GCP IAM Updates Detected

jdyke · Dec 2, 2023 · a254259 · a254259
1 parent 8fcb5f5
commit a254259
Show file tree

Hide file tree

Showing 60 changed files with 508 additions and 31 deletions.
diff --git a/roles/billing.admin b/roles/billing.admin
@@ -110,6 +110,8 @@
     "recommender.costInsights.get",
     "recommender.costInsights.list",
     "recommender.costInsights.update",
+    "recommender.costRecommendations.listAll",
+    "recommender.costRecommendations.summarizeAll",
     "recommender.resourcemanagerProjectUtilizationRecommendations.get",
     "recommender.resourcemanagerProjectUtilizationRecommendations.list",
     "recommender.spendBasedCommitmentInsights.get",

diff --git a/roles/billing.viewer b/roles/billing.viewer
@@ -48,6 +48,8 @@
     "recommender.commitmentUtilizationInsights.list",
     "recommender.costInsights.get",
     "recommender.costInsights.list",
+    "recommender.costRecommendations.listAll",
+    "recommender.costRecommendations.summarizeAll",
     "recommender.spendBasedCommitmentInsights.get",
     "recommender.spendBasedCommitmentInsights.list",
     "recommender.spendBasedCommitmentRecommendations.get",

diff --git a/roles/clouddeploy.admin b/roles/clouddeploy.admin
@@ -2,7 +2,20 @@
   "description": "Full control of Cloud Deploy resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "clouddeploy.automationRuns.cancel",
+    "clouddeploy.automationRuns.get",
+    "clouddeploy.automationRuns.list",
+    "clouddeploy.automations.create",
+    "clouddeploy.automations.delete",
+    "clouddeploy.automations.get",
+    "clouddeploy.automations.list",
+    "clouddeploy.automations.update",
     "clouddeploy.config.get",
+    "clouddeploy.customTargetTypes.create",
+    "clouddeploy.customTargetTypes.delete",
+    "clouddeploy.customTargetTypes.get",
+    "clouddeploy.customTargetTypes.list",
+    "clouddeploy.customTargetTypes.update",
     "clouddeploy.deliveryPipelines.create",
     "clouddeploy.deliveryPipelines.delete",
     "clouddeploy.deliveryPipelines.get",

diff --git a/roles/clouddeploy.customTargetTypeAdmin b/roles/clouddeploy.customTargetTypeAdmin
@@ -0,0 +1,17 @@
+{
+  "description": "Permission to manage CustomTargetType resources",
+  "etag": "AA==",
+  "includedPermissions": [
+    "clouddeploy.config.get",
+    "clouddeploy.customTargetTypes.create",
+    "clouddeploy.customTargetTypes.delete",
+    "clouddeploy.customTargetTypes.get",
+    "clouddeploy.customTargetTypes.list",
+    "clouddeploy.customTargetTypes.update",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/clouddeploy.customTargetTypeAdmin",
+  "stage": "ALPHA",
+  "title": "Cloud Deploy Custom Target Type Admin"
+}
diff --git a/roles/clouddeploy.developer b/roles/clouddeploy.developer
@@ -2,6 +2,10 @@
   "description": "Permission to manage deployment configuration without permission to access operational resources, such as targets.",
   "etag": "AA==",
   "includedPermissions": [
+    "clouddeploy.automationRuns.get",
+    "clouddeploy.automationRuns.list",
+    "clouddeploy.automations.get",
+    "clouddeploy.automations.list",
     "clouddeploy.config.get",
     "clouddeploy.deliveryPipelines.create",
     "clouddeploy.deliveryPipelines.delete",

diff --git a/roles/clouddeploy.operator b/roles/clouddeploy.operator
@@ -2,7 +2,17 @@
   "description": "Permission to manage deployment configuration.",
   "etag": "AA==",
   "includedPermissions": [
+    "clouddeploy.automationRuns.cancel",
+    "clouddeploy.automationRuns.get",
+    "clouddeploy.automationRuns.list",
+    "clouddeploy.automations.create",
+    "clouddeploy.automations.delete",
+    "clouddeploy.automations.get",
+    "clouddeploy.automations.list",
+    "clouddeploy.automations.update",
     "clouddeploy.config.get",
+    "clouddeploy.customTargetTypes.get",
+    "clouddeploy.customTargetTypes.list",
     "clouddeploy.deliveryPipelines.create",
     "clouddeploy.deliveryPipelines.delete",
     "clouddeploy.deliveryPipelines.get",

diff --git a/roles/clouddeploy.releaser b/roles/clouddeploy.releaser
@@ -3,6 +3,7 @@
   "etag": "AA==",
   "includedPermissions": [
     "clouddeploy.config.get",
+    "clouddeploy.customTargetTypes.get",
     "clouddeploy.deliveryPipelines.get",
     "clouddeploy.jobRuns.get",
     "clouddeploy.jobRuns.list",

diff --git a/roles/clouddeploy.viewer b/roles/clouddeploy.viewer
@@ -2,7 +2,13 @@
   "description": "Can view Cloud Deploy resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "clouddeploy.automationRuns.get",
+    "clouddeploy.automationRuns.list",
+    "clouddeploy.automations.get",
+    "clouddeploy.automations.list",
     "clouddeploy.config.get",
+    "clouddeploy.customTargetTypes.get",
+    "clouddeploy.customTargetTypes.list",
     "clouddeploy.deliveryPipelines.get",
     "clouddeploy.deliveryPipelines.getIamPolicy",
     "clouddeploy.deliveryPipelines.list",

diff --git a/roles/cloudsql.admin b/roles/cloudsql.admin
@@ -43,7 +43,6 @@
     "cloudsql.instances.truncateLog",
     "cloudsql.instances.update",
     "cloudsql.sslCerts.create",
-    "cloudsql.sslCerts.createEphemeral",
     "cloudsql.sslCerts.delete",
     "cloudsql.sslCerts.get",
     "cloudsql.sslCerts.list",

diff --git a/roles/composer.environmentAndStorageObjectAdmin b/roles/composer.environmentAndStorageObjectAdmin
@@ -35,7 +35,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/composer.environmentAndStorageObjectAdmin",

diff --git a/roles/composer.serviceAgent b/roles/composer.serviceAgent
@@ -71,7 +71,6 @@
     "cloudsql.instances.truncateLog",
     "cloudsql.instances.update",
     "cloudsql.sslCerts.create",
-    "cloudsql.sslCerts.createEphemeral",
     "cloudsql.sslCerts.delete",
     "cloudsql.sslCerts.get",
     "cloudsql.sslCerts.list",
@@ -1647,6 +1646,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -1670,7 +1670,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update",
     "trafficdirector.networks.getConfigs",
     "trafficdirector.networks.reportMetrics"

diff --git a/roles/composer.worker b/roles/composer.worker
@@ -558,7 +558,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/composer.worker",

diff --git a/roles/container.nodeServiceAccount b/roles/container.nodeServiceAccount
diff --git a/roles/dataflow.serviceAgent b/roles/dataflow.serviceAgent
@@ -1183,6 +1183,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -1206,7 +1207,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update",
     "trafficdirector.networks.getConfigs",
     "trafficdirector.networks.reportMetrics"

diff --git a/roles/datafusion.serviceAgent b/roles/datafusion.serviceAgent
@@ -467,6 +467,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -490,7 +491,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update",
     "trafficdirector.networks.getConfigs",
     "trafficdirector.networks.reportMetrics"

diff --git a/roles/datapipelines.serviceAgent b/roles/datapipelines.serviceAgent
@@ -62,6 +62,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -85,7 +86,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/datapipelines.serviceAgent",

diff --git a/roles/dataplex.serviceAgent b/roles/dataplex.serviceAgent
@@ -155,6 +155,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -178,7 +179,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/dataplex.serviceAgent",

diff --git a/roles/dataprep.serviceAgent b/roles/dataprep.serviceAgent
@@ -387,7 +387,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/dataprep.serviceAgent",

diff --git a/roles/dataproc.serviceAgent b/roles/dataproc.serviceAgent
@@ -285,6 +285,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -308,7 +309,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/dataproc.serviceAgent",

diff --git a/roles/dataproc.worker b/roles/dataproc.worker
@@ -32,7 +32,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/dataproc.worker",

diff --git a/roles/dlp.serviceAgent b/roles/dlp.serviceAgent
@@ -166,6 +166,7 @@
     "storage.buckets.createTagBinding",
     "storage.buckets.delete",
     "storage.buckets.deleteTagBinding",
+    "storage.buckets.enableObjectRetention",
     "storage.buckets.get",
     "storage.buckets.getIamPolicy",
     "storage.buckets.getObjectInsights",
@@ -189,7 +190,9 @@
     "storage.objects.get",
     "storage.objects.getIamPolicy",
     "storage.objects.list",
+    "storage.objects.overrideUnlockedRetention",
     "storage.objects.setIamPolicy",
+    "storage.objects.setRetention",
     "storage.objects.update"
   ],
   "name": "roles/dlp.serviceAgent",