Update service agents spec

2024-11-05 09:38:55 +01:00
parent d8a6f3a895
commit 5daba7fa03
2 changed files with 99 additions and 15 deletions
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -184,7 +184,7 @@ You can control these actions by adjusting the settings in the `var.service_agen
 The `service_agents` output provides a convenient way to access information about all active service agents in the project. Note that this output only includes details for service agents that are currently active (i.e. their API is listed in `var.services`) within your project.

 > [!IMPORTANT]
-> You can only access a service agent's details through the `service_agents` output if it's corresponding API is enabled through the `services` variable.
+> You can only access a service agent's details through the `service_agents` output if its corresponding API is enabled through the `services` variable.

 The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the  [service-agents.yaml](./service-agents.yaml) file.  This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script.

@@ -273,7 +273,7 @@ service_agents = {

 Notice that some service agents appear under multiple names. For example, the Kubernetes Engine Service Agent shows up as `container-engine-robot` but also has the `container` and `container-engine` aliases. These aliases exist only in Fabric for convenience and backwards compatibility. Refer to the table below for the list of aliases.

-| Canonical Name                 Aliases                    |
+| Canonical Name                 | Aliases                    |
 |--------------------------------|----------------------------|
 | bigquery-encryption            | bq                         |
 | cloudservices                  | cloudsvc                   |
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -399,6 +399,13 @@
  role: null
  is_primary: false
  aliases: []
+- name: chronicle-sv
+  display_name: Chronicle Security Validation Service Account
+  api: chronicle.googleapis.com
+  identity: service-%s@gcp-sa-chronicle-sv.iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
 - name: chronicle
  display_name: Chronicle Service Account
  api: chronicle.googleapis.com
@@ -441,13 +448,6 @@
  role: null
  is_primary: true
  aliases: []
- name: cloudbuild-sa
-  display_name: Cloud Build Service Agent
-  api: cloudbuild.googleapis.com
-  identity: '%s@cloudbuild.gserviceaccount.com'
-  role: roles/cloudbuild.builds.builder
-  is_primary: false
-  aliases: []
 - name: cloudbuild
  display_name: Cloud Build Service Agent
  api: cloudbuild.googleapis.com
@@ -618,6 +618,13 @@
  role: roles/networkmanagement.serviceAgent
  is_primary: true
  aliases: []
+- name: notebooksecurityscanner
+  display_name: Cloud Notebook Security Scanner Service Agent
+  api: notebooksecurityscanner.googleapis.com
+  identity: service-%s@gcp-sa-notebooksecurityscanner.iam.gserviceaccount.com
+  role: null
+  is_primary: true
+  aliases: []
 - name: cloudoptim
  display_name: Cloud Optimization Service Agent
  api: cloudoptimization.googleapis.com
@@ -794,6 +801,13 @@
  role: roles/containerscanning.ServiceAgent
  is_primary: true
  aliases: []
+- name: containersec
+  display_name: Container Security Service Agent
+  api: containersecurity.googleapis.com
+  identity: service-%s@gcp-sa-containersec.iam.gserviceaccount.com
+  role: null
+  is_primary: true
+  aliases: []
 - name: ktd-control
  display_name: Container Threat Detection Service Agent
  api: containerthreatdetection.googleapis.com
@@ -955,6 +969,13 @@
  role: roles/firebaseapphosting.serviceAgent
  is_primary: true
  aliases: []
+- name: firebasedataconnect
+  display_name: Firebase Data Connect Service Account
+  api: firebasedataconnect.googleapis.com
+  identity: service-%s@gcp-sa-firebasedataconnect.iam.gserviceaccount.com
+  role: roles/firebasedataconnect.serviceAgent
+  is_primary: true
+  aliases: []
 - name: firebasemods
  display_name: Firebase Extensions Service Agent
  api: firebaseextensions.googleapis.com
@@ -1041,12 +1062,12 @@
  is_primary: false
  aliases:
  - cloudsvc
- name: dep
-  display_name: Google Cloud Dataplane Extensibility Platform (DEP) Service Account
-  api: networkservices.googleapis.com
-  identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com
-  role: null
-  is_primary: false
+- name: dataprocrmnode
+  display_name: Google Cloud Dataproc Resource Manager Node Service Agent
+  api: dataprocrm.googleapis.com
+  identity: service-%s@gcp-sa-dataprocrmnode.iam.gserviceaccount.com
+  role: roles/dataprocrm.nodeServiceAgent
+  is_primary: true
  aliases: []
 - name: dataproc-accounts
  display_name: Google Cloud Dataproc Service Agent
@@ -1102,6 +1123,13 @@
  aliases:
  - cloudrun
  - run
+- name: dep
+  display_name: Google Cloud Service Extensions Service Account
+  api: networkservices.googleapis.com
+  identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
 - name: containerregistry
  display_name: Google Container Registry Service Agent
  api: containerregistry.googleapis.com
@@ -1196,6 +1224,13 @@
  aliases:
  - container
  - container-engine
+- name: cloudbuild-sa
+  display_name: Legacy Cloud Build service account
+  api: cloudbuild.googleapis.com
+  identity: '%s@cloudbuild.gserviceaccount.com'
+  role: roles/cloudbuild.builds.builder
+  is_primary: false
+  aliases: []
 - name: livestream
  display_name: Livestream Service Account
  api: livestream.googleapis.com
@@ -1210,6 +1245,13 @@
  role: roles/looker.serviceAgent
  is_primary: true
  aliases: []
+- name: managedflink
+  display_name: Managed Flink Service Agent
+  api: managedflink.googleapis.com
+  identity: service-%s@gcp-sa-managedflink.iam.gserviceaccount.com
+  role: roles/managedflink.serviceAgent
+  is_primary: true
+  aliases: []
 - name: managedkafka
  display_name: Managed Kafka Service Account
  api: managedkafka.googleapis.com
@@ -1217,6 +1259,13 @@
  role: roles/managedkafka.serviceAgent
  is_primary: true
  aliases: []
+- name: memorystore
+  display_name: Memorystore Service Agent
+  api: memorystore.googleapis.com
+  identity: service-%s@gcp-sa-memorystore.iam.gserviceaccount.com
+  role: roles/memorystore.serviceAgent
+  is_primary: true
+  aliases: []
 - name: meshconfig
  display_name: Mesh Config Service Account
  api: meshconfig.googleapis.com
@@ -1281,6 +1330,13 @@
  role: roles/ondemandscanning.serviceAgent
  is_primary: true
  aliases: []
+- name: oci
+  display_name: Oracle Database@Google Cloud Service Account
+  api: oracledatabase.googleapis.com
+  identity: service-%s@gcp-sa-oci.iam.gserviceaccount.com
+  role: roles/oci.serviceAgent
+  is_primary: true
+  aliases: []
 - name: parallelstore
  display_name: Parallelstore Service Agent
  api: parallelstore.googleapis.com
@@ -1344,6 +1400,13 @@
  role: null
  is_primary: true
  aliases: []
+- name: sourcemanager
+  display_name: Secure Source Manager Service Account
+  api: securesourcemanager.googleapis.com
+  identity: service-%s@gcp-sa-sourcemanager.iam.gserviceaccount.com
+  role: roles/securesourcemanager.serviceAgent
+  is_primary: true
+  aliases: []
 - name: securewebproxy
  display_name: Secure Web Proxy Service Account
  api: networkservices.googleapis.com
@@ -1463,6 +1526,13 @@
  role: roles/aiplatform.user
  is_primary: false
  aliases: []
+- name: vertex-bp
+  display_name: Vertex AI Batch Prediction Service Agent
+  api: aiplatform.googleapis.com
+  identity: service-%s@gcp-sa-vertex-bp.iam.gserviceaccount.com
+  role: roles/aiplatform.batchPredictionServiceAgent
+  is_primary: false
+  aliases: []
 - name: vertex-nb
  display_name: Vertex AI Colab Service Account
  api: aiplatform.googleapis.com
@@ -1498,6 +1568,13 @@
  role: roles/aiplatform.notebookServiceAgent
  is_primary: false
  aliases: []
+- name: vertex-op
+  display_name: Vertex AI Online Prediction Service Agent
+  api: aiplatform.googleapis.com
+  identity: service-%s@gcp-sa-vertex-op.iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
 - name: vertex-tune
  display_name: Vertex AI Secure Fine Tuning Service Agent
  api: aiplatform.googleapis.com
@@ -1505,6 +1582,13 @@
  role: roles/aiplatform.tuningServiceAgent
  is_primary: false
  aliases: []
+- name: firebasevertexai
+  display_name: Vertex AI in Firebase Service Account
+  api: firebasevertexai.googleapis.com
+  identity: service-%s@gcp-sa-firebasevertexai.iam.gserviceaccount.com
+  role: roles/firebaseml.serviceAgent
+  is_primary: true
+  aliases: []
 - name: vertex-agent
  display_name: Vertex Agent Service Agent
  api: aiplatform.googleapis.com