This page documents production updates to Cloud Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.
May 18, 2020
April 01, 2020
When you use a service account key to access Google Cloud, your audit logs now identify the key that was used.
March 17, 2020
March 05, 2020
For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.
February 28, 2020
For Cloud IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.
February 21, 2020
A version 1 Cloud IAM policy can now include conditional role bindings. The role name in these bindings includes the string withcond, followed by a hash value. For example:
If you see the string withcond in a Cloud IAM policy, follow the steps in the troubleshooting guide.
February 18, 2020
February 13, 2020
The Cloud IAM recommender is now generally available. The Cloud IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.
February 04, 2020
December 17, 2019
December 13, 2019
On December 9, we announced that Cloud IAM policies would now identify deleted members. We have temporarily reverted this change. Cloud IAM policies no longer identify deleted members.
December 12, 2019
Cloud IAM Conditions are now available in public beta. You can use Cloud IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.
December 09, 2019
Cloud IAM policies now identify deleted members that are bound to a role. Deleted members have the prefix
deleted: and the suffix
For example, if you delete the account for the user
firstname.lastname@example.org, and a policy binds that user to a role, the policy shows an identifier similar to
For SetIamPolicy requests, you can use this new syntax starting today. For SetIamPolicy responses, because we are still rolling out this change, you might see the new prefix and suffix in some, but not all, responses. We expect to complete the rollout by December 13, 2019.
If a binding in a policy refers to a deleted member (for example, deleted:user:email@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:firstname.lastname@example.org). If you try to add a binding for the newly created member, Cloud IAM will apply the binding to the deleted member instead.
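The following is an added example, not code from Google or from this page: a Python check over an exported policy that flags deleted: members, role names containing withcond, and proposed members whose name collides with a deleted member already in the policy. The identifier pattern follows the deleted-member example above; the function name, sample policy, and role names are constructed for illustration.

```python
import re

# Pattern taken from the identifier shown in the release note:
#   deleted:user:email@example.com?uid=123456789012345678901
DELETED_RE = re.compile(
    r"^deleted:(?P<type>[^:]+):(?P<name>[^?]+)\?uid=(?P<uid>\d+)$")

# Constructed sample policy. The withcond role name is a placeholder; the
# real hash value format is not shown on this page.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["deleted:user:alice@example.com?uid=123456789012345678901",
                     "user:bob@example.com"]},
        {"role": "roles/editor_withcond_PLACEHOLDERHASH",
         "members": ["serviceAccount:ci@example.com"]},
    ],
}


def audit_policy(policy, proposed_members=()):
    """Return (kind, role, member) findings for a policy dict."""
    findings = []
    deleted = {}  # live form "type:name" -> roles bound to the deleted member
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if "withcond" in role:
            findings.append(("withcond_role", role, None))
        for member in binding.get("members", []):
            m = DELETED_RE.match(member)
            if m:
                live = f"{m['type']}:{m['name']}".lower()
                deleted.setdefault(live, []).append(role)
                findings.append(("deleted_member", role, member))
            elif member.startswith("deleted:"):
                findings.append(("unparsed_deleted_member", role, member))
    # A new member with the same name would be applied to the deleted member.
    for member in proposed_members:
        for role in deleted.get(member.lower(), []):
            findings.append(("collides_with_deleted", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, ["user:alice@example.com"]):
        print(finding)
```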
September 23, 2019
The Cloud IAM recommender is now available in beta. The Cloud IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.
September 18, 2019
You can now upload a public key for a service account, which causes service account keys to be signed with that public key. This feature is available in beta.
August 20, 2019
March 28, 2019
June 29, 2018
You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.
February 27, 2018
You can now learn how to configure Cloud IAM roles to facilitate audit logging.
January 31, 2018
For more information, see the following topics:
September 27, 2017
Custom roles are now available in beta. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.
September 14, 2017
You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.
July 06, 2017
You can now learn how to configure IAM roles for networking-related job functions.
June 28, 2017
Custom roles are now available in a public alpha. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.
May 24, 2017
You can now learn how to configure IAM roles for billing-related job functions.
March 08, 2017
Custom roles are now available in a private alpha. You can create a custom Cloud IAM role with one or more permissions, then grant that custom role to users in your organization.
May 10, 2016
Cloud IAM is now generally available.
March 28, 2016
March 08, 2016
Cloud IAM is now available in beta.