GCP IAM Updates Detected

jdyke · Mar 24, 2024 · 74d9f01 · 74d9f01
1 parent a38ae82
commit 74d9f01
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 21 deletions.
diff --git a/roles/apihub.admin b/roles/apihub.admin
@@ -2,6 +2,25 @@
   "description": "Full access to Cloud API Hub Registry and Runtime resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "apihub.apis.create",
+    "apihub.apis.delete",
+    "apihub.apis.get",
+    "apihub.apis.list",
+    "apihub.apis.update",
+    "apihub.operations.cancel",
+    "apihub.operations.delete",
+    "apihub.operations.get",
+    "apihub.operations.list",
+    "apihub.specs.create",
+    "apihub.specs.delete",
+    "apihub.specs.get",
+    "apihub.specs.list",
+    "apihub.specs.update",
+    "apihub.versions.create",
+    "apihub.versions.delete",
+    "apihub.versions.get",
+    "apihub.versions.list",
+    "apihub.versions.update",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/apihub.viewer b/roles/apihub.viewer
@@ -2,6 +2,12 @@
   "description": "Read-only access to Cloud API Hub Registry resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "apihub.apis.get",
+    "apihub.apis.list",
+    "apihub.specs.get",
+    "apihub.specs.list",
+    "apihub.versions.get",
+    "apihub.versions.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/gdchardwaremanagement.admin b/roles/gdchardwaremanagement.admin
@@ -33,6 +33,11 @@
     "gdchardwaremanagement.sites.update",
     "gdchardwaremanagement.skus.get",
     "gdchardwaremanagement.skus.list",
+    "gdchardwaremanagement.zones.create",
+    "gdchardwaremanagement.zones.delete",
+    "gdchardwaremanagement.zones.get",
+    "gdchardwaremanagement.zones.list",
+    "gdchardwaremanagement.zones.update",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/gdchardwaremanagement.operator b/roles/gdchardwaremanagement.operator
@@ -29,6 +29,11 @@
     "gdchardwaremanagement.sites.update",
     "gdchardwaremanagement.skus.get",
     "gdchardwaremanagement.skus.list",
+    "gdchardwaremanagement.zones.create",
+    "gdchardwaremanagement.zones.delete",
+    "gdchardwaremanagement.zones.get",
+    "gdchardwaremanagement.zones.list",
+    "gdchardwaremanagement.zones.update",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/gdchardwaremanagement.reader b/roles/gdchardwaremanagement.reader
@@ -20,6 +20,8 @@
     "gdchardwaremanagement.sites.list",
     "gdchardwaremanagement.skus.get",
     "gdchardwaremanagement.skus.list",
+    "gdchardwaremanagement.zones.get",
+    "gdchardwaremanagement.zones.list",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

diff --git a/roles/privilegedaccessmanager.admin b/roles/privilegedaccessmanager.admin
@@ -11,6 +11,7 @@
     "privilegedaccessmanager.grants.get",
     "privilegedaccessmanager.grants.list",
     "privilegedaccessmanager.grants.revoke",
+    "privilegedaccessmanager.locations.checkOnboardingStatus",
     "privilegedaccessmanager.locations.get",
     "privilegedaccessmanager.locations.list",
     "privilegedaccessmanager.operations.delete",

diff --git a/roles/privilegedaccessmanager.approver b/roles/privilegedaccessmanager.approver
diff --git a/roles/privilegedaccessmanager.requester b/roles/privilegedaccessmanager.requester
diff --git a/roles/privilegedaccessmanager.serviceAgent b/roles/privilegedaccessmanager.serviceAgent
@@ -0,0 +1,18 @@
+{
+  "description": "Gives privileged access manager service account access to modify IAM policies on GCP resources",
+  "etag": "AA==",
+  "includedPermissions": [
+    "resourcemanager.folders.get",
+    "resourcemanager.folders.getIamPolicy",
+    "resourcemanager.folders.setIamPolicy",
+    "resourcemanager.organizations.get",
+    "resourcemanager.organizations.getIamPolicy",
+    "resourcemanager.organizations.setIamPolicy",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.getIamPolicy",
+    "resourcemanager.projects.setIamPolicy"
+  ],
+  "name": "roles/privilegedaccessmanager.serviceAgent",
+  "stage": "ALPHA",
+  "title": "Privileged Access Manager Service Agent"
+}