Release notes

This page documents production updates to Cloud Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/iam-release-notes.xml

March 17, 2020

Forwarding rule attributes for Cloud IAM Conditions are now generally available. You can use these attributes to specify the types of forwarding rules that a member can create.

March 05, 2020

For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.

February 28, 2020

Cloud IAM Conditions are now generally available. You can use Cloud IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

For Cloud IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.

February 21, 2020

A version 1 Cloud IAM policy can now include conditional role bindings. The role name in these bindings includes the string withcond, followed by a hash value. For example: roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8

If you see the string withcond in a Cloud IAM policy, follow the steps in the troubleshooting guide.

February 18, 2020

February 13, 2020

The Cloud IAM recommender is now generally available. The Cloud IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

February 04, 2020

Cloud IAM Conditions now supports forwarding rule attributes, currently in beta. You can use these attributes to specify the types of forwarding rules that a member can create.

December 17, 2019

Policy Troubleshooter is now generally available. Use Policy Troubleshooter to determine why a user has access to a resource or doesn't have permission to call an API.

December 13, 2019

On December 9, we announced that Cloud IAM policies would now identify deleted members. We have temporarily reverted this change. Cloud IAM policies no longer identify deleted members.

December 12, 2019

Cloud IAM Conditions are now available in public beta. You can use Cloud IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

December 09, 2019

Cloud IAM policies now identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=[NUMERIC_ID].

For example, if you delete the account for the user bob@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:bob@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting today. For GetIamPolicy and SetIamPolicy responses, because we are still rolling out this change, you might see the new prefix and suffix in some, but not all, responses. We expect to complete the rollout by December 13, 2019.

If a binding in a policy refers to a deleted member (for example, deleted:user:bob@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:bob@example.com). If you try to add a binding for the newly created member, Cloud IAM will apply the binding to the deleted member instead.
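The following audit is an added example, not code from Google or from this page. It applies the two identifier formats described in these notes, the deleted: prefix with its ?uid= suffix and the withcond string in role names, and flags a proposed binding whose member name matches a deleted member already in the policy. The function name, the finding labels, the sample policy and the assumption that the withcond hash is alphanumeric are all illustrative.

```python
import re

# Formats taken from the release notes above:
#   deleted:<type>:<name>?uid=<NUMERIC_ID>   (deleted member bound to a role)
#   <role>_withcond_<hash>                   (conditional binding, version 1 policy)
# Assumption: the hash after "_withcond_" is alphanumeric.
DELETED_RE = re.compile(r"^deleted:(?P<member>[^:]+:[^?]+)\?uid=(?P<uid>\d+)$")
WITHCOND_RE = re.compile(r"^(?P<role>.+)_withcond_(?P<hash>[0-9A-Za-z]+)$")


def audit_policy(policy, proposed_members=()):
    """Return findings for withcond roles, deleted members and name collisions."""
    findings = []
    deleted = {}  # live-form member name -> uid of the deleted member
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        cond = WITHCOND_RE.match(role)
        if cond:
            # Report the underlying role so the binding can be reviewed.
            findings.append(("withcond_role", role, cond.group("role")))
        for member in binding.get("members", []):
            gone = DELETED_RE.match(member)
            if gone:
                deleted[gone.group("member")] = gone.group("uid")
                findings.append(("deleted_member", role, member))
    # A binding added for a re-created account with the same name is applied
    # to the deleted member instead, so flag it before calling SetIamPolicy.
    for member in proposed_members:
        if member in deleted:
            findings.append(("collides_with_deleted", member, deleted[member]))
    return findings


# Constructed sample policy (not real data); identifiers reuse the page's examples.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["deleted:user:bob@example.com?uid=123456789012345678901",
                     "user:carol@example.com"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, ["user:bob@example.com"]):
        print(finding)
```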

September 23, 2019

The Cloud IAM recommender is now available in beta. The Cloud IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

September 18, 2019

You can now upload a public key for a service account, which causes service account keys to be signed with that public key. This feature is available in beta.

August 20, 2019

The Service Account Credentials API is now generally available. Use this API to create short-lived service account credentials.

March 28, 2019

When you create or update a service account, you can now provide a description of the service account.

June 29, 2018

You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.

February 27, 2018

January 31, 2018

Custom roles are now generally available. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.

September 27, 2017

Custom roles are now available in beta. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.

September 14, 2017

You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.

July 06, 2017

You can now learn how to configure IAM roles for networking-related job functions.

June 28, 2017

Custom roles are now available in a public alpha. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.

May 24, 2017

You can now learn how to configure IAM roles for billing-related job functions.

March 08, 2017

Custom roles are now available in a private alpha. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.

May 10, 2016

Cloud IAM is now generally available.

March 28, 2016

Documentation is now available to help you understand service accounts and use IAM securely.

March 08, 2016

Cloud IAM is now available in beta.