Discovery Engine v1alpha: 403 Permission Denied listing agents with Viewer role

I was trying to list all agents from the discoveryengine v1alpha REST endpoint, but I encountered a permission issue.

I am using a service account. When I assign it the Gemini Enterprise Editor (Beta) or Discovery Engine Editor IAM role, I can list agents successfully. However, when I change it to the Gemini Enterprise Viewer (Beta) or Discovery Engine Viewer role, I receive the following error:

{
    "error": {
        "code": 403,
        "message": "User does not have permission to list all of the agents.",
        "status": "PERMISSION_DENIED"
    }
}

The documentation states the following:

IAM Permissions

Requires the following IAM permission on the parent resource:

  • discoveryengine.agents.list

Since the Gemini Enterprise Viewer (Beta) already includes the permission discoveryengine.agents.list, I don’t know why it isn’t working.

I also tried cloning the Gemini Enterprise Editor (Beta) role into a custom role. The process automatically removed resourcemanager.projects.list, and I still could not list the agents. I then combined the custom role with the Browser role, which has the resourcemanager.projects.list permission, but it still failed.

Any idea on how to use a Viewer role to list agents?
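One way to narrow down which permission the API is actually gating on, as an added example that is not part of the original post: diff the permission lists of the role that works against the role that fails, confirm the documented permission is present in the failing role, and treat the remainder (the permissions only the working role carries) as the candidates for the undocumented check. The two role documents below are constructed samples in the shape of `gcloud iam roles describe <role> --format=json`; their permission lists are illustrative and not the real contents of the Discovery Engine roles, so run the script against real gcloud output. The 403 body is the one quoted above.

```python
"""Triage a 403 PERMISSION_DENIED by diffing the permissions of a working
IAM role against a failing one.

Usage: python role_diff.py
Replace WORKING_ROLE_JSON / FAILING_ROLE_JSON with the output of
  gcloud iam roles describe roles/<role> --format=json
(or, for a custom role, gcloud iam roles describe <id> --project=<project> --format=json).
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample: shape of `gcloud iam roles describe`, illustrative permission list.
WORKING_ROLE_JSON = """
{
  "name": "roles/discoveryengine.editor",
  "title": "Discovery Engine Editor",
  "includedPermissions": [
    "discoveryengine.agents.create",
    "discoveryengine.agents.delete",
    "discoveryengine.agents.get",
    "discoveryengine.agents.list",
    "discoveryengine.agents.update",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list"
  ]
}
"""

# Constructed sample: the role that fails, carrying the documented permission.
FAILING_ROLE_JSON = """
{
  "name": "roles/discoveryengine.viewer",
  "title": "Discovery Engine Viewer",
  "includedPermissions": [
    "discoveryengine.agents.get",
    "discoveryengine.agents.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list"
  ]
}
"""

# The error body from the post, verbatim.
ERROR_JSON = """
{
    "error": {
        "code": 403,
        "message": "User does not have permission to list all of the agents.",
        "status": "PERMISSION_DENIED"
    }
}
"""

# The permission the reference docs name for agents.list.
DOCUMENTED_PERMISSIONS = {"discoveryengine.agents.list"}


def load_role(text: str) -> tuple[str, frozenset[str]]:
    """Return (role name, set of included permissions) from gcloud JSON."""
    role = json.loads(text)
    return role["name"], frozenset(role.get("includedPermissions", []))


def parse_api_error(text: str) -> tuple[int, str, str]:
    """Return (code, status, message) from a Google API error body."""
    err = json.loads(text)["error"]
    return err["code"], err["status"], err["message"]


def diff_roles(working: str, failing: str, documented: Iterable[str], api_prefix: str) -> dict:
    """Compare a working role with a failing one.

    documented_missing_from_failing: documented permissions the failing role lacks
      (if non-empty, the docs already explain the 403).
    candidates_same_api: permissions only the working role has, in the API's own
      namespace; the most likely undocumented gate.
    candidates_other: remaining permissions only the working role has.
    """
    w_name, w_perms = load_role(working)
    f_name, f_perms = load_role(failing)
    missing = sorted(set(documented) - f_perms)
    extra = w_perms - f_perms
    return {
        "working_role": w_name,
        "failing_role": f_name,
        "documented_missing_from_failing": missing,
        "documented_satisfied": not missing,
        "candidates_same_api": sorted(p for p in extra if p.startswith(api_prefix)),
        "candidates_other": sorted(p for p in extra if not p.startswith(api_prefix)),
    }


if __name__ == "__main__":
    code, status, message = parse_api_error(ERROR_JSON)
    print(f"API returned {code} {status}: {message}")
    report = diff_roles(WORKING_ROLE_JSON, FAILING_ROLE_JSON,
                        DOCUMENTED_PERMISSIONS, "discoveryengine.")
    for key, value in report.items():
        print(f"{key}: {value}")
```

If `documented_satisfied` is true and the call still fails, the gate is one of the `candidates_same_api` entries (or, less often, something in `candidates_other`); bisect by adding candidates one at a time to a custom role until the call succeeds, and use IAM Policy Troubleshooter on the failing principal to confirm which permission it reports as denied.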

I’m seeing exactly the same behaviour (almost 3 months later).

Why does Google keep using hidden permissions that are only available in Google predefined roles? (This makes life very hard for enterprises using custom roles.) This error is very obscure; we don’t even know which permission is missing.

Why are hidden permissions not included in the appropriate predefined roles? If they decide to go ahead with this approach, Google should at least include them in all the predefined roles where that makes sense. Viewer is a clear example of a role that should have this permission…