OSDOCS-16649:Added permissions to required roles table in OSD WIF docs.

AedinC · AedinC · commit acd9db815a11 · 2025-11-03T09:47:34.000Z
diff --git a/modules/ccs-gcp-customer-procedure-wif.adoc b/modules/ccs-gcp-customer-procedure-wif.adoc
@@ -18,27 +18,90 @@ The following roles are only required when creating, updating, or deleting WIF c
 ====
 +
 .Required roles
-[cols="2a,3a,3a",options="header"]
-
+[cols="5a,3a,5a",options="header"]
 |===
 
-|Role|Console role name|Role purpose
+|Role and description|Console role name|Permissions
+
+|Role Admin
+
+Required by the {gcp-short} client in the OCM CLI for creating custom role.
 
-|Role Administrator
 |`roles/iam.roleAdmin`
-|Required by the {gcp-short} client in the OCM CLI for creating custom roles.
+|* iam.roles.create
+* iam.roles.delete
+* iam.roles.get
+* iam.roles.list
+* iam.roles.undelete
+* iam.roles.update
+* resourcemanager.projects.get
+* resourcemanager.projects.getIamPolicy
 
 |Service Account Admin
+
+Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
 |`roles/iam.serviceAccountAdmin`
-|Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
+|* iam.serviceAccountApiKeyBindings.create
+* iam.serviceAccountApiKeyBindings.delete
+* iam.serviceAccountApiKeyBindings.undelete
+* iam.serviceAccounts.create
+* iam.serviceAccounts.createTagBinding
+* iam.serviceAccounts.delete
+* iam.serviceAccounts.deleteTagBinding
+* iam.serviceAccounts.disable
+* iam.serviceAccounts.enable
+* iam.serviceAccounts.get
+* iam.serviceAccounts.getIamPolicy
+* iam.serviceAccounts.list
+* iam.serviceAccounts.listEffectiveTags
+* iam.serviceAccounts.listTagBindings
+* iam.serviceAccounts.setIamPolicy
+* iam.serviceAccounts.undelete
+* iam.serviceAccounts.update
+* resourcemanager.projects.get
+* resourcemanager.projects.list
 
 |Workload Identity Pool Admin
+
+Required to create and configure the workload identity pool.
 |`roles/iam.workloadIdentityPoolAdmin`
-|Required to create and configure the workload identity pool.
+|* iam.googleapis.com/workloadIdentityPoolProviderKeys.create
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.get
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.list
+* iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
+* iam.googleapis.com/workloadIdentityPoolProviders.create
+* iam.googleapis.com/workloadIdentityPoolProviders.delete
+* iam.googleapis.com/workloadIdentityPoolProviders.get
+* iam.googleapis.com/workloadIdentityPoolProviders.list
+* iam.googleapis.com/workloadIdentityPoolProviders.undelete
+* iam.googleapis.com/workloadIdentityPoolProviders.update
+* iam.googleapis.com/workloadIdentityPools.create
+* iam.googleapis.com/workloadIdentityPools.delete
+* iam.googleapis.com/workloadIdentityPools.get
+* iam.googleapis.com/workloadIdentityPools.list
+* iam.googleapis.com/workloadIdentityPools.undelete
+* iam.googleapis.com/workloadIdentityPools.update
+* iam.workloadIdentityPools.createPolicyBinding
+* iam.workloadIdentityPools.deletePolicyBinding
+* iam.workloadIdentityPools.searchPolicyBindings
+* iam.workloadIdentityPools.updatePolicyBinding
+* resourcemanager.projects.get
+* resourcemanager.projects.list
 
 |Project IAM Admin
+
+Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
 |`roles/resourcemanager.projectIamAdmin`
-|Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
+|* iam.policybindings.get
+* iam.policybindings.list
+* resourcemanager.projects.createPolicyBinding
+* resourcemanager.projects.deletePolicyBinding
+* resourcemanager.projects.get
+* resourcemanager.projects.getIamPolicy
+* resourcemanager.projects.searchPolicyBindings
+* resourcemanager.projects.setIamPolicy
+* resourcemanager.projects.updatePolicyBinding
 
 |===
 
