From acd9db815a11eef05a2005a4b24bd4f331ecfa15 Mon Sep 17 00:00:00 2001
From: AedinC
Date: Thu, 23 Oct 2025 10:48:51 +0100
Subject: [PATCH] OSDOCS-16649:Added permissions to required roles table in OSD WIF docs.
---
 modules/ccs-gcp-customer-procedure-wif.adoc | 79 ++++++++++++++++++---
 1 file changed, 71 insertions(+), 8 deletions(-)
diff --git a/modules/ccs-gcp-customer-procedure-wif.adoc b/modules/ccs-gcp-customer-procedure-wif.adoc
index 8b90085cc0e8..3b77a247ad11 100644
--- a/modules/ccs-gcp-customer-procedure-wif.adoc
+++ b/modules/ccs-gcp-customer-procedure-wif.adoc
@@ -18,27 +18,90 @@ The following roles are only required when creating, updating, or deleting WIF c
 ====
+
 .Required roles
-[cols="2a,3a,3a",options="header"]
-
+[cols="5a,3a,5a",options="header"]
 |===
-|Role|Console role name|Role purpose
+|Role and description|Console role name|Permissions
+
+|Role Admin
+
+Required by the {gcp-short} client in the OCM CLI for creating custom role.
-|Role Administrator
 |`roles/iam.roleAdmin`
-|Required by the {gcp-short} client in the OCM CLI for creating custom roles.
+|* iam.roles.create
+* iam.roles.delete
+* iam.roles.get
+* iam.roles.list
+* iam.roles.undelete
+* iam.roles.update
+* resourcemanager.projects.get
+* resourcemanager.projects.getIamPolicy
 |Service Account Admin
+
+Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
 |`roles/iam.serviceAccountAdmin`
-|Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
+|* iam.serviceAccountApiKeyBindings.create
+* iam.serviceAccountApiKeyBindings.delete
+* iam.serviceAccountApiKeyBindings.undelete
+* iam.serviceAccounts.create
+* iam.serviceAccounts.createTagBinding
+* iam.serviceAccounts.delete
+* iam.serviceAccounts.deleteTagBinding
+* iam.serviceAccounts.disable
+* iam.serviceAccounts.enable
+* iam.serviceAccounts.get
+* iam.serviceAccounts.getIamPolicy
+* iam.serviceAccounts.list
+* iam.serviceAccounts.listEffectiveTags
+* iam.serviceAccounts.listTagBindings
+* iam.serviceAccounts.setIamPolicy
+* iam.serviceAccounts.undelete
+* iam.serviceAccounts.update
+* resourcemanager.projects.get
+* resourcemanager.projects.list
 |Workload Identity Pool Admin
+
+Required to create and configure the workload identity pool.
 |`roles/iam.workloadIdentityPoolAdmin`
-|Required to create and configure the workload identity pool.
+|* iam.googleapis.com/workloadIdentityPoolProviderKeys.create
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.get
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.list
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
+* iam.googleapis.com/workloadIdentityPoolProviders.create
+* iam.googleapis.com/workloadIdentityPoolProviders.delete
+* iam.googleapis.com/workloadIdentityPoolProviders.get
+* iam.googleapis.com/workloadIdentityPoolProviders.list
+* iam.googleapis.com/workloadIdentityPoolProviders.undelete
+* iam.googleapis.com/workloadIdentityPoolProviders.update
+* iam.googleapis.com/workloadIdentityPools.create
+* iam.googleapis.com/workloadIdentityPools.delete
+* iam.googleapis.com/workloadIdentityPools.get
+* iam.googleapis.com/workloadIdentityPools.list
+* iam.googleapis.com/workloadIdentityPools.undelete
+* iam.googleapis.com/workloadIdentityPools.update
+* iam.workloadIdentityPools.createPolicyBinding
+* iam.workloadIdentityPools.deletePolicyBinding
+* iam.workloadIdentityPools.searchPolicyBindings
+* iam.workloadIdentityPools.updatePolicyBinding
+* resourcemanager.projects.get
+* resourcemanager.projects.list
 |Project IAM Admin
+
+Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
 |`roles/resourcemanager.projectIamAdmin`
-|Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
+|* iam.policybindings.get
+* iam.policybindings.list
+* resourcemanager.projects.createPolicyBinding
+* resourcemanager.projects.deletePolicyBinding
+* resourcemanager.projects.get
+* resourcemanager.projects.getIamPolicy
+* resourcemanager.projects.searchPolicyBindings
+* resourcemanager.projects.setIamPolicy
+* resourcemanager.projects.updatePolicyBinding
 |===