This page documents production updates to Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
September 26, 2025
For Privileged Access Manager, notification emails for grant activation, activation failure, or denial no longer include approver details.
To learn how to view the approver details, see Check grant status.
September 12, 2025
IAM offers predefined roles that are tailored to specific job functions. These roles cover all of the permissions that a user might need to perform their job. This feature is generally available.
For more information, see Predefined roles for job functions.
July 21, 2025
You can ask Gemini for predefined role suggestions using the IAM role picker in the Google Cloud console. This feature is in preview.
For more information, see Get predefined role suggestions with Gemini assistance.
June 13, 2025
Conditions that check the tags for a resource can also check other attributes, such as the resource name or the timestamp of the request. This feature is available in Preview. For more information, see Resource tags.
May 28, 2025
Workforce Identity Federation supports detailed audit logging, which you can use to troubleshoot attribute mapping issues. This feature is generally available.
May 15, 2025
The predefined role reference and the permissions reference have been reorganized to improve performance and searchability. To see the new experience, visit the IAM roles and permissions index.
May 05, 2025
A new enforcement version, enforcement version 3, is available for principal access boundary policies. To learn more about enforcement versions and see the permissions that enforcement version 3 can block, see Permissions that principal access boundary policies can block.
February 24, 2025
Workforce Identity Federation supports an attribute mapping of up to 400 groups and a maximum size of 16 KB.
Workforce Identity Federation can map up to 400 groups from Microsoft Entra ID. The feature is generally available. To learn more, see Configure Workforce Identity Federation with Microsoft Entra ID and a large number of groups.
December 16, 2024
Principal access boundary policies are generally available. You can use principal access boundary policies to limit the resources that a principal is eligible to access.
December 09, 2024
You can use the iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts managed organization policy constraint to prevent default service accounts from being granted the Editor (roles/editor) or Owner (roles/owner) roles. For more information, see Prevent the Owner and Editor role from being granted to default service accounts.
Using IAM attributes in custom organization policies is generally available. For more information, see Use custom organization policies.
September 16, 2024
Privileged Access Manager (PAM) is now released to General Availability. The following features have been added:
- Alerting on any external modifications to access grants outside of PAM.
- VPC Service Controls integration for PAM, which allows customers to enforce authorized network access or require specific access context while using PAM.
- Pub/Sub integration for custom alerting and monitoring.
September 12, 2024
You can manage IAM deny policies using the Google Cloud console. For more information, see Deny access to resources.
July 30, 2024
You can use IAM attributes in custom organization policies to control how your allow policies can be modified. For more information, see Use custom organization policies.
June 10, 2024
You can use principal access boundary policies to limit the resources that a principal is eligible to access. This feature is available in Preview.
May 03, 2024
As of May 3, 2024, when you create a new organization, it enforces the following organization policy constraints by default:
- iam.disableServiceAccountKeyCreation
- iam.disableServiceAccountKeyUpload
- iam.automaticGrantsForDefaultServiceAccounts
- iam.allowedPolicyMemberDomains
For more information, see Restricting service account usage and Restricting identities by domain.
March 15, 2024
You can use the iam.serviceAccountKeyExposureResponse organization policy constraint to help manage leaked service account credentials.
February 15, 2024
Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. The feature is in Preview. Google Cloud provisions X.509 credentials, issued from Certificate Authority Service, that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication. For more information, see Managed workload identities overview.
December 11, 2023
You can use identities from workforce and workload identity pools in IAM deny policies. For more information, see Principal identifiers.
June 22, 2023
You can trigger service agent creation instead of waiting for service agents to be created automatically. This feature is in Preview.
March 07, 2023
You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is generally available (GA).
October 25, 2022
Deny policies are generally available (GA). Use deny policies to prevent principals from using certain permissions, regardless of the roles they're granted.
August 18, 2022
Workforce identity federation now lets users from external identity providers sign in to the Google Cloud workforce identity federation console, also known as the console (federated). The console (federated) provides UI access to supported Google Cloud products. This feature is available in Preview.
June 30, 2022
In June 2022, IAM had an issue that resulted in excess usage metrics for service accounts and service account keys when any of the following actions were performed:
- Listing service account keys
- Getting a service account key
- Disabling a service account key
- Enabling a service account key
Each time you took any of these actions, Cloud Monitoring recorded an authentication usage metric for the parent service account, and for each of its service account keys, regardless of whether you used the service account or its keys to authenticate. These excess metrics were visible in Cloud Monitoring, and in the metrics for individual service accounts and keys, from June 7, 2022, through June 17, 2022.
In addition, these excess metrics were visible in other systems that use data from Cloud Monitoring, including Activity Analyzer, which shows when service accounts and keys were used to authenticate, and service account insights, which provide findings about unused service accounts. Excess metrics were visible in these systems from June 7, 2022, through June 22, 2022.
This issue has been corrected, and Cloud Monitoring is no longer recording these excess metrics. However, the last authentication time for each service account and key will continue to reflect the excess metrics indefinitely, until you authenticate with the service account or key again.
May 05, 2022
Documentation for Activity Analyzer, IAM insights, IAM Policy Troubleshooter, IAM role recommendations, and IAM Policy Simulator has moved to the Policy Intelligence documentation.
April 29, 2022
Support for using workload identity federation with any SAML 2.0-compatible identity provider is now generally available.
April 25, 2022
The IAM documentation now refers to "IAM policies" as "allow policies." You might continue to see references to "IAM policies" in other documentation.
This change does not affect REST APIs, client libraries, or flags for the gcloud CLI.
January 27, 2022
You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is in Preview. To use this feature, request access to the Preview release.
December 03, 2021
The IAM documentation now explains how to choose the most appropriate predefined roles.
October 26, 2021
For Credential Access Boundaries, you can now use updated authentication libraries for Go, Java, Node.js, and Python to automatically exchange OAuth 2.0 access tokens for downscoped tokens.
For details, see Exchange and refresh the access token automatically.
October 19, 2021
The IAM page of the Cloud Console now lists lateral movement insights in addition to policy insights. Lateral movement insights are in Preview.
October 13, 2021
You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.
September 30, 2021
IAM role recommendations for folder- and organization-level roles are now generally available.
September 20, 2021
The reference documentation for predefined roles now uses a new format that is easier to browse.
The IAM documentation now refers to the identities that can be granted access to a resource as principals. Previously, these identities were known as members.
This change does not affect the REST API, the client libraries, or the flags for the gcloud command-line tool.
September 16, 2021
You can now disable and enable service account keys.
August 27, 2021
Managing Google Groups from the Cloud Console is now generally available.
August 02, 2021
You can now use Activity Analyzer to see when your service accounts and keys were last used to call a Google API. This feature is in Preview.
July 27, 2021
Recommender now generates lateral movement insights, which identify roles that allow a service account in one project to impersonate a service account in another project. You can manage lateral movement insights using the gcloud command-line tool or the Recommender REST API. This feature is available in Preview.
April 07, 2021
You can now get recommendations for folder- and organization-level role bindings using the gcloud command-line tool and REST API. This feature is available in Preview.
March 16, 2021
Tags are now generally available. You can attach tags to resources, then use the tags to manage access to your resources.
February 24, 2021
You can now use Policy Simulator to simulate policy changes before you apply them. This feature is available in Preview.
February 16, 2021
You can now use IAM conditions to set limits on the roles that a member can grant and revoke. This feature is generally available.
January 20, 2021
You can now troubleshoot conditional role bindings by troubleshooting directly from audit log entries. This feature is available in Preview.
December 17, 2020
You can now attach service accounts to resources in other projects. This feature is available in Preview.
December 14, 2020
You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is generally available.
November 24, 2020
IAM Conditions: Starting on February 26, 2021, if a permission check encounters an unsupported attribute in a conditional role binding, it will never interpret that part of the condition as granting access.
To prevent access issues, limit the scope of conditions when necessary, especially if a condition checks the resource.name attribute.
November 12, 2020
IAM Conditions now provides resource attributes for Pub/Sub Lite. You can use these resource attributes to grant access to a subset of your Pub/Sub Lite subscriptions and topics.
October 16, 2020
Credential Access Boundaries are now generally available. Use Credential Access Boundaries to downscope the permissions that a short-lived credential can use to access a Cloud Storage bucket.
October 15, 2020
If a role binding in an IAM policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you can now add role bindings for a newly created member with the same name (in this case, user:tamika@example.com). The role bindings always apply to the newly created member.
For details, see the documentation for policies with deleted members.
September 17, 2020
The issue with undeleting service accounts has been resolved. You can now undelete most service accounts that meet the criteria for undeletion.
September 16, 2020
The documentation now includes a quickstart demonstrating how to modify IAM policies using client libraries.
September 09, 2020
You cannot undelete most service accounts at this time. Our engineering team is working to resolve this issue.
August 28, 2020
New features are available for Credential Access Boundaries, currently in beta:
- You can now manage permissions for Cloud Storage objects, in addition to buckets.
- You can now use IAM Conditions to control which permissions are available in a short-lived OAuth 2.0 access token. For an example, see Limit permissions for specific objects.
- You can now use Credential Access Boundaries with a Cloud Storage bucket that does not use uniform bucket-level access.
For Credential Access Boundaries, currently in beta, you must migrate to a new API endpoint, sts.googleapis.com. To learn how to use the new API endpoint, see Exchanging the OAuth 2.0 access token.
August 18, 2020
The documentation now provides a list of the resource types that accept IAM policies.
August 14, 2020
You can now use an organization policy to extend the maximum lifetime for OAuth 2.0 access tokens that you create for a service account.
August 05, 2020
You can now manage policy insights generated by the IAM recommender. This feature is generally available.
July 31, 2020
The documentation now describes best practices for using the IAM recommender.
July 01, 2020
Starting on July 27, 2020, if a binding in a policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:tamika@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.
To resolve this issue, see our guidance on updating policies that contain deleted members.
May 19, 2020
You can now manage Google Groups from the Cloud Console. This feature is available in beta.
April 01, 2020
When you use a service account key to access Google Cloud, your audit logs now identify the key that was used.
March 17, 2020
Forwarding rule attributes for IAM Conditions are now generally available. You can use these attributes to specify the types of forwarding rules that a member can create.
March 05, 2020
For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.
February 28, 2020
For IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.
December 17, 2019
Policy Troubleshooter is now generally available. Use Policy Troubleshooter to determine why a user has access to a resource or doesn't have permission to call an API.
December 13, 2019
On December 9, we announced that IAM policies would now identify deleted members. We have temporarily reverted this change. IAM policies no longer identify deleted members.
December 09, 2019
If a binding in a policy refers to a deleted member (for example, deleted:user:bob@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:bob@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.
September 18, 2019
You can now upload a public key for a service account, which causes service account keys to be signed with that public key. This feature is available in beta.
August 20, 2019
The Service Account Credentials API is now generally available. Use this API to create short-lived service account credentials.
June 29, 2018
You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.
September 27, 2017
Custom roles are now available in beta. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.
September 14, 2017
You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.
July 06, 2017
You can now learn how to configure IAM roles for networking-related job functions.
May 10, 2016
IAM is now generally available.
March 28, 2016
Documentation is now available to help you understand service accounts and use IAM securely.
March 08, 2016
IAM is now available in beta.