This is an automated email from the ASF dual-hosted git repository.
damccorm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new d4015eb395b Remove pubsublite - infra, groovy, checkstyles (#37450)
d4015eb395b is described below
commit d4015eb395bc9284d0ca369bc028f19a63f92b46
Author: Derrick Williams <[email protected]>
AuthorDate: Fri Jan 30 08:14:59 2026 -0500
Remove pubsublite - infra, groovy, checkstyles (#37450)
* remove groovy pubsublite dependencies
* remove checkstyle suppressions
* remove role config for pubsublite service and update role files
---
.../org/apache/beam/gradle/BeamModulePlugin.groovy | 3 -
infra/iam/roles/beam_admin.role.yaml | 69 ++++++++++++-
infra/iam/roles/beam_infra_manager.role.yaml | 80 ++++++++++++---
infra/iam/roles/beam_viewer.role.yaml | 108 +++++++++++++++++----
infra/iam/roles/beam_writer.role.yaml | 22 ++++-
infra/iam/roles/roles_config.yaml | 2 +-
.../resources/beam/checkstyle/suppressions.xml | 2 -
7 files changed, 244 insertions(+), 42 deletions(-)
diff --git
a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index 7db9e56e719..e64d7b1ebee 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -758,7 +758,6 @@ class BeamModulePlugin implements Plugin<Project> {
google_cloud_firestore :
"com.google.cloud:google-cloud-firestore", //
google_cloud_platform_libraries_bom sets version
google_cloud_kms :
"com.google.cloud:google-cloud-kms", // google_cloud_platform_libraries_bom
sets version
google_cloud_pubsub :
"com.google.cloud:google-cloud-pubsub", // google_cloud_platform_libraries_bom
sets version
- google_cloud_pubsublite :
"com.google.cloud:google-cloud-pubsublite", //
google_cloud_platform_libraries_bom sets version
// [bomupgrader] the BOM version is set by
scripts/tools/bomupgrader.py. If update manually, also update
// libraries-bom version on
sdks/java/container/license_scripts/dep_urls_java.yaml
google_cloud_platform_libraries_bom :
"com.google.cloud:libraries-bom:26.74.0",
@@ -788,7 +787,6 @@ class BeamModulePlugin implements Plugin<Project> {
grpc_core : "io.grpc:grpc-core", //
google_cloud_platform_libraries_bom sets version
grpc_google_cloud_firestore_v1 :
"com.google.api.grpc:grpc-google-cloud-firestore-v1", //
google_cloud_platform_libraries_bom sets version
grpc_google_cloud_pubsub_v1 :
"com.google.api.grpc:grpc-google-cloud-pubsub-v1", //
google_cloud_platform_libraries_bom sets version
- grpc_google_cloud_pubsublite_v1 :
"com.google.api.grpc:grpc-google-cloud-pubsublite-v1", //
google_cloud_platform_libraries_bom sets version
grpc_google_common_protos :
"com.google.api.grpc:grpc-google-common-protos", //
google_cloud_platform_libraries_bom sets version
grpc_grpclb : "io.grpc:grpc-grpclb",
// google_cloud_platform_libraries_bom sets version
grpc_protobuf : "io.grpc:grpc-protobuf",
// google_cloud_platform_libraries_bom sets version
@@ -871,7 +869,6 @@ class BeamModulePlugin implements Plugin<Project> {
proto_google_cloud_firestore_v1 :
"com.google.api.grpc:proto-google-cloud-firestore-v1", //
google_cloud_platform_libraries_bom sets version
proto_google_cloud_kms_v1 :
"com.google.api.grpc:proto-google-cloud-kms-v1", //
google_cloud_platform_libraries_bom sets version
proto_google_cloud_pubsub_v1 :
"com.google.api.grpc:proto-google-cloud-pubsub-v1", //
google_cloud_platform_libraries_bom sets version
- proto_google_cloud_pubsublite_v1 :
"com.google.api.grpc:proto-google-cloud-pubsublite-v1", //
google_cloud_platform_libraries_bom sets version
proto_google_cloud_secret_manager_v1 :
"com.google.api.grpc:proto-google-cloud-secretmanager-v1", //
google_cloud_platform_libraries_bom sets version
proto_google_cloud_spanner_v1 :
"com.google.api.grpc:proto-google-cloud-spanner-v1", //
google_cloud_platform_libraries_bom sets version
proto_google_cloud_spanner_admin_database_v1:
"com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1", //
google_cloud_platform_libraries_bom sets version
diff --git a/infra/iam/roles/beam_admin.role.yaml
b/infra/iam/roles/beam_admin.role.yaml
index 4296196c495..73f553f746e 100644
--- a/infra/iam/roles/beam_admin.role.yaml
+++ b/infra/iam/roles/beam_admin.role.yaml
@@ -16,7 +16,7 @@
# This file is auto-generated by generate_roles.py.
# Do not edit manually.
-# This file was generated on 2025-08-11 14:34:54 UTC
+# This file was generated on 2026-01-29 22:47:50 UTC
description: This is the beam_admin role
permissions:
@@ -61,6 +61,7 @@ permissions:
- bigquery.reservations.delete
- bigquery.routines.delete
- bigquery.rowAccessPolicies.delete
+- bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
- bigquery.rowAccessPolicies.setIamPolicy
- bigquery.savedqueries.delete
- bigquery.tables.create
@@ -89,6 +90,7 @@ permissions:
- cloudkms.ekmConnections.setIamPolicy
- cloudkms.importJobs.setIamPolicy
- cloudkms.keyRings.setIamPolicy
+- cloudkms.singleTenantHsmInstanceProposals.delete
- cloudsql.backupRuns.delete
- cloudsql.databases.delete
- cloudsql.instances.delete
@@ -164,7 +166,11 @@ permissions:
- compute.instances.deleteTagBinding
- compute.instances.setIamPolicy
- compute.instances.stop
+- compute.instantSnapshotGroups.delete
+- compute.instantSnapshotGroups.setIamPolicy
+- compute.instantSnapshots.createTagBinding
- compute.instantSnapshots.delete
+- compute.instantSnapshots.deleteTagBinding
- compute.instantSnapshots.setIamPolicy
- compute.interconnectAttachmentGroups.delete
- compute.interconnectAttachments.createTagBinding
@@ -174,8 +180,12 @@ permissions:
- compute.interconnects.deleteTagBinding
- compute.interconnects.getMacsecConfig
- compute.licenseCodes.setIamPolicy
+- compute.licenses.createTagBinding
+- compute.licenses.deleteTagBinding
- compute.licenses.setIamPolicy
+- compute.machineImages.createTagBinding
- compute.machineImages.delete
+- compute.machineImages.deleteTagBinding
- compute.machineImages.setIamPolicy
- compute.multiMig.delete
- compute.networkAttachments.createTagBinding
@@ -206,21 +216,29 @@ permissions:
- compute.publicDelegatedPrefixes.createTagBinding
- compute.publicDelegatedPrefixes.delete
- compute.publicDelegatedPrefixes.deleteTagBinding
+- compute.regionBackendBuckets.createTagBinding
+- compute.regionBackendBuckets.delete
+- compute.regionBackendBuckets.deleteTagBinding
+- compute.regionBackendBuckets.setIamPolicy
- compute.regionBackendServices.createTagBinding
- compute.regionBackendServices.delete
- compute.regionBackendServices.deleteTagBinding
- compute.regionBackendServices.setIamPolicy
+- compute.regionCompositeHealthChecks.delete
- compute.regionFirewallPolicies.createTagBinding
- compute.regionFirewallPolicies.delete
- compute.regionFirewallPolicies.deleteTagBinding
- compute.regionFirewallPolicies.setIamPolicy
+- compute.regionHealthAggregationPolicies.delete
- compute.regionHealthCheckServices.delete
- compute.regionHealthChecks.createTagBinding
- compute.regionHealthChecks.delete
- compute.regionHealthChecks.deleteTagBinding
+- compute.regionHealthSources.delete
- compute.regionNetworkEndpointGroups.createTagBinding
- compute.regionNetworkEndpointGroups.delete
- compute.regionNetworkEndpointGroups.deleteTagBinding
+- compute.regionNetworkPolicies.delete
- compute.regionNotificationEndpoints.delete
- compute.regionOperations.delete
- compute.regionSecurityPolicies.createTagBinding
@@ -244,9 +262,14 @@ permissions:
- compute.regionUrlMaps.createTagBinding
- compute.regionUrlMaps.delete
- compute.regionUrlMaps.deleteTagBinding
+- compute.reservations.createTagBinding
- compute.reservations.delete
+- compute.reservations.deleteTagBinding
- compute.resourcePolicies.delete
- compute.resourcePolicies.setIamPolicy
+- compute.rolloutPlans.delete
+- compute.rollouts.cancel
+- compute.rollouts.delete
- compute.routers.createTagBinding
- compute.routers.delete
- compute.routers.deleteTagBinding
@@ -268,7 +291,9 @@ permissions:
- compute.sslCertificates.deleteTagBinding
- compute.sslPolicies.createTagBinding
- compute.sslPolicies.deleteTagBinding
+- compute.storagePools.createTagBinding
- compute.storagePools.delete
+- compute.storagePools.deleteTagBinding
- compute.storagePools.setIamPolicy
- compute.subnetworks.createTagBinding
- compute.subnetworks.delete
@@ -300,6 +325,7 @@ permissions:
- compute.targetVpnGateways.deleteTagBinding
- compute.urlMaps.createTagBinding
- compute.urlMaps.deleteTagBinding
+- compute.vmExtensionPolicies.delete
- compute.vpnGateways.createTagBinding
- compute.vpnGateways.delete
- compute.vpnGateways.deleteTagBinding
@@ -387,9 +413,15 @@ permissions:
- dataflow.snapshots.delete
- dataform.commentThreads.delete
- dataform.comments.delete
+- dataform.folders.delete
+- dataform.folders.setIamPolicy
+- dataform.operations.cancel
+- dataform.operations.delete
- dataform.releaseConfigs.delete
- dataform.repositories.delete
- dataform.repositories.setIamPolicy
+- dataform.teamFolders.delete
+- dataform.teamFolders.setIamPolicy
- dataform.workflowConfigs.delete
- dataform.workflowInvocations.cancel
- dataform.workflowInvocations.delete
@@ -401,10 +433,13 @@ permissions:
- dataplex.assets.setIamPolicy
- dataplex.content.delete
- dataplex.content.setIamPolicy
+- dataplex.dataAssets.delete
- dataplex.dataAttributeBindings.delete
- dataplex.dataAttributeBindings.setIamPolicy
- dataplex.dataAttributes.delete
- dataplex.dataAttributes.setIamPolicy
+- dataplex.dataProducts.delete
+- dataplex.dataProducts.setIamPolicy
- dataplex.dataTaxonomies.delete
- dataplex.dataTaxonomies.setIamPolicy
- dataplex.datascans.delete
@@ -477,7 +512,9 @@ permissions:
- datastore.userCreds.delete
- dns.managedZones.delete
- dns.managedZones.setIamPolicy
+- dns.policies.createTagBinding
- dns.policies.delete
+- dns.policies.deleteTagBinding
- dns.resourceRecordSets.delete
- dns.responsePolicies.delete
- dns.responsePolicyRules.delete
@@ -491,6 +528,12 @@ permissions:
- firebaseabt.experiments.delete
- firebaseappcheck.appCheckTokens.verify
- firebaseappcheck.automations.delete
+- firebaseapphosting.backends.delete
+- firebaseapphosting.builds.delete
+- firebaseapphosting.domains.delete
+- firebaseapphosting.operations.cancel
+- firebaseapphosting.operations.delete
+- firebaseapphosting.rollouts.delete
- firebaseauth.users.delete
- firebasedatabase.instances.delete
- firebasedataconnect.connectorRevisions.delete
@@ -515,6 +558,7 @@ permissions:
- firebaserules.releases.delete
- firebaserules.rulesets.delete
- firebasestorage.defaultBucket.delete
+- firebasevertexai.promptTemplates.delete
- iam.googleapis.com/workloadIdentityPoolProviderKeys.create
- iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
- iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
@@ -527,7 +571,9 @@ permissions:
- iam.googleapis.com/workloadIdentityPools.undelete
- iam.googleapis.com/workloadIdentityPools.update
- iam.roles.create
+- iam.roles.createTagBinding
- iam.roles.delete
+- iam.roles.deleteTagBinding
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccountApiKeyBindings.delete
@@ -537,6 +583,9 @@ permissions:
- iam.serviceAccounts.deleteTagBinding
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.undelete
+- iam.workloadIdentityPools.createPolicyBinding
+- iam.workloadIdentityPools.deletePolicyBinding
+- iam.workloadIdentityPools.updatePolicyBinding
- iap.tunnel.getIamPolicy
- iap.tunnel.setIamPolicy
- iap.tunnelDestGroups.delete
@@ -570,16 +619,19 @@ permissions:
- monitoring.uptimeCheckConfigs.delete
- pubsub.schemas.delete
- pubsub.schemas.setIamPolicy
+- pubsub.snapshots.createTagBinding
- pubsub.snapshots.delete
+- pubsub.snapshots.deleteTagBinding
+- pubsub.subscriptions.createTagBinding
- pubsub.subscriptions.delete
+- pubsub.subscriptions.deleteTagBinding
- pubsub.subscriptions.getIamPolicy
- pubsub.subscriptions.setIamPolicy
+- pubsub.topics.createTagBinding
- pubsub.topics.delete
+- pubsub.topics.deleteTagBinding
- pubsub.topics.getIamPolicy
- pubsub.topics.setIamPolicy
-- pubsublite.reservations.delete
-- pubsublite.subscriptions.delete
-- pubsublite.topics.delete
- redis.backupCollections.delete
- redis.backups.delete
- redis.clusters.delete
@@ -588,7 +640,10 @@ permissions:
- redis.instances.deleteTagBinding
- redis.operations.cancel
- redis.operations.delete
+- resourcemanager.projects.createPolicyBinding
+- resourcemanager.projects.deletePolicyBinding
- resourcemanager.projects.setIamPolicy
+- resourcemanager.projects.updatePolicyBinding
- resourcemanager.tagHolds.delete
- resourcemanager.tagKeys.delete
- resourcemanager.tagKeys.setIamPolicy
@@ -655,6 +710,7 @@ permissions:
- storage.managedFolders.setIamPolicy
- storage.multipartUploads.list
- storage.objects.delete
+- storage.objects.deleteContext
- storage.objects.getIamPolicy
- storage.objects.move
- storage.objects.overrideUnlockedRetention
@@ -662,6 +718,11 @@ permissions:
- storage.objects.setIamPolicy
- storage.objects.setRetention
- storage.objects.update
+- storage.objects.updateContext
+- storagebatchoperations.jobs.cancel
+- storagebatchoperations.jobs.delete
+- storagebatchoperations.operations.cancel
+- storagebatchoperations.operations.delete
- storageinsights.datasetConfigs.delete
- storageinsights.operations.cancel
- storageinsights.operations.delete
diff --git a/infra/iam/roles/beam_infra_manager.role.yaml
b/infra/iam/roles/beam_infra_manager.role.yaml
index 169bebd7fbc..ab819c1cc48 100644
--- a/infra/iam/roles/beam_infra_manager.role.yaml
+++ b/infra/iam/roles/beam_infra_manager.role.yaml
@@ -16,7 +16,7 @@
# This file is auto-generated by generate_roles.py.
# Do not edit manually.
-# This file was generated on 2025-08-11 14:34:54 UTC
+# This file was generated on 2026-01-29 22:47:50 UTC
description: This is the beam_infra_manager role
permissions:
@@ -55,9 +55,11 @@ permissions:
- bigquery.connections.create
- bigquery.connections.update
- bigquery.connections.updateTag
+- bigquery.dataPolicies.attach
- bigquery.dataPolicies.create
- bigquery.dataPolicies.update
- bigquery.datasets.updateTag
+- bigquery.jobs.createGlobalQuery
- bigquery.models.create
- bigquery.models.updateData
- bigquery.models.updateMetadata
@@ -118,6 +120,11 @@ permissions:
- cloudkms.importJobs.useToImport
- cloudkms.kajPolicyConfigs.update
- cloudkms.keyRings.create
+- cloudkms.singleTenantHsmInstanceProposals.approve
+- cloudkms.singleTenantHsmInstanceProposals.create
+- cloudkms.singleTenantHsmInstanceProposals.execute
+- cloudkms.singleTenantHsmInstances.create
+- cloudkms.singleTenantHsmInstances.use
- cloudsql.backupRuns.create
- cloudsql.backupRuns.update
- cloudsql.databases.create
@@ -128,7 +135,6 @@ permissions:
- cloudsql.instances.connect
- cloudsql.instances.create
- cloudsql.instances.demoteMaster
-- cloudsql.instances.executeSql
- cloudsql.instances.failover
- cloudsql.instances.import
- cloudsql.instances.migrate
@@ -180,6 +186,7 @@ permissions:
- compute.disks.stopAsyncReplication
- compute.disks.stopGroupAsyncReplication
- compute.disks.update
+- compute.disks.updateKmsKey
- compute.disks.use
- compute.externalVpnGateways.create
- compute.externalVpnGateways.setLabels
@@ -275,6 +282,8 @@ permissions:
- compute.instances.updateShieldedInstanceConfig
- compute.instances.updateShieldedVmConfig
- compute.instances.use
+- compute.instantSnapshotGroups.create
+- compute.instantSnapshotGroups.useReadOnly
- compute.instantSnapshots.create
- compute.instantSnapshots.export
- compute.instantSnapshots.setLabels
@@ -299,6 +308,7 @@ permissions:
- compute.networks.create
- compute.networks.mirror
- compute.networks.setFirewallPolicy
+- compute.networks.setNetworkPolicy
- compute.networks.updatePeering
- compute.networks.updatePolicy
- compute.networks.use
@@ -323,28 +333,42 @@ permissions:
- compute.publicAdvertisedPrefixes.create
- compute.publicAdvertisedPrefixes.update
- compute.publicAdvertisedPrefixes.updatePolicy
+- compute.publicDelegatedPrefixes.announce
- compute.publicDelegatedPrefixes.create
- compute.publicDelegatedPrefixes.update
- compute.publicDelegatedPrefixes.updatePolicy
- compute.publicDelegatedPrefixes.use
+- compute.publicDelegatedPrefixes.withdraw
+- compute.regionBackendBuckets.create
+- compute.regionBackendBuckets.update
+- compute.regionBackendBuckets.use
- compute.regionBackendServices.create
- compute.regionBackendServices.setSecurityPolicy
- compute.regionBackendServices.update
- compute.regionBackendServices.use
+- compute.regionCompositeHealthChecks.create
+- compute.regionCompositeHealthChecks.update
- compute.regionFirewallPolicies.cloneRules
- compute.regionFirewallPolicies.create
- compute.regionFirewallPolicies.update
- compute.regionFirewallPolicies.use
+- compute.regionHealthAggregationPolicies.create
+- compute.regionHealthAggregationPolicies.update
- compute.regionHealthCheckServices.create
- compute.regionHealthCheckServices.update
- compute.regionHealthCheckServices.use
- compute.regionHealthChecks.create
- compute.regionHealthChecks.update
- compute.regionHealthChecks.use
+- compute.regionHealthSources.create
+- compute.regionHealthSources.update
- compute.regionNetworkEndpointGroups.attachNetworkEndpoints
- compute.regionNetworkEndpointGroups.create
- compute.regionNetworkEndpointGroups.detachNetworkEndpoints
- compute.regionNetworkEndpointGroups.use
+- compute.regionNetworkPolicies.create
+- compute.regionNetworkPolicies.update
+- compute.regionNetworkPolicies.use
- compute.regionNotificationEndpoints.create
- compute.regionNotificationEndpoints.update
- compute.regionNotificationEndpoints.use
@@ -371,6 +395,7 @@ permissions:
- compute.regionUrlMaps.use
- compute.reservationBlocks.performMaintenance
- compute.reservationSubBlocks.performMaintenance
+- compute.reservationSubBlocks.reportFaulty
- compute.reservations.create
- compute.reservations.performMaintenance
- compute.reservations.resize
@@ -378,6 +403,7 @@ permissions:
- compute.resourcePolicies.create
- compute.resourcePolicies.update
- compute.resourcePolicies.use
+- compute.rolloutPlans.create
- compute.routers.create
- compute.routers.deleteRoutePolicy
- compute.routers.update
@@ -391,6 +417,7 @@ permissions:
- compute.snapshotSettings.update
- compute.snapshots.create
- compute.snapshots.setLabels
+- compute.snapshots.updateKmsKey
- compute.sslCertificates.create
- compute.storagePools.create
- compute.storagePools.update
@@ -441,6 +468,8 @@ permissions:
- compute.targetTcpProxies.use
- compute.targetVpnGateways.create
- compute.targetVpnGateways.use
+- compute.vmExtensionPolicies.create
+- compute.vmExtensionPolicies.update
- compute.vpnGateways.create
- compute.vpnGateways.setLabels
- compute.vpnGateways.use
@@ -485,10 +514,18 @@ permissions:
- dataform.comments.update
- dataform.compilationResults.create
- dataform.config.update
+- dataform.folders.addContents
+- dataform.folders.move
+- dataform.folders.update
- dataform.releaseConfigs.create
- dataform.releaseConfigs.update
- dataform.repositories.commit
+- dataform.repositories.move
+- dataform.repositories.scheduleRelease
+- dataform.repositories.scheduleWorkflow
- dataform.repositories.update
+- dataform.teamFolders.create
+- dataform.teamFolders.update
- dataform.workflowConfigs.create
- dataform.workflowConfigs.update
- dataform.workflowInvocations.create
@@ -511,11 +548,15 @@ permissions:
- dataplex.assets.update
- dataplex.content.create
- dataplex.content.update
+- dataplex.dataAssets.create
+- dataplex.dataAssets.update
- dataplex.dataAttributeBindings.create
- dataplex.dataAttributeBindings.update
- dataplex.dataAttributes.bind
- dataplex.dataAttributes.create
- dataplex.dataAttributes.update
+- dataplex.dataProducts.create
+- dataplex.dataProducts.update
- dataplex.dataTaxonomies.configureDataAccess
- dataplex.dataTaxonomies.configureResourceAccess
- dataplex.dataTaxonomies.create
@@ -532,13 +573,18 @@ permissions:
- dataplex.entryGroups.import
- dataplex.entryGroups.update
- dataplex.entryGroups.useContactsAspect
+- dataplex.entryGroups.useDataProfileAspect
- dataplex.entryGroups.useDataQualityScorecardAspect
- dataplex.entryGroups.useDefinitionEntryLink
+- dataplex.entryGroups.useDescriptionsAspect
- dataplex.entryGroups.useGenericAspect
- dataplex.entryGroups.useGenericEntry
- dataplex.entryGroups.useOverviewAspect
+- dataplex.entryGroups.useQueriesAspect
+- dataplex.entryGroups.useRefreshCadenceAspect
- dataplex.entryGroups.useRelatedEntryLink
- dataplex.entryGroups.useSchemaAspect
+- dataplex.entryGroups.useStorageAspect
- dataplex.entryGroups.useSynonymEntryLink
- dataplex.entryLinks.create
- dataplex.entryLinks.reference
@@ -574,6 +620,7 @@ permissions:
- dataproc.batches.create
- dataproc.batches.sparkApplicationWrite
- dataproc.clusters.create
+- dataproc.clusters.repair
- dataproc.clusters.start
- dataproc.clusters.update
- dataproc.clusters.use
@@ -646,6 +693,15 @@ permissions:
- firebaseappdistro.groups.update
- firebaseappdistro.releases.update
- firebaseappdistro.testers.update
+- firebaseapphosting.backends.create
+- firebaseapphosting.backends.update
+- firebaseapphosting.builds.create
+- firebaseapphosting.builds.update
+- firebaseapphosting.domains.create
+- firebaseapphosting.domains.update
+- firebaseapphosting.rollouts.create
+- firebaseapphosting.rollouts.update
+- firebaseapphosting.traffic.update
- firebaseauth.configs.create
- firebaseauth.configs.getHashConfig
- firebaseauth.configs.getSecret
@@ -663,6 +719,8 @@ permissions:
- firebasedatabase.instances.undelete
- firebasedatabase.instances.update
- firebasedataconnect.connectors.create
+- firebasedataconnect.connectors.impersonateMutation
+- firebasedataconnect.connectors.impersonateQuery
- firebasedataconnect.connectors.update
- firebasedataconnect.schemas.create
- firebasedataconnect.schemas.update
@@ -697,6 +755,8 @@ permissions:
- firebasestorage.buckets.removeFirebase
- firebasestorage.defaultBucket.create
- firebasevertexai.configs.update
+- firebasevertexai.promptTemplates.create
+- firebasevertexai.promptTemplates.update
- iam.serviceAccountApiKeyBindings.create
- iam.serviceAccountApiKeyBindings.undelete
- iam.serviceAccountKeys.create
@@ -743,21 +803,12 @@ permissions:
- pubsub.topics.publish
- pubsub.topics.update
- pubsub.topics.updateTag
-- pubsublite.reservations.attachTopic
-- pubsublite.reservations.create
-- pubsublite.reservations.update
-- pubsublite.subscriptions.create
-- pubsublite.subscriptions.seek
-- pubsublite.subscriptions.setCursor
-- pubsublite.subscriptions.update
-- pubsublite.topics.create
-- pubsublite.topics.publish
-- pubsublite.topics.update
- redis.backupCollections.create
- redis.backups.create
- redis.clusters.backup
- redis.clusters.connect
- redis.clusters.create
+- redis.clusters.rescheduleMaintenance
- redis.clusters.update
- redis.instances.create
- redis.instances.export
@@ -789,6 +840,9 @@ permissions:
- servicemanagement.services.quota
- servicemanagement.services.report
- servicemanagement.services.update
+- serviceusage.consumerpolicy.update
+- serviceusage.contentsecuritypolicy.update
+- serviceusage.mcppolicy.update
- serviceusage.services.disable
- serviceusage.services.enable
- serviceusage.services.use
@@ -828,8 +882,10 @@ permissions:
- storage.multipartUploads.create
- storage.multipartUploads.listParts
- storage.objects.create
+- storage.objects.createContext
- storage.objects.get
- storage.objects.list
+- storagebatchoperations.jobs.create
- storageinsights.datasetConfigs.create
- storageinsights.datasetConfigs.linkDataset
- storageinsights.datasetConfigs.unlinkDataset
diff --git a/infra/iam/roles/beam_viewer.role.yaml
b/infra/iam/roles/beam_viewer.role.yaml
index 0525fda0956..2d761a495b1 100644
--- a/infra/iam/roles/beam_viewer.role.yaml
+++ b/infra/iam/roles/beam_viewer.role.yaml
@@ -16,7 +16,7 @@
# This file is auto-generated by generate_roles.py.
# Do not edit manually.
-# This file was generated on 2025-08-11 14:34:54 UTC
+# This file was generated on 2026-01-29 22:47:50 UTC
description: This is the beam_viewer role
permissions:
@@ -39,6 +39,7 @@ permissions:
- artifactregistry.pythonpackages.get
- artifactregistry.pythonpackages.list
- artifactregistry.repositories.downloadArtifacts
+- artifactregistry.repositories.exportArtifacts
- artifactregistry.repositories.get
- artifactregistry.repositories.getIamPolicy
- artifactregistry.repositories.list
@@ -250,6 +251,7 @@ permissions:
- cloudsql.instances.listServerCas
- cloudsql.instances.listServerCertificates
- cloudsql.instances.listTagBindings
+- cloudsql.instances.preCheckMajorVersionUpgrade
- cloudsql.schemas.view
- cloudsql.sslCerts.get
- cloudsql.sslCerts.list
@@ -370,9 +372,14 @@ permissions:
- compute.instances.listReferrers
- compute.instances.listTagBindings
- compute.instances.useReadOnly
+- compute.instantSnapshotGroups.get
+- compute.instantSnapshotGroups.getIamPolicy
+- compute.instantSnapshotGroups.list
- compute.instantSnapshots.get
- compute.instantSnapshots.getIamPolicy
- compute.instantSnapshots.list
+- compute.instantSnapshots.listEffectiveTags
+- compute.instantSnapshots.listTagBindings
- compute.instantSnapshots.useReadOnly
- compute.interconnectAttachmentGroups.get
- compute.interconnectAttachmentGroups.list
@@ -387,9 +394,13 @@ permissions:
- compute.licenseCodes.getIamPolicy
- compute.licenses.get
- compute.licenses.getIamPolicy
+- compute.licenses.listEffectiveTags
+- compute.licenses.listTagBindings
- compute.machineImages.get
- compute.machineImages.getIamPolicy
- compute.machineImages.list
+- compute.machineImages.listEffectiveTags
+- compute.machineImages.listTagBindings
- compute.machineImages.useReadOnly
- compute.machineTypes.get
- compute.machineTypes.list
@@ -441,16 +452,25 @@ permissions:
- compute.publicDelegatedPrefixes.list
- compute.publicDelegatedPrefixes.listEffectiveTags
- compute.publicDelegatedPrefixes.listTagBindings
+- compute.regionBackendBuckets.get
+- compute.regionBackendBuckets.getIamPolicy
+- compute.regionBackendBuckets.list
+- compute.regionBackendBuckets.listEffectiveTags
+- compute.regionBackendBuckets.listTagBindings
- compute.regionBackendServices.get
- compute.regionBackendServices.getIamPolicy
- compute.regionBackendServices.list
- compute.regionBackendServices.listEffectiveTags
- compute.regionBackendServices.listTagBindings
+- compute.regionCompositeHealthChecks.get
+- compute.regionCompositeHealthChecks.list
- compute.regionFirewallPolicies.get
- compute.regionFirewallPolicies.getIamPolicy
- compute.regionFirewallPolicies.list
- compute.regionFirewallPolicies.listEffectiveTags
- compute.regionFirewallPolicies.listTagBindings
+- compute.regionHealthAggregationPolicies.get
+- compute.regionHealthAggregationPolicies.list
- compute.regionHealthCheckServices.get
- compute.regionHealthCheckServices.list
- compute.regionHealthChecks.get
@@ -458,10 +478,14 @@ permissions:
- compute.regionHealthChecks.listEffectiveTags
- compute.regionHealthChecks.listTagBindings
- compute.regionHealthChecks.useReadOnly
+- compute.regionHealthSources.get
+- compute.regionHealthSources.list
- compute.regionNetworkEndpointGroups.get
- compute.regionNetworkEndpointGroups.list
- compute.regionNetworkEndpointGroups.listEffectiveTags
- compute.regionNetworkEndpointGroups.listTagBindings
+- compute.regionNetworkPolicies.get
+- compute.regionNetworkPolicies.list
- compute.regionNotificationEndpoints.get
- compute.regionNotificationEndpoints.list
- compute.regionOperations.get
@@ -504,10 +528,16 @@ permissions:
- compute.reservationSubBlocks.list
- compute.reservations.get
- compute.reservations.list
+- compute.reservations.listEffectiveTags
+- compute.reservations.listTagBindings
- compute.resourcePolicies.get
- compute.resourcePolicies.getIamPolicy
- compute.resourcePolicies.list
- compute.resourcePolicies.useReadOnly
+- compute.rolloutPlans.get
+- compute.rolloutPlans.list
+- compute.rollouts.get
+- compute.rollouts.list
- compute.routers.get
- compute.routers.getRoutePolicy
- compute.routers.list
@@ -543,6 +573,8 @@ permissions:
- compute.storagePools.get
- compute.storagePools.getIamPolicy
- compute.storagePools.list
+- compute.storagePools.listEffectiveTags
+- compute.storagePools.listTagBindings
- compute.subnetworks.get
- compute.subnetworks.getIamPolicy
- compute.subnetworks.list
@@ -582,6 +614,8 @@ permissions:
- compute.targetVpnGateways.listTagBindings
- compute.urlMaps.listEffectiveTags
- compute.urlMaps.listTagBindings
+- compute.vmExtensionPolicies.get
+- compute.vmExtensionPolicies.list
- compute.vpnGateways.get
- compute.vpnGateways.list
- compute.vpnGateways.listEffectiveTags
@@ -840,6 +874,8 @@ permissions:
- dns.managedZones.list
- dns.policies.get
- dns.policies.list
+- dns.policies.listEffectiveTags
+- dns.policies.listTagBindings
- dns.projects.get
- dns.resourceRecordSets.get
- dns.resourceRecordSets.list
@@ -873,6 +909,19 @@ permissions:
- firebaseappdistro.groups.list
- firebaseappdistro.releases.list
- firebaseappdistro.testers.list
+- firebaseapphosting.backends.get
+- firebaseapphosting.backends.list
+- firebaseapphosting.builds.get
+- firebaseapphosting.builds.list
+- firebaseapphosting.domains.get
+- firebaseapphosting.domains.list
+- firebaseapphosting.locations.get
+- firebaseapphosting.locations.list
+- firebaseapphosting.operations.get
+- firebaseapphosting.operations.list
+- firebaseapphosting.rollouts.get
+- firebaseapphosting.rollouts.list
+- firebaseapphosting.traffic.get
- firebaseauth.configs.get
- firebaseauth.users.get
- firebasecrash.reports.get
@@ -896,6 +945,7 @@ permissions:
- firebasedataconnect.schemas.get
- firebasedataconnect.schemas.list
- firebasedataconnect.services.get
+- firebasedataconnect.services.introspectGraphql
- firebasedataconnect.services.list
- firebasedynamiclinks.destinations.list
- firebasedynamiclinks.domains.get
@@ -928,6 +978,8 @@ permissions:
- firebasestorage.buckets.list
- firebasestorage.defaultBucket.get
- firebasevertexai.configs.get
+- firebasevertexai.promptTemplates.get
+- firebasevertexai.promptTemplates.list
- iam.denypolicies.get
- iam.denypolicies.list
- iam.googleapis.com/oauthClientCredentials.get
@@ -940,8 +992,15 @@ permissions:
- iam.googleapis.com/workloadIdentityPoolProviders.list
- iam.googleapis.com/workloadIdentityPools.get
- iam.googleapis.com/workloadIdentityPools.list
+- iam.policybindings.get
+- iam.policybindings.list
+- iam.principalaccessboundarypolicies.get
+- iam.principalaccessboundarypolicies.list
+- iam.principalaccessboundarypolicies.searchPolicyBindings
- iam.roles.get
- iam.roles.list
+- iam.roles.listEffectiveTags
+- iam.roles.listTagBindings
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- iam.serviceAccounts.get
@@ -949,12 +1008,15 @@ permissions:
- iam.serviceAccounts.list
- iam.serviceAccounts.listEffectiveTags
- iam.serviceAccounts.listTagBindings
+- iam.workloadIdentityPools.searchPolicyBindings
- iap.tunnelDestGroups.get
- iap.tunnelDestGroups.list
- monitoring.alertPolicies.get
- monitoring.alertPolicies.list
- monitoring.alertPolicies.listEffectiveTags
- monitoring.alertPolicies.listTagBindings
+- monitoring.alerts.get
+- monitoring.alerts.list
- monitoring.dashboards.get
- monitoring.dashboards.list
- monitoring.dashboards.listEffectiveTags
@@ -982,28 +1044,16 @@ permissions:
- pubsub.schemas.listRevisions
- pubsub.schemas.validate
- pubsub.snapshots.list
+- pubsub.snapshots.listEffectiveTags
+- pubsub.snapshots.listTagBindings
- pubsub.subscriptions.get
- pubsub.subscriptions.list
+- pubsub.subscriptions.listEffectiveTags
+- pubsub.subscriptions.listTagBindings
- pubsub.topics.get
- pubsub.topics.list
-- pubsublite.locations.openKafkaStream
-- pubsublite.operations.get
-- pubsublite.operations.list
-- pubsublite.reservations.get
-- pubsublite.reservations.list
-- pubsublite.reservations.listTopics
-- pubsublite.subscriptions.get
-- pubsublite.subscriptions.getCursor
-- pubsublite.subscriptions.list
-- pubsublite.subscriptions.subscribe
-- pubsublite.topics.computeHeadCursor
-- pubsublite.topics.computeMessageStats
-- pubsublite.topics.computeTimeCursor
-- pubsublite.topics.get
-- pubsublite.topics.getPartitions
-- pubsublite.topics.list
-- pubsublite.topics.listSubscriptions
-- pubsublite.topics.subscribe
+- pubsub.topics.listEffectiveTags
+- pubsub.topics.listTagBindings
- redis.backupCollections.get
- redis.backupCollections.list
- redis.backups.export
@@ -1023,6 +1073,7 @@ permissions:
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
+- resourcemanager.projects.searchPolicyBindings
- resourcemanager.tagHolds.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
@@ -1041,8 +1092,18 @@ permissions:
- secretmanager.versions.list
- servicemanagement.services.get
- servicemanagement.services.list
+- serviceusage.consumerpolicy.analyze
+- serviceusage.consumerpolicy.get
+- serviceusage.contentsecuritypolicy.get
+- serviceusage.effectivemcppolicy.get
+- serviceusage.effectivepolicy.get
+- serviceusage.groups.list
+- serviceusage.groups.listExpandedMembers
+- serviceusage.groups.listMembers
+- serviceusage.mcppolicy.get
- serviceusage.services.get
- serviceusage.services.list
+- serviceusage.values.test
- spanner.backupOperations.get
- spanner.backupOperations.list
- spanner.backupSchedules.get
@@ -1085,11 +1146,20 @@ permissions:
- storage.buckets.list
- storage.buckets.listEffectiveTags
- storage.buckets.listTagBindings
+- storage.buckets.viewIntelligenceDetails
- storage.folders.get
- storage.folders.list
- storage.hmacKeys.get
- storage.hmacKeys.list
- storage.intelligenceConfigs.get
+- storagebatchoperations.bucketOperations.get
+- storagebatchoperations.bucketOperations.list
+- storagebatchoperations.jobs.get
+- storagebatchoperations.jobs.list
+- storagebatchoperations.locations.get
+- storagebatchoperations.locations.list
+- storagebatchoperations.operations.get
+- storagebatchoperations.operations.list
- storageinsights.datasetConfigs.get
- storageinsights.datasetConfigs.list
- storageinsights.locations.get
diff --git a/infra/iam/roles/beam_writer.role.yaml
b/infra/iam/roles/beam_writer.role.yaml
index 947757b0d6d..45464465e81 100644
--- a/infra/iam/roles/beam_writer.role.yaml
+++ b/infra/iam/roles/beam_writer.role.yaml
@@ -16,7 +16,7 @@
# This file is auto-generated by generate_roles.py.
# Do not edit manually.
-# This file was generated on 2025-08-11 15:53:17 UTC
+# This file was generated on 2026-01-29 22:47:50 UTC
description: This is the beam_writer role
permissions:
@@ -56,6 +56,12 @@ permissions:
- cloudkms.projects.showEffectiveAutokeyConfig
- cloudkms.projects.showEffectiveKajEnrollmentConfig
- cloudkms.projects.showEffectiveKajPolicyConfig
+- cloudkms.protectedResources.search
+- cloudkms.singleTenantHsmInstanceProposals.get
+- cloudkms.singleTenantHsmInstanceProposals.list
+- cloudkms.singleTenantHsmInstances.get
+- cloudkms.singleTenantHsmInstances.list
+- cloudsql.instances.executeSql
- cloudsql.instances.login
- container.apiServices.create
- container.apiServices.update
@@ -205,8 +211,14 @@ permissions:
- dataform.compilationResults.list
- dataform.compilationResults.query
- dataform.config.get
+- dataform.folders.create
+- dataform.folders.get
+- dataform.folders.getIamPolicy
+- dataform.folders.queryContents
- dataform.locations.get
- dataform.locations.list
+- dataform.operations.get
+- dataform.operations.list
- dataform.releaseConfigs.get
- dataform.releaseConfigs.list
- dataform.repositories.computeAccessTokenStatus
@@ -218,6 +230,8 @@ permissions:
- dataform.repositories.list
- dataform.repositories.queryDirectoryContents
- dataform.repositories.readFile
+- dataform.teamFolders.get
+- dataform.teamFolders.getIamPolicy
- dataform.workflowConfigs.get
- dataform.workflowConfigs.list
- dataform.workflowInvocations.get
@@ -242,12 +256,17 @@ permissions:
- dataplex.content.get
- dataplex.content.getIamPolicy
- dataplex.content.list
+- dataplex.dataAssets.get
+- dataplex.dataAssets.list
- dataplex.dataAttributeBindings.get
- dataplex.dataAttributeBindings.getIamPolicy
- dataplex.dataAttributeBindings.list
- dataplex.dataAttributes.get
- dataplex.dataAttributes.getIamPolicy
- dataplex.dataAttributes.list
+- dataplex.dataProducts.get
+- dataplex.dataProducts.getIamPolicy
+- dataplex.dataProducts.list
- dataplex.dataTaxonomies.get
- dataplex.dataTaxonomies.getIamPolicy
- dataplex.dataTaxonomies.list
@@ -258,6 +277,7 @@ permissions:
- dataplex.entities.get
- dataplex.entities.list
- dataplex.entries.get
+- dataplex.entries.getData
- dataplex.entries.list
- dataplex.entryGroups.export
- dataplex.entryGroups.get
diff --git a/infra/iam/roles/roles_config.yaml
b/infra/iam/roles/roles_config.yaml
index 1e94cdc2ccb..453a3b07d97 100644
--- a/infra/iam/roles/roles_config.yaml
+++ b/infra/iam/roles/roles_config.yaml
@@ -52,7 +52,7 @@ roles:
- iap
- meshconfig
- monitoring
- - pubsub
+ - pubsub. # TODO: Remove '.' after Pubsublite GCP service is fully
deprecated.
- redis
- resourcemanager
- secretmanager
diff --git
a/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml
b/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml
index ef4cbdb5ba0..f79bb6cf3bf 100644
--- a/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml
+++ b/sdks/java/build-tools/src/main/resources/beam/checkstyle/suppressions.xml
@@ -43,7 +43,6 @@
<suppress id="ForbidNonVendoredGuava"
files=".*bigtable.*BigtableServiceImplTest\.java" />
<suppress id="ForbidNonVendoredGuava" files=".*sql.*BeamValuesRel\.java" />
<suppress id="ForbidNonVendoredGuava"
files=".*sql.*BeamEnumerableConverterTest\.java" />
- <suppress id="ForbidNonVendoredGuava"
files=".*pubsublite.*BufferingPullSubscriberTest\.java" />
<suppress id="ForbidNonVendoredGuava" files=".*cdap.*Plugin\.java" />
<suppress id="ForbidNonVendoredGuava"
files=".*cdap.*PluginConfigInstantiationUtils\.java" />
<suppress id="ForbidNonVendoredGuava" files=".*cdap.*Plugin\.java" />
@@ -69,7 +68,6 @@
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*google.*cloud.*spanner.*FakeBatchTransactionId\.java" />
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*google.*cloud.*spanner.*FakePartitionFactory\.java" />
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*extensions.*sql.*datastore.*" />
- <suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*extensions.*sql.*pubsublite.RowHandler.*" />
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*extensions.*sql.*ProtoPayloadSerializerProvider.*" />
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*datacatalog.*DataCatalogTableProvider\.java" />
<suppress id="ForbidNonVendoredGrpcProtobuf"
files=".*examples.*datatokenization.*BigTableIO\.java" />
