IAM permissions change log

This page describes changes to the public Identity and Access Management (IAM) permissions for all Generally Available (GA) and Preview services on Google Cloud. This change log can help you maintain and troubleshoot your custom roles.

When a permission is added, IAM does not automatically add the permission to your custom roles.

For changes that occurred before 2022, see Archived permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cloud-iam-permissions-change-log.xml

IAM changes as of 2024-06-14

Service | Description

Config Management

The following permissions have been added to the Anthos Config Management Service Agent role (roles/anthosconfigmanagement.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

GKE Identity Service

The following permissions have been added to the Anthos Identity Service Agent role (roles/anthosidentityservice.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Policy Controller

The following permissions have been added to the Anthos Policy Controller Service Agent role (roles/anthospolicycontroller.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

gkehub.gateway.generateCredentials

App Development Experience

The following permissions have been added to the App Development Experience Service Agent role (roles/appdevelopmentexperience.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Backup and Disaster Recovery

The Backup and DR Management Server Accessor role (roles/backupdr.managementServerAccessor) has been added with the following permissions:

backupdr.googleapis.com/managementServers.createConnection
backupdr.managementServers.createConnection

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list

Google Security Operations

The following permissions have been added to the Chronicle Service Agent role (roles/chronicle.serviceAgent):

bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
storage.objects.delete

Google Security Operations

The following permissions have been added to the Chronicle SOAR Admin role (roles/chronicle.soarAdmin):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent):

securitycenter.findings.setMute
securitycenter.findings.update
securitycenter.sources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Threat Manager role (roles/chronicle.soarThreatManager):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Google Security Operations

The following permissions have been added to the Chronicle SOAR Vulnerability Manager role (roles/chronicle.soarVulnerabilityManager):

cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list

Config Delivery

The following permissions have been added to the Config Delivery Service Agent role (roles/configdelivery.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get

GKE Hub

The following permissions have been added to the GKE Hub Service Agent role (roles/gkehub.serviceAgent):

gkehub.gateway.generateCredentials

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Multi-Cluster Metering

The following permissions have been added to the Multi-cluster metering Service Agent role (roles/multiclustermetering.serviceAgent):

gkehub.gateway.generateCredentials

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Network Connectivity Center

The Regional Endpoint Admin role (roles/networkconnectivity.regionalEndpointAdmin) has reached General Availability (GA).

Network Connectivity Center

The Regional Endpoint Viewer role (roles/networkconnectivity.regionalEndpointViewer) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Admin role (roles/privilegedaccessmanager.admin) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Viewer role (roles/privilegedaccessmanager.viewer) has reached General Availability (GA).

Secure Source Manager

The Secure Source Manager Service Agent role (roles/securesourcemanager.serviceAgent) has reached General Availability (GA).

Service Directory

The following permissions have been added to the Service Directory Service Agent role (roles/servicedirectory.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Personalized Service Health

The Personalized Service Health Viewer role (roles/servicehealth.viewer) has reached General Availability (GA).

Spectrum Access System (SAS)

The Spectrum SAS Service Agent role (roles/spectrumsas.serviceAgent) has reached General Availability (GA).

Google Security Operations

The following permissions have been added:

chronicle.dashboardCharts.get
chronicle.dashboardCharts.list
chronicle.dashboardQueries.execute
chronicle.dashboardQueries.get
chronicle.dashboardQueries.list
chronicle.nativeDashboards.create
chronicle.nativeDashboards.delete
chronicle.nativeDashboards.duplicate
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.nativeDashboards.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dashboardCharts.get
chronicle.dashboardCharts.list
chronicle.dashboardQueries.execute
chronicle.dashboardQueries.get
chronicle.dashboardQueries.list
chronicle.nativeDashboards.create
chronicle.nativeDashboards.delete
chronicle.nativeDashboards.duplicate
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.nativeDashboards.update

Config Delivery

The following permissions have been added:

configdelivery.fleetPackages.create
configdelivery.fleetPackages.delete
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.fleetPackages.update
configdelivery.locations.get
configdelivery.locations.list
configdelivery.operations.cancel
configdelivery.operations.delete
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.delete
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.delete
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
configdelivery.rollouts.abort
configdelivery.rollouts.get
configdelivery.rollouts.list
configdelivery.rollouts.resume
configdelivery.rollouts.suspend

Config Delivery

The following permissions are supported in custom roles:

configdelivery.fleetPackages.create
configdelivery.fleetPackages.delete
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.fleetPackages.update
configdelivery.locations.get
configdelivery.locations.list
configdelivery.operations.cancel
configdelivery.operations.delete
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.delete
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.delete
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
configdelivery.rollouts.abort
configdelivery.rollouts.get
configdelivery.rollouts.list
configdelivery.rollouts.resume
configdelivery.rollouts.suspend

Dataproc Resource Manager

The following permissions have been added:

dataprocrm.locations.get
dataprocrm.locations.list
dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update
dataprocrm.operations.cancel
dataprocrm.operations.delete
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

Dataproc Resource Manager

The following permissions are supported in custom roles:

dataprocrm.locations.get
dataprocrm.locations.list
dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update
dataprocrm.operations.cancel
dataprocrm.operations.delete
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

GKE Hub

The following permissions have been added:

gkehub.gateway.generateCredentials

GKE Hub

The following permissions are supported in custom roles:

gkehub.gateway.generateCredentials

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.gateway.generateCredentials

Maps Analytics

The following permissions have been added:

mapsanalytics.metricData.queryMobilitySolutionsOverageData

Maps Analytics

The following permissions are supported in custom roles:

mapsanalytics.metricData.queryMobilitySolutionsOverageData

Network Connectivity Center

The following permissions have reached General Availability (GA):

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Privileged Access Manager

The following permissions have reached General Availability (GA):

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.checkOnboardingStatus
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Personalized Service Health

The following permissions have reached General Availability (GA):

servicehealth.events.get
servicehealth.events.list
servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

Spanner

The following permissions have been added:

spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update

Spanner

The following permissions are supported in custom roles:

spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update

Workload Manager

The following permissions have been added:

workloadmanager.discoveredprofiles.get
workloadmanager.discoveredprofiles.getHealth
workloadmanager.discoveredprofiles.list

IAM changes as of 2024-05-31

Service | Description

Assured Workloads

The following permissions have been added to the Assured Workloads Administrator role (roles/assuredworkloads.admin):

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

Assured Workloads

The following permissions have been added to the Assured Workloads Editor role (roles/assuredworkloads.editor):

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

Assured Workloads

The following permissions have been added to the Assured Workloads Reader role (roles/assuredworkloads.reader):

orgpolicy.policies.list

Google Cloud Support

The following permissions have been added to the Tech Support Editor role (roles/cloudsupport.techSupportEditor):

billing.resourceAssociations.list

Config Delivery

The Config Delivery Service Agent role (roles/configdelivery.serviceAgent) has reached General Availability (GA).

Workload Manager

The following permissions have been added to the Workload Manager Service Agent role (roles/workloadmanager.serviceAgent):

cloudasset.assets.listAccessPolicy
cloudasset.assets.listIamPolicy
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listResource
serviceusage.services.use

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings

BigQuery

The following permissions have been added:

bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

BigQuery

The following permissions have reached General Availability (GA):

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings

Cloud Logging

The following permissions have been added:

logging.queries.usePrivate

Cloud Logging

The following permissions are supported in custom roles:

logging.queries.usePrivate

Cloud Logging

The following permissions have reached General Availability (GA):

logging.queries.usePrivate

IAM changes as of 2024-05-24

Service | Description

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

secretmanager.secrets.list

Cloud AI Companion API

The Cloud AI Companion Service Agent role (roles/cloudaicompanion.serviceAgent) has been added with the following permissions:

cloudbuild.connections.get
cloudbuild.googleapis.com/connections.get
cloudbuild.googleapis.com/repositories.accessReadToken
cloudbuild.googleapis.com/repositories.fetchGitRefs
cloudbuild.googleapis.com/repositories.get
cloudbuild.googleapis.com/repositories.list
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.googleapis.com/connections.get
developerconnect.googleapis.com/gitRepositoryLinks.fetchGitRefs
developerconnect.googleapis.com/gitRepositoryLinks.fetchReadToken
developerconnect.googleapis.com/gitRepositoryLinks.get
developerconnect.googleapis.com/gitRepositoryLinks.list
logging.googleapis.com/logEntries.create
logging.googleapis.com/logEntries.route
logging.logEntries.create
logging.logEntries.route
serviceusage.googleapis.com/services.use
serviceusage.services.use

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

dataproc.sessionTemplates.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

eventarc.operations.get

GKE Hub

The following permissions have been added to the Fleet Project-level Scope Viewer role (roles/gkehub.scopeViewerProjectLevel):

monitoring.timeSeries.list

GKE Hub

The following permissions have been added to the GKE Hub Service Agent role (roles/gkehub.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Multi-Cluster Metering

The following permissions have been added to the Multi-cluster metering Service Agent role (roles/multiclustermetering.serviceAgent):

gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put

Basic Role

The following permissions have been added to the Owner role (roles/owner):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Route Optimization

The Route Optimization Editor role (roles/routeoptimization.editor) has reached General Availability (GA).

Route Optimization

The Route Optimization Viewer role (roles/routeoptimization.viewer) has reached General Availability (GA).

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Command Center

The following permissions have been added to the Security Center Settings Admin role (roles/securitycenter.settingsAdmin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Command Center

The following permissions have been added to the Security Center Settings Editor role (roles/securitycenter.settingsEditor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The Security Center Management Services Editor role (roles/securitycentermanagement.securityCenterServicesEditor) has reached General Availability (GA).

Security Center Management API

The Security Center Management Services Viewer role (roles/securitycentermanagement.securityCenterServicesViewer) has reached General Availability (GA).

Security Center Management API

The following permissions have been added to the Security Center Management Admin role (roles/securitycentermanagement.admin):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The following permissions have been added to the Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

chronicle.logs.import

Vertex AI

The following permissions have been added:

aiplatform.featureOnlineStores.getIamPolicy
aiplatform.featureOnlineStores.setIamPolicy
aiplatform.featureViews.getIamPolicy
aiplatform.featureViews.setIamPolicy

Google Security Operations

The following permissions have been added:

chronicle.dataTableRows.asyncBulkCreate
chronicle.dataTableRows.asyncBulkReplace
chronicle.dataTableRows.asyncBulkUpdate
chronicle.dataTableRows.bulkCreate
chronicle.dataTableRows.bulkReplace
chronicle.dataTableRows.bulkUpdate
chronicle.dataTables.bulkCreateDataTableAsync

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataTableRows.asyncBulkCreate
chronicle.dataTableRows.asyncBulkReplace
chronicle.dataTableRows.asyncBulkUpdate
chronicle.dataTableRows.bulkCreate
chronicle.dataTableRows.bulkReplace
chronicle.dataTableRows.bulkUpdate
chronicle.dataTables.bulkCreateDataTableAsync

Cloud Data Fusion

The following permissions have been added:

datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings

Cloud Data Fusion

The following permissions have reached General Availability (GA):

datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings

Live Stream

The following permissions have been added:

livestream.clips.create
livestream.clips.get
livestream.clips.list

Live Stream

The following permissions are supported in custom roles:

livestream.clips.create
livestream.clips.get
livestream.clips.list

Live Stream

The following permissions have reached General Availability (GA):

livestream.clips.create
livestream.clips.get
livestream.clips.list

Cloud Logging

The following permissions have been added:

logging.queries.deleteShared
logging.queries.getShared

Cloud Logging

The following permissions are supported in custom roles:

logging.queries.deleteShared
logging.queries.getShared

Cloud Logging

The following permissions have reached General Availability (GA):

logging.queries.deleteShared
logging.queries.getShared

Network Services

The following permissions have been added:

networkservices.route_views.get
networkservices.route_views.list

reCAPTCHA

The following permissions have been added:

recaptchaenterprise.firewallpolicies.create
recaptchaenterprise.firewallpolicies.delete
recaptchaenterprise.firewallpolicies.get
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.firewallpolicies.update

reCAPTCHA

The following permissions are supported in custom roles:

recaptchaenterprise.firewallpolicies.create
recaptchaenterprise.firewallpolicies.delete
recaptchaenterprise.firewallpolicies.get
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.firewallpolicies.update

Route Optimization

The following permissions have been added:

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Route Optimization

The following permissions are supported in custom roles:

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Route Optimization

The following permissions have reached General Availability (GA):

routeoptimization.locations.use
routeoptimization.operations.create
routeoptimization.operations.get

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update

IAM changes as of 2024-05-10

Service | Description

Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.notebookRuntimeTemplates.update

Vertex AI

The following permissions have been added to the Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent):

compute.instances.getGuestAttributes

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin):

aiplatform.notebookRuntimeTemplates.update

Vertex AI

The following permissions have been added to the Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent):

aiplatform.endpoints.get
aiplatform.models.get

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune
compute.instances.getGuestAttributes

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have been added to the Vertex AI Viewer role (roles/aiplatform.viewer):

aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.cacheConfigs.get
aiplatform.sessions.get
aiplatform.sessions.list

API Hub

The following permissions have been added to the Cloud API Hub Editor role (roles/apihub.editor):

apihub.operations.get
apihub.operations.list

API Hub

The following permissions have been removed from the Cloud API Hub Editor role (roles/apihub.editor):

apihub.styleGuides.update

API Hub

The following permissions have been added to the Cloud API hub Provisioning Admin role (roles/apihub.provisioningAdmin):

apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list

API Hub

The following permissions have been added to the Cloud API hub Viewer role (roles/apihub.viewer):

apihub.operations.get
apihub.operations.list

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

bigquery.datasets.get

BigQuery

The following permissions have been added to the BigQuery Studio Admin role (roles/bigquery.studioAdmin):

aiplatform.notebookRuntimeTemplates.update

Blockchain Node Engine

The Blockchain Node Engine Service Agent role (roles/blockchainnodeengine.serviceAgent) has reached General Availability (GA).

Google Security Operations

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.instances.logTypeClassifier

Google Security Operations

The following permissions have been added to the Chronicle API Editor role (roles/chronicle.editor):

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.logTypeClassifier
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Google Security Operations

The following permissions have been removed from the Chronicle API Editor role (roles/chronicle.editor):

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions have been added to the Chronicle Service Agent role (roles/chronicle.serviceAgent):

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use
bigquery.datasets.create
bigquery.tables.update
bigquery.tables.updateData
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.get

Google Security Operations

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.instances.logTypeClassifier
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Google Security Operations

The following permissions have been removed from the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.instances.generateWorkspaceConnectionToken

Cloud Build

The following permissions have been added to the Cloud Build Service Agent role (roles/cloudbuild.serviceAgent):

compute.networkAttachments.get
compute.networkAttachments.update
compute.regionOperations.get

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.qaScorecardRevisions.get

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights viewer role (roles/contactcenterinsights.viewer):

contactcenterinsights.qaScorecardRevisions.get

Dataform

The Code Creator role (roles/dataform.codeCreator) has reached General Availability (GA).

Dataform

The Code Editor role (roles/dataform.codeEditor) has reached General Availability (GA).

Dataform

The Code Owner role (roles/dataform.codeOwner) has reached General Availability (GA).

Dataform

The Code Viewer role (roles/dataform.codeViewer) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

resourcemanager.projects.get
resourcemanager.projects.list

Discovery Engine

The following permissions have been added to the Discovery Engine Editor role (roles/discoveryengine.editor):

resourcemanager.projects.get
resourcemanager.projects.list

Discovery Engine

The following permissions have been added to the Discovery Engine Viewer role (roles/discoveryengine.viewer):

resourcemanager.projects.get
resourcemanager.projects.list

Sensitive Data Protection

The DLP File Store Data Profiles Admin role (roles/dlp.fileStoreProfilesAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP File Store Data Profiles Reader role (roles/dlp.fileStoreProfilesReader) has reached General Availability (GA).

Sensitive Data Protection

The following permissions have been added to the DLP Administrator role (roles/dlp.admin):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dlp.fileStoreProfiles.delete
dlp.tableDataProfiles.delete

Cloud DNS

The Cloud DNS Service Agent role (roles/dns.serviceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

GKE Hub

The Fleet Scope Admin role (roles/gkehub.scopeAdmin) has reached General Availability (GA).

GKE Hub

The Fleet Scope Editor role (roles/gkehub.scopeEditor) has reached General Availability (GA).

GKE Hub

The Fleet Project-level Scope Editor role (roles/gkehub.scopeEditorProjectLevel) has reached General Availability (GA).

GKE Hub

The Fleet Project-level Scope Viewer role (roles/gkehub.scopeViewerProjectLevel) has reached General Availability (GA).

Apache Kafka for BigQuery

The Managed Kafka Service Agent role (roles/managedkafka.serviceAgent) has reached General Availability (GA).

Progressive Rollout

The Progressive Rollout Service Agent role (roles/progressiverollout.serviceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

datamigration.conversionworkspaces.commit

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.vertexTune

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

serviceusage.services.get

Vertex AI

The following permissions have been added:

aiplatform.agentExamples.create
aiplatform.agentExamples.delete
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agentExamples.update
aiplatform.agents.create
aiplatform.agents.delete
aiplatform.agents.get
aiplatform.agents.list
aiplatform.agents.update
aiplatform.apps.create
aiplatform.apps.delete
aiplatform.apps.get
aiplatform.apps.list
aiplatform.apps.update
aiplatform.cacheConfigs.get
aiplatform.cacheConfigs.update
aiplatform.consents.get
aiplatform.consents.update
aiplatform.notebookExecutionJobs.create
aiplatform.notebookExecutionJobs.delete
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.reasoningEngines.create
aiplatform.reasoningEngines.delete
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.reasoningEngines.update
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.run
aiplatform.tuningJobs.cancel
aiplatform.tuningJobs.create
aiplatform.tuningJobs.delete
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
aiplatform.tuningJobs.vertexTune

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.notebookRuntimeTemplates.update

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.export

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.clusters.export

Google Security Operations

The following permissions have been added:

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.logTypeClassifier

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataTableRows.create
chronicle.dataTableRows.delete
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTableRows.replace
chronicle.dataTableRows.update
chronicle.dataTables.create
chronicle.dataTables.delete
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTables.update
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.logTypeClassifier

Cloud Key Management Service

The following permissions have been added:

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update
cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.projects.showEffectiveAutokeyConfig

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list

Contact Center AI Insights

The following permissions are supported in custom roles:

contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list

Developer Connect

The following permissions have been added:

developerconnect.connections.constructGitHubAppManifest
developerconnect.connections.create
developerconnect.connections.delete
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.generateGitHubStateToken
developerconnect.connections.get
developerconnect.connections.list
developerconnect.connections.processGitHubAppCreationCallback
developerconnect.connections.processGitHubOAuthCallback
developerconnect.connections.update
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.cancel
developerconnect.operations.delete
developerconnect.operations.get
developerconnect.operations.list

Developer Connect

The following permissions are supported in custom roles:

developerconnect.connections.constructGitHubAppManifest
developerconnect.connections.create
developerconnect.connections.delete
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.generateGitHubStateToken
developerconnect.connections.get
developerconnect.connections.list
developerconnect.connections.processGitHubAppCreationCallback
developerconnect.connections.processGitHubOAuthCallback
developerconnect.connections.update
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.cancel
developerconnect.operations.delete
developerconnect.operations.get
developerconnect.operations.list

Sensitive Data Protection

The following permissions have been added:

dlp.fileStoreProfiles.delete
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.fileStoreProfiles.delete
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list

GKE Hub

The following permissions have been added:

gke.fleets.create
gke.fleets.delete
gke.fleets.get
gke.fleets.update

reCAPTCHA

The following permissions have been added:

recaptchaenterprise.projectmetadata.get
recaptchaenterprise.projectmetadata.update

Security Command Center

The following permissions have been added:

securitycenter.vulnerabilitysnapshots.list

IAM changes as of 2024-04-26

Service Description
API Hub

The API-Hub Runtime Project Service Agent role (roles/apihub.runtimeProjectServiceAgent) has reached General Availability (GA).

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

resourcemanager.folders.get

Cloud Infrastructure Entitlement Management (CIEM)

The CIEM Service Agent role (roles/ciem.serviceAgent) has reached General Availability (GA).

Cloud Deploy

The Cloud Deploy Custom Target Type Admin role (roles/clouddeploy.customTargetTypeAdmin) has reached General Availability (GA).

Compute Engine

The following permissions have been added to the Compute Instance Admin (beta) role (roles/compute.instanceAdmin):

compute.resourcePolicies.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

compute.resourcePolicies.list

Firebase Data Connect

The Firebase Data Connect Service Agent role (roles/firebasedataconnect.serviceAgent) has reached General Availability (GA).

Cloud OS Config

The following permissions have been added to the Cloud OS Config Service Agent role (roles/osconfig.serviceAgent):

compute.projects.get
compute.projects.setCommonInstanceMetadata
osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

securitycentermanagement.securityCommandCenter.activate

Security Command Center

The following permissions have been added to the Security Center Settings Admin role (roles/securitycenter.settingsAdmin):

securitycentermanagement.securityCommandCenter.activate

Security Command Center

The following permissions have been added to the Security Center Settings Editor role (roles/securitycenter.settingsEditor):

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have been added to the Security Center Management Admin role (roles/securitycentermanagement.admin):

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have been added to the Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor):

securitycentermanagement.securityCommandCenter.activate

API Management

The following permissions have been added:

apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.locations.get
apim.locations.list
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

API Management

The following permissions are supported in custom roles:

apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.locations.get
apim.locations.list
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

Cloud Deploy

The following permissions have reached General Availability (GA):

clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCommandCenter.activate

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCommandCenter.activate

Video Stitcher API

The following permissions have been added:

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

Video Stitcher API

The following permissions are supported in custom roles:

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

Video Stitcher API

The following permissions have reached General Availability (GA):

videostitcher.vodConfigs.create
videostitcher.vodConfigs.delete
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodConfigs.update

IAM changes as of 2024-04-19

Service Description
Vertex AI

The Vertex AI Model Monitoring Service Agent role (roles/aiplatform.modelMonitoringServiceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Admin role (roles/alloydb.admin):

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Viewer role (roles/alloydb.viewer):

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list

API Management

The APIM API Discovery Service Agent role (roles/apim.apiDiscoveryServiceAgent) has been added with the following permissions:

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.googleapis.com/backendServices.create
compute.googleapis.com/backendServices.delete
compute.googleapis.com/backendServices.get
compute.googleapis.com/backendServices.list
compute.googleapis.com/backendServices.update
compute.googleapis.com/backendServices.use
compute.googleapis.com/globalOperations.get
compute.googleapis.com/networks.use
compute.googleapis.com/regionBackendServices.create
compute.googleapis.com/regionBackendServices.delete
compute.googleapis.com/regionBackendServices.get
compute.googleapis.com/regionBackendServices.list
compute.googleapis.com/regionBackendServices.update
compute.googleapis.com/regionBackendServices.use
compute.googleapis.com/regionNetworkEndpointGroups.attachNetworkEndpoints
compute.googleapis.com/regionNetworkEndpointGroups.create
compute.googleapis.com/regionNetworkEndpointGroups.delete
compute.googleapis.com/regionNetworkEndpointGroups.detachNetworkEndpoints
compute.googleapis.com/regionNetworkEndpointGroups.get
compute.googleapis.com/regionNetworkEndpointGroups.list
compute.googleapis.com/regionNetworkEndpointGroups.use
compute.googleapis.com/regionOperations.get
compute.googleapis.com/subnetworks.use
compute.networks.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionOperations.get
compute.subnetworks.use
networkservices.googleapis.com/operations.cancel
networkservices.googleapis.com/operations.delete
networkservices.googleapis.com/operations.get
networkservices.googleapis.com/operations.list
networkservices.googleapis.com/projectLbObservabilityExtensions.create
networkservices.googleapis.com/projectLbObservabilityExtensions.delete
networkservices.googleapis.com/projectLbObservabilityExtensions.get
networkservices.googleapis.com/projectLbObservabilityExtensions.list
networkservices.googleapis.com/projectLbObservabilityExtensions.update
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.projectLbObservabilityExtensions.create
networkservices.projectLbObservabilityExtensions.delete
networkservices.projectLbObservabilityExtensions.get
networkservices.projectLbObservabilityExtensions.list
networkservices.projectLbObservabilityExtensions.update

Assured Open Source Software

The following permissions have been added to the Assured OSS Admin role (roles/assuredoss.admin):

iam.serviceAccountKeys.create
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.list

Assured Open Source Software

The following permissions have been added to the Assured OSS Project Admin role (roles/assuredoss.projectAdmin):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.list

Assured Open Source Software

The following permissions have been added to the Assured OSS Reader role (roles/assuredoss.reader):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Assured Workloads

The following permissions have been added to the Assured Workloads Service Agent role (roles/assuredworkloads.serviceAgent):

orgpolicy.policies.list
orgpolicy.policy.get

Audit Manager

The following permissions have been added to the Audit Manager Admin role (roles/auditmanager.admin):

cloudasset.assets.searchAllResources

Audit Manager

The following permissions have been added to the Audit Manager Auditor role (roles/auditmanager.auditor):

cloudasset.assets.searchAllResources

Compliance Scanning

The Compliance Scanning Service Agent role (roles/compliancescanning.serviceAgent) has reached General Availability (GA).

Cloud Config Manager API

The following permissions have been added to the Cloud Infrastructure Manager Agent role (roles/config.agent):

monitoring.timeSeries.list

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights viewer role (roles/contactcenterinsights.viewer):

contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.databases.list

Dataplex

The Dataplex Catalog Admin role (roles/dataplex.catalogAdmin) has reached General Availability (GA).

Dataplex

The Dataplex Catalog Editor role (roles/dataplex.catalogEditor) has reached General Availability (GA).

Dataplex

The Dataplex Catalog Viewer role (roles/dataplex.catalogViewer) has reached General Availability (GA).

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

aiplatform.extensions.execute
aiplatform.extensions.get

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

alloydb.databases.list
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Service Agent role (roles/edgecontainer.serviceAgent):

serviceusage.services.list

Basic Role

The following permissions have been added to the Editor role (roles/editor):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

serviceusage.services.list

ML Kit for Firebase

The Firebase Machine Learning Service Agent role (roles/firebaseml.serviceAgent) has reached General Availability (GA).

GKE Hub

The Fleet Scope Viewer role (roles/gkehub.scopeViewer) has reached General Availability (GA).

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

contactcenterinsights.feedbackLabels.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

contactcenterinsights.feedbackLabels.list

Cloud OS Config

The Project Feature Settings Editor role (roles/osconfig.projectFeatureSettingsEditor) has reached General Availability (GA).

Cloud OS Config

The Project Feature Settings Viewer role (roles/osconfig.projectFeatureSettingsViewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Owner role (roles/owner):

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

iam.serviceAccountKeys.create
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list

Security Command Center

The following permissions have been added to the Security Center Admin Editor role (roles/securitycenter.adminEditor):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list

Security Command Center

The following permissions have been added to the Security Center Admin Viewer role (roles/securitycenter.adminViewer):

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list

Security Center Management API

The Security Center Management Admin role (roles/securitycentermanagement.admin) has reached General Availability (GA).

Security Center Management API

The Security Center Management Settings Editor role (roles/securitycentermanagement.settingsEditor) has reached General Availability (GA).

Security Center Management API

The Security Center Management Settings Viewer role (roles/securitycentermanagement.settingsViewer) has reached General Availability (GA).

Security Center Management API

The Security Center Management Viewer role (roles/securitycentermanagement.viewer) has reached General Availability (GA).

Service Networking

The following permissions have been added to the Service Networking Service Agent role (roles/servicenetworking.serviceAgent):

networkconnectivity.internalRanges.list

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list

Cloud AI Companion API

The following permissions have been added:

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText

Cloud AI Companion API

The following permissions are supported in custom roles:

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText

Compute Engine

The following permissions have reached General Availability (GA):

compute.nodeGroups.performMaintenance

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.feedbackLabels.create
contactcenterinsights.feedbackLabels.delete
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.feedbackLabels.update

Google Kubernetes Engine

The following permissions have been added:

container.clusters.connect

Google Kubernetes Engine

The following permissions have reached General Availability (GA):

container.clusters.connect

Database Center

The following permissions have been added:

databasecenter.fleetHealthStats.list
databasecenter.fleetStats.list
databasecenter.locations.list
databasecenter.products.list
databasecenter.resourceGroups.list
databasecenter.userLabels.list

Database Center

The following permissions are supported in custom roles:

databasecenter.fleetHealthStats.list
databasecenter.fleetStats.list
databasecenter.locations.list
databasecenter.products.list
databasecenter.resourceGroups.list
databasecenter.userLabels.list

Dataproc

The following permissions have been added:

dataproc.batches.analyze

Dataproc

The following permissions are supported in custom roles:

dataproc.batches.analyze

Dataproc

The following permissions have reached General Availability (GA):

dataproc.batches.analyze

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.dataStores.update
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.engines.update
discoveryengine.servingConfigs.recommend

Identity and Access Management

The following permissions have been added:

iam.oauthClientCredentials.create
iam.oauthClientCredentials.delete
iam.oauthClientCredentials.get
iam.oauthClientCredentials.list
iam.oauthClientCredentials.update
iam.oauthClients.create
iam.oauthClients.delete
iam.oauthClients.get
iam.oauthClients.list
iam.oauthClients.undelete
iam.oauthClients.update

Identity and Access Management

The following permissions are supported in custom roles:

iam.oauthClientCredentials.create
iam.oauthClientCredentials.delete
iam.oauthClientCredentials.get
iam.oauthClientCredentials.list
iam.oauthClientCredentials.update
iam.oauthClients.create
iam.oauthClients.delete
iam.oauthClients.get
iam.oauthClients.list
iam.oauthClients.undelete
iam.oauthClients.update

Identity and Access Management

The following permissions have been added:

iam.googleapis.com/oauthClientCredentials.create
iam.googleapis.com/oauthClientCredentials.delete
iam.googleapis.com/oauthClientCredentials.get
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClientCredentials.update
iam.googleapis.com/oauthClients.create
iam.googleapis.com/oauthClients.delete
iam.googleapis.com/oauthClients.get
iam.googleapis.com/oauthClients.list
iam.googleapis.com/oauthClients.undelete
iam.googleapis.com/oauthClients.update

Identity and Access Management

The following permissions are supported in custom roles:

iam.googleapis.com/oauthClientCredentials.create
iam.googleapis.com/oauthClientCredentials.delete
iam.googleapis.com/oauthClientCredentials.get
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClientCredentials.update
iam.googleapis.com/oauthClients.create
iam.googleapis.com/oauthClients.delete
iam.googleapis.com/oauthClients.get
iam.googleapis.com/oauthClients.list
iam.googleapis.com/oauthClients.undelete
iam.googleapis.com/oauthClients.update

Cloud Logging

The following permissions have been added:

logging.views.getIamPolicy
logging.views.setIamPolicy

Cloud Logging

The following permissions have reached General Availability (GA):

logging.views.getIamPolicy
logging.views.setIamPolicy

Cloud OS Config

The following permissions have been added:

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Cloud OS Config

The following permissions have reached General Availability (GA):

osconfig.projectFeatureSettings.get
osconfig.projectFeatureSettings.update

Recommender

The following permissions have been added:

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceInsights.update
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterPerformanceRecommendations.update
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityInsights.update
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbClusterReliabilityRecommendations.update
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityInsights.update
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
recommender.alloydbInstanceSecurityRecommendations.update

Security Center Management API

The following permissions have been added:

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update

IAM changes as of 2024-03-29

Service Description
Vertex AI

The Vertex AI Extension Custom Code Service Agent role (roles/aiplatform.extensionCustomCodeServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Rapid Eval Service Agent role (roles/aiplatform.rapidevalServiceAgent) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent):

iam.serviceAccounts.actAs

Vertex AI

The following permissions have been added to the Vertex AI Extension Service Agent role (roles/aiplatform.extensionServiceAgent):

serviceusage.services.use

Vertex AI

The following permissions have been added to the Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent):

aiplatform.locations.get

API Hub

The API hub attribute admin role (roles/apihub.attributeAdmin) has been added with the following permissions:

apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.googleapis.com/attributes.create
apihub.googleapis.com/attributes.delete
apihub.googleapis.com/attributes.get
apihub.googleapis.com/attributes.list
apihub.googleapis.com/attributes.update
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

API Hub

The API hub plugin admin role (roles/apihub.pluginAdmin) has been added with the following permissions:

apihub.googleapis.com/plugins.disable
apihub.googleapis.com/plugins.enable
apihub.googleapis.com/plugins.get
apihub.googleapis.com/plugins.list
apihub.googleapis.com/specs.lint
apihub.googleapis.com/styleGuides.get
apihub.googleapis.com/styleGuides.update
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

API Hub

The API hub all permissions related to provisioning role (roles/apihub.provisioningAdmin) has been added with the following permissions:

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.googleapis.com/apiHubInstances.create
apihub.googleapis.com/apiHubInstances.delete
apihub.googleapis.com/apiHubInstances.get
apihub.googleapis.com/apiHubInstances.list
apihub.googleapis.com/hostProjectRegistrations.create
apihub.googleapis.com/hostProjectRegistrations.delete
apihub.googleapis.com/hostProjectRegistrations.get
apihub.googleapis.com/hostProjectRegistrations.list
apihub.googleapis.com/hostProjectRegistrations.register
apihub.googleapis.com/runTimeProjectAttachments.attach
apihub.googleapis.com/runTimeProjectAttachments.create
apihub.googleapis.com/runTimeProjectAttachments.delete
apihub.googleapis.com/runTimeProjectAttachments.get
apihub.googleapis.com/runTimeProjectAttachments.list
apihub.googleapis.com/runTimeProjectAttachments.lookup
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

Assured Open Source Software

The Assured OSS Admin role (roles/assuredoss.admin) has reached General Availability (GA).

Assured Open Source Software

The Assured OSS Reader role (roles/assuredoss.reader) has reached General Availability (GA).

Assured Open Source Software

The Assured OSS User role (roles/assuredoss.user) has reached General Availability (GA).

Google Security Operations

The following permissions have been removed from the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.riskConfigs.get
chronicle.watchlists.get
chronicle.watchlists.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.databases.delete
cloudsql.databases.get
serviceusage.services.use

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

storage.buckets.getIamPolicy
storage.buckets.setIamPolicy

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

gkehub.endpoints.connect
gkehub.features.create
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.get
gkehub.locations.list
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list
serviceusage.services.list

Basic Role

The following permissions have been added to the Editor role (roles/editor):

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.lint
apihub.styleGuides.get
apihub.styleGuides.update

Privileged Access Manager

The Privileged Access Manager Service Agent role (roles/privilegedaccessmanager.serviceAgent) has reached General Availability (GA).

Cloud Run

The following permissions have been removed from the Cloud Run Invoker role (roles/run.invoker):

run.executions.cancel

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.attributes.get
apihub.attributes.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.externalApis.get
apihub.externalApis.list
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.styleGuides.get

API Hub

The following permissions have been added:

apihub.apiHubInstances.create
apihub.apiHubInstances.delete
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apiOperations.update
apihub.apis.create
apihub.apis.delete
apihub.apis.get
apihub.apis.list
apihub.apis.update
apihub.attributes.create
apihub.attributes.delete
apihub.attributes.get
apihub.attributes.list
apihub.attributes.update
apihub.definitions.get
apihub.definitions.list
apihub.definitions.update
apihub.dependencies.create
apihub.dependencies.delete
apihub.dependencies.get
apihub.dependencies.list
apihub.dependencies.update
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.get
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.create
apihub.externalApis.delete
apihub.externalApis.get
apihub.externalApis.list
apihub.externalApis.update
apihub.hostProjectRegistrations.create
apihub.hostProjectRegistrations.delete
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.hostProjectRegistrations.register
apihub.llmEnablements.deregister
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.llmEnablements.register
apihub.locations.searchResources
apihub.locations2.searchResources
apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list
apihub.plugins.disable
apihub.plugins.enable
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.attach
apihub.runTimeProjectAttachments.create
apihub.runTimeProjectAttachments.delete
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.runTimeProjectAttachments.lookup
apihub.specs.create
apihub.specs.delete
apihub.specs.get
apihub.specs.lint
apihub.specs.list
apihub.specs.update
apihub.styleGuides.get
apihub.styleGuides.update
apihub.versions.create
apihub.versions.delete
apihub.versions.get
apihub.versions.list
apihub.versions.update

API Hub

The following permissions are supported in custom roles:

apihub.apis.create
apihub.apis.delete
apihub.apis.get
apihub.apis.list
apihub.apis.update
apihub.operations.cancel
apihub.operations.delete
apihub.operations.get
apihub.operations.list
apihub.specs.create
apihub.specs.delete
apihub.specs.get
apihub.specs.list
apihub.specs.update
apihub.versions.create
apihub.versions.delete
apihub.versions.get
apihub.versions.list
apihub.versions.update

Artifact Registry

The following permissions have been added:

artifactregistry.files.delete

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.delete

Assured Open Source Software

The following permissions have reached General Availability (GA):

assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Google Security Operations

The following permissions have been added:

chronicle.instances.generateWorkspaceConnectionToken

Google Security Operations

The following permissions are supported in custom roles:

chronicle.instances.generateWorkspaceConnectionToken

Commerce Org Governance

The following permissions have been added:

commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.services.get
commerceorggovernance.services.request

Commerce Org Governance

The following permissions are supported in custom roles:

commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.services.get
commerceorggovernance.services.request

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.zones.create
gdchardwaremanagement.zones.delete
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
gdchardwaremanagement.zones.update

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.zones.create
gdchardwaremanagement.zones.delete
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
gdchardwaremanagement.zones.update

Privileged Access Manager

The following permissions have been added:

privilegedaccessmanager.locations.checkOnboardingStatus

Privileged Access Manager

The following permissions are supported in custom roles:

privilegedaccessmanager.locations.checkOnboardingStatus

Security Posture API

The following permissions have been added:

securityposture.reports.get
securityposture.reports.list

Security Posture API

The following permissions are supported in custom roles:

securityposture.reports.get
securityposture.reports.list

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.reports.get
securityposture.reports.list

IAM changes as of 2024-03-22

Service Description
Vertex AI

The Vertex AI Extension Service Agent role (roles/aiplatform.extensionServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Reasoning Engine Service Agent role (roles/aiplatform.reasoningEngineServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI Tuning Service Agent role (roles/aiplatform.tuningServiceAgent) has reached General Availability (GA).

BigQuery

The BigQuery Studio Admin role (roles/bigquery.studioAdmin) has reached General Availability (GA).

BigQuery

The BigQuery Studio User role (roles/bigquery.studioUser) has reached General Availability (GA).

Google Security Operations

The Chronicle SOAR Service Agent role (roles/chronicle.soarServiceAgent) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

spanner.databases.useDataBoost

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

compute.regionSslPolicies.use

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

aiplatform.extensions.execute

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.machineImages.create
compute.machineImages.get

Vertex AI

The following permissions have been added:

aiplatform.extensions.delete
aiplatform.extensions.execute
aiplatform.extensions.get
aiplatform.extensions.import
aiplatform.extensions.list
aiplatform.extensions.update

Assured Open Source Software

The following permissions have been added:

assuredoss.customers.create

Assured Open Source Software

The following permissions are supported in custom roles:

assuredoss.customers.create

Bigtable

The following permissions have been added:

bigtable.authorizedViews.create
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.delete
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.get
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.authorizedViews.setIamPolicy
bigtable.authorizedViews.update

Bigtable

The following permissions have reached General Availability (GA):

bigtable.authorizedViews.create
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.delete
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.get
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.authorizedViews.setIamPolicy
bigtable.authorizedViews.update

Cloud SQL

The following permissions have been added:

cloudsql.instances.executeSql

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.instances.executeSql

Compute Engine

The following permissions have been added:

compute.routers.deleteRoutePolicy
compute.routers.getRoutePolicy
compute.routers.listBgpRoutes
compute.routers.listRoutePolicies
compute.routers.updateRoutePolicy

Dataproc Metastore

The following permissions have been added:

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

Dataproc Metastore

The following permissions are supported in custom roles:

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

Recommender

The following permissions have been added:

recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewInsights.update
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryMaterializedViewRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewInsights.update
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryMaterializedViewRecommendations.update

IAM changes as of 2024-03-15

Service Description
Vertex AI

The Vertex AI Colab Service Agent role (roles/aiplatform.colabServiceAgent) has reached General Availability (GA).

Vertex AI

The Vertex AI RAG Data Service Agent role (roles/aiplatform.ragServiceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Admin role (roles/alloydb.admin):

cloudaicompanion.entitlements.get

AlloyDB for PostgreSQL

The following permissions have been added to the Cloud AlloyDB Viewer role (roles/alloydb.viewer):

cloudaicompanion.entitlements.get

Assured Open Source Software

The following permissions have been added to the Assured OSS Admin role (roles/assuredoss.admin):

iam.serviceAccounts.create
iam.serviceAccounts.get
serviceusage.services.enable
serviceusage.services.get

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Backup User role (roles/backupdr.backupUser):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Mount User role (roles/backupdr.mountUser):

backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Restore User role (roles/backupdr.restoreUser):

backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR User V2 role (roles/backupdr.userv2):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection

Google Security Operations

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats
chronicle.multitenantDirectories.get
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.verifyReferenceList

Cloud Config Manager API

The following permissions have been added to the Cloud Infrastructure Manager Agent role (roles/config.agent):

cloudquotas.quotas.get

Container Security

The following permissions have been added to the GKE Security Posture Viewer role (roles/containersecurity.viewer):

container.clusters.list

Database Migration Service

The following permissions have been added to the Database Migration Admin role (roles/datamigration.admin):

cloudaicompanion.entitlements.get

Dialogflow

The following permissions have been added to the Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient):

dialogflow.messages.list

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

datastore.databases.getMetadata

Distributed Cloud Edge Container

The following permissions have been removed from the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

gkehub.endpoints.connect
gkehub.features.create
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.get
gkehub.locations.list
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list
serviceusage.services.list

Security Command Center

The following permissions have been added to the Security Center Admin role (roles/securitycenter.admin):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
iam.serviceAccounts.create
iam.serviceAccounts.get
serviceusage.services.enable

Security Command Center

The following permissions have been added to the Security Center Admin Editor role (roles/securitycenter.adminEditor):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list

Security Command Center

The following permissions have been added to the Security Center Admin Viewer role (roles/securitycenter.adminViewer):

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list

Cloud Storage

The Storage Folder Admin role (roles/storage.folderAdmin) has reached General Availability (GA).

Backup and Disaster Recovery

The following permissions have been added:

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions are supported in custom roles:

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

Backup and Disaster Recovery

The following permissions have reached General Availability (GA):

backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.listDynamicProtection

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/bireservations.get
bigqueryreservation.googleapis.com/bireservations.update

Google Security Operations

The following permissions have been added:

chronicle.bigQueryAccess.provide
chronicle.dataExports.cancel
chronicle.dataExports.create
chronicle.dataExports.fetchLogTypesAvailableForExport
chronicle.dataExports.get
chronicle.dataTaps.create
chronicle.dataTaps.delete
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.dataTaps.update
chronicle.feeds.generateSecret
chronicle.instances.generateSoarAuthJwt
chronicle.instances.soarAdmin
chronicle.instances.soarThreatManager
chronicle.instances.soarVulnerabilityManager
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Google Security Operations

The following permissions are supported in custom roles:

chronicle.bigQueryAccess.provide
chronicle.dataExports.cancel
chronicle.dataExports.create
chronicle.dataExports.fetchLogTypesAvailableForExport
chronicle.dataExports.get
chronicle.dataTaps.create
chronicle.dataTaps.delete
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.dataTaps.update
chronicle.feeds.generateSecret
chronicle.iocMatches.get
chronicle.iocMatches.list
chronicle.iocState.get
chronicle.iocState.update
chronicle.iocs.batchGet
chronicle.iocs.findFirstAndLastSeen
chronicle.iocs.get
chronicle.iocs.searchCuratedDetectionsForIoc
chronicle.legacies.legacyGetEventForDetection
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchIngestionStats

Compute Engine

The following permissions have been added:

compute.projects.setCloudArmorTier
compute.storagePools.setIamPolicy
compute.storagePools.use

Compute Engine

The following permissions are supported in custom roles:

compute.storagePools.use

Compute Engine

The following permissions have reached General Availability (GA):

compute.instanceSettings.get
compute.instanceSettings.update
compute.projects.setCloudArmorTier
compute.storagePools.setIamPolicy
compute.storagePools.use

Discovery Engine

The following permissions have been added:

discoveryengine.schemas.preview
discoveryengine.schemas.validate

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.schemas.preview
discoveryengine.schemas.validate

GKE Hub

The following permissions have been added:

gkehub.scopes.listBoundMemberships

GKE Hub

The following permissions are supported in custom roles:

gkehub.scopes.listBoundMemberships

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.scopes.listBoundMemberships

Google Cloud Migration Center

The following permissions have been added:

migrationcenter.discoveryClients.create
migrationcenter.discoveryClients.delete
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.list
migrationcenter.discoveryClients.sendHeartbeat
migrationcenter.discoveryClients.update

Privileged Access Manager

The following permissions have been added:

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.approve
privilegedaccessmanager.grants.create
privilegedaccessmanager.grants.deny
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Privileged Access Manager

The following permissions are supported in custom roles:

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

Cloud Storage

The following permissions have been added:

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

Cloud Storage

The following permissions are supported in custom roles:

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

Cloud Storage

The following permissions have reached General Availability (GA):

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Workload Manager

The following permissions have been added:

workloadmanager.insights.export

IAM changes as of 2024-03-08

Service Description
Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get

Assured Open Source Software

The Assured OSS Project Admin role (roles/assuredoss.projectAdmin) has been added with the following permissions:

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.googleapis.com/dockerimages.get
artifactregistry.googleapis.com/dockerimages.list
artifactregistry.googleapis.com/files.download
artifactregistry.googleapis.com/files.get
artifactregistry.googleapis.com/files.list
artifactregistry.googleapis.com/locations.get
artifactregistry.googleapis.com/locations.list
artifactregistry.googleapis.com/mavenartifacts.get
artifactregistry.googleapis.com/mavenartifacts.list
artifactregistry.googleapis.com/npmpackages.get
artifactregistry.googleapis.com/npmpackages.list
artifactregistry.googleapis.com/packages.get
artifactregistry.googleapis.com/packages.list
artifactregistry.googleapis.com/projectsettings.get
artifactregistry.googleapis.com/pythonpackages.get
artifactregistry.googleapis.com/pythonpackages.list
artifactregistry.googleapis.com/repositories.create
artifactregistry.googleapis.com/repositories.downloadArtifacts
artifactregistry.googleapis.com/repositories.get
artifactregistry.googleapis.com/repositories.list
artifactregistry.googleapis.com/repositories.listEffectiveTags
artifactregistry.googleapis.com/repositories.listTagBindings
artifactregistry.googleapis.com/repositories.readViaVirtualRepository
artifactregistry.googleapis.com/rules.get
artifactregistry.googleapis.com/rules.list
artifactregistry.googleapis.com/tags.get
artifactregistry.googleapis.com/tags.list
artifactregistry.googleapis.com/versions.get
artifactregistry.googleapis.com/versions.list
artifactregistry.googleapis.com/vpcscconfigs.get
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.vpcscconfigs.get
assuredoss.config.get
assuredoss.customers.create
assuredoss.googleapis.com/config.get
assuredoss.googleapis.com/customers.create
assuredoss.googleapis.com/locations.get
assuredoss.googleapis.com/locations.list
assuredoss.googleapis.com/metadata.get
assuredoss.googleapis.com/metadata.list
assuredoss.googleapis.com/operations.cancel
assuredoss.googleapis.com/operations.delete
assuredoss.googleapis.com/operations.get
assuredoss.googleapis.com/operations.list
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
iam.googleapis.com/serviceAccounts.create
iam.googleapis.com/serviceAccounts.get
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.googleapis.com/services.enable
serviceusage.googleapis.com/services.get
serviceusage.services.enable
serviceusage.services.get

BigQuery Continuous Query

The BigQuery Continuous Query Service Agent role (roles/bigquerycontinuousquery.serviceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Editor role (roles/cloudcontrolspartner.editor) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Inspectability Reader role (roles/cloudcontrolspartner.inspectabilityReader) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Monitoring Reader role (roles/cloudcontrolspartner.monitoringReader) has reached General Availability (GA).

Cloud Controls Partner API

The Cloud Controls Partner Reader role (roles/cloudcontrolspartner.reader) has reached General Availability (GA).

Cloud Deployment Manager

The Cloud Deployment Manager Service Agent role (roles/clouddeploymentmanager.serviceAgent) has reached General Availability (GA).

Cloud SQL

The following permissions have been added to the Cloud SQL Admin role (roles/cloudsql.admin):

cloudaicompanion.entitlements.get

Cloud SQL

The following permissions have been added to the Cloud SQL Editor role (roles/cloudsql.editor):

cloudaicompanion.entitlements.get

Cloud SQL

The following permissions have been added to the Cloud SQL Viewer role (roles/cloudsql.viewer):

cloudaicompanion.entitlements.get

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

cloudaicompanion.entitlements.get

Route Optimization

The Route Optimization Service Agent role (roles/routeoptimization.serviceAgent) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.clusters.promote

Apigee

The following permissions have been added:

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Apigee

The following permissions are supported in custom roles:

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Apigee

The following permissions have reached General Availability (GA):

apigee.securityFeedback.create
apigee.securityFeedback.delete
apigee.securityFeedback.get
apigee.securityFeedback.list

Cloud Controls Partner API

The following permissions have reached General Availability (GA):

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partnerpermissions.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list

Compute Engine

The following permissions have been added:

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Compute Engine

The following permissions are supported in custom roles:

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Compute Engine

The following permissions have reached General Availability (GA):

compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings

Cloud Config Manager API

The following permissions have been added:

config.terraformversions.get
config.terraformversions.list

Cloud Config Manager API

The following permissions are supported in custom roles:

config.terraformversions.get
config.terraformversions.list

Database Insights

The following permissions have been added:

databaseinsights.activeQueries.fetch
databaseinsights.activeQuery.terminate
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedEvents.query
databaseinsights.aggregatedStats.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
databaseinsights.locations.get
databaseinsights.locations.list
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch

Database Insights

The following permissions are supported in custom roles:

databaseinsights.activeQueries.fetch
databaseinsights.activeQuery.terminate
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedEvents.query
databaseinsights.aggregatedStats.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
databaseinsights.locations.get
databaseinsights.locations.list
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch

Sensitive Data Protection

The following permissions have been added:

dlp.charts.get

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.charts.get

Backup for GKE

The following permissions have been added:

gkebackup.backups.getBackupIndex

Backup for GKE

The following permissions have reached General Availability (GA):

gkebackup.backups.getBackupIndex

Cloud Run

The following permissions have been added:

run.executions.cancel

Cloud Run

The following permissions have reached General Availability (GA):

run.executions.cancel

IAM changes as of 2024-03-01

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

resourcemanager.organizations.get

Cloud Functions

The following permissions have been added to the Cloud Functions Admin role (roles/cloudfunctions.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Developer role (roles/cloudfunctions.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Functions

The following permissions have been added to the Cloud Functions Viewer role (roles/cloudfunctions.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Compute Engine

The following permissions have been added to the Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin):

compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list

Dataplex

The Dataplex Aspect Type Owner role (roles/dataplex.aspectTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Aspect Type User role (roles/dataplex.aspectTypeUser) has reached General Availability (GA).

Dataplex

The Dataplex Entry Group Owner role (roles/dataplex.entryGroupOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Owner role (roles/dataplex.entryOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type Owner role (roles/dataplex.entryTypeOwner) has reached General Availability (GA).

Dataplex

The Dataplex Entry Type User role (roles/dataplex.entryTypeUser) has reached General Availability (GA).

Dataplex

The following permissions have been removed from the Dataplex Administrator role (roles/dataplex.admin):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Editor role (roles/dataplex.editor):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update

Dataplex

The following permissions have been removed from the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.list

Dataplex

The following permissions have been removed from the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use

Dataplex

The following permissions have been removed from the Dataplex Viewer role (roles/dataplex.viewer):

dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

alloydb.instances.get
alloydb.operations.get
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.operations.get
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.sessions.create

Firebase

The following permissions have been added to the Firebase Admin role (roles/firebase.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Admin role (roles/firebase.developAdmin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Firebase

The following permissions have been added to the Firebase Develop Viewer role (roles/firebase.developViewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Firebase

The following permissions have been added to the Firebase Viewer role (roles/firebase.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Cloud Run

The following permissions have been added to the Cloud Run Admin role (roles/run.admin):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Developer role (roles/run.developer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Cloud Run

The following permissions have been added to the Cloud Run Viewer role (roles/run.viewer):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list

Security Command Center

The Attack Surface Management Scanner Service Agent role (roles/securitycenter.attackSurfaceManagementScannerServiceAgent) has reached General Availability (GA).

BigQuery

The following permissions have been added:

bigquery.tables.setColumnDataPolicy

Bigtable

The following permissions have been added:

bigtable.instances.executeQuery

Bigtable

The following permissions are supported in custom roles:

bigtable.instances.executeQuery

Cloud Controls Partner API

The following permissions have been added:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Cloud Controls Partner API

The following permissions are supported in custom roles:

cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.partnerpermissions.get

Dataplex

The following permissions have been added:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions are supported in custom roles:

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Dataplex

The following permissions have reached General Availability (GA):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

Recommender

The following permissions have been added:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Recommender

The following permissions have reached General Availability (GA):

recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceInsights.update
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServicePerformanceRecommendations.update

Security Posture API

The following permissions have been added:

securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.reports.create

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.reports.create

IAM changes as of 2024-02-23

Service Description
App Hub

The App Hub Admin role (roles/apphub.admin) has reached General Availability (GA).

App Hub

The App Hub Editor role (roles/apphub.editor) has reached General Availability (GA).

App Hub

The App Hub Viewer role (roles/apphub.viewer) has reached General Availability (GA).

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.autoscalers.list
compute.globalForwardingRules.list
compute.instanceGroupManagers.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionUrlMaps.list
compute.urlMaps.list
container.clusters.list
monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.list
storage.buckets.get

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.instances.listEffectiveTags

Cloud SQL

The Cloud SQL Schema Viewer role (roles/cloudsql.schemaViewer) has reached General Availability (GA).

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent):

resourcemanager.folders.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent):

resourcemanager.organizations.get

Privileged Access Manager

The following permissions have been added to the Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent):

resourcemanager.projects.get

Recommender

The RecentChange RecommenderConfig Admin role (roles/recommender.recentChangeConfigAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Admin role (roles/recommender.recentchangeriskAdmin) has reached General Availability (GA).

Recommender

The Recent Change Risk Recommender Viewer role (roles/recommender.recentchangeriskViewer) has reached General Availability (GA).

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings

App Hub

The following permissions have reached General Availability (GA):

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Cloud SQL

The following permissions have been added:

cloudsql.schemas.view

Cloud SQL

The following permissions have reached General Availability (GA):

cloudsql.schemas.view

Compute Engine

The following permissions have been added:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions are supported in custom roles:

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.update

Recommender

The following permissions have been added:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Recommender

The following permissions have reached General Availability (GA):

recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeInsights.update
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.cloudRecentChangeRecommendations.update
recommender.cloudRecentChangeRecommenderConfig.get
recommender.cloudRecentChangeRecommenderConfig.update

Cloud Storage

The following permissions have been added:

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

Cloud Storage

The following permissions have reached General Availability (GA):

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.restore
storage.objects.restore

IAM changes as of 2024-02-16

Service Description
Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

compute.vpnGateways.list
logging.buckets.list
serviceusage.services.get
storage.buckets.getIamPolicy

BigQuery

The following permissions have been added to the BigQuery Admin role (roles/bigquery.admin):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

BigQuery

The following permissions have been added to the BigQuery Job User role (roles/bigquery.jobUser):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery

The following permissions have been added to the BigQuery User role (roles/bigquery.user):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.regionOperations.get
compute.subnetworks.use
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataflow

The following permissions have been added to the Cloud Dataflow Service Agent role (roles/dataflow.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Cloud Data Fusion

The following permissions have been added to the Cloud Data Fusion API Service Agent role (roles/datafusion.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dataprep by Trifacta

The following permissions have been added to the Dataprep Service Agent role (roles/dataprep.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Sensitive Data Protection

The following permissions have been added to the DLP API Service Agent role (roles/dlp.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Enterprise Knowledge Graph

The following permissions have been added to the Enterprise Knowledge Graph Service Agent role (roles/enterpriseknowledgegraph.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

FleetEngine

The following permissions have been added to the FleetEngine Service Agent role (roles/fleetengine.serviceAgent):

dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.list

Security Posture API

The following permissions have been added to the Security Posture Shift-Left Validator role (roles/securityposture.reportCreator):

securityposture.operations.get

Google Security Operations

The following permissions have been added:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Google Security Operations

The following permissions are supported in custom roles:

chronicle.events.searchRawLogs
chronicle.logTypes.list

Firebase Test Lab

The following permissions have been added:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Firebase Test Lab

The following permissions are supported in custom roles:

cloudtestservice.devicesession.cancel
cloudtestservice.devicesession.create
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
cloudtestservice.devicesession.update
cloudtestservice.devicesession.use

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.import

Discovery Engine

The following permissions have been added:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.collections.delete
discoveryengine.collections.get
discoveryengine.collections.list

IAM changes as of 2024-02-09

Service Description
Advisory Notifications

The Advisory Notifications Admin role (roles/advisorynotifications.admin) has reached General Availability (GA).

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

App Engine

The following permissions have been added to the App Engine Code Viewer role (roles/appengine.codeViewer):

appengine.applications.listRuntimes

Audit Manager

The following permissions have been added to the Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent):

cloudsql.instances.list
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
orgpolicy.policy.get
storage.buckets.list

Advisory Notifications

The following permissions have reached General Availability (GA):

advisorynotifications.settings.get
advisorynotifications.settings.update

App Engine

The following permissions have been added:

appengine.applications.listRuntimes

App Engine

The following permissions have reached General Availability (GA):

appengine.applications.listRuntimes

Artifact Registry

The following permissions have been added:

artifactregistry.files.download

Artifact Registry

The following permissions have reached General Availability (GA):

artifactregistry.files.download

Cloud Deploy

The following permissions have been added:

clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.setIamPolicy

Cloud Composer

The following permissions have been added:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions are supported in custom roles:

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Cloud Composer

The following permissions have reached General Availability (GA):

composer.userworkloadsconfigmaps.create
composer.userworkloadsconfigmaps.delete
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadsconfigmaps.update
composer.userworkloadssecrets.create
composer.userworkloadssecrets.delete
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
composer.userworkloadssecrets.update

Dialogflow

The following permissions have been added:

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.encryptionspec.get
dialogflow.encryptionspec.update
dialogflow.examples.create
dialogflow.examples.delete
dialogflow.examples.get
dialogflow.examples.list
dialogflow.examples.update
dialogflow.playbooks.create
dialogflow.playbooks.delete
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.playbooks.update
dialogflow.tools.create
dialogflow.tools.delete
dialogflow.tools.get
dialogflow.tools.list
dialogflow.tools.update

IAM changes as of 2024-02-02

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.dataAccessScopes.list

Google Security Operations

The following permissions have been added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.dataAccessScopes.list

Cloud Key Management Service

The Cloud KMS KACLS Service Agent role (roles/cloudkmskacls.serviceAgent) has reached General Availability (GA).

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

firebaseabt.experiments.delete

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

Workload Manager

The following permissions have been added to the Workload Manager Deployment Admin role (roles/workloadmanager.deploymentAdmin):

dns.managedZones.list
resourcemanager.projects.getIamPolicy
storage.objects.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.databases.list

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.databases.list

Audit Manager

The following permissions have been added:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Audit Manager

The following permissions are supported in custom roles:

auditmanager.auditReports.generate
auditmanager.auditScopeReports.generate
auditmanager.locations.enrollResource
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.get
auditmanager.operations.list

Google Security Operations

The following permissions have been added:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.entities.batchCreate
chronicle.entities.batchDelete
chronicle.entities.batchValidate
chronicle.entities.create
chronicle.entities.delete
chronicle.entities.list
chronicle.entities.modifyEntityRiskScore
chronicle.operations.streamSearch
chronicle.watchlists.create
chronicle.watchlists.delete
chronicle.watchlists.get
chronicle.watchlists.list
chronicle.watchlists.update

IAM changes as of 2024-01-26

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store Resource Viewer role (roles/aiplatform.featurestoreResourceViewer):

aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.get
aiplatform.featureViewSyncs.list
aiplatform.featureViews.get
aiplatform.featureViews.list

Audit Manager

The Audit Manager Auditing Service Agent role (roles/auditmanager.serviceAgent) has reached General Availability (GA).

Cloud AI Companion API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

cloudaicompanion.entitlements.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.models.get
run.jobs.run
run.routes.invoke

Sensitive Data Protection

The following permissions have been added to the DLP Administrator role (roles/dlp.admin):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update
resourcemanager.projects.get
resourcemanager.projects.list

Sensitive Data Protection

The following permissions have been added to the DLP Organization Data Profiles Driver role (roles/dlp.orgdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Sensitive Data Protection

The following permissions have been added to the DLP Project Data Profiles Driver role (roles/dlp.projectdriver):

cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update
dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

Distributed Cloud Edge Container

The following permissions have been added to the Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent):

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

cloudaicompanion.entitlements.get

Basic Role

The following permissions have been added to the Owner role (roles/owner):

cloudaicompanion.entitlements.get

Policy Simulator

The following permissions have been added to the OrgPolicy Simulator Admin role (roles/policysimulator.orgPolicyAdmin):

cloudasset.assets.analyzeOrgPolicy

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

cloudaicompanion.entitlements.get

Google Cloud VMware Engine

The following permissions have been added to the VMware Engine Service Agent role (roles/vmwareengine.serviceAgent):

vmwareengine.nodes.get
vmwareengine.nodes.list

AlloyDB for PostgreSQL

The following permissions have been added:

alloydb.instances.executeSql

AlloyDB for PostgreSQL

The following permissions are supported in custom roles:

alloydb.instances.executeSql

Cloud AI Companion API

The following permissions have been added:

cloudaicompanion.entitlements.get

Discovery Engine

The following permissions have been added:

discoveryengine.branches.get
discoveryengine.branches.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.documentProcessingConfigs.get
discoveryengine.documentProcessingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus

Retail API

The following permissions have been added:

retail.catalogs.exportAnalyticsMetrics

IAM changes as of 2024-01-19

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Feature Store EntityType owner role (roles/aiplatform.entityTypeOwner):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Admin role (roles/aiplatform.featurestoreAdmin):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Viewer role (roles/aiplatform.featurestoreDataViewer):

aiplatform.featureViews.searchNearestEntities

Vertex AI

The following permissions have been added to the Vertex AI Feature Store Data Writer role (roles/aiplatform.featurestoreDataWriter):

aiplatform.featureViews.searchNearestEntities

Artifact Registry

The following permissions have been added to the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent):

artifactregistry.repositories.get

Assured Open Source Software

The Assured OSS User role (roles/assuredoss.user) has been added with the following permissions:

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.googleapis.com/dockerimages.get
artifactregistry.googleapis.com/dockerimages.list
artifactregistry.googleapis.com/files.download
artifactregistry.googleapis.com/files.get
artifactregistry.googleapis.com/files.list
artifactregistry.googleapis.com/locations.get
artifactregistry.googleapis.com/locations.list
artifactregistry.googleapis.com/mavenartifacts.get
artifactregistry.googleapis.com/mavenartifacts.list
artifactregistry.googleapis.com/npmpackages.get
artifactregistry.googleapis.com/npmpackages.list
artifactregistry.googleapis.com/packages.get
artifactregistry.googleapis.com/packages.list
artifactregistry.googleapis.com/projectsettings.get
artifactregistry.googleapis.com/pythonpackages.get
artifactregistry.googleapis.com/pythonpackages.list
artifactregistry.googleapis.com/repositories.downloadArtifacts
artifactregistry.googleapis.com/repositories.get
artifactregistry.googleapis.com/repositories.list
artifactregistry.googleapis.com/repositories.listEffectiveTags
artifactregistry.googleapis.com/repositories.listTagBindings
artifactregistry.googleapis.com/repositories.readViaVirtualRepository
artifactregistry.googleapis.com/tags.get
artifactregistry.googleapis.com/tags.list
artifactregistry.googleapis.com/versions.get
artifactregistry.googleapis.com/versions.list
artifactregistry.googleapis.com/vpcscconfigs.get
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.vpcscconfigs.get
assuredoss.googleapis.com/locations.get
assuredoss.googleapis.com/locations.list
assuredoss.googleapis.com/metadata.get
assuredoss.googleapis.com/metadata.list
assuredoss.googleapis.com/operations.get
assuredoss.googleapis.com/operations.list
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Discovery Engine

The Discovery Engine Admin role (roles/discoveryengine.admin) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Editor role (roles/discoveryengine.editor) has reached General Availability (GA).

Discovery Engine

The Discovery Engine Viewer role (roles/discoveryengine.viewer) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

GKE Hub

The following permissions have been added to the Connect Gateway Admin role (roles/gkehub.gatewayAdmin):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Editor role (roles/gkehub.gatewayEditor):

gkehub.memberships.get

GKE Hub

The following permissions have been added to the Connect Gateway Reader role (roles/gkehub.gatewayReader):

gkehub.memberships.get

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent):

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

assuredoss.metadata.list

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

assuredoss.metadata.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

cloudsql.databases.get
cloudsql.instances.get
cloudsql.users.get

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

assuredoss.config.get
assuredoss.metadata.get
assuredoss.metadata.list

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.instances.createTagBinding
compute.instances.deleteTagBinding
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

Assured Open Source Software

The following permissions have been added:

assuredoss.config.get
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Assured Open Source Software

The following permissions are supported in custom roles:

assuredoss.locations.get
assuredoss.locations.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list

Database Migration Service

The following permissions have been added:

datamigration.conversionworkspaces.apply

Database Migration Service

The following permissions have reached General Availability (GA):

datamigration.conversionworkspaces.apply

Discovery Engine

The following permissions have been added:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.analytics.acquireDashboardSession
discoveryengine.analytics.refreshDashboardSessionTokens
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.cmekConfigs.update
discoveryengine.dataStores.trainCustomModel
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.locations.estimateDataSize
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge

Discovery Engine

The following permissions have reached General Availability (GA):

discoveryengine.conversations.converse
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.purge
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.search
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge
discoveryengine.userEvents.create
discoveryengine.userEvents.import
discoveryengine.userEvents.purge

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.explainDataAccess

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.explainDataAccess

IAM changes as of 2024-01-05

Service Description
API Gateway

The following permissions have been added to the ApiGateway Admin role (roles/apigateway.admin):

serviceusage.services.get

API Gateway

The following permissions have been added to the ApiGateway Viewer role (roles/apigateway.viewer):

serviceusage.services.get

Assured Workloads

The following permissions have been added to the Assured Workloads Service Agent role (roles/assuredworkloads.serviceAgent):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Admin role (roles/automl.admin):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Editor role (roles/automl.editor):

serviceusage.services.get

AutoML

The following permissions have been added to the AutoML Viewer role (roles/automl.viewer):

serviceusage.services.get

Google Security Operations

The following permissions have been added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.rules.delete

Cloud Functions

The following permissions have been added to the Cloud Functions Service Agent role (roles/cloudfunctions.serviceAgent):

serviceusage.services.get

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Manager role (roles/consumerprocurement.entitlementManager) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Entitlement Viewer role (roles/consumerprocurement.entitlementViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Events Viewer role (roles/consumerprocurement.eventsViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Administrator role (roles/consumerprocurement.orderAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Order Viewer role (roles/consumerprocurement.orderViewer) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Administrator role (roles/consumerprocurement.procurementAdmin) has reached General Availability (GA).

Cloud Commerce Consumer Procurement

The Consumer Procurement Viewer role (roles/consumerprocurement.procurementViewer) has reached General Availability (GA).

AI Platform Data Labeling Service

The following permissions have been added to the Data Labeling Service Agent role (roles/datalabeling.serviceAgent):

serviceusage.services.get

Dialogflow

The following permissions have been added to the Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient):

dialogflow.generators.get

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

discoveryengine.engines.delete
discoveryengine.engines.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

securityposture.postures.extract
securityposture.reports.create

Firebase

The following permissions have been added to the Firebase SDK Provisioning Service Agent role (roles/firebase.sdkProvisioningServiceAgent):

serviceusage.services.get

Firewall Insights

The following permissions have been added to the Cloud Firewall Insights Service Agent role (roles/firewallinsights.serviceAgent):

compute.regionTargetTcpProxies.list

Cloud Service Mesh

The following permissions have been added to the Mesh Config Service Agent role (roles/meshconfig.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Cloud Monitoring

The following permissions have been added to the Monitoring Admin role (roles/monitoring.admin):

serviceusage.services.get

Cloud Monitoring

The following permissions have been added to the Monitoring Editor role (roles/monitoring.editor):

serviceusage.services.get

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

Network Management API

The following permissions have been added to the GCP Network Management Service Agent role (roles/networkmanagement.serviceAgent):

compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

securityposture.postures.extract
securityposture.reports.create

Security Command Center

The following permissions have been added to the Security Center Automation Service Agent role (roles/securitycenter.automationServiceAgent):

serviceusage.services.get

Security Posture API

The Security Posture Shift-Left Validator role (roles/securityposture.reportCreator) has been added with the following permissions:

securityposture.googleapis.com/reports.create
securityposture.reports.create

Security Posture API

The Security Posture Admin role (roles/securityposture.admin) has reached General Availability (GA).

Security Posture API

The Security Posture Deployer role (roles/securityposture.postureDeployer) has reached General Availability (GA).

Security Posture API

The Security Posture Deployments Viewer role (roles/securityposture.postureDeploymentsViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Editor role (roles/securityposture.postureEditor) has reached General Availability (GA).

Security Posture API

The Security Posture Resource Viewer role (roles/securityposture.postureViewer) has reached General Availability (GA).

Security Posture API

The Security Posture Viewer role (roles/securityposture.viewer) has reached General Availability (GA).

Google Cloud Observability

The following permissions have been added to the Stackdriver Accounts Editor role (roles/stackdriver.accounts.editor):

serviceusage.services.get

Apigee

The following permissions have been added:

apigee.keyvaluemapentries.update

Apigee

The following permissions have reached General Availability (GA):

apigee.keyvaluemapentries.update

BigQuery

The following permissions have been added:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery

The following permissions are supported in custom roles:

bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/capacityCommitments.create
bigqueryreservation.googleapis.com/capacityCommitments.delete
bigqueryreservation.googleapis.com/capacityCommitments.get
bigqueryreservation.googleapis.com/capacityCommitments.list
bigqueryreservation.googleapis.com/capacityCommitments.update
bigqueryreservation.googleapis.com/reservationAssignments.create
bigqueryreservation.googleapis.com/reservationAssignments.delete
bigqueryreservation.googleapis.com/reservationAssignments.list
bigqueryreservation.googleapis.com/reservationAssignments.search

Google Security Operations

The following permissions have been added:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchAlerts
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.legacies.legacyUpdateAlert
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Google Security Operations

The following permissions are supported in custom roles:

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entities.queryEntityRiskScoreModifications
chronicle.feedServiceAccounts.fetch
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.parsers.generateEventTypesSuggestions
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.rules.delete
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Google Security Operations

The following permissions have reached General Availability (GA):

chronicle.ais.createFeedback
chronicle.ais.translateUdmQuery
chronicle.ais.translateYlRule
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.create
chronicle.conversations.delete
chronicle.conversations.get
chronicle.conversations.list
chronicle.conversations.update
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.errorNotificationConfigs.update
chronicle.feedServiceAccounts.fetch
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinementDeployments.update
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.create
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.findingsRefinements.update
chronicle.logs.export
chronicle.logs.get
chronicle.logs.import
chronicle.logs.list
chronicle.messages.create
chronicle.messages.delete
chronicle.messages.get
chronicle.messages.list
chronicle.messages.update
chronicle.preferenceSets.get
chronicle.preferenceSets.update
chronicle.riskConfigs.get
chronicle.riskConfigs.update
chronicle.searchQueries.create
chronicle.searchQueries.delete
chronicle.searchQueries.get
chronicle.searchQueries.list
chronicle.searchQueries.update

Translation

The following permissions have been added:

cloudtranslate.adaptiveMtDatasets.create
cloudtranslate.adaptiveMtDatasets.delete
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.import
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.adaptiveMtFiles.delete
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list

Compute Engine

The following permissions have been added:

compute.networkAttachments.update

Compute Engine

The following permissions are supported in custom roles:

compute.networkAttachments.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.update

Cloud Config Manager API

The following permissions have been added:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Config Manager API

The following permissions are supported in custom roles:

config.artifacts.import
config.previews.create
config.previews.delete
config.previews.export
config.previews.get
config.previews.list
config.previews.upload

Cloud Commerce Consumer Procurement

The following permissions have reached General Availability (GA):

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

Enterprise Purchasing API

The following permissions have been added:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Enterprise Purchasing API

The following permissions are supported in custom roles:

enterprisepurchasing.gcveCuds.create
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.get
enterprisepurchasing.locations.list
enterprisepurchasing.operations.cancel
enterprisepurchasing.operations.delete
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list

Mandiant

The following permissions have been added:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Mandiant

The following permissions are supported in custom roles:

mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.get
mandiant.genericAttackSurfaceManagements.update
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.get
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.get
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.get
mandiant.genericThreatIntels.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.get
mandiant.genericValidations.update

Marketplace Solutions API

The following permissions have been added:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Marketplace Solutions API

The following permissions are supported in custom roles:

marketplacesolutions.locations.get
marketplacesolutions.locations.list
marketplacesolutions.operations.cancel
marketplacesolutions.operations.delete
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.get
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.applyPowerAction
marketplacesolutions.powerInstances.create
marketplacesolutions.powerInstances.delete
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.reset
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.get
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.get
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.get
marketplacesolutions.powerVolumes.list

Memorystore for Redis

The following permissions have been added:

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Memorystore for Redis

The following permissions have reached General Availability (GA):

redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings

Security Command Center

The following permissions have been added:

securitycenter.compliancesnapshots.list

Security Posture API

The following permissions have been added:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create

Security Posture API

The following permissions are supported in custom roles:

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Security Posture API

The following permissions have reached General Availability (GA):

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Personalized Service Health

The following permissions have been added:

servicehealth.statuses.get

Personalized Service Health

The following permissions are supported in custom roles:

servicehealth.statuses.get

IAM changes as of 2023-12-15

Service Description
Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.addonsconfig.get

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.addonsconfig.get

Connectors

The Connector Event Listener role (roles/connectors.listener) has been added with the following permissions:

connectors.connections.listenEvent
connectors.googleapis.com/connections.listenEvent

Artifact Analysis

The following permissions have been removed from the Container Analysis Service Agent role (roles/containeranalysis.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Container Scanning

The following permissions have been removed from the Container Scanner Service Agent role (roles/containerscanning.ServiceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.update

Basic Role

The following permissions have been added to the Editor role (roles/editor):

connectors.connections.listenEvent

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update

Multi-Cluster Service Discovery

The following permissions have been added to the Multi-Cluster Service Discovery Service Agent role (roles/multiclusterservicediscovery.serviceAgent):

container.thirdPartyObjects.update

Basic Role

The following permissions have been added to the Owner role (roles/owner):

connectors.connections.listenEvent

Security Command Center

The following permissions have been added to the Security Center Control Service Agent role (roles/securitycenter.controlServiceAgent):

compute.disks.useReadOnly

Security Command Center

The following permissions have been added to the Security Center Service Agent role (roles/securitycenter.serviceAgent):

compute.disks.useReadOnly

BigQuery

The following permissions have reached General Availability (GA):

bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag

Cloud Billing

The following permissions have been added:

billing.billingAccountPrices.list

Cloud Billing

The following permissions have reached General Availability (GA):

billing.billingAccountPrices.list

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

Connectors

The following permissions have been added:

connectors.connections.listenEvent

Firebase Storage

The following permissions have been added:

firebasestorage.defaultBucket.create
firebasestorage.defaultBucket.delete
firebasestorage.defaultBucket.get

Google Cloud NetApp Volumes

The following permissions have been added:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

Google Cloud NetApp Volumes

The following permissions are supported in custom roles:

netapp.backupPolicies.create
netapp.backupPolicies.delete
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupPolicies.update
netapp.backupVaults.create
netapp.backupVaults.delete
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backupVaults.update
netapp.backups.create
netapp.backups.delete
netapp.backups.get
netapp.backups.list
netapp.backups.update

IAM changes as of 2023-12-08

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.snapshots.useReadOnly

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.healthChecks.useReadOnly
compute.networks.updatePolicy

Apigee

The following permissions have been added to the Apigee Organization Admin role (roles/apigee.admin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Read-only Admin role (roles/apigee.readOnlyAdmin):

apigee.securitySettings.get

Apigee

The following permissions have been added to the Apigee Security Admin role (roles/apigee.securityAdmin):

apigee.securitySettings.get
apigee.securitySettings.update

Apigee

The following permissions have been added to the Apigee Security Viewer role (roles/apigee.securityViewer):

apigee.securitySettings.get

Binary Authorization

The following permissions have been added to the Binary Authorization Service Agent role (roles/binaryauthorization.serviceAgent):

artifactregistry.dockerimages.get

Blockchain Node Engine

The Blockchain Node Engine Admin role (roles/blockchainnodeengine.admin) has reached General Availability (GA).

Blockchain Node Engine

The Blockchain Node Engine Viewer role (roles/blockchainnodeengine.viewer) has reached General Availability (GA).

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

cloudquotas.quotas.get

Connectors

The Custom Connectors Admin role (roles/connectors.customConnectorAdmin) has been added with the following permissions:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update
connectors.googleapis.com/customConnectorVersions.create
connectors.googleapis.com/customConnectorVersions.delete
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectorVersions.setIamPolicy
connectors.googleapis.com/customConnectorVersions.update
connectors.googleapis.com/customConnectors.create
connectors.googleapis.com/customConnectors.delete
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/customConnectors.setIamPolicy
connectors.googleapis.com/customConnectors.update
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The Custom Connector Viewer role (roles/connectors.customConnectorViewer) has been added with the following permissions:

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.googleapis.com/customConnectorVersions.get
connectors.googleapis.com/customConnectorVersions.getIamPolicy
connectors.googleapis.com/customConnectorVersions.list
connectors.googleapis.com/customConnectors.get
connectors.googleapis.com/customConnectors.getIamPolicy
connectors.googleapis.com/customConnectors.list
connectors.googleapis.com/locations.get
connectors.googleapis.com/locations.list
connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connector Admin role (roles/connectors.admin):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.list

Connectors

The following permissions have been added to the Connectors Viewer role (roles/connectors.viewer):

connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

cloudsql.instances.import
storage.objects.list

Dataplex

The following permissions have been added to the Cloud Dataplex Service Agent role (roles/dataplex.serviceAgent):

datacatalog.entries.get

Basic Role

The following permissions have been added to the Editor role (roles/editor):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.update

FleetEngine

The Fleet Engine Delivery Admin role (roles/fleetengine.deliveryAdmin) has reached General Availability (GA).

FleetEngine

The Fleet Engine On-Demand Admin role (roles/fleetengine.ondemandAdmin) has reached General Availability (GA).

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent):

serviceusage.services.use

GKE Multi-Cloud

The following permissions have been added to the Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent):

serviceusage.services.use

Identity and Access Management

The following permissions have been added to the Security Admin role (roles/iam.securityAdmin):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy

Identity and Access Management

The following permissions have been added to the Security Reviewer role (roles/iam.securityReviewer):

connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Basic Role

The following permissions have been added to the Owner role (roles/owner):

apigee.securitySettings.get
apigee.securitySettings.update
connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Security Center Management API

The Security Center Management Custom Modules Editor role (roles/securitycentermanagement.customModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management Custom Modules Viewer role (roles/securitycentermanagement.customModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Security Center Management API

The Security Center Management Custom ETD Modules Editor role (roles/securitycentermanagement.etdCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.create
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.delete
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.update
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management ETD Custom Modules Viewer role (roles/securitycentermanagement.etdCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.get
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.list
securitycentermanagement.googleapis.com/eventThreatDetectionCustomModules.validate
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.locations.get
securitycentermanagement.locations.list

Security Center Management API

The Security Center Management SHA Custom Modules Editor role (roles/securitycentermanagement.shaCustomModulesEditor) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.create
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.delete
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.update
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The Security Center Management SHA Custom Modules Viewer role (roles/securitycentermanagement.shaCustomModulesViewer) has been added with the following permissions:

cloudresourcemanager.googleapis.com/organizations.get
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/locations.get
securitycentermanagement.googleapis.com/locations.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.get
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.list
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.googleapis.com/securityHealthAnalyticsCustomModules.test
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test

Basic Role

The following permissions have been added to the Viewer role (roles/viewer):

apigee.securitySettings.get
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list

Vision AI

The following permissions have been added to the Cloud Vision AI Service Agent role (roles/visionai.serviceAgent):

visionai.assets.analyze
visionai.assets.generateHlsUri
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.create
visionai.corpora.import
visionai.corpora.suggest
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Workflows

The following permissions have been added to the Workflows Invoker role (roles/workflows.invoker):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

workloadmanager.insights.write

Apigee

The following permissions have been added:

apigee.securitySettings.get
apigee.securitySettings.update

Blockchain Node Engine

The following permissions have reached General Availability (GA):

blockchainnodeengine.blockchainNodes.create
blockchainnodeengine.blockchainNodes.delete
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.blockchainNodes.update
blockchainnodeengine.locations.get
blockchainnodeengine.locations.list
blockchainnodeengine.operations.cancel
blockchainnodeengine.operations.delete
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list

Cloud Deploy

The following permissions have been added:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.update

Connectors

The following permissions have been added:

connectors.customConnectorVersions.create
connectors.customConnectorVersions.delete
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectorVersions.update
connectors.customConnectors.create
connectors.customConnectors.delete
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.customConnectors.update

Firebase App Check

The following permissions have been added:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions are supported in custom roles:

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

Firebase App Check

The following permissions have reached General Availability (GA):

firebaseappcheck.resourcePolicies.get
firebaseappcheck.resourcePolicies.update

FleetEngine

The following permissions have been added:

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

FleetEngine

The following permissions have reached General Availability (GA):

fleetengine.deliveryvehicles.allowAllActions
fleetengine.tasks.allowAllActions
fleetengine.tasktrackinginfo.allowAllActions
fleetengine.trips.allowAllActions
fleetengine.vehicles.allowAllActions

Kubernetes Metadata API

The following permissions have been added:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Kubernetes Metadata API

The following permissions are supported in custom roles:

kubernetesmetadata.metadata.config
kubernetesmetadata.metadata.publish
kubernetesmetadata.metadata.snapshot

Live Stream

The following permissions have been added:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions are supported in custom roles:

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Live Stream

The following permissions have reached General Availability (GA):

livestream.assets.create
livestream.assets.delete
livestream.assets.get
livestream.assets.list
livestream.pools.get
livestream.pools.update

Maps Analytics

The following permissions have been added:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Maps Analytics

The following permissions are supported in custom roles:

mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list

Network Connectivity Center

The following permissions have been added:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Network Connectivity Center

The following permissions are supported in custom roles:

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

Recommender

The following permissions have been added:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Recommender

The following permissions are supported in custom roles:

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

Security Center Management API

The following permissions have been added:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions are supported in custom roles:

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Security Center Management API

The following permissions have reached General Availability (GA):

securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update

Cloud Storage

The following permissions have been added:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions are supported in custom roles:

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Cloud Storage

The following permissions have reached General Availability (GA):

storage.buckets.enableObjectRetention
storage.objects.overrideUnlockedRetention
storage.objects.setRetention

Video Stitcher API

The following permissions have been added:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions are supported in custom roles:

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Video Stitcher API

The following permissions have reached General Availability (GA):

videostitcher.liveConfigs.create
videostitcher.liveConfigs.delete
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list

Workflows

The following permissions have been added:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions are supported in custom roles:

workflows.stepEntries.get
workflows.stepEntries.list

Workflows

The following permissions have reached General Availability (GA):

workflows.stepEntries.get
workflows.stepEntries.list

Workload Manager

The following permissions have been added:

workloadmanager.insights.write

Workload Manager

The following permissions are supported in custom roles:

workloadmanager.insights.write

IAM changes as of 2023-11-17

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

compute.disks.createSnapshot
compute.globalOperations.get
compute.instances.useReadOnly
compute.snapshots.create
compute.snapshots.delete

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Compute Engine Operator role (roles/backupdr.computeEngineOperator):

compute.addresses.use

Backup and Disaster Recovery

The following permissions have been added to the Backup and DR Service Agent role (roles/backupdr.serviceAgent):

compute.addresses.use

Capacity Planner

The following permissions have been added to the Capacity Planner Usage Viewer role (roles/capacityplanner.viewer):

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Viewer role (roles/workloadmanager.viewer):

orgpolicy.policy.get

Workload Manager

The following permissions have been added to the Workload Manager Worker role (roles/workloadmanager.worker):

orgpolicy.policy.get

Dataform

The following permissions have been added:

dataform.workspaces.searchFiles

Dataform

The following permissions have reached General Availability (GA):

dataform.workspaces.searchFiles

Identity-Aware Proxy

The following permissions have been added:

iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.webServiceVersions.remediate

IAM changes as of 2023-11-10

Service Description
Content Warehouse

The following permissions have been added to the Content Warehouse Admin role (roles/contentwarehouse.admin):

contentwarehouse.documents.list

Content Warehouse

The following permissions have been added to the Content Warehouse Document Admin role (roles/contentwarehouse.documentAdmin):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document creator role (roles/contentwarehouse.documentCreator):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Document Editor role (roles/contentwarehouse.documentEditor):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse document schema viewer role (roles/contentwarehouse.documentSchemaViewer):

contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have been added to the Content Warehouse Viewer role (roles/contentwarehouse.documentViewer):

contentwarehouse.locations.getStatus

GKE Multi-Cloud

The Anthos Multi-Cloud Container Service Agent role (roles/gkemulticloud.containerServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Control Plane Machine Service Agent role (roles/gkemulticloud.controlPlaneMachineServiceAgent) has reached General Availability (GA).

GKE Multi-Cloud

The Anthos Multi-Cloud Node Pool Machine Service Agent role (roles/gkemulticloud.nodePoolMachineServiceAgent) has reached General Availability (GA).

Cloud Run

The following permissions have been added to the Cloud Run Service Agent role (roles/run.serviceAgent):

artifactregistry.repositories.uploadArtifacts

Storage Insights

The Storage Insights Analyst role (roles/storageinsights.analyst) has reached General Availability (GA).

App Hub

The following permissions have been added:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

App Hub

The following permissions are supported in custom roles:

apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.applications.update
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredServices.register
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.discoveredWorkloads.register
apphub.locations.get
apphub.locations.list
apphub.operations.cancel
apphub.operations.delete
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.attach
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.detach
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list
apphub.serviceProjectAttachments.lookup
apphub.services.create
apphub.services.delete
apphub.services.get
apphub.services.list
apphub.services.update
apphub.workloads.create
apphub.workloads.delete
apphub.workloads.get
apphub.workloads.list
apphub.workloads.update

Commerce Org Governance

The following permissions have been added:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Commerce Org Governance

The following permissions are supported in custom roles:

commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update

Content Warehouse

The following permissions have been added:

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.corpora.create
contentwarehouse.corpora.delete
contentwarehouse.corpora.get
contentwarehouse.corpora.list
contentwarehouse.corpora.update
contentwarehouse.documents.list
contentwarehouse.locations.getStatus

Looker Studio

The following permissions are supported in custom roles:

lookerstudio.pro.manage

Network Security

The following permissions have been added:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Network Security

The following permissions are supported in custom roles:

networksecurity.addressGroups.create
networksecurity.addressGroups.delete
networksecurity.addressGroups.get
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.addressGroups.update
networksecurity.addressGroups.use

Storage Insights

The following permissions have been added:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions are supported in custom roles:

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

Storage Insights

The following permissions have reached General Availability (GA):

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update

IAM changes as of 2023-11-03

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Limited Viewer role (roles/chronicle.limitedViewer):

chronicle.dashboards.schedule
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchUserEvents
chronicle.logTypeSchemas.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph

Cloud AI Companion API

The following permissions have been added to the Cloud AI Companion User role (roles/cloudaicompanion.user):

resourcemanager.projects.get
resourcemanager.projects.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

compute.disks.createTagBinding

Distributed Cloud Edge Container

The Edge Container Cluster Service Agent role (roles/edgecontainer.clusterServiceAgent) has reached General Availability (GA).

Distributed Cloud Edge Container

The Edge Container Cluster offline Credential User role (roles/edgecontainer.offlineCredentialUser) has reached General Availability (GA).

Looker

The Looker Service Agent role (roles/looker.serviceAgent) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Admin role (roles/readerrevenuesubscriptionlinking.admin) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Entitlements Viewer role (roles/readerrevenuesubscriptionlinking.entitlementsViewer) has reached General Availability (GA).

Subscription Linking

The Subscription Linking Viewer role (roles/readerrevenuesubscriptionlinking.viewer) has reached General Availability (GA).

Apigee

The following permissions have been added:

apigee.securityIncidents.update

Apigee

The following permissions are supported in custom roles:

apigee.securityIncidents.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityIncidents.update

Google Security Operations

The following permissions have been added:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Google Security Operations

The following permissions are supported in custom roles:

chronicle.findingsGraphs.exploreNode
chronicle.findingsGraphs.initializeGraph
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchIoCInsights

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.clusters.generateOfflineCredential

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.clusters.generateOfflineCredential

Subscription Linking

The following permissions have been added:

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Subscription Linking

The following permissions have reached General Availability (GA):

readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readerEntitlements.update
readerrevenuesubscriptionlinking.readers.delete
readerrevenuesubscriptionlinking.readers.get

Security Command Center

The following permissions have been added:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions are supported in custom roles:

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get

IAM changes as of 2023-10-27

Service Description
BigQuery

The following permissions have been added to the Bigquery Studio User role (roles/bigquery.studioUser):

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

BigQuery Data Transfer Service

The following permissions have been added to the BigQuery Data Transfer Service Agent role (roles/bigquerydatatransfer.serviceAgent):

compute.networkAttachments.get

Cloud Asset Inventory

The Other Cloud Config Service Agent role (roles/cloudasset.otherCloudConfigServiceAgent) has reached General Availability (GA).

Cloud Composer

The following permissions have been added to the Cloud Composer API Service Agent role (roles/composer.serviceAgent):

composer.dags.get
composer.environments.get
iam.serviceAccounts.getAccessToken

Connectors

The following permissions have been added to the Connectors Platform Service Agent role (roles/connectors.serviceAgent):

connectors.actions.list
connectors.entityTypes.list

Datastream

The Datastream Admin role (roles/datastream.admin) has reached General Availability (GA).

Datastream

The Datastream Viewer role (roles/datastream.viewer) has reached General Availability (GA).

Looker Studio

The following permissions have been added to the Data Studio Workspace Content Manager role (roles/datastudio.contentManager):

datastudio.datasources.move
datastudio.reports.move

GKE Hub

The GKE Hub Cross Project Service Agent role (roles/gkehub.crossProjectServiceAgent) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.setLabels

Capacity Planner

The following permissions have been added:

capacityplanner.forecasts.list
capacityplanner.usageHistories.list
capacityplanner.usageHistories.summarize

Cloud Key Management Service

The following permissions have been added:

cloudkms.locations.optOutKeyDeletionMsa

Cloud Key Management Service

The following permissions have reached General Availability (GA):

cloudkms.locations.optOutKeyDeletionMsa

Cloud Tasks

The following permissions have been added:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Cloud Tasks

The following permissions are supported in custom roles:

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update

Datastream

The following permissions have reached General Availability (GA):

datastream.connectionProfiles.create
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.delete
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.createTagBinding
datastream.privateConnections.delete
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.createTagBinding
datastream.streams.delete
datastream.streams.deleteTagBinding
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update

Financial Services

The following permissions have been added:

financialservices.locations.get
financialservices.locations.list
financialservices.operations.cancel
financialservices.operations.delete
financialservices.operations.get
financialservices.operations.list
financialservices.v1backtests.create
financialservices.v1backtests.delete
financialservices.v1backtests.exportMetadata
financialservices.v1backtests.get
financialservices.v1backtests.list
financialservices.v1backtests.update
financialservices.v1datasets.create
financialservices.v1datasets.delete
financialservices.v1datasets.get
financialservices.v1datasets.list
financialservices.v1datasets.update
financialservices.v1engineconfigs.create
financialservices.v1engineconfigs.delete
financialservices.v1engineconfigs.exportMetadata
financialservices.v1engineconfigs.get
financialservices.v1engineconfigs.list
financialservices.v1engineconfigs.update
financialservices.v1engineversions.get
financialservices.v1engineversions.list
financialservices.v1instances.create
financialservices.v1instances.delete
financialservices.v1instances.exportRegisteredParties
financialservices.v1instances.get
financialservices.v1instances.importRegisteredParties
financialservices.v1instances.list
financialservices.v1instances.update
financialservices.v1models.create
financialservices.v1models.delete
financialservices.v1models.exportMetadata
financialservices.v1models.get
financialservices.v1models.list
financialservices.v1models.update
financialservices.v1predictions.create
financialservices.v1predictions.delete
financialservices.v1predictions.exportMetadata
financialservices.v1predictions.get
financialservices.v1predictions.list
financialservices.v1predictions.update

GKE Hub

The following permissions have been added:

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

GKE Hub

The following permissions are supported in custom roles:

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.fleet.createFreeTrial
gkehub.fleet.getFreeTrial
gkehub.fleet.updateFreeTrial

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.applyConsents

IAM changes as of 2023-10-20

Service Description
Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin):

aiplatform.operations.list

Vertex AI

The following permissions have been added to the Notebook Runtime User role (roles/aiplatform.notebookRuntimeUser):

aiplatform.operations.list

BigQuery

The following permissions have been added to the Bigquery Studio Admin role (roles/bigquery.studioAdmin):

aiplatform.operations.list

BigQuery

The following permissions have been added to the Bigquery Studio User role (roles/bigquery.studioUser):

aiplatform.operations.list

BigQuery

The following permissions have been removed from the Bigquery Studio User role (roles/bigquery.studioUser):

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.translate
bigqueryreservation.googleapis.com/reservations.get
bigqueryreservation.googleapis.com/reservations.list

Dataproc

The following permissions have been added to the Dataproc Service Agent role (roles/dataproc.serviceAgent):

serviceusage.services.use

Dialogflow

The Dialogflow Agent Assist Client role (roles/dialogflow.agentAssistClient) has reached General Availability (GA).

Sensitive Data Protection

The DLP Data Profiles Admin role (roles/dlp.dataProfilesAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP Table Data Profiles Admin role (roles/dlp.tableDataProfilesAdmin) has reached General Availability (GA).

Storage Insights

The following permissions have been added to the StorageInsights Service Agent role (roles/storageinsights.serviceAgent):

bigquery.datasets.create
serviceusage.services.use

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.snapshotSettings.get
compute.snapshotSettings.update

Sensitive Data Protection

The following permissions have been added:

dlp.tableDataProfiles.delete

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.tableDataProfiles.delete

Looker Studio

The following permissions have been added:

lookerstudio.pro.manage

Cloud Storage

The following permissions have been added:

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Cloud Storage

The following permissions are supported in custom roles:

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

Telco Automation API

The following permissions have been added:

telcoautomation.blueprints.approve
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.apply
telcoautomation.deployments.computeStatus
telcoautomation.deployments.create
telcoautomation.deployments.delete
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.deployments.rollback
telcoautomation.deployments.update
telcoautomation.edgeSlms.create
telcoautomation.edgeSlms.delete
telcoautomation.edgeSlms.get
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.apply
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.hydratedDeployments.update
telcoautomation.locations.get
telcoautomation.locations.list
telcoautomation.operations.cancel
telcoautomation.operations.delete
telcoautomation.operations.get
telcoautomation.operations.list
telcoautomation.orchestrationClusters.create
telcoautomation.orchestrationClusters.delete
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.get
telcoautomation.publicBlueprints.list

Telco Automation API

The following permissions are supported in custom roles:

telcoautomation.blueprints.approve
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.apply
telcoautomation.deployments.computeStatus
telcoautomation.deployments.create
telcoautomation.deployments.delete
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.deployments.rollback
telcoautomation.deployments.update
telcoautomation.edgeSlms.delete
telcoautomation.edgeSlms.get
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.apply
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.hydratedDeployments.update
telcoautomation.locations.get
telcoautomation.locations.list
telcoautomation.operations.cancel
telcoautomation.operations.delete
telcoautomation.operations.get
telcoautomation.operations.list
telcoautomation.orchestrationClusters.create
telcoautomation.orchestrationClusters.delete
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.get
telcoautomation.publicBlueprints.list

IAM changes as of 2023-10-13

Service Description
Vertex AI

The following permissions have been added to the Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin):

aiplatform.pipelineJobs.create
aiplatform.schedules.create
aiplatform.schedules.delete
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.schedules.update

Vertex AI

The following permissions have been added to the Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser):

aiplatform.pipelineJobs.create
aiplatform.schedules.create
aiplatform.schedules.delete
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.schedules.update

App Engine

The following permissions have been added to the App Engine Standard Environment Service Agent role (roles/appengine.serviceAgent):

artifactregistry.aptartifacts.create
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.kfpartifacts.create
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create

Cloud Deploy

The following permissions have been added to the Cloud Deploy Approver role (roles/clouddeploy.approver):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Developer role (roles/clouddeploy.developer):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Runner role (roles/clouddeploy.jobRunner):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Operator role (roles/clouddeploy.operator):

clouddeploy.config.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Releaser role (roles/clouddeploy.releaser):

clouddeploy.config.get

Compute Engine

The following permissions have been added to the Compute Engine Service Agent role (roles/compute.serviceAgent):

iam.serviceAccounts.implicitDelegation

Vision AI

The following permissions have been added to the VisionAI Editor role (roles/visionai.editor):

visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update

Workload Manager

The following permissions have been added to the Workload Manager Admin role (roles/workloadmanager.admin):

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get

Cloud Config Manager API

The following permissions have been added:

config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.lock
config.deployments.unlock
config.deployments.updateState
config.revisions.getState

Cloud Config Manager API

The following permissions are supported in custom roles:

config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.lock
config.deployments.unlock
config.deployments.updateState
config.revisions.getState

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.clusters.upgrade

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.clusters.upgrade

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.clusters.upgrade

Vision AI

The following permissions have been added:

visionai.assets.analyze
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.import
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Vision AI

The following permissions are supported in custom roles:

visionai.assets.analyze
visionai.assets.index
visionai.assets.removeIndex
visionai.assets.upload
visionai.corpora.analyze
visionai.corpora.import
visionai.indexEndpoints.create
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.get
visionai.indexes.list
visionai.indexes.update
visionai.indexes.viewAssets

Google Cloud VMware Engine

The following permissions have been added:

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

Google Cloud VMware Engine

The following permissions are supported in custom roles:

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

Google Cloud VMware Engine

The following permissions have reached General Availability (GA):

vmwareengine.dnsBindPermission.get
vmwareengine.dnsBindPermission.grant
vmwareengine.dnsBindPermission.revoke
vmwareengine.dnsForwarding.get
vmwareengine.dnsForwarding.update
vmwareengine.externalAccessRules.create
vmwareengine.externalAccessRules.delete
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAccessRules.update
vmwareengine.externalAddresses.create
vmwareengine.externalAddresses.delete
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.externalAddresses.update
vmwareengine.loggingServers.create
vmwareengine.loggingServers.delete
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.loggingServers.update
vmwareengine.managementDnsZoneBindings.create
vmwareengine.managementDnsZoneBindings.delete
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.managementDnsZoneBindings.repair
vmwareengine.managementDnsZoneBindings.update
vmwareengine.networkPeerings.create
vmwareengine.networkPeerings.delete
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPeerings.update
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.nodes.get
vmwareengine.nodes.list

IAM changes as of 2023-10-06

Service Description
Advisory Notifications

The following permissions have been added to the Advisory Notifications Admin role (roles/advisorynotifications.admin):

resourcemanager.projects.get

Advisory Notifications

The following permissions have been added to the Advisory Notifications Viewer role (roles/advisorynotifications.viewer):

resourcemanager.projects.get

Policy Controller

The Anthos Policy Controller Service Agent role (roles/anthospolicycontroller.serviceAgent) has reached General Availability (GA).

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.networkEndpointGroups.list

Spark connector for BigQuery

The BigQuery Spark Service Agent role (roles/bigqueryspark.serviceAgent) has reached General Availability (GA).

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

alloydb.clusters.generateClientCertificate

Recommender

The Network Analyzer GKE Service Account Insights Recommender Admin role (roles/recommender.networkAnalyzerGkeServiceAccountAdmin) has reached General Availability (GA).

Recommender

The Network Analyzer GKE Service Account Insights Recommender Viewer role (roles/recommender.networkAnalyzerGkeServiceAccountViewer) has reached General Availability (GA).

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.globalOperations.get
compute.globalOperations.list

Vertex AI

The following permissions have been added:

aiplatform.datasetVersions.create
aiplatform.datasetVersions.delete
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasetVersions.restore

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.datasetVersions.create
aiplatform.datasetVersions.delete
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasetVersions.restore

Cloud Billing

The following permissions have been added:

billing.resourcebudgets.read
billing.resourcebudgets.write

Cloud Billing

The following permissions are supported in custom roles:

billing.resourcebudgets.read
billing.resourcebudgets.write

Cloud Billing

The following permissions have reached General Availability (GA):

billing.resourcebudgets.read
billing.resourcebudgets.write

Compute Engine

The following permissions have been added:

compute.instances.pscInterfaceCreate

Compute Engine

The following permissions are supported in custom roles:

compute.instances.pscInterfaceCreate

Compute Engine

The following permissions have reached General Availability (GA):

compute.instances.pscInterfaceCreate

Distributed Cloud Edge Container

The following permissions have been added:

edgecontainer.serverconfig.get

Distributed Cloud Edge Container

The following permissions are supported in custom roles:

edgecontainer.serverconfig.get

Distributed Cloud Edge Container

The following permissions have reached General Availability (GA):

edgecontainer.serverconfig.get

Recommender

The following permissions have been added:

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Recommender

The following permissions are supported in custom roles:

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Recommender

The following permissions have reached General Availability (GA):

recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.update

Retail API

The following permissions have been added:

retail.experiments.create
retail.experiments.delete
retail.experiments.get
retail.experiments.list
retail.experiments.loadExperimentLookerDashboard
retail.experiments.queryTrafficMetrics
retail.experiments.update

IAM changes as of 2023-09-29

Service Description
Google Security Operations

The following permissions have been added to the Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer):

chronicle.events.findUdmFieldValues

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

alloydb.instances.connect

Dataproc Metastore

The Dataproc Metastore Metadata Editor role (roles/metastore.metadataEditor) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Mutate Admin role (roles/metastore.metadataMutateAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Data Owner role (roles/metastore.metadataOwner) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Query Admin role (roles/metastore.metadataQueryAdmin) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata User role (roles/metastore.metadataUser) has reached General Availability (GA).

Dataproc Metastore

The Dataproc Metastore Metadata Viewer role (roles/metastore.metadataViewer) has reached General Availability (GA).

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.getIamPolicy

Privileged Access Manager

The Privileged Access Manager Folder Service Agent role (roles/privilegedaccessmanager.folderServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Organization Service Agent role (roles/privilegedaccessmanager.organizationServiceAgent) has reached General Availability (GA).

Privileged Access Manager

The Privileged Access Manager Project Service Agent role (roles/privilegedaccessmanager.projectServiceAgent) has reached General Availability (GA).

Rapid Migration Assessment

The following permissions have been added to the RMA Service Agent role (roles/rapidmigrationassessment.serviceAgent):

migrationcenter.sources.list

Google Security Operations

The following permissions have been added:

chronicle.events.findUdmFieldValues

Google Security Operations

The following permissions are supported in custom roles:

chronicle.events.findUdmFieldValues

Memorystore for Memcached

The following permissions have been added:

memcache.instances.upgrade

Memorystore for Memcached

The following permissions have reached General Availability (GA):

memcache.instances.upgrade

Dataproc Metastore

The following permissions have reached General Availability (GA):

metastore.services.mutateMetadata
metastore.services.queryMetadata

IAM changes as of 2023-09-22

Service Description
Vertex AI

The Colab Enterprise Admin role (roles/aiplatform.colabEnterpriseAdmin) has reached General Availability (GA).

Vertex AI

The Colab Enterprise User role (roles/aiplatform.colabEnterpriseUser) has reached General Availability (GA).

Vertex AI

The Notebook Runtime Admin role (roles/aiplatform.notebookRuntimeAdmin) has reached General Availability (GA).

Vertex AI

The Notebook Runtime User role (roles/aiplatform.notebookRuntimeUser) has reached General Availability (GA).

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.networkEndpointGroups.use
networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
networkservices.endpointPolicies.create
networkservices.endpointPolicies.delete
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.update
networkservices.endpointPolicies.use
networkservices.gateways.create
networkservices.gateways.delete
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.update
networkservices.gateways.use
networkservices.grpcRoutes.create
networkservices.grpcRoutes.delete
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.update
networkservices.grpcRoutes.use
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.update
networkservices.httpFilters.use
networkservices.httpRoutes.create
networkservices.httpRoutes.delete
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.update
networkservices.httpRoutes.use
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.update
networkservices.meshes.use
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update
networkservices.tcpRoutes.create
networkservices.tcpRoutes.delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.update
networkservices.tcpRoutes.use
networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use

Dataform

The Dataform Admin role (roles/dataform.admin) has reached General Availability (GA).

Dataform

The Dataform Editor role (roles/dataform.editor) has reached General Availability (GA).

Dataform

The Dataform Viewer role (roles/dataform.viewer) has reached General Availability (GA).

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Developer role (roles/datafusion.developer):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Operator role (roles/datafusion.operator):

datafusion.instances.runtime

Cloud Data Fusion

The following permissions have been removed from the Cloud Data Fusion Viewer role (roles/datafusion.viewer):

datafusion.instances.runtime

Dataplex

The Dataplex DataScan Creator role (roles/dataplex.dataScanCreator) has reached General Availability (GA).

Basic Role

The following permissions have been removed from the Viewer role (roles/viewer):

datafusion.instances.runtime

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.useReadOnly

Cloud Workstations

The following permissions have been added to the Cloud Workstations Admin role (roles/workstations.admin):

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.zones.get
compute.zones.list

Advisory Notifications

The following permissions have been added:

advisorynotifications.settings.get
advisorynotifications.settings.update

Advisory Notifications

The following permissions are supported in custom roles:

advisorynotifications.settings.get
advisorynotifications.settings.update

Vertex AI

The following permissions have been added:

aiplatform.featureGroups.create
aiplatform.featureGroups.delete
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureGroups.update

Vertex AI

The following permissions have reached General Availability (GA):

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

Apigee

The following permissions have been added:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions are supported in custom roles:

apigee.addonsconfig.get
apigee.addonsconfig.update

Apigee

The following permissions have reached General Availability (GA):

apigee.addonsconfig.get
apigee.addonsconfig.update

Google Security Operations

The following permissions have been added:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Google Security Operations

The following permissions are supported in custom roles:

chronicle.dataAccessLabels.create
chronicle.dataAccessLabels.delete
chronicle.dataAccessLabels.get
chronicle.dataAccessLabels.list
chronicle.dataAccessLabels.update
chronicle.dataAccessScopes.create
chronicle.dataAccessScopes.delete
chronicle.dataAccessScopes.get
chronicle.dataAccessScopes.list
chronicle.dataAccessScopes.permit
chronicle.dataAccessScopes.update
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.import
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.get
chronicle.events.import
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.globalDataAccessScopes.permit
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents

Compute Engine

The following permissions have been added:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Compute Engine

The following permissions are supported in custom roles:

compute.instanceSettings.get
compute.instanceSettings.update
compute.interconnects.getMacsecConfig

Compute Engine

The following permissions have reached General Availability (GA):

compute.interconnects.getMacsecConfig
compute.projects.setManagedProtectionTier

Dataform

The following permissions are supported in custom roles:

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.list
dataform.repositories.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.writeFile

Dataform

The following permissions have reached General Availability (GA):

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

Dialogflow

The following permissions have been added:

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Dialogflow

The following permissions have reached General Availability (GA):

dialogflow.generators.create
dialogflow.generators.delete
dialogflow.generators.get
dialogflow.generators.list
dialogflow.generators.update

Network Services

The following permissions have been added:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Network Services

The following permissions are supported in custom roles:

networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Cloud OS Config

The following permissions have been added:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Cloud OS Config

The following permissions are supported in custom roles:

osconfig.osPolicyAssignmentReports.searchSummaries
osconfig.osPolicyAssignments.searchPolicies
osconfig.upgradeReports.get
osconfig.upgradeReports.getSummary
osconfig.upgradeReports.list
osconfig.upgradeReports.searchSummaries

Policy Remediator Manager

The following permissions have been added:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Policy Remediator Manager

The following permissions are supported in custom roles:

policyremediatormanager.locations.get
policyremediatormanager.locations.list
policyremediatormanager.operations.cancel
policyremediatormanager.operations.delete
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.disable
policyremediatormanager.remediatorServices.enable
policyremediatormanager.remediatorServices.get

Workflows

The following permissions have been added:

workflows.callbacks.list
workflows.workflows.listRevision

Workflows

The following permissions have reached General Availability (GA):

workflows.callbacks.list
workflows.workflows.listRevision

IAM changes as of 2023-09-17

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Administrator role (roles/aiplatform.admin):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Custom Code Service Agent role (roles/aiplatform.customCodeServiceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Vertex AI

The following permissions have been added to the Vertex AI User role (roles/aiplatform.user):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

Cloud Service Mesh

The following permissions have been added to the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent):

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Assured Workloads

The Assured Workloads Monitoring Service Agent role (roles/assuredworkloads.monitoringServiceAgent) has reached General Availability (GA).

Assured Workloads

The following permissions have been added to the Assured Workloads Reader role (roles/assuredworkloads.reader):

orgpolicy.policy.get

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Editor role (roles/baremetalsolution.editor):

baremetalsolution.osimages.list

Bare Metal Solution

The following permissions have been added to the Bare Metal Solution Instances Admin role (roles/baremetalsolution.instancesadmin):

baremetalsolution.osimages.list

Google Security Operations

The Chronicle API Restricted Data Access role (roles/chronicle.restrictedDataAccess) has been added with the following permissions:

chronicle.dataAccessScopes.permit
chronicle.googleapis.com/dataAccessScopes.permit

Google Security Operations

The Chronicle API Restricted Data Access Viewer role (roles/chronicle.restrictedDataAccessViewer) has been added with the following permissions:

chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.events.batchGet
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.googleapis.com/entities.find
chronicle.googleapis.com/entities.findRelatedEntities
chronicle.googleapis.com/entities.get
chronicle.googleapis.com/entities.searchEntities
chronicle.googleapis.com/entities.summarize
chronicle.googleapis.com/entities.summarizeFromQuery
chronicle.googleapis.com/entityRiskScores.queryEntityRiskScores
chronicle.googleapis.com/events.batchGet
chronicle.googleapis.com/events.get
chronicle.googleapis.com/events.queryProductSourceStats
chronicle.googleapis.com/events.udmSearch
chronicle.googleapis.com/events.validateQuery
chronicle.googleapis.com/instances.get
chronicle.googleapis.com/instances.report
chronicle.googleapis.com/legacies.legacyBatchGetCases
chronicle.googleapis.com/legacies.legacyCalculateAlertStats
chronicle.googleapis.com/legacies.legacyFetchAlertsView
chronicle.googleapis.com/legacies.legacyFetchUdmSearchCsv
chronicle.googleapis.com/legacies.legacyFetchUdmSearchView
chronicle.googleapis.com/legacies.legacyFindAssetEvents
chronicle.googleapis.com/legacies.legacyFindRawLogs
chronicle.googleapis.com/legacies.legacyFindUdmEvents
chronicle.googleapis.com/legacies.legacyGetAlert
chronicle.googleapis.com/legacies.legacyGetFinding
chronicle.googleapis.com/legacies.legacyGetRuleCounts
chronicle.googleapis.com/legacies.legacyGetRulesTrends
chronicle.googleapis.com/legacies.legacyRunTestRule
chronicle.googleapis.com/legacies.legacySearchArtifactEvents
chronicle.googleapis.com/legacies.legacySearchAssetEvents
chronicle.googleapis.com/legacies.legacySearchFindings
chronicle.googleapis.com/legacies.legacySearchRawLogs
chronicle.googleapis.com/legacies.legacySearchRuleDetectionCountBuckets
chronicle.googleapis.com/legacies.legacySearchRuleDetectionEvents
chronicle.googleapis.com/legacies.legacySearchRuleResults
chronicle.googleapis.com/legacies.legacySearchRulesAlerts
chronicle.googleapis.com/legacies.legacySearchUserEvents
chronicle.googleapis.com/logs.get
chronicle.googleapis.com/logs.list
chronicle.googleapis.com/operations.get
chronicle.googleapis.com/operations.list
chronicle.googleapis.com/operations.wait
chronicle.googleapis.com/retrohunts.get
chronicle.googleapis.com/retrohunts.list
chronicle.googleapis.com/ruleDeployments.get
chronicle.googleapis.com/ruleDeployments.list
chronicle.googleapis.com/ruleExecutionErrors.list
chronicle.googleapis.com/rules.get
chronicle.googleapis.com/rules.list
chronicle.googleapis.com/rules.listRevisions
chronicle.googleapis.com/rules.verifyRuleText
chronicle.googleapis.com/signalGraphs.exploreNode
chronicle.googleapis.com/signalGraphs.initializeGraph
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents
chronicle.logs.get
chronicle.logs.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.signalGraphs.exploreNode
chronicle.signalGraphs.initializeGraph
cloudresourcemanager.googleapis.com/projects.get
cloudresourcemanager.googleapis.com/projects.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Controls Partner API

The Cloud Controls Partner Access Approval Service Agent role (roles/cloudcontrolspartner.accessApprovalServiceAgent) has reached General Availability (GA).

Cloud Controls Partner API

The following permissions have been added to the Cloud Controls Partner Admin role (roles/cloudcontrolspartner.admin):

cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get

Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

storage.objects.get

Commerce Price Management

The following permissions have been added to the Commerce Price Management Private Offers Admin role (roles/commercepricemanagement.privateOffersAdmin):

commerceprice.privateoffers.sendEmail

Compute Engine

The Compute Future Reservation Admin role (roles/compute.futureReservationAdmin) has been added with the following permissions:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.cancel
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation User role (roles/compute.futureReservationUser) has been added with the following permissions:

compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.googleapis.com/futureReservations.create
compute.googleapis.com/futureReservations.delete
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list
compute.googleapis.com/futureReservations.update
compute.googleapis.com/reservations.create
compute.reservations.create

Compute Engine

The Compute Future Reservation Viewer role (roles/compute.futureReservationViewer) has been added with the following permissions:

compute.futureReservations.get
compute.futureReservations.list
compute.googleapis.com/futureReservations.get
compute.googleapis.com/futureReservations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Admin role (roles/connectors.endpointAttachmentAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Endpoint Attachment Viewer role (roles/connectors.endpointAttachmentViewer):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Admin role (roles/connectors.managedZoneAdmin):

connectors.locations.get
connectors.locations.list

Connectors

The following permissions have been added to the Connectors Managed Zone Viewer role (roles/connectors.managedZoneViewer):

connectors.locations.get
connectors.locations.list

Data Catalog

The following permissions have been added to the DataCatalog Data Steward role (roles/datacatalog.dataSteward):

datacatalog.relationships.list

Data Catalog

The following permissions have been added to the DataCatalog Entry Viewer role (roles/datacatalog.entryViewer):

datacatalog.relationships.list

Dataplex

The following permissions have been added to the Dataplex Metadata Reader role (roles/dataplex.metadataReader):

resourcemanager.projects.get
resourcemanager.projects.list

Dataplex

The following permissions have been added to the Dataplex Metadata Writer role (roles/dataplex.metadataWriter):

resourcemanager.projects.get
resourcemanager.projects.list

Datastore

The Cloud Datastore Backups Admin role (roles/datastore.backupsAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Admin role (roles/datastore.backupSchedulesAdmin) has reached General Availability (GA).

Datastore

The Cloud Datastore Backup Schedules Viewer role (roles/datastore.backupSchedulesViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Backups Viewer role (roles/datastore.backupsViewer) has reached General Availability (GA).

Datastore

The Cloud Datastore Restore Admin role (roles/datastore.restoreAdmin) has reached General Availability (GA).

Discovery Engine

The following permissions have been added to the Discovery Engine Service Agent role (roles/discoveryengine.serviceAgent):

discoveryengine.conversations.create

Sensitive Data Protection

The DLP Connections Admin role (roles/dlp.connectionsAdmin) has reached General Availability (GA).

Sensitive Data Protection

The DLP Connections Viewer role (roles/dlp.connectionsReader) has reached General Availability (GA).

Basic Role

The following permissions have been added to the Editor role (roles/editor):

commerceprice.privateoffers.sendEmail

Firebase

The following permissions have been added to the Firebase Service Management Service Agent role (roles/firebase.managementServiceAgent):

bigquery.datasets.update

Multi-Cluster Ingress

The following permissions have been added to the Multi Cluster Ingress Service Agent role (roles/multiclusteringress.serviceAgent):

compute.networkEndpointGroups.list

Network Connectivity Center

The following permissions have been added to the Network Connectivity Service Agent role (roles/networkconnectivity.serviceAgent):

compute.subnetworks.setIamPolicy

Basic Role

The following permissions have been added to the Owner role (roles/owner):

commerceprice.privateoffers.sendEmail

Visual Inspection AI

The following permissions have been added to the Visual Inspection AI Service Agent role (roles/visualinspection.serviceAgent):

aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update

VM Migration

The following permissions have been added to the VM Migration Service Agent role (roles/vmmigration.serviceAgent):

compute.images.create
compute.images.get

Cloud Workstations

The following permissions have been added to the Workstations Service Agent role (roles/workstations.serviceAgent):

compute.disks.useReadOnly

Vertex AI

The following permissions have been added:

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

Chrome Enterprise Premium

The following permissions have been added:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

Chrome Enterprise Premium

The following permissions are supported in custom roles:

beyondcorp.partnerTenants.create
beyondcorp.partnerTenants.delete
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.partnerTenants.update
beyondcorp.proxyConfigs.create
beyondcorp.proxyConfigs.delete
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
beyondcorp.proxyConfigs.update

Certificate Manager

The following permissions have reached General Availability (GA):

certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.delete
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use

Cloud AI Companion API

The following permissions have been added:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Cloud AI Companion API

The following permissions are supported in custom roles:

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

Cloud Deploy

The following permissions have been added:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions are supported in custom roles:

clouddeploy.rollouts.rollback

Cloud Deploy

The following permissions have reached General Availability (GA):

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.retryJob

Cloud Quotas

The following permissions have been added:

cloudquotas.quotas.get
cloudquotas.quotas.update

Cloud Quotas

The following permissions are supported in custom roles:

cloudquotas.quotas.get
cloudquotas.quotas.update

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.resellerDiscountConfig.get

Commerce Price Management

The following permissions have been added:

commerceprice.privateoffers.sendEmail

Compute Engine

The following permissions have been added:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions are supported in custom roles:

compute.nodeGroups.performMaintenance

Compute Engine

The following permissions have reached General Availability (GA):

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

Contact Center AI Platform

The following permissions have reached General Availability (GA):

contactcenteraiplatform.contactCenters.program

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Contact Center AI Insights

The following permissions are supported in custom roles:

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update
contactcenterinsights.issueModels.import

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.faqEntries.delete
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqEntries.update
contactcenterinsights.faqModels.create
contactcenterinsights.faqModels.delete
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.faqModels.update

Dataproc

The following permissions have been added:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions are supported in custom roles:

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Dataproc

The following permissions have reached General Availability (GA):

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate

Datastore

The following permissions have been added:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions are supported in custom roles:

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Datastore

The following permissions have reached General Availability (GA):

datastore.backupSchedules.create
datastore.backupSchedules.delete
datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backupSchedules.update
datastore.backups.delete
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase

Sensitive Data Protection

The following permissions have been added:

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

Sensitive Data Protection

The following permissions have reached General Availability (GA):

dlp.connections.create
dlp.connections.delete
dlp.connections.get
dlp.connections.list
dlp.connections.search
dlp.connections.update

GDC Hardware Management API

The following permissions have been added:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

GDC Hardware Management API

The following permissions are supported in custom roles:

gdchardwaremanagement.changeLogEntries.get
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.create
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardware.update
gdchardwaremanagement.hardwareGroups.create
gdchardwaremanagement.hardwareGroups.delete
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.hardwareGroups.update
gdchardwaremanagement.locations.get
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.cancel
gdchardwaremanagement.operations.delete
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.delete
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.submit
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.create
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.sites.update
gdchardwaremanagement.skus.get
gdchardwaremanagement.skus.list

Cloud Healthcare API

The following permissions have been added:

healthcare.fhirStores.applyConsents
healthcare.fhirStores.rollback

Cloud Healthcare API

The following permissions are supported in custom roles:

healthcare.fhirStores.rollback

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.update
issuerswitch.managedAccounts.get
issuerswitch.managedAccounts.update

Network Services

The following permissions have been added:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Network Services

The following permissions are supported in custom roles:

networkservices.serviceLbPolicies.create
networkservices.serviceLbPolicies.delete
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.serviceLbPolicies.update

Recommender

The following permissions have been added:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralInsights.update
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.update

Cloud Run

The following permissions have been added:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions are supported in custom roles:

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Cloud Run

The following permissions have reached General Availability (GA):

run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings

Secure Source Manager

The following permissions have been added:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Secure Source Manager

The following permissions are supported in custom roles:

securesourcemanager.instances.access
securesourcemanager.instances.create
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.get
securesourcemanager.locations.list
securesourcemanager.operations.cancel
securesourcemanager.operations.delete
securesourcemanager.operations.get
securesourcemanager.operations.list
securesourcemanager.repositories.create
securesourcemanager.repositories.delete
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.setIamPolicy
securesourcemanager.repositories.update
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.createAny
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.deleteAny
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
securesourcemanager.sshkeys.listAny

Workload Manager

The following permissions have been added:

workloadmanager.actuations.create
workloadmanager.actuations.delete
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.create
workloadmanager.deployments.delete
workloadmanager.deployments.get
workloadmanager.deployments.list

IAM changes as of 2023-08-18

Service Description
Cloud Deploy

The following permissions have been added to the Cloud Deploy Service Agent role (roles/clouddeploy.serviceAgent):

iam.serviceAccounts.getAccessToken

Contact Center AI Insights

The following permissions have been added to the Contact Center AI Insights Service Agent role (roles/contactcenterinsights.serviceAgent):

storage.objects.create
storage.objects.update

Dataplex

The following permissions have been added to the Dataplex DataScan Administrator role (roles/dataplex.dataScanAdmin):

dataplex.operations.get
dataplex.operations.list

Dataplex

The following permissions have been added to the Dataplex DataScan Editor role (roles/dataplex.dataScanEditor):

dataplex.operations.get
dataplex.operations.list

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

compute.regionOperations.get

Cloud Storage

The Storage Object User role (roles/storage.objectUser) has reached General Availability (GA).

Vertex AI

The following permissions have been added:

aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.setIamPolicy

Commerce Business Enablement

The following permissions have been added:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Commerce Business Enablement

The following permissions are supported in custom roles:

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Contact Center AI Platform

The following permissions have been added:

contactcenteraiplatform.contactCenters.program

Contact Center AI Platform

The following permissions are supported in custom roles:

contactcenteraiplatform.contactCenters.program

GKE Hub

The following permissions have been added:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions are supported in custom roles:

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

GKE Hub

The following permissions have reached General Availability (GA):

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update
gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkehub.scopes.update

Payment Gateway issuer switch

The following permissions have been added:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Payment Gateway issuer switch

The following permissions are supported in custom roles:

issuerswitch.accountManagerTransactions.list
issuerswitch.issuerParticipants.get
issuerswitch.issuerParticipants.update

Recommender

The following permissions have been added:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskInsights.update
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.update
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskInsights.update
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.update
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskInsights.update
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.update

IAM changes as of 2023-08-11

Service Description
Vertex AI

The following permissions have been added to the Vertex AI Service Agent role (roles/aiplatform.serviceAgent):

run.routes.invoke
run.services.create
run.services.delete
run.services.get

Firebase Remote Config

The following permissions have been removed from the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.get
krmapihosting.operations.list

Database Migration Service

The following permissions have been added to the Database Migration Service Agent role (roles/datamigration.serviceAgent):

compute.networks.list
compute.routers.list

Google Cloud Migration Center

The following permissions have been added to the Migration Center Admin role (roles/migrationcenter.admin):

serviceusage.quotas.get

Google Cloud Migration Center

The following permissions have been added to the Migration Center Viewer role (roles/migrationcenter.viewer):

serviceusage.quotas.get

Serverless Integrations

The following permissions have been added to the Serverless Integrations Service Agent role (roles/runapps.serviceAgent):

run.jobs.get
run.jobs.list

Security Command Center

The Security Center Attack Paths Reader role (roles/securitycenter.attackPathsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Editor role (roles/securitycenter.resourceValueConfigsEditor) has reached General Availability (GA).

Security Command Center

The Security Center Resource Value Configurations Viewer role (roles/securitycenter.resourceValueConfigsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Simulations Reader role (roles/securitycenter.simulationsViewer) has reached General Availability (GA).

Security Command Center

The Security Center Valued Resources Reader role (roles/securitycenter.valuedResourcesViewer) has reached General Availability (GA).

BigQuery Reservation API

The following permissions have been added:

bigqueryreservation.googleapis.com/reservations.create
bigqueryreservation.googleapis.com/reservations.delete
bigqueryreservation.googleapis.com/reservations.get
bigqueryreservation.googleapis.com/reservations.list
bigqueryreservation.googleapis.com/reservations.update

Commerce Agreement Publishing

The following permissions have been added:

commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update

Compute Engine

The following permissions have been added:

compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.futureReservations.setIamPolicy
compute.futureReservations.update
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy

Compute Engine

The following permissions are supported in custom roles:

compute.futureReservations.getIamPolicy
compute.futureReservations.setIamPolicy
compute.networkAttachments.getIamPolicy
compute.networkAttachments.setIamPolicy
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update

Compute Engine

The following permissions have reached General Availability (GA):

compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.setIamPolicy
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.detachNetworkEndpoints

Contact Center AI Insights

The following permissions have been added:

contactcenterinsights.issueModels.export

Contact Center AI Insights

The following permissions are supported in custom roles:

contactcenterinsights.issueModels.export

Contact Center AI Insights

The following permissions have reached General Availability (GA):

contactcenterinsights.issueModels.export

Datastore

The following permissions have been added:

datastore.databases.delete

Datastore

The following permissions have reached General Availability (GA):

datastore.databases.delete

Recommender

The following permissions have been added:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Recommender

The following permissions are supported in custom roles:

recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralInsights.update
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.cloudCostGeneralRecommendations.update
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralInsights.update
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudManageabilityGeneralRecommendations.update
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralInsights.update
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudPerformanceGeneralRecommendations.update
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralInsights.update
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudReliabilityGeneralRecommendations.update
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralInsights.update
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudSecurityGeneralRecommendations.update

Security Command Center

The following permissions have been added:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions are supported in custom roles:

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

Security Command Center

The following permissions have reached General Availability (GA):

securitycenter.attackpaths.list
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.simulations.get
securitycenter.valuedresources.list

IAM changes as of 2023-08-04

Service Description
Cloud Billing

The following permissions have been added to the Billing Account Administrator role (roles/billing.admin):

cloudasset.assets.searchAllResources

Firebase Remote Config

The following permissions have been added to the Cloud Config Service Agent role (roles/cloudconfig.serviceAgent):

iam.serviceAccounts.actAs

Google Cloud Support

The following permissions have been added to the Tech Support Editor role (roles/cloudsupport.techSupportEditor):

cloudasset.assets.searchAllResources

Dialogflow

The following permissions have been added to the Dialogflow Service Agent role (roles/dialogflow.serviceAgent):

bigquery.jobs.create
bigquery.tables.getData

Discovery Engine

The following permissions have been added to the Discovery Engine Admin role (roles/discoveryengine.admin):

discoveryengine.engines.update

Eventarc

The following permissions have been added to the Eventarc Service Agent role (roles/eventarc.serviceAgent):

iam.serviceAccounts.getOpenIdToken

GKE Dataplane Management

The Warp Run Service Agent role (roles/gkedataplanemanagement.warpRunServiceAgent) has reached General Availability (GA).

Cloud Integrations

The following permissions have been added to the Application Integration Service Agent role (roles/integrations.serviceAgent):

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list

Recommender

The Recommendations Exporter role (roles/recommender.exporter) has reached General Availability (GA).

Workload Manager

The following permissions have been added to the Workload Manager Service Agent role (roles/workloadmanager.serviceAgent):

config.resources.list

Cloud Workstations

The following permissions have been added to the Cloud Workstations User role (roles/workstations.user):

workstations.workstations.update

Apigee

The following permissions have been added:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions are supported in custom roles:

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Apigee

The following permissions have reached General Availability (GA):

apigee.securityProfiles.create
apigee.securityProfiles.delete
apigee.securityProfiles.update

Content Warehouse

The following permissions have been added:

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Content Warehouse

The following permissions have reached General Availability (GA):

contentwarehouse.dataExportJobs.create
contentwarehouse.dataExportJobs.update
contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update
contentwarehouse.schemas.create
contentwarehouse.schemas.delete
contentwarehouse.schemas.get
contentwarehouse.schemas.list
contentwarehouse.schemas.update

Discovery Engine

The following permissions have been added:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.enrollSolutions
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.dataStores.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.models.create
discoveryengine.models.delete
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.models.pause
discoveryengine.models.resume
discoveryengine.models.tune
discoveryengine.models.update
discoveryengine.projects.get
discoveryengine.projects.provision
discoveryengine.projects.reportConsentChange
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.update
discoveryengine.servingConfigs.create
discoveryengine.servingConfigs.delete
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.update
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.batchCreate
discoveryengine.targetSites.create
discoveryengine.targetSites.delete
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.targetSites.update
discoveryengine.userEvents.fetchStats
discoveryengine.userEvents.purge
discoveryengine.widgetConfigs.get
discoveryengine.widgetConfigs.update

Discovery Engine

The following permissions are supported in custom roles:

discoveryengine.completionConfigs.get
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.controls.update
discoveryengine.conversations.create
discoveryengine.conversations.delete
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.conversations.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.update
discoveryengine.targetSites.batchCreate