CustomRole.yaml
# This was retroactively put together to match a role that is already in
# production. It's not entirely clear why it was built this way, for example
# why all of the permission exclusions from roles/billing.viewer
#
# TODO: CustomRole is a brittle name, we should migrate to a better named role
title: Billing Viewer
description: View access to billing info
name: CustomRole
include:
  roles:
    - roles/billing.viewer
    - roles/browser
  permissions:
    # not sure what role this permission comes from
    - billing.resourceCosts.get
exclude:
  permissionRegexes:
    # unclear why the exclusion of billing.account.* except getSpendingInformation
    - ^billing.accounts.get$
    - ^billing.accounts.getPaymentInfo
    - ^billing.accounts.getUsageExportSpec
    - ^billing.accounts.list
    # unclear if these were intentionally excluded
    - ^consumerprocurement.
    - ^dataprocessing.
    - ^recommender.
    # we may want to allow these two for org hierarchy navigation
    - ^resourcemanager.folders.
    - ^resourcemanager.organizations.
    - getIamPolicy$
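
An added example, not part of the repository: a short Python audit that runs the exclusion patterns above over a constructed permission list and reports which pattern removes each permission. It assumes the role tooling applies each regex as an unanchored search; `first_match`, `audit` and the sample permission list are hypothetical names introduced here.

```python
import re

# Exclusion patterns copied from exclude.permissionRegexes in CustomRole.yaml.
EXCLUDE_REGEXES = [
    r"^billing.accounts.get$",
    r"^billing.accounts.getPaymentInfo",
    r"^billing.accounts.getUsageExportSpec",
    r"^billing.accounts.list",
    r"^consumerprocurement.",
    r"^dataprocessing.",
    r"^recommender.",
    r"^resourcemanager.folders.",
    r"^resourcemanager.organizations.",
    r"getIamPolicy$",
]

# Constructed sample input: NOT the real expansion of roles/billing.viewer
# and roles/browser, only names chosen to exercise the patterns.
SAMPLE_PERMISSIONS = [
    "billing.accounts.get",
    "billing.accounts.getSpendingInformation",
    "billing.accounts.getPaymentInfo",
    "billing.accounts.getIamPolicy",
    "billing.resourceCosts.get",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.folders.get",
    "recommender.locations.get",
]

def first_match(permission, patterns=EXCLUDE_REGEXES):
    """Return the first pattern that excludes `permission`, or None."""
    # Assumption: unanchored search semantics, which is why the spec
    # carries its own ^ and $ anchors.
    for pattern in patterns:
        if re.search(pattern, permission):
            return pattern
    return None

def audit(permissions, patterns=EXCLUDE_REGEXES):
    """Split permissions into (kept list, {excluded permission: pattern})."""
    kept, excluded = [], {}
    for perm in permissions:
        hit = first_match(perm, patterns)
        if hit is None:
            kept.append(perm)
        else:
            excluded[perm] = hit
    return kept, excluded
```

Calling `audit(SAMPLE_PERMISSIONS)` shows that `getIamPolicy$`, having no `^` anchor, removes `getIamPolicy` for every service, while the `$` on `^billing.accounts.get$` is what lets `billing.accounts.getSpendingInformation` through.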