fix: added missing permission 'roles/serviceusage.serviceUsageConsumer'

gwright99 · gwright99 · commit cc0065513bce · 2026-02-24T10:24:49.000-05:00
This permission is necessary for Data Explorer to be able to auto-discover the GCS Buckets the Platform credential has access to (limited to Buckets in the GCP Project from which the credential was issued).

Not having this permission will cause Buckets not to be auto-discovered and a message like the following being emitted in the Platform logs:
"""
backend-1         | Feb-24 13:57:37.874 [data-link-fetch-worker-4] - DEBUG i.s.t.s.data.cache.DataLinkStoreImpl - Update data links to error for credentials: 73k0ncyXvpbnwZRyNBnmC,
                    errorMessage: com.google.cloud.storage.StorageException: SERVICE-ACCOUNT-NAME@GCP-PROJECT.iam.gserviceaccount.com does not have serviceusage.services.use access to
                    the Google Cloud project. Permission 'serviceusage.services.use' denied on resource (or it may not exist).
"""
diff --git a/platform-enterprise_versioned_docs/version-24.1/compute-envs/google-cloud-batch.md b/platform-enterprise_versioned_docs/version-24.1/compute-envs/google-cloud-batch.md
@@ -62,6 +62,7 @@ By default, Google Cloud Batch uses the default Compute Engine service account t
 - Batch Job Editor (`roles/batch.jobsEditor`) on the project
 - Logs Writer (`roles/logging.logWriter`) on the project (to let jobs generate logs in Cloud Logging)
 - Service Account User (`roles/iam.serviceAccountUser`)
+- Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See [Cloud Storage bucket](#cloud-storage-bucket) below.
 
diff --git a/platform-enterprise_versioned_docs/version-24.2/compute-envs/google-cloud-batch.md b/platform-enterprise_versioned_docs/version-24.2/compute-envs/google-cloud-batch.md
@@ -62,6 +62,7 @@ By default, Google Cloud Batch uses the default Compute Engine service account t
 - Batch Job Editor (`roles/batch.jobsEditor`) on the project
 - Logs Writer (`roles/logging.logWriter`) on the project (to let jobs generate logs in Cloud Logging)
 - Service Account User (`roles/iam.serviceAccountUser`)
+- Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See [Cloud Storage bucket](#cloud-storage-bucket) below.
 
diff --git a/platform-enterprise_versioned_docs/version-25.1/compute-envs/google-cloud-batch.md b/platform-enterprise_versioned_docs/version-25.1/compute-envs/google-cloud-batch.md
@@ -62,6 +62,7 @@ By default, Google Cloud Batch uses the default Compute Engine service account t
 - Batch Job Editor (`roles/batch.jobsEditor`) on the project
 - Logs Writer (`roles/logging.logWriter`) on the project (to let jobs generate logs in Cloud Logging)
 - Service Account User (`roles/iam.serviceAccountUser`)
+- Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See [Cloud Storage bucket](#cloud-storage-bucket) below.
 
diff --git a/platform-enterprise_versioned_docs/version-25.2/compute-envs/google-cloud-batch.md b/platform-enterprise_versioned_docs/version-25.2/compute-envs/google-cloud-batch.md
@@ -62,6 +62,7 @@ By default, Google Cloud Batch uses the default Compute Engine service account t
 - Batch Job Editor (`roles/batch.jobsEditor`) on the project
 - Logs Writer (`roles/logging.logWriter`) on the project (to let jobs generate logs in Cloud Logging)
 - Service Account User (`roles/iam.serviceAccountUser`)
+- Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See [Cloud Storage bucket](#cloud-storage-bucket) below.
 
diff --git a/platform-enterprise_versioned_docs/version-25.3/compute-envs/google-cloud-batch.md b/platform-enterprise_versioned_docs/version-25.3/compute-envs/google-cloud-batch.md
@@ -62,6 +62,7 @@ By default, Google Cloud Batch uses the default Compute Engine service account t
 - Batch Job Editor (`roles/batch.jobsEditor`) on the project
 - Logs Writer (`roles/logging.logWriter`) on the project (to let jobs generate logs in Cloud Logging)
 - Service Account User (`roles/iam.serviceAccountUser`)
+- Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)
 
 If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (`roles/storage.admin`) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See [Cloud Storage bucket](#cloud-storage-bucket) below.
 
