IAM release notes

This page documents production updates to Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/iam-release-notes.xml

March 15, 2024

You can use the iam.serviceAccountKeyExposure organization policy constraint to help manage leaked service account credentials.

March 05, 2024

To improve performance, we've removed the ability to expand abbreviated permissions in the predefined roles table. You can still filter the predefined roles table based on the full list of permissions included in a role.

February 15, 2024

Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. The feature is in Preview. Google Cloud provisions X.509 credentials, issued from Certificate Authority Service, that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication. For more information, see Managed workload identities overview.

January 17, 2024

IAM deny policies let you deny groups of permissions for certain services. For more information, see Permission groups.

December 11, 2023

You can use identities from workforce and workload identity pools in IAM deny policies. For more information, see Principal identifiers.

September 27, 2023

You can now configure IAM workforce identity federation using the Google Cloud console. To learn more, see the configuration guides for Azure AD, Okta, or other OIDC and SAML 2.0 providers. The feature is in General Availability (GA).

September 13, 2023

You can now configure IAM workforce identity federation using the Google Cloud console. To learn more, see the configuration guides for Azure AD, Okta, or other OIDC and SAML 2.0 providers. The feature is in Preview.

August 14, 2023

For Credential Access Boundaries, removed the requirement to enable uniform bucket-level access for your Cloud Storage bucket.

July 11, 2023

Workforce identity federation now supports browser-based sign-in with the Google Cloud CLI. The feature is generally available (GA). To use it, see Browser-based sign-in in Obtain short-lived tokens for workforce identity federation, or locate the Browser-based sign-in section in the configuration guide for your identity provider.

June 22, 2023

You can trigger service agent creation instead of waiting for service agents to be created automatically. This feature is in Preview.

April 05, 2023

Workforce identity federation and workload identity federation can now accept encrypted SAML assertions. The feature is generally available (GA). To use the feature, locate the Create the workload identity pool and provider section in the configuration guide for your identity provider and follow the gcloud CLI instructions for the SAML workflow.

March 13, 2023

Workforce identity federation now supports browser-based sign-in with the Google Cloud CLI. The feature is in Preview. To use it, see Browser-based sign-in in Obtain short-lived tokens for workforce identity federation, or locate the Browser-based sign-in section in the configuration guide for your identity provider.

March 07, 2023

You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is generally available (GA).

March 03, 2023

The IAM documentation has been reorganized. We made the following changes:

  • Reorganized the left-hand navigation for the Guides tab.
  • Removed the Support tab and relocated its documents to the Resources and Guides tabs.

February 10, 2023

Workforce identity federation is generally available (GA). The feature lets you use an external identity provider to authenticate and authorize users to access supported Google Cloud products.

December 14, 2022

For information about issues with workforce identity federation, see Troubleshoot workforce identity federation.

December 01, 2022

For some users, the IAM basic and predefined roles reference is crashing or is very slow to load. We are working to mitigate this issue.

November 09, 2022

You can use the Google Cloud console to view authentication activities, which indicate when your service accounts and keys were last used to call a Google API.

October 25, 2022

Deny policies are generally available (GA). Use deny policies to prevent principals from using certain permissions, regardless of the roles they're granted.

September 20, 2022

Conceptual and reference information for IAM basic and predefined roles has been improved. You can now filter the predefined roles table, expand abbreviated permissions to see all included permissions, and quickly identify owner permissions.

August 18, 2022

Workforce identity federation now lets users from external identity providers sign in to the Google Cloud workforce identity federation console, also known as the console (federated). The console (federated) provides UI access to supported Google Cloud products. This feature is available in Preview.

July 07, 2022

Workforce identity federation lets you authenticate and authorize users from external identity providers to access supported Google Cloud products. This feature is available in Preview.

June 30, 2022

In June 2022, IAM had an issue that resulted in excess usage metrics for service accounts and service account keys when any of the following actions were performed:

Each time you took any of these actions, Cloud Monitoring recorded an authentication usage metric for the parent service account, and for each of its service account keys, regardless of whether you used the service account or its keys to authenticate. These excess metrics were visible in Cloud Monitoring, and in the metrics for individual service accounts and keys, from June 7, 2022, through June 17, 2022.

In addition, these excess metrics were visible in other systems that use data from Cloud Monitoring, including Activity Analyzer, which shows when service accounts and keys were used to authenticate, and service account insights, which provide findings about unused service accounts. Excess metrics were visible in these systems from June 7, 2022, through June 22, 2022.

This issue has been corrected, and Cloud Monitoring is no longer recording these excess metrics. However, the last authentication time for each service account and key will continue to reflect the excess metrics indefinitely, until you authenticate with the service account or key again.

May 05, 2022

Documentation for Activity Analyzer, IAM insights, IAM Policy Troubleshooter, IAM role recommendations, and IAM Policy Simulator has moved to the Policy Intelligence documentation.

April 29, 2022

Support for using workload identity federation with any SAML 2.0-compatible identity provider is now generally available.

April 25, 2022

The IAM documentation now refers to "IAM policies" as "allow policies." You might continue to see references to "IAM policies" in other documentation.

This change does not affect REST APIs, client libraries, or flags for the gcloud CLI.

April 22, 2022

IAM Conditions now provides resource attributes for Cloud SQL backup sets. You can use these resource attributes to grant access to a subset of your Cloud SQL resources.

March 25, 2022

IAM Conditions now provides resource attributes for Apigee X. You can use these resource attributes to grant access to a subset of your Apigee X resources.

March 03, 2022

You can now use deny policies to prevent principals from using certain permissions, regardless of the roles they're granted. This feature is in Preview.

January 27, 2022

You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is in Preview. To use this feature, request access to the Preview release.

December 03, 2021

The IAM documentation now explains how to choose the most appropriate predefined roles.

October 26, 2021

For Credential Access Boundaries, you can now use updated authentication libraries for Go, Java, Node.js, and Python to automatically exchange OAuth 2.0 access tokens for downscoped tokens.

For details, see Exchange and refresh the access token automatically.

October 19, 2021

The IAM page of the Cloud Console now lists lateral movement insights in addition to policy insights. Lateral movement insights are in Preview.

October 13, 2021

You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.

September 30, 2021

IAM role recommendations for folder- and organization-level roles are now generally available.

September 20, 2021

The IAM documentation now refers to the identities that can be granted access to a resource as principals. Previously, these identities were known as members.

This change does not affect the REST API, the client libraries, or the flags for the gcloud command-line tool.

The reference documentation for predefined roles now uses a new format that is easier to browse.

September 16, 2021

August 27, 2021

Managing Google Groups from the Cloud Console is now generally available.

August 02, 2021

You can now use Activity Analyzer to see when your service accounts and keys were last used to call a Google API. This feature is in Preview.

July 27, 2021

Recommender now generates lateral movement insights, which identify roles that allow a service account in one project to impersonate a service account in another project. You can manage lateral movement insights using the gcloud command-line tool or the Recommender REST API. This feature is available in Preview.

July 22, 2021

A C++ client library for IAM is now available. The client library supports the IAM API and the Service Account Credentials API.

July 21, 2021

You can now set limits on the Cloud Storage roles that a member can grant and revoke. This is possible because Cloud Storage now recognizes the modifiedGrantsByRole API attribute in conditions.

June 10, 2021

The documentation for IAM role recommendations now has more detail about how insights are used to generate recommendations.

May 14, 2021

You can now use the Google Cloud Console to manage workload identity federation. For details, see the documentation for your identity provider:

May 10, 2021

The ability to attach service accounts to resources in other projects is now generally available.

April 09, 2021

Workload identity federation is now generally available. You can use workload identity federation to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

April 07, 2021

You can now get recommendations for folder- and organization-level role bindings using the gcloud command-line tool and REST API. This feature is available in Preview.

April 01, 2021

Policy Simulator is now generally available. You can use Policy Simulator to simulate policy changes before you apply them.

March 16, 2021

Tags are now generally available. You can attach tags to resources, then use the tags to manage access to your resources.

March 04, 2021

For workload identity federation, available in beta, you can now use updated client libraries for C++, Go, Java, Node.js, and Python to automatically obtain Google credentials.

For details, see the documentation for your identity provider:

February 24, 2021

You can now use Policy Simulator to simulate policy changes before you apply them. This feature is available in Preview.

February 16, 2021

You can now use IAM conditions to set limits on the roles that a member can grant and revoke. This feature is generally available.

February 09, 2021

You can now attach tags to resources, then use the tags to manage access to your resources. This feature is available in Preview.

If you run one of the gcloud tool's add-iam-policy-binding commands, and the IAM policy contains conditional role bindings for that role, the gcloud tool prompts you to choose one of the condition expressions that exists in the policy. If you choose a condition expression that contains a comma, the command fails.

To work around this issue, use the --condition flag to specify a condition expression on the command line.

January 20, 2021

You can now troubleshoot conditional role bindings by troubleshooting directly from audit log entries. This feature is available in Preview.

December 17, 2020

You can now attach service accounts to resources in other projects. This feature is available in Preview.

December 14, 2020

You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is generally available.

November 24, 2020

IAM Conditions: Starting on February 26, 2021, if a permission check encounters an unsupported attribute in a conditional role binding, it will never interpret that part of the condition as granting access.

To prevent access issues, limit the scope of conditions when necessary, especially if a condition checks the resource.name attribute.

November 12, 2020

IAM Conditions now provides resource attributes for Pub/Sub Lite. You can use these resource attributes to grant access to a subset of your Pub/Sub Lite subscriptions and topics.

October 16, 2020

Credential Access Boundaries are now generally available. Use Credential Access Boundaries to downscope the permissions that a short-lived credential can use to access a Cloud Storage bucket.

You can now manage service account insights generated by the IAM recommender. This feature is available in beta.

October 15, 2020

If a role binding in an IAM policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you can now add role bindings for a newly created member with the same name (in this case, user:tamika@example.com). The role bindings always apply to the newly created member.

For details, see the documentation for policies with deleted members.

October 09, 2020

The documentation now provides details about service agents for all publicly available services. A service agent is a special type of service account that is created and managed by Google, and is used by Google Cloud services to access your resources.

September 21, 2020

You can now use workload identity federation, available in beta, to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

September 17, 2020

The issue with undeleting service accounts has been resolved. You can now undelete most service accounts that meet the criteria for undeletion.

September 16, 2020

The documentation now includes a quickstart demonstrating how to modify IAM policies using client libraries.

September 09, 2020

You cannot undelete most service accounts at this time. Our engineering team is working to resolve this issue.

August 28, 2020

New features are available for Credential Access Boundaries, currently in beta:

  • You can now manage permissions for Cloud Storage objects, in addition to buckets.
  • You can now use IAM Conditions to control which permissions are available in a short-lived OAuth 2.0 access token. For an example, see Limit permissions for specific objects.
  • You can now use Credential Access Boundaries with a Cloud Storage bucket that does not use uniform bucket-level access.

For Credential Access Boundaries, currently in beta, you must migrate to a new API endpoint, sts.googleapis.com. To learn how to use the new API endpoint, see Exchanging the OAuth 2.0 access token.

August 25, 2020

Uploading public keys for service accounts is now generally available.

August 18, 2020

The documentation now provides a list of the resource types that accept IAM policies.

August 14, 2020

You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is available in beta.

You can now use an organization policy to extend the maximum lifetime for OAuth 2.0 access tokens that you create for a service account.

August 05, 2020

You can now manage policy insights generated by the IAM recommender. This feature is generally available.

July 31, 2020

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on September 14, 2020.

The documentation now describes best practices for using the IAM recommender.

July 20, 2020

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on August 31, 2020.

July 01, 2020

The organization policy constraint to prevent automatic role grants to IAM service accounts is now generally available. To improve security, we strongly recommend that you enable this constraint.

Starting on July 27, 2020, IAM policies will identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=numeric-id.

For example, if you delete the account for the user tamika@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:tamika@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting on July 27. For GetIamPolicy and SetIamPolicy responses, you might see the new prefix and suffix in some, but not all, responses until we finish rolling out the change. We expect to complete the rollout by July 31, 2020.

See the documentation for a detailed example, as well as guidance on updating policies that contain deleted members.

Starting on July 27, 2020, if a binding in a policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:tamika@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.

To resolve this issue, see our guidance on updating policies that contain deleted members.

June 22, 2020

Using the IAM API to sign JSON Web Tokens (JWTs) or binary blobs is now deprecated.

May 19, 2020

You can now manage Google Groups from the Cloud Console. This feature is available in beta.

May 18, 2020

Recommendations from the IAM recommender can now include suggestions to create custom roles.

April 01, 2020

When you use a service account key to access Google Cloud, your audit logs now identify the key that was used.

March 17, 2020

Forwarding rule attributes for IAM Conditions are now generally available. You can use these attributes to specify the types of forwarding rules that a member can create.

March 05, 2020

For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.

February 28, 2020

IAM Conditions are now generally available. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

For IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.

February 21, 2020

A version 1 IAM policy can now include conditional role bindings. The role name in these bindings includes the string withcond, followed by a hash value. For example: roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8

If you see the string withcond in an IAM policy, follow the steps in the troubleshooting guide.

February 18, 2020

February 13, 2020

The IAM recommender is now generally available. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

February 04, 2020

IAM Conditions now supports forwarding rule attributes, currently in beta. You can use these attributes to specify the types of forwarding rules that a member can create.

December 17, 2019

Policy Troubleshooter is now generally available. Use Policy Troubleshooter to determine why a user has access to a resource or doesn't have permission to call an API.

December 13, 2019

On December 9, we announced that IAM policies would now identify deleted members. We have temporarily reverted this change. IAM policies no longer identify deleted members.

December 12, 2019

IAM Conditions are now available in public beta. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

December 09, 2019

IAM policies now identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=[NUMERIC_ID].

For example, if you delete the account for the user bob@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:bob@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting today. For GetIamPolicy and SetIamPolicy responses, because we are still rolling out this change, you might see the new prefix and suffix in some, but not all, responses. We expect to complete the rollout by December 13, 2019.

If a binding in a policy refers to a deleted member (for example, deleted:user:bob@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:bob@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.
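An added example (not from the IAM documentation) that audits an exported allow policy for the two markers these notes describe: deleted members (prefix deleted:, suffix ?uid=) and version 1 role names containing withcond. The sample policy is constructed, the function and field names are hypothetical, and treating the withcond hash as hexadecimal is an assumption based on the single example shown on this page.

```python
import json
import re

# Deleted principal: "deleted:" + original identifier + "?uid=" + numeric id.
DELETED_RE = re.compile(r"^deleted:(?P<live>[A-Za-z]+:[^?]+)\?uid=(?P<uid>\d+)$")
# Conditional binding seen through a version 1 policy: role + "_withcond_" + hash.
# Assumption: the hash is hexadecimal, as in the one example on this page.
WITHCOND_RE = re.compile(r"^(?P<role>.+)_withcond_(?P<hash>[0-9A-Fa-f]+)$")

# Constructed sample in the usual allow-policy JSON shape (bindings of role + members).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["deleted:user:tamika@example.com?uid=123456789012345678901",
                 "user:tamika@example.com",
                 "group:auditors@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8",
     "members": ["deleted:serviceAccount:build@example-project.iam.gserviceaccount.com?uid=109876543210987654321"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ]
}
""")


def audit_policy(policy):
    """Return findings for deleted members and withcond role names in a policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])

        cond = WITHCOND_RE.match(role)
        if cond:
            # The policy was read at version 1 but holds a conditional binding.
            findings.append({"type": "withcond_role", "role": role,
                             "base_role": cond["role"]})

        present = set(members)
        for member in members:
            deleted = DELETED_RE.match(member)
            if not deleted:
                continue
            findings.append({
                "type": "deleted_member",
                "role": role,
                "member": member,
                "uid": deleted["uid"],
                # True when a principal with the same name is also bound to this
                # role, i.e. the account was recreated and both entries coexist.
                "recreated_in_same_binding": deleted["live"] in present,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(json.dumps(finding))
```
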

September 23, 2019

The IAM recommender is now available in beta. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

September 18, 2019

You can now upload a public key for a service account, which causes service account keys to be signed with that public key. This feature is available in beta.

August 20, 2019

The Service Account Credentials API is now generally available. Use this API to create short-lived service account credentials.

March 28, 2019

When you create or update a service account, you can now provide a description of the service account.

June 29, 2018

You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.

February 27, 2018

January 31, 2018

Custom roles are now generally available. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

For more information, see the following topics:

September 27, 2017

Custom roles are now available in beta. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

September 14, 2017

You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.

July 06, 2017

You can now learn how to configure IAM roles for networking-related job functions.

June 28, 2017

Custom roles are now available in a public alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 24, 2017

You can now learn how to configure IAM roles for billing-related job functions.

March 08, 2017

Custom roles are now available in a private alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 10, 2016

IAM is now generally available.

March 28, 2016

Documentation is now available to help you understand service accounts and use IAM securely.

March 08, 2016

IAM is now available in beta.