Fetch all roles

bgeesaman · bgeesaman · commit b66aa22d5d86 · 2025-06-07T01:30:58.000Z
diff --git a/gcp_roles_cai.json b/gcp_roles_cai.json
diff --git a/roles/backupdr.backupUser b/roles/backupdr.backupUser
@@ -13,6 +13,8 @@
     "backupdr.backupPlanAssociations.triggerBackupForComputeInstance",
     "backupdr.backupPlanAssociations.updateForComputeDisk",
     "backupdr.backupPlanAssociations.updateForComputeInstance",
+    "backupdr.backupPlanRevisions.get",
+    "backupdr.backupPlanRevisions.list",
     "backupdr.backupPlans.get",
     "backupdr.backupPlans.list",
     "backupdr.backupPlans.useForComputeDisk",
diff --git a/roles/backupdr.serviceAgent b/roles/backupdr.serviceAgent
@@ -2,6 +2,7 @@
   "description": "Grants the Backup and DR Service access to discover and protect GCP resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "alloydb.operations.get",
     "cloudsql.instances.get",
     "compute.addresses.list",
     "compute.addresses.use",
diff --git a/roles/chronicle.admin b/roles/chronicle.admin
@@ -161,6 +161,10 @@
     "chronicle.instances.report",
     "chronicle.instances.update",
     "chronicle.instances.verifyNonce",
+    "chronicle.iocAssociations.batchGet",
+    "chronicle.iocAssociations.fetchRelatedIocAssociations",
+    "chronicle.iocAssociations.fetchRelatedThreatCollections",
+    "chronicle.iocAssociations.get",
     "chronicle.iocMatches.get",
     "chronicle.iocMatches.list",
     "chronicle.iocState.get",
@@ -277,6 +281,10 @@
     "chronicle.searchQueries.get",
     "chronicle.searchQueries.list",
     "chronicle.searchQueries.update",
+    "chronicle.threatCollections.fetchIocMatchMetadata",
+    "chronicle.threatCollections.fetchRuleMetadata",
+    "chronicle.threatCollections.get",
+    "chronicle.threatCollections.list",
     "chronicle.validationErrors.list",
     "chronicle.validationReports.get",
     "chronicle.watchlists.create",
diff --git a/roles/clouddeploy.developer b/roles/clouddeploy.developer
@@ -29,7 +29,6 @@
     "clouddeploy.operations.list",
     "clouddeploy.releases.abandon",
     "clouddeploy.releases.create",
-    "clouddeploy.releases.delete",
     "clouddeploy.releases.get",
     "clouddeploy.releases.list",
     "clouddeploy.rollouts.get",
diff --git a/roles/clouddeploy.operator b/roles/clouddeploy.operator
@@ -38,7 +38,6 @@
     "clouddeploy.operations.list",
     "clouddeploy.releases.abandon",
     "clouddeploy.releases.create",
-    "clouddeploy.releases.delete",
     "clouddeploy.releases.get",
     "clouddeploy.releases.list",
     "clouddeploy.rollouts.advance",
diff --git a/roles/compliancescanning.serviceAgent b/roles/compliancescanning.serviceAgent
@@ -28,12 +28,15 @@
     "artifactregistry.tags.list",
     "artifactregistry.versions.get",
     "artifactregistry.versions.list",
+    "compute.globalOperations.get",
     "compute.images.get",
     "compute.images.list",
     "compute.images.useReadOnly",
     "compute.instances.get",
     "compute.instances.getGuestAttributes",
     "compute.instances.list",
+    "compute.regionOperations.get",
+    "compute.zoneOperations.get",
     "compute.zones.get",
     "compute.zones.list",
     "containeranalysis.notes.attachOccurrence",
diff --git a/roles/compute.serviceAgent b/roles/compute.serviceAgent
@@ -10,6 +10,7 @@
     "compute.disks.setLabels",
     "compute.disks.use",
     "compute.disks.useReadOnly",
+    "compute.globalOperations.get",
     "compute.images.useReadOnly",
     "compute.instanceGroupManagers.get",
     "compute.instanceTemplates.useReadOnly",
@@ -24,10 +25,12 @@
     "compute.machineImages.useReadOnly",
     "compute.networks.use",
     "compute.networks.useExternalIp",
+    "compute.regionOperations.get",
     "compute.resourcePolicies.use",
     "compute.snapshots.useReadOnly",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.zoneOperations.get",
     "iam.serviceAccounts.actAs",
     "iam.serviceAccounts.getAccessToken",
     "iam.serviceAccounts.getOpenIdToken",
diff --git a/roles/datastream.bigqueryWriter b/roles/datastream.bigqueryWriter
@@ -0,0 +1,72 @@
+{
+  "description": "Permissions needed for datastream to write to BigQuery.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "bigquery.connections.delegate",
+    "bigquery.connections.get",
+    "bigquery.datasets.create",
+    "bigquery.datasets.get",
+    "bigquery.jobs.create",
+    "bigquery.jobs.delete",
+    "bigquery.jobs.get",
+    "bigquery.jobs.list",
+    "bigquery.jobs.update",
+    "bigquery.tables.create",
+    "bigquery.tables.get",
+    "bigquery.tables.getData",
+    "bigquery.tables.list",
+    "bigquery.tables.update",
+    "bigquery.tables.updateData",
+    "datastream.connectionProfiles.create",
+    "datastream.connectionProfiles.delete",
+    "datastream.connectionProfiles.destinationTypes",
+    "datastream.connectionProfiles.discover",
+    "datastream.connectionProfiles.get",
+    "datastream.connectionProfiles.getIamPolicy",
+    "datastream.connectionProfiles.list",
+    "datastream.connectionProfiles.listEffectiveTags",
+    "datastream.connectionProfiles.listStaticServiceIps",
+    "datastream.connectionProfiles.listTagBindings",
+    "datastream.connectionProfiles.sourceTypes",
+    "datastream.connectionProfiles.update",
+    "datastream.locations.fetchStaticIps",
+    "datastream.locations.get",
+    "datastream.locations.list",
+    "datastream.objects.get",
+    "datastream.objects.list",
+    "datastream.objects.startBackfillJob",
+    "datastream.objects.stopBackfillJob",
+    "datastream.operations.cancel",
+    "datastream.operations.delete",
+    "datastream.operations.get",
+    "datastream.operations.list",
+    "datastream.privateConnections.create",
+    "datastream.privateConnections.delete",
+    "datastream.privateConnections.get",
+    "datastream.privateConnections.getIamPolicy",
+    "datastream.privateConnections.list",
+    "datastream.privateConnections.listEffectiveTags",
+    "datastream.privateConnections.listTagBindings",
+    "datastream.routes.create",
+    "datastream.routes.delete",
+    "datastream.routes.get",
+    "datastream.routes.getIamPolicy",
+    "datastream.routes.list",
+    "datastream.streams.computeState",
+    "datastream.streams.create",
+    "datastream.streams.delete",
+    "datastream.streams.fetchErrors",
+    "datastream.streams.get",
+    "datastream.streams.getIamPolicy",
+    "datastream.streams.list",
+    "datastream.streams.listEffectiveTags",
+    "datastream.streams.listTagBindings",
+    "datastream.streams.pause",
+    "datastream.streams.resume",
+    "datastream.streams.start",
+    "datastream.streams.update"
+  ],
+  "name": "roles/datastream.bigqueryWriter",
+  "stage": "GA",
+  "title": "Datastream Bigquery Writer"
+}
diff --git a/roles/developerconnect.insightsAdmin b/roles/developerconnect.insightsAdmin
@@ -0,0 +1,15 @@
+{
+  "description": "Admin access to Developer Connect Insights resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "developerconnect.locations.get",
+    "developerconnect.locations.list",
+    "developerconnect.operations.get",
+    "developerconnect.operations.list",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/developerconnect.insightsAdmin",
+  "stage": "BETA",
+  "title": "Developer Connect Insights Admin"
+}
diff --git a/roles/developerconnect.insightsAgent b/roles/developerconnect.insightsAgent
@@ -0,0 +1,18 @@
+{
+  "description": "Allow Developer Connect to access SDLC information.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "cloudasset.assets.exportResource",
+    "cloudasset.assets.listResource",
+    "cloudasset.assets.searchAllResources",
+    "cloudasset.feeds.create",
+    "cloudasset.feeds.get",
+    "cloudasset.feeds.update",
+    "containeranalysis.occurrences.get",
+    "containeranalysis.occurrences.list",
+    "logging.logEntries.create"
+  ],
+  "name": "roles/developerconnect.insightsAgent",
+  "stage": "BETA",
+  "title": "Developer Connect Insights Config Agent"
+}
diff --git a/roles/developerconnect.insightsViewer b/roles/developerconnect.insightsViewer
@@ -0,0 +1,15 @@
+{
+  "description": "Readonly access to Developer Connect Insights resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "developerconnect.locations.get",
+    "developerconnect.locations.list",
+    "developerconnect.operations.get",
+    "developerconnect.operations.list",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/developerconnect.insightsViewer",
+  "stage": "BETA",
+  "title": "Developer Connect Insights Viewer"
+}
diff --git a/roles/discoveryengine.user b/roles/discoveryengine.user
@@ -18,6 +18,7 @@
     "discoveryengine.dataConnectors.checkRefreshToken",
     "discoveryengine.dataConnectors.executeAction",
     "discoveryengine.dataConnectors.queryAvailableActions",
+    "discoveryengine.engines.get",
     "discoveryengine.notebooks.create",
     "discoveryengine.notebooks.list",
     "discoveryengine.servingConfigs.answer",
diff --git a/roles/documentai.admin b/roles/documentai.admin
@@ -4,9 +4,7 @@
   "includedPermissions": [
     "documentai.dataLabelingJobs.cancel",
     "documentai.dataLabelingJobs.create",
-    "documentai.dataLabelingJobs.delete",
     "documentai.dataLabelingJobs.list",
-    "documentai.dataLabelingJobs.update",
     "documentai.datasetSchemas.get",
     "documentai.datasetSchemas.update",
     "documentai.datasets.createDocuments",
@@ -27,7 +25,6 @@
     "documentai.labelerPools.delete",
     "documentai.labelerPools.get",
     "documentai.labelerPools.list",
-    "documentai.labelerPools.update",
     "documentai.locations.get",
     "documentai.locations.list",
     "documentai.operations.getLegacy",
diff --git a/roles/documentai.editor b/roles/documentai.editor
@@ -4,9 +4,7 @@
   "includedPermissions": [
     "documentai.dataLabelingJobs.cancel",
     "documentai.dataLabelingJobs.create",
-    "documentai.dataLabelingJobs.delete",
     "documentai.dataLabelingJobs.list",
-    "documentai.dataLabelingJobs.update",
     "documentai.datasetSchemas.get",
     "documentai.datasetSchemas.update",
     "documentai.datasets.createDocuments",
@@ -27,7 +25,6 @@
     "documentai.labelerPools.delete",
     "documentai.labelerPools.get",
     "documentai.labelerPools.list",
-    "documentai.labelerPools.update",
     "documentai.locations.get",
     "documentai.locations.list",
     "documentai.operations.getLegacy",
diff --git a/roles/editor b/roles/editor
@@ -1875,6 +1875,10 @@
     "chronicle.instances.permitFederationAccess",
     "chronicle.instances.report",
     "chronicle.instances.verifyNonce",
+    "chronicle.iocAssociations.batchGet",
+    "chronicle.iocAssociations.fetchRelatedIocAssociations",
+    "chronicle.iocAssociations.fetchRelatedThreatCollections",
+    "chronicle.iocAssociations.get",
     "chronicle.iocMatches.get",
     "chronicle.iocMatches.list",
     "chronicle.iocState.get",
@@ -1969,6 +1973,10 @@
     "chronicle.searchQueries.get",
     "chronicle.searchQueries.list",
     "chronicle.searchQueries.update",
+    "chronicle.threatCollections.fetchIocMatchMetadata",
+    "chronicle.threatCollections.fetchRuleMetadata",
+    "chronicle.threatCollections.get",
+    "chronicle.threatCollections.list",
     "chronicle.watchlists.get",
     "chronicle.watchlists.list",
     "chroniclesm.gcpAssociations.get",
@@ -2283,7 +2291,6 @@
     "clouddeploy.operations.list",
     "clouddeploy.releases.abandon",
     "clouddeploy.releases.create",
-    "clouddeploy.releases.delete",
     "clouddeploy.releases.get",
     "clouddeploy.releases.list",
     "clouddeploy.rollouts.advance",
@@ -5619,9 +5626,7 @@
     "dns.responsePolicyRules.update",
     "documentai.dataLabelingJobs.cancel",
     "documentai.dataLabelingJobs.create",
-    "documentai.dataLabelingJobs.delete",
     "documentai.dataLabelingJobs.list",
-    "documentai.dataLabelingJobs.update",
     "documentai.datasetSchemas.get",
     "documentai.datasetSchemas.update",
     "documentai.datasets.createDocuments",
@@ -5642,7 +5647,6 @@
     "documentai.labelerPools.delete",
     "documentai.labelerPools.get",
     "documentai.labelerPools.list",
-    "documentai.labelerPools.update",
     "documentai.locations.get",
     "documentai.locations.list",
     "documentai.operations.getLegacy",
@@ -6595,6 +6599,9 @@
     "iam.principalaccessboundarypolicies.searchPolicyBindings",
     "iam.roles.get",
     "iam.roles.list",
+    "iam.serviceAccountApiKeyBindings.create",
+    "iam.serviceAccountApiKeyBindings.delete",
+    "iam.serviceAccountApiKeyBindings.undelete",
     "iam.serviceAccountKeys.create",
     "iam.serviceAccountKeys.delete",
     "iam.serviceAccountKeys.disable",
diff --git a/roles/iam.securityReviewer b/roles/iam.securityReviewer
@@ -434,6 +434,7 @@
     "chronicle.ruleExecutionErrors.list",
     "chronicle.rules.list",
     "chronicle.searchQueries.list",
+    "chronicle.threatCollections.list",
     "chronicle.validationErrors.list",
     "chronicle.watchlists.list",
     "chroniclesm.gcpAssociations.list",
diff --git a/roles/iam.serviceAccountApiKeyBindingAdmin b/roles/iam.serviceAccountApiKeyBindingAdmin
@@ -1,6 +1,11 @@
 {
   "description": "Create and delete service account API Key bindings",
   "etag": "AA==",
+  "includedPermissions": [
+    "iam.serviceAccountApiKeyBindings.create",
+    "iam.serviceAccountApiKeyBindings.delete",
+    "iam.serviceAccountApiKeyBindings.undelete"
+  ],
   "name": "roles/iam.serviceAccountApiKeyBindingAdmin",
   "stage": "GA",
   "title": "Service Account API Key Binding Admin"
diff --git a/roles/multiclusteringress.serviceAgent b/roles/multiclusteringress.serviceAgent
@@ -109,6 +109,7 @@
     "compute.globalForwardingRules.setLabels",
     "compute.globalForwardingRules.setTarget",
     "compute.globalForwardingRules.update",
+    "compute.globalOperations.get",
     "compute.healthChecks.create",
     "compute.healthChecks.createTagBinding",
     "compute.healthChecks.delete",
@@ -149,6 +150,7 @@
     "compute.regionHealthChecks.update",
     "compute.regionHealthChecks.use",
     "compute.regionHealthChecks.useReadOnly",
+    "compute.regionOperations.get",
     "compute.regionSslCertificates.create",
     "compute.regionSslCertificates.createTagBinding",
     "compute.regionSslCertificates.delete",
@@ -242,6 +244,7 @@
     "compute.urlMaps.update",
     "compute.urlMaps.use",
     "compute.urlMaps.validate",
+    "compute.zoneOperations.get",
     "container.backendConfigs.create",
     "container.backendConfigs.delete",
     "container.backendConfigs.get",
diff --git a/roles/observability.analyticsUser b/roles/observability.analyticsUser
@@ -2,6 +2,9 @@
   "description": "Grants permissions to use Cloud Observability Analytics.",
   "etag": "AA==",
   "includedPermissions": [
+    "logging.queries.getShared",
+    "logging.queries.listShared",
+    "logging.queries.usePrivate",
     "observability.analyticsViews.create",
     "observability.analyticsViews.delete",
     "observability.analyticsViews.get",
diff --git a/roles/securitycenter.controlServiceAgent b/roles/securitycenter.controlServiceAgent
@@ -584,6 +584,8 @@
     "compute.instances.list",
     "compute.networkEndpointGroups.get",
     "compute.projects.get",
+    "compute.regionOperations.get",
+    "compute.zoneOperations.get",
     "container.clusters.get",
     "iam.denypolicies.get",
     "iam.denypolicies.list",
diff --git a/roles/securitycenter.securityResponseServiceAgent b/roles/securitycenter.securityResponseServiceAgent
@@ -2,9 +2,12 @@
   "description": "Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks",
   "etag": "AA==",
   "includedPermissions": [
+    "compute.globalOperations.get",
     "compute.instances.deleteAccessConfig",
     "compute.instances.get",
     "compute.instances.setMetadata",
+    "compute.regionOperations.get",
+    "compute.zoneOperations.get",
     "iam.serviceAccounts.actAs",
     "pubsub.topics.publish",
     "securitycenter.findings.list",
diff --git a/roles/viewer b/roles/viewer
