee Supported In Custom Roles apigee.organizations.delete
Apigee Now GA apigee.organizations.delete
Compute Engine Added compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Supported In Custom Roles compute.firewallPolicies.addAssociation
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Compute Engine Now GA compute.firewallPolicies.addAssociation
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
Google Kubernetes Engine Added container.apiServices.getStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container.certificateSigningRequests.getStatus
container.clusterRoles.escalate
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.customResourceDefinitions.getStatus
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.finalize
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.roles.escalate
container.selfSubjectRulesReviews.create
container.serviceAccounts.createToken
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus
Dataproc Added dataproc.clusters.start
dataproc.clusters.stop
Dataproc Now GA dataproc.clusters.start
dataproc.clusters.stop
Early Access Center Added earlyaccesscenter.customerAllowlists.get
earlyaccesscenter.customerAllowlists.list
Cloud Logging Added logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Cloud Logging Supported In Custom Roles logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Cloud Logging Now GA logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update
Dataproc Metastore Added metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.services.update
Dataproc Metastore Supported In Custom Roles metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update
metastore.locations.get
metastore.locations.list
metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list
metastore.services.create
metastore.services.delete
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.services.update

Cloud IAM changes as of 2020-11-20

Service Change Description
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsEditor (Apigee Analytics Editor):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.analyticsViewer (Apigee Analytics Viewer):

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
Apigee Role Updated

The following permissions have been added to the role roles/apigee.apiCreator (Apigee API Creator):

apigee.proxyrevisions.deploy
apigee.proxyrevisions.undeploy
Cloud Logging Role Updated

The following permissions have been removed from the role roles/logging.privateLogViewer (Private Logs Viewer):

logging.views.access
Dell EMC Cloud OneFS Added cloudonefs.isiloncloud.com/clusters.create
cloudonefs.isiloncloud.com/clusters.delete
cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/clusters.update
cloudonefs.isiloncloud.com/clusters.updateAdvancedSettings
cloudonefs.isiloncloud.com/fileshares.create
cloudonefs.isiloncloud.com/fileshares.delete
cloudonefs.isiloncloud.com/fileshares.get
cloudonefs.isiloncloud.com/fileshares.list
cloudonefs.isiloncloud.com/fileshares.update
Private Catalog Added cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update
cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update
cloudprivatecatalogproducer.settings.get
cloudprivatecatalogproducer.settings.update

Cloud IAM changes as of 2020-11-06

Service Change Description
Dialogflow Now GA

The role roles/dialogflow.conversationManager (Dialogflow Conversation Manager) is now GA.
Dialogflow Now GA

The role roles/dialogflow.integrationManager (Dialogflow Integration Manager) is now GA.
Service Management Now GA

The role roles/servicemanagement.reporter (Service Reporter) is now GA.
Compute Engine Added compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Compute Engine Supported In Custom Roles compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Compute Engine Now GA compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
Document AI Added documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.humanReviewConfigs.update
documentai.labelerPools.create
documentai.labelerPools.delete
documentai.labelerPools.get
documentai.labelerPools.list
documentai.labelerPools.update
documentai.locations.get
documentai.locations.list
documentai.operations.getLegacy
documentai.processorTypes.list
documentai.processorVersions.create
documentai.processorVersions.delete
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processors.create
documentai.processors.delete
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
documentai.processors.update
Cloud Logging Added logging.logEntries.download
Cloud Logging Now GA logging.logEntries.download

Cloud IAM changes as of 2020-10-30

Service Change Description
Compute Engine Added compute.forwardingRules.update
Compute Engine Supported In Custom Roles compute.forwardingRules.update
Compute Engine Now GA compute.forwardingRules.update
Early Access Center Added earlyaccesscenter.campaigns.enroll
earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerWhitelists.get
earlyaccesscenter.customerWhitelists.list
Early Access Center Supported In Custom Roles earlyaccesscenter.campaigns.enroll
earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerWhitelists.get
earlyaccesscenter.customerWhitelists.list
GKE Hub Added gkehub.operations.delete
GKE Hub Now GA gkehub.operations.delete
Cloud Logging Added logging.locations.get
logging.locations.list
Cloud Logging Supported In Custom Roles logging.locations.get
logging.locations.list
Cloud Logging Now GA logging.locations.get
logging.locations.list
AI Platform Notebooks Added notebooks.instances.use
AI Platform Notebooks Now GA notebooks.instances.use