diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md
index 39a9c0dec..7ac2d8623 100644
--- a/blueprints/data-solutions/bq-ml/README.md
+++ b/blueprints/data-solutions/bq-ml/README.md
@@ -97,5 +97,5 @@ module "test" {
   prefix = "prefix"
 }
-# tftest modules=9 resources=69
+# tftest modules=9 resources=70
 ```
diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index 9890619d3..ccec5d774 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -84,5 +84,5 @@ module "test" {
     parent = "folders/467898377"
   }
 }
-# tftest modules=8 resources=68
+# tftest modules=8 resources=69
 ```
diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md
index 6c4e5913d..3506e7ab2 100644
--- a/blueprints/data-solutions/vertex-mlops/README.md
+++ b/blueprints/data-solutions/vertex-mlops/README.md
@@ -72,7 +72,7 @@ module "test" {
     project_id = "test-dev"
   }
 }
-# tftest modules=11 resources=90
+# tftest modules=11 resources=91
 ```
 ## Variables
@@ -128,5 +128,5 @@ module "test" {
     project_id = "test-dev"
   }
 }
-# tftest modules=13 resources=95 e2e
+# tftest modules=13 resources=96 e2e
 ```
diff --git a/modules/project/README.md b/modules/project/README.md
index 59612fe91..878b9e4f5 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -269,7 +269,7 @@ service_agents = {
     "email" = "service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
     "iam_email" = "serviceAccount:service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
     "is_primary" = false
-    "role" = "roles/container.nodeServiceAgent"
+    "role" = "roles/container.defaultNodeServiceAgent"
   }
 }
 ```
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index 0dee2b2ad..ff9617e1b 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -26,17 +26,31 @@ locals {
     for agent in local._service_agents_data :
     coalesce(agent.api, "cloudservices") => agent... # cloudservices api is null
   }
+  _universe_domain = (
+    var.universe == null
+    ? ""
+    : "${var.universe.prefix}-system."
+  )
   # map of service agent name => agent details for this project
-  _project_service_agents = merge([
+  _project_service_agents_0 = merge([
     for api in concat(local.services, ["cloudservices"]) : {
       for agent in lookup(local._service_agents_by_api, api, []) :
       (agent.name) => merge(agent, {
-        email = format(agent.identity, local.project.number)
-        iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
-        create_jit = api == "cloudservices" || contains(local.available_services, api)
+        email = (
+          var.universe == null || api != "cloudservices"
+          ? templatestring(agent.identity, { project_number = local.project.number, universe_domain = local._universe_domain })
+          : format("%s@cloudservices.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
+        )
       })
     }
   ]...)
+  _project_service_agents = {
+    for k, v in local._project_service_agents_0 :
+    k => merge(v, {
+      iam_email = "serviceAccount:${v.email}"
+      create_jit = v.api == null ? false : contains(local.available_services, v.api)
+    })
+  }
   # list of APIs with primary agents that should be created for the
   # current project, if the user requested it
   primary_service_agents = [
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index e7815218c..f024a58f5 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
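Review bot: The second-stage `create_jit` changes the result for the cloudservices agent: its `api` is null (the `coalesce(agent.api, "cloudservices")` comment in this hunk says so), so `v.api == null ? false : …` now yields false where the removed `api == "cloudservices" || …` yielded true, and nothing in the hunk says whether that flip is intended. If it is, record it next to the expression, e.g. `# cloudservices has no API of its own, so it is never JIT-created`; if not, `create_jit = v.api == null ? true : contains(local.available_services, v.api)` keeps the previous behaviour. `templatestring` is a Terraform 1.9+ function, so the module's required_version (not in this diff) needs to be checked against it. The cloudservices branch of `email` hard-codes a domain shape different from the YAML templates without saying why; a one-line comment such as `# cloudservices is <number>@cloudservices.<domain>, not a service-<number>@gcp-sa-* identity` would spare the next reader the guess. The `locals` block starts and ends outside the hunk.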
@@ -15,210 +15,210 @@
 - name: aiplatform-cc
   display_name: AI Platform Custom Code Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-aiplatform-cc.${universe_domain}iam.gserviceaccount.com
   role: roles/aiplatform.customCodeServiceAgent
   is_primary: false
   aliases: []
 - name: vertex-es
   display_name: AI Platform Example Store Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-vertex-es.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-vertex-es.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: aiplatform-ft
   display_name: AI Platform Fine Tuning Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-aiplatform-ft.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-aiplatform-ft.${universe_domain}iam.gserviceaccount.com
   role: roles/aiplatform.serviceAgent
   is_primary: false
   aliases: []
 - name: aiplatform-is
   display_name: AI Platform Infra Spanner Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-aiplatform-is.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-aiplatform-is.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: vertex-eval
   display_name: AI Platform Rapid Eval Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-vertex-eval.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-vertex-eval.${universe_domain}iam.gserviceaccount.com
   role: roles/aiplatform.rapidevalServiceAgent
   is_primary: false
   aliases: []
 - name: aiplatform-re
   display_name: AI Platform Reasoning Engine Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-aiplatform-re.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-aiplatform-re.${universe_domain}iam.gserviceaccount.com
   role: roles/aiplatform.reasoningEngineServiceAgent
   is_primary: false
   aliases: []
 - name: gcp-ri-aiplatform
   display_name: AI Platform Resource Identity
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-ri-aiplatform.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-ri-aiplatform.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: aiplatform
   display_name: AI Platform Service Agent
   api: aiplatform.googleapis.com
-  identity: service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-aiplatform.${universe_domain}iam.gserviceaccount.com
   role: roles/aiplatform.serviceAgent
   is_primary: true
   aliases: []
 - name: apihub
   display_name: API Hub Service Account
   api: apihub.googleapis.com
-  identity: service-%s@gcp-sa-apihub.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apihub.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: apikeys
   display_name: API Keys Service Account
   api: apikeys.googleapis.com
-  identity: service-%s@gcp-sa-apikeys.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apikeys.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: apim
   display_name: APIM Service Account
   api: apim.googleapis.com
-  identity: service-%s@gcp-sa-apim.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apim.${universe_domain}iam.gserviceaccount.com
   role: roles/apim.apiDiscoveryServiceAgent
   is_primary: true
   aliases: []
 - name: meshcontrolplane
   display_name: ASM Mesh Control Plane Service Account
   api: meshconfig.googleapis.com
-  identity: service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-meshcontrolplane.${universe_domain}iam.gserviceaccount.com
   role: roles/meshcontrolplane.serviceAgent
   is_primary: false
   aliases: []
 - name: meshdataplane
   display_name: ASM Mesh Data Plane Service Account
   api: meshconfig.googleapis.com
-  identity: service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-meshdataplane.${universe_domain}iam.gserviceaccount.com
   role: roles/meshdataplane.serviceAgent
   is_primary: false
   aliases: []
 - name: adsdatahub
   display_name: Ads Data Hub Service Account
   api: adsdatahub.googleapis.com
-  identity: service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-adsdatahub.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: alloydb
   display_name: AlloyDB Service Account
   api: alloydb.googleapis.com
-  identity: service-%s@gcp-sa-alloydb.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-alloydb.${universe_domain}iam.gserviceaccount.com
   role: roles/alloydb.serviceAgent
   is_primary: true
   aliases: []
 - name: anthosaudit
   display_name: Anthos Audit Service Account
   api: anthosaudit.googleapis.com
-  identity: service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthosaudit.${universe_domain}iam.gserviceaccount.com
   role: roles/anthosaudit.serviceAgent
   is_primary: true
   aliases: []
 - name: anthosconfigmanagement
   display_name: Anthos Config Management Service Account
   api: anthosconfigmanagement.googleapis.com
-  identity: service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthosconfigmanagement.${universe_domain}iam.gserviceaccount.com
   role: roles/anthosconfigmanagement.serviceAgent
   is_primary: true
   aliases: []
 - name: anthosidentityservice
   display_name: Anthos Identity Service Account
   api: anthosidentityservice.googleapis.com
-  identity: service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthosidentityservice.${universe_domain}iam.gserviceaccount.com
   role: roles/anthosidentityservice.serviceAgent
   is_primary: true
   aliases: []
 - name: gkemulticloudcontainer
   display_name: Anthos Multi-Cloud Container Service Agent
   api: gkemulticloud.googleapis.com
-  identity: service-%s@gcp-sa-gkemulticloudcontainer.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-gkemulticloudcontainer.${universe_domain}iam.gserviceaccount.com
   role: roles/gkemulticloud.containerServiceAgent
   is_primary: false
   aliases: []
 - name: gkemulticloudcpmachine
   display_name: Anthos Multi-Cloud Control Plane Machine Service Agent
   api: gkemulticloud.googleapis.com
-  identity: service-%s@gcp-sa-gkemulticloudcpmachine.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-gkemulticloudcpmachine.${universe_domain}iam.gserviceaccount.com
   role: roles/gkemulticloud.controlPlaneMachineServiceAgent
   is_primary: false
   aliases: []
 - name: gkemulticloudnpmachine
   display_name: Anthos Multi-Cloud Node Pool Machine Service Agent
   api: gkemulticloud.googleapis.com
-  identity: service-%s@gcp-sa-gkemulticloudnpmachine.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-gkemulticloudnpmachine.${universe_domain}iam.gserviceaccount.com
   role: roles/gkemulticloud.nodePoolMachineServiceAgent
   is_primary: false
   aliases: []
 - name: gkemulticloud
   display_name: Anthos Multi-Cloud Service Agent
   api: gkemulticloud.googleapis.com
-  identity: service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-gkemulticloud.${universe_domain}iam.gserviceaccount.com
   role: roles/gkemulticloud.serviceAgent
   is_primary: true
   aliases: []
 - name: anthospolicycontroller
   display_name: Anthos Policy Controller Service Account
   api: anthospolicycontroller.googleapis.com
-  identity: service-%s@gcp-sa-anthospolicycontroller.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthospolicycontroller.${universe_domain}iam.gserviceaccount.com
   role: roles/anthospolicycontroller.serviceAgent
   is_primary: true
   aliases: []
 - name: anthos
   display_name: Anthos Service Account
   api: anthos.googleapis.com
-  identity: service-%s@gcp-sa-anthos.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthos.${universe_domain}iam.gserviceaccount.com
   role: roles/anthos.serviceAgent
   is_primary: true
   aliases: []
 - name: servicemesh
   display_name: Anthos Service Mesh Service Account
   api: meshconfig.googleapis.com
-  identity: service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-servicemesh.${universe_domain}iam.gserviceaccount.com
   role: roles/anthosservicemesh.serviceAgent
   is_primary: false
   aliases: []
 - name: anthossupport
   display_name: Anthos Support Service Account
   api: connectgateway.googleapis.com
-  identity: service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-anthossupport.${universe_domain}iam.gserviceaccount.com
   role: roles/anthossupport.serviceAgent
   is_primary: true
   aliases: []
 - name: apigeeregistry
   display_name: Apigee Registry Service Account
   api: apigeeregistry.googleapis.com
-  identity: service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apigeeregistry.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: apigee
   display_name: Apigee Service Agent
   api: apigee.googleapis.com
-  identity: service-%s@gcp-sa-apigee.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apigee.${universe_domain}iam.gserviceaccount.com
   role: roles/apigee.serviceAgent
   is_primary: true
   aliases: []
 - name: appdevexperience
   display_name: App Development Experience Service Account
   api: appdevelopmentexperience.googleapis.com
-  identity: service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-appdevexperience.${universe_domain}iam.gserviceaccount.com
   role: roles/appdevelopmentexperience.serviceAgent
   is_primary: true
   aliases: []
 - name: gae-api-prod
   display_name: App Engine Flexible Environment Service Agent
   api: appengineflex.googleapis.com
-  identity: service-%s@gae-api-prod.google.com.iam.gserviceaccount.com
+  identity: service-${project_number}@gae-api-prod.google.com.${universe_domain}iam.gserviceaccount.com
   role: roles/appengineflex.serviceAgent
   is_primary: true
   aliases:
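Review bot: The `gae-api-prod` template at the end of this hunk places `${universe_domain}` after the `google.com.` component, so for a non-null universe it expands to `service-<number>@gae-api-prod.google.com.<prefix>-system.iam.gserviceaccount.com`, a shape no other entry in this hunk produces. The substitution looks mechanical (every other `%s` line gained the same `.${universe_domain}iam.` infix), so confirm this is really the agent's identity in that universe; if it is not, the `iam_email` derived from it names a principal that does not exist and any binding to it fails or silently grants nothing. For the default universe the expansion is identical to the removed `%s` form, so only `var.universe` users are affected.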
@@ -226,105 +226,105 @@
 - name: gcp-gae-service
   display_name: App Engine Standard Environment Service Agent
   api: appenginestandard.googleapis.com
-  identity: service-%s@gcp-gae-service.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-gae-service.${universe_domain}iam.gserviceaccount.com
   role: roles/appengine.serviceAgent
   is_primary: true
   aliases: []
 - name: apphub
   display_name: App Hub Service Account
   api: apphub.googleapis.com
-  identity: service-%s@gcp-sa-apphub.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apphub.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: integrations
   display_name: Application Integration Service Agent
   api: integrations.googleapis.com
-  identity: service-%s@gcp-sa-integrations.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-integrations.${universe_domain}iam.gserviceaccount.com
   role: roles/integrations.serviceAgent
   is_primary: true
   aliases: []
 - name: artifactregistry
   display_name: Artifact Registry Service Agent
   api: artifactregistry.googleapis.com
-  identity: service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-artifactregistry.${universe_domain}iam.gserviceaccount.com
   role: roles/artifactregistry.serviceAgent
   is_primary: true
   aliases: []
 - name: assuredworkloads
   display_name: AssuredWorkloads Service Account
   api: assuredworkloads.googleapis.com
-  identity: service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-assuredworkloads.${universe_domain}iam.gserviceaccount.com
   role: roles/assuredworkloads.serviceAgent
   is_primary: true
   aliases: []
 - name: audit-manager
   display_name: Audit Manager Service Agent
   api: auditmanager.googleapis.com
-  identity: service-%s@gcp-sa-audit-manager.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-audit-manager.${universe_domain}iam.gserviceaccount.com
   role: roles/auditmanager.serviceAgent
   is_primary: true
   aliases: []
 - name: recommendationengine
   display_name: AutoML Recommendations Service Account
   api: recommendationengine.googleapis.com
-  identity: service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-recommendationengine.${universe_domain}iam.gserviceaccount.com
   role: roles/automlrecommendations.serviceAgent
   is_primary: true
   aliases: []
 - name: automl
   display_name: AutoML Service Agent
   api: automl.googleapis.com
-  identity: service-%s@gcp-sa-automl.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-automl.${universe_domain}iam.gserviceaccount.com
   role: roles/automl.serviceAgent
   is_primary: true
   aliases: []
 - name: backupdr-run
   display_name: Backup and DR Runner Service Agent
   api: backupdr.googleapis.com
-  identity: service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-backupdr-run.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: backupdr
   display_name: Backup and DR Service Agent
   api: backupdr.googleapis.com
-  identity: service-%s@gcp-sa-backupdr.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-backupdr.${universe_domain}iam.gserviceaccount.com
   role: roles/backupdr.serviceAgent
   is_primary: true
   aliases: []
 - name: backupdr-pr
   display_name: Backup and DR Vault Service Agent
   api: backupdr.googleapis.com
-  identity: vault-%s-IDENTIFIER@gcp-sa-backupdr-pr.iam.gserviceaccount.com
+  identity: vault-${project_number}-IDENTIFIER@gcp-sa-backupdr-pr.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: gkebackup
   display_name: Backup for GKE Service Account
   api: gkebackup.googleapis.com
-  identity: service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-gkebackup.${universe_domain}iam.gserviceaccount.com
   role: roles/gkebackup.serviceAgent
   is_primary: true
   aliases: []
 - name: bms
   display_name: Bare Metal Solution Service Account
   api: baremetalsolution.googleapis.com
-  identity: service-%s@gcp-sa-bms.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bms.${universe_domain}iam.gserviceaccount.com
   role: roles/baremetalsolution.serviceAgent
   is_primary: true
   aliases: []
 - name: cloudbatch
   display_name: Batch Service Account
   api: batch.googleapis.com
-  identity: service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-cloudbatch.${universe_domain}iam.gserviceaccount.com
   role: roles/batch.serviceAgent
   is_primary: true
   aliases: []
 - name: bigquery-encryption
   display_name: Big Query Service Agent
   api: bigquery.googleapis.com
-  identity: bq-%s@bigquery-encryption.iam.gserviceaccount.com
+  identity: bq-${project_number}@bigquery-encryption.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases:
@@ -332,140 +332,147 @@
 - name: bigqueryconnection
   display_name: BigQuery Connection Service Agent
   api: bigqueryconnection.googleapis.com
-  identity: service-%s@gcp-sa-bigqueryconnection.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigqueryconnection.${universe_domain}iam.gserviceaccount.com
   role: roles/bigqueryconnection.serviceAgent
   is_primary: true
   aliases: []
 - name: bigquerytardis
   display_name: BigQuery Continuous Query Service Agent
   api: bigquery.googleapis.com
-  identity: service-%s@gcp-sa-bigquerytardis.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigquerytardis.${universe_domain}iam.gserviceaccount.com
   role: roles/bigquerycontinuousquery.serviceAgent
   is_primary: false
   aliases: []
 - name: bigquerydatatransfer
   display_name: BigQuery Data Transfer Service Agent
   api: bigquerydatatransfer.googleapis.com
-  identity: service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigquerydatatransfer.${universe_domain}iam.gserviceaccount.com
   role: roles/bigquerydatatransfer.serviceAgent
   is_primary: true
   aliases: []
 - name: prod-bigqueryomni
   display_name: BigQuery Omni Service Agent
   api: bigquery.googleapis.com
-  identity: service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-prod-bigqueryomni.${universe_domain}iam.gserviceaccount.com
   role: roles/bigqueryomni.serviceAgent
   is_primary: false
   aliases: []
 - name: bigqueryri
   display_name: BigQuery Resource Identity Service Account
   api: bigquery.googleapis.com
-  identity: service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigqueryri.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: bigquery-consp
   display_name: BigQuery Spark Connection Delegate Service Agent
   api: bigqueryconnection.googleapis.com
-  identity: bqcx-%s-IDENTIFIER@gcp-sa-bigquery-consp.iam.gserviceaccount.com
+  identity: bqcx-${project_number}-IDENTIFIER@gcp-sa-bigquery-consp.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: bigqueryspark
   display_name: BigQuery Spark Service Agent
   api: bigquery.googleapis.com
-  identity: service-%s@gcp-sa-bigqueryspark.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigqueryspark.${universe_domain}iam.gserviceaccount.com
   role: roles/bigqueryspark.serviceAgent
   is_primary: false
   aliases: []
 - name: binaryauthorization
   display_name: Binary Authorization Service Agent
   api: binaryauthorization.googleapis.com
-  identity: service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-binaryauthorization.${universe_domain}iam.gserviceaccount.com
   role: roles/binaryauthorization.serviceAgent
   is_primary: true
   aliases: []
 - name: bne
   display_name: Blockchain Node Engine Service Account
   api: blockchainnodeengine.googleapis.com
-  identity: service-%s@gcp-sa-bne.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bne.${universe_domain}iam.gserviceaccount.com
   role: roles/blockchainnodeengine.serviceAgent
   is_primary: true
   aliases: []
 - name: bundles
   display_name: Bundles Service Agent
   api: integrations.googleapis.com
-  identity: b%s-IDENTIFIER@gcp-sa-bundles.iam.gserviceaccount.com
+  identity: b${project_number}-IDENTIFIER@gcp-sa-bundles.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: chronicle-sv
   display_name: Chronicle Security Validation Service Account
   api: chronicle.googleapis.com
-  identity: service-%s@gcp-sa-chronicle-sv.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-chronicle-sv.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: chronicle
   display_name: Chronicle Service Account
   api: chronicle.googleapis.com
-  identity: service-%s@gcp-sa-chronicle.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-chronicle.${universe_domain}iam.gserviceaccount.com
   role: roles/chronicle.serviceAgent
   is_primary: true
   aliases: []
 - name: notebooks
   display_name: Cloud AI Platform Notebooks Service Account
   api: notebooks.googleapis.com
-  identity: service-%s@gcp-sa-notebooks.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-notebooks.${universe_domain}iam.gserviceaccount.com
   role: roles/notebooks.serviceAgent
   is_primary: true
   aliases: []
+- name: notebooks-vm
+  display_name: Cloud AI Platform Notebooks VM Service Account
+  api: notebooks.googleapis.com
+  identity: service-${project_number}@gcp-sa-notebooks-vm.${universe_domain}iam.gserviceaccount.com
+  role: roles/aiplatform.notebookServiceAgent
+  is_primary: false
+  aliases: []
 - name: apigateway-mgmt
   display_name: Cloud API Gateway Management Plane Service Account
   api: apigateway.googleapis.com
-  identity: service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apigateway-mgmt.${universe_domain}iam.gserviceaccount.com
   role: roles/apigateway_management.serviceAgent
   is_primary: false
   aliases: []
 - name: apigateway
   display_name: Cloud API Gateway Service Account
   api: apigateway.googleapis.com
-  identity: service-%s@gcp-sa-apigateway.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-apigateway.${universe_domain}iam.gserviceaccount.com
   role: roles/apigateway.serviceAgent
   is_primary: false
   aliases: []
 - name: cloudasset
   display_name: Cloud Asset Service Agent
   api: cloudasset.googleapis.com
-  identity: service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-cloudasset.${universe_domain}iam.gserviceaccount.com
   role: roles/cloudasset.serviceAgent
   is_primary: true
   aliases: []
 - name: bigtable
   display_name: Cloud Bigtable Service Agent
   api: bigtableadmin.googleapis.com
-  identity: service-%s@gcp-sa-bigtable.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-bigtable.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: true
   aliases: []
 - name: cloudbuild
   display_name: Cloud Build Service Agent
   api: cloudbuild.googleapis.com
-  identity: service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-cloudbuild.${universe_domain}iam.gserviceaccount.com
   role: roles/cloudbuild.serviceAgent
   is_primary: false
   aliases: []
 - name: certificatemanager
   display_name: Cloud Certificate Manager Service Account
   api: certificatemanager.googleapis.com
-  identity: service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-certificatemanager.${universe_domain}iam.gserviceaccount.com
   role: roles/certificatemanager.serviceAgent
   is_primary: true
   aliases: []
 - name: cloudcomposer-accounts
   display_name: Cloud Composer Service Agent
   api: composer.googleapis.com
-  identity: service-%s@cloudcomposer-accounts.iam.gserviceaccount.com
+  identity: service-${project_number}@cloudcomposer-accounts.${universe_domain}iam.gserviceaccount.com
   role: roles/composer.serviceAgent
   is_primary: true
   aliases:
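Review bot: The new `notebooks-vm` entry is the only non-mechanical change in this file and it sets a `role` on a non-primary agent (`is_primary: false`); the README hunks in this commit bump every tftest resource count by one, which is consistent with this entry adding one IAM binding wherever `notebooks.googleapis.com` is enabled, though the binding logic itself is outside the diff. Confirm that `roles/aiplatform.notebookServiceAgent` is the role the service-agent reference lists for `gcp-sa-notebooks-vm`; a service-agent role attached to the wrong identity is an over-grant that no plan output will flag. A short comment on the entry noting where the role was taken from would make the next update of this file easier to audit.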
@@ -473,35 +480,35 @@
 - name: dns
   display_name: Cloud DNS Service Account
   api: dns.googleapis.com
-  identity: service-%s@gcp-sa-dns.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-dns.${universe_domain}iam.gserviceaccount.com
   role: roles/dns.serviceAgent
   is_primary: true
   aliases: []
 - name: datafusion
   display_name: Cloud Data Fusion Service Account
   api: datafusion.googleapis.com
-  identity: service-%s@gcp-sa-datafusion.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-datafusion.${universe_domain}iam.gserviceaccount.com
   role: roles/datafusion.serviceAgent
   is_primary: true
   aliases: []
 - name: dlp-api
   display_name: Cloud Data Loss Prevention Service Agent
   api: dlp.googleapis.com
-  identity: service-%s@dlp-api.iam.gserviceaccount.com
+  identity: service-${project_number}@dlp-api.${universe_domain}iam.gserviceaccount.com
   role: roles/dlp.serviceAgent
   is_primary: true
   aliases: []
 - name: datamigration
   display_name: Cloud Database Migration Service Account
   api: datamigration.googleapis.com
-  identity: service-%s@gcp-sa-datamigration.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-datamigration.${universe_domain}iam.gserviceaccount.com
   role: roles/datamigration.serviceAgent
   is_primary: true
   aliases: []
 - name: dataflow-service-producer-prod
   display_name: Cloud Dataflow Service Account
   api: dataflow.googleapis.com
-  identity: service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com
+  identity: service-${project_number}@dataflow-service-producer-prod.${universe_domain}iam.gserviceaccount.com
   role: roles/dataflow.serviceAgent
   is_primary: true
   aliases:
@@ -509,231 +516,231 @@
 - name: dataplex
 display_name: Cloud Dataplex Service Account
 api: dataplex.googleapis.com
- identity: service-%s@gcp-sa-dataplex.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dataplex.${universe_domain}iam.gserviceaccount.com
 role: roles/dataplex.serviceAgent
 is_primary: true
 aliases: []
 - name: datastream
 display_name: Cloud Datastream Service Account
 api: datastream.googleapis.com
- identity: service-%s@gcp-sa-datastream.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-datastream.${universe_domain}iam.gserviceaccount.com
 role: roles/datastream.serviceAgent
 is_primary: true
 aliases: []
 - name: clouddeploy
 display_name: Cloud Deploy Service Account
 api: clouddeploy.googleapis.com
- identity: service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-clouddeploy.${universe_domain}iam.gserviceaccount.com
 role: roles/clouddeploy.serviceAgent
 is_primary: true
 aliases: []
 - name: endpoints
 display_name: Cloud Endpoints Service Agent
 api: endpoints.googleapis.com
- identity: service-%s@gcp-sa-endpoints.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-endpoints.${universe_domain}iam.gserviceaccount.com
 role: roles/endpoints.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-filer
 display_name: Cloud File Storage Service Account
 api: file.googleapis.com
- identity: service-%s@cloud-filer.iam.gserviceaccount.com
+ identity: service-${project_number}@cloud-filer.${universe_domain}iam.gserviceaccount.com
 role: roles/file.serviceAgent
 is_primary: true
 aliases: []
 - name: firestore
 display_name: Cloud Firestore Service Agent
 api: firestore.googleapis.com
- identity: service-%s@gcp-sa-firestore.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firestore.${universe_domain}iam.gserviceaccount.com
 role: roles/firestore.serviceAgent
 is_primary: true
 aliases: []
 - name: healthcare
 display_name: Cloud Healthcare Service Agent
 api: healthcare.googleapis.com
- identity: service-%s@gcp-sa-healthcare.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-healthcare.${universe_domain}iam.gserviceaccount.com
 role: roles/healthcare.serviceAgent
 is_primary: true
 aliases: []
 - name: identitytoolkit
 display_name: Cloud Identity Platform Service Agent
 api: identitytoolkit.googleapis.com
- identity: service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-identitytoolkit.${universe_domain}iam.gserviceaccount.com
 role: roles/identitytoolkit.serviceAgent
 is_primary: true
 aliases: []
 - name: cloudkms
 display_name: Cloud KMS Service Agent
 api: cloudkms.googleapis.com
- identity: service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloudkms.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudkms.serviceAgent
 is_primary: false
 aliases: []
 - name: lifesciences
 display_name: Cloud Life Sciences Service Agent
 api: lifesciences.googleapis.com
- identity: service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-lifesciences.${universe_domain}iam.gserviceaccount.com
 role: roles/lifesciences.serviceAgent
 is_primary: true
 aliases: []
 - name: logging
 display_name: Cloud Logging Service Account
 api: logging.googleapis.com
- identity: service-%s@gcp-sa-logging.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-logging.${universe_domain}iam.gserviceaccount.com
 role: roles/logging.serviceAgent
 is_primary: false
 aliases: []
 - name: mi
 display_name: Cloud Managed Identities Service Agent
 api: managedidentities.googleapis.com
- identity: service-%s@gcp-sa-mi.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-mi.${universe_domain}iam.gserviceaccount.com
 role: roles/managedidentities.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-memcache-sa
 display_name: Cloud Memorystore Memcache Service Agent
 api: memcache.googleapis.com
- identity: service-%s@cloud-memcache-sa.iam.gserviceaccount.com
+ identity: service-${project_number}@cloud-memcache-sa.${universe_domain}iam.gserviceaccount.com
 role: roles/memcache.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-redis
 display_name: Cloud Memorystore Redis Service Agent
 api: redis.googleapis.com
- identity: service-%s@cloud-redis.iam.gserviceaccount.com
+ identity: service-${project_number}@cloud-redis.${universe_domain}iam.gserviceaccount.com
 role: roles/redis.serviceAgent
 is_primary: true
 aliases: []
 - name: migcenter
 display_name: Cloud Migration Center Service Account
 api: migrationcenter.googleapis.com
- identity: service-%s@gcp-sa-migcenter.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-migcenter.${universe_domain}iam.gserviceaccount.com
 role: roles/migrationcenter.serviceAgent
 is_primary: true
 aliases: []
 - name: networkmanagement
 display_name: Cloud Network Management Service Account
 api: networkmanagement.googleapis.com
- identity: service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-networkmanagement.${universe_domain}iam.gserviceaccount.com
 role: roles/networkmanagement.serviceAgent
 is_primary: true
 aliases: []
 - name: notebooksecurityscanner
 display_name: Cloud Notebook Security Scanner Service Agent
 api: notebooksecurityscanner.googleapis.com
- identity: service-%s@gcp-sa-notebooksecurityscanner.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-notebooksecurityscanner.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: cloudoptim
 display_name: Cloud Optimization Service Agent
 api: cloudoptimization.googleapis.com
- identity: service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloudoptim.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudoptimization.serviceAgent
 is_primary: true
 aliases: []
 - name: routeoptim
 display_name: Cloud Optimization Service Agent
 api: routeoptimization.googleapis.com
- identity: service-%s@gcp-sa-routeoptim.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-routeoptim.${universe_domain}iam.gserviceaccount.com
 role: roles/routeoptimization.serviceAgent
 is_primary: true
 aliases: []
 - name: pubsub
 display_name: Cloud Pub/Sub Service Account
 api: pubsub.googleapis.com
- identity: service-%s@gcp-sa-pubsub.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-pubsub.${universe_domain}iam.gserviceaccount.com
 role: roles/pubsub.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-sql
 display_name: Cloud SQL Service Account
 api: sqladmin.googleapis.com
- identity: service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloud-sql.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudsql.serviceAgent
 is_primary: true
 aliases: []
 - name: cloudscheduler
 display_name: Cloud Scheduler Service Account
 api: cloudscheduler.googleapis.com
- identity: service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloudscheduler.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudscheduler.serviceAgent
 is_primary: true
 aliases: []
 - name: scc-notification
 display_name: Cloud Security Command Center Notification Service Account
 api: securitycenter.googleapis.com
- identity: service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-scc-notification.${universe_domain}iam.gserviceaccount.com
 role: roles/securitycenter.notificationServiceAgent
 is_primary: false
 aliases: []
 - name: securitycenter
 display_name: Cloud Security Command Center Service Account
 api: securitycenter.googleapis.com
- identity: service-%s@gcp-sa-securitycenter.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-securitycenter.${universe_domain}iam.gserviceaccount.com
 role: roles/securitycenter.serviceAgent
 is_primary: false
 aliases: []
 - name: spanner
 display_name: Cloud Spanner Production Service Account
 api: spanner.googleapis.com
- identity: service-%s@gcp-sa-spanner.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-spanner.${universe_domain}iam.gserviceaccount.com
 role: roles/spanner.serviceAgent
 is_primary: true
 aliases: []
 - name: firebasestorage
 display_name: Cloud Storage for Firebase Service Agent
 api: firebasestorage.googleapis.com
- identity: service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebasestorage.${universe_domain}iam.gserviceaccount.com
 role: roles/firebasestorage.serviceAgent
 is_primary: true
 aliases: []
 - name: cloudtasks
 display_name: Cloud Tasks Service Account
 api: cloudtasks.googleapis.com
- identity: service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloudtasks.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudtasks.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-trace
 display_name: Cloud Trace Service Account
 api: cloudtrace.googleapis.com
- identity: service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloud-trace.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: translation
 display_name: Cloud Translation Service Agent
 api: translate.googleapis.com
- identity: service-%s@gcp-sa-translation.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-translation.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudtranslate.serviceAgent
 is_primary: true
 aliases: []
 - name: vmmigration
 display_name: Cloud VM Migration Service Account
 api: vmmigration.googleapis.com
- identity: service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-vmmigration.${universe_domain}iam.gserviceaccount.com
 role: roles/vmmigration.serviceAgent
 is_primary: true
 aliases: []
 - name: websecurityscanner
 display_name: Cloud Web Security Scanner Service Agent
 api: websecurityscanner.googleapis.com
- identity: service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-websecurityscanner.${universe_domain}iam.gserviceaccount.com
 role: roles/websecurityscanner.serviceAgent
 is_primary: true
 aliases: []
 - name: workflows
 display_name: Cloud Workflows Service Agent
 api: workflows.googleapis.com
- identity: service-%s@gcp-sa-workflows.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-workflows.${universe_domain}iam.gserviceaccount.com
 role: roles/workflows.serviceAgent
 is_primary: true
 aliases: []
 - name: compute-system
 display_name: Compute Engine Service Agent
 api: compute.googleapis.com
- identity: service-%s@compute-system.iam.gserviceaccount.com
+ identity: service-${project_number}@compute-system.${universe_domain}iam.gserviceaccount.com
 role: roles/compute.serviceAgent
 is_primary: false
 aliases:
@@ -741,315 +748,322 @@
 - name: compute-usage
 display_name: Compute Usage Export Service Agent
 api: compute.googleapis.com
- identity: service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-compute-usage.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: configdelivery
 display_name: Config Delivery Service Account
 api: configdelivery.googleapis.com
- identity: service-%s@gcp-sa-configdelivery.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-configdelivery.${universe_domain}iam.gserviceaccount.com
 role: roles/configdelivery.serviceAgent
 is_primary: true
 aliases: []
 - name: connectors
 display_name: Connectors Service Account
 api: connectors.googleapis.com
- identity: service-%s@gcp-sa-connectors.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-connectors.${universe_domain}iam.gserviceaccount.com
 role: roles/connectors.serviceAgent
 is_primary: true
 aliases: []
 - name: contactcenterinsights
 display_name: Contact Center AI Insights Service Account
 api: contactcenterinsights.googleapis.com
- identity: service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-contactcenterinsights.${universe_domain}iam.gserviceaccount.com
 role: roles/contactcenterinsights.serviceAgent
 is_primary: true
 aliases: []
 - name: ccinsights-cmek
 display_name: Contact Center AI Insights Service Account for CMEK (prod)
 api: contactcenterinsights.googleapis.com
- identity: service-%s@gcp-sa-ccinsights-cmek.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-ccinsights-cmek.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: ccaip
 display_name: Contact Center AI Platform Service Account
 api: contactcenteraiplatform.googleapis.com
- identity: service-%s@gcp-sa-ccaip.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-ccaip.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: ccai-cmek
 display_name: Contact Center AI shared Service Account for CMEK (prod)
 api: contactcenterinsights.googleapis.com
- identity: service-%s@gcp-sa-ccai-cmek.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-ccai-cmek.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: gcp-ri-contactcenterinsights
 display_name: Contact Center Insights Resource Identity (prod)
 api: contactcenterinsights.googleapis.com
- identity: service-%s@gcp-ri-contactcenterinsights.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-ri-contactcenterinsights.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: container-analysis
 display_name: Container Analysis Service Agent
 api: containeranalysis.googleapis.com
- identity: service-%s@container-analysis.iam.gserviceaccount.com
+ identity: service-${project_number}@container-analysis.${universe_domain}iam.gserviceaccount.com
 role: roles/containeranalysis.ServiceAgent
 is_primary: true
 aliases: []
 - name: containerscanning
 display_name: Container Scanning Service Agent
 api: containerscanning.googleapis.com
- identity: service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-containerscanning.${universe_domain}iam.gserviceaccount.com
 role: roles/containerscanning.ServiceAgent
 is_primary: true
 aliases: []
 - name: containersec
 display_name: Container Security Service Agent
 api: containersecurity.googleapis.com
- identity: service-%s@gcp-sa-containersec.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-containersec.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: ktd-control
 display_name: Container Threat Detection Service Agent
 api: containerthreatdetection.googleapis.com
- identity: service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-ktd-control.${universe_domain}iam.gserviceaccount.com
 role: roles/containerthreatdetection.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-cw
 display_name: Content Warehouse Service Account
 api: contentwarehouse.googleapis.com
- identity: service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloud-cw.${universe_domain}iam.gserviceaccount.com
 role: roles/contentwarehouse.serviceAgent
 is_primary: true
 aliases: []
 - name: dataconnectors
 display_name: Data Connectors Service Account
 api: dataconnectors.googleapis.com
- identity: service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dataconnectors.${universe_domain}iam.gserviceaccount.com
 role: roles/dataconnectors.serviceAgent
 is_primary: true
 aliases: []
 - name: datalabeling
 display_name: Data Labeling Service Account
 api: datalabeling.googleapis.com
- identity: service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-datalabeling.${universe_domain}iam.gserviceaccount.com
 role: roles/datalabeling.serviceAgent
 is_primary: true
 aliases: []
 - name: datapipelines
 display_name: Data Pipelines Service Agent
 api: datapipelines.googleapis.com
- identity: service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-datapipelines.${universe_domain}iam.gserviceaccount.com
 role: roles/datapipelines.serviceAgent
 is_primary: true
 aliases: []
 - name: datastudio
 display_name: Data Studio Service Account
 api: datastudio.googleapis.com
- identity: service-%s@gcp-sa-datastudio.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-datastudio.${universe_domain}iam.gserviceaccount.com
 role: roles/datastudio.serviceAgent
 is_primary: true
 aliases: []
 - name: dataform
 display_name: Dataform Service Account
 api: dataform.googleapis.com
- identity: service-%s@gcp-sa-dataform.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dataform.${universe_domain}iam.gserviceaccount.com
 role: roles/dataform.serviceAgent
 is_primary: true
 aliases: []
 - name: metastore
 display_name: Dataproc Metastore Service Account
 api: metastore.googleapis.com
- identity: service-%s@gcp-sa-metastore.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-metastore.${universe_domain}iam.gserviceaccount.com
 role: roles/metastore.serviceAgent
 is_primary: true
 aliases: []
 - name: monitoring-deprecated
 display_name: Deprecated Monitoring Service Account
 api: monitoring.googleapis.com
- identity: service-%s@gcp-sa-monitoring.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-monitoring.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
+- name: designcenter
+ display_name: Design Center Service Account
+ api: designcenter.googleapis.com
+ identity: service-${project_number}@gcp-sa-designcenter.${universe_domain}iam.gserviceaccount.com
+ role: roles/designcenter.serviceAgent
+ is_primary: true
+ aliases: []
 - name: devconnect
 display_name: Developer Connect Service Account
 api: developerconnect.googleapis.com
- identity: service-%s@gcp-sa-devconnect.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-devconnect.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: dialogflow-cmek
 display_name: Dialogflow Service Account for CMEK (prod)
 api: dialogflow.googleapis.com
- identity: service-%s@gcp-sa-dialogflow-cmek.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dialogflow-cmek.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: dialogflow
 display_name: Dialogflow Service Agent
 api: dialogflow.googleapis.com
- identity: service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dialogflow.${universe_domain}iam.gserviceaccount.com
 role: roles/dialogflow.serviceAgent
 is_primary: true
 aliases: []
 - name: discoveryengine
 display_name: Discovery Engine Service Account
 api: discoveryengine.googleapis.com
- identity: service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-discoveryengine.${universe_domain}iam.gserviceaccount.com
 role: roles/discoveryengine.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-cw-cmek
 display_name: Document AI Warehouse CMEK Infra Spanner Service Account
 api: contentwarehouse.googleapis.com
- identity: service-%s@gcp-sa-cloud-cw-cmek.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloud-cw-cmek.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: prod-dai-core
 display_name: DocumentAI Core Service Agent
 api: documentai.googleapis.com
- identity: service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-prod-dai-core.${universe_domain}iam.gserviceaccount.com
 role: roles/documentaicore.serviceAgent
 is_primary: true
 aliases: []
 - name: edgecontainercluster
 display_name: Edge Container Cluster Service Agent
 api: edgecontainer.googleapis.com
- identity: service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-edgecontainercluster.${universe_domain}iam.gserviceaccount.com
 role: roles/edgecontainer.clusterServiceAgent
 is_primary: false
 aliases: []
 - name: edgecontainergcr
 display_name: Edge Container GCR Service Agent
 api: edgecontainer.googleapis.com
- identity: service-%s@gcp-sa-edgecontainergcr.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-edgecontainergcr.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: edgecontainer
 display_name: Edge Container Service Agent
 api: edgecontainer.googleapis.com
- identity: service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-edgecontainer.${universe_domain}iam.gserviceaccount.com
 role: roles/edgecontainer.serviceAgent
 is_primary: true
 aliases: []
 - name: cloud-ekg
 display_name: Enterprise Knowledge Graph Service Agent
 api: enterpriseknowledgegraph.googleapis.com
- identity: service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloud-ekg.${universe_domain}iam.gserviceaccount.com
 role: roles/enterpriseknowledgegraph.serviceAgent
 is_primary: true
 aliases: []
 - name: eventarc
 display_name: Eventarc Service Agent
 api: eventarc.googleapis.com
- identity: service-%s@gcp-sa-eventarc.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-eventarc.${universe_domain}iam.gserviceaccount.com
 role: roles/eventarc.serviceAgent
 is_primary: true
 aliases: []
 - name: ekms
 display_name: External Key Management Service Service Account
 api: cloudkms.googleapis.com
- identity: service-%s@gcp-sa-ekms.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-ekms.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: firebaseappcheck
 display_name: Firebase App Check Service Account
 api: firebaseappcheck.googleapis.com
- identity: service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebaseappcheck.${universe_domain}iam.gserviceaccount.com
 role: roles/firebaseappcheck.serviceAgent
 is_primary: true
 aliases: []
 - name: firebaseapphosting
 display_name: Firebase App Hosting Service Account
 api: firebaseapphosting.googleapis.com
- identity: service-%s@gcp-sa-firebaseapphosting.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebaseapphosting.${universe_domain}iam.gserviceaccount.com
 role: roles/firebaseapphosting.serviceAgent
 is_primary: true
 aliases: []
 - name: crashlytics
 display_name: Firebase Crashlytics Service Agent
 api: firebasecrashlytics.googleapis.com
- identity: service-%s@gcp-sa-crashlytics.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-crashlytics.${universe_domain}iam.gserviceaccount.com
 role: roles/firebasecrashlytics.serviceAgent
 is_primary: true
 aliases: []
 - name: firebasedataconnect
 display_name: Firebase Data Connect Service Account
 api: firebasedataconnect.googleapis.com
- identity: service-%s@gcp-sa-firebasedataconnect.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebasedataconnect.${universe_domain}iam.gserviceaccount.com
 role: roles/firebasedataconnect.serviceAgent
 is_primary: true
 aliases: []
 - name: firebasemods
 display_name: Firebase Extensions Service Agent
 api: firebaseextensions.googleapis.com
- identity: service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebasemods.${universe_domain}iam.gserviceaccount.com
 role: roles/firebasemods.serviceAgent
 is_primary: true
 aliases: []
 - name: firebaseml
 display_name: Firebase Machine Learning Service Account
 api: firebaseml.googleapis.com
- identity: service-%s@gcp-sa-firebaseml.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebaseml.${universe_domain}iam.gserviceaccount.com
 role: roles/firebaseml.serviceAgent
 is_primary: true
 aliases: []
 - name: firebase
 display_name: Firebase Management Service Agent
 api: firebase.googleapis.com
- identity: service-%s@gcp-sa-firebase.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebase.${universe_domain}iam.gserviceaccount.com
 role: roles/firebase.managementServiceAgent
 is_primary: false
 aliases: []
 - name: firebasedatabase
 display_name: Firebase Realtime Database Service Agent
 api: firebasedatabase.googleapis.com
- identity: service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firebasedatabase.${universe_domain}iam.gserviceaccount.com
 role: roles/firebasedatabase.serviceAgent
 is_primary: true
 aliases: []
 - name: firebase-rules
 display_name: Firebase Rules Service Agent
 api: firebaserules.googleapis.com
- identity: service-%s@firebase-rules.iam.gserviceaccount.com
+ identity: service-${project_number}@firebase-rules.${universe_domain}iam.gserviceaccount.com
 role: roles/firebaserules.system
 is_primary: true
 aliases: []
 - name: firewallinsights
 display_name: Firewall Insights Service Account
 api: firewallinsights.googleapis.com
- identity: service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-firewallinsights.${universe_domain}iam.gserviceaccount.com
 role: roles/firewallinsights.serviceAgent
 is_primary: true
 aliases: []
 - name: gsuiteaddons
 display_name: G Suite Add-ons Service Account
 api: gsuiteaddons.googleapis.com
- identity: service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-gsuiteaddons.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: gkedataplanev2
 display_name: GKE Dataplane V2 Service Account
 api: gkedataplanev2.googleapis.com
- identity: service-%s@gcp-sa-gkedataplanev2.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-gkedataplanev2.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: gkehub
 display_name: GKE Hub API Service Account
 api: gkehub.googleapis.com
- identity: service-%s@gcp-sa-gkehub.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-gkehub.${universe_domain}iam.gserviceaccount.com
 role: roles/gkehub.serviceAgent
 is_primary: true
 aliases:
@@ -1057,21 +1071,21 @@
 - name: cloudaicompanion
 display_name: Gemini for Google Cloud Service Agent
 api: cloudaicompanion.googleapis.com
- identity: service-%s@gcp-sa-cloudaicompanion.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-cloudaicompanion.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudaicompanion.serviceAgent
 is_primary: true
 aliases: []
 - name: gkeonprem
 display_name: Gke On-Prem Service Account
 api: gkeonprem.googleapis.com
- identity: service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-gkeonprem.${universe_domain}iam.gserviceaccount.com
 role: roles/gkeonprem.serviceAgent
 is_primary: true
 aliases: []
 - name: cloudservices
 display_name: Google APIs Service Agent
 api: null
- identity: '%s@cloudservices.gserviceaccount.com'
+ identity: ${project_number}@cloudservices.gserviceaccount.com
 role: null
 is_primary: false
 aliases:
@@ -1079,14 +1093,14 @@
 - name: dataprocrmnode
 display_name: Google Cloud Dataproc Resource Manager Node Service Agent
 api: dataprocrm.googleapis.com
- identity: service-%s@gcp-sa-dataprocrmnode.iam.gserviceaccount.com
- role: roles/dataprocrm.nodeServiceAgent
+ identity: service-${project_number}@gcp-sa-dataprocrmnode.${universe_domain}iam.gserviceaccount.com
+ role: roles/dataprocrm.defaultNodeServiceAgent
 is_primary: true
 aliases: []
 - name: dataproc-accounts
 display_name: Google Cloud Dataproc Service Agent
 api: dataproc.googleapis.com
- identity: service-%s@dataproc-accounts.iam.gserviceaccount.com
+ identity: service-${project_number}@dataproc-accounts.${universe_domain}iam.gserviceaccount.com
 role: roles/dataproc.serviceAgent
 is_primary: true
 aliases:
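Review bot: The new `cloudservices` identity `${project_number}@cloudservices.gserviceaccount.com` is the only template in this file without a `${universe_domain}` placeholder, which next to every other rewritten entry reads like an omission; as far as I can tell from the rest of the change, the Terraform side that consumes this file builds the universe-aware address for this one agent itself, so the YAML value is only used in the default universe. That is worth stating on the entry so a later cleanup does not "fix" it into a second domain, e.g. `  # no universe_domain here: non-default universes build this address in the module code` placed above the `identity:` line. Dropping the quotes along with the value is fine, since a leading `${` does not need quoting in YAML the way the old leading `%` did.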
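Review bot: The `role` for `dataprocrmnode` changes from `roles/dataprocrm.nodeServiceAgent` to `roles/dataprocrm.defaultNodeServiceAgent` inside what is otherwise a mechanical identity rewrite, and the same happens to `gkenode` (`roles/container.nodeServiceAgent` → `roles/container.defaultNodeServiceAgent`) in the last hunk of this file. Assuming `role` is what the module binds to the agent, as the field name suggests, this is an IAM change for every project that opts into these agents: the plan should show the old binding removed and the new one added, and users pinning this module should know a grant moves. It would help to call both renames out explicitly in the commit message or changelog rather than leaving them buried among ~200 template edits, and to confirm that both `default*` role IDs resolve in the universes this module now targets, since a role that does not exist in a non-default universe will only surface at apply time.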
@@ -1094,7 +1108,7 @@
 - name: gcf-admin-robot
 display_name: Google Cloud Functions Service Agent
 api: cloudfunctions.googleapis.com
- identity: service-%s@gcf-admin-robot.iam.gserviceaccount.com
+ identity: service-${project_number}@gcf-admin-robot.${universe_domain}iam.gserviceaccount.com
 role: roles/cloudfunctions.serviceAgent
 is_primary: true
 aliases:
@@ -1103,35 +1117,35 @@
 - name: cloud-ml
 display_name: Google Cloud ML Engine Service Agent
 api: ml.googleapis.com
- identity: service-%s@cloud-ml.google.com.iam.gserviceaccount.com
+ identity: service-${project_number}@cloud-ml.google.com.${universe_domain}iam.gserviceaccount.com
 role: roles/ml.serviceAgent
 is_primary: true
 aliases: []
 - name: netapp
 display_name: Google Cloud NetApp Volumes Service Account
 api: netapp.googleapis.com
- identity: service-%s@gcp-sa-netapp.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-netapp.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: true
 aliases: []
 - name: osconfig-rollout
 display_name: Google Cloud OS Config Rollout Service Agent
 api: osconfig.googleapis.com
- identity: service-%s@gcp-sa-osconfig-rollout.iam.gserviceaccount.com
- role: null
+ identity: service-${project_number}@gcp-sa-osconfig-rollout.${universe_domain}iam.gserviceaccount.com
+ role: roles/osconfig.rolloutServiceAgent
 is_primary: false
 aliases: []
 - name: osconfig
 display_name: Google Cloud OS Config Service Agent
 api: osconfig.googleapis.com
- identity: service-%s@gcp-sa-osconfig.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-osconfig.${universe_domain}iam.gserviceaccount.com
 role: roles/osconfig.serviceAgent
 is_primary: true
 aliases: []
 - name: serverless-robot-prod
 display_name: Google Cloud Run Service Agent
 api: run.googleapis.com
- identity: service-%s@serverless-robot-prod.iam.gserviceaccount.com
+ identity: service-${project_number}@serverless-robot-prod.${universe_domain}iam.gserviceaccount.com
 role: roles/run.serviceAgent
 is_primary: true
 aliases:
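Review bot: `osconfig-rollout` goes from `role: null` to `role: roles/osconfig.rolloutServiceAgent`, so this hunk does more than the template rewrite around it: if `role` is what the module binds to the agent, every project with OS Config enabled that requests service-agent grants will pick up a new IAM binding for this non-primary agent on the next apply. A role going from none to some is a privilege expansion that reviewers and consumers of this module should be able to find without diffing the YAML, so it deserves a line in the commit message or changelog, plus a check that this role ID is the one documented for the rollout agent (I cannot verify that from the diff). Since `is_primary` stays `false`, it is also worth confirming that the module applies `role` to non-primary agents at all; otherwise the new value is inert and the entry becomes misleading.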
@@ -1140,21 +1154,21 @@
 - name: dep
 display_name: Google Cloud Service Extensions Service Account
 api: networkservices.googleapis.com
- identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com
+ identity: service-${project_number}@gcp-sa-dep.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases: []
 - name: containerregistry
 display_name: Google Container Registry Service Agent
 api: containerregistry.googleapis.com
- identity: service-%s@containerregistry.iam.gserviceaccount.com
+ identity: service-${project_number}@containerregistry.${universe_domain}iam.gserviceaccount.com
 role: roles/containerregistry.ServiceAgent
 is_primary: true
 aliases: []
 - name: gs-project-accounts
 display_name: Google Storage Service Agent
 api: storage.googleapis.com
- identity: service-%s@gs-project-accounts.iam.gserviceaccount.com
+ identity: service-${project_number}@gs-project-accounts.${universe_domain}iam.gserviceaccount.com
 role: null
 is_primary: false
 aliases:
@@ -1162,70 +1176,70 @@ - name: iap display_name: IAP Service Account api: iap.googleapis.com - identity: service-%s@gcp-sa-iap.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-iap.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: gcp-ri-identitypool display_name: Identity Pool Resource Identity api: iam.googleapis.com - identity: service-%s@gcp-ri-identitypool.iam.gserviceaccount.com + identity: service-${project_number}@gcp-ri-identitypool.${universe_domain}iam.gserviceaccount.com role: null is_primary: false aliases: [] - name: config display_name: Infrastructure Manager Service Account api: config.googleapis.com - identity: service-%s@gcp-sa-config.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-config.${universe_domain}iam.gserviceaccount.com role: roles/cloudconfig.serviceAgent is_primary: true aliases: [] - name: ivs display_name: Integrated Vulnerability Scanner Service Account api: securitycenter.googleapis.com - identity: service-%s@gcp-sa-ivs.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-ivs.${universe_domain}iam.gserviceaccount.com role: null is_primary: false aliases: [] - name: fs-spanner display_name: Internal Cloud Firestore Spanner Service Agent api: firestore.googleapis.com - identity: service-%s@gcp-sa-fs-spanner.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-fs-spanner.${universe_domain}iam.gserviceaccount.com role: null is_primary: false aliases: [] - name: issuerswitch display_name: Issuer Switch Service Account api: issuerswitch.googleapis.com - identity: service-%s@gcp-sa-issuerswitch.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-issuerswitch.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: krmapihosting display_name: KRM API Hosting Service Account api: krmapihosting.googleapis.com - identity: service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com + 
identity: service-${project_number}@gcp-sa-krmapihosting.${universe_domain}iam.gserviceaccount.com role: roles/krmapihosting.serviceAgent is_primary: false aliases: [] - name: krmapihosting-dataplane display_name: KRM API Hosting Service Account api: krmapihosting.googleapis.com - identity: service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-krmapihosting-dataplane.${universe_domain}iam.gserviceaccount.com role: roles/krmapihosting.anthosApiEndpointServiceAgent is_primary: false aliases: [] - name: gkenode display_name: Kubernetes Engine Node Service Agent api: container.googleapis.com - identity: service-%s@gcp-sa-gkenode.iam.gserviceaccount.com - role: roles/container.nodeServiceAgent + identity: service-${project_number}@gcp-sa-gkenode.${universe_domain}iam.gserviceaccount.com + role: roles/container.defaultNodeServiceAgent is_primary: false aliases: [] - name: container-engine-robot display_name: Kubernetes Engine Service Agent api: container.googleapis.com - identity: service-%s@container-engine-robot.iam.gserviceaccount.com + identity: service-${project_number}@container-engine-robot.${universe_domain}iam.gserviceaccount.com role: roles/container.serviceAgent is_primary: true aliases: 
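Review bot: The gkenode role rename from `roles/container.nodeServiceAgent` to `roles/container.defaultNodeServiceAgent` changes the `role` of `google_project_iam_member.service_agents["gkenode"]` (the resource shown in the test inventories later in this diff), and role is an immutable attribute of that resource, so on apply the old binding is destroyed and a new one created. The diff gives no reason for the rename; a line in the commit description, or in the module README where the `service_agents` output is documented, saying why the role changed and that existing projects will see the binding replaced would help operators expect the IAM change. The krmapihosting entry at the top of this hunk is split across the hunk boundary above.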
@@ -1234,56 +1248,63 @@ - name: cloudbuild-sa display_name: Legacy Cloud Build service account api: cloudbuild.googleapis.com - identity: '%s@cloudbuild.gserviceaccount.com' + identity: ${project_number}@cloudbuild.gserviceaccount.com role: roles/cloudbuild.builds.builder is_primary: false aliases: [] - name: livestream display_name: Livestream Service Account api: livestream.googleapis.com - identity: service-%s@gcp-sa-livestream.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-livestream.${universe_domain}iam.gserviceaccount.com role: roles/livestream.serviceAgent is_primary: true aliases: [] - name: looker display_name: Looker Service Account api: looker.googleapis.com - identity: service-%s@gcp-sa-looker.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-looker.${universe_domain}iam.gserviceaccount.com role: roles/looker.serviceAgent is_primary: true aliases: [] - name: managedflink display_name: Managed Flink Service Agent api: managedflink.googleapis.com - identity: service-%s@gcp-sa-managedflink.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-managedflink.${universe_domain}iam.gserviceaccount.com role: roles/managedflink.serviceAgent is_primary: true aliases: [] - name: managedkafka display_name: Managed Kafka Service Account api: managedkafka.googleapis.com - identity: service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-managedkafka.${universe_domain}iam.gserviceaccount.com role: roles/managedkafka.serviceAgent is_primary: true aliases: [] - name: memorystore display_name: Memorystore Service Agent api: memorystore.googleapis.com - identity: service-%s@gcp-sa-memorystore.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-memorystore.${universe_domain}iam.gserviceaccount.com role: roles/memorystore.serviceAgent is_primary: true aliases: [] - name: meshconfig display_name: Mesh Config Service Account api: meshconfig.googleapis.com - 
identity: service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-meshconfig.${universe_domain}iam.gserviceaccount.com role: roles/meshconfig.serviceAgent is_primary: true aliases: [] +- name: modelarmor + display_name: Model Armor Service Account + api: modelarmor.googleapis.com + identity: service-${project_number}@gcp-sa-modelarmor.${universe_domain}iam.gserviceaccount.com + role: roles/modelarmor.serviceAgent + is_primary: true + aliases: [] - name: monitoring-notification display_name: Monitoring Service Account api: monitoring.googleapis.com - identity: service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-monitoring-notification.${universe_domain}iam.gserviceaccount.com role: roles/monitoring.notificationServiceAgent is_primary: true aliases: 
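Review bot: The cloudbuild-sa identity becomes `${project_number}@cloudbuild.gserviceaccount.com` with no `${universe_domain}` placeholder, unlike every other identity in this hunk, so with `var.universe` set this legacy account still resolves to the default-universe domain. If that is intentional because the legacy Cloud Build account only exists there, it should be stated, since the replace in tools/build_service_agents.py (last hunk) only rewrites `.iam.gserviceaccount.` and will therefore never add the placeholder to this entry on regeneration. The new modelarmor entry in the same hunk is `is_primary: true` with `roles/modelarmor.serviceAgent`, which means enabling modelarmor.googleapis.com now grants that role by default; worth a mention alongside the resource-count bumps.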
@@ -1291,364 +1312,364 @@ - name: multiclusteringress display_name: Multi Cluster Ingress Service Account api: multiclusteringress.googleapis.com - identity: service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-multiclusteringress.${universe_domain}iam.gserviceaccount.com role: roles/multiclusteringress.serviceAgent is_primary: true aliases: [] - name: mcmetering display_name: Multi cluster metering Service Account api: multiclustermetering.googleapis.com - identity: service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-mcmetering.${universe_domain}iam.gserviceaccount.com role: roles/multiclustermetering.serviceAgent is_primary: true aliases: [] - name: mcsd display_name: Multi-cluster Service Discovery Service Account api: multiclusterservicediscovery.googleapis.com - identity: service-%s@gcp-sa-mcsd.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-mcsd.${universe_domain}iam.gserviceaccount.com role: roles/multiclusterservicediscovery.serviceAgent is_primary: true aliases: [] - name: networkactions display_name: Network Actions Service Account api: networkservices.googleapis.com - identity: service-%s@gcp-sa-networkactions.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-networkactions.${universe_domain}iam.gserviceaccount.com role: roles/networkactions.serviceAgent is_primary: false aliases: [] - name: networkconnectivity display_name: Network Connectivity Service Account api: networkconnectivity.googleapis.com - identity: service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-networkconnectivity.${universe_domain}iam.gserviceaccount.com role: roles/networkconnectivity.serviceAgent is_primary: true aliases: [] - name: networksecurity display_name: Network Security Service Account api: networksecurity.googleapis.com - identity: 
service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-networksecurity.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: ondemandscanning display_name: On-Demand Scanning Service Account api: ondemandscanning.googleapis.com - identity: service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-ondemandscanning.${universe_domain}iam.gserviceaccount.com role: roles/ondemandscanning.serviceAgent is_primary: true aliases: [] - name: oci display_name: Oracle Database@Google Cloud Service Account api: oracledatabase.googleapis.com - identity: service-%s@gcp-sa-oci.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-oci.${universe_domain}iam.gserviceaccount.com role: roles/oci.serviceAgent is_primary: true aliases: [] - name: parallelstore display_name: Parallelstore Service Agent api: parallelstore.googleapis.com - identity: service-%s@gcp-sa-parallelstore.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-parallelstore.${universe_domain}iam.gserviceaccount.com role: roles/parallelstore.serviceAgent is_primary: true aliases: [] - name: privateca display_name: Private CA Service Account api: privateca.googleapis.com - identity: service-%s@gcp-sa-privateca.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-privateca.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: progrollout display_name: Progressive Rollout Service Agent api: progressiverollout.googleapis.com - identity: service-%s@gcp-sa-progrollout.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-progrollout.${universe_domain}iam.gserviceaccount.com role: roles/progressiverollout.serviceAgent is_primary: true aliases: [] - name: pubsublite display_name: Pub/Sub Lite Service Account api: pubsublite.googleapis.com - identity: service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com 
+ identity: service-${project_number}@gcp-sa-pubsublite.${universe_domain}iam.gserviceaccount.com role: roles/pubsublite.serviceAgent is_primary: true aliases: [] - name: rma display_name: Rapid Migration Assessment Service Account api: rapidmigrationassessment.googleapis.com - identity: service-%s@gcp-sa-rma.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-rma.${universe_domain}iam.gserviceaccount.com role: roles/rapidmigrationassessment.serviceAgent is_primary: true aliases: [] - name: rbe display_name: Remote Build Execution Service Agent api: remotebuildexecution.googleapis.com - identity: service-%s@gcp-sa-rbe.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-rbe.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: remotebuildexecution display_name: Remote Build Execution Service Agent api: remotebuildexecution.googleapis.com - identity: service-%s@remotebuildexecution.iam.gserviceaccount.com + identity: service-${project_number}@remotebuildexecution.${universe_domain}iam.gserviceaccount.com role: roles/remotebuildexecution.serviceAgent is_primary: false aliases: [] - name: remotebuild display_name: Remote Build Execution Service Agent api: remotebuildexecution.googleapis.com - identity: service-%s@gcp-sa-remotebuild.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-remotebuild.${universe_domain}iam.gserviceaccount.com role: roles/remotebuildexecution.serviceAgent is_primary: false aliases: [] - name: retail display_name: Retail Service Account api: retail.googleapis.com - identity: service-%s@gcp-sa-retail.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-retail.${universe_domain}iam.gserviceaccount.com role: roles/retail.serviceAgent is_primary: true aliases: [] - name: secretmanager display_name: Secret Manager Service Account api: secretmanager.googleapis.com - identity: service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com + identity: 
service-${project_number}@gcp-sa-secretmanager.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: sourcemanager display_name: Secure Source Manager Service Account api: securesourcemanager.googleapis.com - identity: service-%s@gcp-sa-sourcemanager.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-sourcemanager.${universe_domain}iam.gserviceaccount.com role: roles/securesourcemanager.serviceAgent is_primary: true aliases: [] - name: securewebproxy display_name: Secure Web Proxy Service Account api: networkservices.googleapis.com - identity: service-%s@gcp-sa-securewebproxy.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-securewebproxy.${universe_domain}iam.gserviceaccount.com role: null is_primary: false aliases: [] - name: runapps display_name: Serverless Integrations Service Account api: runapps.googleapis.com - identity: service-%s@gcp-sa-runapps.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-runapps.${universe_domain}iam.gserviceaccount.com role: roles/runapps.serviceAgent is_primary: true aliases: [] - name: vpcaccess display_name: Serverless VPC Access Service Agent api: vpcaccess.googleapis.com - identity: service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vpcaccess.${universe_domain}iam.gserviceaccount.com role: roles/vpcaccess.serviceAgent is_primary: true aliases: [] - name: service-consumer-management display_name: Service Consumer Management Service Agent api: serviceconsumermanagement.googleapis.com - identity: service-%s@service-consumer-management.iam.gserviceaccount.com + identity: service-${project_number}@service-consumer-management.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: servicedirectory display_name: Service Directory Service Account api: servicedirectory.googleapis.com - identity: service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com + identity: 
service-${project_number}@gcp-sa-servicedirectory.${universe_domain}iam.gserviceaccount.com role: roles/servicedirectory.serviceAgent is_primary: true aliases: [] - name: service-networking display_name: Service Networking Service Agent api: servicenetworking.googleapis.com - identity: service-%s@service-networking.iam.gserviceaccount.com + identity: service-${project_number}@service-networking.${universe_domain}iam.gserviceaccount.com role: roles/servicenetworking.serviceAgent is_primary: true aliases: [] - name: spectrumsas display_name: Spectrum SAS Service Account api: sasportal.googleapis.com - identity: service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-spectrumsas.${universe_domain}iam.gserviceaccount.com role: roles/spectrumsas.serviceAgent is_primary: true aliases: [] - name: speech display_name: Speech-to-Text Service Account api: speech.googleapis.com - identity: service-%s@gcp-sa-speech.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-speech.${universe_domain}iam.gserviceaccount.com role: roles/speech.serviceAgent is_primary: true aliases: [] - name: storageinsights display_name: Storage Insights Service Account api: storageinsights.googleapis.com - identity: service-%s@gcp-sa-storageinsights.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-storageinsights.${universe_domain}iam.gserviceaccount.com role: roles/storageinsights.serviceAgent is_primary: true aliases: [] - name: storage-transfer-service display_name: Storage Transfer Service Service Agent api: storagetransfer.googleapis.com - identity: project-%s@storage-transfer-service.iam.gserviceaccount.com + identity: project-${project_number}@storage-transfer-service.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: stream display_name: Stream Service Account api: stream.googleapis.com - identity: service-%s@gcp-sa-stream.iam.gserviceaccount.com + identity: 
service-${project_number}@gcp-sa-stream.${universe_domain}iam.gserviceaccount.com role: roles/stream.serviceAgent is_primary: true aliases: [] - name: cloud-tpu display_name: TPU Service Agent api: tpu.googleapis.com - identity: service-%s@cloud-tpu.iam.gserviceaccount.com + identity: service-${project_number}@cloud-tpu.${universe_domain}iam.gserviceaccount.com role: roles/tpu.serviceAgent is_primary: true aliases: [] - name: tpu display_name: TPU Service Agent (v2) api: tpu.googleapis.com - identity: service-%s@gcp-sa-tpu.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-tpu.${universe_domain}iam.gserviceaccount.com role: roles/cloudtpu.serviceAgent is_primary: false aliases: [] - name: transcoder display_name: Transcoder Service Account api: transcoder.googleapis.com - identity: service-%s@gcp-sa-transcoder.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-transcoder.${universe_domain}iam.gserviceaccount.com role: roles/transcoder.serviceAgent is_primary: true aliases: [] - name: transferappliance display_name: Transfer Appliance Service Account api: transferappliance.googleapis.com - identity: service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-transferappliance.${universe_domain}iam.gserviceaccount.com role: null is_primary: true aliases: [] - name: vmwareengine display_name: VMwareEngine Service Account api: vmwareengine.googleapis.com - identity: service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vmwareengine.${universe_domain}iam.gserviceaccount.com role: roles/vmwareengine.serviceAgent is_primary: true aliases: [] - name: vertex-shtune display_name: Vertex AI Ancillary Secure Fine Tuning Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-shtune.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-shtune.${universe_domain}iam.gserviceaccount.com role: 
roles/aiplatform.user is_primary: false aliases: [] - name: vertex-bp display_name: Vertex AI Batch Prediction Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-bp.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-bp.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.batchPredictionServiceAgent is_primary: false aliases: [] - name: vertex-nb display_name: Vertex AI Colab Service Account api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-nb.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-nb.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.colabServiceAgent is_primary: false aliases: [] - name: vertex-ex display_name: Vertex AI Extension Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-ex.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-ex.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.extensionServiceAgent is_primary: false aliases: [] - name: vertex-ex-cc display_name: Vertex AI Extension Service Agent for Custom Code api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-ex-cc.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-ex-cc.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.extensionCustomCodeServiceAgent is_primary: false aliases: [] - name: vertex-mm display_name: Vertex AI Model Monitoring Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-mm.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-mm.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.modelMonitoringServiceAgent is_primary: false aliases: [] - name: aiplatform-vm display_name: Vertex AI Notebook Service Account api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-aiplatform-vm.iam.gserviceaccount.com + identity: 
service-${project_number}@gcp-sa-aiplatform-vm.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.notebookServiceAgent is_primary: false aliases: [] - name: vertex-op display_name: Vertex AI Online Prediction Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-op.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-op.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.onlinePredictionServiceAgent is_primary: false aliases: [] - name: vertex-tune display_name: Vertex AI Secure Fine Tuning Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-tune.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-tune.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.tuningServiceAgent is_primary: false aliases: [] - name: firebasevertexai display_name: Vertex AI in Firebase Service Account api: firebasevertexai.googleapis.com - identity: service-%s@gcp-sa-firebasevertexai.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-firebasevertexai.${universe_domain}iam.gserviceaccount.com role: roles/firebaseml.serviceAgent is_primary: true aliases: [] - name: vertex-agent display_name: Vertex Agent Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-agent.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-agent.${universe_domain}iam.gserviceaccount.com role: null is_primary: false aliases: [] - name: vertex-rag display_name: Vertex RAG Data Service Agent api: aiplatform.googleapis.com - identity: service-%s@gcp-sa-vertex-rag.iam.gserviceaccount.com + identity: service-${project_number}@gcp-sa-vertex-rag.${universe_domain}iam.gserviceaccount.com role: roles/aiplatform.ragServiceAgent is_primary: false aliases: [] - name: scc-vmtd display_name: Virtual Machine Threat Detection Service Account api: securitycenter.googleapis.com - identity: 
service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-scc-vmtd.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
 - name: visionai
   display_name: Vision AI Service Account
   api: visionai.googleapis.com
-  identity: service-%s@gcp-sa-visionai.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-visionai.${universe_domain}iam.gserviceaccount.com
   role: roles/visionai.serviceAgent
   is_primary: true
   aliases: []
 - name: workloadmanager
   display_name: Workload Manager Service Account
   api: workloadmanager.googleapis.com
-  identity: service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-workloadmanager.${universe_domain}iam.gserviceaccount.com
   role: roles/workloadmanager.serviceAgent
   is_primary: true
   aliases: []
 - name: workstations
   display_name: Workstations Service Account
   api: workstations.googleapis.com
-  identity: service-%s@gcp-sa-workstations.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-workstations.${universe_domain}iam.gserviceaccount.com
   role: roles/workstations.serviceAgent
   is_primary: true
   aliases: []
 - name: workstationsvm
   display_name: Workstations VM Default Service Account
   api: workstations.googleapis.com
-  identity: service-%s@gcp-sa-workstationsvm.iam.gserviceaccount.com
+  identity: service-${project_number}@gcp-sa-workstationsvm.${universe_domain}iam.gserviceaccount.com
   role: null
   is_primary: false
   aliases: []
diff --git a/tests/modules/gke_hub/examples/full.yaml b/tests/modules/gke_hub/examples/full.yaml
index 3662546b6..b7ac6a288 100644
--- a/tests/modules/gke_hub/examples/full.yaml
+++ b/tests/modules/gke_hub/examples/full.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -235,7 +235,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: gkehub-test
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_iam_member.service_agents["mcsd"]:
     condition: []
     project: gkehub-test
diff --git a/tests/modules/project/examples/basic.yaml b/tests/modules/project/examples/basic.yaml
index 66dd716c2..66f44d9b4 100644
--- a/tests/modules/project/examples/basic.yaml
+++ b/tests/modules/project/examples/basic.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false
diff --git a/tests/modules/project/examples/data.yaml b/tests/modules/project/examples/data.yaml
index 270023a0f..bae69bb7c 100644
--- a/tests/modules/project/examples/data.yaml
+++ b/tests/modules/project/examples/data.yaml
@@ -360,7 +360,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_iam_member.service_agents["serverless-robot-prod"]:
     condition: []
     project: test-project
diff --git a/tests/modules/project/examples/iam-authoritative.yaml b/tests/modules/project/examples/iam-authoritative.yaml
index bcbcb230a..9792bb1a6 100644
--- a/tests/modules/project/examples/iam-authoritative.yaml
+++ b/tests/modules/project/examples/iam-authoritative.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ values:
   module.project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-project
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project.google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false
diff --git a/tests/modules/project/examples/shared-vpc-auto-grants.yaml b/tests/modules/project/examples/shared-vpc-auto-grants.yaml
index 1fe0e1437..646fcb62e 100644
--- a/tests/modules/project/examples/shared-vpc-auto-grants.yaml
+++ b/tests/modules/project/examples/shared-vpc-auto-grants.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
     condition: []
     project: test-host
diff --git a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
index 9b69e3ea1..a93118648 100644
--- a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
+++ b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -65,7 +65,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
     condition: []
     member: group:organization-admins@example.org
diff --git a/tests/modules/project/examples/shared-vpc.yaml b/tests/modules/project/examples/shared-vpc.yaml
index 30768a0ba..a59e8d9dc 100644
--- a/tests/modules/project/examples/shared-vpc.yaml
+++ b/tests/modules/project/examples/shared-vpc.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ values:
   module.service-project.google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-service
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.service-project.google_project_iam_member.service_agents["serverless-robot-prod"]:
     condition: []
     project: test-service
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
index 1c4e6b085..1ddb659de 100644
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -173,7 +173,7 @@ values:
   module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-pf-dev-ta-app0-be
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
   : condition: []
     member: group:gcp-devops@example.org
@@ -305,7 +305,7 @@ values:
   module.project-factory.module.projects["teams-iac-0"].google_project_iam_member.service_agents["gkenode"]:
     condition: []
     project: test-pf-teams-iac-0
-    role: roles/container.nodeServiceAgent
+    role: roles/container.defaultNodeServiceAgent
   module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false
diff --git a/tools/build_service_agents.py b/tools/build_service_agents.py
index 65e22d28b..8dc023d8f 100755
--- a/tools/build_service_agents.py
+++ b/tools/build_service_agents.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -125,7 +125,9 @@ def main(e2e=False):
       # We keep the SERVICE_NAME part as the agent's name
       name = identity.split('@')[1].split('.')[0]
       name = name.removeprefix('gcp-sa-')
-      identity = identity.replace('PROJECT_NUMBER', '%s')
+      identity = identity.replace('PROJECT_NUMBER', '${project_number}')
+      identity = identity.replace('.iam.gserviceaccount.',
+                                  '.${universe_domain}iam.gserviceaccount.')
       if name == 'monitoring':
         # monitoring is deprecated in favor of monitoring-notification.