Release notes

This page documents production updates to Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/iam-release-notes.xml

November 12, 2020

IAM Conditions now provides resource attributes for Pub/Sub Lite. You can use these resource attributes to grant access to a subset of your Pub/Sub Lite subscriptions and topics.

October 16, 2020

Credential Access Boundaries are now generally available. Use Credential Access Boundaries to downscope the permissions that a short-lived credential can use to access a Cloud Storage bucket.

October 15, 2020

If a role binding in an IAM policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you can now add role bindings for a newly created member with the same name (in this case, user:tamika@example.com). The role bindings always apply to the newly created member.

For details, see the documentation for policies with deleted members.

October 09, 2020

The documentation now provides details about service agents for all publicly available services. A service agent is a special type of service account that is created and managed by Google, and is used by Google Cloud services to access your resources.

September 21, 2020

You can now use workload identity federation, available in beta, to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

September 17, 2020

The issue with undeleting service accounts has been resolved. You can now undelete most service accounts that meet the criteria for undeletion.

September 09, 2020

You cannot undelete most service accounts at this time. Our engineering team is working to resolve this issue.

August 28, 2020

New features are available for Credential Access Boundaries, currently in beta:

  • You can now manage permissions for Cloud Storage objects, in addition to buckets.
  • You can now use IAM Conditions to control which permissions are available in a short-lived OAuth 2.0 access token. For an example, see Limit permissions for specific objects.
  • You can now use Credential Access Boundaries with a Cloud Storage bucket that does not use uniform bucket-level access.

For Credential Access Boundaries, currently in beta, you must migrate to a new API endpoint, sts.googleapis.com. To learn how to use the new API endpoint, see Exchanging the OAuth 2.0 access token.
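The three bullets above describe what an access boundary can express (a bucket, a set of roles, and an optional IAM Conditions expression over object names) and the endpoint it is sent to. The following is an added example, not Google's own code or client library: it builds the `options` document and the form fields for the token exchange at `sts.googleapis.com/v1/token`, and includes a local checker that predicts what the downscoped token will be able to reach before you mint one. The bucket name, role and object prefix are placeholders, and the checker only understands the `resource.name.startsWith('...')` condition form shown in the Cloud Storage examples; any other expression is treated as not matching, which is a deliberately conservative assumption.

```python
import json
import re

STS_ENDPOINT = "https://sts.googleapis.com/v1/token"
BUCKET_RESOURCE_PREFIX = "//storage.googleapis.com/projects/_/buckets/"
MAX_RULES = 10  # documented upper bound on accessBoundaryRules

# The only availabilityCondition shape the local checker understands is the
# object-prefix form used in the Cloud Storage examples. Anything else is
# treated as "does not match" (conservative assumption for this example).
_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def make_rule(bucket, roles, object_prefix=None):
    """One accessBoundaryRule: a bucket, the roles the token may use on it, and
    optionally an object-name prefix that narrows the rule to part of the bucket."""
    rule = {
        "availableResource": BUCKET_RESOURCE_PREFIX + bucket,
        "availablePermissions": ["inRole:" + role for role in roles],
    }
    if object_prefix is not None:
        rule["availabilityCondition"] = {
            "expression": "resource.name.startsWith('projects/_/buckets/%s/objects/%s')"
            % (bucket, object_prefix)
        }
    return rule


def build_access_boundary(rules):
    """Wrap the rules in the `options` document and reject shapes the API refuses."""
    if not 1 <= len(rules) <= MAX_RULES:
        raise ValueError("an access boundary needs 1..%d rules" % MAX_RULES)
    for rule in rules:
        if not rule["availableResource"].startswith(BUCKET_RESOURCE_PREFIX):
            raise ValueError("only Cloud Storage buckets are supported: %r"
                             % rule["availableResource"])
        for perm in rule["availablePermissions"]:
            if not perm.startswith("inRole:roles/"):
                raise ValueError("permissions must be given as inRole:roles/...: %r" % perm)
    return {"accessBoundary": {"accessBoundaryRules": rules}}


def build_sts_request(access_token, boundary):
    """Form fields for the token exchange. POST them to STS_ENDPOINT as
    application/x-www-form-urlencoded; the response carries the downscoped token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token": access_token,
        "options": json.dumps(boundary),
    }


def boundary_allows(boundary, bucket, object_name, role):
    """Local approximation of the boundary's effect: can a token carrying it use
    `role` on gs://bucket/object_name?  A boundary only ever narrows access; the
    real token can never exceed what the original credential was granted."""
    full_name = "projects/_/buckets/%s/objects/%s" % (bucket, object_name)
    for rule in boundary["accessBoundary"]["accessBoundaryRules"]:
        if rule["availableResource"] != BUCKET_RESOURCE_PREFIX + bucket:
            continue
        if "inRole:" + role not in rule["availablePermissions"]:
            continue
        condition = rule.get("availabilityCondition")
        if condition is None:
            return True
        match = _STARTS_WITH.match(condition["expression"])
        if match and full_name.startswith(match.group(1)):
            return True
    return False


if __name__ == "__main__":
    boundary = build_access_boundary([
        make_rule("example-bucket", ["roles/storage.objectViewer"], "customer-a/"),
    ])
    print(json.dumps(build_sts_request("ya29.REDACTED", boundary), indent=2))
```

Two practical points: the `options` field is JSON inside a form-encoded body, so with curl it is sent with `--data-urlencode`, and the downscoped token is a restriction of the token you exchanged, never an elevation, so the roles named in `inRole:` must already be held by the caller for the boundary to have any effect.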

August 25, 2020

Uploading public keys for service accounts is now generally available.

August 14, 2020

You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is available in beta.

You can now use an organization policy constraint (constraints/iam.allowServiceAccountCredentialLifetimeExtension) to extend the maximum lifetime for OAuth 2.0 access tokens that you create for a service account beyond the default of one hour, up to 12 hours. Longer-lived tokens widen the window in which a leaked token can be used, so enable this only for workloads that need it.

July 31, 2020

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on September 14, 2020.

July 20, 2020

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on August 31, 2020.

July 01, 2020

The organization policy constraint to prevent automatic role grants to default service accounts (constraints/iam.automaticIamGrantsForDefaultServiceAccounts) is now generally available. Without it, the default service accounts that Compute Engine and App Engine create are automatically granted the Editor role on the project. To improve security, we strongly recommend that you enable this constraint.

Starting on July 27, 2020, IAM policies will identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=numeric-id.

For example, if you delete the account for the user tamika@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:tamika@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting on July 27. For GetIamPolicy and SetIamPolicy responses, you might see the new prefix and suffix in some, but not all, responses until we finish rolling out the change. We expect to complete the rollout by July 31, 2020.

See the documentation for a detailed example, as well as guidance on updating policies that contain deleted members.

Starting on July 27, 2020, if a binding in a policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:tamika@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.

To resolve this issue, see our guidance on updating policies that contain deleted members.

June 22, 2020

Using the IAM API (the signBlob and signJwt methods on projects.serviceAccounts) to sign JSON Web Tokens (JWTs) or binary blobs is now deprecated. Use the signBlob and signJwt methods of the Service Account Credentials API instead.

May 18, 2020

Recommendations from the IAM recommender can now include suggestions to create custom roles.

April 01, 2020

When you use a service account key to access Google Cloud, your audit logs now identify the key that was used.
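This entry and the August 14, 2020 entry above (Cloud Monitoring for service account and key usage) together give you the data needed to find keys that are never used. The following is an added example, not Google's code: it runs over audit log entries and reports, per key, how often and when it was last used, then compares an inventory of known keys against that usage to surface deletion candidates. The log records, key IDs, project and service account names below are constructed for the example; the one field it relies on, `protoPayload.authenticationInfo.serviceAccountKeyName`, is the field that identifies the key.

```python
from datetime import datetime, timedelta, timezone

PROJECT = "example-project"  # placeholder
SA = "ci-deployer@%s.iam.gserviceaccount.com" % PROJECT  # placeholder
KEY_PREFIX = "//iam.googleapis.com/projects/%s/serviceAccounts/%s/keys/" % (PROJECT, SA)
KEY_A, KEY_B, KEY_C = (KEY_PREFIX + k for k in ("aaaa1111", "bbbb2222", "cccc3333"))


def _entry(ts, method, principal, key=None):
    """Build a constructed audit log record in the Cloud Audit Logs shape."""
    auth = {"principalEmail": principal}
    if key:
        auth["serviceAccountKeyName"] = key  # present only for key-based auth
    return {"timestamp": ts,
            "protoPayload": {"methodName": method, "authenticationInfo": auth}}


# Constructed sample: two calls with key A, one old call with key B, one call
# by a human user (no key), and key C is in the inventory but never appears.
SAMPLE_ENTRIES = [
    _entry("2020-04-01T12:00:00Z", "storage.objects.get", SA, KEY_A),
    _entry("2020-03-30T08:15:00Z", "storage.objects.create", SA, KEY_A),
    _entry("2019-12-20T09:00:00Z", "storage.objects.get", SA, KEY_B),
    _entry("2020-04-01T13:00:00Z", "storage.objects.get", "alice@example.com"),
]
INVENTORY = [KEY_A, KEY_B, KEY_C]   # e.g. from projects.serviceAccounts.keys.list
NOW = datetime(2020, 4, 2, tzinfo=timezone.utc)
IDLE_WINDOW = timedelta(days=90)


def _parse_ts(ts):
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_name_from_entry(entry):
    return (entry.get("protoPayload", {})
                 .get("authenticationInfo", {})
                 .get("serviceAccountKeyName"))


def summarize_key_usage(entries):
    """Per key: call count, most recent use, and the API methods invoked."""
    usage = {}
    for entry in entries:
        key = key_name_from_entry(entry)
        if not key:
            continue  # user credentials or a keyless credential: not a key event
        rec = usage.setdefault(key, {"count": 0, "last_used": None, "methods": set()})
        rec["count"] += 1
        ts = _parse_ts(entry["timestamp"])
        if rec["last_used"] is None or ts > rec["last_used"]:
            rec["last_used"] = ts
        rec["methods"].add(entry["protoPayload"].get("methodName", "?"))
    return usage


def stale_keys(inventory, usage, now, max_idle):
    """Keys with no recorded use inside the window: candidates for deletion.
    Only meaningful if the log window scanned is at least as long as max_idle."""
    stale = []
    for key in inventory:
        rec = usage.get(key)
        if rec is None or now - rec["last_used"] > max_idle:
            stale.append(key)
    return stale


def example_report():
    usage = summarize_key_usage(SAMPLE_ENTRIES)
    return stale_keys(INVENTORY, usage, NOW, IDLE_WINDOW)


if __name__ == "__main__":
    for key in example_report():
        print("no use in %d days: %s" % (IDLE_WINDOW.days, key))
```

Two caveats before acting on the output: reads of many services appear in audit logs only if Data Access audit logs are enabled for them, so a key that looks idle may simply be used against a service you are not logging; and the scanned window must cover the whole idle period you are testing for. The Cloud Monitoring key-usage metric from the August 14 entry is a useful cross-check because it does not depend on Data Access logging.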

March 17, 2020

Forwarding rule attributes for IAM Conditions are now generally available. You can use these attributes to specify the types of forwarding rules that a member can create.

March 05, 2020

For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.

February 28, 2020

IAM Conditions are now generally available. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

For IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.
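Because a wrong condition expression silently grants or withholds access, it helps to be able to check what extract() will return for a given resource name before the expression is deployed. The following is an added example, not Google's implementation: a local emulation of extract() with the template form `prefix{identifier}suffix`, plus one condition built on it in the style of the Cloud Storage order-date example. The resource name is constructed for the example. Behaviour for a non-matching template (return an empty string) and for a template without exactly one identifier (reject it) are this example's assumptions; verify both against the IAM Conditions attribute reference for the case you rely on.

```python
import re

# A template is literal text around exactly one {identifier}; the identifier
# name is documentation only and does not affect the result.
_TEMPLATE = re.compile(
    r"^(?P<prefix>[^{}]*)\{(?P<id>[A-Za-z_][A-Za-z0-9_]*)\}(?P<suffix>[^{}]*)$")


def extract(value, template):
    """Emulates resource.name.extract(template): the text after the first
    occurrence of the template's prefix and before the first occurrence of its
    suffix after that point. An empty suffix means "to the end of the string".
    Returns "" when the template does not match (assumption for this example)."""
    match = _TEMPLATE.match(template)
    if match is None:
        raise ValueError("template must contain exactly one {identifier}: %r" % template)
    prefix, suffix = match.group("prefix"), match.group("suffix")
    start = value.find(prefix)
    if start < 0:
        return ""
    start += len(prefix)
    if suffix == "":
        return value[start:]
    end = value.find(suffix, start)
    if end < 0:
        return ""
    return value[start:end]


def order_date_condition(resource_name, not_before="2019-11-01", not_after="2019-12-01"):
    """Emulates a condition of the form
        resource.name.extract("/order_date={date}/") >= "2019-11-01" &&
        resource.name.extract("/order_date={date}/") <  "2019-12-01"
    ISO dates sort correctly as strings, which is what makes the comparison
    sound; an empty extraction (no date in the name) must evaluate to false."""
    date = extract(resource_name, "/order_date={date}/")
    return date != "" and not_before <= date < not_after


# Constructed resource name in the Cloud Storage object form.
SAMPLE_NAME = ("projects/_/buckets/acme-orders-aaa/objects/data_lake/orders/"
               "order_date=2019-11-03/aef87g87ae0876")

if __name__ == "__main__":
    for template in ("/order_date={date}/", "buckets/{bucket}/", "orders/{rest}", "{all}"):
        print("%-22s -> %r" % (template, extract(SAMPLE_NAME, template)))
    print("in window:", order_date_condition(SAMPLE_NAME))
```

Note the first-occurrence rule: `"orders/{rest}"` does not match inside the bucket name `acme-orders-aaa` (no slash follows it), so it anchors on the `orders/` path segment. Templates that can match in more than one place are the usual source of over-broad grants, so test each one against names from every bucket the policy covers.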

February 21, 2020

A version 1 IAM policy can now include conditional role bindings. The role name in these bindings includes the string withcond, followed by a hash value. For example: roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8

If you see the string withcond in an IAM policy, follow the steps in the troubleshooting guide.

February 18, 2020

February 13, 2020

The IAM recommender is now generally available. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

February 04, 2020

IAM Conditions now supports forwarding rule attributes, currently in beta. You can use these attributes to specify the types of forwarding rules that a member can create.

December 17, 2019

Policy Troubleshooter is now generally available. Use Policy Troubleshooter to determine why a user has access to a resource or doesn't have permission to call an API.

December 13, 2019

On December 9, we announced that IAM policies would now identify deleted members. We have temporarily reverted this change. IAM policies no longer identify deleted members.

December 12, 2019

IAM Conditions are now available in public beta. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

December 09, 2019

IAM policies now identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=[NUMERIC_ID].

For example, if you delete the account for the user bob@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:bob@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting today. For GetIamPolicy and SetIamPolicy responses, because we are still rolling out this change, you might see the new prefix and suffix in some, but not all, responses. We expect to complete the rollout by December 13, 2019.

If a binding in a policy refers to a deleted member (for example, deleted:user:bob@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:bob@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.
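The deleted-member entries (this one, the July 1, 2020 entry, and the October 15, 2020 entry that lifted the restriction) and the February 21, 2020 entry on `withcond` role names both describe things that appear inside a fetched IAM policy and that a read-modify-write script must handle before calling SetIamPolicy. The following is an added example, not Google's code or client library: it parses `deleted:...?uid=...` members, strips or replaces them following the guidance above (remove the deleted member from the binding, then add the new one), and refuses to edit a version 1 policy that shows `withcond` roles, since such a policy has conditions and must be re-fetched with requestedPolicyVersion 3. The policy documents, member names and etag values are constructed for the example.

```python
import copy
import re

# Member form IAM writes for a deleted principal, e.g.
#   deleted:user:tamika@example.com?uid=123456789012345678901
_DELETED = re.compile(
    r"^deleted:(?P<type>user|serviceAccount|group):(?P<id>[^?]+)\?uid=(?P<uid>\d+)$")
# Version 1 rendering of a conditional binding, e.g.
#   roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8
_WITHCOND = re.compile(r"^(?P<role>.+?)_withcond_(?P<hash>[0-9a-f]+)$")


def parse_member(member):
    """Split a member string into its parts, flagging the deleted: form."""
    m = _DELETED.match(member)
    if m:
        return {"deleted": True, "type": m["type"], "id": m["id"], "uid": m["uid"]}
    kind, _, ident = member.partition(":")  # allUsers etc. have no ':' and no id
    return {"deleted": False, "type": kind, "id": ident, "uid": None}


def find_deleted_members(policy):
    return [(b["role"], mem)
            for b in policy.get("bindings", [])
            for mem in b.get("members", [])
            if parse_member(mem)["deleted"]]


def find_withcond_roles(policy):
    """(rendered role, real role) pairs; non-empty means the policy was fetched
    as version 1 but carries conditions."""
    found = []
    for b in policy.get("bindings", []):
        m = _WITHCOND.match(b["role"])
        if m:
            found.append((b["role"], m["role"]))
    return found


def can_edit(policy):
    """False when writing this policy back as-is would drop or mangle conditions."""
    return not find_withcond_roles(policy)


def strip_deleted_members(policy):
    """Copy of the policy with every deleted: member removed; empty bindings go too."""
    new = copy.deepcopy(policy)
    new["bindings"] = [
        dict(b, members=[m for m in b.get("members", []) if not parse_member(m)["deleted"]])
        for b in new.get("bindings", [])]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def add_member(policy, role, member):
    """Return a copy of the policy with `member` in the unconditional binding for
    `role`. Any deleted: entry for the same principal name is removed first; that
    is the documented fix, and before October 15, 2020 IAM otherwise applied the
    new binding to the deleted member instead of the recreated one."""
    if not can_edit(policy):
        raise ValueError("policy shows withcond roles; re-fetch with requestedPolicyVersion=3")
    new = copy.deepcopy(policy)
    target = parse_member(member)
    bindings = new.setdefault("bindings", [])
    binding = next((b for b in bindings if b["role"] == role and "condition" not in b), None)
    if binding is None:
        binding = {"role": role, "members": []}
        bindings.append(binding)
    binding["members"] = [
        m for m in binding["members"]
        if not (parse_member(m)["deleted"]
                and parse_member(m)["type"] == target["type"]
                and parse_member(m)["id"] == target["id"])]
    if member not in binding["members"]:
        binding["members"].append(member)
    return new


# Constructed policies (etag values are placeholders).
POLICY = {"version": 1, "etag": "BwWKmjvelug=", "bindings": [
    {"role": "roles/viewer",
     "members": ["deleted:user:tamika@example.com?uid=123456789012345678901",
                 "user:alice@example.com"]}]}
COND_POLICY = {"version": 1, "etag": "BwWKmjvelug=", "bindings": [
    {"role": "roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8",
     "members": ["user:alice@example.com"]}]}
```

Keep the `etag` from the GetIamPolicy response in the policy you send back so that a concurrent edit fails instead of being overwritten, and when `find_withcond_roles` reports anything, re-fetch with requestedPolicyVersion set to 3 rather than stripping the suffix yourself: the suffix is how version 1 signals a condition it cannot show you.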

September 23, 2019

The IAM recommender is now available in beta. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

September 18, 2019

You can now upload the public half of a key pair that you generate yourself for a service account. Google Cloud associates the public key with the service account and accepts tokens signed with the corresponding private key, which never leaves your control. This feature is available in beta.

August 20, 2019

The Service Account Credentials API is now generally available. Use this API to create short-lived service account credentials.

March 28, 2019

When you create or update a service account, you can now provide a description of the service account.

June 29, 2018

You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.

February 27, 2018

January 31, 2018

Custom roles are now generally available. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

For more information, see the following topics:

September 27, 2017

Custom roles are now available in beta. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

September 14, 2017

You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.

July 06, 2017

You can now learn how to configure IAM roles for networking-related job functions.

June 28, 2017

Custom roles are now available in a public alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 24, 2017

You can now learn how to configure IAM roles for billing-related job functions.

March 08, 2017

Custom roles are now available in a private alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 10, 2016

IAM is now generally available.

March 28, 2016

Documentation is now available to help you understand service accounts and use IAM securely.

March 08, 2016

IAM is now available in beta.