From b503bde544670d9acdd584a9798613dc84c0c0d5 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Thu, 30 Mar 2023 09:13:27 +0300
Subject: [PATCH] Load all service agents identities from yaml
Source: https://cloud.google.com/iam/docs/service-agents
---
 modules/project/service-accounts.tf | 68 ++---
 modules/project/service-agents.yaml | 381 ++++++++++++++++++++++++++++
 2 files changed, 396 insertions(+), 53 deletions(-)
 create mode 100644 modules/project/service-agents.yaml
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index afd1c619..4c6b419c 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -24,71 +24,33 @@ locals {
 ]
 "dataflow" : ["dataflow", "compute"]
 }
- _service_accounts_robot_services = {
- aiplatform = "service-%s@gcp-sa-aiplatform"
- apigee = "service-%s@gcp-sa-apigee"
- artifactregistry = "service-%s@gcp-sa-artifactregistry"
- bq = "bq-%s@bigquery-encryption"
- cloudasset = "service-%s@gcp-sa-cloudasset"
- cloudbatch = "service-%s@gcp-sa-cloudbatch"
- cloudbuild = "service-%s@gcp-sa-cloudbuild"
- cloudfunctions = "service-%s@gcf-admin-robot"
- cloudrun = "service-%s@serverless-robot-prod"
- composer = "service-%s@cloudcomposer-accounts"
- compute = "service-%s@compute-system"
- container-engine = "service-%s@container-engine-robot"
- containerregistry = "service-%s@containerregistry"
- dataflow = "service-%s@dataflow-service-producer-prod"
- dataplex = "service-%s@gcp-sa-dataplex"
- dataproc = "service-%s@dataproc-accounts"
- fleet = "service-%s@gcp-sa-gkehub"
- gae-flex = "service-%s@gae-api-prod"
- # TODO: deprecate gcf
- gcf = "service-%s@gcf-admin-robot"
- # TODO: jit?
- gke-mcs = "service-%s@gcp-sa-mcsd"
- monitoring-notifications = "service-%s@gcp-sa-monitoring-notification"
- multicluster-ingress = "service-%s@gcp-sa-multiclusteringress"
- multicluster-discovery = "service-%s@gcp-sa-mcsd"
- notebooks = "service-%s@gcp-sa-notebooks"
- pubsub = "service-%s@gcp-sa-pubsub"
- secretmanager = "service-%s@gcp-sa-secretmanager"
- servicemesh = "service-%s@gcp-sa-servicemesh"
- sql = "service-%s@gcp-sa-cloud-sql"
- sqladmin = "service-%s@gcp-sa-cloud-sql"
- storage = "service-%s@gs-project-accounts"
- }
+ _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
 service_accounts_default = {
- compute = "${local.project.number}-compute@developer.gserviceaccount.com"
- gae = "${local.project.project_id}@appspot.gserviceaccount.com"
+ compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+ gae = "${local.project.project_id}@appspot.gserviceaccount.com"
+ workstations = "service-${local.project.number}@gcp-sa-workstationsvm.iam.gserviceaccount.com"
 }
 service_account_cloud_services = (
 "${local.project.number}@cloudservices.gserviceaccount.com"
 )
 service_accounts_robots = merge(
 {
- for k, v in local._service_accounts_robot_services :
- k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
+ for agent in local._service_agents_data :
+ agent.name => format(agent.service_agent, local.project.number)
+ },
+ {
+ for agent in local._service_agents_data :
+ agent.alias => format(agent.service_agent, local.project.number)
+ if lookup(agent, "alias", null) != null
 },
 {
 gke-mcs-importer = "${local.project.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
 }
 )
- # JIT-ed service accounts are created without default roles granted, these needs to be assigned manually to them
- # Roles can be found here: https://cloud.google.com/iam/docs/service-agents
- # Remember to update "Service identities requiring manual IAM grants" in README.md when updating this list
 service_accounts_jit_services = [
-
"apigee.googleapis.com", # grant roles/apigee.serviceAgent to apigee
- "artifactregistry.googleapis.com", # grant roles/artifactregistry.serviceAgent to artifactregistry
- "cloudasset.googleapis.com", # grant roles/cloudasset.serviceAgent to cloudasset
- "cloudbuild.googleapis.com", # grant roles/cloudbuild.builds.builder to cloudbuild
- "gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
- "multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
- "pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
- "meshconfig.googleapis.com", # grant roles/anthosservicemesh.serviceAgent to meshconfig
- "notebooks.googleapis.com", # no grants needed
- "secretmanager.googleapis.com", # no grants needed
- "sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
+ for agent in local._service_agents_data :
+ "${agent.name}.googleapis.com"
+ if lookup(agent, "jit", false)
 ]
 service_accounts_cmek_service_keys = distinct(flatten([
 for s in keys(var.service_encryption_key_ids) : [
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
new file mode 100644
index 00000000..e9bf0c51
--- /dev/null
+++ b/modules/project/service-agents.yaml
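Review bot: The new `service_accounts_robots` comprehension no longer exposes two keys the removed `_service_accounts_robot_services` literal had, `cloudbatch` (the yaml entry is `name: "batch"` with no alias) and `multicluster-discovery` (`multiclusterservicediscovery` only carries `alias: "gke-mcs"`), so any IAM binding or CMEK grant in this module or a downstream root that still indexes those keys would now fail at plan time. Because `alias` is a scalar the second key cannot be restored by data alone; letting the alias map accept either a string or a list, as below, and then writing `alias: "cloudbatch"` and `alias: ["gke-mcs", "multicluster-discovery"]` in the yaml restores both keys. Note also that `merge` lets an alias silently shadow a same-named agent, so a `precondition` asserting the name and alias sets are disjoint is worth adding. Finally, the deleted comment above `service_accounts_jit_services` was the only place recording that JIT agents get no default roles and that the README section must be kept in sync; keep it above the new comprehension, e.g. `# Agents flagged jit: true in service-agents.yaml are created without default roles; grant them manually and keep "Service identities requiring manual IAM grants" in README.md in sync`.
```hcl
service_accounts_robots = merge(
  {
    for agent in local._service_agents_data :
    agent.name => format(agent.service_agent, local.project.number)
  },
  # one key per alias; `alias` may be a single string or a list of strings
  merge([
    for agent in local._service_agents_data : {
      for alias in try(flatten([agent.alias]), []) :
      alias => format(agent.service_agent, local.project.number)
    }
  ]...),
  # … unchanged: gke-mcs-importer entry …
)
```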
@@ -0,0 +1,381 @@
+- name: "accessapproval"
+ service_agent: "service-p%s@gcp-sa-accessapproval.iam.gserviceaccount.com"
+- name: "adsdatahub"
+ service_agent: "service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com"
+- name: "aiplatform"
+ service_agent: "service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com"
+- name: "aiplatform-cc"
+ service_agent: "service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
+- name: "alloydb"
+ service_agent: "service-%s@gcp-sa-alloydb.iam.gserviceaccount.com"
+- name: "anthos"
+ service_agent: "service-%s@gcp-sa-anthos.iam.gserviceaccount.com"
+- name: "anthosaudit"
+ service_agent: "service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com"
+- name: "anthosconfigmanagement"
+ service_agent: "service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"
+- name: "anthosidentityservice"
+ service_agent: "service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com"
+- name: "apigateway"
+ service_agent: "service-%s@gcp-sa-apigateway.iam.gserviceaccount.com"
+- name: "apigateway-mgmt"
+ service_agent: "service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com"
+- name: "apigee"
+ service_agent: "service-%s@gcp-sa-apigee.iam.gserviceaccount.com"
+ jit: true #roles/apigee.serviceAgent
+- name: "apigeeregistry"
+ service_agent: "service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com"
+- name: "appdevelopmentexperience"
+ service_agent: "service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com"
+- name: "appengineflex"
+ alias: "gae-flex"
+ service_agent: "service-%s@gae-api-prod.google.com.iam.gserviceaccount.com"
+- name: "appenginestandard"
+ service_agent: "service-%s@gcp-gae-service.iam.gserviceaccount.com"
+- name: "artifactregistry"
+ service_agent: "service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+ jit: true # roles/artifactregistry.serviceAgent
+- name: "assuredworkloads"
+ service_agent: "service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com"
+- name: "automl"
+ service_agent: 
"service-%s@gcp-sa-automl.iam.gserviceaccount.com"
+- name: "backupdr"
+ service_agent: "service-%s@gcp-sa-backupdr.iam.gserviceaccount.com"
+- name: "backupdr-run"
+ service_agent: "service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com"
+- name: "baremetalsolution"
+ service_agent: "service-%s@gcp-sa-bms.iam.gserviceaccount.com"
+- name: "batch"
+ service_agent: "service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com"
+- name: "bigquery"
+ alias: "bq"
+ service_agent: "bq-%s@bigquery-encryption.iam.gserviceaccount.com"
+- name: "bigquery-omni"
+ service_agent: "service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com"
+- name: "bigquery-ri"
+ service_agent: "service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com"
+- name: "bigquerydatatransfer"
+ service_agent: "service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
+- name: "bigtableadmin"
+ service_agent: "service-%s@gcp-sa-bigtable.iam.gserviceaccount.com"
+- name: "binaryauthorization"
+ service_agent: "service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
+- name: "certificatemanager"
+ service_agent: "service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com"
+- name: "chronicle"
+ service_agent: "service-%s@gcp-sa-chronicle.iam.gserviceaccount.com"
+- name: "cloudasset"
+ service_agent: "service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com"
+ jit: true # roles/cloudasset.serviceAgent
+- name: "cloudbuild"
+ service_agent: "service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+ jit: true # roles/cloudbuild.builds.builder
+- name: "cloudbuild-builder"
+ service_agent: "%s@cloudbuild.gserviceaccount.com.iam.gserviceaccount.com"
+- name: "cloudbuild-logging"
+ service_agent: "service-%s@gcp-sa-log-cloudbuild.iam.gserviceaccount.com"
+- name: "clouddeploy"
+ service_agent: "service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com"
+- name: "cloudfunctions"
+ alias: "gcf"
+ service_agent: "service-%s@gcf-admin-robot.iam.gserviceaccount.com"
+- name: "cloudiot"
+ service_agent: 
"service-%s@gcp-sa-cloudiot.iam.gserviceaccount.com"
+- name: "cloudkms"
+ service_agent: "service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com"
+- name: "cloudkms-ekms"
+ service_agent: "service-%s@gcp-sa-ekms.iam.gserviceaccount.com"
+- name: "cloudoptimization"
+ service_agent: "service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com"
+- name: "cloudscheduler"
+ service_agent: "service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
+- name: "cloudtasks"
+ service_agent: "service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com"
+- name: "cloudtrace"
+ service_agent: "service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com"
+- name: "composer"
+ service_agent: "service-%s@cloudcomposer-accounts.iam.gserviceaccount.com"
+- name: "compute"
+ service_agent: "service-%s@compute-system.iam.gserviceaccount.com"
+- name: "compute-usage"
+ service_agent: "service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com"
+- name: "config"
+ service_agent: "service-%s@gcp-sa-config.iam.gserviceaccount.com"
+- name: "connectgateway"
+ service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
+- name: "connectors"
+ service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
+- name: "contactcenteraiplatform"
+ service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
+- name: "contactcenterinsights"
+ service_agent: "service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com"
+- name: "container"
+ alias: "container-engine"
+ service_agent: "service-%s@container-engine-robot.iam.gserviceaccount.com"
+- name: "container-gkenode"
+ service_agent: "service-%s@gcp-sa-gkenode.iam.gserviceaccount.com"
+- name: "containeranalysis"
+ service_agent: "service-%s@container-analysis.iam.gserviceaccount.com"
+- name: "containerregistry"
+ service_agent: "service-%s@containerregistry.iam.gserviceaccount.com"
+- name: "containerscanning"
+ service_agent: "service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com"
+- name: "containerthreatdetection"
+ service_agent: 
"service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com"
+- name: "contentwarehouse"
+ service_agent: "service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com"
+- name: "dataconnectors"
+ service_agent: "service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com"
+- name: "dataflow"
+ service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com"
+- name: "dataform"
+ service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com"
+- name: "datafusion"
+ service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com"
+- name: "datalabeling"
+ service_agent: "service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com"
+- name: "datamigration"
+ service_agent: "service-%s@gcp-sa-datamigration.iam.gserviceaccount.com"
+- name: "datapipelines"
+ service_agent: "service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com"
+- name: "dataplex"
+ service_agent: "service-%s@gcp-sa-dataplex.iam.gserviceaccount.com"
+- name: "dataproc"
+ service_agent: "service-%s@dataproc-accounts.iam.gserviceaccount.com"
+- name: "datastream"
+ service_agent: "service-%s@gcp-sa-datastream.iam.gserviceaccount.com"
+- name: "datastudio"
+ service_agent: "service-%s@gcp-sa-datastudio.iam.gserviceaccount.com"
+- name: "dialogflow"
+ service_agent: "service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com"
+- name: "discoveryengine"
+ service_agent: "service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com"
+ # dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
+- name: "dlp"
+ service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
+- name: "documentai"
+ service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
+- name: "edgecontainer"
+ service_agent: "service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com"
+- name: "edgecontainer-cluster"
+ service_agent: "service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com"
+- name: "endpoints"
+ service_agent: "service-%s@gcp-sa-endpoints.iam.gserviceaccount.com"
+- name: "endpointsportal"
+ service_agent: 
"service-%s@endpoints-portal.iam.gserviceaccount.com"
+- name: "enterpriseknowledgegraph"
+ service_agent: "service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com"
+- name: "eventarc"
+ service_agent: "service-%s@gcp-sa-eventarc.iam.gserviceaccount.com"
+- name: "file"
+ service_agent: "service-%s@cloud-filer.iam.gserviceaccount.com"
+- name: "firebase"
+ service_agent: "service-%s@gcp-sa-firebase.iam.gserviceaccount.com"
+- name: "firebaseappcheck"
+ service_agent: "service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com"
+- name: "firebasedatabase"
+ service_agent: "service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com"
+- name: "firebaseextensions"
+ service_agent: "service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com"
+- name: "firebaserules"
+ service_agent: "service-%s@firebase-rules.iam.gserviceaccount.com"
+- name: "firebasestorage"
+ service_agent: "service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com"
+- name: "firestore"
+ service_agent: "service-%s@gcp-sa-firestore.iam.gserviceaccount.com"
+- name: "firewallinsights"
+ service_agent: "service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com"
+- name: "gameservices"
+ service_agent: "service-%s@gcp-sa-gameservices.iam.gserviceaccount.com"
+- name: "genomics"
+ service_agent: "service-%s@genomics-api.google.com.iam.gserviceaccount.com"
+- name: "gkebackup"
+ service_agent: "service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com"
+- name: "gkehub"
+ alias: "fleet"
+ service_agent: "service-%s@gcp-sa-gkehub.iam.gserviceaccount.com"
+ jit: true # roles/gkehub.serviceAgent
+- name: "gkemulticloud"
+ service_agent: "service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
+- name: "gkeonprem"
+ service_agent: "service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com"
+- name: "gsuiteaddons"
+ service_agent: "service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com"
+- name: "healthcare"
+ service_agent: "service-%s@gcp-sa-healthcare.iam.gserviceaccount.com"
+- name: "iap"
+ service_agent: 
"service-%s@gcp-sa-iap.iam.gserviceaccount.com"
+- name: "identitytoolkit"
+ service_agent: "service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com"
+- name: "ids"
+ service_agent: "service-%s@gcp-sa-cloud-ids.iam.gserviceaccount.com"
+- name: "integrations"
+ service_agent: "service-%s@gcp-sa-integrations.iam.gserviceaccount.com"
+- name: "krmapihosting"
+ service_agent: "service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com"
+- name: "krmapihosting-dataplane"
+ service_agent: "service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com"
+- name: "lifesciences"
+ service_agent: "service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com"
+- name: "livestream"
+ service_agent: "service-%s@gcp-sa-livestream.iam.gserviceaccount.com"
+- name: "logging"
+ service_agent: "service-%s@gcp-sa-logging.iam.gserviceaccount.com"
+- name: "managedidentities"
+ service_agent: "service-%s@gcp-sa-mi.iam.gserviceaccount.com"
+- name: "memcache"
+ service_agent: "service-%s@cloud-memcache-sa.iam.gserviceaccount.com"
+- name: "meshconfig"
+ service_agent: "service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com"
+ jit: true # roles/anthosservicemesh.serviceAgent
+- name: "meshconfig-servicemesh"
+ alias: "servicemesh"
+ service_agent: "service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com"
+- name: "meshconfig-controlplane"
+ service_agent: "service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com"
+- name: "meshconfig-dataplane"
+ service_agent: "service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com"
+- name: "metastore"
+ service_agent: "service-%s@gcp-sa-metastore.iam.gserviceaccount.com"
+- name: "migrationcenter"
+ service_agent: "service-%s@gcp-sa-migcenter.iam.gserviceaccount.com"
+- name: "ml"
+ service_agent: "service-%s@cloud-ml.google.com.iam.gserviceaccount.com"
+- name: "monitoring-deprecated"
+ service_agent: "service-%s@gcp-sa-monitoring.iam.gserviceaccount.com"
+- name: "monitoring"
+ alias: "monitoring-notifications"
+ service_agent: 
"service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com"
+- name: "multiclusteringress"
+ alias: "multicluster-ingress"
+ service_agent: "service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com"
+ jit: true # roles/multiclusteringress.serviceAgent
+- name: "multiclustermetering"
+ service_agent: "service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com"
+- name: "multiclusterservicediscovery"
+ alias: "gke-mcs"
+ service_agent: "service-%s@gcp-sa-mcsd.iam.gserviceaccount.com"
+- name: "networkconnectivity"
+ service_agent: "service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com"
+- name: "networkmanagement"
+ service_agent: "service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com"
+- name: "networksecurity"
+ service_agent: "service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com"
+- name: "networkservices"
+ service_agent: "service-%s@gcp-sa-networkactions.iam.gserviceaccount.com"
+- name: "notebooks"
+ service_agent: "service-%s@gcp-sa-notebooks.iam.gserviceaccount.com"
+ jit: true
+- name: "ondemandscanning"
+ service_agent: "service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com"
+- name: "osconfig"
+ service_agent: "service-%s@gcp-sa-osconfig.iam.gserviceaccount.com"
+- name: "privateca"
+ service_agent: "service-%s@gcp-sa-privateca.iam.gserviceaccount.com"
+- name: "pubsub"
+ service_agent: "service-%s@gcp-sa-pubsub.iam.gserviceaccount.com"
+ jit: true # roles/pubsub.serviceAgent
+- name: "pubsublite"
+ service_agent: "service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com"
+- name: "rapidmigrationassessment"
+ service_agent: "service-%s@gcp-sa-rma.iam.gserviceaccount.com"
+- name: "recommendationengine"
+ service_agent: "service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com"
+- name: "redis"
+ service_agent: "service-%s@cloud-redis.iam.gserviceaccount.com"
+ #remotebuildexecution ="service-%s@gcp-sa-rbe"
+ #remotebuildexecution ="service-%s@remotebuildexecution"
+- name: "retail"
+ service_agent: 
"service-%s@gcp-sa-retail.iam.gserviceaccount.com"
+- name: "run"
+ alias: "cloudrun"
+ service_agent: "service-%s@serverless-robot-prod.iam.gserviceaccount.com"
+- name: "runapps"
+ service_agent: "service-%s@gcp-sa-runapps.iam.gserviceaccount.com"
+- name: "sasportal"
+ service_agent: "service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com"
+- name: "secretmanager"
+ service_agent: "service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com"
+ jit: true
+- name: "securedlandingzone"
+ service_agent: "service-%s@gcp-sa-slz.iam.gserviceaccount.com"
+- name: "securitycenter-notification"
+ service_agent: "service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com"
+- name: "securitycenter-vmtd"
+ service_agent: "service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com"
+ # securitycenter ="service-org-ORGANIZATION_NUMBER@security-center-api"
+- name: "serviceconsumermanagement"
+ service_agent: "service-%s@service-consumer-management.iam.gserviceaccount.com"
+- name: "servicedirectory"
+ service_agent: "service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com"
+- name: "servicenetworking"
+ service_agent: "service-%s@service-networking.iam.gserviceaccount.com"
+- name: "sourcerepo"
+ service_agent: "service-%s@sourcerepo-service-accounts.iam.gserviceaccount.com"
+- name: "spanner"
+ service_agent: "service-%s@gcp-sa-spanner.iam.gserviceaccount.com"
+- name: "speech"
+ service_agent: "service-%s@gcp-sa-speech.iam.gserviceaccount.com"
+- name: "sqladmin"
+ alias: "sql"
+ service_agent: "service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com"
+ jit: true # roles/cloudsql.serviceAgent
+- name: "storage"
+ service_agent: "service-%s@gs-project-accounts.iam.gserviceaccount.com"
+- name: "storagetransfer"
+ service_agent: "project-%s@storage-transfer-service.iam.gserviceaccount.com"
+- name: "stream"
+ service_agent: "service-%s@gcp-sa-stream.iam.gserviceaccount.com"
+- name: "tpu"
+ service_agent: "service-%s@cloud-tpu.iam.gserviceaccount.com"
+- name: "tpu-v2"
+ service_agent: 
"service-%s@gcp-sa-tpu.iam.gserviceaccount.com"
+- name: "transcoder"
+ service_agent: "service-%s@gcp-sa-transcoder.iam.gserviceaccount.com"
+- name: "transferappliance"
+ service_agent: "service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com"
+- name: "translate"
+ service_agent: "service-%s@gcp-sa-translation.iam.gserviceaccount.com"
+- name: "visionai"
+ service_agent: "service-%s@gcp-sa-visionai.iam.gserviceaccount.com"
+- name: "vmmigration"
+ service_agent: "service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com"
+- name: "vmwareengine"
+ service_agent: "service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com"
+- name: "vpcaccess"
+ service_agent: "service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com"
+- name: "websecurityscanner"
+ service_agent: "service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com"
+- name: "workflows"
+ service_agent: "service-%s@gcp-sa-workflows.iam.gserviceaccount.com"
+- name: "workloadcertificate"
+ service_agent: "service-%s@gcp-sa-workloadcert.iam.gserviceaccount.com"
+- name: "workloadmanager"
+ service_agent: "service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com"
+- name: "workstations"
+ service_agent: "service-%s@gcp-sa-workstations.iam.gserviceaccount.com"
+
+
+ # "accessapproval.googleapis.com.
+ # For the project: service-p%s@gcp-sa-accessapproval
+ # For the folder: service-fFOLDER_NUMBER@gcp-sa-accessapproval
+ # For the organization: service-oORGANIZATION_NUMBER@gcp-sa-accessapproval"
+
+ # "bigqueryconnection.googleapis.com.
+ # bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel
+ # connection-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel"
+
+ # sqladmin.googleapis.com.
+ # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
+ # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
+ # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
+
+ # logging.googleapis.com.
+ # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-logging
+ # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-logging
+ # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-logging
+
+ # integrations.googleapis.com.
+ # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-playbooks
+ # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-playbooks
+ # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-playbooks
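Review bot: The `cloudbuild-builder` entry's `service_agent` is `"%s@cloudbuild.gserviceaccount.com.iam.gserviceaccount.com"`, which stacks two `gserviceaccount.com` suffixes and is not a valid service-account address; the legacy Cloud Build account on the linked service-agents page is `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`, so the line should read `service_agent: "%s@cloudbuild.gserviceaccount.com"`, otherwise any IAM binding made through `service_accounts_robots["cloudbuild-builder"]` targets a principal that cannot exist. Related: `cloudbuild`'s `jit: true # roles/cloudbuild.builds.builder` was carried over from the removed list, but that role is the one conventionally granted to the legacy builder account, whereas the `gcp-sa-cloudbuild` agent itself uses `roles/cloudbuild.serviceAgent`, so verify against the doc before anyone grants from the comment. The `notebooks` and `secretmanager` entries lost the `# no grants needed` note and `sqladmin` lost its `(TODO: verify)` caveat; give every `jit: true` line the same form of comment (e.g. `jit: true # no manual grants needed`) so the file stays usable as the README's source of truth for manual IAM grants. A short header comment stating the schema — `name` is the API id without `.googleapis.com`, optional `alias` is an extra key exposed in `service_accounts_robots`, `service_agent` is a format pattern taking the project number, and `jit` puts the API in `service_accounts_jit_services` whose roles are granted manually — would let contributors extend the file without reading the Terraform.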