IAM permissions change log

This page describes changes to the public Identity and Access Management (IAM) permissions for all Generally Available (GA) and Preview services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is retired or is no longer supported in custom roles, IAM automatically removes the permission from your custom roles. In contrast, when a permission is added, IAM does not automatically add the permission to your custom roles.

For changes that occurred before 2022, see Archived permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

Upcoming IAM changes for the week of 2024-02-26

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

resourcemanager.organizations.get

Cloud Functions

The following permissions have been added to the Cloud Functions Admin role (roles/cloudfunctions.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Developer role (roles/cloudfunctions.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Viewer role (roles/cloudfunctions.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Compute Engine

The following permissions have been added to the Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin):

compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list

Dataplex

The Dataplex Aspect Type Owner role (roles/dataplex.aspectTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Aspect Type User role (roles/dataplex.aspectTypeUser) has reached General Availability (GA).

Dataplex

The Dataplex Entry Group Owner role (roles/dataplex.entryGroupOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Owner role (roles/dataplex.entryOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type Owner role (roles/dataplex.entryTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type User role (roles/dataplex.entryTypeUser) has reached General Availability (GA).

Dataplex

The following permissions have been removed from the Dataplex Administrator role (roles/dataplex.admin):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Editor role (roles/dataplex.editor):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update

Dataplex

The following permissions have been removed from the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.list

Dataplex

The following permissions have been removed from the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Viewer role (roles/dataplex.viewer):

dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

alloydb.instances.get
alloydb.operations.get
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.operations.get
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.sessions.create

Firebase

The following permissions have been added to the Firebase Admin role (roles/firebase.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Admin role (roles/firebase.developAdmin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Viewer role (roles/firebase.developViewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Firebase

The following permissions have been added to the Firebase Viewer role (roles/firebase.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Cloud Run

The following permissions have been added to the Cloud Run Admin role (roles/run.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Developer role (roles/run.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Viewer role (roles/run.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Security Command Center

The Attack Surface Management Scanner Service Agent role (roles/securitycenter.attackSurfaceManagementScannerServiceAgent) has reached General Availability (GA).

BigQuery

The following permissions have been added:

bigquery.tables.setColumnDataPolicy

Bigtable

The following permissions have been added:

bigtable.instances.executeQuery

Bigtable

The following permissions are supported in custom roles:

bigtable.instances.executeQuery

Cloud Controls Partner API

The following permissions have been added:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Cloud Controls Partner API

The following permissions are supported in custom roles:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Dataplex

The following permissions have been added:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions are supported in custom roles:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have reached General Availability (GA):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Recommender

The following permissions have been added:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions have reached General Availability (GA):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Security Posture API

The following permissions have been added:

securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.reports.create

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.reports.create

IAM changes as of 2024-02-23

Service Description
App Hub

The App Hub Admin role (roles/apphub.admin) has reached General Availability (GA).

App Hub

The App Hub Editor role (roles/apphub.editor) has reached General Availability (GA).

App Hub

The App Hub Viewer role (roles/apphub.viewer) has reached General Availability (GA).

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.autoscalers.list
compute.globalForwardingRules.list
compute.instanceGroupManagers.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionUrlMaps.list
compute.urlMaps.list
container.clusters.list
monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.list
storage.buckets.get

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.instances.listEffectiveTags

Cloud SQL

The Cloud SQL Schema Viewer role (roles/cloudsql.schemaViewer) has reached General Availability (GA).

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent):

resourcemanager.folders.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent):

resourcemanager.organizations.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent):

resourcemanager.projects.get

Recommender

The RecentChange RecommenderConfig Admin role (roles/recommender.recentChangeConfigAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Admin role (roles/recommender.recentchangeriskAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Viewer role (roles/recommender.recentchangeriskViewer) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings

App Hub

The following permissions have reached General Availability (GA):

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Cloud SQL

The following permissions have been added:

cloudsql.schemas.view

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.schemas.view

Compute Engine

The following permissions have been added:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions are supported in custom roles:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Recommender

The following permissions have been added:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions have reached General Availability (GA):

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Cloud Storage

The following permissions have been added:

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

Cloud Storage

The following permissions have reached General Availability (GA):

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

IAM changes as of 2024-02-16

Service Description
Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.vpnGateways.list
logging.buckets.list
serviceusage.services.get
storage.buckets.getIamPolicy

BigQuery

The following permissions have been added to the BigQuery Admin role (roles/bigquery.admin):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

BigQuery

The following permissions have been added to the BigQuery Job User role (roles/bigquery.jobUser):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery

The following permissions have been added to the BigQuery User role (roles/bigquery.user):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.regionOperations.get
compute.subnetworks.use
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Cloud Data Fusion

The following permissions have been added to the Cloud Data Fusion API Service Agent role (roles/datafusion.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dataprep by Trifacta

The following permissions have been added to the Dataprep Service Agent role (roles/dataprep.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP API Service Agent role (roles/dlp.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Enterprise Knowledge Graph

The following permissions have been added to the Enterprise Knowledge Graph Service Agent role (roles/enterpriseknowledgegraph.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

FleetEngine

The following permissions have been added to the FleetEngine Service Agent role (roles/fleetengine.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Security Posture API

The following permissions have been added to the Security Posture Shift-Left Validator role (roles/securityposture.reportCreator):

securityposture.operations.get

Chronicle

The following permissions have been added:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Chronicle

The following permissions are supported in custom roles:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Firebase Test Lab

The following permissions have been added:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Firebase Test Lab

The following permissions are supported in custom roles:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.import

Discovery Engine

The following permissions have been added:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

IAM changes as of 2024-02-09

Service Description
Advisory Notifications

The Advisory Notifications Admin role (roles/advisorynotifications.admin) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

App Engine

The following permissions have been added to the App Engine Code Viewer role (roles/appengine.codeViewer):

appengine.applications.listRuntimes

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

cloudsql.instances.list
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
orgpolicy.policy.get
storage.buckets.list

Advisory Notifications

The following permissions have reached General Availability (GA):

advisorynotifications.settings.get
advisorynotifications.settings.update

App Engine

The following permissions have been added:

appengine.applications.listRuntimes

App Engine

The following permissions have reached General Availability (GA):

appengine.applications.listRuntimes

Artifact Registry

The following permissions have been added:

artifactregistry.files.download

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.download

Cloud Deploy

The following permissions have been added:

clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.setIamPolicy

Cloud Composer

The following permissions have been added:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions are supported in custom roles:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions have reached General Availability (GA):

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Dialogflow

The following permissions have been added:

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

IAM changes as of 2024-02-02

Service Description
Chronicle

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataAccessScopes.list

Chronicle

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataAccessScopes.list

Cloud Key Management Service

The Cloud KMS KACLS Service Agent role (roles/cloudkmskacls.serviceAgent) has reached General Availability (GA).

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

firebaseabt.experiments.delete

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

Workload Manager

The following permissions have been added to the Workload Manager Deployment Admin role (roles/workloadmanager.deploymentAdmin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.databases.list

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.databases.list

Audit Manager

The following permissions have been added:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Audit Manager

The following permissions are supported in custom roles:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Chronicle

The following permissions have been added:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

Chronicle

The following permissions are supported in custom roles:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

IAM changes as of 2024-01-26

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store Resource Viewer role (roles/aiplatform.featurestoreResourceViewer):

aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.get
aiplatform.featureViews.list

Audit Manager

The Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent) has reached General Availability (GA).

Cloud AI Companion API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

cloudaicompanion.entitlements.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.models.get
run.jobs.run
run.routes.invoke

Sensitive Data Protection

The following permissions have been added to the DLP Administrator role (roles/dlp.admin):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update
resourcemanager.projects.get
resourcemanager.projects.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

cloudaicompanion.entitlements.get

Basic Role

The following permissions have been added to the Owner role (roles/owner):

cloudaicompanion.entitlements.get

Policy Simulator

The following permissions have been added to the OrgPolicy Simulator Admin role (roles/policysimulator.orgPolicyAdmin):

cloudasset.assets.analyzeOrgPolicy

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

cloudaicompanion.entitlements.get

Google Cloud VMware Engine

The following permissions have been added to the VMware Engine Service Agent role (roles/vmwareengine.serviceAgent):

vmwareengine.nodes.get
vmwareengine.nodes.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.instances.executeSql

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.instances.executeSql

Cloud AI Companion API

The following permissions have been added:

cloudaicompanion.entitlements.get

Discovery Engine

The following permissions have been added:

discoveryengine.branches.get
discoveryengine.branches.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Retail API

The following permissions have been added:

retail.catalogs.exportAnalyticsMetrics

IAM changes as of 2024-01-19

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store EntityType owner role (roles/aiplatform.entityTypeOwner):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Admin role (roles/aiplatform.featurestoreAdmin):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Viewer role (roles/aiplatform.featurestoreDataViewer):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Writer role (roles/aiplatform.featurestoreDataWriter):

aiplatform.featureViews.searchNearestEntities

Artifact Registry

The following permissions have been added to the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent):

artifactregistry.repositories.get

Assured Open Source Software

The Assured OSS User role (roles/assuredoss.user) has been added with the following permissions:

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.googleapis.com/dockerimages.get
artifactregistry.googleapis.com/dockerimages.list
artifactregistry.googleapis.com/files.download
artifactregistry.googleapis.com/files.get
artifactregistry.googleapis.com/files.list
artifactregistry.googleapis.com/locations.get
artifactregistry.googleapis.com/locations.list
artifactregistry.googleapis.com/mavenartifacts.get
artifactregistry.googleapis.com/mavenartifacts.list
artifactregistry.googleapis.com/npmpackages.get
artifactregistry.googleapis.com/npmpackages.list
artifactregistry.googleapis.com/packages.get
artifactregistry.googleapis.com/packages.list
artifactregistry.googleapis.com/projectsettings.get
artifactregistry.googleapis.com/pythonpackages.get
artifactregistry.googleapis.com/pythonpackages.list
artifactregistry.googleapis.com/repositories.downloadArtifacts
artifactregistry.googleapis.com/repositories.get
artifactregistry.googleapis.com/repositories.list
artifactregistry.googleapis.com/repositories.listEffectiveTags
artifactregistry.googleapis.com/repositories.listTagBindings
artifactregistry.googleapis.com/repositories.readViaVirtualRepository
artifactregistry.googleapis.com/tags.get
artifactregistry.googleapis.com/tags.list
artifactregistry.googleapis.com/versions.get
artifactregistry.googleapis.com/versions.list
artifactregistry.googleapis.com/vpcscconfigs.get
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.vpcscconfigs.get
assuredoss.googleapis.com/locations.get
assuredoss.googleapis.com/locations.list
assuredoss.googleapis.com/metadata.get
assuredoss.googleapis.com/metadata.list
assuredoss.googleapis.com/operations.get
assuredoss.googleapis.com/operations.list
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Discovery Engine

The Discovery Engine Admin role (roles/discoveryengine.admin) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Editor role (roles/discoveryengine.editor) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Viewer role (roles/discoveryengine.viewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

GKE Hub

The following permissions have been added to the Connect Gateway Admin role (roles/gkehub.gatewayAdmin):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Editor role (roles/gkehub.gatewayEditor):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Reader role (roles/gkehub.gatewayReader):

gkehub.memberships.get

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent):

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

assuredoss.metadata.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

assuredoss.metadata.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

cloudsql.databases.get
cloudsql.instances.get
cloudsql.users.get

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.instances.createTagBinding
compute.instances.deleteTagBinding
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

Assured Open Source Software

The following permissions have been added:

assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Assured Open Source Software

The following permissions are supported in custom roles:

assuredoss.locations.get
assuredoss.locations.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Database Migration Service

The following permissions have been added:

datamigration.conversionworkspaces.apply

Database Migration Service

The following permissions have reached General Availability (GA):

datamigration.conversionworkspaces.apply

Discovery Engine

The following permissions have been added:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.conversations.converse
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.purge
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.search
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge
discoveryengine.userEvents.create
discoveryengine.userEvents.import
discoveryengine.userEvents.purge

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.explainDataAccess

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.explainDataAccess

IAM changes as of 2024-01-05

Service Description
API Gateway

The following permissions have been added to the ApiGateway Admin role (roles/apigateway.admin):

serviceusage.services.get

API Gateway

The following permissions have been added to the ApiGateway Viewer role (roles/apigateway.viewer):

serviceusage.services.get

Assured Workloads

The following permissions have been added to the Assured Workloads Service Agent role (roles/assuredworkloads.serviceAgent):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Admin role (roles/automl.admin):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Editor role (roles/automl.editor):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Viewer role (roles/automl.viewer):

serviceusage.services.get

Chronicle

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.rules.delete

Cloud Functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

serviceusage.services.get

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Manager role (roles/consumerprocurement.entitlementManager) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Viewer role (roles/consumerprocurement.entitlementViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Events Viewer role (roles/consumerprocurement.eventsViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Administrator role (roles/consumerprocurement.orderAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Viewer role (roles/consumerprocurement.orderViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Administrator role (roles/consumerprocurement.procurementAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Viewer role (roles/consumerprocurement.procurementViewer) has reached General Availability (GA).

AI Platform Data Labeling Service

The following permissions have been added to the Data Labeling Service Agent role (roles/datalabeling.serviceAgent):

serviceusage.services.get

Dialogflow

The following permissions have been added to the Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient):

dialogflow.generators.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

discoveryengine.engines.delete
discoveryengine.engines.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

securityposture.postures.extract
securityposture.reports.create

Firebase

The following permissions have been added to the Firebase SDK Provisioning Service Agent role (roles/firebase.sdkProvisioningServiceAgent):

serviceusage.services.get

Firewall Insights

The following permissions have been added to the Cloud Firewall Insights Service Agent role (roles/firewallinsights.serviceAgent):

compute.regionTargetTcpProxies.list

Anthos Service Mesh

The following permissions have been added to the Mesh Config Service Agent role (roles/meshconfig.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Cloud Monitoring

The following permissions have been added to the Monitoring Admin role (roles/monitoring.admin):

serviceusage.services.get

Cloud Monitoring

The following permissions have been added to the Monitoring Editor role (roles/monitoring.editor):

serviceusage.services.get

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Network Management API

The following permissions have been added to the GCP Network Management Service Agent role (roles/networkmanagement.serviceAgent):

compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

securityposture.postures.extract
securityposture.reports.create

Security Command Center

The following permissions have been added to the Security Center Automation Service Agent role (roles/securitycenter.automationServiceAgent):

serviceusage.services.get

Security Posture API

The Security Posture Shift-Left Validator role (roles/securityposture.reportCreator) has been added with the following permissions:

securityposture.googleapis.com/reports.create
securityposture.reports.create

Security Posture API

The Security Posture Admin role (roles/securityposture.admin) has reached General Availability (GA).

Security Posture API

The Security Posture Deployer role (roles/securityposture.postureDeployer) has reached General Availability (GA).

Security Posture API

The Security Posture Deployments Viewer role (roles/securityposture.postureDeploymentsViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Editor role (roles/securityposture.postureEditor) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Viewer role (roles/securityposture.postureViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Viewer role (roles/securityposture.viewer) has reached General Availability (GA).

Google Cloud's operations suite

The following permissions have been added to the Stackdriver Accounts Editor role (roles/stackdriver.accounts.editor):

serviceusage.services.get

Apigee

The following permissions have been added:

apigee.keyvaluemapentries.update

Apigee

The following permissions have reached General Availability (GA):

apigee.keyvaluemapentries.update

BigQuery

The following permissions have been added:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/capacityCommitments.create
bigqueryreservation.googleapis.com/capacityCommitments.delete
bigqueryreservation.googleapis.com/capacityCommitments.get
bigqueryreservation.googleapis.com/capacityCommitments.list
bigqueryreservation.googleapis.com/capacityCommitments.update
bigqueryreservation.googleapis.com/reservationAssignments.create
bigqueryreservation.googleapis.com/reservationAssignments.delete
bigqueryreservation.googleapis.com/reservationAssignments.list
bigqueryreservation.googleapis.com/reservationAssignments.search

Chronicle

The following permissions have been added:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchAlerts
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.legacies.legacyUpdateAlert
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Chronicle

The following permissions are supported in custom roles:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.feedServiceAccounts.fetch
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Chronicle

The following permissions have reached General Availability (GA):

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Translation

The following permissions have been added:

cloudtranslate.adaptiveMtDatasets.create
cloudtranslate.adaptiveMtDatasets.delete
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.import
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.adaptiveMtFiles.delete
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list

Compute Engine

The following permissions have been added:

compute.networkAttachments.update

Compute Engine

The following permissions are supported in custom roles:

compute.networkAttachments.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.update

Cloud Config Manager API

The following permissions have been added:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Config Manager API

The following permissions are supported in custom roles:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Commerce Consumer Procurement

The following permissions have reached General Availability (GA):

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

Enterprise Purchasing API

The following permissions have been added:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Enterprise Purchasing API

The following permissions are supported in custom roles:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Mandiant

The following permissions have been added:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Mandiant

The following permissions are supported in custom roles:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Marketplace Solutions API

The following permissions have been added:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Marketplace Solutions API

The following permissions are supported in custom roles:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Memorystore for Redis

The following permissions have been added:

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Memorystore for Redis

The following permissions have reached General Availability (GA):

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Security Command Center

The following permissions have been added:

securitycenter.compliancesnapshots.list

Security Posture API

The following permissions have been added:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Personalized Service Health

The following permissions have been added:

servicehealth.statuses.get

Personalized Service Health

The following permissions are supported in custom roles:

servicehealth.statuses.get

IAM changes as of 2023-12-15

Service Description
Anthos Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.addonsconfig.get

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.addonsconfig.get

Connectors

The Connector Event Listener role (roles/connectors.listener) has been added with the following permissions:

connectors.connections.listenEvent
connectors.googleapis.com/connections.listenEvent

Artifact Analysis

The following permissions have been removed from the Container Analysis Service Agent role (roles/containeranalysis.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Container Scanning

The following permissions have been removed from the Container Scanner Service Agent role (roles/containerscanning.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Basic Role

The following permissions have been added to the Editor role (roles/editor):

connectors.connections.listenEvent

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

container.thirdPartyObjects.update

Basic Role

The following permissions have been added to the Owner role (roles/owner):

connectors.connections.listenEvent

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

compute.disks.useReadOnly

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

compute.disks.useReadOnly

BigQuery

The following permissions have reached General Availability (GA):

bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag

Cloud Billing

The following permissions have been added:

billing.billingAccountPrices.list

Cloud Billing

The following permissions have reached General Availability (GA):

billing.billingAccountPrices.list

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Connectors

The following permissions have been added:

connectors.connections.listenEvent

Firebase Storage

The following permissions have been added:

firebasestorage.defaultBucket.create
firebasestorage.defaultBucket.delete
firebasestorage.defaultBucket.get

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

IAM changes as of 2023-12-08

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.snapshots.useReadOnly

Anthos Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.healthChecks.useReadOnly
compute.networks.updatePolicy

Apigee

The following permissions have been added to the Apigee Organization Admin role (roles/apigee.admin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Read-only Admin role (roles/apigee.readOnlyAdmin):

apigee.securitySettings.get

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.securitySettings.get

Binary Authorization

The following permissions have been added to the Binary Authorization Service Agent role (roles/binaryauthorization.serviceAgent):

artifactregistry.dockerimages.get

Blockchain Node Engine

The Blockchain Node Engine Admin role (roles/blockchainnodeengine.admin) has reached General Availability (GA).

Blockchain Node Engine

The Blockchain Node Engine Viewer role (roles/blockchainnodeengine.viewer) has reached General Availability (GA).

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

cloudquotas.quotas.get

Connectors

The Custom Connectors Admin role (roles/connectors.customConnectorAdmin) has been added with the following permissions:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update
connectors.googleapis.com/customConnectorVersions.create
connectors.googleapis.com/customConnectorVersions.delete
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectorVersions.setIamPolicy
connectors.googleapis.com/customConnectorVersions.update
connectors.googleapis.com/customConnectors.create
connectors.googleapis.com/customConnectors.delete
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/customConnectors.setIamPolicy
connectors.googleapis.com/customConnectors.update
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The Custom Connector Viewer role (roles/connectors.customConnectorViewer) has been added with the following permissions:

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Viewer role (roles/connectors.viewer):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.instances.import
storage.objects.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

datacatalog.entries.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.update

FleetEngine

The Fleet Engine Delivery Admin role (roles/fleetengine.deliveryAdmin) has reached General Availability (GA).

FleetEngine

The Fleet Engine On-Demand Admin role (roles/fleetengine.ondemandAdmin) has reached General Availability (GA).

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent):

serviceusage.services.use

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent):

serviceusage.services.use

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Security Center Management API

The Security Center Management Custom Modules Editor role (roles/securitycentermanagement.customModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management Custom Modules Viewer role (roles/securitycentermanagement.customModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Security Center Management API

The Security Center Management Custom ETD Modules Editor role (roles/securitycentermanagement.etdCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management ETD Custom Modules Viewer role (roles/securitycentermanagement.etdCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management SHA Custom Modules Editor role (roles/securitycentermanagement.shaCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management SHA Custom Modules Viewer role (roles/securitycentermanagement.shaCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

apigee.securitySettings.get
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Vision AI

The following permissions have been added to the Cloud Vision AI Service Agent role (roles/visionai.serviceAgent):

visionai.assets.analyze
visionai.assets.generateHlsUri
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.create
visionai.corpora.import
visionai.corpora.suggest
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Workflows

The following permissions have been added to the Workflows Invoker role (roles/workflows.invoker):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

workloadmanager.insights.write

Apigee

The following permissions have been added:

apigee.securitySettings.get
apigee.securitySettings.update

Blockchain Node Engine

The following permissions have reached General Availability (GA):

blockchainnodeengine.blockchainNodes.create
blockchainnodeengine.blockchainNodes.delete
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.blockchainNodes.update
blockchainnodeengine.locations.get
blockchainnodeengine.locations.list
blockchainnodeengine.operations.cancel
blockchainnodeengine.operations.delete
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list

Cloud Deploy

The following permissions have been added:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Connectors

The following permissions have been added:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Firebase App Check

The following permissions have been added:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions are supported in custom roles:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions have reached General Availability (GA):

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

FleetEngine

The following permissions have been added:

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

FleetEngine

The following permissions have reached General Availability (GA):

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

Kubernetes Metadata API

The following permissions have been added:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Kubernetes Metadata API

The following permissions are supported in custom roles:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Live Stream

The following permissions have been added:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions are supported in custom roles:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions have reached General Availability (GA):

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Maps Analytics

The following permissions have been added:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Maps Analytics

The following permissions are supported in custom roles:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Network Connectivity Center

The following permissions have been added:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Recommender

The following permissions have been added:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Recommender

The following permissions are supported in custom roles:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Security Center Management API

The following permissions have been added:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Cloud Storage

The following permissions have been added:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions are supported in custom roles:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions have reached General Availability (GA):

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Video Stitcher API

The following permissions have been added:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions are supported in custom roles:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions have reached General Availability (GA):

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Workflows

The following permissions have been added:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions are supported in custom roles:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions have reached General Availability (GA):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added:

workloadmanager.insights.write

Workload Manager

The following permissions are supported in custom roles:

workloadmanager.insights.write

IAM changes as of 2023-11-17

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.disks.createSnapshot
compute.globalOperations.get
compute.instances.useReadOnly
compute.snapshots.create
compute.snapshots.delete

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.addresses.use

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.addresses.use

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Viewer role (roles/workloadmanager.viewer):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

orgpolicy.policy.get

Dataform

The following permissions have been added:

dataform.workspaces.searchFiles

Dataform

The following permissions have reached General Availability (GA):

dataform.workspaces.searchFiles

Identity-Aware Proxy

The following permissions have been added:

iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.webServiceVersions.remediate

IAM changes as of 2023-11-10

Service Description
Content Warehouse

The following permissions have been added to the Content Warehouse Admin role (roles/contentwarehouse.admin):

contentwarehouse.documents.list

Content Warehouse

The following permissions have been added to the Content Warehouse Document Admin role (roles/contentwarehouse.documentAdmin):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document creator role (roles/contentwarehouse.documentCreator):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Document Editor role (roles/contentwarehouse.documentEditor):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document schema viewer role (roles/contentwarehouse.documentSchemaViewer):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Viewer role (roles/contentwarehouse.documentViewer):

contentwarehouse.locations.getStatus

GKE Multi-Cloud

The Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent) has reached General Availability (GA).

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/run.serviceAgent):

artifactregistry.repositories.uploadArtifacts

Storage Insights

The Storage Insights Analyst role (roles/storageinsights.analyst) has reached General Availability (GA).

App Hub

The following permissions have been added:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

App Hub

The following permissions are supported in custom roles:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Commerce Org Governance

The following permissions have been added:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Commerce Org Governance

The following permissions are supported in custom roles:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Content Warehouse

The following permissions have been added:

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Looker Studio

The following permissions are supported in custom roles:

lookerstudio.pro.manage

Network Security

The following permissions have been added:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Network Security

The following permissions are supported in custom roles:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Storage Insights

The following permissions have been added:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions are supported in custom roles:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions have reached General Availability (GA):

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

IAM changes as of 2023-11-03

Service Description
Chronicle

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.dashboards.schedule
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchUserEvents
chronicle.logTypeSchemas.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Chronicle

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph

Cloud AI Companion API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

resourcemanager.projects.get
resourcemanager.projects.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

compute.disks.createTagBinding

Distributed Cloud Edge Container

The Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent) has reached General Availability (GA).

Distributed Cloud Edge Container

The Edge Container Cluster offline Credential User role (roles/edgecontainer.offlineCredentialUser) has reached General Availability (GA).

Looker

The Looker Service Agent role (roles/looker.serviceAgent) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Admin role (roles/readerrevenuesubscriptionlinking.admin) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Entitlements Viewer role (roles/readerrevenuesubscriptionlinking.entitlementsViewer) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Viewer role (roles/readerrevenuesubscriptionlinking.viewer) has reached General Availability (GA).

Apigee

The following permissions have been added:

apigee.securityIncidents.update

Apigee

The following permissions are supported in custom roles:

apigee.securityIncidents.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityIncidents.update

Chronicle

The following permissions have been added:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Chronicle

The following permissions are supported in custom roles:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.clusters.generateOfflineCredential

Subscription Linking

The following permissions have been added:

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Subscription Linking

The following permissions have reached General Availability (GA):

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Security Command Center

The following permissions have been added:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions are supported in custom roles:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

IAM changes as of 2023-10-27

Service Description
BigQuery

The following permissions have been added to the Bigquery Studio User role (roles/bigquery.studioUser):

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.networkAttachments.get

Cloud Asset Inventory

The Other Cloud Config Service Agent role (roles/cloudasset.otherCloudConfigServiceAgent) has reached General Availability (GA).

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

composer.dags.get
composer.environments.get
iam.serviceAccounts.getAccessToken

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.actions.list
connectors.entityTypes.list

Datastream

The Datastream Admin role (roles/datastream.admin) has reached General Availability (GA).

Datastream

The Datastream Viewer role (roles/datastream.viewer) has reached General Availability (GA).

Looker Studio

The following permissions have been added to the Data Studio Workspace Content Manager role (roles/datastudio.contentManager):

datastudio.datasources.move
datastudio.reports.move

GKE Hub

The GKE Hub Cross Project Service Agent role (roles/gkehub.crossProjectServiceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.setLabels

Capacity Planner

The following permissions have been added:

capacityplanner.forecasts.list
capacityplanner.usageHistories.list
capacityplanner.usageHistories.summarize

Cloud Key Management Service

The following permissions have been added:

cloudkms.locations.optOutKeyDeletionMsa

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.locations.optOutKeyDeletionMsa

Cloud Tasks

The following permissions have been added:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Cloud Tasks

The following permissions are supported in custom roles:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Datastream

The following permissions have reached General Availability (GA):

datastream.connectionProfiles.create
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.delete
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.createTagBinding
datastream.privateConnections.delete
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.createTagBinding
datastream.streams.delete
datastream.streams.deleteTagBinding
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update

Financial Services

The following permissions have been added:

financialservices.locations.get
financialservices.locations.list
financialservices.operations.cancel
financialservices.operations.delete
financialservices.operations.get
financialservices.operations.list
financialservices.v1backtests.create
financialservices.v1backtests.delete
financialservices.v1backtests.exportMetadata
financialservices.v1backtests.get
financialservices.v1backtests.list
financialservices.v1backtests.update
financialservices.v1datasets.create
financialservices.v1datasets.delete
financialservices.v1datasets.get
financialservices.v1datasets.list
financialservices.v1datasets.update
financialservices.v1engineconfigs.create
financialservices.v1engineconfigs.delete
financialservices.v1engineconfigs.exportMetadata
financialservices.v1engineconfigs.get
financialservices.v1engineconfigs.list
financialservices.v1engineconfigs.update
financialservices.v1engineversions.get
financialservices.v1engineversions.list
financialservices.v1instances.create
financialservices.v1instances.delete