{
  "iam": {
    "CredentialExposure": [
      "bigquery.connections.get",
      "cloudfunctions.functions.create",
      "cloudfunctions.functions.sourceCodeSet",
      "cloudfunctions.functions.update",
      "compute.instances.create",
      "compute.instances.osAdminLogin",
      "iam.serviceAccountKeys.create"
    ],
    "DataAccess": [
      "appengine.instances.enableDebug",
      "appengine.memcache.get",
      "appengine.memcache.getKey",
      "appengine.memcache.list",
      "bigquery.connections.use",
      "bigquery.models.export",
      "bigquery.models.getData",
      "bigquery.rowAccessPolicies.getFilteredData",
      "bigquery.rowAccessPolicies.overrideTimeTravelRestrictions",
      "bigquery.tables.export",
      "bigquery.tables.getData",
      "cloudfunctions.functions.call",
      "cloudfunctions.functions.create",
      "cloudfunctions.functions.invoke",
      "cloudfunctions.functions.sourceCodeSet",
      "cloudfunctions.functions.update",
      "compute.images.create",
      "compute.instances.getGuestAttributes",
      "compute.instances.getScreenshot",
      "compute.instances.getSerialPortOutput",
      "compute.instances.osAdminLogin",
      "compute.instances.osLogin",
      "container.deployments.create",
      "container.deployments.update",
      "container.jobs.create",
      "container.jobs.update",
      "container.pods.create",
      "container.replicaSets.create",
      "container.replicaSets.update",
      "container.services.proxy",
      "container.statefulSets.create",
      "container.statefulSets.update",
      "datastore.entities.get",
      "pubsub.snapshots.seek",
      "pubsub.subscriptions.consume",
      "pubsub.topics.attachSubscription",
      "storage.objects.get"
    ],
    "PrivEsc": [
      "bigquery.connections.setIamPolicy",
      "bigquery.dataPolicies.setIamPolicy",
      "bigquery.datasets.createTagBinding",
      "bigquery.datasets.deleteTagBinding",
      "bigquery.datasets.setIamPolicy",
      "bigquery.datasets.updateTag",
      "bigquery.rowAccessPolicies.setIamPolicy",
      "bigquery.tables.setCategory",
      "bigquery.tables.setIamPolicy",
      "bigquery.tables.updateTag",
      "billing.accounts.setIamPolicy",
      "cloudbuild.builds.create",
      "cloudbuild.connections.setIamPolicy",
      "cloudfunctions.functions.setIamPolicy",
      "compute.backendBuckets.addSignedUrlKey",
      "compute.backendBuckets.setIamPolicy",
      "compute.backendBuckets.setSecurityPolicy",
      "compute.backendBuckets.update",
      "compute.backendServices.addSignedUrlKey",
      "compute.backendServices.setIamPolicy",
      "compute.backendServices.setSecurityPolicy",
      "compute.backendServices.update",
      "compute.disks.createTagBinding",
      "compute.disks.deleteTagBinding",
      "compute.disks.setIamPolicy",
      "compute.firewallPolicies.setIamPolicy",
      "compute.globalNetworkEndpointGroups.setIamPolicy",
      "compute.images.createTagBinding",
      "compute.images.deleteTagBinding",
      "compute.images.setIamPolicy",
      "compute.instances.addAccessConfig",
      "compute.instances.createTagBinding",
      "compute.instances.deleteTagBinding",
      "compute.instances.setIamPolicy",
      "compute.instances.updateAccessConfig",
      "compute.instances.updateNetworkInterface",
      "compute.instances.use",
      "compute.instances.useReadOnly",
      "compute.networkEndpointGroups.setIamPolicy",
      "container.clusterRoleBindings.create",
      "container.clusterRoleBindings.update",
      "container.clusterRoles.bind",
      "container.clusterRoles.escalate",
      "container.clusterRoles.update",
      "container.clusters.createTagBinding",
      "container.clusters.deleteTagBinding",
      "container.nodes.proxy",
      "container.pods.exec",
      "container.roleBindings.create",
      "container.roleBindings.update",
      "container.roles.bind",
      "container.roles.escalate",
      "container.roles.update",
      "container.secrets.get",
      "container.secrets.list",
      "container.serviceAccounts.createToken",
      "dns.managedZones.setIamPolicy",
      "dns.policies.setIamPolicy",
      "domains.registrations.createTagBinding",
      "domains.registrations.deleteTagBinding",
      "domains.registrations.setIamPolicy",
      "iam.roles.update",
      "iam.serviceAccountKeys.enable",
      "iam.serviceAccounts.actAs",
      "iam.serviceAccounts.getAccessToken",
      "iam.serviceAccounts.getOpenIdToken",
      "iam.serviceAccounts.implicitDelegation",
      "iam.serviceAccounts.setIamPolicy",
      "iam.serviceAccounts.signBlob",
      "iam.serviceAccounts.signJwt",
      "pubsub.schemas.setIamPolicy",
      "pubsub.snapshots.setIamPolicy",
      "pubsub.subscriptions.setIamPolicy",
      "pubsub.topics.setIamPolicy",
      "pubsub.topics.updateTag",
      "resourcemanager.projects.setIamPolicy",
      "resourcemanager.tagkeys.setIamPolicy",
      "resourcemanager.tagvalues.setIamPolicy",
      "secretmanager.secrets.setIamPolicy",
      "storage.buckets.createTagBinding",
      "storage.buckets.deleteTagBinding",
      "storage.buckets.setIamPolicy",
      "storage.objects.setIamPolicy"
    ]
  }
}