From 3d28eb7bdc145a927461f087471e9d15535cc0a6 Mon Sep 17 00:00:00 2001
From: Derrick Williams
Date: Thu, 29 Jan 2026 22:54:13 +0000
Subject: [PATCH 1/3] remove groovy pubsublite dependencies
---
 .../main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index 7db9e56e7194..e64d7b1ebee3 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -758,7 +758,6 @@ class BeamModulePlugin implements Plugin {
 google_cloud_firestore : "com.google.cloud:google-cloud-firestore", // google_cloud_platform_libraries_bom sets version
 google_cloud_kms : "com.google.cloud:google-cloud-kms", // google_cloud_platform_libraries_bom sets version
 google_cloud_pubsub : "com.google.cloud:google-cloud-pubsub", // google_cloud_platform_libraries_bom sets version
- google_cloud_pubsublite : "com.google.cloud:google-cloud-pubsublite", // google_cloud_platform_libraries_bom sets version
 // [bomupgrader] the BOM version is set by scripts/tools/bomupgrader.py. If update manually, also update
 // libraries-bom version on sdks/java/container/license_scripts/dep_urls_java.yaml
 google_cloud_platform_libraries_bom : "com.google.cloud:libraries-bom:26.74.0",
@@ -788,7 +787,6 @@ class BeamModulePlugin implements Plugin {
 grpc_core : "io.grpc:grpc-core", // google_cloud_platform_libraries_bom sets version
 grpc_google_cloud_firestore_v1 : "com.google.api.grpc:grpc-google-cloud-firestore-v1", // google_cloud_platform_libraries_bom sets version
 grpc_google_cloud_pubsub_v1 : "com.google.api.grpc:grpc-google-cloud-pubsub-v1", // google_cloud_platform_libraries_bom sets version
- grpc_google_cloud_pubsublite_v1 : "com.google.api.grpc:grpc-google-cloud-pubsublite-v1", // google_cloud_platform_libraries_bom sets version
 grpc_google_common_protos : "com.google.api.grpc:grpc-google-common-protos", // google_cloud_platform_libraries_bom sets version
 grpc_grpclb : "io.grpc:grpc-grpclb", // google_cloud_platform_libraries_bom sets version
 grpc_protobuf : "io.grpc:grpc-protobuf", // google_cloud_platform_libraries_bom sets version
@@ -871,7 +869,6 @@ class BeamModulePlugin implements Plugin {
 proto_google_cloud_firestore_v1 : "com.google.api.grpc:proto-google-cloud-firestore-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_kms_v1 : "com.google.api.grpc:proto-google-cloud-kms-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_pubsub_v1 : "com.google.api.grpc:proto-google-cloud-pubsub-v1", // google_cloud_platform_libraries_bom sets version
- proto_google_cloud_pubsublite_v1 : "com.google.api.grpc:proto-google-cloud-pubsublite-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_secret_manager_v1 : "com.google.api.grpc:proto-google-cloud-secretmanager-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_spanner_v1 : "com.google.api.grpc:proto-google-cloud-spanner-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_spanner_admin_database_v1: "com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1", // google_cloud_platform_libraries_bom sets version
From 6438cdd536663d10b84613a50ffa15cacd913727 Mon Sep 17 00:00:00 2001 From: Derrick Williams Date: Thu, 29 Jan 2026 22:54:31 +0000 Subject: [PATCH 2/3] remove checkstyle suppressions --- .../src/main/resources/beam/checkstyle/suppressions.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml b/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml index ef4cbdb5ba02..f79bb6cf3bfa 100644 --- a/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml +++ b/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml @@ -43,7 +43,6 @@ - @@ -69,7 +68,6 @@ - From 1785c37046f3343527a2fb8a381ded4bcdeca1a0 Mon Sep 17 00:00:00 2001 From: Derrick Williams Date: Thu, 29 Jan 2026 22:55:07 +0000 Subject: [PATCH 3/3] remove role config for pubsublite service and update role files --- infra/iam/roles/beam_admin.role.yaml | 69 +++++++++++- infra/iam/roles/beam_infra_manager.role.yaml | 80 +++++++++++--- infra/iam/roles/beam_viewer.role.yaml | 108 +++++++++++++++---- infra/iam/roles/beam_writer.role.yaml | 22 +++- infra/iam/roles/roles_config.yaml | 2 +- 5 files changed, 244 insertions(+), 37 deletions(-) diff --git a/infra/iam/roles/beam_admin.role.yaml b/infra/iam/roles/beam_admin.role.yaml index 4296196c495e..73f553f746e8 100644 --- a/infra/iam/roles/beam_admin.role.yaml +++ b/infra/iam/roles/beam_admin.role.yaml @@ -16,7 +16,7 @@ # This file is auto-generated by generate_roles.py. # Do not edit manually. -# This file was generated on 2025-08-11 14:34:54 UTC +# This file was generated on 2026-01-29 22:47:50 UTC description: This is the beam_admin role permissions: @@ -61,6 +61,7 @@ permissions: - bigquery.reservations.delete - bigquery.routines.delete - bigquery.rowAccessPolicies.delete +- bigquery.rowAccessPolicies.overrideTimeTravelRestrictions - bigquery.rowAccessPolicies.setIamPolicy - bigquery.savedqueries.delete - bigquery.tables.create 
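Review bot: The regenerated role files grant more than the pubsublite removal named in the subject, beginning with the added `bigquery.rowAccessPolicies.overrideTimeTravelRestrictions` entry in this beam_admin.role.yaml hunk and continuing through the later hunks of all four role files. Additions that affect who can bind policies or act as another identity include `resourcemanager.projects.createPolicyBinding` and `iam.workloadIdentityPools.createPolicyBinding` in beam_admin, and `firebasedataconnect.connectors.impersonateMutation`, `cloudkms.singleTenantHsmInstanceProposals.approve` and `serviceusage.mcppolicy.update` in beam_infra_manager; `cloudsql.instances.executeSql` is dropped from beam_infra_manager and added to beam_writer. Because the files are generated, each of these should be confirmed as intended or excluded in the generator's input rather than by hand; the roles_config.yaml change in this patch is outside the visible part, so it cannot be checked from here. The commit message should record the wider scope, for example `Regenerating also changes grants unrelated to pubsublite (previous run 2025-08-11); additions reviewed.`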
@@ -89,6 +90,7 @@ permissions: - cloudkms.ekmConnections.setIamPolicy - cloudkms.importJobs.setIamPolicy - cloudkms.keyRings.setIamPolicy +- cloudkms.singleTenantHsmInstanceProposals.delete - cloudsql.backupRuns.delete - cloudsql.databases.delete - cloudsql.instances.delete @@ -164,7 +166,11 @@ permissions: - compute.instances.deleteTagBinding - compute.instances.setIamPolicy - compute.instances.stop +- compute.instantSnapshotGroups.delete +- compute.instantSnapshotGroups.setIamPolicy +- compute.instantSnapshots.createTagBinding - compute.instantSnapshots.delete +- compute.instantSnapshots.deleteTagBinding - compute.instantSnapshots.setIamPolicy - compute.interconnectAttachmentGroups.delete - compute.interconnectAttachments.createTagBinding @@ -174,8 +180,12 @@ permissions: - compute.interconnects.deleteTagBinding - compute.interconnects.getMacsecConfig - compute.licenseCodes.setIamPolicy +- compute.licenses.createTagBinding +- compute.licenses.deleteTagBinding - compute.licenses.setIamPolicy +- compute.machineImages.createTagBinding - compute.machineImages.delete +- compute.machineImages.deleteTagBinding - compute.machineImages.setIamPolicy - compute.multiMig.delete - compute.networkAttachments.createTagBinding 
@@ -206,21 +216,29 @@ permissions: - compute.publicDelegatedPrefixes.createTagBinding - compute.publicDelegatedPrefixes.delete - compute.publicDelegatedPrefixes.deleteTagBinding +- compute.regionBackendBuckets.createTagBinding +- compute.regionBackendBuckets.delete +- compute.regionBackendBuckets.deleteTagBinding +- compute.regionBackendBuckets.setIamPolicy - compute.regionBackendServices.createTagBinding - compute.regionBackendServices.delete - compute.regionBackendServices.deleteTagBinding - compute.regionBackendServices.setIamPolicy +- compute.regionCompositeHealthChecks.delete - compute.regionFirewallPolicies.createTagBinding - compute.regionFirewallPolicies.delete - compute.regionFirewallPolicies.deleteTagBinding - compute.regionFirewallPolicies.setIamPolicy +- compute.regionHealthAggregationPolicies.delete - compute.regionHealthCheckServices.delete - compute.regionHealthChecks.createTagBinding - compute.regionHealthChecks.delete - compute.regionHealthChecks.deleteTagBinding +- compute.regionHealthSources.delete - compute.regionNetworkEndpointGroups.createTagBinding - compute.regionNetworkEndpointGroups.delete - compute.regionNetworkEndpointGroups.deleteTagBinding +- compute.regionNetworkPolicies.delete - compute.regionNotificationEndpoints.delete - compute.regionOperations.delete - compute.regionSecurityPolicies.createTagBinding @@ -244,9 +262,14 @@ permissions: - compute.regionUrlMaps.createTagBinding - compute.regionUrlMaps.delete - compute.regionUrlMaps.deleteTagBinding +- compute.reservations.createTagBinding - compute.reservations.delete +- compute.reservations.deleteTagBinding - compute.resourcePolicies.delete - compute.resourcePolicies.setIamPolicy +- compute.rolloutPlans.delete +- compute.rollouts.cancel +- compute.rollouts.delete - compute.routers.createTagBinding - compute.routers.delete - compute.routers.deleteTagBinding 
@@ -268,7 +291,9 @@ permissions: - compute.sslCertificates.deleteTagBinding - compute.sslPolicies.createTagBinding - compute.sslPolicies.deleteTagBinding +- compute.storagePools.createTagBinding - compute.storagePools.delete +- compute.storagePools.deleteTagBinding - compute.storagePools.setIamPolicy - compute.subnetworks.createTagBinding - compute.subnetworks.delete @@ -300,6 +325,7 @@ permissions: - compute.targetVpnGateways.deleteTagBinding - compute.urlMaps.createTagBinding - compute.urlMaps.deleteTagBinding +- compute.vmExtensionPolicies.delete - compute.vpnGateways.createTagBinding - compute.vpnGateways.delete - compute.vpnGateways.deleteTagBinding @@ -387,9 +413,15 @@ permissions: - dataflow.snapshots.delete - dataform.commentThreads.delete - dataform.comments.delete +- dataform.folders.delete +- dataform.folders.setIamPolicy +- dataform.operations.cancel +- dataform.operations.delete - dataform.releaseConfigs.delete - dataform.repositories.delete - dataform.repositories.setIamPolicy +- dataform.teamFolders.delete +- dataform.teamFolders.setIamPolicy - dataform.workflowConfigs.delete - dataform.workflowInvocations.cancel - dataform.workflowInvocations.delete @@ -401,10 +433,13 @@ permissions: - dataplex.assets.setIamPolicy - dataplex.content.delete - dataplex.content.setIamPolicy +- dataplex.dataAssets.delete - dataplex.dataAttributeBindings.delete - dataplex.dataAttributeBindings.setIamPolicy - dataplex.dataAttributes.delete - dataplex.dataAttributes.setIamPolicy +- dataplex.dataProducts.delete +- dataplex.dataProducts.setIamPolicy - dataplex.dataTaxonomies.delete - dataplex.dataTaxonomies.setIamPolicy - dataplex.datascans.delete @@ -477,7 +512,9 @@ permissions: - datastore.userCreds.delete - dns.managedZones.delete - dns.managedZones.setIamPolicy +- dns.policies.createTagBinding - dns.policies.delete +- dns.policies.deleteTagBinding - dns.resourceRecordSets.delete - dns.responsePolicies.delete - dns.responsePolicyRules.delete 
@@ -491,6 +528,12 @@ permissions: - firebaseabt.experiments.delete - firebaseappcheck.appCheckTokens.verify - firebaseappcheck.automations.delete +- firebaseapphosting.backends.delete +- firebaseapphosting.builds.delete +- firebaseapphosting.domains.delete +- firebaseapphosting.operations.cancel +- firebaseapphosting.operations.delete +- firebaseapphosting.rollouts.delete - firebaseauth.users.delete - firebasedatabase.instances.delete - firebasedataconnect.connectorRevisions.delete @@ -515,6 +558,7 @@ permissions: - firebaserules.releases.delete - firebaserules.rulesets.delete - firebasestorage.defaultBucket.delete +- firebasevertexai.promptTemplates.delete - iam.googleapis.com/workloadIdentityPoolProviderKeys.create - iam.googleapis.com/workloadIdentityPoolProviderKeys.delete - iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete @@ -527,7 +571,9 @@ permissions: - iam.googleapis.com/workloadIdentityPools.undelete - iam.googleapis.com/workloadIdentityPools.update - iam.roles.create +- iam.roles.createTagBinding - iam.roles.delete +- iam.roles.deleteTagBinding - iam.roles.undelete - iam.roles.update - iam.serviceAccountApiKeyBindings.delete @@ -537,6 +583,9 @@ permissions: - iam.serviceAccounts.deleteTagBinding - iam.serviceAccounts.setIamPolicy - iam.serviceAccounts.undelete +- iam.workloadIdentityPools.createPolicyBinding +- iam.workloadIdentityPools.deletePolicyBinding +- iam.workloadIdentityPools.updatePolicyBinding - iap.tunnel.getIamPolicy - iap.tunnel.setIamPolicy - iap.tunnelDestGroups.delete 
@@ -570,16 +619,19 @@ permissions: - monitoring.uptimeCheckConfigs.delete - pubsub.schemas.delete - pubsub.schemas.setIamPolicy +- pubsub.snapshots.createTagBinding - pubsub.snapshots.delete +- pubsub.snapshots.deleteTagBinding +- pubsub.subscriptions.createTagBinding - pubsub.subscriptions.delete +- pubsub.subscriptions.deleteTagBinding - pubsub.subscriptions.getIamPolicy - pubsub.subscriptions.setIamPolicy +- pubsub.topics.createTagBinding - pubsub.topics.delete +- pubsub.topics.deleteTagBinding - pubsub.topics.getIamPolicy - pubsub.topics.setIamPolicy -- pubsublite.reservations.delete -- pubsublite.subscriptions.delete -- pubsublite.topics.delete - redis.backupCollections.delete - redis.backups.delete - redis.clusters.delete @@ -588,7 +640,10 @@ permissions: - redis.instances.deleteTagBinding - redis.operations.cancel - redis.operations.delete +- resourcemanager.projects.createPolicyBinding +- resourcemanager.projects.deletePolicyBinding - resourcemanager.projects.setIamPolicy +- resourcemanager.projects.updatePolicyBinding - resourcemanager.tagHolds.delete - resourcemanager.tagKeys.delete - resourcemanager.tagKeys.setIamPolicy @@ -655,6 +710,7 @@ permissions: - storage.managedFolders.setIamPolicy - storage.multipartUploads.list - storage.objects.delete +- storage.objects.deleteContext - storage.objects.getIamPolicy - storage.objects.move - storage.objects.overrideUnlockedRetention @@ -662,6 +718,11 @@ permissions: - storage.objects.setIamPolicy - storage.objects.setRetention - storage.objects.update +- storage.objects.updateContext +- storagebatchoperations.jobs.cancel +- storagebatchoperations.jobs.delete +- storagebatchoperations.operations.cancel +- storagebatchoperations.operations.delete - storageinsights.datasetConfigs.delete - storageinsights.operations.cancel - storageinsights.operations.delete diff --git a/infra/iam/roles/beam_infra_manager.role.yaml b/infra/iam/roles/beam_infra_manager.role.yaml index 169bebd7fbc3..ab819c1cc480 100644 
--- a/infra/iam/roles/beam_infra_manager.role.yaml +++ b/infra/iam/roles/beam_infra_manager.role.yaml @@ -16,7 +16,7 @@ # This file is auto-generated by generate_roles.py. # Do not edit manually. -# This file was generated on 2025-08-11 14:34:54 UTC +# This file was generated on 2026-01-29 22:47:50 UTC description: This is the beam_infra_manager role permissions: @@ -55,9 +55,11 @@ permissions: - bigquery.connections.create - bigquery.connections.update - bigquery.connections.updateTag +- bigquery.dataPolicies.attach - bigquery.dataPolicies.create - bigquery.dataPolicies.update - bigquery.datasets.updateTag +- bigquery.jobs.createGlobalQuery - bigquery.models.create - bigquery.models.updateData - bigquery.models.updateMetadata @@ -118,6 +120,11 @@ permissions: - cloudkms.importJobs.useToImport - cloudkms.kajPolicyConfigs.update - cloudkms.keyRings.create +- cloudkms.singleTenantHsmInstanceProposals.approve +- cloudkms.singleTenantHsmInstanceProposals.create +- cloudkms.singleTenantHsmInstanceProposals.execute +- cloudkms.singleTenantHsmInstances.create +- cloudkms.singleTenantHsmInstances.use - cloudsql.backupRuns.create - cloudsql.backupRuns.update - cloudsql.databases.create @@ -128,7 +135,6 @@ permissions: - cloudsql.instances.connect - cloudsql.instances.create - cloudsql.instances.demoteMaster -- cloudsql.instances.executeSql - cloudsql.instances.failover - cloudsql.instances.import - cloudsql.instances.migrate @@ -180,6 +186,7 @@ permissions: - compute.disks.stopAsyncReplication - compute.disks.stopGroupAsyncReplication - compute.disks.update +- compute.disks.updateKmsKey - compute.disks.use - compute.externalVpnGateways.create - compute.externalVpnGateways.setLabels 
@@ -275,6 +282,8 @@ permissions: - compute.instances.updateShieldedInstanceConfig - compute.instances.updateShieldedVmConfig - compute.instances.use +- compute.instantSnapshotGroups.create +- compute.instantSnapshotGroups.useReadOnly - compute.instantSnapshots.create - compute.instantSnapshots.export - compute.instantSnapshots.setLabels @@ -299,6 +308,7 @@ permissions: - compute.networks.create - compute.networks.mirror - compute.networks.setFirewallPolicy +- compute.networks.setNetworkPolicy - compute.networks.updatePeering - compute.networks.updatePolicy - compute.networks.use 
@@ -323,28 +333,42 @@ permissions: - compute.publicAdvertisedPrefixes.create - compute.publicAdvertisedPrefixes.update - compute.publicAdvertisedPrefixes.updatePolicy +- compute.publicDelegatedPrefixes.announce - compute.publicDelegatedPrefixes.create - compute.publicDelegatedPrefixes.update - compute.publicDelegatedPrefixes.updatePolicy - compute.publicDelegatedPrefixes.use +- compute.publicDelegatedPrefixes.withdraw +- compute.regionBackendBuckets.create +- compute.regionBackendBuckets.update +- compute.regionBackendBuckets.use - compute.regionBackendServices.create - compute.regionBackendServices.setSecurityPolicy - compute.regionBackendServices.update - compute.regionBackendServices.use +- compute.regionCompositeHealthChecks.create +- compute.regionCompositeHealthChecks.update - compute.regionFirewallPolicies.cloneRules - compute.regionFirewallPolicies.create - compute.regionFirewallPolicies.update - compute.regionFirewallPolicies.use +- compute.regionHealthAggregationPolicies.create +- compute.regionHealthAggregationPolicies.update - compute.regionHealthCheckServices.create - compute.regionHealthCheckServices.update - compute.regionHealthCheckServices.use - compute.regionHealthChecks.create - compute.regionHealthChecks.update - compute.regionHealthChecks.use +- compute.regionHealthSources.create +- compute.regionHealthSources.update - compute.regionNetworkEndpointGroups.attachNetworkEndpoints - compute.regionNetworkEndpointGroups.create - compute.regionNetworkEndpointGroups.detachNetworkEndpoints - compute.regionNetworkEndpointGroups.use +- compute.regionNetworkPolicies.create +- compute.regionNetworkPolicies.update +- compute.regionNetworkPolicies.use - compute.regionNotificationEndpoints.create - compute.regionNotificationEndpoints.update - compute.regionNotificationEndpoints.use 
@@ -371,6 +395,7 @@ permissions: - compute.regionUrlMaps.use - compute.reservationBlocks.performMaintenance - compute.reservationSubBlocks.performMaintenance +- compute.reservationSubBlocks.reportFaulty - compute.reservations.create - compute.reservations.performMaintenance - compute.reservations.resize @@ -378,6 +403,7 @@ permissions: - compute.resourcePolicies.create - compute.resourcePolicies.update - compute.resourcePolicies.use +- compute.rolloutPlans.create - compute.routers.create - compute.routers.deleteRoutePolicy - compute.routers.update @@ -391,6 +417,7 @@ permissions: - compute.snapshotSettings.update - compute.snapshots.create - compute.snapshots.setLabels +- compute.snapshots.updateKmsKey - compute.sslCertificates.create - compute.storagePools.create - compute.storagePools.update @@ -441,6 +468,8 @@ permissions: - compute.targetTcpProxies.use - compute.targetVpnGateways.create - compute.targetVpnGateways.use +- compute.vmExtensionPolicies.create +- compute.vmExtensionPolicies.update - compute.vpnGateways.create - compute.vpnGateways.setLabels - compute.vpnGateways.use @@ -485,10 +514,18 @@ permissions: - dataform.comments.update - dataform.compilationResults.create - dataform.config.update +- dataform.folders.addContents +- dataform.folders.move +- dataform.folders.update - dataform.releaseConfigs.create - dataform.releaseConfigs.update - dataform.repositories.commit +- dataform.repositories.move +- dataform.repositories.scheduleRelease +- dataform.repositories.scheduleWorkflow - dataform.repositories.update +- dataform.teamFolders.create +- dataform.teamFolders.update - dataform.workflowConfigs.create - dataform.workflowConfigs.update - dataform.workflowInvocations.create 
@@ -511,11 +548,15 @@ permissions: - dataplex.assets.update - dataplex.content.create - dataplex.content.update +- dataplex.dataAssets.create +- dataplex.dataAssets.update - dataplex.dataAttributeBindings.create - dataplex.dataAttributeBindings.update - dataplex.dataAttributes.bind - dataplex.dataAttributes.create - dataplex.dataAttributes.update +- dataplex.dataProducts.create +- dataplex.dataProducts.update - dataplex.dataTaxonomies.configureDataAccess - dataplex.dataTaxonomies.configureResourceAccess - dataplex.dataTaxonomies.create @@ -532,13 +573,18 @@ permissions: - dataplex.entryGroups.import - dataplex.entryGroups.update - dataplex.entryGroups.useContactsAspect +- dataplex.entryGroups.useDataProfileAspect - dataplex.entryGroups.useDataQualityScorecardAspect - dataplex.entryGroups.useDefinitionEntryLink +- dataplex.entryGroups.useDescriptionsAspect - dataplex.entryGroups.useGenericAspect - dataplex.entryGroups.useGenericEntry - dataplex.entryGroups.useOverviewAspect +- dataplex.entryGroups.useQueriesAspect +- dataplex.entryGroups.useRefreshCadenceAspect - dataplex.entryGroups.useRelatedEntryLink - dataplex.entryGroups.useSchemaAspect +- dataplex.entryGroups.useStorageAspect - dataplex.entryGroups.useSynonymEntryLink - dataplex.entryLinks.create - dataplex.entryLinks.reference @@ -574,6 +620,7 @@ permissions: - dataproc.batches.create - dataproc.batches.sparkApplicationWrite - dataproc.clusters.create +- dataproc.clusters.repair - dataproc.clusters.start - dataproc.clusters.update - dataproc.clusters.use 
@@ -646,6 +693,15 @@ permissions: - firebaseappdistro.groups.update - firebaseappdistro.releases.update - firebaseappdistro.testers.update +- firebaseapphosting.backends.create +- firebaseapphosting.backends.update +- firebaseapphosting.builds.create +- firebaseapphosting.builds.update +- firebaseapphosting.domains.create +- firebaseapphosting.domains.update +- firebaseapphosting.rollouts.create +- firebaseapphosting.rollouts.update +- firebaseapphosting.traffic.update - firebaseauth.configs.create - firebaseauth.configs.getHashConfig - firebaseauth.configs.getSecret @@ -663,6 +719,8 @@ permissions: - firebasedatabase.instances.undelete - firebasedatabase.instances.update - firebasedataconnect.connectors.create +- firebasedataconnect.connectors.impersonateMutation +- firebasedataconnect.connectors.impersonateQuery - firebasedataconnect.connectors.update - firebasedataconnect.schemas.create - firebasedataconnect.schemas.update @@ -697,6 +755,8 @@ permissions: - firebasestorage.buckets.removeFirebase - firebasestorage.defaultBucket.create - firebasevertexai.configs.update +- firebasevertexai.promptTemplates.create +- firebasevertexai.promptTemplates.update - iam.serviceAccountApiKeyBindings.create - iam.serviceAccountApiKeyBindings.undelete - iam.serviceAccountKeys.create @@ -743,21 +803,12 @@ permissions: - pubsub.topics.publish - pubsub.topics.update - pubsub.topics.updateTag -- pubsublite.reservations.attachTopic -- pubsublite.reservations.create -- pubsublite.reservations.update -- pubsublite.subscriptions.create -- pubsublite.subscriptions.seek -- pubsublite.subscriptions.setCursor -- pubsublite.subscriptions.update -- pubsublite.topics.create -- pubsublite.topics.publish -- pubsublite.topics.update - redis.backupCollections.create - redis.backups.create - redis.clusters.backup - redis.clusters.connect - redis.clusters.create +- redis.clusters.rescheduleMaintenance - redis.clusters.update - redis.instances.create - redis.instances.export 
@@ -789,6 +840,9 @@ permissions: - servicemanagement.services.quota - servicemanagement.services.report - servicemanagement.services.update +- serviceusage.consumerpolicy.update +- serviceusage.contentsecuritypolicy.update +- serviceusage.mcppolicy.update - serviceusage.services.disable - serviceusage.services.enable - serviceusage.services.use @@ -828,8 +882,10 @@ permissions: - storage.multipartUploads.create - storage.multipartUploads.listParts - storage.objects.create +- storage.objects.createContext - storage.objects.get - storage.objects.list +- storagebatchoperations.jobs.create - storageinsights.datasetConfigs.create - storageinsights.datasetConfigs.linkDataset - storageinsights.datasetConfigs.unlinkDataset diff --git a/infra/iam/roles/beam_viewer.role.yaml b/infra/iam/roles/beam_viewer.role.yaml index 0525fda09560..2d761a495b10 100644 --- a/infra/iam/roles/beam_viewer.role.yaml +++ b/infra/iam/roles/beam_viewer.role.yaml @@ -16,7 +16,7 @@ # This file is auto-generated by generate_roles.py. # Do not edit manually. -# This file was generated on 2025-08-11 14:34:54 UTC +# This file was generated on 2026-01-29 22:47:50 UTC description: This is the beam_viewer role permissions: @@ -39,6 +39,7 @@ permissions: - artifactregistry.pythonpackages.get - artifactregistry.pythonpackages.list - artifactregistry.repositories.downloadArtifacts +- artifactregistry.repositories.exportArtifacts - artifactregistry.repositories.get - artifactregistry.repositories.getIamPolicy - artifactregistry.repositories.list @@ -250,6 +251,7 @@ permissions: - cloudsql.instances.listServerCas - cloudsql.instances.listServerCertificates - cloudsql.instances.listTagBindings +- cloudsql.instances.preCheckMajorVersionUpgrade - cloudsql.schemas.view - cloudsql.sslCerts.get - cloudsql.sslCerts.list 
@@ -370,9 +372,14 @@ permissions: - compute.instances.listReferrers - compute.instances.listTagBindings - compute.instances.useReadOnly +- compute.instantSnapshotGroups.get +- compute.instantSnapshotGroups.getIamPolicy +- compute.instantSnapshotGroups.list - compute.instantSnapshots.get - compute.instantSnapshots.getIamPolicy - compute.instantSnapshots.list +- compute.instantSnapshots.listEffectiveTags +- compute.instantSnapshots.listTagBindings - compute.instantSnapshots.useReadOnly - compute.interconnectAttachmentGroups.get - compute.interconnectAttachmentGroups.list @@ -387,9 +394,13 @@ permissions: - compute.licenseCodes.getIamPolicy - compute.licenses.get - compute.licenses.getIamPolicy +- compute.licenses.listEffectiveTags +- compute.licenses.listTagBindings - compute.machineImages.get - compute.machineImages.getIamPolicy - compute.machineImages.list +- compute.machineImages.listEffectiveTags +- compute.machineImages.listTagBindings - compute.machineImages.useReadOnly - compute.machineTypes.get - compute.machineTypes.list 
@@ -441,16 +452,25 @@ permissions: - compute.publicDelegatedPrefixes.list - compute.publicDelegatedPrefixes.listEffectiveTags - compute.publicDelegatedPrefixes.listTagBindings +- compute.regionBackendBuckets.get +- compute.regionBackendBuckets.getIamPolicy +- compute.regionBackendBuckets.list +- compute.regionBackendBuckets.listEffectiveTags +- compute.regionBackendBuckets.listTagBindings - compute.regionBackendServices.get - compute.regionBackendServices.getIamPolicy - compute.regionBackendServices.list - compute.regionBackendServices.listEffectiveTags - compute.regionBackendServices.listTagBindings +- compute.regionCompositeHealthChecks.get +- compute.regionCompositeHealthChecks.list - compute.regionFirewallPolicies.get - compute.regionFirewallPolicies.getIamPolicy - compute.regionFirewallPolicies.list - compute.regionFirewallPolicies.listEffectiveTags - compute.regionFirewallPolicies.listTagBindings +- compute.regionHealthAggregationPolicies.get +- compute.regionHealthAggregationPolicies.list - compute.regionHealthCheckServices.get - compute.regionHealthCheckServices.list - compute.regionHealthChecks.get @@ -458,10 +478,14 @@ permissions: - compute.regionHealthChecks.listEffectiveTags - compute.regionHealthChecks.listTagBindings - compute.regionHealthChecks.useReadOnly +- compute.regionHealthSources.get +- compute.regionHealthSources.list - compute.regionNetworkEndpointGroups.get - compute.regionNetworkEndpointGroups.list - compute.regionNetworkEndpointGroups.listEffectiveTags - compute.regionNetworkEndpointGroups.listTagBindings +- compute.regionNetworkPolicies.get +- compute.regionNetworkPolicies.list - compute.regionNotificationEndpoints.get - compute.regionNotificationEndpoints.list - compute.regionOperations.get 
@@ -504,10 +528,16 @@ permissions: - compute.reservationSubBlocks.list - compute.reservations.get - compute.reservations.list +- compute.reservations.listEffectiveTags +- compute.reservations.listTagBindings - compute.resourcePolicies.get - compute.resourcePolicies.getIamPolicy - compute.resourcePolicies.list - compute.resourcePolicies.useReadOnly +- compute.rolloutPlans.get +- compute.rolloutPlans.list +- compute.rollouts.get +- compute.rollouts.list - compute.routers.get - compute.routers.getRoutePolicy - compute.routers.list @@ -543,6 +573,8 @@ permissions: - compute.storagePools.get - compute.storagePools.getIamPolicy - compute.storagePools.list +- compute.storagePools.listEffectiveTags +- compute.storagePools.listTagBindings - compute.subnetworks.get - compute.subnetworks.getIamPolicy - compute.subnetworks.list @@ -582,6 +614,8 @@ permissions: - compute.targetVpnGateways.listTagBindings - compute.urlMaps.listEffectiveTags - compute.urlMaps.listTagBindings +- compute.vmExtensionPolicies.get +- compute.vmExtensionPolicies.list - compute.vpnGateways.get - compute.vpnGateways.list - compute.vpnGateways.listEffectiveTags @@ -840,6 +874,8 @@ permissions: - dns.managedZones.list - dns.policies.get - dns.policies.list +- dns.policies.listEffectiveTags +- dns.policies.listTagBindings - dns.projects.get - dns.resourceRecordSets.get - dns.resourceRecordSets.list 
@@ -873,6 +909,19 @@ permissions: - firebaseappdistro.groups.list - firebaseappdistro.releases.list - firebaseappdistro.testers.list +- firebaseapphosting.backends.get +- firebaseapphosting.backends.list +- firebaseapphosting.builds.get +- firebaseapphosting.builds.list +- firebaseapphosting.domains.get +- firebaseapphosting.domains.list +- firebaseapphosting.locations.get +- firebaseapphosting.locations.list +- firebaseapphosting.operations.get +- firebaseapphosting.operations.list +- firebaseapphosting.rollouts.get +- firebaseapphosting.rollouts.list +- firebaseapphosting.traffic.get - firebaseauth.configs.get - firebaseauth.users.get - firebasecrash.reports.get @@ -896,6 +945,7 @@ permissions: - firebasedataconnect.schemas.get - firebasedataconnect.schemas.list - firebasedataconnect.services.get +- firebasedataconnect.services.introspectGraphql - firebasedataconnect.services.list - firebasedynamiclinks.destinations.list - firebasedynamiclinks.domains.get @@ -928,6 +978,8 @@ permissions: - firebasestorage.buckets.list - firebasestorage.defaultBucket.get - firebasevertexai.configs.get +- firebasevertexai.promptTemplates.get +- firebasevertexai.promptTemplates.list - iam.denypolicies.get - iam.denypolicies.list - iam.googleapis.com/oauthClientCredentials.get @@ -940,8 +992,15 @@ permissions: - iam.googleapis.com/workloadIdentityPoolProviders.list - iam.googleapis.com/workloadIdentityPools.get - iam.googleapis.com/workloadIdentityPools.list +- iam.policybindings.get +- iam.policybindings.list +- iam.principalaccessboundarypolicies.get +- iam.principalaccessboundarypolicies.list +- iam.principalaccessboundarypolicies.searchPolicyBindings - iam.roles.get - iam.roles.list +- iam.roles.listEffectiveTags +- iam.roles.listTagBindings - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list - iam.serviceAccounts.get 
@@ -949,12 +1008,15 @@ permissions: - iam.serviceAccounts.list - iam.serviceAccounts.listEffectiveTags - iam.serviceAccounts.listTagBindings +- iam.workloadIdentityPools.searchPolicyBindings - iap.tunnelDestGroups.get - iap.tunnelDestGroups.list - monitoring.alertPolicies.get - monitoring.alertPolicies.list - monitoring.alertPolicies.listEffectiveTags - monitoring.alertPolicies.listTagBindings +- monitoring.alerts.get +- monitoring.alerts.list - monitoring.dashboards.get - monitoring.dashboards.list - monitoring.dashboards.listEffectiveTags @@ -982,28 +1044,16 @@ permissions: - pubsub.schemas.listRevisions - pubsub.schemas.validate - pubsub.snapshots.list +- pubsub.snapshots.listEffectiveTags +- pubsub.snapshots.listTagBindings - pubsub.subscriptions.get - pubsub.subscriptions.list +- pubsub.subscriptions.listEffectiveTags +- pubsub.subscriptions.listTagBindings - pubsub.topics.get - pubsub.topics.list -- pubsublite.locations.openKafkaStream -- pubsublite.operations.get -- pubsublite.operations.list -- pubsublite.reservations.get -- pubsublite.reservations.list -- pubsublite.reservations.listTopics -- pubsublite.subscriptions.get -- pubsublite.subscriptions.getCursor -- pubsublite.subscriptions.list -- pubsublite.subscriptions.subscribe -- pubsublite.topics.computeHeadCursor -- pubsublite.topics.computeMessageStats -- pubsublite.topics.computeTimeCursor -- pubsublite.topics.get -- pubsublite.topics.getPartitions -- pubsublite.topics.list -- pubsublite.topics.listSubscriptions -- pubsublite.topics.subscribe +- pubsub.topics.listEffectiveTags +- pubsub.topics.listTagBindings - redis.backupCollections.get - redis.backupCollections.list - redis.backups.export @@ -1023,6 +1073,7 @@ permissions: - resourcemanager.hierarchyNodes.listTagBindings - resourcemanager.projects.get - resourcemanager.projects.getIamPolicy +- resourcemanager.projects.searchPolicyBindings - resourcemanager.tagHolds.list - resourcemanager.tagKeys.get - resourcemanager.tagKeys.getIamPolicy 
@@ -1041,8 +1092,18 @@ permissions: - secretmanager.versions.list - servicemanagement.services.get - servicemanagement.services.list +- serviceusage.consumerpolicy.analyze +- serviceusage.consumerpolicy.get +- serviceusage.contentsecuritypolicy.get +- serviceusage.effectivemcppolicy.get +- serviceusage.effectivepolicy.get +- serviceusage.groups.list +- serviceusage.groups.listExpandedMembers +- serviceusage.groups.listMembers +- serviceusage.mcppolicy.get - serviceusage.services.get - serviceusage.services.list +- serviceusage.values.test - spanner.backupOperations.get - spanner.backupOperations.list - spanner.backupSchedules.get @@ -1085,11 +1146,20 @@ permissions: - storage.buckets.list - storage.buckets.listEffectiveTags - storage.buckets.listTagBindings +- storage.buckets.viewIntelligenceDetails - storage.folders.get - storage.folders.list - storage.hmacKeys.get - storage.hmacKeys.list - storage.intelligenceConfigs.get +- storagebatchoperations.bucketOperations.get +- storagebatchoperations.bucketOperations.list +- storagebatchoperations.jobs.get +- storagebatchoperations.jobs.list +- storagebatchoperations.locations.get +- storagebatchoperations.locations.list +- storagebatchoperations.operations.get +- storagebatchoperations.operations.list - storageinsights.datasetConfigs.get - storageinsights.datasetConfigs.list - storageinsights.locations.get diff --git a/infra/iam/roles/beam_writer.role.yaml b/infra/iam/roles/beam_writer.role.yaml index 947757b0d6d9..45464465e81c 100644 --- a/infra/iam/roles/beam_writer.role.yaml +++ b/infra/iam/roles/beam_writer.role.yaml @@ -16,7 +16,7 @@ # This file is auto-generated by generate_roles.py. # Do not edit manually. -# This file was generated on 2025-08-11 15:53:17 UTC +# This file was generated on 2026-01-29 22:47:50 UTC description: This is the beam_writer role permissions: 
@@ -56,6 +56,12 @@ permissions: - cloudkms.projects.showEffectiveAutokeyConfig - cloudkms.projects.showEffectiveKajEnrollmentConfig - cloudkms.projects.showEffectiveKajPolicyConfig +- cloudkms.protectedResources.search +- cloudkms.singleTenantHsmInstanceProposals.get +- cloudkms.singleTenantHsmInstanceProposals.list +- cloudkms.singleTenantHsmInstances.get +- cloudkms.singleTenantHsmInstances.list +- cloudsql.instances.executeSql - cloudsql.instances.login - container.apiServices.create - container.apiServices.update @@ -205,8 +211,14 @@ permissions: - dataform.compilationResults.list - dataform.compilationResults.query - dataform.config.get +- dataform.folders.create +- dataform.folders.get +- dataform.folders.getIamPolicy +- dataform.folders.queryContents - dataform.locations.get - dataform.locations.list +- dataform.operations.get +- dataform.operations.list - dataform.releaseConfigs.get - dataform.releaseConfigs.list - dataform.repositories.computeAccessTokenStatus @@ -218,6 +230,8 @@ permissions: - dataform.repositories.list - dataform.repositories.queryDirectoryContents - dataform.repositories.readFile +- dataform.teamFolders.get +- dataform.teamFolders.getIamPolicy - dataform.workflowConfigs.get - dataform.workflowConfigs.list - dataform.workflowInvocations.get @@ -242,12 +256,17 @@ permissions: - dataplex.content.get - dataplex.content.getIamPolicy - dataplex.content.list +- dataplex.dataAssets.get +- dataplex.dataAssets.list - dataplex.dataAttributeBindings.get - dataplex.dataAttributeBindings.getIamPolicy - dataplex.dataAttributeBindings.list - dataplex.dataAttributes.get - dataplex.dataAttributes.getIamPolicy - dataplex.dataAttributes.list +- dataplex.dataProducts.get +- dataplex.dataProducts.getIamPolicy +- dataplex.dataProducts.list - dataplex.dataTaxonomies.get - dataplex.dataTaxonomies.getIamPolicy - dataplex.dataTaxonomies.list 
@@ -258,6 +277,7 @@ permissions: - dataplex.entities.get - dataplex.entities.list - dataplex.entries.get +- dataplex.entries.getData - dataplex.entries.list - dataplex.entryGroups.export - dataplex.entryGroups.get
diff --git a/infra/iam/roles/roles_config.yaml b/infra/iam/roles/roles_config.yaml
index 1e94cdc2ccbd..453a3b07d977 100644
--- a/infra/iam/roles/roles_config.yaml
+++ b/infra/iam/roles/roles_config.yaml
@@ -52,7 +52,7 @@ roles:
 - iap
 - meshconfig
 - monitoring
- - pubsub
+ - pubsub. # TODO: Remove '.' after Pubsublite GCP service is fully deprecated.
 - redis
 - resourcemanager
 - secretmanager
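Review bot: The `pubsub.` entry in roles_config.yaml only has the intended effect if generate_roles.py treats each entry as a raw string prefix of the permission name, and that matching rule is not visible in this patch; the regenerated role files keep `pubsub.*` and drop `pubsublite.*`, which suggests it does. Because these lists decide which permissions end up in the IAM roles, the bare entries next to it (`iap`, `monitoring`, `redis`, …) would under the same rule also pull in any future service whose name merely starts with that string, without anyone choosing it at review time. Consider matching on the exact service segment before the first `.` in the generator rather than encoding the delimiter in one entry, and until then let the comment say why the dot is there, e.g. `- pubsub.  # trailing '.' stops the prefix match from also selecting pubsublite.* permissions`. The services list, and the role it belongs to, start above this hunk.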