Load all service agents identities from yaml
Source: https://cloud.google.com/iam/docs/service-agents
This commit is contained in:
Julio Castillo
parent
e2b0ef55ab
commit
b503bde544
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -24,71 +24,33 @@ locals {
|
|||
]
|
||||
"dataflow" : ["dataflow", "compute"]
|
||||
}
|
||||
_service_accounts_robot_services = {
|
||||
aiplatform = "service-%s@gcp-sa-aiplatform"
|
||||
apigee = "service-%s@gcp-sa-apigee"
|
||||
artifactregistry = "service-%s@gcp-sa-artifactregistry"
|
||||
bq = "bq-%s@bigquery-encryption"
|
||||
cloudasset = "service-%s@gcp-sa-cloudasset"
|
||||
cloudbatch = "service-%s@gcp-sa-cloudbatch"
|
||||
cloudbuild = "service-%s@gcp-sa-cloudbuild"
|
||||
cloudfunctions = "service-%s@gcf-admin-robot"
|
||||
cloudrun = "service-%s@serverless-robot-prod"
|
||||
composer = "service-%s@cloudcomposer-accounts"
|
||||
compute = "service-%s@compute-system"
|
||||
container-engine = "service-%s@container-engine-robot"
|
||||
containerregistry = "service-%s@containerregistry"
|
||||
dataflow = "service-%s@dataflow-service-producer-prod"
|
||||
dataplex = "service-%s@gcp-sa-dataplex"
|
||||
dataproc = "service-%s@dataproc-accounts"
|
||||
fleet = "service-%s@gcp-sa-gkehub"
|
||||
gae-flex = "service-%s@gae-api-prod"
|
||||
# TODO: deprecate gcf
|
||||
gcf = "service-%s@gcf-admin-robot"
|
||||
# TODO: jit?
|
||||
gke-mcs = "service-%s@gcp-sa-mcsd"
|
||||
monitoring-notifications = "service-%s@gcp-sa-monitoring-notification"
|
||||
multicluster-ingress = "service-%s@gcp-sa-multiclusteringress"
|
||||
multicluster-discovery = "service-%s@gcp-sa-mcsd"
|
||||
notebooks = "service-%s@gcp-sa-notebooks"
|
||||
pubsub = "service-%s@gcp-sa-pubsub"
|
||||
secretmanager = "service-%s@gcp-sa-secretmanager"
|
||||
servicemesh = "service-%s@gcp-sa-servicemesh"
|
||||
sql = "service-%s@gcp-sa-cloud-sql"
|
||||
sqladmin = "service-%s@gcp-sa-cloud-sql"
|
||||
storage = "service-%s@gs-project-accounts"
|
||||
}
|
||||
_service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
|
||||
service_accounts_default = {
|
||||
compute = "${local.project.number}-compute@developer.gserviceaccount.com"
|
||||
gae = "${local.project.project_id}@appspot.gserviceaccount.com"
|
||||
compute = "${local.project.number}-compute@developer.gserviceaccount.com"
|
||||
gae = "${local.project.project_id}@appspot.gserviceaccount.com"
|
||||
workstations = "service-${local.project.number}@gcp-sa-workstationsvm.iam.gserviceaccount.com"
|
||||
}
|
||||
service_account_cloud_services = (
|
||||
"${local.project.number}@cloudservices.gserviceaccount.com"
|
||||
)
|
||||
service_accounts_robots = merge(
|
||||
{
|
||||
for k, v in local._service_accounts_robot_services :
|
||||
k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
|
||||
for agent in local._service_agents_data :
|
||||
agent.name => format(agent.service_agent, local.project.number)
|
||||
},
|
||||
{
|
||||
for agent in local._service_agents_data :
|
||||
agent.alias => format(agent.service_agent, local.project.number)
|
||||
if lookup(agent, "alias", null) != null
|
||||
},
|
||||
{
|
||||
gke-mcs-importer = "${local.project.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
|
||||
}
|
||||
)
|
||||
# JIT-ed service accounts are created without default roles granted, these needs to be assigned manually to them
|
||||
# Roles can be found here: https://cloud.google.com/iam/docs/service-agents
|
||||
# Remember to update "Service identities requiring manual IAM grants" in README.md when updating this list
|
||||
service_accounts_jit_services = [
|
||||
"apigee.googleapis.com", # grant roles/apigee.serviceAgent to apigee
|
||||
"artifactregistry.googleapis.com", # grant roles/artifactregistry.serviceAgent to artifactregistry
|
||||
"cloudasset.googleapis.com", # grant roles/cloudasset.serviceAgent to cloudasset
|
||||
"cloudbuild.googleapis.com", # grant roles/cloudbuild.builds.builder to cloudbuild
|
||||
"gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
|
||||
"multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
|
||||
"pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
|
||||
"meshconfig.googleapis.com", # grant roles/anthosservicemesh.serviceAgent to meshconfig
|
||||
"notebooks.googleapis.com", # no grants needed
|
||||
"secretmanager.googleapis.com", # no grants needed
|
||||
"sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
|
||||
for agent in local._service_agents_data :
|
||||
"${agent.name}.googleapis.com"
|
||||
if lookup(agent, "jit", false)
|
||||
]
|
||||
service_accounts_cmek_service_keys = distinct(flatten([
|
||||
for s in keys(var.service_encryption_key_ids) : [
|
||||
|
|
|
|||
|
|
@ -0,0 +1,381 @@
|
|||
- name: "accessapproval"
|
||||
service_agent: "service-p%s@gcp-sa-accessapproval.iam.gserviceaccount.com"
|
||||
- name: "adsdatahub"
|
||||
service_agent: "service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com"
|
||||
- name: "aiplatform"
|
||||
service_agent: "service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com"
|
||||
- name: "aiplatform-cc"
|
||||
service_agent: "service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
|
||||
- name: "alloydb"
|
||||
service_agent: "service-%s@gcp-sa-alloydb.iam.gserviceaccount.com"
|
||||
- name: "anthos"
|
||||
service_agent: "service-%s@gcp-sa-anthos.iam.gserviceaccount.com"
|
||||
- name: "anthosaudit"
|
||||
service_agent: "service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com"
|
||||
- name: "anthosconfigmanagement"
|
||||
service_agent: "service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"
|
||||
- name: "anthosidentityservice"
|
||||
service_agent: "service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com"
|
||||
- name: "apigateway"
|
||||
service_agent: "service-%s@gcp-sa-apigateway.iam.gserviceaccount.com"
|
||||
- name: "apigateway-mgmt"
|
||||
service_agent: "service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com"
|
||||
- name: "apigee"
|
||||
service_agent: "service-%s@gcp-sa-apigee.iam.gserviceaccount.com"
|
||||
jit: true #roles/apigee.serviceAgent
|
||||
- name: "apigeeregistry"
|
||||
service_agent: "service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com"
|
||||
- name: "appdevelopmentexperience"
|
||||
service_agent: "service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com"
|
||||
- name: "appengineflex"
|
||||
alias: "gae-flex"
|
||||
service_agent: "service-%s@gae-api-prod.google.com.iam.gserviceaccount.com"
|
||||
- name: "appenginestandard"
|
||||
service_agent: "service-%s@gcp-gae-service.iam.gserviceaccount.com"
|
||||
- name: "artifactregistry"
|
||||
service_agent: "service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com"
|
||||
jit: true # roles/artifactregistry.serviceAgent
|
||||
- name: "assuredworkloads"
|
||||
service_agent: "service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com"
|
||||
- name: "automl"
|
||||
service_agent: "service-%s@gcp-sa-automl.iam.gserviceaccount.com"
|
||||
- name: "backupdr"
|
||||
service_agent: "service-%s@gcp-sa-backupdr.iam.gserviceaccount.com"
|
||||
- name: "backupdr-run"
|
||||
service_agent: "service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com"
|
||||
- name: "baremetalsolution"
|
||||
service_agent: "service-%s@gcp-sa-bms.iam.gserviceaccount.com"
|
||||
- name: "batch"
|
||||
service_agent: "service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com"
|
||||
- name: "bigquery"
|
||||
alias: "bq"
|
||||
service_agent: "bq-%s@bigquery-encryption.iam.gserviceaccount.com"
|
||||
- name: "bigquery-omni"
|
||||
service_agent: "service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com"
|
||||
- name: "bigquery-ri"
|
||||
service_agent: "service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com"
|
||||
- name: "bigquerydatatransfer"
|
||||
service_agent: "service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
|
||||
- name: "bigtableadmin"
|
||||
service_agent: "service-%s@gcp-sa-bigtable.iam.gserviceaccount.com"
|
||||
- name: "binaryauthorization"
|
||||
service_agent: "service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
|
||||
- name: "certificatemanager"
|
||||
service_agent: "service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com"
|
||||
- name: "chronicle"
|
||||
service_agent: "service-%s@gcp-sa-chronicle.iam.gserviceaccount.com"
|
||||
- name: "cloudasset"
|
||||
service_agent: "service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com"
|
||||
jit: true # roles/cloudasset.serviceAgent
|
||||
- name: "cloudbuild"
|
||||
service_agent: "service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com"
|
||||
jit: true # roles/cloudbuild.builds.builder
|
||||
- name: "cloudbuild-builder"
|
||||
service_agent: "%s@cloudbuild.gserviceaccount.com.iam.gserviceaccount.com"
|
||||
- name: "cloudbuild-logging"
|
||||
service_agent: "service-%s@gcp-sa-log-cloudbuild.iam.gserviceaccount.com"
|
||||
- name: "clouddeploy"
|
||||
service_agent: "service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com"
|
||||
- name: "cloudfunctions"
|
||||
alias: "gcf"
|
||||
service_agent: "service-%s@gcf-admin-robot.iam.gserviceaccount.com"
|
||||
- name: "cloudiot"
|
||||
service_agent: "service-%s@gcp-sa-cloudiot.iam.gserviceaccount.com"
|
||||
- name: "cloudkms"
|
||||
service_agent: "service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com"
|
||||
- name: "cloudkms-ekms"
|
||||
service_agent: "service-%s@gcp-sa-ekms.iam.gserviceaccount.com"
|
||||
- name: "cloudoptimization"
|
||||
service_agent: "service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com"
|
||||
- name: "cloudscheduler"
|
||||
service_agent: "service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
|
||||
- name: "cloudtasks"
|
||||
service_agent: "service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com"
|
||||
- name: "cloudtrace"
|
||||
service_agent: "service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com"
|
||||
- name: "composer"
|
||||
service_agent: "service-%s@cloudcomposer-accounts.iam.gserviceaccount.com"
|
||||
- name: "compute"
|
||||
service_agent: "service-%s@compute-system.iam.gserviceaccount.com"
|
||||
- name: "compute-usage"
|
||||
service_agent: "service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com"
|
||||
- name: "config"
|
||||
service_agent: "service-%s@gcp-sa-config.iam.gserviceaccount.com"
|
||||
- name: "connectgateway"
|
||||
service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
|
||||
- name: "connectors"
|
||||
service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
|
||||
- name: "contactcenteraiplatform"
|
||||
service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
|
||||
- name: "contactcenterinsights"
|
||||
service_agent: "service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com"
|
||||
- name: "container"
|
||||
alias: "container-engine"
|
||||
service_agent: "service-%s@container-engine-robot.iam.gserviceaccount.com"
|
||||
- name: "container-gkenode"
|
||||
service_agent: "service-%s@gcp-sa-gkenode.iam.gserviceaccount.com"
|
||||
- name: "containeranalysis"
|
||||
service_agent: "service-%s@container-analysis.iam.gserviceaccount.com"
|
||||
- name: "containerregistry"
|
||||
service_agent: "service-%s@containerregistry.iam.gserviceaccount.com"
|
||||
- name: "containerscanning"
|
||||
service_agent: "service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com"
|
||||
- name: "containerthreatdetection"
|
||||
service_agent: "service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com"
|
||||
- name: "contentwarehouse"
|
||||
service_agent: "service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com"
|
||||
- name: "dataconnectors"
|
||||
service_agent: "service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com"
|
||||
- name: "dataflow"
|
||||
service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com"
|
||||
- name: "dataform"
|
||||
service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com"
|
||||
- name: "datafusion"
|
||||
service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com"
|
||||
- name: "datalabeling"
|
||||
service_agent: "service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com"
|
||||
- name: "datamigration"
|
||||
service_agent: "service-%s@gcp-sa-datamigration.iam.gserviceaccount.com"
|
||||
- name: "datapipelines"
|
||||
service_agent: "service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com"
|
||||
- name: "dataplex"
|
||||
service_agent: "service-%s@gcp-sa-dataplex.iam.gserviceaccount.com"
|
||||
- name: "dataproc"
|
||||
service_agent: "service-%s@dataproc-accounts.iam.gserviceaccount.com"
|
||||
- name: "datastream"
|
||||
service_agent: "service-%s@gcp-sa-datastream.iam.gserviceaccount.com"
|
||||
- name: "datastudio"
|
||||
service_agent: "service-%s@gcp-sa-datastudio.iam.gserviceaccount.com"
|
||||
- name: "dialogflow"
|
||||
service_agent: "service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com"
|
||||
- name: "discoveryengine"
|
||||
service_agent: "service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com"
|
||||
# dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
|
||||
- name: "dlp"
|
||||
service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
|
||||
- name: "documentai"
|
||||
service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
|
||||
- name: "edgecontainer"
|
||||
service_agent: "service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com"
|
||||
- name: "edgecontainer-cluster"
|
||||
service_agent: "service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com"
|
||||
- name: "endpoints"
|
||||
service_agent: "service-%s@gcp-sa-endpoints.iam.gserviceaccount.com"
|
||||
- name: "endpointsportal"
|
||||
service_agent: "service-%s@endpoints-portal.iam.gserviceaccount.com"
|
||||
- name: "enterpriseknowledgegraph"
|
||||
service_agent: "service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com"
|
||||
- name: "eventarc"
|
||||
service_agent: "service-%s@gcp-sa-eventarc.iam.gserviceaccount.com"
|
||||
- name: "file"
|
||||
service_agent: "service-%s@cloud-filer.iam.gserviceaccount.com"
|
||||
- name: "firebase"
|
||||
service_agent: "service-%s@gcp-sa-firebase.iam.gserviceaccount.com"
|
||||
- name: "firebaseappcheck"
|
||||
service_agent: "service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com"
|
||||
- name: "firebasedatabase"
|
||||
service_agent: "service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com"
|
||||
- name: "firebaseextensions"
|
||||
service_agent: "service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com"
|
||||
- name: "firebaserules"
|
||||
service_agent: "service-%s@firebase-rules.iam.gserviceaccount.com"
|
||||
- name: "firebasestorage"
|
||||
service_agent: "service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com"
|
||||
- name: "firestore"
|
||||
service_agent: "service-%s@gcp-sa-firestore.iam.gserviceaccount.com"
|
||||
- name: "firewallinsights"
|
||||
service_agent: "service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com"
|
||||
- name: "gameservices"
|
||||
service_agent: "service-%s@gcp-sa-gameservices.iam.gserviceaccount.com"
|
||||
- name: "genomics"
|
||||
service_agent: "service-%s@genomics-api.google.com.iam.gserviceaccount.com"
|
||||
- name: "gkebackup"
|
||||
service_agent: "service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com"
|
||||
- name: "gkehub"
|
||||
alias: "fleet"
|
||||
service_agent: "service-%s@gcp-sa-gkehub.iam.gserviceaccount.com"
|
||||
jit: true # roles/gkehub.serviceAgent
|
||||
- name: "gkemulticloud"
|
||||
service_agent: "service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
|
||||
- name: "gkeonprem"
|
||||
service_agent: "service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com"
|
||||
- name: "gsuiteaddons"
|
||||
service_agent: "service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com"
|
||||
- name: "healthcare"
|
||||
service_agent: "service-%s@gcp-sa-healthcare.iam.gserviceaccount.com"
|
||||
- name: "iap"
|
||||
service_agent: "service-%s@gcp-sa-iap.iam.gserviceaccount.com"
|
||||
- name: "identitytoolkit"
|
||||
service_agent: "service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com"
|
||||
- name: "ids"
|
||||
service_agent: "service-%s@gcp-sa-cloud-ids.iam.gserviceaccount.com"
|
||||
- name: "integrations"
|
||||
service_agent: "service-%s@gcp-sa-integrations.iam.gserviceaccount.com"
|
||||
- name: "krmapihosting"
|
||||
service_agent: "service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com"
|
||||
- name: "krmapihosting-dataplane"
|
||||
service_agent: "service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com"
|
||||
- name: "lifesciences"
|
||||
service_agent: "service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com"
|
||||
- name: "livestream"
|
||||
service_agent: "service-%s@gcp-sa-livestream.iam.gserviceaccount.com"
|
||||
- name: "logging"
|
||||
service_agent: "service-%s@gcp-sa-logging.iam.gserviceaccount.com"
|
||||
- name: "managedidentities"
|
||||
service_agent: "service-%s@gcp-sa-mi.iam.gserviceaccount.com"
|
||||
- name: "memcache"
|
||||
service_agent: "service-%s@cloud-memcache-sa.iam.gserviceaccount.com"
|
||||
- name: "meshconfig"
|
||||
service_agent: "service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com"
|
||||
jit: true # roles/anthosservicemesh.serviceAgent
|
||||
- name: "meshconfig-servicemesh"
|
||||
alias: "servicemesh"
|
||||
service_agent: "service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com"
|
||||
- name: "meshconfig-controlplane"
|
||||
service_agent: "service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com"
|
||||
- name: "meshconfig-dataplane"
|
||||
service_agent: "service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com"
|
||||
- name: "metastore"
|
||||
service_agent: "service-%s@gcp-sa-metastore.iam.gserviceaccount.com"
|
||||
- name: "migrationcenter"
|
||||
service_agent: "service-%s@gcp-sa-migcenter.iam.gserviceaccount.com"
|
||||
- name: "ml"
|
||||
service_agent: "service-%s@cloud-ml.google.com.iam.gserviceaccount.com"
|
||||
- name: "monitoring-deprecated"
|
||||
service_agent: "service-%s@gcp-sa-monitoring.iam.gserviceaccount.com"
|
||||
- name: "monitoring"
|
||||
alias: "monitoring-notifications"
|
||||
service_agent: "service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com"
|
||||
- name: "multiclusteringress"
|
||||
alias: "multicluster-ingress"
|
||||
service_agent: "service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com"
|
||||
jit: true # roles/multiclusteringress.serviceAgent
|
||||
- name: "multiclustermetering"
|
||||
service_agent: "service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com"
|
||||
- name: "multiclusterservicediscovery"
|
||||
alias: "gke-mcs"
|
||||
service_agent: "service-%s@gcp-sa-mcsd.iam.gserviceaccount.com"
|
||||
- name: "networkconnectivity"
|
||||
service_agent: "service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com"
|
||||
- name: "networkmanagement"
|
||||
service_agent: "service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com"
|
||||
- name: "networksecurity"
|
||||
service_agent: "service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com"
|
||||
- name: "networkservices"
|
||||
service_agent: "service-%s@gcp-sa-networkactions.iam.gserviceaccount.com"
|
||||
- name: "notebooks"
|
||||
service_agent: "service-%s@gcp-sa-notebooks.iam.gserviceaccount.com"
|
||||
jit: true
|
||||
- name: "ondemandscanning"
|
||||
service_agent: "service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com"
|
||||
- name: "osconfig"
|
||||
service_agent: "service-%s@gcp-sa-osconfig.iam.gserviceaccount.com"
|
||||
- name: "privateca"
|
||||
service_agent: "service-%s@gcp-sa-privateca.iam.gserviceaccount.com"
|
||||
- name: "pubsub"
|
||||
service_agent: "service-%s@gcp-sa-pubsub.iam.gserviceaccount.com"
|
||||
jit: true # roles/pubsub.serviceAgent
|
||||
- name: "pubsublite"
|
||||
service_agent: "service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com"
|
||||
- name: "rapidmigrationassessment"
|
||||
service_agent: "service-%s@gcp-sa-rma.iam.gserviceaccount.com"
|
||||
- name: "recommendationengine"
|
||||
service_agent: "service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com"
|
||||
- name: "redis"
|
||||
service_agent: "service-%s@cloud-redis.iam.gserviceaccount.com"
|
||||
#remotebuildexecution ="service-%s@gcp-sa-rbe"
|
||||
#remotebuildexecution ="service-%s@remotebuildexecution"
|
||||
- name: "retail"
|
||||
service_agent: "service-%s@gcp-sa-retail.iam.gserviceaccount.com"
|
||||
- name: "run"
|
||||
alias: "cloudrun"
|
||||
service_agent: "service-%s@serverless-robot-prod.iam.gserviceaccount.com"
|
||||
- name: "runapps"
|
||||
service_agent: "service-%s@gcp-sa-runapps.iam.gserviceaccount.com"
|
||||
- name: "sasportal"
|
||||
service_agent: "service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com"
|
||||
- name: "secretmanager"
|
||||
service_agent: "service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com"
|
||||
jit: true
|
||||
- name: "securedlandingzone"
|
||||
service_agent: "service-%s@gcp-sa-slz.iam.gserviceaccount.com"
|
||||
- name: "securitycenter-notification"
|
||||
service_agent: "service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com"
|
||||
- name: "securitycenter-vmtd"
|
||||
service_agent: "service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com"
|
||||
# securitycenter ="service-org-ORGANIZATION_NUMBER@security-center-api"
|
||||
- name: "serviceconsumermanagement"
|
||||
service_agent: "service-%s@service-consumer-management.iam.gserviceaccount.com"
|
||||
- name: "servicedirectory"
|
||||
service_agent: "service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com"
|
||||
- name: "servicenetworking"
|
||||
service_agent: "service-%s@service-networking.iam.gserviceaccount.com"
|
||||
- name: "sourcerepo"
|
||||
service_agent: "service-%s@sourcerepo-service-accounts.iam.gserviceaccount.com"
|
||||
- name: "spanner"
|
||||
service_agent: "service-%s@gcp-sa-spanner.iam.gserviceaccount.com"
|
||||
- name: "speech"
|
||||
service_agent: "service-%s@gcp-sa-speech.iam.gserviceaccount.com"
|
||||
- name: "sqladmin"
|
||||
alias: "sql"
|
||||
service_agent: "service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com"
|
||||
jit: true # roles/cloudsql.serviceAgent
|
||||
- name: "storage"
|
||||
service_agent: "service-%s@gs-project-accounts.iam.gserviceaccount.com"
|
||||
- name: "storagetransfer"
|
||||
service_agent: "project-%s@storage-transfer-service.iam.gserviceaccount.com"
|
||||
- name: "stream"
|
||||
service_agent: "service-%s@gcp-sa-stream.iam.gserviceaccount.com"
|
||||
- name: "tpu"
|
||||
service_agent: "service-%s@cloud-tpu.iam.gserviceaccount.com"
|
||||
- name: "tpu-v2"
|
||||
service_agent: "service-%s@gcp-sa-tpu.iam.gserviceaccount.com"
|
||||
- name: "transcoder"
|
||||
service_agent: "service-%s@gcp-sa-transcoder.iam.gserviceaccount.com"
|
||||
- name: "transferappliance"
|
||||
service_agent: "service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com"
|
||||
- name: "translate"
|
||||
service_agent: "service-%s@gcp-sa-translation.iam.gserviceaccount.com"
|
||||
- name: "visionai"
|
||||
service_agent: "service-%s@gcp-sa-visionai.iam.gserviceaccount.com"
|
||||
- name: "vmmigration"
|
||||
service_agent: "service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com"
|
||||
- name: "vmwareengine"
|
||||
service_agent: "service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com"
|
||||
- name: "vpcaccess"
|
||||
service_agent: "service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com"
|
||||
- name: "websecurityscanner"
|
||||
service_agent: "service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com"
|
||||
- name: "workflows"
|
||||
service_agent: "service-%s@gcp-sa-workflows.iam.gserviceaccount.com"
|
||||
- name: "workloadcertificate"
|
||||
service_agent: "service-%s@gcp-sa-workloadcert.iam.gserviceaccount.com"
|
||||
- name: "workloadmanager"
|
||||
service_agent: "service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com"
|
||||
- name: "workstations"
|
||||
service_agent: "service-%s@gcp-sa-workstations.iam.gserviceaccount.com"
|
||||
|
||||
|
||||
# "accessapproval.googleapis.com.
|
||||
# For the project: service-p%s@gcp-sa-accessapproval
|
||||
# For the folder: service-fFOLDER_NUMBER@gcp-sa-accessapproval
|
||||
# For the organization: service-oORGANIZATION_NUMBER@gcp-sa-accessapproval"
|
||||
|
||||
# "bigqueryconnection.googleapis.com.
|
||||
# bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel
|
||||
# connection-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel"
|
||||
|
||||
# sqladmin.googleapis.com.
|
||||
# For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
|
||||
# For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
|
||||
# For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
|
||||
|
||||
# logging.googleapis.com.
|
||||
# For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-logging
|
||||
# For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-logging
|
||||
# For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-logging
|
||||
|
||||
# integrations.googleapis.com.
|
||||
# For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-playbooks
|
||||
# For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-playbooks
|
||||
# For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-playbooks
|
||||
Loading…
Reference in New Issue