diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index df34c95263..6e5d5af91e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -372,9 +372,9 @@ If you are working on a existing resource, test yaml should exist under
 to make sure the test can still pass. Example command:
 
 ```bash
-   # Export the environment variables needed in the dynamic tests if you haven't done it.
-   TEST_FOLDER_ID=123456789 go test -v -tags=integration ./pkg/controller/dynamic/ -test.run TestCreateNoChangeUpdateDelete -run-tests cloudschedulerjob -timeout 900s
- ```
+# Export the environment variables needed in the dynamic tests if you haven't done it.
+TEST_FOLDER_ID=123456789 go test -v -tags=integration ./pkg/controller/dynamic/ -test.run TestCreateNoChangeUpdateDelete -run-tests cloudschedulerjob -timeout 900s
+```
 Replace `cloudschedulerjob` with your test target.
 
 ### Submit a Pull Request
@@ -387,5 +387,5 @@ you can first validate the change locally:
 make ready-pr
 ```
 
-You can then commit your change and make a pull request. See more details
-[here](https://docs.github.com/en/get-started/quickstart/contributing-to-projects#making-and-pushing-changes).
+You can then commit your change and make a pull request. See [GitHub's contributing
+to projects: making and pushing changes](https://docs.github.com/en/get-started/quickstart/contributing-to-projects#making-and-pushing-changes).
diff --git a/apis/networkconnectivity/v1alpha1/types.generated.go b/apis/networkconnectivity/v1alpha1/types.generated.go
index 891405ace1..d10254d3f6 100644
--- a/apis/networkconnectivity/v1alpha1/types.generated.go
+++ b/apis/networkconnectivity/v1alpha1/types.generated.go
@@ -46,7 +46,7 @@ type Binding struct {
 	// Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
 	Members []string `json:"members,omitempty"`
 
-	// Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles).
+	// Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [understanding roles](https://cloud.google.com/iam/docs/understanding-roles).
 	Role *string `json:"role,omitempty"`
 }
 
diff --git a/crds/artifactregistry_v1beta1_artifactregistryrepository.yaml b/crds/artifactregistry_v1beta1_artifactregistryrepository.yaml
index 31c687748b..b978551030 100644
--- a/crds/artifactregistry_v1beta1_artifactregistryrepository.yaml
+++ b/crds/artifactregistry_v1beta1_artifactregistryrepository.yaml
@@ -155,8 +155,8 @@ spec:
                 type: object
               format:
                 description: |-
-                  Immutable. The format of packages that are stored in the repository. Supported formats
-                  can be found [here](https://cloud.google.com/artifact-registry/docs/supported-formats).
+                  Immutable. The format of packages that are stored in the repository. See
+                  [Supported formats](https://cloud.google.com/artifact-registry/docs/supported-formats).
                   You can only create alpha formats if you are a member of the
                   [alpha user group](https://cloud.google.com/artifact-registry/docs/supported-formats#alpha-access).
                 type: string
diff --git a/crds/cloudscheduler_v1beta1_cloudschedulerjob.yaml b/crds/cloudscheduler_v1beta1_cloudschedulerjob.yaml
index 21f132a618..9a940e0fee 100644
--- a/crds/cloudscheduler_v1beta1_cloudschedulerjob.yaml
+++ b/crds/cloudscheduler_v1beta1_cloudschedulerjob.yaml
@@ -402,9 +402,8 @@ spec:
                     properties:
                       host:
                         description: 'Output only. The host that the job is sent to.
-                          For more information about how App Engine requests are routed,
-                          see [here](https://cloud.google.com/appengine/docs/standard/python/how-requests-are-routed).
-                          The host is constructed as: * `host = [application_domain_name]`
+                          Read information about [how App Engine requests are
+                          routed](https://cloud.google.com/appengine/docs/standard/python/how-requests-are-routed).                          The host is constructed as: * `host = [application_domain_name]`
                           `| [service] + ''.'' + [application_domain_name]` `| [version]
                           + ''.'' + [application_domain_name]` `| [version_dot_service]+
                           ''.'' + [application_domain_name]` `| [instance] + ''.''
diff --git a/docs/archive/README.NewResourceFromTerraform.md b/docs/archive/README.NewResourceFromTerraform.md
index fb35371d1d..8f10cb6706 100644
--- a/docs/archive/README.NewResourceFromTerraform.md
+++ b/docs/archive/README.NewResourceFromTerraform.md
@@ -146,8 +146,8 @@ ServiceMappings file. Add the `ResourceConfig` for your resource:
 **Tip**: You can
 [use the auto-generated service mappings as a reference](#using-the-auto-generated-service-mappings-as-a-reference).
 
-**Tip**: The full list of available properties for a `ResourceConfig` is defined
-[here](pkg/apis/core/v1alpha1/servicemapping_types.go#L46).
+**Tip**: See the [full list of available properties for a
+`ResourceConfig`](pkg/apis/core/v1alpha1/servicemapping_types.go#L46).
 
 1.  Open the Service Mappings file from the previous section for editing. In the
     case of the `Spanner` service the file is named `spanner.yaml`.
@@ -281,9 +281,8 @@ ServiceMappings file. Add the `ResourceConfig` for your resource:
     Note: The `containers` field has been deprecated, and
     `hierarchicalReferences` should be used instead.
 
-1.  Follow the resource reference guidelines
-    [here](README.ConfigureResourceReferences.md) to identify and configure
-    potential resource reference fields.
+1.  Follow the [resource reference guidelines](README.ConfigureResourceReferences.md)
+    to identify and configure potential resource reference fields.
 
 1.  Add `observedFields` if a common solution depends on the computed values
     from unspecified fields under `spec`. The field names should be paths of the
@@ -601,7 +600,7 @@ samples are created for that resource.
 
 1.  In [config/samples/resources](config/samples/resources), create a new
     directory for the resource's samples: `mkdir spannerinstance`.
-1.  Follow the sample guidelines [here](README.Samples.md) and create sample(s)
+1.  Follow the [sample guidelines](README.Samples.md) and create sample(s)
     for the resource.
 
 ## Run/Disable Sample Tests
@@ -854,10 +853,9 @@ projects, folders, and billing accounts.**
 *   All the resource names should be `[lowercase(Kind)]-${uniqueId}`, e.g.
     `cloudschedulerjob-${uniqueId}`, `pubsubtopic-${uniqueId}`.
 
-    *   ${uniqueId} is a 20-char unique ID generated
-        [here](pkg/test/resourcefixture/variable/variables.go#16). We always
-        want to use the `-${uniqueId}` as the suffix for the resource name in
-        testdata.
+    *   ${uniqueId} is a [generated](pkg/test/resourcefixture/variable/variables.go#16)
+        20-char unique ID. We always want to use the `-${uniqueId}` as the
+        suffix for the resource name in testdata.
 
     *   If there are multiple resources of the same kind used in the same test
         cases, the resource names should be
diff --git a/docs/archive/README.UpdatingTerraformProvider.md b/docs/archive/README.UpdatingTerraformProvider.md
index 89babb56c9..e0a8888d1b 100644
--- a/docs/archive/README.UpdatingTerraformProvider.md
+++ b/docs/archive/README.UpdatingTerraformProvider.md
@@ -72,7 +72,7 @@ We are actively evaluating the optimal long-term strategy for managing Terraform
     step following the below recommendations.
     1.  If you understand the bug well and want to unblock the TF provider
         upgrade quickly to delivery some user requested features, follow the
-        instructions [here](README.ChangingTerraform.md) to create a TF provider
+        [instructions](README.ChangingTerraform.md) to create a TF provider
         patch to fix the bug locally. Surface the issue separately to the
         terraform team by creating an
         [issue](https://github.com/hashicorp/terraform-provider-google/issues)
diff --git a/docs/develop-resources/deep-dives/4-add-controller.md b/docs/develop-resources/deep-dives/4-add-controller.md
index 0c7a8dc6dd..7ec6a8e5bc 100644
--- a/docs/develop-resources/deep-dives/4-add-controller.md
+++ b/docs/develop-resources/deep-dives/4-add-controller.md
@@ -25,7 +25,7 @@ Check  to make sure your validation is complete.
 
 ## 4.3 Register your controller
 
-To wire your controller in the Config Connector operator, you need to register the controller [here](https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/pkg/controller/direct/register/register.go)
+To wire your controller in the Config Connector operator, you need to [register the controller](https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/pkg/controller/direct/register/register.go)
 
 
 ## 4.4 Verify your controller
diff --git a/docs/develop-resources/deep-dives/5-releases.md b/docs/develop-resources/deep-dives/5-releases.md
index 84ec60e345..a34c670a43 100644
--- a/docs/develop-resources/deep-dives/5-releases.md
+++ b/docs/develop-resources/deep-dives/5-releases.md
@@ -37,7 +37,7 @@
 
 1.  In [config/samples/resources](config/samples/resources), create a new
     directory for the resource's samples: `mkdir spannerinstance`.
-1.  Follow the sample guidelines [here](./../../../README.Samples.md) and create sample(s) for the resource.
+1.  Follow the [sample guidelines](./../../../README.Samples.md) and create sample(s) for the resource.
 
 ### Run/Disable Sample Tests
 
diff --git a/docs/releasenotes/release-1.123.md b/docs/releasenotes/release-1.123.md
index 3a23a7fb2d..208586f2f9 100644
--- a/docs/releasenotes/release-1.123.md
+++ b/docs/releasenotes/release-1.123.md
@@ -8,9 +8,8 @@
 
 * Starting from this version, all the new CRs (CustomResources) will have the `cnrm.cloud.google.com/state-into-spec`
   annotation defaulted to `absent`. This means Config Connector will not populate any unspecified fields into the
-  `spec` after a successful reconciliation of the resource. The behavior of existing CRs will not be impacted. More
-  details about the Absent behavior can be found
-  [here](https://cloud.google.com/config-connector/docs/concepts/ignore-unspecified-fields#absent).
+  `spec` after a successful reconciliation of the resource. The behavior of existing CRs will not be impacted. See [details about the Absent
+  behavior](https://cloud.google.com/config-connector/docs/concepts/ignore-unspecified-fields#absent).
 
 * You can use the `alpha.cnrm.cloud.google.com/reconciler: direct` annotation on `DataflowFlexTemplateJob` resource to opt-in
 the Direct Cloud Reconciler, which provides an advanced status update solution for some timeout issues.
diff --git a/experiments/compositions/samples/AttachedAKS/aks-charlie.md b/experiments/compositions/samples/AttachedAKS/aks-charlie.md
index 07e783aed7..894b771cc3 100644
--- a/experiments/compositions/samples/AttachedAKS/aks-charlie.md
+++ b/experiments/compositions/samples/AttachedAKS/aks-charlie.md
@@ -76,8 +76,7 @@ az role assignment create \
 
 ## Set up impersonation
 
-This step allows the GCP service created
-[here](setup-Azure-ASO.md#create-a-gcp-service-account) to impersonate the Azure
+This step allows the [created GCP service](setup-Azure-ASO.md#create-a-gcp-service-account) to impersonate the Azure
 managed identity.
 
 In this example, we use the default GCP service account.
diff --git a/mockgcp/apis/mockgcp/cloud/kms/v1/service.proto b/mockgcp/apis/mockgcp/cloud/kms/v1/service.proto
index 578a6a0022..54984bf63f 100644
--- a/mockgcp/apis/mockgcp/cloud/kms/v1/service.proto
+++ b/mockgcp/apis/mockgcp/cloud/kms/v1/service.proto
@@ -456,7 +456,7 @@ message Binding {
   optional Expr condition = 1 [json_name="condition"];
   // Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
   repeated string members = 2 [json_name="members"];
-  // Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles).
+  // Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). See the [list of the available pre-defined roles](https://cloud.google.com/iam/docs/understanding-roles).
   optional string role = 3 [json_name="role"];
 }
 
diff --git a/mockgcp/apis/mockgcp/cloud/networkconnectivity/v1/networkconnectivity.proto b/mockgcp/apis/mockgcp/cloud/networkconnectivity/v1/networkconnectivity.proto
index 4fbc5a559c..23fb72cc33 100644
--- a/mockgcp/apis/mockgcp/cloud/networkconnectivity/v1/networkconnectivity.proto
+++ b/mockgcp/apis/mockgcp/cloud/networkconnectivity/v1/networkconnectivity.proto
@@ -502,7 +502,7 @@ message Binding {
   Expr condition = 1 [json_name="condition"];
   // Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
   repeated string members = 2 [json_name="members"];
-  // Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles).
+  // Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). See the [list of the available pre-defined roles](https://cloud.google.com/iam/docs/understanding-roles).
   string role = 3 [json_name="role"];
 }