diff --git a/manifests/0000_30_cluster-api_00_credentials-request.yaml b/manifests/0000_30_cluster-api_00_credentials-request.yaml
index 383f71b36..b9367bd58 100644
--- a/manifests/0000_30_cluster-api_00_credentials-request.yaml
+++ b/manifests/0000_30_cluster-api_00_credentials-request.yaml
@@ -165,10 +165,57 @@ spec:
 apiVersion: cloudcredential.openshift.io/v1
 kind: GCPProviderSpec
 skipServiceCheck: true
- predefinedRoles:
- - "roles/compute.instanceAdmin.v1"
- - "roles/iam.serviceAccountUser"
- - "roles/compute.loadBalancerAdmin"
+ permissions:
+ - "compute.addresses.create"
+ - "compute.addresses.delete"
+ - "compute.addresses.get"
+ - "compute.addresses.useInternal"
+ - "compute.backendServices.create"
+ - "compute.backendServices.delete"
+ - "compute.backendServices.get"
+ - "compute.backendServices.update"
+ - "compute.disks.create"
+ - "compute.disks.setLabels"
+ - "compute.firewalls.create"
+ - "compute.firewalls.delete"
+ - "compute.firewalls.get"
+ - "compute.firewalls.update"
+ - "compute.forwardingRules.create"
+ - "compute.forwardingRules.delete"
+ - "compute.forwardingRules.get"
+ - "compute.healthChecks.create"
+ - "compute.healthChecks.delete"
+ - "compute.healthChecks.get"
+ - "compute.instanceGroups.create"
+ - "compute.instanceGroups.delete"
+ - "compute.instanceGroups.get"
+ - "compute.instanceGroups.list"
+ - "compute.instances.create"
+ - "compute.instances.delete"
+ - "compute.instances.get"
+ - "compute.instances.setLabels"
+ - "compute.instances.setMetadata"
+ - "compute.instances.setServiceAccount"
+ - "compute.instances.setTags"
+ - "compute.networks.create"
+ - "compute.networks.delete"
+ - "compute.networks.get"
+ - "compute.routers.create"
+ - "compute.routers.delete"
+ - "compute.routers.get"
+ - "compute.subnetworks.create"
+ - "compute.subnetworks.delete"
+ - "compute.subnetworks.get"
+ - "compute.subnetworks.use"
+ - "compute.targetTcpProxies.create"
+ - "compute.targetTcpProxies.delete"
+ - "compute.targetTcpProxies.get"
+ - "compute.zones.get"
+ - "compute.zones.list"
+ - "iam.serviceAccounts.actAs"
+ - "iam.serviceAccounts.get"
+ - "iam.serviceAccounts.list"
+ # includes compute.targetPools.* currently used to add masters to LB in DR scenarios.
# https://cloud.google.com/compute/docs/access/iam#compute.loadBalancerAdmin ---
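Review bot: The two comment lines at the end of this hunk still describe `roles/compute.loadBalancerAdmin` ("includes compute.targetPools.*" plus that role's documentation URL), but the role is removed here and the new `permissions` list contains no `compute.targetPools.*` entry. If the DR path that adds masters to the load balancer still uses target pools, this credential would presumably be denied there; if it does not, the comment is stale and will mislead the next person auditing this grant. Either list the specific target-pool permissions that path needs, or replace the comment with something like `# target pools are no longer used; LB access is limited to the permissions listed above`. Since `iam.serviceAccounts.actAs` and `compute.instances.setServiceAccount` are the most sensitive grants kept, a one-line comment saying which controller operation needs each would help later least-privilege reviews. The CredentialsRequest document this list belongs to starts above the hunk.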