Add Cloud Deploy API name and IAM reference doc (#111)

* Add Cloud Deploy API name and IAM reference doc

* Include permissions required for the automation service account

Author: mattsanta

skills/cloud-deploy-pipelines/SKILL.md

@@ -11,6 +11,8 @@ version: "0.1.0"
 
 This skill encompasses the entire lifecycle of Cloud Deploy for a user, from designing and creating delivery pipelines to managing releases and debugging release failures.
 
+**All** Workflows require the `clouddeploy.googleapis.com` API to be enabled.
+
 ## Workflow: Designing a Pipeline
 
 This workflow provides steps for designing a Cloud Deploy `DeliveryPipeline`.
@@ -78,6 +80,12 @@ gcloud deploy apply --file=clouddeploy.yaml --region=<REGION> --project=<PROJECT
 2. Create a `skaffold.yaml` file required to create a Cloud Deploy `Release` for the `DeliveryPipeline`.
     - Use `references/configure-skaffold.md` as a reference when generating the `skaffold.yaml` file.
 
+
+### Step 7: Setup IAM permissions
+
+Use `references/iam-permissions.md` as a reference to set up the necessary IAM permissions based on the `DeliveryPipeline` defined.
+
+
 ## Workflow: Add Google Observability Alert Policy Analysis to a Pipeline
 
 Cloud Deploy integrates with Google Cloud Observability to provide metrics analysis when deploying an application. When the application is deployed, Cloud Deploy will monitor alert policies defined in Google Cloud Observability for any incidents that were triggered after the application was deployed. 
@@ -117,6 +125,10 @@ Run the following command to update the Cloud Deploy `DeliveryPipeline`:
 gcloud deploy apply --file=clouddeploy.yaml --region=<REGION> --project=<PROJECT_ID>
 ```
 
+### Step 4: Setup IAM permissions
+
+Use `references/iam-permissions.md` as a reference to set up the necessary IAM permissions for analysis.
+
 ## Release Management
 
 This section covers the various aspects of managing Cloud Deploy `Release` resources.

skills/cloud-deploy-pipelines/references/iam-permissions.md

@@ -0,0 +1,35 @@
+# IAM Permissions
+
+This document provides insights into the IAM permissions required for Cloud Deploy to operate based on the features enabled for the `DeliveryPipeline`.
+
+## Execution Service Account
+
+**MUST KNOW**: The execution service account used by Cloud Deploy. This is either the default Compute Engine service account or a user-provided service account that was defined in the `Target`.
+
+The execution service account **must always** have the following roles:
+* `roles/clouddeploy.jobRunner`
+* `roles/iam.serviceAccountUser`
+
+### Runtime Permissions
+
+If deploying to Cloud Run then `roles/run.developer` is **required**.
+
+If deploying to GKE then `roles/container.developer` is **required**.
+
+### Analysis Permissions (Google Cloud Observability)
+
+The following roles are **required**:
+* `roles/monitoring.alertViewer`
+* `roles/serviceusage.serviceUsageConsumer`
+
+## Automation Service Account
+
+**MUST KNOW**: The service account defined in the `Automation` resources.
+
+The `Automation` service account **requires** the `roles/clouddeploy.operator` role.
+
+## Release Creator
+
+The user or service account that creates a `Release` and `Rollout` **must** have:
+* `roles/clouddeploy.releaser`
+* `roles/iam.serviceAccountUser`