Don't have cloudidentity roles in dropdown, despite having "Cloud Identity" API enabled

Hope this is the correct forum to ask 🙂

I’m trying to get a bot that I have and that is a part of the project principals to have one of the following OAuth scopes:

I tried the option of creating a custom role (“ADD ANOTHER ROLE”, “MANAGE ROLES”, “CREATE ROLE” and attempted to “Add Permissions”), but the Cloud Identity Groups Reader wasn’t available there either.

I thought that might be inheritance related, or somehow related to the fact that the bot has the “VIEWER” role, so I attempted to do the same for an Owner user, and even created a new Owner user. For both, I didn’t see the “Cloud Identity Groups” in the available roles.

Because of a recommendation I saw about “API Cloud Identity” in one of the posts in the Google Cloud community (Cloud Identity API.) I tried to search for “roles/identity.organizationViewer”, which might be a prerequisite, but I don’t see that in the dropdown either.

Note: In the “policy troubleshooter” I also don’t see cloudidentity in the permission list.

What can I do to grant the “Cloud Identity Groups Reader” role for my bot?

Hi @nmostov,

This Google Cloud Security Forum seems to be the place where most IAM questions are getting logged with the label “Identity and Access Management”. Hopefully someone in that forum will be able to answer your question!