#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration for Apache Beam roles in GCP.
# This file defines the roles, their hierarchy, the services they can access and the roles they inherit from.
# Top-level settings consumed by the role generator: the GCP project the custom roles are
# created in, and the prefix the generator puts in front of each role name defined below.
project-id: "apache-beam-testing" # Default project ID for Apache Beam in GCP.
roles-prefix: "beam" # Prefix for the roles generated by this configuration.
# Each custom role is defined here.
# name: The name of the role.
# hierarchy: The hierarchy level of the role; lower numbers mean fewer permissions, and a role at a
# higher level also receives every permission granted at the lower levels (roles are cumulative).
# description: A brief description of the role.
# services: The list of services that the role can access.
# roles: The list of base roles that this role inherits permissions from.
# except_suffixes: A list of suffixes that indicate permissions that should not be included in the role.
# The suffixes are defined in the `suffixes` section below.
roles:
# Roles are cumulative by `hierarchy`: each level inherits everything granted at the levels below
# it, so a permission added to `viewer` reaches every principal holding any of the four roles.
- name: viewer
  hierarchy: 0
  description: "Viewer role for Apache Beam in GCP, it has read-only access to all services used by Beam."
  # NOTE(review): `iam` and `secretmanager` are in this list. Whether "access" means only
  # get/list-style permissions or every non-destructive permission of the service depends on the
  # generator, which is not visible from this file. In the latter case this role would include
  # secret payload reads (secretmanager.versions.access) and service-account impersonation
  # permissions (iam.serviceAccounts.actAs / getAccessToken / signBlob), contradicting both the
  # "read-only" wording above and the admin description's claim to be the role that can access
  # secrets. Confirm the generator's selection before granting this role widely.
  services:
  - artifactregistry
  - biglake
  - bigquery
  - cloudasset
  - cloudbuild
  - cloudfunctions
  - cloudsql
  - compute
  - container
  - dataflow
  - dataproc
  - datastore
  - dns
  - firebase
  - iam
  - iap
  - meshconfig
  - monitoring
  # The trailing '.' presumably keeps the generator from also matching `pubsublite.*` permissions
  # when it matches on the `pubsub` prefix.
  - pubsub. # TODO: Remove '.' after Pubsublite GCP service is fully deprecated.
  - redis
  - resourcemanager
  - secretmanager
  - servicemanagement
  - serviceusage
  - spanner
  - storage
  - trafficdirector
  roles:
  - roles/viewer
  # Only the `destructive` suffix group is excluded. That list is a denylist on the permission's
  # last segment and does not cover access-granting permissions such as *.setIamPolicy
  # (see the `suffixes` section at the end of the file).
  except_suffixes:
  - destructive
- name: writer
  description: "Writer role for Apache Beam in GCP, it has additional permissions for managing resources."
  hierarchy: 1
  # Services added on top of the viewer level.
  # NOTE(review): `cloudkms` permissions beyond get/list (e.g. cloudkms.cryptoKeyVersions.useToEncrypt
  # / useToDecrypt) let a holder use project keys, not just read their metadata — confirm which
  # permissions the generator selects for this service at this level.
  services:
  - cloudkms
  - dataform
  - dataplex
  roles:
  - roles/viewer
  - roles/bigquery.user
  - roles/bigquery.dataViewer
  - roles/cloudsql.instanceUser
  - roles/container.clusterViewer
  # roles/container.developer is read/write on Kubernetes API objects in every cluster of the
  # project — noticeably broader than the other predefined roles granted at this level.
  - roles/container.developer
  - roles/compute.networkViewer
  - roles/datastore.user
  - roles/trafficdirector.client
  except_suffixes:
  - destructive
- name: infra_manager
  description: "Infrastructure Manager role for Apache Beam in GCP, it has permissions for managing infrastructure resources but not for destructive actions."
  hierarchy: 2
  # No service-derived permissions at this level; everything comes from the inherited roles below
  # plus the lower hierarchy levels.
  services: []
  roles:
  - roles/cloudbuild.builds.editor
  # NOTE(review): bound project-wide, serviceAccountTokenCreator + serviceAccountUser let a holder
  # act as and mint tokens for every service account in the project, including any with broader
  # bindings than this role — a standard privilege-escalation path. Prefer binding them on the
  # specific CI service accounts if the generator supports resource-level bindings.
  - roles/iam.serviceAccountTokenCreator
  - roles/iam.serviceAccountUser
  - roles/storage.objectCreator
  - roles/storage.objectViewer
  # NOTE(review): roles/editor is a basic role that itself contains delete permissions. Unless the
  # generator expands inherited roles into the custom role and applies `except_suffixes` to the
  # expanded set, the exclusion below cannot strip them and the "not for destructive actions"
  # claim in the description does not hold. Confirm how inherited roles are handled.
  - roles/editor
  except_suffixes:
  - destructive
- name: admin
  description: "Admin role for Apache Beam in GCP, it has permissions for managing all services used by Beam, it can perform destructive actions and access secrets."
  hierarchy: 3
  # `secretmanager` is listed again here (it is already in the viewer level), which suggests the
  # generator selects a different permission subset per hierarchy level — secret payload access
  # is meant to be admin-only per the description.
  services:
  - secretmanager
  roles:
  - roles/editor
  - roles/artifactregistry.admin
  - roles/biglake.admin
  - roles/bigquery.admin
  - roles/cloudfunctions.admin
  - roles/compute.admin
  - roles/compute.instanceAdmin.v1
  - roles/compute.networkAdmin
  - roles/container.admin
  - roles/dataflow.admin
  - roles/dataproc.admin
  - roles/datastore.indexAdmin
  - roles/dns.admin
  - roles/firebase.admin
  # roles/iam.roleAdmin + roles/iam.securityAdmin + roles/resourcemanager.projectIamAdmin let a
  # holder rewrite the project IAM policy (and so grant any role, including owner, to anyone), and
  # roles/iam.serviceAccountAdmin + roles/iam.workloadIdentityPoolAdmin control every identity in
  # the project. Treat this role as owner-equivalent: bind it to as few principals as possible and
  # review its bindings periodically.
  - roles/iam.roleAdmin
  - roles/iam.securityAdmin
  - roles/iam.serviceAccountAdmin
  - roles/iam.workloadIdentityPoolAdmin
  - roles/meshconfig.admin
  - roles/monitoring.admin
  - roles/pubsub.admin
  - roles/redis.admin
  - roles/resourcemanager.projectIamAdmin
  # secretAccessor is the predefined role that grants secretmanager.versions.access (reading
  # secret payloads); admin and viewer alone do not include it.
  - roles/secretmanager.admin
  - roles/secretmanager.secretAccessor
  - roles/secretmanager.viewer
  - roles/servicemanagement.quotaAdmin
  - roles/serviceusage.serviceUsageAdmin
  - roles/spanner.admin
  - roles/spanner.databaseAdmin
  - roles/storage.admin
  - roles/storage.objectAdmin
  # Nothing excluded: admin keeps the destructive permissions by design.
  except_suffixes: []
# Suffix groups referenced by `except_suffixes` above. A permission is dropped from a role when its
# name ends with one of the group's values (presumably matched against the full permission string,
# e.g. compute.instances.delete).
suffixes:
- name: destructive
  description: "Suffixes that indicate destructive actions in GCP."
  # NOTE(review): this is a denylist keyed on the last segment of the permission name. It catches
  # deletion-style verbs but not permissions that grant or escalate access without deleting
  # anything, e.g. *.setIamPolicy, iam.serviceAccounts.actAs / getAccessToken / signBlob / signJwt,
  # iam.serviceAccountKeys.create, or secretmanager.versions.access. Those need either a second
  # suffix group or an explicit allowlist in the generator; do not rely on this list alone as a
  # privilege boundary.
  values:
  - ".delete"
  - ".remove"
  - ".destroy"
  - ".purge"
  # .cancel / .stop / .terminate also take away the ability to stop running jobs and instances
  # (e.g. dataflow.jobs.cancel) from every non-admin role. That is consistent with the role
  # descriptions, but worth knowing when an on-call writer needs to stop a runaway job.
  - ".cancel"
  - ".stop"
  - ".terminate"