# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Lookup table of Google Cloud service agent e-mail templates.
#
# Each list item carries:
#   name          - short service key.
#   alias         - optional second key for the same agent.
#   service_agent - e-mail template of the agent. `%s` is a format
#                   placeholder; the notes at the end of this file suggest
#                   it stands for the project number - confirm in the consumer.
#   jit           - optional flag. NOTE(review): presumably marks agents that
#                   are only created on demand ("just in time") and must be
#                   provisioned before they can be referenced - confirm. The
#                   trailing `# roles/...` comment on those lines looks like
#                   the role tied to that agent; `# none` presumably means no
#                   role - confirm.
#
# Review guidance: if the consumer builds IAM members from these strings (not
# visible in this file), a typo in a prefix or domain points a grant at a
# principal that does not exist or at a different identity. Compare every new
# or changed template with Google's published service agent list before
# merging, and keep the list sorted so duplicate keys are easy to spot.

# Project-level form only; folder and organization forms are listed in the
# notes at the end of this file. Note the `service-p%s` prefix.
- name: "accessapproval"
  service_agent: "service-p%s@gcp-sa-accessapproval.iam.gserviceaccount.com"
- name: "adsdatahub"
  service_agent: "service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com"
- name: "aiplatform"
  service_agent: "service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com"
  jit: true  # roles/aiplatform.customCodeServiceAgent
- name: "aiplatform-cc"
  service_agent: "service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
- name: "alloydb"
  service_agent: "service-%s@gcp-sa-alloydb.iam.gserviceaccount.com"
- name: "anthos"
  service_agent: "service-%s@gcp-sa-anthos.iam.gserviceaccount.com"
- name: "anthosaudit"
  service_agent: "service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com"
- name: "anthosconfigmanagement"
  service_agent: "service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"
- name: "anthosidentityservice"
  service_agent: "service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com"
- name: "apigateway"
  service_agent: "service-%s@gcp-sa-apigateway.iam.gserviceaccount.com"
- name: "apigateway-mgmt"
  service_agent: "service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com"
- name: "apigee"
  service_agent: "service-%s@gcp-sa-apigee.iam.gserviceaccount.com"
  jit: true  # roles/apigee.serviceAgent
- name: "apigeeregistry"
  service_agent: "service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com"
- name: "appdevelopmentexperience"
  service_agent: "service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com"
- name: "appengineflex"
  alias: "gae-flex"
  service_agent: "service-%s@gae-api-prod.google.com.iam.gserviceaccount.com"
- name: "appenginestandard"
  service_agent: "service-%s@gcp-gae-service.iam.gserviceaccount.com"
- name: "artifactregistry"
  service_agent: "service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com"
  jit: true  # roles/artifactregistry.serviceAgent
- name: "assuredworkloads"
  service_agent: "service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com"
- name: "automl"
  service_agent: "service-%s@gcp-sa-automl.iam.gserviceaccount.com"
- name: "backupdr"
  service_agent: "service-%s@gcp-sa-backupdr.iam.gserviceaccount.com"
- name: "backupdr-run"
  service_agent: "service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com"
- name: "baremetalsolution"
  service_agent: "service-%s@gcp-sa-bms.iam.gserviceaccount.com"
- name: "batch"
  service_agent: "service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com"
# Prefix is `bq-%s`, not the usual `service-%s`.
- name: "bigquery"
  alias: "bq"
  service_agent: "bq-%s@bigquery-encryption.iam.gserviceaccount.com"
- name: "bigquery-omni"
  service_agent: "service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com"
- name: "bigquery-ri"
  service_agent: "service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com"
- name: "bigquerydatatransfer"
  service_agent: "service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
- name: "bigtableadmin"
  service_agent: "service-%s@gcp-sa-bigtable.iam.gserviceaccount.com"
  jit: true
- name: "binaryauthorization"
  service_agent: "service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
- name: "certificatemanager"
  service_agent: "service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com"
- name: "chronicle"
  service_agent: "service-%s@gcp-sa-chronicle.iam.gserviceaccount.com"
- name: "cloudasset"
  service_agent: "service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com"
  jit: true  # roles/cloudasset.serviceAgent
- name: "cloudbuild"
  service_agent: "service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com"
  jit: true  # roles/cloudbuild.builds.builder
# NOTE(review): the domain below is `cloudbuild.gserviceaccount.com` followed
# by `.iam.gserviceaccount.com`, and the local part is the bare `%s`. The
# legacy Cloud Build account is normally written
# PROJECT_NUMBER@cloudbuild.gserviceaccount.com - confirm this template
# resolves to a real principal before it is used in a binding.
- name: "cloudbuild-builder"
  service_agent: "%s@cloudbuild.gserviceaccount.com.iam.gserviceaccount.com"
- name: "cloudbuild-logging"
  service_agent: "service-%s@gcp-sa-log-cloudbuild.iam.gserviceaccount.com"
- name: "clouddeploy"
  service_agent: "service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com"
- name: "cloudfunctions"
  alias: "gcf"
  service_agent: "service-%s@gcf-admin-robot.iam.gserviceaccount.com"
- name: "cloudiot"
  service_agent: "service-%s@gcp-sa-cloudiot.iam.gserviceaccount.com"
- name: "cloudkms"
  service_agent: "service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com"
- name: "cloudkms-ekms"
  service_agent: "service-%s@gcp-sa-ekms.iam.gserviceaccount.com"
- name: "cloudoptimization"
  service_agent: "service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com"
- name: "cloudscheduler"
  service_agent: "service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
- name: "cloudtasks"
  service_agent: "service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com"
- name: "cloudtrace"
  service_agent: "service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com"
- name: "composer"
  service_agent: "service-%s@cloudcomposer-accounts.iam.gserviceaccount.com"
- name: "compute"
  service_agent: "service-%s@compute-system.iam.gserviceaccount.com"
- name: "compute-usage"
  service_agent: "service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com"
- name: "config"
  service_agent: "service-%s@gcp-sa-config.iam.gserviceaccount.com"
- name: "connectgateway"
  service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
- name: "connectors"
  service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
- name: "contactcenteraiplatform"
  service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
- name: "contactcenterinsights"
  service_agent: "service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com"
- name: "container"
  alias: "container-engine"
  service_agent: "service-%s@container-engine-robot.iam.gserviceaccount.com"
- name: "container-gkenode"
  service_agent: "service-%s@gcp-sa-gkenode.iam.gserviceaccount.com"
- name: "containeranalysis"
  service_agent: "service-%s@container-analysis.iam.gserviceaccount.com"
- name: "containerregistry"
  service_agent: "service-%s@containerregistry.iam.gserviceaccount.com"
- name: "containerscanning"
  service_agent: "service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com"
- name: "containerthreatdetection"
  service_agent: "service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com"
- name: "contentwarehouse"
  service_agent: "service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com"
- name: "dataconnectors"
  service_agent: "service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com"
- name: "dataflow"
  service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com"
- name: "dataform"
  service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com"
  jit: true  # roles/dataform.serviceAgent
- name: "datafusion"
  service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com"
- name: "datalabeling"
  service_agent: "service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com"
- name: "datamigration"
  service_agent: "service-%s@gcp-sa-datamigration.iam.gserviceaccount.com"
- name: "datapipelines"
  service_agent: "service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com"
- name: "dataplex"
  service_agent: "service-%s@gcp-sa-dataplex.iam.gserviceaccount.com"
  jit: true  # roles/dataplex.serviceAgent
- name: "dataproc"
  service_agent: "service-%s@dataproc-accounts.iam.gserviceaccount.com"
- name: "datastream"
  service_agent: "service-%s@gcp-sa-datastream.iam.gserviceaccount.com"
- name: "datastudio"
  service_agent: "service-%s@gcp-sa-datastudio.iam.gserviceaccount.com"
- name: "dialogflow"
  service_agent: "service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com"
- name: "discoveryengine"
  service_agent: "service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com"
# Not templated here (address keyed by organization number, not `%s`):
# dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
- name: "dlp"
  service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
  jit: true
- name: "documentai"
  service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
- name: "edgecontainer"
  service_agent: "service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com"
- name: "edgecontainer-cluster"
  service_agent: "service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com"
- name: "endpoints"
  service_agent: "service-%s@gcp-sa-endpoints.iam.gserviceaccount.com"
- name: "endpointsportal"
  service_agent: "service-%s@endpoints-portal.iam.gserviceaccount.com"
- name: "enterpriseknowledgegraph"
  service_agent: "service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com"
- name: "eventarc"
  service_agent: "service-%s@gcp-sa-eventarc.iam.gserviceaccount.com"
- name: "file"
  service_agent: "service-%s@cloud-filer.iam.gserviceaccount.com"
- name: "firebase"
  service_agent: "service-%s@gcp-sa-firebase.iam.gserviceaccount.com"
- name: "firebaseappcheck"
  service_agent: "service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com"
- name: "firebasedatabase"
  service_agent: "service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com"
- name: "firebaseextensions"
  service_agent: "service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com"
- name: "firebaserules"
  service_agent: "service-%s@firebase-rules.iam.gserviceaccount.com"
- name: "firebasestorage"
  service_agent: "service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com"
- name: "firestore"
  service_agent: "service-%s@gcp-sa-firestore.iam.gserviceaccount.com"
- name: "firewallinsights"
  service_agent: "service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com"
- name: "gameservices"
  service_agent: "service-%s@gcp-sa-gameservices.iam.gserviceaccount.com"
- name: "genomics"
  service_agent: "service-%s@genomics-api.google.com.iam.gserviceaccount.com"
- name: "gkebackup"
  service_agent: "service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com"
- name: "gkehub"
  alias: "fleet"
  service_agent: "service-%s@gcp-sa-gkehub.iam.gserviceaccount.com"
  jit: true  # roles/gkehub.serviceAgent
- name: "gkemulticloud"
  service_agent: "service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
- name: "gkeonprem"
  service_agent: "service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com"
- name: "gsuiteaddons"
  service_agent: "service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com"
- name: "healthcare"
  service_agent: "service-%s@gcp-sa-healthcare.iam.gserviceaccount.com"
- name: "iap"
  service_agent: "service-%s@gcp-sa-iap.iam.gserviceaccount.com"
  jit: true  # none
- name: "identitytoolkit"
  service_agent: "service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com"
- name: "ids"
  service_agent: "service-%s@gcp-sa-cloud-ids.iam.gserviceaccount.com"
- name: "integrations"
  service_agent: "service-%s@gcp-sa-integrations.iam.gserviceaccount.com"
- name: "krmapihosting"
  service_agent: "service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com"
- name: "krmapihosting-dataplane"
  service_agent: "service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com"
- name: "lifesciences"
  service_agent: "service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com"
- name: "livestream"
  service_agent: "service-%s@gcp-sa-livestream.iam.gserviceaccount.com"
- name: "logging"
  service_agent: "service-%s@gcp-sa-logging.iam.gserviceaccount.com"
- name: "managedidentities"
  service_agent: "service-%s@gcp-sa-mi.iam.gserviceaccount.com"
- name: "memcache"
  service_agent: "service-%s@cloud-memcache-sa.iam.gserviceaccount.com"
- name: "meshconfig"
  service_agent: "service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com"
  jit: true  # roles/anthosservicemesh.serviceAgent
- name: "meshconfig-servicemesh"
  alias: "servicemesh"
  service_agent: "service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com"
- name: "meshconfig-controlplane"
  service_agent: "service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com"
- name: "meshconfig-dataplane"
  service_agent: "service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com"
- name: "metastore"
  service_agent: "service-%s@gcp-sa-metastore.iam.gserviceaccount.com"
- name: "migrationcenter"
  service_agent: "service-%s@gcp-sa-migcenter.iam.gserviceaccount.com"
- name: "ml"
  service_agent: "service-%s@cloud-ml.google.com.iam.gserviceaccount.com"
- name: "monitoring-deprecated"
  service_agent: "service-%s@gcp-sa-monitoring.iam.gserviceaccount.com"
- name: "monitoring"
  alias: "monitoring-notifications"
  service_agent: "service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com"
- name: "multiclusteringress"
  alias: "multicluster-ingress"
  service_agent: "service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com"
  jit: true  # roles/multiclusteringress.serviceAgent
- name: "multiclustermetering"
  service_agent: "service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com"
- name: "multiclusterservicediscovery"
  alias: "gke-mcs"
  service_agent: "service-%s@gcp-sa-mcsd.iam.gserviceaccount.com"
- name: "networkconnectivity"
  service_agent: "service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com"
- name: "networkmanagement"
  service_agent: "service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com"
- name: "networksecurity"
  service_agent: "service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com"
  jit: true
- name: "networkservices"
  service_agent: "service-%s@gcp-sa-networkactions.iam.gserviceaccount.com"
- name: "notebooks"
  service_agent: "service-%s@gcp-sa-notebooks.iam.gserviceaccount.com"
  jit: true
- name: "ondemandscanning"
  service_agent: "service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com"
- name: "osconfig"
  service_agent: "service-%s@gcp-sa-osconfig.iam.gserviceaccount.com"
- name: "privateca"
  service_agent: "service-%s@gcp-sa-privateca.iam.gserviceaccount.com"
- name: "pubsub"
  service_agent: "service-%s@gcp-sa-pubsub.iam.gserviceaccount.com"
  jit: true  # roles/pubsub.serviceAgent
- name: "pubsublite"
  service_agent: "service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com"
- name: "rapidmigrationassessment"
  service_agent: "service-%s@gcp-sa-rma.iam.gserviceaccount.com"
- name: "recommendationengine"
  service_agent: "service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com"
- name: "redis"
  service_agent: "service-%s@cloud-redis.iam.gserviceaccount.com"
# Disabled entries; two candidate addresses are recorded and neither is active:
#remotebuildexecution ="service-%s@gcp-sa-rbe"
#remotebuildexecution ="service-%s@remotebuildexecution"
- name: "retail"
  service_agent: "service-%s@gcp-sa-retail.iam.gserviceaccount.com"
- name: "run"
  alias: "cloudrun"
  service_agent: "service-%s@serverless-robot-prod.iam.gserviceaccount.com"
- name: "runapps"
  service_agent: "service-%s@gcp-sa-runapps.iam.gserviceaccount.com"
- name: "sasportal"
  service_agent: "service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com"
- name: "secretmanager"
  service_agent: "service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com"
  jit: true  # none
- name: "securedlandingzone"
  service_agent: "service-%s@gcp-sa-slz.iam.gserviceaccount.com"
- name: "securitycenter-notification"
  service_agent: "service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com"
- name: "securitycenter-vmtd"
  service_agent: "service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com"
# Not templated here (address keyed by organization number, not `%s`):
# securitycenter ="service-org-ORGANIZATION_NUMBER@security-center-api"
- name: "serviceconsumermanagement"
  service_agent: "service-%s@service-consumer-management.iam.gserviceaccount.com"
- name: "servicedirectory"
  service_agent: "service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com"
- name: "servicenetworking"
  service_agent: "service-%s@service-networking.iam.gserviceaccount.com"
- name: "sourcerepo"
  service_agent: "service-%s@sourcerepo-service-accounts.iam.gserviceaccount.com"
- name: "spanner"
  service_agent: "service-%s@gcp-sa-spanner.iam.gserviceaccount.com"
- name: "speech"
  service_agent: "service-%s@gcp-sa-speech.iam.gserviceaccount.com"
- name: "sqladmin"
  alias: "sql"
  service_agent: "service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com"
  jit: true  # roles/cloudsql.serviceAgent
- name: "storage"
  service_agent: "service-%s@gs-project-accounts.iam.gserviceaccount.com"
# Prefix is `project-%s`, not the usual `service-%s`.
- name: "storagetransfer"
  service_agent: "project-%s@storage-transfer-service.iam.gserviceaccount.com"
- name: "stream"
  service_agent: "service-%s@gcp-sa-stream.iam.gserviceaccount.com"
- name: "tpu"
  service_agent: "service-%s@cloud-tpu.iam.gserviceaccount.com"
- name: "tpu-v2"
  service_agent: "service-%s@gcp-sa-tpu.iam.gserviceaccount.com"
- name: "transcoder"
  service_agent: "service-%s@gcp-sa-transcoder.iam.gserviceaccount.com"
- name: "transferappliance"
  service_agent: "service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com"
- name: "translate"
  service_agent: "service-%s@gcp-sa-translation.iam.gserviceaccount.com"
- name: "visionai"
  service_agent: "service-%s@gcp-sa-visionai.iam.gserviceaccount.com"
- name: "vmmigration"
  service_agent: "service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com"
- name: "vmwareengine"
  service_agent: "service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com"
- name: "vpcaccess"
  service_agent: "service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com"
- name: "websecurityscanner"
  service_agent: "service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com"
- name: "workflows"
  service_agent: "service-%s@gcp-sa-workflows.iam.gserviceaccount.com"
- name: "workloadcertificate"
  service_agent: "service-%s@gcp-sa-workloadcert.iam.gserviceaccount.com"
- name: "workloadmanager"
  service_agent: "service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com"
- name: "workstations"
  service_agent: "service-%s@gcp-sa-workstations.iam.gserviceaccount.com"

# Reference notes: agent addresses that the single-`%s` templates above do not
# cover, either because they exist at folder/organization level or because
# they carry an extra IDENTIFIER component. These lines are documentation
# only; none of them is an active entry.
#
# accessapproval.googleapis.com
#   For the project: service-p%s@gcp-sa-accessapproval
#   For the folder: service-fFOLDER_NUMBER@gcp-sa-accessapproval
#   For the organization: service-oORGANIZATION_NUMBER@gcp-sa-accessapproval
# bigqueryconnection.googleapis.com
#   bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel
#   connection-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel
# sqladmin.googleapis.com
#   For the project: pPROJECT_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
#   For the folder: fFOLDER_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
#   For the organization: oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
# logging.googleapis.com
#   For the project: pPROJECT_NUMBER-IDENTIFIER@gcp-sa-logging
#   For the folder: fFOLDER_NUMBER-IDENTIFIER@gcp-sa-logging
#   For the organization: oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-logging
# integrations.googleapis.com
#   For the project: pPROJECT_NUMBER-IDENTIFIER@gcp-sa-playbooks
#   For the folder: fFOLDER_NUMBER-IDENTIFIER@gcp-sa-playbooks
#   For the organization: oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-playbooks