Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

October 26, 2025

Google SecOps SIEM

Release 6.3.65 is being rolled out to the first phase of regions as listed here.

This release contains the following changes:

Delete high-load environments

You can now easily delete environments with heavy loads directly from the platform.

Google SecOps SOAR

Release 6.3.65 is being rolled out to the first phase of regions as listed here.

This release contains the following changes:

Delete high-load environments

You can now easily delete environments with heavy loads directly from the platform.

October 25, 2025

Google SecOps SIEM

Release 6.3.64 is now available for all regions.

Google SecOps SOAR

Release 6.3.64 is now available for all regions.

October 24, 2025

Config Controller

Config Controller now uses the following versions of its included products:

Virtual Private Cloud

You can view IP address utilization when you list or describe subnets. IP address utilization displays the number of free and allocated IP addresses in a subnet. This feature is available in General Availability.

October 23, 2025

BigQuery

BigQuery is now offering early access to conversational analytics. Conversational analytics accelerates data analysis by enabling quick insights through natural language. Users can chat with their BigQuery data, create custom agents, and access those agents even outside of BigQuery. To enroll in conversational analytics early access, fill out the request form.

Cloud Monitoring

You can now use the Google Cloud CLI and the Cloud Monitoring API to list incidents and get incident details. This feature is in Public Preview. For more information, see the following pages:

Cloud SQL for PostgreSQL

Cloud SQL now proactively detects and works to cancel high memory usage connections to prevent out-of-memory (OOM) failures. For more information, see Cancelled queries due to high memory usage.

Generative AI on Vertex AI

The following models are available through Model Garden:

Looker

Conversational Analytics in Looker

The following features are available in Preview for use with Conversational Analytics in Looker instances that are running Looker 25.18 or later:

Looker now supports cloning a public Git repository using an https:// URL. Looker does not support cloning Git repositories using git:// URLs.

October 22, 2025

BigQuery

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some BigQuery sharing resources. For more information, see Manage Sharing data exchanges and listings using custom constraints. This feature is in preview.

Support for table parameters in table-value functions (TVFs) has been temporarily disabled. We are working to restore this feature as soon as possible.

BigQuery ML now offers a built-in TimesFM univariate time series forecasting model that implements Google Research's open source TimesFM model. You can use BigQuery ML's built-in TimesFM model with the following functions:

  • Use AI.FORECAST to perform forecasting. This function now supports a larger context window.
  • Use AI.EVALUATE to evaluate forecasted data against a reference time series based on historical data.

To try using a TimesFM model with the AI.FORECAST function, see Forecast a time series with a TimesFM univariate model.

This feature is generally available (GA).

Dataproc

Announcing the General Availability (GA) of Lightning Engine for Google Cloud Serverless for Apache Spark. Lightning Engine is a high-performance query accelerator that delivers up to 4.3x faster performance for Spark workloads compared to open-source Spark, as measured on TPC-H-like benchmarks.

For more details on enabling Lightning Engine and its advanced features like Native Query Execution (NQE), see the official documentation.

Serverless for Apache Spark: With the Lightning Engine GA release, the property that enables the Native Query Execution (NQE) feature has been updated.

In order to use Lightning Engine, submit your jobs in the Premium tier. Under Lightning Engine, if you would like to use the NQE feature, set the new flag: spark.dataproc.lightningEngine.runtime=native. Users are encouraged to try this feature to explore the full potential of Lightning Engine.

For backward compatibility, the legacy property that was used to enable NQE, spark.dataproc.runtimeEngine=native, will continue to be honored in the existing runtimes 1.2, 2.2 and 2.3, but it's not supported in future releases (3.0+ runtimes).

Google Kubernetes Engine

(2025-R44) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

Regular channel

Stable channel

Extended channel

No channel

(2025-R44) Security updates

This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.

To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:

GKE version          Container-Optimized OS version  Details
1.28.15-gke.2793000  cos-113-18244-448-63            cos-113-18244-448-63 release notes
1.29.15-gke.2085000  cos-113-18244-448-63            cos-113-18244-448-63 release notes
1.30.14-gke.1408000  cos-113-18244-448-63            cos-113-18244-448-63 release notes
1.31.13-gke.1123000  cos-117-18613-339-84            cos-117-18613-339-84 release notes
1.32.9-gke.1207000   cos-117-18613-339-84            cos-117-18613-339-84 release notes
1.33.5-gke.1308000   cos-121-18867-199-88            cos-121-18867-199-88 release notes
1.34.0-gke.2201000   cos-121-18867-199-28            cos-121-18867-199-28 release notes
1.34.1-gke.1829001   cos-125-19216-0-94              cos-125-19216-0-94 release notes

Google SecOps Marketplace

SentinelOneV2: Version 42.0

  • The following new actions have been added:
    • Create Device Control Rule
    • Delete Device Control Rule
    • Update Device Control Rule

CrowdStrike Falcon: Version 67.0

  • Fixed a bug where the Contains filter would fail to find hosts when the Max Hosts To Return limit was applied in the following action:
    • List Host

CSV: Version 34.0

  • Fixed a bug that caused inconsistent column order for the same JSON input by stabilizing the order based on the keys of the first object in the list in the following action:
    • Save Json to CSV

DomainTools: Version 8.0

  • Extended capabilities in the following action:
    • Get Domain Risk
  • Added support for the domain entity type in the following actions:
    • Get Domain Profile
    • Get Domain Risk
    • Reverse Domain

Google SecOps SIEM

SentinelOneV2: Version 42.0

  • The following new actions have been added:
    • Create Device Control Rule
    • Delete Device Control Rule
    • Update Device Control Rule

CrowdStrike Falcon: Version 67.0

  • Fixed a bug where the Contains filter would fail to find hosts when the Max Hosts To Return limit was applied in the following action:
    • List Host

CSV: Version 34.0

  • Fixed a bug that caused inconsistent column order for the same JSON input by stabilizing the order based on the keys of the first object in the list in the following action:
    • Save Json to CSV

DomainTools: Version 8.0

  • Extended capabilities in the following action:
    • Get Domain Risk
  • Added support for the domain entity type in the following actions:
    • Get Domain Profile
    • Get Domain Risk
    • Reverse Domain

earliest and latest functions supported in Rules and Dashboards

The earliest and latest YARA-L functions for statistics and aggregations are now supported in Rules and Dashboards, in addition to Search.

For more information, see earliest and latest.

Google SecOps SOAR

SentinelOneV2: Version 42.0

  • The following new actions have been added:
    • Create Device Control Rule
    • Delete Device Control Rule
    • Update Device Control Rule

CrowdStrike Falcon: Version 67.0

  • Fixed a bug where the Contains filter would fail to find hosts when the Max Hosts To Return limit was applied in the following action:
    • List Host

CSV: Version 34.0

  • Fixed a bug that caused inconsistent column order for the same JSON input by stabilizing the order based on the keys of the first object in the list in the following action:
    • Save Json to CSV

DomainTools: Version 8.0

  • Extended capabilities in the following action:
    • Get Domain Risk
  • Added support for the domain entity type in the following actions:
    • Get Domain Profile
    • Get Domain Risk
    • Reverse Domain

Memorystore for Redis

We have implemented a security fix for CVE-2025-49844.

Memorystore for Valkey

We have implemented a security fix for CVE-2025-49844.

Policy Intelligence

The issue that caused IAM recommender role recommendations to be inaccurate and out of date is fixed.

reCAPTCHA

reCAPTCHA Mobile SDK v18.8.1 is available for iOS. This version fixes an issue with iOS 26 screen time showing use from recaptcha.net.

October 21, 2025

AI Hypercomputer

Generally available: You can use future reservations in AI Hypercomputer to request to reserve capacity starting on a specific date up to one year in the future. For more information, see Reserve capacity.

BigQuery

BigQuery now supports TransUnion for entity resolution. This feature is generally available (GA).

Cloud NAT

Private NAT supports Cloud Run in General Availability. For more information, see Supported resources.

Cloud Run

Support for configuring GPU for your Cloud Run job is in General Availability (GA).

Direct VPC egress now supports Private NAT (GA).

Compute Engine

Version 20251009.01 of the guest agent, announced in the October 20, 2025 release notes, has been rolled back. This version introduced the plugin-based architecture to Windows but contained a bug in the WSFC module. To resolve this issue, guest agent version 20251011.00 is now available for Windows, which excludes the new plugin-based architecture.

Generally available: You can use future reservations to request to reserve capacity starting on a specific date up to one year in the future. For more information, see About future reservation requests.

The kernel dist-tag that supports the Rocky Linux Optimized and Accelerator images on Compute Engine is being updated from elX_ycld_next to elX_y_ciq as part of the consolidation of CIQ's kernel trees. There are no changes to Secure Boot or GPG signing keys.

For example, 6.12.0-55.32.1.el10_0cld_next.2.1 changes to 6.12.0-55.39.1.el10_0_ciq.2.1, where the cld_next tag is swapped with ciq.

This change affects the Rocky Linux 8, 9, and 10 optimized and accelerator images in an upcoming kernel update over the next month. The major version 8 and 9 kernels now include FIPS 140-3 patches as part of CIQ's ongoing FIPS 140-3 validation efforts for Rocky Linux. These patches have no effect if FIPS mode is not enabled. There are no code changes to the major version 10 kernel.

The kernel source tree is available at CIQ's kernel-src-tree GitHub repository.

Generative AI on Vertex AI

On September 23, 2025, we discovered a technical issue in the Vertex AI API that resulted in a limited number of responses being misrouted between recipients for certain third-party models when using streaming requests. This issue is now resolved. Google models, e.g. Gemini, were not impacted.

Some internal proxies did not properly handle HTTP requests that have an Expect: 100-continue header, resulting in a desynchronization in a streaming response connection, where a response intended for one request was instead delivered as the response for a subsequent request.

For more information, see Security bulletins.

Google Kubernetes Engine

The G4 VM, powered by NVIDIA's RTX PRO 6000 Blackwell Server Edition GPUs with the AMD EPYC Turin CPU platform, is generally available on GKE. G4 instances have up to 384 vCPUs, 1,440 GB of memory, 12 TiB of Titanium SSD disks attached, and up to 400 Gbps of standard network performance. The G4 VM offers a leap in performance with up to 9 times the throughput of G2 instances for workloads such as AI development and graphics rendering. G4 VMs are currently available with 1, 2, 4, or 8 GPUs.

Google SecOps

Premium Fortinet Firewall parser now available as Release Candidate

This enhanced parser is available as a Release Candidate for the next 2 months. To opt in and begin testing it, go to SIEM Settings > Parsers. We encourage you to try it out and evaluate the improvements before it becomes the default.

Google SecOps SIEM

Premium Fortinet Firewall parser now available as Release Candidate

This enhanced parser is available as a Release Candidate for the next 2 months. To opt in and begin testing it, go to SIEM Settings > Parsers. We encourage you to try it out and evaluate the improvements before it becomes the default.

Guest Environment

Version 20251009.01 of the guest agent, announced in the October 20, 2025 release notes, has been rolled back. This version introduced the plugin-based architecture to Windows but contained a bug in the WSFC module. To resolve this issue, guest agent version 20251011.00 is now available for Windows, which excludes the new plugin-based architecture.

Looker

The new Looker Status Dashboard provides real-time updates about service availability or disruptions for Looker-hosted instances. For more information, see the Monitor Looker status documentation page.

Memorystore for Valkey

You can now use self-service maintenance to update your instance to a newer version. This feature is Generally Available.

Security Command Center

The release note for Security Command Center and attack path simulations, published on October 16, 2025, was updated to clarify that attack path simulations use Compute Engine and Google Kubernetes Engine OS and software vulnerability findings to detect toxic combinations and chokepoints.

Text-to-Speech

Chirp 3: instant custom voice now supports voice cloning key generation in the eu and us regions. For more information, see the Chirp 3: instant custom voice page.

October 20, 2025

App Engine flexible environment Go

Support for TLS version 1.2 and later, along with a corresponding secure set of cipher suites, is in General Availability (GA).

App Engine flexible environment PHP

Support for TLS version 1.2 and later, along with a corresponding secure set of cipher suites, is in General Availability (GA).

BigQuery

You can now use visualization cells to automatically generate a visualization of any DataFrame in your notebook. You can customize the columns, chart type, aggregations, colors, labels, and title.

This feature is in Preview.

In BigQuery ML, you can now fully manage open models as Vertex AI endpoints. BigQuery-managed open models offer the following benefits:

This feature is in Preview.

Cloud Run

Direct VPC egress now supports VPC Flow Logs (Preview).

Colab Enterprise

Visualization cells

Preview: You can use visualization cells to generate interactive and editable visualizations from within a Colab Enterprise notebook. You can configure the chart type, aggregation, colors, labels, and other aspects of the visualization to help you explore data and discover insights. For more information, see Use visualization cells.

Compute Engine

Version 20251009.01 of the guest agent, which introduces the plugin-based architecture to Windows, is now available.

For more information about the plugin-based architecture, see Guest agent.

A vulnerability affecting AMD Zen 5 processors (Turin) was discovered and is being addressed. For more information, see the GCP-2025-058 security bulletin.

Generally Available: The G4 accelerator-optimized machine series is designed for graphics-intensive workloads such as NVIDIA Omniverse simulations, video transcoding, and virtual desktops. The G4 machine series also provides a cost-effective solution for single-host inference and model tuning. The G4 machine series is now available in the following regions and zones:

  • APAC
    • Jurong West, Singapore: asia-southeast1-b
  • Europe:
    • Eemshaven, Netherlands: europe-west4-a
  • North America
    • Council Bluffs, Iowa: us-central1-b
    • Ashburn, Virginia: us-east4-c
    • Columbus, Ohio: us-east5-c

To get started with G4 machine types, see Create a G2 or G4 instance.

Confidential VM

A vulnerability affecting AMD Zen 5 processors (Turin) was discovered and is being addressed. For more information, see the GCP-2025-058 security bulletin.

Guest Environment

Version 20251009.01 of the guest agent, which introduces the plugin-based architecture to Windows, is now available.

For more information about the plugin-based architecture, see Guest agent.

Security Command Center

Virtual Private Cloud

VPC Flow Logs supports logging for Cloud Run resources that are configured with Direct VPC egress. This feature is available in General Availability.

For more information, see Serverless flows and ServerlessDetails field format.

October 19, 2025

Google SecOps SIEM

Release 6.3.64 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

Google SecOps SOAR

Release 6.3.64 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

October 18, 2025

Compute Engine

Generally Available: You can now access the Compute Engine alpha API at the project level through a self-service process. By enabling the alpha API, you can use the Google Cloud console, Google Cloud CLI, API, and Terraform to view and manage Preview features. For more information, see Use the Compute Engine alpha API.

Google SecOps SIEM

Release 6.3.63 is now available for all regions.

Google SecOps SOAR

Release 6.3.63 is now available for all regions.

October 17, 2025

Cloud SQL for MySQL

Cloud SQL Enterprise edition now supports a new machine series called the N4 machine series. This machine series provides balanced price-to-performance and uses the Hyperdisk Balanced storage. You can create custom machine types for the N4 machine series with up to 80 vCPUs and up to 640 GB memory. The N4 machine series is generally available (GA).

For more information about the N4 machine series and its availability, see Machine series overview.

The C4A machine series is now generally available (GA).

The C4A machine series is supported for Cloud SQL Enterprise Plus edition instances, and provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. It uses the Hyperdisk Balanced storage.

For more information about the C4A machine series and its availability, see Machine series overview.

Cloud SQL for PostgreSQL

Cloud SQL Enterprise edition now supports a new machine series called the N4 machine series. This machine series provides balanced price-to-performance and uses the Hyperdisk Balanced storage. You can create custom machine types for the N4 machine series with up to 80 vCPUs and up to 640 GB memory. The N4 machine series is generally available (GA).

For more information about the N4 machine series and its availability, see Machine series overview.

The C4A machine series is now generally available (GA).

The C4A machine series is supported for Cloud SQL Enterprise Plus edition instances, and provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. It uses the Hyperdisk Balanced storage.

For more information about the C4A machine series and its availability, see Machine series overview.

Cloud SQL for SQL Server

Cloud SQL Enterprise edition now supports a new machine series called the N4 machine series. This machine series provides balanced price-to-performance and uses the Hyperdisk Balanced storage. You can create custom machine types for the N4 machine series with up to 80 vCPUs and up to 640 GB memory. The N4 machine series is generally available (GA).

For more information about the N4 machine series and its availability, see Machine series overview.

Compute Engine

Generally Available: You can now access the Compute Engine alpha API at the project level through a self-service process. By enabling the alpha API, you can use the Google Cloud console, Google Cloud CLI, API, and Terraform to view and manage Preview features. For more information, see Use the Compute Engine alpha API.

Container Optimized OS

cos-125-19216-0-94

Kernel       Docker   Containerd  GPU Drivers
COS-6.12.46  v27.5.1  v2.1.3      See List

Updated the dump capture kernel to v6.12.52.

Added task information collection to sosreports.

Updated golang.org/x/crypto, golang.org/x/net, and golang.org/x/oauth2 in kubelet and kubectl.

Fixed CVE-2025-41244 in app-emulation/open-vm-tools.

Fixed KCTF-6bb73db in the Linux kernel.

Fixed CVE-2025-39963 in the Linux kernel.

Fixed CVE-2025-39965 in the Linux kernel.

Fixed CVE-2025-39961 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811514 -> 811534
  • Changed: net.ipv4.udp_mem: 188034 250714 376068 -> 188034 250715 376068

Google Kubernetes Engine

Don't use GKE version 1.34.1-gke.1431000 or later when creating or upgrading node pools with the a3-highgpu-8g machine type. GKE nodes with these versions include COS Milestone 125, which has an updated Linux kernel version that is incompatible with GPUDirect-TCPX.

Memorystore for Valkey

You can now create an instance in Memorystore for Valkey, even if a zone of the region where you want the instance to be created is unavailable. If this occurs, then Memorystore for Valkey creates the instance in the available zones of the region. This feature is Generally Available.

Text-to-Speech

Chirp 3 HD now supports speech synthesis using SSML input. Supported SSML tags are: <phoneme>, <p>, <s>, <sub>, and <say-as>. For more information, see Chirp 3 HD: SSML support.

October 16, 2025

Apigee API hub

Create and manage API operations in the UI

You can now create and manage API operations for your API versions from the API details page in the Google Cloud console.

For more information, see Manage operations.

Apigee APIM Operator

On October 16, 2025, we released an updated version of Apigee (1-16-0-apigee-3).

Bug ID     Description
442501403  Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>.
437999897  Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.
436323210  Fixed ingress cert keys to allow both tls.key/key and tls.crt/cert.
438192028  Updated the geolocation database to mitigate stale IP-to-location mappings.
N/A        Updates to security infrastructure and libraries.

Bug ID                Description
440419558, 433759657  Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

  • CVE-2025-22868
  • CVE-2025-48924

Apigee X

On October 16, 2025, we released an updated version of Apigee (1-16-0-apigee-3).

Bug ID     Description
442501403  Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>.
437999897  Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.
436323210  Fixed ingress cert keys to allow both tls.key/key and tls.crt/cert.
438192028  Updated the geolocation database to mitigate stale IP-to-location mappings.
N/A        Updates to security infrastructure and libraries.

Bug ID                Description
440419558, 433759657  Security fix for Apigee infrastructure.

This addresses the following vulnerabilities:

  • CVE-2025-22868
  • CVE-2025-48924

BigQuery

The following features are now generally available (GA) in BigQuery Studio:

  • To streamline resource discovery and access, the left Explorer pane has been reorganized into three sections: Explorer, Classic Explorer, and Git repository. You can still use the Classic Explorer, which provides the complete resources tree.

  • In the Explorer pane, you can use the search feature to find BigQuery resources in your organization. The results appear in a new tab in the details pane. You can use filters to narrow your search.

  • You can access job histories by clicking Job history in the Explorer pane. A new tab opens that displays a list of job histories. BigQuery Studio no longer has a bottom pane for job history.

  • To reduce tab proliferation, clicking a resource opens it within the same tab. To open the resource in a separate tab, press Ctrl (or Command on macOS) and click the resource. To prevent the current tab from getting its content replaced, double-click the tab. The name changes from italicized to regular font. If you still lose your resource, you can click Recent tabs in the details pane to find the resource.

  • You can use breadcrumbs to navigate through different tabs and resources in the details pane.

  • In the Home tab, the What's new section contains a list of new capabilities and changes to BigQuery Studio.

  • The notebook action bar is consolidated by default to give you more screen space for writing code.

You can now access repositories by clicking Repositories in the Explorer pane. A new tab opens that displays a list of repositories. The Explorer pane no longer has a bottom pane for repositories. When you open a workspace in a repository, it opens in the Git repository pane in the left pane. These features are available in BigQuery Studio in preview.

Cloud Service Mesh

The promotion of 1.21 to the Rapid release channel included upstream breaking changes to ExternalName and auto-sni when using the ISTIOD implementation. After considering the impact on customers, we have decided to restore the previous behavior from 1.20 and earlier for managed Cloud Service Mesh clusters using the ISTIOD implementation to match Rapid clusters using the TRAFFIC_DIRECTOR implementation. These changes are rolling out to the Rapid release channel in version 1.21.5-asm.55 or later.

  • If you are using an ExternalName service in the Rapid channel without a port description, the ExternalName service is not translated into a Cluster in the Envoy configuration. If the ExternalName service is the destination of a VirtualService, or is used with REGISTRY_ONLY mode, you must specify the port in the service, as in 1.20 and earlier.

  • If you have an external service multiplexing traffic based on SNI but the corresponding DestinationRule doesn't have an explicit SNI, you must set SNI properly.

Compute Engine

Starting with SUSE Linux Enterprise Server (SLES) 16, including variants for SAP, the default file system for the root partition (/) is Btrfs, changing from the previous default of XFS. For more information, see File systems in SLES in the SUSE documentation.

Config Connector

Config Connector version 1.137.0 is now available.

New Beta Resources (Direct Reconciler):

  • DocumentAIProcessorVersion
  • EssentialContactsContact
  • BigQueryBigLakeTable
  • BackupDRBackupPlan

New Alpha Resources (Direct Reconciler):

  • BigtableMaterializedView

New Fields:

  • BigtableMaterializedView: Added spec.sourceTableRef and spec.definition.
  • BackupDRBackupPlan: Added spec.backupConfig.retentionPeriodDays and spec.backupConfig.backupWindow.
  • MemorystoreInstance: Added support for MEMCACHE and REDIS instance types.

Reconciliation Improvements:

  • Enabled opt-in for IAM partial policy management.
  • Enabled server-side apply for KMS resources.
  • Improved reconciliation for BigtableLogicalView by using deep reflection.
  • Improved reconciliation for FirestoreDatabase with identity pattern and export support.
  • Improved reconciliation for RunJob with export support.
  • Unified ComputeTargetTCPProxy direct API and controller.

Bug Fixes:

  • Fixed an issue where ComputeBackendService backends were not sorted.
  • Fixed an issue where CloudFunctionsFunction runtime was not a supported value.
  • Fixed an issue with labels for BackupDRBackupPlan.
  • Fixed an issue with labels for RunJob.
  • Fixed a fuzzing issue for FirestoreField.
  • Fixed an issue with KMSCryptoKey import.
  • Fixed a flakiness issue in the MonitoringDashboard fuzzer.
  • Fixed a flakiness issue in tests.
  • Fixed an issue with bad labels in tests.
  • Fixed an issue with etag in direct reconciliation.

Dataproc

Dataproc on Compute Engine: The default image version of premium tier clusters is now 2.3.

Generative AI on Vertex AI

Mistral's Codestral 2

You can use Mistral's Codestral 2 in Model Garden.

vLLM TPU

vLLM TPU, a highly-efficient serving framework for large language models (LLM) that's optimized for Cloud TPU hardware, is available through Model Garden.

Looker Studio

Pro feature: Share and schedule reports with Slack

You can now send Looker Studio reports to Slack channels and Slack users on your Slack workspaces. This feature is only available to Looker Studio Pro users, and is available in Preview.

Vertical stacking in responsive reports

Responsive reports now support vertical stacking. You can add multiple components to a column within a section. Learn more about creating responsive reports.

Migrate to Virtual Machines

Migrate to Virtual Machines now supports all available versions of AlmaLinux EL 8 and 9.

Policy Intelligence

You can use Policy Troubleshooter to remediate access issues. This feature is available in Preview.

Security Command Center

Security Command Center and attack path simulations use Compute Engine and Google Kubernetes Engine operating system and software vulnerabilities to detect toxic combinations and chokepoints.

UPDATE: Attack path simulations analyze OS and software vulnerability findings for Compute Engine and Google Kubernetes Engine resources to detect toxic combinations and chokepoints.

October 15, 2025

Backup and DR

Backup and DR Service 11.0.16.253 is now available to update your backup/recovery appliances. Refer to these instructions to update your appliance.

  • Guardrails have been defined for each backup/recovery appliance to specify the number of supported job slots, ensuring smooth parallel backup and mount jobs.

Introducing notifications and alerts for the following critical events:

  • Processes not running on a backup/recovery appliance
  • Expired certificates
  • No jobs running on a backup/recovery appliance
  • CPU and memory usage exceeding threshold values
  • Backup/recovery appliance version out of support
  • Backup/recovery appliance updates available

You can subscribe to these events and configure email alerts.

BigQuery

You can use the dbt-bigquery adapter to run Python code that's defined in BigQuery DataFrames. For more information, see Use BigQuery DataFrames in dbt. This feature is generally available (GA).

You can visualize your geospatial query results on an interactive map in BigQuery Studio. This feature is generally available (GA).

Cloud Service Mesh

1.25.5-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.5-asm.7 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.5 subject to the list of supported features. Cloud Service Mesh version 1.25.5-asm.7 uses envoy v1.33.10-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

1.25.5-asm.7 includes the fixes for the following CVEs:

| CVE | Proxy | Control Plane | CNI | Distroless |
|---|---|---|---|---|
| CVE-2025-6297 | Yes | Yes | Yes | - |
| CVE-2024-10963 | Yes | Yes | Yes | - |
| CVE-2025-4802 | - | - | - | Yes |
| CVE-2025-8058 | Yes | Yes | Yes | Yes |

1.26.4-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.4-asm.7 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.26.4 subject to the list of supported features.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.26.4-asm.7 uses Envoy v1.34.8-dev.

1.26.4-asm.7 includes the fixes for the following CVEs:

| CVE | Proxy | Control Plane | CNI | Distroless |
|---|---|---|---|---|
| CVE-2024-10963 | Yes | Yes | Yes | - |
| CVE-2025-8058 | Yes | Yes | Yes | Yes |
| CVE-2025-4802 | - | - | - | Yes |

1.27.1-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.27.1 subject to the list of supported features.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.5 uses Envoy v1.35.4-dev.

1.27.1-asm.5 includes the fixes for the following CVEs:

| CVE | Proxy | Control Plane | CNI | Distroless |
|---|---|---|---|---|
| CVE-2025-6297 | Yes | Yes | Yes | - |
| CVE-2024-10963 | Yes | Yes | Yes | - |
| CVE-2025-9230 | Yes | Yes | Yes | - |
| CVE-2025-8058 | Yes | Yes | Yes | Yes |
| CVE-2025-4802 | - | - | - | Yes |

In-cluster Cloud Service Mesh 1.24 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Generative AI on Vertex AI

Anthropic's Claude Haiku 4.5

You can use Anthropic's Claude Haiku 4.5 in Model Garden.

Veo video generation

Veo 2 supports adding and removing objects from videos in Preview.

For more information about Veo 2, see Veo 2 Preview.

For more information about adding and removing objects, see the following:

Google Cloud Armor

Cloud Armor hierarchical security policies, which facilitate centralized control, enhanced consistency, operational efficiency, and effective delegation of security policy management, are Generally Available.

Google Cloud Contact Center as a Service

Mobile SDK patch 2.14.1 is released

This patch adds the didHandleUjetError function to the iOS SDK. The didHandleUjetError function can listen for and handle the following errors:

  • networkError
  • authenticationError
  • authenticationJwtError
  • voipConnectionError
  • voipLibraryNotFound
  • chatLibraryNotFound

For more information, see Fallback.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.31.1000-gke.44 is available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.31.1000-gke.44 runs on Kubernetes v1.31.12-gke.600.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following issues were fixed in 1.31.1000-gke.44:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.31.1000-gke.44 is now available for download. To upgrade, see Upgrade clusters. Distributed Cloud for bare metal 1.31.1000-gke.44 runs on Kubernetes v1.31.12-gke.600.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Distributed Cloud for bare metal.

The following issues were fixed in 1.31.1000-gke.44:

  • Fixed an issue where the cluster restore process leaves the Kubelet certificate files as regular files instead of symbolic links, preventing certificate rotation.

  • Fixed the etcd-cleanup job timeout issue caused by the use of incorrect certificates.

  • Fixed vulnerabilities listed in Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Kubernetes Engine

(2025-R43) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

Regular channel

Stable channel

  • Version 1.33.4-gke.1245000 is now the default version for cluster creation in the Stable channel.
  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.32.8-gke.1134000
    • 1.33.4-gke.1172000
  • Clusters in this channel running the listed minor version have new general auto-upgrade targets. GKE can upgrade control planes and nodes to the following new versions with this release:

Extended channel

No channel

(2025-R43) Security updates

This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.

To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:

| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.34.1-gke.1431000 | cos-beta-125-19216-0-76 | cos-beta-125-19216-0-76 release notes |

Google SecOps

The Netskope v1 API feed has been deprecated by Netskope. If you are using the Netskope REST API v1 with Google SecOps, you must switch to the Netskope REST API v2.

Google SecOps Marketplace

ThreatQ: Version 15.0

  • Updated the API request payload to align with a change in the ThreatQ API in the following actions:

    • Enrich IP

    • Enrich URL

    • Enrich Email

    • Enrich Hash

    • Enrich CVE

UrlScan.io: Version 26.0

  • Added ability to scan domains and IPs in the following action:

    • URL Check

CrowdStrike Falcon: Version 66.0

  • The following new action has been added:

    • Get Alert Details

Azure Active Directory: Version 19.0

  • Improved performance by implementing a direct API filter query for group name searches, which avoids fetching all groups and significantly reduces execution time in large-group environments, in the following action:

    • List Members in Group

CrowdStrike Falcon: Version 66.0

  • Updated entity processing logic in the following actions:

    • Contain Endpoint

    • Download File

    • Execute Command

    • Get Host Information

    • Lift Contained Endpoint

    • List Host Vulnerabilities

    • On-Demand Scan

    • Run Script

Updated dependencies in the following integrations:

  • Microsoft Teams: Version 30.0

  • Microsoft Graph Mail Delegated: Version 8.0

  • Exchange: Version 114.0

  • Case Federation: Version 5.0

  • Azure Security Center: Version 12.0

Microsoft Teams: Version 30.0

  • Integration: Fixed an issue with the special characters in the query parameters.

Okta: Version 10.0

  • Updated the pagination processing mechanism in the following actions:

    • List Users

    • Add Group

    • Get Group

    • List Providers

Google SecOps SIEM

ThreatQ: Version 15.0

  • Updated the API request payload to align with a change in the ThreatQ API in the following actions:

    • Enrich IP

    • Enrich URL

    • Enrich Email

    • Enrich Hash

    • Enrich CVE

UrlScan.io: Version 26.0

  • Added ability to scan domains and IPs in the following action:

    • URL Check

CrowdStrike Falcon: Version 66.0

  • The following new action has been added:

    • Get Alert Details

Azure Active Directory: Version 19.0

  • Improved performance by implementing a direct API filter query for group name searches, which avoids fetching all groups and significantly reduces execution time in large-group environments, in the following action:

    • List Members in Group

CrowdStrike Falcon: Version 66.0

  • Updated entity processing logic in the following actions:

    • Contain Endpoint

    • Download File

    • Execute Command

    • Get Host Information

    • Lift Contained Endpoint

    • List Host Vulnerabilities

    • On-Demand Scan

    • Run Script

Updated dependencies in the following integrations:

  • Microsoft Teams: Version 30.0

  • Microsoft Graph Mail Delegated: Version 8.0

  • Exchange: Version 114.0

  • Case Federation: Version 5.0

  • Azure Security Center: Version 12.0

Microsoft Teams: Version 30.0

  • Integration: Fixed an issue with the special characters in the query parameters.

Okta: Version 10.0

  • Updated the pagination processing mechanism in the following actions:

    • List Users

    • Add Group

    • Get Group

    • List Providers

The Netskope v1 API feed has been deprecated by Netskope. If you are using the Netskope REST API v1 with Google SecOps, you must switch to the Netskope REST API v2.

Google SecOps SOAR

ThreatQ: Version 15.0

  • Updated the API request payload to align with a change in the ThreatQ API in the following actions:

    • Enrich IP

    • Enrich URL

    • Enrich Email

    • Enrich Hash

    • Enrich CVE

UrlScan.io: Version 26.0

  • Added ability to scan domains and IPs in the following action:

    • URL Check

CrowdStrike Falcon: Version 66.0

  • The following new action has been added:

    • Get Alert Details

Azure Active Directory: Version 19.0

  • Improved performance by implementing a direct API filter query for group name searches, which avoids fetching all groups and significantly reduces execution time in large-group environments, in the following action:

    • List Members in Group

CrowdStrike Falcon: Version 66.0

  • Updated entity processing logic in the following actions:

    • Contain Endpoint

    • Download File

    • Execute Command

    • Get Host Information

    • Lift Contained Endpoint

    • List Host Vulnerabilities

    • On-Demand Scan

    • Run Script

Updated dependencies in the following integrations:

  • Microsoft Teams: Version 30.0

  • Microsoft Graph Mail Delegated: Version 8.0

  • Exchange: Version 114.0

  • Case Federation: Version 5.0

  • Azure Security Center: Version 12.0

Microsoft Teams: Version 30.0

  • Integration: Fixed an issue with the special characters in the query parameters.

Okta: Version 10.0

  • Updated the pagination processing mechanism in the following actions:

    • List Users

    • Add Group

    • Get Group

    • List Providers

Security Command Center

The following features in Compliance Manager are available in General Availability:

Virtual Private Cloud

Private Service Connect health is available in Preview.

Private Service Connect health lets service producers define health states to support automatic cross-region failover for consumers that use Private Service Connect backends. For more information, see About Private Service Connect health for automatic cross-region failover.

October 14, 2025

Access Approval

Google Cloud Managed Service for Apache Kafka is generally available (GA).

Access Transparency

Google Cloud Managed Service for Apache Kafka is generally available (GA).

Apigee API hub

New MCP API style system attribute

The system-defined API style attribute now includes a new value: MCP. This lets you classify and govern APIs based on the latest Model Context Protocol (MCP) standards.

For more information, see System attributes.

Apigee APIM Operator

Removal of deprecated Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

Apigee X

Removal of deprecated Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

Backup and DR

You can now set up backup vault-specific workload quotas for critical resources like data sources, backups, backup plans, and backup plan associations. Until now, these quotas were set up only at the project level, not at the workload level.

BigQuery

You can now use SQL cells to write, edit, and run SQL queries on your BigQuery data directly from your notebooks. This feature is in Preview.

The BigQuery Data Transfer API (bigquerydatatransfer.googleapis.com) is now enabled by default for every new Google Cloud project. This feature is generally available (GA).

Colab Enterprise

SQL cells

Preview: You can use SQL cells to write, edit, and run SQL queries directly from your Colab Enterprise notebooks. For more information, see Use SQL cells.

Generative AI on Vertex AI

Imagen subject and style fine-tuning

Imagen subject model and style model tuning will be removed on December 31, 2025. We recommend that you use Gemini 2.5 Flash Image, which supports most use cases that require fine-tuning. For more information, see Edit images with Gemini.

Imagen 4 preview models

The following Imagen 4 preview models will be removed on November 30, 2025: imagen-4.0-generate-preview-06-06, imagen-4.0-ultra-generate-preview-06-06, and imagen-4.0-fast-generate-preview-06-06. To avoid service disruption, migrate all workflows that use Imagen 4 preview models before November 30, 2025, to the following Imagen 4 Generally Available models: imagen-4.0-generate-001, imagen-4.0-ultra-generate-001, and imagen-4.0-fast-generate-001.

Google Cloud Contact Center as a Service

Portal version 3.40 pre-release notes

Here are the pre-release notes for portal version 3.40. When we release version 3.40, we expect the new capabilities to be as shown here.

New variables for custom lookup URLs

We've added the following five variables for custom lookup URLs:

  • CUSTOMER_PHONE_NUMBER: the end-user's phone number
  • SUPPORT_PHONE_NUMBER: your call center's phone number that an end-user calls in on
  • OUTBOUND_NUMBER: the phone number an agent uses when making an outbound call
  • SESSION_ID: the session ID
  • CUSTOM_AGENT_ID: an optional agent ID

Agent desktop maintains state after refresh

While you're using the agent desktop, if you refresh your browser, the agent desktop now maintains its state. This means that active conversations, finished tabs, and recently closed sessions remain as they were before the refresh.

Search in email channel by email address and name

Agents can now search for email sessions by email address and name in the email adapter.

User experience change: The search pane in the email adapter includes two new fields: Email Address and Name.

Customize the color of the Start Screen Share button

You can now control the color of the Start Screen Share button to match the color palette of your brand.

The europe-west4 and europe-west6 regions are available for Agent Assist conversation profiles

The europe-west4 and europe-west6 regions are now available when you create an Agent Assist conversation profile for a Dialogflow CX virtual agent. For more information, see Create conversation profile for Dialogflow CX virtual agents.

Web SDK: Support for hiding the download transcript option

You can now configure the web SDK to do the following on the end-user's chat screen:

  • Hide the Download transcript menu option during a chat session

  • Hide the Download transcript button after a chat session ends

Web SDK: Support for hiding the Start a new conversation button

You can now configure the web SDK to hide the Start a new conversation button on the end-user's chat screen after the session ends.

The following issues were addressed in this release:

  • Fixed an issue that prevented administrators from configuring virtual agents on the top level for IVR queues.

  • Fixed an issue where attempting to configure automatic redirection settings for the top level of an IVR queue returned an error.

  • Fixed an issue that caused incorrect agent monitoring and reporting data when a virtual agent escalated a call to a queue in a different language.

  • Fixed an issue for HubSpot users where the call adapter got stuck on a non-functional reconnect page after a session expired.

  • Fixed an issue for HubSpot users where the Delay call record creation until the call is connected to agent checkbox didn't appear in the CRM Record Creation Details pane.

  • Fixed an issue that prevented agents from ending direct SMS chat sessions.

  • Fixed an issue for Microsoft Windows 11 users that prevented agents from entering Japanese characters in the chat screen during chat sessions and into the notes during wrap-up.

  • Fixed an issue where SDK custom data that was passed using the web SDK didn't appear in the agent adapter.

  • Fixed an issue that prevented custom links entered in the chat adapter from being converted into clickable links.

  • Fixed an issue in the chat screen of the chat adapter where the Missed target response time message was partially obscured by the formatting toolbar.

  • Fixed an issue where agents couldn't initiate a callback to a missed agent-to-agent call from the History tab of the agent adapter.

  • Fixed an issue where predictive outbound calling campaigns stalled and incorrectly moved contacts to the Redialed list before retrying them. This prevented the campaigns from completing successfully.

  • Fixed an issue in the Call Details pane where the Recording Message Sequence settings were incorrectly inactive when the Play Call Recording Messages checkboxes were cleared.

    Administrators: In the Call Details pane, we changed Recording Message Sequence to Recording Message Sequence for Outbound Calls for clarity.

  • Fixed an issue where the customized greeting for an automatic redirection rule didn't play for calls that entered the queue using a Direct Access Phone (DAP) number.

  • Fixed an issue that occurred when a call was made from the global contact list. On the Details tab of the call adapter, the destination name didn't display. Instead, the destination phone number displayed.

  • Fixed an agent desktop issue where an agent status that was configured with a role restriction mistakenly appeared in the status list for a user assigned to that restricted role.

  • Fixed an issue where searching for an inbound-only queue on the Phone Number Management page failed to return a result.

  • Fixed an issue that caused queue duration and wait duration to be reported as 0. This occurred when the Call Service Level Target on a queue settings page was set to a number that exceeded the maximum allowed limit.

  • Fixed an issue where a team assigned to a preference profile added only 1 user to the profile's users count, instead of adding the total number of users on the team.

  • Fixed an issue where agents were timed out for inactivity while composing an email in the email adapter.

  • Fixed an issue where users with a custom role were unable to save changes in the Chat Settings pane, even when their role had View and Edit permissions.

  • Fixed an issue that occurred after an agent configured their own hours of operation settings in the agent adapter. Those settings didn't appear for administrators in the agent's user profile on the Settings > Users & Team > Manage Users & Teams page. This prevented the administrator from making other edits to the agent's profile without overwriting the agent's hours of operation settings.

  • Fixed an issue where CRM tickets weren't created for some calls.

  • Fixed an issue where outbound SIP calls incorrectly appended data parameters, causing calls to fail.

  • Fixed a Web SDK security vulnerability associated with DOMPurify.

  • Fixed an issue where chat metadata wasn't saved to external storage. This occurred when an end-user ended a chat after escalating from a virtual agent but before being connected to a human agent.

Google Kubernetes Engine

In GKE versions 1.32.4-gke.1029000 and later, MountVolume calls for network file system (NFS) volumes might fail with the following error: mount.nfs:rpc.statd is not running but is required for remote locking.

This failure can occur if a Pod mounting an NFS volume runs on the same node as an NFS server Pod, and the NFS server Pod starts before the client Pod attempts to mount the volume. This scenario causes a conflict over the rpcbind service, which prevents the service from starting correctly on the node for the client Pod, leading to the mount failure.

As a workaround, deploy this DaemonSet on all nodes where you mount the NFS volumes. The DaemonSet ensures that the required services start correctly.

Organization Policy

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Datastream resources. For more information, see Manage Application Integration resources using custom constraints. This feature is generally available (GA).

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Datastream resources. For more information, see Manage Application Integration resources using custom constraints. This feature is generally available (GA).

October 13, 2025

Access Approval

IAM System for Cross-domain Identity Management (SCIM) Service is available in Preview.

Access Transparency

IAM System for Cross-domain Identity Management (SCIM) Service is available in Preview.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.67.1 (2025-10-08)

Dependencies

Python

Changes for google-cloud-bigtable

2.33.0 (2025-10-06)

Features
Bug Fixes
  • Fix instance registration cleanup on early iterator termination (#1216) (bbfd746)
  • Refactor channel refresh (#1174) (6fa3008)

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/storage

7.17.2 (2025-10-06)

Bug Fixes
  • Common Service: should retry a request failed (#2652) (b38b5d2)
  • Implement path containment to prevent traversal attacks (#2654) (08d7abf)

Java

Changes for google-cloud-storage

2.58.1 (2025-10-06)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.3 (ba84793)
  • Update BlobReadSession ScatteringByteChannel projection to use less CPU (#3324) (678fecc)
  • Update DefaultRetryContext to trap and forward RejectedExceptionException to onFailure (#3327) (1be31bd)
  • Update PCU request building logic to properly clear crc32c and md5 (#3323) (4da9f31)
Dependencies
  • Update dependency com.google.apis:google-api-services-storage to v1-rev20250925-2.0.0 (#3313) (ab310eb)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.3 (#3325) (4d3e3be)
  • Update googleapis/sdk-platform-java action to v2.62.3 (#3322) (a5808ea)

Python

Changes for google-cloud-storage

3.4.1 (2025-10-08)

Bug Fixes
  • Fixes #1561 by adding an option to specify the entire object checksum for resumable uploads via the upload_from_string, upload_from_file, and upload_from_filename methods (acb918e)

Container Optimized OS

cos-dev-129-19319-0-0

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.12.50 | v27.5.1 | v2.1.3 | See List |

Updated the Linux kernel to v6.12.50.

Added support for NVIDIA driver v580.95.05. Updated all latest driver versions and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.95.05.

Upgraded app-containers/docker-credential-helpers to v0.9.4.

Updated toolbox container image tag to v20251002.

Upgraded chromeos-base/google-breakpad to v2025.10.06.205107-r254.

Upgraded dev-libs/expat to v2.7.3.

Upgraded sys-apps/hwdata to v0.399.

Upgraded net-libs/libtirpc to v1.3.7.

Partially fixed an issue where excessive contention among writeback kworkers when switching a large number of inodes between cgroups could lead to system unresponsiveness.

Upgraded open-vm-tools to 13.0.5. This fixes CVE-2025-41244 in anthos variant.

Fixed CVE-2025-11081, CVE-2025-11082 and CVE-2025-11083 in sys-libs/binutils-libs.

Updated dev-python/urllib3 to v2.5.0. This resolves CVE-2025-50181.

Updated sys-apps/coreutils to v9.5. This resolves CVE-2024-0684.

Fixed KCTF-134121b in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811493 -> 811438
  • Changed: net.ipv4.udp_mem: 188034 250714 376068 -> 188034 250715 376068

cos-121-18867-199-98

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.6.105 | v27.5.1 | v2.0.6 | See List |

Added support for NVIDIA driver v580.95.05. Updated all latest driver versions and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.95.05.

Upgraded app-admin/node-problem-detector to v0.8.22.

Updated toolbox container image tag to v20251002.

Upgraded sys-apps/hwdata to v0.399.

Partially fixed an issue where excessive contention among writeback kworkers when switching a large number of inodes between cgroups could lead to system unresponsiveness.

Fixed CVE-2025-41244 in app-emulation/open-vm-tools in anthos variant.

Fixed CVE-2025-11081, CVE-2025-11082 and CVE-2025-11083 in sys-libs/binutils-libs.

Fixed CVE-2025-23143 in the Linux kernel.

Fixed CVE-2025-39947 in the Linux kernel.

Fixed KCTF-134121b in the Linux kernel.

Fixed CVE-2025-39931 in the Linux kernel.

Fixed CVE-2025-39953 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811724 -> 811792

cos-125-19216-0-87

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.12.46 | v27.5.1 | v2.1.3 | See List |

Added support for NVIDIA driver v580.95.05. Updated all latest driver versions and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.95.05.

Upgraded app-admin/node-problem-detector to v0.8.22.

Upgraded sys-apps/hwdata to v0.399.

Partially fixed an issue where excessive contention among writeback kworkers when switching a large number of inodes between cgroups could lead to system unresponsiveness.

Fixed CVE-2025-11081, CVE-2025-11082 and CVE-2025-11083 in sys-libs/binutils-libs.

Fixed CVE-2025-39931 in the Linux kernel.

Fixed CVE-2025-39953 in the Linux kernel.

Fixed CVE-2025-39947 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811500 -> 811514

cos-113-18244-448-73

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.1.151 | v24.0.9 | v1.7.27 | See List |

Updated toolbox container image tag to v20251002.

Upgraded sys-apps/hwdata to v0.399.

Fixed CVE-2025-11081, CVE-2025-11082 and CVE-2025-11083 in sys-libs/binutils-libs.

Fixed CVE-2025-23143 in the Linux kernel.

Fixed KCTF-134121b in the Linux kernel.

Fixed CVE-2025-39931 in the Linux kernel.

Fixed CVE-2025-39953 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811950 -> 812035

cos-117-18613-339-97

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.6.105 | v24.0.9 | v1.7.28 | See List |

Added support for NVIDIA driver v580.95.05. Updated all latest driver versions and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.95.05.

Upgraded app-admin/node-problem-detector to v0.8.22.

Fixed CVE-2025-11081, CVE-2025-11082 and CVE-2025-11083 in sys-libs/binutils-libs.

Fixed CVE-2025-23143 in the Linux kernel.

Fixed CVE-2025-39947 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811755 -> 811830

Dataproc

Serverless for Apache Spark: Runtimes rollout with Apache Spark upgrade to version 3.5.3 in the latest 1.2 and 2.2 Serverless for Apache Spark runtime versions has started and is expected to finish by October 16th.

Managed Lustre

Google Cloud Managed Lustre now fully supports data transfers to and from Cloud Storage buckets that have Object Lifecycle Management (OLM) or Autoclass enabled.

Policy Intelligence

Due to an ongoing issue, IAM recommender role recommendations might be out of date and inaccurate. Removing roles or permissions can break existing processes. Therefore, please validate usage before applying any changes.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-pubsub

1.142.0 (2025-10-07)

Features
  • Support the protocol version in StreamingPullRequest (af40810)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.3 (af40810)
Dependencies
  • Update actions/checkout action to v5 (#2562) (b7fa499)
  • Update actions/checkout action to v5 (#2573) (4153dba)
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.55.1 (#2566) (66c9ec4)
  • Update dependency com.google.cloud:google-cloud-core to v2.60.2 (#2557) (460bcd9)
  • Update dependency com.google.cloud:google-cloud-core to v2.60.3 (#2571) (ac2c85a)
  • Update dependency com.google.cloud:google-cloud-storage to v2.58.0 (#2561) (0189388)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.3 (#2572) (0785ee4)
  • Update dependency org.assertj:assertj-core to v3.27.6 (#2560) (c82766a)

Secret Manager

For more information, see Synchronize secrets to Kubernetes Secrets.

Speech-to-Text

Speech-to-Text is excited to announce the General Availability (GA) of Chirp 3: Transcription, the latest generation of Google's multilingual Automatic Speech Recognition (ASR)-specific generative model, delivering state-of-the-art ASR accuracy and multilingual capabilities. Available exclusively in the Speech-to-Text API V2, Chirp 3 delivers significant enhancements in transcription accuracy and speed over previous versions. Under the new chirp_3 model identifier, you can now leverage powerful new capabilities, including speaker diarization to identify different speakers and automatic language detection for multilingual audio. The model supports all major recognition methods (StreamingRecognize, Recognize, and BatchRecognize), making it suitable for both real-time and batch processing. Chirp 3 also offers advanced features such as speech adaptation for custom vocabularies and a built-in denoiser to improve results from noisy audio.

To explore the new Chirp 3: Transcription model's capabilities and learn how to leverage its full potential, please visit our updated documentation page.

October 12, 2025

Apigee hybrid

hybrid v1.15.1

On October 10, 2025 we released an updated version of the Apigee hybrid software, 1.15.1.

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information, see Enabling monetization for Apigee hybrid.

Apigee policies for LLM/GenAI workloads

Apigee hybrid now supports the following Apigee policies with support for LLM/GenAI workloads.

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

Bug ID | Description
451375397 | The apigee-pull-push.sh script could return a No such image error message.
445912919 | Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process.
442501403 | Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>.
437999897 | Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.
431930277, 395272878 | When the configuration property envs.managementCallsSkipProxy is set to true via helm for environment-level forward proxy, trace and analytics (which use googleapis.com) will skip forward proxy.
423597917 | A POST of AppGroupAppKey scopes should result in an insert operation instead of an update.
420675540 | Fixed Cassandra based replication for runtime contracts in synchronizer.
419578402 | Mint-Mart forward proxy compatible.
416634326 | Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods.
412740465 | Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway.
409048431 | Fixes a vulnerability which could allow a SAML signature verification to be bypassed.
378686709 | The use of wildcards (*) in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error. To apply this fix, follow the procedure in Known issue 378686709.
367815792 | Two new Flow Variables: app_group_app and app_group_name have been added to VerifyApiKey and Access Token policy.

Bug ID Description
448498138 Security fixes for apigee-runtime.
This addresses the following vulnerability:
447367372 Security fixes for apigee-runtime.
This addresses the following vulnerability:
418557195 Security fixes for apigee-fluent-bit.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-fluent-bit.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-hybrid-cassandra.
This addresses the following vulnerability:
N/A Security fixes for apigee-mart-server.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-stackdriver-logging-agent.
This addresses the following vulnerabilities:

Documentation change

The following documents have been changed or introduced to align the Apigee hybrid installation guides with the supported methods for service account authentication:

October 10, 2025

Application Integration

Manage Application Integration resources using custom constraints

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Application Integration resources. For more information, see Manage Application Integration resources using custom constraints. This feature is now available in Preview.

Cloud Composer

(Cloud Composer 2 versions from 2.12.0 to 2.12.3) Fixed a problem where Airflow components in the environment's cluster were running out of ephemeral storage. This change rolls out gradually over several releases to all regions supported by Cloud Composer 2.

New images are available in Cloud Composer 2:

The following Cloud Composer versions and builds have reached their end of support period: composer-2.9.6-*, composer-3-airflow-2.7.3-build.17, composer-3-airflow-2.7.3-build.18, composer-3-airflow-2.9.1-build.8, and composer-3-airflow-2.9.1-build.9.

Cluster Toolkit

Cluster Toolkit release version v1.68.0 is available. This release introduces the option to download the NVIDIA Collective Communications Library (NCCL) software packages libnccl2 and libnccl-dev for A3U and A4H machine types, as well as other minor changes. For more information about this release, see the Release Announcement on GitHub.

This release supports the generally available, open-source IBM Spectrum Symphony HostFactory connectors for Google Compute Engine and Google Kubernetes Engine (GKE), which can be deployed through Cluster Toolkit to extend your on-premises cluster or run entirely within Google Cloud. For more information, see Run IBM Spectrum Symphony workloads.

Database Center

You can monitor the inventory, metrics, and alerts for Oracle Database@Google Cloud databases using Database Center. For more information, see Metrics and alerting policy filters. Oracle Database@Google Cloud support in Database Center is in Preview. During Preview, you can't monitor health issues for Oracle Database@Google Cloud databases.

Looker

Conversational Analytics in Looker

The following features are available in Preview for use with Conversational Analytics in Looker instances that are running Looker 25.18.9 or later:

  • New model-specific Looker permissions are available to manage and use the Conversational Analytics data agents that are created to chat with Looker Explores. You can grant these permissions to users as part of a custom role, or use one of two new default roles, Conversational Analytics Agent Manager and Conversational Analytics User, to manage and use agents, respectively.
  • You can now select up to five Looker Explores as data sources for a data agent in Looker.
  • Users with the admin_agents permission can now share data agents to let other users chat with your agent and its Explores. Starting in Looker 25.18.10, users with either the save_agents or the admin_agents permission can share data agents with other users.

(This release note was updated on October 10, 2025 to correct the Looker version for this release. This release note was updated on October 23, 2025 to correct the Looker version for data agent sharing permissions.)

Media CDN

Media CDN supports multipart range requests, which enable users to request multiple non-contiguous segments of a file in a single HTTP request. This feature is in Preview.

For more information, see Multipart range requests.

Memorystore for Valkey

Memorystore for Valkey now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as patches for security vulnerabilities.

For links to current maintenance changelogs for each major version of Memorystore for Valkey, see Memorystore for Valkey maintenance changelogs. This feature is Generally Available.

Organization Policy

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Application Integration resources. For more information, see Manage Application Integration resources using custom constraints. This feature is available in Preview.

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Application Integration resources. For more information, see Manage Application Integration resources using custom constraints. This feature is available in Preview.

Security Command Center

Correlated Threats is available in Preview. This feature combines related threat findings together by using the security graph, helping you to prioritize and respond to active threats.

Sensitive Data Protection

The BRAZIL_RG_NUMBER infoType detector is available in all regions. For more information about all built-in infoTypes, see the InfoType detector reference.

October 09, 2025

Agent Assist

Agent Assist offers AI coach in GA. AI coach automatically suggests responses to an agent during a customer service conversation. AI coach is available in all Google Cloud languages and regions.

OpenAPI and Integration Connectors tools are generally available in Agent Assist. Google Cloud enables the use of this external API and data source to improve Agent Assist integrations.

Agent Assist offers the following functions in addition to generative knowledge assist features:

Anthos Config Management

Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.

Apigee APIM Operator

Deprecation of the Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is deprecated and will be shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

Apigee X

Deprecation of the Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is deprecated and will be shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

BigQuery

You can allocate idle slots fairly across reservations within a single admin project. This ensures each reservation receives an approximately equal share of available capacity. This feature is now generally available (GA).

You can set a maximum slot limit for a reservation. You can configure the maximum reservation size when creating or updating a reservation. This feature is now generally available (GA).

Security, privacy, and compliance for Gemini in BigQuery details how customer data is protected and processed by Gemini in BigQuery.

An updated version of the ODBC driver for BigQuery is now available.

Cloud Build

The Service Account User role has been removed from the Cloud Build Permissions page in the Google Cloud Console. Instead, when you enable certain roles on your Cloud Build service account, you can configure your Cloud Build Service account to impersonate the service account of the managed services related to those roles. This configuration lets you deploy builds using managed services while maintaining minimal permissions. For more information, see Configure Cloud Build service account impersonation for managed services.

In addition, the Cloud Build Permissions page in the Google Cloud Console will only show the legacy Cloud Build service account if your organization's policy allows it.

Cloud Composer

Upgrade checks are now generally available (GA) in Cloud Composer 3 and Cloud Composer 2.

Cloud Healthcare API

  • A new application has been added to the Cloud Console under "Healthcare", called "DICOM Studio".
  • This new application provides a web interface for exploring DICOM Stores in the Cloud Healthcare API similar to "FHIR Viewer".
    • Search and find studies, series, and instances in any DICOM Store using our DICOM Web API
    • View studies, series and instance metadata
    • Edit studies, series and instance metadata
    • Perform CRUD operations (Delete) on studies, series and instances
    • View studies, series and instance images via a transcoded image preview

Cloud Logging

The query builder in the Log Analytics page is generally available (GA). For more information, see Build, edit, and run a query.

Container Optimized OS

cos-117-18613-339-89

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.105 | v24.0.9 | v1.7.28 | See List

Updated toolbox container image tag to v20251002.

Upgraded sys-apps/hwdata to v0.399.

Partially fixed the system not responding caused by excessive contention among writeback kworkers when switching a large number of inodes between cgroups.

Fixed KCTF-134121b in the Linux kernel.

Fixed CVE-2025-39953 in the Linux kernel.

Fixed CVE-2025-39931 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811788 -> 811755

cos-125-19216-0-80

Kernel | Docker | Containerd | GPU Drivers
COS-6.12.46 | v27.5.1 | v2.1.3 | See List

Promoted Milestone 125 to stable.

Fixed KCTF-134121b in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811450 -> 811500
  • Changed: net.ipv4.udp_mem: 188034 250715 376068 -> 188034 250714 376068

Updated toolbox container image tag to v20251002.

Generative AI on Vertex AI

Imagen

Imagen's virtual try-on model, virtual-try-on-preview-08-04, was updated on September 30, 2025, to more accurately preserve the person's body shape and the garment's identity.

Google Cloud Contact Center as a Service

Version 3.39 is released

All release notes published on this date are part of version 3.39.

The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.

Destination queue name and session history are available in the agent adapter

The agent adapter now displays the destination queue during transfers and deflections for IVR calls. The agent adapter also displays transfer history in the Call details and Chat details tabs.

User experience changes:

  • The Call details and Chat details tabs in the agent adapter have a new Transfer History section.
  • The chat pane in the chat adapter has a new Transfers button that opens the Transfer History pane.

Administrators: There's a new checkbox at Settings > Operation Management > Transfer history for turning on transfer history in the agent adapter.

For more information, see Transfer history and queue information in the agent adapter.

Improved controls over the ordering of key-value pairs in the agent adapter and CRM records

Google Cloud CCaaS has improved controls over the ordering of the key-value pairs that appear in the agent adapter and in CRM records. Here's how the ordering controls work:

  • Virtual agents: When you configure session variables, you can use the new display_order_in_adapter property to specify the order that the session variables appear in the agent adapter and in CRM records. For more information, see Capture from intent response.

  • Web SDK: Web SDK custom data is displayed in the agent adapter and CRM records in the order that the key-value pairs appear in the JSON custom data file. For more information about JSON custom data files, see Chat unsigned custom data.

Virtual agents for the SMS channel

Virtual agents are now available for the SMS channel. This lets you create virtual agents and assign them to SMS queues, offering virtual agent support to end-users in SMS chat sessions. For more information, see Virtual agents for SMS.

Search in the email channel

Agents can now search for emails in the agent adapter by keyword, session ID, or subject. For more information, see Search for emails.

Cancel scheduled calls with the callback calls API

You can now use the callback calls API to cancel a single scheduled callback call or a list of calls. For more information, see Callback call API.

Mid-session authentication is supported by all CRM types

Mid-session authentication is supported by all CRM types, not just custom CRMs. For more information, see Mid-Session authentication by API.

New advanced reporting dashboards

The following new advanced reporting dashboard is available:

Advanced reporting dashboard updates

We've made the following updates to the advanced reporting dashboards:

  • Queue Group Dashboards All dashboard: The tiles and tables on this dashboard have been replaced with the following tables:

    • Queue Group Performance Calls: displays detailed performance information for calls by queue group.

    • Queue Group Performance Chats: displays detailed performance information for chats by queue group.

    For more information, see Queue Group Dashboards All.

  • Queue interval dashboards: The Queue Interval - Calls and Queue Interval - Chats dashboards have a new Total Queue Entries column in the table tile. This is the sum of all inbound interactions that have entered a queue, excluding transfers.

    For more information, see Queue interval dashboards.

  • Virtual agent dashboards: On both the Virtual Agent Dashboard Calls and Virtual Agent Dashboard Chats dashboards, the virtual agent metrics table contains a new Interaction Outcome column.

    For more information, see Virtual agent dashboards.

  • All Interactions - Chat dashboard: In the All Chat Interactions (Historical) table, if you configure chat transcript storage for your CRM, the values in the Chat ID column become links to the chat transcripts.

    For more information, see All interactions dashboards.

  • New metrics in the Call Queue Metrics (Historical) Explore: We've added the following two metrics to the Call Queue Metrics (Historical) Explore:

    • CSL %: Custom Service Level. This is calculated as follows: The number of queued interactions within SLA / The number of queued interactions answered.

    • Total Queued Answered: The number of queued interactions answered by a human agent.

    For information about metrics in an Explore, see Create a new metrics tile in a dashboard.

  • Additional dashboards with advanced capabilities: the following dashboards now appear on the Advanced Reporting Landing Page. This means you can use them to create new custom dashboards or create Looks to link to custom dashboards.

    Performance

    • Dispositions / Calls

    • Dispositions / Chats

    • Deflections / Calls

    • Deflections / Chats

    • CSAT / Calls

    • CSAT / Chats

    • Co-browse / Calls

    • Co-browse / Chats

    • Failed / Calls

    • Failed / Chats

    • Missed / Calls

    • Missed / Chats

    Agent Reporting

    • Agent Activity Timeline

    Monitoring Dashboards

    • Calls Connected

    • Chats Connected

    • Calls Queued

    • Chats Queued

    For more information, see Advanced capabilities.

The following issues were addressed in this release:

  • Fixed an issue where incoming chats took precedence over the in-progress chat.

    User experience change: When a new chat appears in the agent adapter, it no longer takes focus away from the in-progress chat. The in-progress chat retains focus.

  • Fixed a web SDK issue where sensitive data sent by an end-user was redacted for both the end-user and the agent, instead of just for the agent.

  • Fixed an issue where the contact list in the agent adapter wouldn't load the full list of contacts.

  • Fixed an issue where an agent clicking an email in the agent adapter returned an Email Not Found error.

  • Fixed an issue where managers assigned to multiple teams were unable to view agent statistics for every team they were assigned to.

  • Fixed an issue for ServiceNow users where call_duration was using the earliest connected_at time instead of the latest connected_at time, causing call durations to appear longer than they actually were.

  • Fixed an issue in the Settings > Developer Settings > External Storage pane where language checkboxes were associated with the Co-browse Recordings checkbox instead of the Session Data Feed checkbox.

    Administrators: In the Settings > Developer Settings > External Storage pane, the languages checkboxes have moved from the Co-browse Recordings checkbox to the Session Data Feed checkbox.

  • Fixed an issue where agent-initiated outbound calls were using the default number for the selected queue instead of the number chosen by the agent.

  • Fixed an issue where the downloaded session chat data report contained an extra quotation mark.

  • Fixed an issue where users received an email telling them to create a password after Single Sign-On (SSO) was turned on.

  • Fixed an issue where SSO configuration settings in the user's instance were deleted after they turned off SSO.

  • Fixed an issue where an administrator couldn't configure agent status restrictions without exposing them to agents.

  • Fixed an issue where custom contact lists could only be replaced, and not removed, after they were assigned to a team.

  • Fixed an issue where the inheritance indicator and Reset to parent button were missing from the queue level Contact List Management pane.

  • Fixed an issue where the SMS and Web chat availability preferences in the agent adapter were the reverse of how they were configured.

  • Fixed an issue where queue transfer restrictions were not saved after being configured.

  • Fixed an issue that occurred when a user attempted to name a new queue. The name field abruptly lost focus after the first character, forcing the user to enter the queue name again.

  • Fixed an issue where creating an instance would time out and fail.

  • Fixed an issue that prevented reports from being downloaded.

  • Fixed an issue where the chat history for blended SMS sessions failed to save.

  • Fixed an issue where the Transfer failed message didn't appear. This occurred when an agent failed to pick up a transferred call before the transferred call expiration time expired.

  • Fixed an issue where IVR call recordings failed to save or were corrupted. This resulted in recordings that were only one second long, were saved in the wrong format, or weren't saved at all.

  • Fixed an issue where completed chat sessions appeared in the chats waiting area of agent desktop.

  • Fixed an issue for CRM users with voicemails that are attached directly to tickets. An incorrect "External Storage must be configured" warning appeared when configuring voicemail options for IVR queues.

  • Fixed an issue where transfer restrictions that were configured and saved for a web queue did not appear correctly the next time the Transfer Restrictions pane for that queue was viewed.

  • Fixed an issue where the unread message count in the chat pane was inconsistent when viewing it from multiple browser tabs.

  • Fixed an issue in virtual assistant reporting where the finish_reason property was incorrectly assigned to the undefined value. Now the finish_reason property is assigned to descriptive values that describe the reason for the conclusion of the chat session.

  • Fixed an issue where PDF transcripts of chat sessions contained malformed links.

  • Fixed an issue in historical reports where the fields in the Failed Reason Description column were blank.

  • Fixed an issue where CSAT scores were missing from some advanced reporting dashboards.

  • Fixed an issue for HubSpot users that caused long delays in case creation for inbound calls.

  • Fixed an issue where the photo and video files that the agent provided in pre-session Smart Actions didn't appear in the CRM.

  • Fixed an issue where agents in Unavailable status couldn't see waiting web chats.

  • Fixed an issue where HTML was not rendering properly in virtual agent messages in the agent adapter.

  • Fixed an issue where agents were not switching into Wrap-up Exceeded status after a breakthrough call.

  • Fixed an agent desktop issue where administrators were unable to assign announcements to some teams or agents.

  • Fixed an agent desktop issue where agents couldn't copy text to the clipboard from an agent desktop custom panel.

  • Fixed an agent desktop issue where the term "Anonymous User" wasn't being translated into French.

  • Fixed an issue where the UJET_ID and ANI variables weren't passed correctly for SIP calls.

  • Fixed an issue where the chat adapter froze when agents switched between chats.

  • Fixed an issue on the Agents page of the Google Cloud CCaaS portal where administrators couldn't switch between session types.

  • Fixed an issue where a newly added Agent Assist platform displayed as Invalid even though it was valid.

  • Fixed an issue for Salesforce users where the call button didn't work when an agent attempted to call a number that was attached to a record for a previous call.

  • Fixed an issue where audio files with accented characters in their file names failed to play back when using a storage proxy.

  • Fixed an agent desktop issue where the UJET_ID variable in the custom URL for a custom panel wasn't being passed correctly.

  • Fixed an issue where calls originating from a native campaign generated two CRM tickets for the same interaction.

  • Fixed latency issues with web SDK Telnyx calls.

  • Fixed an issue where outbound Bring Your Own Carrier (BYOC) calls used a number other than the one agents selected in the agent adapter.

  • Fixed a Telnyx chatbot worker failure issue where background jobs related to call processing and chatbot escalations were failing and consuming excessive system resources.

  • Fixed an issue where calls to the bulk user upload endpoint returned a success status even when the uploads failed.

  • Fixed an issue in the chat waiting field of the agent desktop when multiple chats were in wrap-up. Instead of displaying Wrap-up in progress for all sessions in wrap-up, some sessions displayed Auto answered.

  • Fixed an issue in the queue group dashboard where the Callbacks waiting tile incorrectly included callbacks that were completed, abandoned, or failed.

  • Fixed an issue that caused inbound calls to disconnect if they were routed to an agent with a disabled microphone.

  • Fixed an issue for HubSpot users where logging the "call started" event (create_activity) in the ticket was delayed.

  • Fixed an issue that prevented transferred calls from being routed to available agents.

  • Fixed an issue in the agent adapter for French (Canada) where words weren't translated or were translated incorrectly.

  • Fixed an issue in call queue reporting where the Failed Reason Description for voice-scheduled mobile calls was not appearing.

  • Fixed an issue that prevented external chat transcripts from being passed into new chat sessions.

  • Fixed an advanced reporting issue where CSAT ratings were not appearing correctly when creating custom dashboards.

  • Fixed an advanced reporting issue where callbacks waiting metrics didn't match in the following dashboards: Queue Groups Dashboard Calls and Queued Calls Status Dashboard.

Google Kubernetes Engine

For AI models deployed on a GKE cluster, you can view details about these deployments in the Google Cloud console. The pages include deployment details, logs, and observability dashboards.

The following networking features are available:

  • In GKE version 1.33.4-gke.1055000 or later, you can control how external traffic reaches your Services on GKE clusters by using Network Service Tiers. You can configure the network tier to use either Standard Tier or Premium Tier when you create or update clusters or when you update LoadBalancer Services. For more information, see Configure external traffic with Network Service Tiers.

  • Starting with GKE versions 1.33 and later, you can enable automatic IP address management (auto IPAM) on GKE clusters. Auto IPAM dynamically adds or removes additional IP address ranges for nodes and Pods as the cluster scales up or down. This feature eliminates the need for large, potentially wasteful, upfront IP reservations and manual intervention during cluster scaling. For more information, see Use auto IP address management.

  • In GKE version 1.30.3-gke.1211000 and later, you can assign additional subnets to a VPC-native cluster. Additional subnets assigned to a cluster let you create new node pools where IPv4 addresses for both nodes and Pods come from the additional subnet ranges. This enhancement removes single-subnet limitations, increases scalability, and enhances the flexibility of your GKE clusters. For more information, see Add subnets to clusters.

Google SecOps Marketplace

Google Workspace: Version 22.0

  • Updated the action description to reflect that the action deletes the extension from the blocklist rather than deleting the extension from the organizational unit in the following action:

    • Delete Extension

Google Chronicle: Version 66.0

  • Updated processing of reference list rows in the following action:

    • Get Reference Lists

Google Threat Intelligence: Version 5.0

  • Added ability to filter by issue name in the following connector:

    • Google Threat Intelligence - ASM Issues Connector
  • Added ability to filter events in the following connector:

    • Google Threat Intelligence - DTM Alerts Connector

Microsoft Teams: Version 29.0

  • Refactored action logic in the following actions:

    • Get Authorization

    • Generate Token

Google SecOps SIEM

Google Workspace: Version 22.0

  • Updated the action description to reflect that the action deletes the extension from the blocklist rather than deleting the extension from the organizational unit in the following action:

    • Delete Extension

Google Chronicle: Version 66.0

  • Updated processing of reference list rows in the following action:

    • Get Reference Lists

Google Threat Intelligence: Version 5.0

  • Added ability to filter by issue name in the following connector:

    • Google Threat Intelligence - ASM Issues Connector
  • Added ability to filter events in the following connector:

    • Google Threat Intelligence - DTM Alerts Connector

Microsoft Teams: Version 29.0

  • Refactored action logic in the following actions:

    • Get Authorization

    • Generate Token

Google SecOps SOAR

Google Workspace: Version 22.0

  • Updated the action description to reflect that the action deletes the extension from the blocklist rather than deleting the extension from the organizational unit in the following action:

    • Delete Extension

Google Chronicle: Version 66.0

  • Updated processing of reference list rows in the following action:

    • Get Reference Lists

Google Threat Intelligence: Version 5.0

  • Added ability to filter by issue name in the following connector:

    • Google Threat Intelligence - ASM Issues Connector
  • Added ability to filter events in the following connector:

    • Google Threat Intelligence - DTM Alerts Connector

Microsoft Teams: Version 29.0

  • Refactored action logic in the following actions:

    • Get Authorization

    • Generate Token

Oracle Database@Google Cloud

Oracle Database@Google Cloud adds the following regions and zones for its services:

  • Exadata Database Service

    • europe-west2-a-r1 (London, Europe)
    • europe-west3-a-r2 (Frankfurt, Europe)
  • Exadata Database Service on Exascale infrastructure

    • asia-northeast1-a-r1 (Tokyo, Asia Pacific)
    • europe-west3-b-r1 (Frankfurt, Europe)
  • Base Database Service

    • asia-northeast1-a-r1 (Tokyo, Asia Pacific)
    • europe-west3-b-r1 (Frankfurt, Europe)
  • Autonomous Database Service

    • australia-southeast2 (Melbourne, Asia Pacific)
    • us-central1 (Iowa, North America)

For a full list of supported locations, see Supported regions and zones.

Security Command Center

Data Security Posture Management (available in Preview) lets you deploy frameworks with advanced data security cloud controls to app-enabled folders. For more information, see Deploy advanced data security cloud controls.

Vertex AI Workbench

M134 release

The M134 release of Vertex AI Workbench instances includes the following:

  • Patched a regression with custom notebook metrics reporting (for example, jupyterlab_kernels and docker_status metrics).
  • Updated the Dataproc JupyterLab plugin (dataproc-jupyter-plugin) to version 0.1.92.
  • When using Google Cloud CLI commands, the project and region properties are preset.

October 08, 2025

Access Approval

NCC Gateway is generally available (GA).

Access Transparency

NCC Gateway is generally available (GA).

BigQuery

The default limit of QueryUsagePerDay for on-demand pricing has changed. The default limit of all new projects is now 200 TiB. For existing projects, the default limit has been set based on your project's usage over the last 30 days. Projects that have custom cost controls configured or that use reservations aren't affected. If the new limit might affect your workload, create a custom cost control based on your workload needs.

You can set labels on reservations. These labels can be used to organize your reservations and for billing analysis. This feature is generally available (GA).

You can specify which reservation a query uses at runtime, and set IAM policies directly on reservations. This provides more flexibility and fine-grained control over resource management. This feature is generally available (GA).

Google Cloud Architecture Center

(New guide) Choose a design pattern for your agentic AI system: Learn how to select an agent design pattern to build your agentic AI system.

Google Kubernetes Engine

(2025-R42) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

Regular channel

Stable channel

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Stable channel.
  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.14-gke.1108000
    • 1.30.14-gke.1130000
    • 1.32.8-gke.1108000
    • 1.33.4-gke.1134000
  • Clusters in this channel running the listed minor version have new general auto-upgrade targets. GKE can upgrade control planes and nodes to the following new versions with this release:

Extended channel

No channel

(2025-R42) Security updates

This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.

To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:

GKE version | Container-Optimized OS version | Details
1.33.5-gke.1162000 | cos-121-18867-199-80 | cos-121-18867-199-80 release notes
1.34.1-gke.1279000 | cos-121-18867-199-80 | cos-121-18867-199-80 release notes
1.28.15-gke.2751000 | cos-113-18244-448-58 | cos-113-18244-448-58 release notes
1.29.15-gke.1989000 | cos-113-18244-448-58 | cos-113-18244-448-58 release notes
1.30.14-gke.1336000 | cos-113-18244-448-58 | cos-113-18244-448-58 release notes
1.31.13-gke.1023000 | cos-117-18613-339-77 | cos-117-18613-339-77 release notes
1.32.9-gke.1108000 | cos-117-18613-339-77 | cos-117-18613-339-77 release notes

Google SecOps

Multi-stage queries in YARA-L

This feature is currently in Preview.

Multi-stage queries in YARA-L are now available as a Preview feature. Multi-stage queries in YARA-L let you feed the output of one query stage directly into the input of a subsequent stage. This process gives you greater control over data transformation than a single, monolithic query. They are supported in both Dashboards and Search. Multi-stage queries can contain between 1 and 4 named stages, in addition to a root stage.

For more information, see Create multi-stage queries in YARA-L.

Google SecOps SIEM

Multi-stage queries in YARA-L

This feature is currently in Preview.

Multi-stage queries in YARA-L are now available as a Preview feature. Multi-stage queries in YARA-L let you feed the output of one query stage directly into the input of a subsequent stage. This process gives you greater control over data transformation than a single, monolithic query. They are supported in both Dashboards and Search. Multi-stage queries can contain between 1 and 4 named stages, in addition to a root stage.

For more information, see Create multi-stage queries in YARA-L.

SAP on Google Cloud

BigQuery Connector for SAP version 2.10

Version 2.10 of the BigQuery Connector for SAP is generally available (GA). This version resolves the non-ASCII character handling issue in CDC replication through Pub/Sub and enhances server-side error handling.

For more information, see What's new with BigQuery Connector for SAP.

ABAP SDK for Google Cloud version 1.12 (On-premises or any cloud edition)

Version 1.12 of the on-premises or any cloud edition of the ABAP SDK for Google Cloud is generally available (GA). This version lets you integrate Gemma models into your ABAP applications. In addition, the SDK improves your interaction with Gemini models by letting you control the randomness of the model's output and gain insight into the model's reasoning.

For more information, see What's new with the on-premises or any cloud edition of the ABAP SDK for Google Cloud.

October 07, 2025

Apigee APIM Operator

Previously unreported customer DNS misconfigurations now result in DNS errors

Apigee removed the automatic DNS fallback functionality that was in 1-16-0-apigee-2. This removal surfaces customer DNS misconfigurations that previously did not show as DNS errors.

See Known Issue 445936920.

Apigee UI

On October 7, 2025, we released an updated version of the Apigee UI.

Output from print statements is now displayed in the Debug session viewer

A new option has been added to the transaction navigation table header in the Debug session viewer that opens the Transaction output window. The Transaction output window displays print() output from either all transactions in the debug session, or a specific transaction from the session. See Creating a debug session for details.

Apigee X

Previously unreported customer DNS misconfigurations now result in DNS errors

Apigee removed the automatic DNS fallback functionality that was in 1-16-0-apigee-2. This removal surfaces customer DNS misconfigurations that previously did not show as DNS errors.

See Known Issue 445936920.

Apigee hybrid

hybrid v1.14.3

On October 7, 2025, we released an enhancement to Apigee hybrid version 1.14.3: recurring, top-up, and setup fees for Apigee hybrid monetization.

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information, see Enabling monetization for Apigee hybrid.

Bug ID | Description
419578402 | Mint-Mart forward proxy compatible.

BigQuery

As of February 25, 2025, enhancements to the workload management autoscaler that were announced on July 31, 2024 have rolled out to all users. These enhancements are generally available (GA).

Bigtable

The Cassandra-Bigtable proxy adapter, which lets you connect your Apache Cassandra-based applications to Bigtable, is generally available (GA).

You can connect to Bigtable from Java applications and other reporting tools that support a generic JDBC adapter by using the Bigtable JDBC driver. This feature is available in Preview.

Cloud CDN

Cloud CDN provides predefined dashboards that are enabled by default for a quick insight into system health and performance. These dashboards display key metrics that enable you to monitor traffic distribution and cache effectiveness without manual configuration. This feature is Generally Available.

For more information, see Predefined dashboards.

Cloud Run functions

Cloud Run functions (1st gen) supports the Node.js 22 runtime at the General Availability release level.

Colab Enterprise

Post-startup scripts

Preview: You can use a post-startup script to perform tasks after the startup process of your Colab Enterprise runtime. For example, you can use a post-startup script to install specific packages or make specific changes to your runtime's VM. For more information, see Use a post-startup script.

Config Connector

Bug Fixes:

  • Added support for checking etag in spec for alpha resources.
  • Fixed an issue where CloudIdentityMembership roles comparison would fail.
  • Fixed a bug where the wrong GVK was reported in IAM controller.
  • Fixed a bug where errors were swallowed when reading a Secret.
  • Fixed an issue with LRO endTime in mockgcp.
  • Fixed a bug in the etag mapper.
  • Fixed a bug in the mapper generator for slice and single object map.
  • Fixed a bug in the mapper generator for OneOf if the input is not proto.Message.
  • Fixed an import for refs in the same package in controllerbuilder.

Config Connector version 1.136.1 is now available.

New Fields:

  • ComposerEnvironment
    • Added spec.storageConfig field.
    • Added spec.config.workloadsConfig.dagProcessor field.
    • Added spec.config.workloadsConfig.triggerer field.
    • Added spec.config.softwareConfig.webServerPluginsMode field.
    • Added spec.config.softwareConfig.cloudDataLineageIntegration field.

Reconciliation Improvements:

  • Introduced Stateful Reconciliation for Direct Controllers. With stateful reconciliation, the direct controller stores a hash of the last successfully applied .spec in the resource's .status. This provides a lightweight, GitOps-safe record when a user has modified the desired state of the resource.

Generative AI on Vertex AI

Save and share prompts in Vertex AI Studio: You can now save and share prompts in Vertex AI Studio. Sharing prompts lets you collaborate with team members, ensure consistency, and build a library of effective prompts for various tasks. For more information, see Save and share prompts.

The following Qwen models are available in Model Garden:

  • Qwen-Image
  • Qwen-Image-Edit
  • Qwen-Image-Edit-2509

The Gemini 2.5 Computer Use model and tool (gemini-2.5-computer-use-preview-10-2025) is now available in Preview. The Computer Use model and tool lets you enable your applications to interact with and automate tasks in the browser. With the Computer Use model and tool, you can build agents that can:

  • Automate repetitive data entry or form filling on websites.

  • Navigate websites to gather information.

  • Assist users by performing sequences of actions in web applications.

Google Kubernetes Engine

Starting with GKE version 1.33.2-gke.1240000 and later, you can specify the network tier (Standard or Premium) for ephemeral IP addresses used by the gke-l7-regional-external-managed-mc GatewayClass. For more information, see Configure Network Tier.

Google SecOps

Manage parser versions

This feature is in preview.

You now have granular control over how new pre-built parser versions are deployed within your environment.

This feature lets you manage parser updates by taking the following actions:

  • Opt in or opt out of automatic parser updates.

  • Review and compare the processing logic between different parser versions.

  • Manually update a parser to a newer version.

  • Revert to a previously deployed, stable parser version.

For details, see Manage prebuilt parser versions.

Azure AD Organizational Context default parser rollback

The recent update to the pre-built Azure AD Organizational Context (AZURE_AD_CONTEXT) parser has been rolled back. This action was necessary to resolve a performance degradation issue that was introduced in the latest parser version. For more information about the exact changes and rollback timeline, see the change log for the pre-built parser.

Google SecOps SIEM

Manage parser versions

This feature is in preview.

You now have granular control over how new pre-built parser versions are deployed within your environment.

This feature lets you manage parser updates by taking the following actions:

  • Opt in or opt out of automatic parser updates.

  • Review and compare the processing logic between different parser versions.

  • Manually update a parser to a newer version.

  • Revert to a previously deployed, stable parser version.

For details, see Manage prebuilt parser versions.

Azure AD Organizational Context default parser rollback

The recent update to the pre-built Azure AD Organizational Context (AZURE_AD_CONTEXT) parser has been rolled back. This action was necessary to resolve a performance degradation issue that was introduced in the latest parser version. For more information about the exact changes and rollback timeline, see the change log for the pre-built parser.

Security Command Center

Google Cloud console pages for all Security Command Center tiers have been enhanced.

  • The following changes were made to all service tiers—Standard, Premium, and Enterprise:

    • You can refresh findings in the Finding query results panel.
    • The JSON tab on the detail pane of the Findings page displays the raw findings JSON object, making it compatible with APIs.
    • Autocompletion of a query in the Findings page query editor is improved.
    • The Findings > Quick filters panel shows default values if there is an error fetching results.
    • The Findings > Quick filters panel shows separate State and Mute filter sections.
  • The following changes were made to the Enterprise service tier:

    • Added support for the Vulnerabilities page.
    • Added support for security marks.
    • Added support for the Threats dashboard on the Risk overview page.
    • The finding detail panel on the Issues page is updated. Open the panel using the View details button when viewing a toxic combination issue type.
    • Additional query operators and query functions are available.
    • The opt-out banner is no longer available.

October 06, 2025

Access Transparency

Vertex AI Agent Engine is generally available (GA).

AlloyDB for PostgreSQL

AlloyDB supports the tds_fdw extension, which provides a foreign data wrapper for accessing databases—such as Microsoft SQL Server and Sybase—that use the Tabular Data Stream (TDS) protocol. For more information, see Supported database extensions. This feature is generally available (GA).

BigQuery

The INFORMATION_SCHEMA.SHARED_DATASET_USAGE view now includes the following schema fields to support usage metrics for external tables and routines:

  • shared_resource_id: the ID of the queried resource
  • shared_resource_type: the type of the queried resource
  • referenced_tables: Contains project_id, dataset_id, table_id, and processed_bytes fields of the base table.

These fields are generally available (GA).

The BigQuery Data Transfer Service can now transfer reporting data from Google Analytics 4 into BigQuery. You can also include custom reports from Google Analytics 4 in your data transfer. This feature is generally available (GA).

The BigQuery Data Transfer Service can now transfer data from the following data sources:

Transfers from these data sources are supported in preview.

You can now set the priority of BigQuery jobs initiated by Dataform workflows to run queries as interactive jobs that start running as quickly as possible or as batch jobs with lower priority. For more information, see Create a pipeline schedule and InvocationConfig. This feature is generally available (GA).

Starting March 17, 2026, the BigQuery Data Transfer Service will require the bigquery.datasets.setIamPolicy and the bigquery.datasets.getIamPolicy permissions on the target dataset to create or update a transfer configuration. For more information, see Changes to dataset-level access controls.

Bigtable

You can optimize storage with Bigtable tiered storage, reduce storage costs, and retain data for longer. This feature is available in Preview.

Cloud Load Balancing

Percentage-based request mirroring is now supported for the global and regional external Application Load Balancers (classic is not supported). By default, the mirrored backend service receives all requests, even if the original traffic is being split between multiple weighted backend services. You can now configure the mirrored backend service to receive only a percentage of the requests by using the mirrorPercent flag to specify the percentage of requests to be mirrored, expressed as a value between 0 and 100.0.

For an example, see Set up traffic management for regional external Application Load Balancers.

This feature is available in General availability.

Cloud Run

Support for applying maximum instance configuration at the service level is in General Availability (GA).

Cloud SQL for PostgreSQL

You can now assess the upgrade readiness of your Cloud SQL for PostgreSQL instances before a major version upgrade by running a precheck. This precheck either confirms your instance can be upgraded, or lists issues and their solutions that need to be fixed prior to upgrading. For more information, see Assess upgrade readiness for your instance.

Cloud SQL for SQL Server

You can now use advanced disaster recovery (DR) for your Private Service Connect (PSC) enabled Cloud SQL Enterprise Plus edition instances. With advanced DR, you can:

  • Designate a cross-region disaster recovery (DR) replica
  • Perform a cross-region replica failover for disaster recovery
  • Restore your original deployment by using zero-data loss switchover

You can also use switchover to simulate disaster recovery without data loss. For more information, see Use advanced disaster recovery (DR). This feature is generally available (GA).

Compute Engine

The Google Cloud optimized (-optimized-gcp) and accelerated (optimized-gcp-nvidia-*) versions of the Rocky Linux images now include the CIQ SIG/Cloud Next repository. This repository provides a cloud-optimized kernel. Additionally, the accelerated images now also include the CIQ SIG/Cloud Next Nonfree repository, which provides access to proprietary GPU drivers for the cloud-optimized kernel.

This update is applied to images created on or after September 12, 2025.

For more information about Rocky Linux OS images, see Rocky Linux on the operating system details page.

Container Optimized OS

cos-beta-125-19216-0-76

Kernel | Docker | Containerd | GPU Drivers
COS-6.12.46 | v27.5.1 | v2.1.3 | See List

Configured the cos-gpu-installer to use R580 drivers as the default GPU drivers.

Add support for NVIDIA MFT Tools v4.33.0.

Updated dev-python/urllib3 to v1.26.18 and fixed CVE-2025-50181.

Updated dev-python/jinja to v3.1.6. This resolves CVE-2024-56326, CVE-2024-56201 and CVE-2025-27516.

Fixed CVE-2025-39913 in the Linux kernel.

Fixed CVE-2025-39914 in the Linux kernel.

Fixed CVE-2025-39911 in the Linux kernel.

Fixed CVE-2025-39926 in the Linux kernel.

Fixed CVE-2025-39917 in the Linux kernel.

Fixed CVE-2025-22106 in the Linux kernel.

Fixed KCTF-1b34cbb in the Linux kernel.

Fixed CVE-2025-39886 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811504 -> 811450

cos-121-18867-199-88

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.105 | v27.5.1 | v2.0.6 | See List

Add support for NVIDIA MFT Tools v4.33.0.

Fixed CVE-2025-50181 in dev-python/urllib3.

Fixed CVE-2025-39914 in the Linux kernel.

Fixed CVE-2025-39913 in the Linux kernel.

Fixed CVE-2025-39911 in the Linux kernel.

Fixed CVE-2025-22106 in the Linux kernel.

Fixed KCTF-1b34cbb in the Linux kernel.

Fixed CVE-2025-39882 in the Linux kernel.

Fixed CVE-2025-39886 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811826 -> 811724

cos-117-18613-339-84

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.105 | v24.0.9 | v1.7.28 | See List

Add support for NVIDIA MFT Tools v4.33.0.

Fixed CVE-2025-50181 in dev-python/urllib3.

Fixed CVE-2025-39914 in the Linux kernel.

Fixed CVE-2025-39913 in the Linux kernel.

Fixed CVE-2025-39911 in the Linux kernel.

Fixed CVE-2025-22106 in the Linux kernel.

Fixed KCTF-1b34cbb in the Linux kernel.

Fixed CVE-2025-39882 in the Linux kernel.

Fixed CVE-2025-39886 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811817 -> 811788

cos-dev-129-19302-0-0

Kernel | Docker | Containerd | GPU Drivers
COS-6.12.49 | v27.5.1 | v2.1.3 | See List

Updated the Linux kernel to v6.12.49.

Configured the cos-gpu-installer to use R580 drivers as the default GPU drivers.

Add support for NVIDIA MFT Tools v4.33.0.

Updated dev-python/jinja to v3.1.6. This resolves CVE-2024-56326, CVE-2024-56201 and CVE-2025-27516.

Runtime sysctl changes:

  • Changed: fs.file-max: 811490 -> 811493
  • Changed: net.ipv4.udp_mem: 188034 250715 376068 -> 188034 250714 376068

cos-113-18244-448-63

Kernel | Docker | Containerd | GPU Drivers
COS-6.1.151 | v24.0.9 | v1.7.27 | See List

Fixed CVE-2025-50181 in dev-python/urllib3.

Fixed CVE-2025-39914 in the Linux kernel.

Fixed CVE-2025-39913 in the Linux kernel.

Fixed KCTF-1b34cbb in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812039 -> 811950

Dataform

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataform resources. For more information, see Create custom organization policy constraints. This feature is generally available (GA).

You can now set the priority of BigQuery jobs in Dataform to run queries as interactive jobs that start running as quickly as possible or as batch jobs with lower priority. For more information, see Create a workflow configuration and InvocationConfig. This feature is generally available (GA).

Dataproc

Dataproc on Compute Engine: The following diagnostic properties are now enabled by default for new Dataproc clusters created with 2.0+ image versions:

Note: To disable any of these features, set the corresponding property to false during cluster creation.

To continue using the Ops Agent initialization action opsagent.sh to ingest syslogs from Dataproc cluster nodes, do one of the following:

  • Recommended: Use opsagent_nosyslog.sh since VM syslogs are emitted by default from Dataproc clusters.
  • Set dataproc:dataproc.logging.syslog.enabled=false and continue using opsagent.sh to ingest syslogs.

Serverless for Apache Spark: Upgraded Apache Spark to version 3.5.3 in the latest 2.3 Serverless for Apache Spark runtime versions.

Document AI

Custom extractor model pretrained-foundation-model-v1.5.1-2025-08-07 with improved adaptive few-shot learning is available as Release Candidate (Preview).

Firestore in Datastore mode

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-datastore

2.32.2 (2025-10-04)

Dependencies

  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.3 (#1973) (141ec94)

Generative AI on Vertex AI

Updated pricing for Vertex AI Agent Engine: Starting on November 6, 2025, Vertex AI Agent Engine Runtime will start charging for runtime usage for the following regions:

  • asia-southeast1 (Singapore)
  • australia-southeast2 (Melbourne)
  • europe-west2 (London)
  • europe-west3 (Frankfurt)
  • europe-west4 (Netherlands)

For more details, see Pricing for Vertex AI Agent Engine.

Access Transparency for Vertex AI Agent Engine: Access Transparency is now available for Vertex AI Agent Engine. For more information, see the overview for Enterprise security.

Google Cloud Marketplace

We've updated the Cloud Commerce Procurement API's GET Account resource to provide the reseller parent Cloud Billing account ID for transactions associated with resold Cloud Billing accounts. For transactions on direct Cloud Billing accounts, no value is returned for the reseller parent Cloud Billing account ID. For details, see the Cloud Commerce Procurement API documentation.

Google Cloud Marketplace Partners

We've updated the Cloud Commerce Procurement API's GET Account resource to provide the reseller parent Cloud Billing account ID for transactions associated with resold Cloud Billing accounts. For transactions on direct Cloud Billing accounts, no value is returned for the reseller parent Cloud Billing account ID. For details, see the Cloud Commerce Procurement API documentation.

Google SecOps

Advanced BigQuery Export

This feature is in preview.

This feature is available for Google SecOps Enterprise Plus customers only.

Advanced BigQuery Export automatically provisions and manages essential Google SecOps datasets in a secure, Google-managed BigQuery project. You gain secure, read-only access to this data through a BigQuery linked dataset, which appears directly in your own Google Cloud project. This functionality lets you query your security data as if it were stored locally, but without the overhead of managing the data pipeline or storage.

For details, see Use Advanced BigQuery Export.

Google SecOps SIEM

Advanced BigQuery Export

This feature is in preview.

This feature is available for Google SecOps Enterprise Plus customers only.

Advanced BigQuery Export automatically provisions and manages essential Google SecOps datasets in a secure, Google-managed BigQuery project. You gain secure, read-only access to this data through a BigQuery linked dataset, which appears directly in your own Google Cloud project. This functionality lets you query your security data as if it were stored locally, but without the overhead of managing the data pipeline or storage.

For details, see Use Advanced BigQuery Export.

Looker

Looker 25.18 is expected to include the following changes, features, and fixes:

  • Expected Looker (original) deployment start: Tuesday, October 7, 2025

  • Expected Looker (original) final deployment and download available: Thursday, October 16, 2025

  • Expected Looker (Google Cloud core) deployment start: Tuesday, October 7, 2025

  • Expected Looker (Google Cloud core) final deployment: Monday, October 20, 2025

Conversational Analytics users with the save_agents permission can now share data agents, which lets other users chat with the data agent and its Explores. (This release note was added on October 9, 2025.)

You can now set the Auto Resize Value setting on single value visualizations. This setting has no effect if the Smart Single Value Text Size setting is enabled on the Admin > General Settings page.

The Athena JDBC driver version has been upgraded from 2.1.5 to 2.2.2. The Athena JDBC driver is used for connections to Amazon Athena.

An issue has been fixed where subtotal values could display incorrect values after a filter was added or updated. This feature now performs as expected.

An issue has been fixed where, when dashboard filters were updated, table visualizations could get incorrectly cropped to exclude the Total row and scroll bar. This feature now performs as expected.

An issue has been fixed where the Collapse Subtotal toggle wasn't collapsing subtotals on table visualizations. This feature now performs as expected.

An issue has been fixed where the maximum column limit warning could obscure the contents of a visualization. This feature now performs as expected.

An issue has been fixed where users couldn't sort tables that included pivoted values. This feature now performs as expected.

LookML dashboards that aren't deployed to production can no longer be moved into folders other than the LookML Dashboards folder.

LookML project parse errors now include the LookML file path as well as the line number of the error.

An issue has been fixed where Databricks connections that used OAuth could not be saved if the password field was blank. You can now use OAuth without entering a password on the connections page.

An issue has been fixed where users were sometimes unable to add line breaks to table calculations. This feature now performs as expected.

An issue has been fixed where certain countries would not be displayed when a custom TopoJSON file was used. The following country names are now supported:

  • Czechia for Czech Republic
  • Eswatini for Swaziland
  • Brunei Darussalam for Brunei
  • North Macedonia for Macedonia
  • Timor-Leste for East Timor

Looker 25.18 contains the following accessibility improvements:

  • You can navigate drill menus by using a keyboard.

  • When you select a button toggle with a keyboard, the focus ring uses more contrasting colors.

  • You can switch button toggles on or off by using the Enter key.

  • When you use a keyboard to select a Look, dashboard, or folder that's inside a folder, a focus ring will appear around the selected item.

  • You can now use a keyboard to edit boards.

  • You can now use the keyboard to access LookML field definitions in the field picker.

  • The Alerts dialog is now compatible with screen readers.

  • The Series tab of the visualization editor is now compatible with screen readers.

  • Tile notes are now added to ARIA descriptions.

  • Actions for pivot columns are now accessible with a keyboard.

  • The color contrast has been improved on large text boxes such as the custom filter editor.

  • The options in the visualization settings panel now have names that can be read by screen readers.

  • The state of expanded dialogs on the Explore page, such as the field picker and visualization settings panel, can now be read by screen readers.

An issue has been fixed where, when dashboard filters were updated, column widths could resize on table visualizations that included pivoted values. This feature now performs as expected.

An issue has been fixed where non-string values that were entered in the expression element of the dynamic_fields section of a LookML dashboard could cause the LookML validator to crash. This feature now performs as expected.

The Prerender iframes for custom visualizations feature is now generally available on the Admin > Content Guardrails page.

The Smart single value text size feature is now generally available on the Admin > General Settings page.

The API endpoint search_lookml_dashboards is now generally available. This endpoint is similar to the search_dashboards endpoint except that it searches LookML dashboards instead of user-defined dashboards.

The Data History Playback feature is now generally available on the Admin > Settings page.

The Reduce Filter Queries feature is now generally available on the Admin > Settings page.

Looker admins can no longer create or edit individual users' API keys. Instead, from the Admin > Users page, admins can enable users to manage their own API keys. Once a user has API key management enabled, they can create, view, edit, and delete their API keys from their Looker account page. Note: This item was changed on October 9, 2025 to specify that it supports Looker (Google Cloud core) only, and it was changed again on October 22, 2025 to indicate that it's a breaking change.

The Prerender iframes for custom visualizations feature is now out of Labs and generally available on the Admin > Content Guardrails page.

The Smart single value text size feature is now out of Labs and generally available on the Admin > General Settings page.

The API endpoint search_lookml_dashboards is now out of Labs and generally available. This endpoint is similar to the search_dashboards endpoint except that it searches LookML dashboards instead of user-defined dashboards.

The Data History Playback Labs feature is now out of Labs and generally available on the Admin > Settings page.

The Reduce Filter Queries Labs feature is now out of Labs and generally available on the Admin > Settings page.

Memorystore for Valkey

For each primary node of a Memorystore for Valkey instance, you can now have up to five replica nodes. For more information, see Memorystore for Valkey overview. This feature is Generally Available.

Organization Policy

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataform resources. For more information, see Create custom organization policy constraints. This feature is generally available (GA).

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataform resources. For more information, see Create custom organization policy constraints. This feature is generally available (GA).

October 05, 2025

Google SecOps SIEM

Release 6.3.63 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

Google SecOps SOAR

Release 6.3.63 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

October 04, 2025

Google SecOps SIEM

Release 6.3.62 is now available for all regions.

Google SecOps SOAR

Release 6.3.62 is now available for all regions.

October 03, 2025

Access Approval

NCC Gateway is available in Preview.

Access Transparency

NCC Gateway is available in Preview.

Capacity Planner

Preview: Capacity Planner supports the following:

  • Usage and forecast data for Hyperdisk volumes
  • Usage and forecast data for Persistent Disk and Hyperdisk volume IOPS and throughput
  • Usage data for Spot VMs

For more information, see View usage and forecast data.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL now supports PostgreSQL version 18 in Preview.

PostgreSQL 18 is a newly supported version. We strongly recommend that you review the changes in the release and validate the readiness of your instance thoroughly prior to upgrading your instance to this version.

The following information applies to flags and extensions for PostgreSQL 18:

Flags

The following new flags are available for PostgreSQL 18 only:

  • autovacuum_vacuum_max_threshold
  • autovacuum_worker_slots
  • enable_distinct_reordering
  • enable_self_join_elimination
  • io_max_concurrency
  • io_method
  • io_workers
  • log_lock_failures
  • max_active_replication_origins
  • track_cost_delay_timing
  • vacuum_max_eager_freeze_failure_rate
  • vacuum_truncate

For more information, see Configure database flags.

Extensions

The following extensions aren't available for PostgreSQL 18:

  • pgRouting
  • plpgsql_check
  • pg_hint_plan
  • pgrouting
  • anonymizer
  • pg_wait_sampling
  • tds_fdw

For more information, see Configure PostgreSQL extensions.

To create a new instance using PostgreSQL 18, see Create instances.

Confidential Space

New Confidential Space images (251000 and 251001) are now available.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.150-debian10, 2.0.150-ubuntu18, 2.0.150-rocky8
  • 2.1.99-debian11, 2.1.99-ubuntu20, 2.1.99-ubuntu20-arm, 2.1.99-rocky8
  • 2.2.67-debian12, 2.2.67-ubuntu22, 2.2.67-ubuntu22-arm, 2.2.67-rocky9
  • 2.3.14-debian12, 2.3.14-ubuntu22, 2.3.14-ubuntu22-arm, 2.3.14-ml-ubuntu22, 2.3.14-rocky9

Generative AI on Vertex AI

Prompt management

Vertex AI offers tooling to help manage prompts and prompt versions. In addition to the prompt management capabilities in Vertex AI Studio, prompts can be stored and versioned using the Vertex AI SDK.

For more information, see the Prompt management API reference.

Google Cloud VMware Engine

This is to notify you about upcoming changes to the licensing model for Google Cloud VMware Engine following Broadcom's recent announcement to move to a "bring your own" subscription model for VMware Cloud Foundation (VCF).

You can renew or add additional capacity of VMware Engine nodes with VCF-license included until October 15, 2025. After that, Google Cloud will not be able to sell new VMware Engine VCF license-included nodes. You can buy new VMware Engine BYOL nodes and use them with "bring your own" VCF subscriptions (purchased by you from Broadcom) for new capacity after October 15, 2025.

For any questions, please reach out to your Google Cloud sales team, who can help review your specific scenarios, discuss the implications of these changes for your organization, and help you manage this transition.

For more details, see the October 3, 2025 service announcement.

Google SecOps

Customer-managed encryption key compliance now includes support for data tables

Google SecOps has expanded its coverage of Customer-Managed Encryption Key (CMEK) compliance to now include support for data tables.

For more information, see CMEK for Google SecOps.

Google SecOps SIEM

Customer-managed encryption key compliance now includes support for data tables

Google SecOps has expanded its coverage of Customer-Managed Encryption Key (CMEK) compliance to now include support for data tables.

For more information, see CMEK for Google SecOps.

Organization Policy

Select Workload Identity Federation resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which Workload Identity Federation resources support custom constraints and to view sample use cases, see Use custom organization policies for Workload Identity Federation.

This feature is available in General Availability.

Resource Manager

Select Workload Identity Federation resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which Workload Identity Federation resources support custom constraints and to view sample use cases, see Use custom organization policies for Workload Identity Federation.

This feature is available in General Availability.

SAP on Google Cloud

New SAP certification for operating system: RHEL for SAP 9.6

For use with SAP HANA and SAP NetWeaver on Google Cloud, SAP has certified the operating system Red Hat Enterprise Linux (RHEL) for SAP 9.6.

For more information about SAP-certified operating systems, see:

October 02, 2025

Apigee Advanced API Security

On October 2, 2025 we released an updated version of Advanced API Security Abuse Detection

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Introduction of exclusion lists for Abuse Detection and incidents

You can now specify CIDR ranges and IP addresses to exclude from future incident reports. Use this feature to exclude traffic known to be safe, such as requests related to automated testing.

The new functionality includes the ability to create and manage multiple "exclusion lists" which define traffic to exclude and the reasons it is excluded.

Note: Exclusion lists are not available for VPC-SC customers at this time.

For usage information, see Exclude traffic from abuse detection in the documentation.

BigQuery

You can now use the notebook gallery in the BigQuery web UI as your central hub for discovering and using prebuilt notebook templates. This feature is in preview.

Cloud Monitoring

Application Monitoring is now generally available (GA). Application Monitoring lets you monitor the resources and infrastructure from the perspective of an App Hub application. The out-of-the-box dashboards that Application Monitoring creates can help you understand how your application's resources are performing, and they can help you diagnose issues.

Compute Engine

Version 20250930.01 of the guest agent, which introduces the plugin-based architecture to Debian 11, is now available.

For more information about the plugin-based architecture, see Guest agent.

Gemini Enterprise

Google Agentspace: Configure prompt chips

You can create, delete, edit, and enable or disable Google-provided and custom prompts that provide better guidance to your users.

For more information, see Configure prompt chips.

Google Agentspace: Generate images using Nano Banana (GA)

Image generation and editing with Nano Banana (Gemini 2.5 Flash Image) is generally available (GA) in Google Agentspace across Global, EU, and US multi-regions.

For more information on generating images, see Generate an image.

Generative AI on Vertex AI

Gemini 2.5 Flash Image (gemini-2.5-flash-image) is now generally available. This GA release adds support for aspect ratio controls, image-only response modality, regional endpoints, support for batch predictions, image generation from multiple reference images, and improved multi-turn image editing.

See Gemini 2.5 Flash Image for more information.

Google Gen AI SDK in C# Preview

Preview: The Google Gen AI SDK is available in C#. See googleapis/dotnet-genai.

This release includes support for GenerateContentAsync, GenerateContentStreamAsync, GenerateImagesAsync, and three Live APIs, which includes SendClientContentAsync, SendRealtimeInputAsync, and SendToolResponseAsync.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.33.100-gke.89 is now available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.33.100-gke.89 runs on Kubernetes v1.33.4-gke.900.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following issues were fixed in 1.33.100-gke.89:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.33.100-gke.89 is now available for download. To upgrade, see Upgrade clusters. Distributed Cloud for bare metal 1.33.100-gke.89 runs on Kubernetes v1.33.4-gke.900.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Distributed Cloud for bare metal.

The following issues were fixed in 1.33.100-gke.89:

  • Fixed an issue where the cluster restore process leaves the Kubelet certificate files as regular files instead of symbolic links, preventing certificate rotation.

  • Fixed the etcd-cleanup job timeout issue caused by the use of incorrect certificates.

  • This patch release doesn't include new fixes for specific, externally-cited vulnerabilities.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Kubernetes Engine

(2025-R41) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • Version 1.34.0-gke.2201000 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.31.12-gke.1110000
    • 1.32.8-gke.1170000
    • 1.34.0-gke.1662000
    • 1.34.0-gke.2011000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.12-gke.1220000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.9-gke.1010000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.12-gke.1220000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.9-gke.1010000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.34 to version 1.34.0-gke.2201000 with this release.

Regular channel

  • Version 1.33.4-gke.1245000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1130000
    • 1.31.12-gke.1110000
    • 1.32.8-gke.1134000
    • 1.33.4-gke.1172000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1150000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.8-gke.1170000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.33.4-gke.1245000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1150000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.8-gke.1170000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.4-gke.1245000 with this release.

Stable channel

  • Version 1.33.4-gke.1134000 is now the default version for cluster creation in the Stable channel.
  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.14-gke.1059000
    • 1.32.6-gke.1060000
    • 1.33.3-gke.1136000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.14-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.32.8-gke.1108000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.14-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.32 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.33 to version 1.33.4-gke.1134000 with this release.

Extended channel

  • Version 1.33.4-gke.1245000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2610000
    • 1.28.15-gke.2730000
    • 1.29.15-gke.1835000
    • 1.29.15-gke.1971000
    • 1.30.14-gke.1130000
    • 1.31.12-gke.1110000
    • 1.32.8-gke.1134000
    • 1.33.4-gke.1172000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2630000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2630000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1851000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1150000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1170000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1245000 with this release.

No channel

Guest Environment

Version 20250930.01 of the guest agent, which introduces the plugin-based architecture to Debian 11, is now available.

For more information about the plugin-based architecture, see Guest agent.

Looker

The sql_preamble parameter now supports Liquid statements. This update is supported on Looker 25.12 and later versions.

Looker Studio

Double-click to resize chart margins

You can now double-click the chart boundaries of a time, a bar, a line, an area, or a scatter chart to reset the boundaries to their default settings.

More data from Google Ads

You can visualize the following fields using the Google Ads connector:

  • Conversions (by conv. date)
  • Conv. value (by conv. date)
  • All conv. (by conv. date)
  • All conv. value (by conv. date)
  • New vs. returning customers
  • Gross profit
  • Gross profit margin

Sensitive Data Protection

This is an addition to the May 1 release note announcing the deprecation of the ability to send inspection and discovery results from Sensitive Data Protection to Data Catalog.

If you have workflows that create inspection jobs or job triggers and set the deprecated PublishFindingsToCloudDataCatalog action, you must update those workflows by January 30, 2026. On or after this date, new jobs and job triggers that are created by those workflows will fail.

Spanner

You can now use repeatable read isolation (in Preview) to reduce latency and transaction abort rates for workloads that have many reads contending with fewer writes. For more information, see Repeatable read isolation.

Vertex AI Search

Vertex AI Search: Renamed from AI Applications

The AI Applications product has been renamed as Vertex AI Search in the following contexts:

What has not changed:

  • The user interface in the Google Cloud console is still referred to as AI Applications. See AI Applications.
  • The APIs still use the DiscoveryEngine API endpoints. See APIs and reference.

Despite the rebrand, the product functionality remains the same.

October 01, 2025

Access Approval

Certificate Manager is generally available (GA).

Access Transparency

Certificate Manager is generally available (GA).

Agent Assist

Smart compose is no longer in use and will be permanently removed in October 2025. Refer to Generative smart reply for an alternative.

BigQuery

You can now apply a SQL query generated in the Gemini Cloud Assist chat to the query open in your editor. This feature is in Preview.

Carbon Footprint

Cloud Carbon Footprint launched an improved data export experience in the Cloud Carbon console, now available in Experimental Preview.

When you click Data export on the Cloud Carbon console UI for a given billing account, you can now see Carbon Footprint exports that you have access to for that billing account, in addition to the ability to create a new data export. This feature helps you better manage your Carbon Footprint exports in BigQuery. Read more for details.

In some cases, the list of exports may not be complete for the following reasons:

  • Permissions: The export was configured in a project that you don't have permission to view.
  • Performance Optimization: To optimize performance and prevent latency when you have access to a very large number of projects, the search may not display exports in all projects.

Cloud Run functions

Cloud Run functions now provides an upgrade tool for upgrading 1st gen functions to Cloud Run. This feature is in Preview.

Google Cloud Managed Service for Apache Kafka

Support for Kafka Connect is now generally available (GA). Kafka Connect lets you stream data at scale between Managed Service for Apache Kafka clusters and other systems, such as external Kafka deployments, BigQuery, Cloud Storage, or Pub/Sub. For more information, see Kafka Connect overview.

Google Kubernetes Engine

The GKE cluster autoscaler now allows for a significantly longer node drain time. From GKE version 1.32.7-gke.1079000 and later, the graceful node drain timeout has been increased from 10 minutes to 1 hour. For more information, see How cluster autoscaler works.

The InPlaceOrRecreate mode for Vertical Pod Autoscaler (VPA) is now available for Public Preview in GKE.

This mode uses In-Place Pod Resize (IPPR/IPPU), which allows VPA to automatically adjust workload resources, without requiring Pod recreation. This seamless rightsizing capability helps ensure better service continuity and helps minimize costs by optimizing resource allocation, particularly during idle periods.

VPA is enabled by default in Autopilot clusters. For Standard clusters, you must first enable VPA. For more information on configuring a VPA object, see Set Pod resource requests automatically.

NetApp Volumes

The manual QoS feature is now generally available for Google Cloud NetApp Volumes, supporting the Standard, Premium, and Extreme service levels. For more information, see Manual QoS.

Oracle Database@Google Cloud

Oracle Database@Google Cloud supports customer-managed encryption keys (CMEK) using Cloud Key Management Service. You can enable CMEK on Exadata VM Clusters and Autonomous Databases. This feature is generally available (GA).

Spanner

The Spanner CLI is generally available. The Spanner command-line interface is bundled with gcloud, and you can use it to open an interactive session or automate SQL executions from the shell or an input file.

Vertex AI Workbench

Generally available (GA): You can use Workforce Identity Federation with Vertex AI Workbench instances. Workforce Identity Federation lets you create and manage Vertex AI Workbench instances with credentials provided by an external identity provider (IdP). For more information, see Create an instance with third party credentials.

September 30, 2025

AlloyDB for PostgreSQL

You can enable alloydb.enable_cache_aware_costing to turn on cache awareness for AlloyDB for PostgreSQL's query planner. This improves index scan query plans for query performance and reduces IO costs. This feature is in Preview.

Cloud Composer

The GCE_METADATA_TIMEOUT environment variable is changed to reserved. This change addresses an issue where setting a low timeout value disrupted the environment's operations that relied on the metadata server.

DAG UI now correctly generates error messages about malformed serialized DAG.

(Airflow 2.10.5) The apache-airflow-providers-google package was upgraded to version 17.2.0 in Cloud Composer 2 images and Cloud Composer 3 builds.

For more information about changes, see the apache-airflow-providers-google changelog from version 17.1.0 to version 17.2.0.

(Airflow 2.10.5) CloudComposerDAGRunSensor is broken in the apache-airflow-providers-google package version 17.2.0. This package is used by Cloud Composer versions and builds with Airflow 2.10.5 available in this release. If your DAGs use this sensor, we recommend you postpone upgrading until the issue is resolved.

(Airflow 2.10.5) The apache-airflow-providers-cncf-kubernetes package was upgraded to version 10.8.0 from version 10.7.0. For changes in other packages, see the preinstalled packages changelog.

New images are available in Cloud Composer 2:

The following Cloud Composer versions and builds have reached their end of support period: composer-2.9.4-*, composer-3-airflow-2.9.1 builds from build.0 to build.7, and composer-3-airflow-2.7.3-build.16.

Cloud DNS

Alias records are available in GA.

This custom record type provides CNAME-like functionality at the zone apex, mapping the apex domain name to a canonical target.

Cloud Service Mesh

You can now configure traffic routing using Cloud Service Mesh service routing APIs between Cloud Run and Cloud Run, Google Kubernetes Engine, and Google Compute Engine services (GA).

Managed Cloud Service Mesh with a TD control plane in the Rapid release channel will start using proxy images with an internal Envoy version.

All features supported by Managed (TD) control planes are supported by this proxy. To identify which proxy version is used in a cluster, see Identify the proxy versions used in the cluster.

This release uses the version csm_istio_proxy_20250611.00_p0. More details about the proxy version can be found on the Versions page.

Cloud Storage

Object contexts are now available in Preview. Object contexts let you attach contextual information to your objects to help you manage and discover data.

Cloud VPN

Cloud VPN supports customizable cipher options for your VPN tunnels. You can configure ciphers as per your security requirements. This feature is Generally Available.

For more information, see Configure ciphers in Cloud VPN tunnel.

Compute Engine

Version 20250930.01 includes the following fixes for issues found in the plugin-based architecture. For more information about the plugin-based architecture, see Guest agent.

  • Fixes an issue where the networking module incorrectly added routes when ip_forwarding and target_instance_ips settings were disabled in /etc/default/instance_configs.cfg.
  • Prevents unnecessary error logs in the OS Login module caused by attempts to read a non-existent file.

Datastream

Datastream support for Salesforce as a source is now generally available (GA). For more information, see the documentation.

Generative AI on Vertex AI

DeepSeek-V3.2-Exp is available through Model Garden.

Google SecOps

Customize Events table columns in Search

You can now specify which columns appear in the Events table on the Search page and in tables within your dashboard widgets. Use the select and unselect keywords to define the displayed columns.

For more information, see Control columns using select and unselect keywords.

Google SecOps SIEM

Customize Events table columns in Search

You can now specify which columns appear in the Events table on the Search page and in tables within your dashboard widgets. Use the select and unselect keywords to define the displayed columns.

For more information, see Control columns using select and unselect keywords.

Guest Environment

Version 20250930.01 includes the following fixes for issues found in the plugin-based architecture. For more information about the plugin-based architecture, see Guest agent.

  • Fixes an issue where the networking module incorrectly added routes when ip_forwarding and target_instance_ips settings were disabled in /etc/default/instance_configs.cfg.
  • Prevents unnecessary error logs in the OS Login module caused by attempts to read a non-existent file.

Looker

The following features are coming soon for use with Conversational Analytics:

Network Intelligence Center

The following insight types and subtypes are no longer supported in Network Analyzer:

  • Recommender insight type and subtypes:
    • google.networkanalyzer.managedservices.cloudSqlInsight, including BLOCKED_BY_EGRESS_FIREWALL, BLOCKED_BY_ROUTING_ISSUE, and INSTANCE_NOT_RUNNING
    • CONTROL_PLANE_TO_NODE_BLOCKED_BY_INGRESS_FIREWALL
    • CONTROL_PLANE_TO_NODE_BLOCKED_BY_ROUTING_ISSUE
    • EXTERNAL_IP_UNASSIGNED
    • MISSING_ROUTES_TO_GOOGLE_APIS_AND_SERVICES
    • PRIVATE_GOOGLE_ACCESS_DISABLED
  • Cloud Logging insight types:
    • CLOUD_SQL_PRIVATE_IP_BLOCKED_BY_EGRESS_FIREWALL
    • CLOUD_SQL_PRIVATE_IP_BLOCKED_BY_ROUTING_ISSUE
    • CLOUD_SQL_PRIVATE_IP_INSTANCE_NOT_RUNNING
    • GKE_CONTROL_PLANE_TO_NODE_BLOCKED_BY_INGRESS_FIREWALL_ON_NODE
    • GKE_CONTROL_PLANE_TO_NODE_BLOCKED_BY_ROUTING_ISSUE

Spanner

A monthly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.85.0 (2025-08-28)

Features
  • spanner: Enable multiplex sessions by default for all operations (#12734) (0491ba6)
Performance Improvements
  • spanner: Improve mutationProto allocations and performance (#12740) (2a4add5)

1.85.1 (2025-09-12)

Bug Fixes
  • spanner: Disable afe_connectivity_error_count metric (#12866) (baab714)
Documentation
  • spanner: A comment for enum Kind is changed (51583bd)
  • spanner: A comment for enum Priority is changed (51583bd)
  • spanner: A comment for enum value LOCK_HINT_EXCLUSIVE in enum LockHint is changed (51583bd)
  • spanner: A comment for enum value LOCK_HINT_UNSPECIFIED in enum LockHint is changed (51583bd)
  • spanner: A comment for enum value ORDER_BY_PRIMARY_KEY in enum OrderBy is changed (51583bd)
  • spanner: A comment for enum value ORDER_BY_UNSPECIFIED in enum OrderBy is changed (51583bd)
  • spanner: A comment for enum value PROFILE in enum QueryMode is changed (51583bd)
  • spanner: A comment for enum value SERIALIZABLE in enum IsolationLevel is changed (51583bd)
  • spanner: A comment for field approximate_last_use_time in message .google.spanner.v1.Session is changed (51583bd)
  • spanner: A comment for field auto_failover_disabled in message .google.spanner.v1.DirectedReadOptions is changed (51583bd)
  • spanner: A comment for field columns in message .google.spanner.v1.Mutation is changed (51583bd)
  • spanner: A comment for field data_boost_enabled in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field data_boost_enabled in message .google.spanner.v1.ReadRequest is changed (51583bd)
  • spanner: A comment for field exclude_replicas in message .google.spanner.v1.DirectedReadOptions is changed (51583bd)
  • spanner: A comment for field exclude_txn_from_change_streams in message .google.spanner.v1.BatchWriteRequest is changed (51583bd)
  • spanner: A comment for field include_replicas in message .google.spanner.v1.DirectedReadOptions is changed (51583bd)
  • spanner: A comment for field index in message .google.spanner.v1.PlanNode is changed (51583bd)
  • spanner: A comment for field insert_or_update in message .google.spanner.v1.Mutation is changed (51583bd)
  • spanner: A comment for field key_set in message .google.spanner.v1.Mutation is changed (51583bd)
  • spanner: A comment for field key_set in message .google.spanner.v1.PartitionReadRequest is changed (51583bd)
  • spanner: A comment for field key_set in message .google.spanner.v1.ReadRequest is changed (51583bd)
  • spanner: A comment for field kind in message .google.spanner.v1.PlanNode is changed (51583bd)
  • spanner: A comment for field last_statement in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field last_statements in message .google.spanner.v1.ExecuteBatchDmlRequest is changed (51583bd)
  • spanner: A comment for field limit in message .google.spanner.v1.ReadRequest is changed (51583bd)
  • spanner: A comment for field location in message .google.spanner.v1.DirectedReadOptions is changed (51583bd)
  • spanner: A comment for field max_commit_delay in message .google.spanner.v1.CommitRequest is changed (51583bd)
  • spanner: A comment for field max_partitions in message .google.spanner.v1.PartitionOptions is changed (51583bd)
  • spanner: A comment for field multiplexed in message .google.spanner.v1.Session is changed (51583bd)
  • spanner: A comment for field mutation_key in message .google.spanner.v1.BeginTransactionRequest is changed (51583bd)
  • spanner: A comment for field optimizer_statistics_package in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field optimizer_version in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field order_by in message .google.spanner.v1.ReadRequest is changed (51583bd)
  • spanner: A comment for field param_types in message .google.spanner.v1.ExecuteBatchDmlRequest is changed (51583bd)
  • spanner: A comment for field param_types in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field param_types in message .google.spanner.v1.PartitionQueryRequest is changed (51583bd)
  • spanner: A comment for field params in message .google.spanner.v1.ExecuteBatchDmlRequest is changed (51583bd)
  • spanner: A comment for field params in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field params in message .google.spanner.v1.PartitionQueryRequest is changed (51583bd)
  • spanner: A comment for field partition_size_bytes in message .google.spanner.v1.PartitionOptions is changed (51583bd)
  • spanner: A comment for field partition_token in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field partition_token in message .google.spanner.v1.Partition is changed (51583bd)
  • spanner: A comment for field partition_token in message .google.spanner.v1.ReadRequest is changed (51583bd)
  • spanner: A comment for field plan_nodes in message .google.spanner.v1.QueryPlan is changed (51583bd)
  • spanner: A comment for field precommit_token in message .google.spanner.v1.CommitRequest is changed (51583bd)
  • spanner: A comment for field precommit_token in message .google.spanner.v1.ExecuteBatchDmlResponse is changed (51583bd)
  • spanner: A comment for field ranges in message .google.spanner.v1.KeySet is changed (51583bd)
  • spanner: A comment for field replace in message .google.spanner.v1.Mutation is changed (51583bd)
  • spanner: A comment for field request_options in message .google.spanner.v1.BeginTransactionRequest is changed (51583bd)
  • spanner: A comment for field request_tag in message .google.spanner.v1.RequestOptions is changed (51583bd)
  • spanner: A comment for field return_commit_stats in message .google.spanner.v1.CommitRequest is changed (51583bd)
  • spanner: A comment for field seqno in message .google.spanner.v1.ExecuteBatchDmlRequest is changed (51583bd)
  • spanner: A comment for field seqno in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field session_count in message .google.spanner.v1.BatchCreateSessionsRequest is changed (51583bd)
  • spanner: A comment for field session_template in message .google.spanner.v1.BatchCreateSessionsRequest is changed (51583bd)
  • spanner: A comment for field short_representation in message .google.spanner.v1.PlanNode is changed (51583bd)
  • spanner: A comment for field single_use_transaction in message .google.spanner.v1.CommitRequest is changed (51583bd)
  • spanner: A comment for field sql in message .google.spanner.v1.PartitionQueryRequest is changed (51583bd)
  • spanner: A comment for field transaction in message .google.spanner.v1.ExecuteSqlRequest is changed (51583bd)
  • spanner: A comment for field transaction in message .google.spanner.v1.PartitionQueryRequest is changed (51583bd)
  • spanner: A comment for field transaction_tag in message .google.spanner.v1.RequestOptions is changed (51583bd)
  • spanner: A comment for field values in message .google.spanner.v1.Mutation is changed (51583bd)
  • spanner: A comment for field variable in message .google.spanner.v1.PlanNode is changed (51583bd)
  • spanner: A comment for message DirectedReadOptions is changed (51583bd)
  • spanner: A comment for message Mutation is changed (51583bd)
  • spanner: A comment for message PartitionOptions is changed (51583bd)
  • spanner: A comment for message PlanNode is changed (51583bd)
  • spanner: A comment for method BatchWrite in service Spanner is changed (51583bd)
  • spanner: A comment for method Commit in service Spanner is changed (51583bd)
  • spanner: A comment for method CreateSession in service Spanner is changed (51583bd)
  • spanner: A comment for method DeleteSession in service Spanner is changed (51583bd)
  • spanner: A comment for method ExecuteSql in service Spanner is changed (51583bd)
  • spanner: A comment for method ExecuteStreamingSql in service Spanner is changed (51583bd)
  • spanner: A comment for method GetSession in service Spanner is changed (51583bd)
  • spanner: A comment for method PartitionQuery in service Spanner is changed (51583bd)
  • spanner: A comment for method PartitionRead in service Spanner is changed (51583bd)
  • spanner: A comment for method Read in service Spanner is changed (51583bd)
  • spanner: A comment for method Rollback in service Spanner is changed (51583bd)

Java

Changes for google-cloud-spanner

6.99.0 (2025-08-26)

Features
  • Support read lock mode for R/W transactions (#4010) (7d752d6)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.0 (52c68db)
  • GetCommitResponse() should return error if tx has not committed (#4021) (a2c179f)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.0 (#4024) (7e3294f)

6.100.0 (2025-09-11)

Features
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.1 (e9773a7)
  • Disable afe_connectivity_error_count metric (#4041) (f89c1c0)
  • Skip session delete in case of multiplexed sessions (#4029) (8bcb09d)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#4034) (13bfa7c)
Documentation
  • A comment for field ranges in message .google.spanner.v1.KeySet is changed (e9773a7)

6.101.1 (2025-09-26)

Bug Fixes
  • Potential NullPointerException in LocalConnectionChecker (#4092) (3b9f597)

6.101.0 (2025-09-26)

Features
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.2 (8d6cbf6)
  • Potential NullPointerException in Value#hashCode (#4046) (74abb34)
  • Recalculate remaining statement timeout after retry (#4053) (5e26596)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.2 (#4057) (d782aff)

Node.js

Changes for @google-cloud/spanner

8.2.0 (2025-08-26)

Features
  • spanner: Add support for multiplexed session for r/w transactions (#2351) (6a9f1a2)
  • spanner: Support setting read lock mode (#2388) (bd66f61)
Bug Fixes
  • deps: Add uuid to dependencies (#2376) (0b2060b)
  • deps: Update dependency @grpc/proto-loader to ^0.8.0 (#2354) (75dc4da)
  • deps: Update dependency google-gax to v5.0.1 (#2362) (9223470)
  • Provide option to disable built in metrics (#2380) (b378e2e)
  • Race condition among transactions when running parallely (#2369) (f8b6f63)

8.2.1 (2025-09-12)

Bug Fixes
  • deps: Update dependency google-gax to v5.0.3 (#2371) (8a175e2)
  • Disable afe_connectivity_error_count metric (af72d70)

Text-to-Speech

Gemini-TTS is generally available (GA) and provides support for 30 voices and over 70 locales. You can synthesize single or multi-speaker speech from short snippets to long-form narratives. You can precisely dictate style, accent, pace, tone, and even emotional expression using natural-language prompts.

For more information, see Gemini TTS. Give it a try in Media Studio.

Vertex AI

DeepSeek-V3.2-Exp is available through Model Garden.

September 29, 2025

AlloyDB for PostgreSQL

The alloydb_scann extension version 0.1.3 is updated to include the following vector search improvements (in Preview):

Apigee hybrid

hybrid v1.14.3

On September 29, 2025 we released an updated version of the Apigee hybrid software, 1.14.3.

| Bug ID | Description |
|---|---|
| 423597917 | Post of an AppGroupAppKey scopes should result in insert operation instead of update. |
| 420675540 | Fixed Cassandra based replication for runtime contracts in synchronizer. |
| 416634326 | Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods. |
| 414499328 | ApigeeTelemetry could become stuck in creating state. |
| 412740465 | Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway. |
| 409048431 | Fixes a vulnerability which could allow a SAML signature verification to be bypassed. |
| 395272878 | Separate Forward proxy support for googleapis.com and non-googleapis.com runtime traffic. |
| 378686709 | The use of wildcards (*) in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error. To apply this fix, follow the procedure in Known issue 378686709. |
| 367815792 | Two new Flow Variables: app_group_app and app_group_name have been added to VerifyApiKey and Access Token policy. |

| Bug ID | Description |
|---|---|
| 433952146 | Security fix. This addresses the following vulnerability: |
| 433951774 | Security fix. This addresses the following vulnerability: |
| 433950558 | Security fix. This addresses the following vulnerability: |
| 433950370 | Security fix. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-asm-ingress. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-asm-istiod. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-envoy. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-hybrid-cassandra-client. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-mart-server. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-operators. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-stackdriver-logging-agent. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-watcher. This addresses the following vulnerability: |

BigQuery

To simplify access management for your Iceberg tables, you can use credential vending mode with the Apache Iceberg REST catalog in BigLake metastore. Credential vending removes the need for catalog users to have direct access to Cloud Storage buckets. This feature is in Preview.

You can now create BigQuery non-incremental materialized views over Spanner data to improve query performance by periodically caching results. This feature is in Preview.

BigQuery data preparation supports unnesting arrays, which expands each array element into its own row for easier analysis. For more information, see Unnest arrays. This feature is generally available (GA).

History-based query optimizations are now enabled by default. If history-based optimizations have been previously disabled, you can re-enable history-based optimizations for your project or organization.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.67.0 (2025-09-24)

Features
Bug Fixes
  • Add missing break; to PROTO and ENUM value type check (#2672) (337e432)
  • Remove beta api annotation for query paginator (#2660) (f68a1fa)
Dependencies

Cloud Build

Developer Connect build triggers are now generally available.

You can now create build triggers that build from repositories connected to Developer Connect using the Google Cloud Console, gcloud, the Cloud Build API, and Terraform.

Cloud SQL for MySQL

Cloud SQL for PostgreSQL

Cloud SQL for SQL Server

Cloud Scheduler

VPC Service Controls support for Cloud Scheduler jobs has been extended to Google Cloud APIs that are VPC Service Controls-compliant. For more information, see Secure cron jobs with VPC Service Controls.

Cloud Service Mesh

CNI/managed data plane controller version 1.23.6-asm.15 is rolling out to all release channels.

| CVE | CNI | MDP Controller |
|---|---|---|
| CVE-2025-4802 | Yes | Yes |
| CVE-2023-29383 | Yes | Yes |
| CVE-2024-56406 | Yes | Yes |
| CVE-2023-7008 | Yes | Yes |
| CVE-2025-1377 | Yes | Yes |
| CVE-2023-4039 | Yes | Yes |
| CVE-2025-46836 | Yes | Yes |
| CVE-2023-50495 | Yes | Yes |
| CVE-2025-4598 | Yes | Yes |
| CVE-2025-3576 | Yes | Yes |
| CVE-2025-30258 | Yes | Yes |
| CVE-2017-11164 | Yes | Yes |
| CVE-2022-41409 | Yes | Yes |
| CVE-2025-1372 | Yes | Yes |
| CVE-2022-27943 | Yes | Yes |
| CVE-2022-4899 | Yes | Yes |
| CVE-2023-34969 | Yes | Yes |
| CVE-2023-45918 | Yes | Yes |

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for storage/internal/apiv2

1.57.0 (2025-09-23)

Features
  • storage/control: Add new GetIamPolicy, SetIamPolicy, and TestIamPermissions RPCs (d73f912)
  • storage: Post support dynamic key name (#12677) (9e761f9)
  • storage: WithMeterProvider allows custom meter provider configuration (#12668) (7f574b0)
Bug Fixes
Performance Improvements

Java

Changes for google-cloud-storage

2.58.0 (2025-09-23)

Features
  • storagecontrol: Add GetIamPolicy, SetIamPolicy, and TestIamPermissions RPCs (c884551)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.2 (984f8ca)
  • Fix appendable upload finalization race condition (#3295) (485be18)
  • Fix IllegalMonitorStateException thrown from BlobAppendableUpload.isOpen() (#3302) (aa90468)
  • Update object context diff logic to be shallow rather than deep (#3287) (2fd15f6)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.2 (#3298) (1489f3a)
  • Update googleapis/sdk-platform-java action to v2.62.2 (#3299) (c3b05ac)

Container Optimized OS

cos-beta-125-19216-0-62

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.12.46 | v27.5.1 | v2.1.3 | See List |

Updated app-admin/node-problem-detector to v0.8.21.

Updated golang.org/x/oauth2, golang.org/x/net, golang.org/x/crypto, and github.com/golang-jwt/jwt/v5 in Docker.

Fixed CVE-2025-39882 in the Linux kernel.

Fixed KCTF-0aeb54a in the Linux kernel.

Fixed CVE-2025-39884 in the Linux kernel.

Fixed CVE-2025-40300 in the Linux kernel.

Fixed CVE-2025-39881 in the Linux kernel.

Fixed CVE-2025-39883 in the Linux kernel.

cos-dev-129-19290-0-0

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.12.48 | v27.5.1 | v2.1.3 | See List |

Updated the Linux kernel to v6.12.48.

Added CPU balloon support for ARM CPUs.

Added support for the fwctl subsystem and the Mellanox fwctl driver for ARM64.

Upgraded sys-auth/pambase to v20250906.

Upgraded app-admin/google-guest-configs to v20250913.00.

Upgraded dev-libs/expat to v2.7.2.

Updated golang.org/x/oauth2, golang.org/x/net, golang.org/x/crypto, and github.com/golang-jwt/jwt/v5 in Docker.

cos-117-18613-339-77

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.6.105 | v24.0.9 | v1.7.28 | See List |

Updated golang.org/x/crypto, golang.org/x/net, golang.org/x/oauth2, and github.com/golang-jwt/jwt/v4 in Docker.

Updated dev-python/jinja to v3.1.6. This resolves CVE-2024-56326, CVE-2024-56201 and CVE-2025-27516.

Fixed KCTF-0aeb54a in the Linux kernel.

Fixed CVE-2025-39881 in the Linux kernel.

Fixed CVE-2025-39883 in the Linux kernel.

Fixed CVE-2025-40300 in the Linux kernel.

cos-113-18244-448-58

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.1.151 | v24.0.9 | v1.7.27 | See List |

Added support for NVIDIA driver v580.82.07. Updated all latest driver versions and default driver versions for NVIDIA_B200 to v580.82.07.

Updated dev-python/jinja to v3.1.6. This resolves CVE-2024-56326, CVE-2024-56201 and CVE-2025-27516.

Fixed KCTF-0aeb54a in the Linux kernel.

Fixed CVE-2025-39881 in the Linux kernel.

Fixed CVE-2025-39883 in the Linux kernel.

Fixed CVE-2025-40300 in the Linux kernel.

cos-121-18867-199-80

| Kernel | Docker | Containerd | GPU Drivers |
|---|---|---|---|
| COS-6.6.105 | v27.5.1 | v2.0.6 | See List |

Updated golang.org/x/oauth2, golang.org/x/net, golang.org/x/crypto, and github.com/golang-jwt/jwt/v5 in Docker.

Updated dev-python/jinja to v3.1.6. This resolves CVE-2024-56326, CVE-2024-56201 and CVE-2025-27516.

Fixed KCTF-0aeb54a in the Linux kernel.

Fixed CVE-2025-39881 in the Linux kernel.

Fixed CVE-2025-39883 in the Linux kernel.

Fixed CVE-2025-40300 in the Linux kernel.

Dataplex

Column-level lineage is generally available (GA). The feature provides a granular view of your data by tracking the flow between individual columns within tables. You can perform functions such as root cause analysis, impact analysis, and data source verification for specific columns. Column-level lineage is only supported for BigQuery jobs. For more information about column-level lineage, see Column-level lineage.

Google Kubernetes Engine

(2025-R40) Version updates

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2599000
    • 1.28.15-gke.2697000
    • 1.29.15-gke.1820000
    • 1.29.15-gke.1936000
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1083000
    • 1.32.8-gke.1108000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2610000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2610000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1835000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

To improve security and workload isolation, GKE has introduced a new, dedicated service agent for logging and monitoring of GKE nodes on clusters running version 1.33 and later. For more information, see GKE service agents.

What's changing?

GKE will now use the following service agent for logging and monitoring on your nodes:

service-{PROJECT_NUMBER}@gcp-sa-gkenode.iam.gserviceaccount.com

This service agent has the minimal permissions GKE needs to operate nodes, which are included in the roles/container.defaultNodeServiceAgent IAM role.

Using a dedicated service agent helps to isolate the requirements of GKE-managed workloads from your own workloads.

What's the impact?

  • This change affects only GKE system workloads, which will now use the new service agent for their logging and monitoring capabilities. Your own workloads are not impacted.
  • You might notice missing logs or metrics for your nodes if the new service agent doesn't have the necessary permissions.

What do I need to do?

In the vast majority of cases, no action is needed, because the roles/container.defaultNodeServiceAgent role has been automatically granted to the new GKE node service agent in your cluster project.

However, you need to re-apply the roles/container.defaultNodeServiceAgent role to the new service agent in the following scenarios:

  • You have automation that might have removed this role.
  • You notice missing logs or metrics for your nodes.

You can find the full list of permissions for this role in the IAM documentation.

(2025-R40) Version updates

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1150000
    • 1.33.4-gke.1245000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1267000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1350000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1267000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1350000 with this release.

(2025-R40) Version updates

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1083000
    • 1.32.8-gke.1108000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.33.4-gke.1172000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

(2025-R40) Version updates

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.14-gke.1036000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.14-gke.1059000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.

(2025-R40) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1150000
    • 1.33.4-gke.1245000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1267000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1350000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1267000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1350000 with this release.

Regular channel

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1083000
    • 1.32.8-gke.1108000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.33.4-gke.1172000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

Stable channel

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.14-gke.1036000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.14-gke.1059000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.

Extended channel

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2599000
    • 1.28.15-gke.2697000
    • 1.29.15-gke.1820000
    • 1.29.15-gke.1936000
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1083000
    • 1.32.8-gke.1108000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2610000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2610000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1835000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1134000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

No channel

Oracle Database@Google Cloud

For Exadata Database Service, Oracle Database@Google Cloud supports region australia-southeast2 (Melbourne, Australia).

For a full list of supported locations, see Regional availability.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-pubsub

1.141.5 (2025-09-24)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.2 (c02d304)
Dependencies
  • Update actions/checkout action to v5 (#2539) (83144e6)
  • Update actions/github-script action to v8 (#2542) (0e6f0da)
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.55.0 (#2553) (15b9e66)
  • Update dependency com.google.cloud:google-cloud-core to v2.60.1 (#2543) (fbb45ce)
  • Update dependency com.google.cloud:google-cloud-storage to v2.57.0 (#2547) (133f8c7)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.2 (#2558) (0623ac5)
  • Update dependency com.google.protobuf:protobuf-java-util to v4.32.1 (#2551) (49722cb)
  • Update googleapis/sdk-platform-java action to v2.62.2 (#2559) (3f1d901)

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

2.1.0 (2025-09-25)

Features

Spanner

You can now create BigQuery non-incremental materialized views over Spanner data to improve query performance by periodically caching results. This feature is in Preview.

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.86.0 (2025-09-26)

Features
  • spanner: Support "readOnly" column tag parsing for Go struct operations (#12895) (003abca)
Bug Fixes

September 28, 2025

Google SecOps

Forwarder component: end-of-life and migration

The forwarder component is being phased out of the Google SecOps platform and will reach end-of-life (EOL) in January 2027. This change will impact all data collection pipelines that currently use the forwarder.

Action required: If you're currently using the forwarder component, you must migrate your data collection workflows to an alternative mechanism before April 1, 2027. You'll need to use another data pipeline management application for log ingestion.

We recommend that you migrate to the Bindplane OpenTelemetry (OTel) collector, which provides a scalable, open-standard solution for log and metric ingestion.

The following are key dates to note:

  • Apr 1, 2026: New Google SecOps customers cannot use the forwarder component.
  • Jan 1, 2027: The forwarder is officially EOL. No further patches, including security patches, will be released.
  • Apr 1, 2027: Data is no longer allowed to be ingested from the forwarder component.

Update CrowdStrike API permissions before decommission

CrowdStrike is decommissioning its Detects API on September 30, 2025. This API has been replaced by the Alerts API. To ensure that your data feeds continue without interruption, you may need to update your API permissions.

This change impacts you if your Google SecOps tenant meets both of the following conditions:

  • You use the CrowdStrike Detection Monitoring API connector, which ingests the CS_DETECTS log type.
  • The CrowdStrike API client configured for that feed lacks the Read permission for alerts.

To prevent disruption to your CrowdStrike data ingestion, you must update your API client permissions before September 30, 2025. Follow the instructions in Migrate from CrowdStrike Detects API to Alerts API to migrate your configuration to use the Alerts API.

For more details, see CrowdStrike’s official decommissioning notice.

Podman support for Remote Agents

You can now install a Remote Agent using Podman. This new functionality provides a streamlined deployment workflow—a lightweight alternative to existing installation methods. For details, see Deploy an agent with Podman.

Debian support for remote agents

You can now install a Remote Agent using Debian. This new functionality provides a streamlined deployment workflow—an alternative to existing installation methods. For details, see Deploy an agent with Debian.

Remote Agent, Release 2.5.0 contains the following changes:

Increased Alert Trimming limit for Remote Agent

The default setting for Alert Trimming has been increased to 25 MB.

Publisher Connector package size limit enforced

The maximum allowed size for a Publisher's Connector Package is now limited to 25 MB.

Google SecOps SIEM

Forwarder component: end-of-life and migration

The forwarder component is being phased out of the Google SecOps platform and will reach end-of-life (EOL) in January 2027. This change will impact all data collection pipelines that currently use the forwarder.

Action required: If you're currently using the forwarder component, you must migrate your data collection workflows to an alternative mechanism before April 1, 2027. You'll need to use another data pipeline management application for log ingestion.

We recommend that you migrate to the Bindplane OpenTelemetry (OTel) collector, which provides a scalable, open-standard solution for log and metric ingestion.

The following are key dates to note:

  • Apr 1, 2026: New Google SecOps customers cannot use the forwarder component.
  • Jan 1, 2027: The forwarder is officially EOL. No further patches, including security patches, will be released.
  • Apr 1, 2027: Data is no longer allowed to be ingested from the forwarder component.

Update CrowdStrike API permissions before decommission

CrowdStrike is decommissioning its Detects API on September 30, 2025. This API has been replaced by the Alerts API. To ensure that your data feeds continue without interruption, you may need to update your API permissions.

This change impacts you if your Google SecOps tenant meets both of the following conditions:

  • You use the CrowdStrike Detection Monitoring API connector, which ingests the CS_DETECTS log type.
  • The CrowdStrike API client configured for that feed lacks the Read permission for alerts.

To prevent disruption to your CrowdStrike data ingestion, you must update your API client permissions before September 30, 2025. Follow the instructions in Migrate from CrowdStrike Detects API to Alerts API to migrate your configuration to use the Alerts API.

For more details, see CrowdStrike’s official decommissioning notice.

Podman support for Remote Agents

You can now install a Remote Agent using Podman. This new functionality provides a streamlined deployment workflow—a lightweight alternative to existing installation methods. For details, see Deploy an agent with Podman.

Debian support for remote agents

You can now install a Remote Agent using Debian. This new functionality provides a streamlined deployment workflow—an alternative to existing installation methods. For details, see Deploy an agent with Debian.

Remote Agent, Release 2.5.0 contains the following changes:

Increased Alert Trimming limit for Remote Agent

The default setting for Alert Trimming has been increased to 25 MB.

Publisher Connector package size limit enforced

The maximum allowed size for a Publisher's Connector Package is now limited to 25 MB.

Release 6.3.62 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.

This release contains the following changes:

Podman support for Remote Agents

You can now install a Remote Agent using Podman. This new functionality provides a streamlined deployment workflow—a lightweight alternative to existing installation methods.

For more information, see Deploy an agent with Podman.

Deploy an agent with Debian

You can now install a Remote Agent using Debian. This new functionality provides a streamlined deployment workflow—an alternative to existing installation methods.

For more information, see Deploy an agent with Debian.

Remote Agent, Release 2.5.0 contains the following changes:

Increased Alert Trimming limit for Remote Agent

The default setting for Alert Trimming has been increased to 25 MB.

Publisher Connector package size limit enforced

The maximum allowed size for a Publisher's Connector Package is now limited to 25 MB.

Google SecOps SOAR

Release 6.3.62 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.

This release contains the following changes:

Podman support for Remote Agents

You can now install a Remote Agent using Podman. This new functionality provides a streamlined deployment workflow—a lightweight alternative to existing installation methods.

For more information, see Deploy an agent with Podman.

Deploy an agent with Debian

You can now install a Remote Agent using Debian. This new functionality provides a streamlined deployment workflow—an alternative to existing installation methods.

For more information, see Deploy an agent with Debian.

Remote Agent, Release 2.5.0 contains the following changes:

Increased Alert Trimming limit for Remote Agent

The default setting for Alert Trimming has been increased to 25 MB.

Publisher Connector package size limit enforced

The maximum allowed size for a Publisher's Connector Package is now limited to 25 MB.

September 27, 2025

Google SecOps

Use joins in YARA-L Search queries

These changes are currently in Preview.

You can now use joins in statistical Search queries that include a match section to correlate data from multiple sources. This feature lets you link related sources directly within a single query.

For more information, see Use joins in Search.

Google SecOps SIEM

Use joins in YARA-L Search queries

These changes are currently in Preview.

You can now use joins in statistical Search queries that include a match section to correlate data from multiple sources. This feature lets you link related sources directly within a single query.

For more information, see Use joins in Search.

Release 6.3.61 is now available for all regions.

Google SecOps SOAR

Release 6.3.61 is now available for all regions.

Security Command Center

Model Armor limits the maximum input size for files and text to 4 MB, automatically skipping any content that exceeds this threshold.

September 26, 2025

Access Approval

Memorystore for Redis Cluster is generally available (GA).

Memorystore for Valkey is generally available (GA).

Access Transparency

Memorystore for Redis Cluster is generally available (GA).

Memorystore for Valkey is generally available (GA).

Compute Engine

Version 20250926.00 of the guest agent is now available. This guest agent version introduces the plugin-based architecture to Debian 12.

For more information about the plugin-based architecture, see Guest agent.

Document AI

Capacity reservation is available for Document AI in preview. This lets you grant capacity to selected processors and maintain a steady real-time, high-volume processing flow for document processing requests.

For the necessary steps, read make a capacity reservation request.

Gemini Enterprise

Google Agentspace: Manage image and video generation on the web app

By default, image and video generation are enabled in the Agentspace web app. To turn off these features, admins must navigate to the Configurations > Feature Management tab, and turn off the Enable video generation and Enable image generation options.

Google Cloud VMware Engine

VMware Engine ve2 nodes are now available in the following additional region:

  • Doha, Qatar (me-central1, v-zone-a)

Guest Environment

Version 20250926.00 of the guest agent is now available. This guest agent version introduces the plugin-based architecture to Debian 12.

For more information about the plugin-based architecture, see Guest agent.

Identity and Access Management

For Privileged Access Manager, notification emails for grant activation, activation failure, or denial no longer include approver details.

To learn how to view the approver details, see Check grant status.

NetApp Volumes

Selective file restore feature is now generally available for Google Cloud NetApp Volumes, supporting the Standard, Premium, and Extreme service levels. For more information, see Selective file restore.

Virtual Private Cloud

The following features of VPC Flow Logs are available in General Availability:

For more information, see About VPC Flow Logs records.

September 25, 2025

Access Approval

Cloud TPU is generally available (GA).

Access Transparency

Cloud TPU is generally available (GA).

BigQuery

The ARRAY_FIRST, ARRAY_LAST, and ARRAY_SLICE GoogleSQL functions are now generally available (GA).

BigQuery data canvas now supports destination table nodes. Destination table nodes let you persist query results to a new or existing table. This feature is generally available (GA).

Cloud SQL for MySQL

Cloud SQL for MySQL now supports minor version 8.0.43. To upgrade your existing instance to the new version, see Upgrade the database minor version.

Cloud SQL for PostgreSQL

Cloud SQL Managed Connection Pooling is now generally available (GA). Managed Connection Pooling lets you scale your workloads by optimizing resource utilization for Cloud SQL instances using pooling. You can now also use IAM authentication to secure connections when using Managed Connection Pooling.

For more information, see Managed Connection Pooling overview.

Cloud Service Mesh

Support for the following features will end on March 17, 2027:

Note that there are no changes to the other features of GKE attached clusters or Google Distributed Cloud (software only or air-gapped).

You must migrate to an alternative service mesh solution or an alternative Istio-based solution using your existing CSM configuration files by March 17, 2027.

Generative AI on Vertex AI

New preview models for Gemini 2.5 Flash and 2.5 Flash-Lite are now available. These models are available at the following versioned endpoints:

  • gemini-2.5-flash-preview-09-2025
  • gemini-2.5-flash-lite-preview-09-2025

Google Cloud Contact Center as a Service

Web SDK version 2 will be shut down on June 26, 2026

On June 26, 2025, we announced the launch of Web SDK version 3. Starting on June 26, 2026, the web SDK v2 will no longer function. Be sure to update your website to use the web SDK v3 before that date to avoid breaking your integration with the web SDK. We are no longer adding new features to the web SDK v2.

Google Kubernetes Engine

You can now let GKE auto-create node pools with ComputeClasses without having to enable node auto-provisioning for the entire cluster. This provides more granular control over auto-created node pools, enabling you to target specific workloads and optimize resource usage. For more information, see Node auto-provisioning and ComputeClasses.

To use this feature, your cluster must meet both of the following requirements:

  • Enrolled in the Rapid release channel.
  • Running GKE version 1.33.3-gke.1136000 or later.

GKE Standard clusters now support Autopilot features, including the container-optimized compute platform and fully managed nodes, letting you use Autopilot's advantages without migrating to a dedicated Autopilot cluster. For more information, see Run Autopilot workloads in GKE Standard clusters.

To use these features, your cluster must meet the following requirements:

  • Enrolled in the Rapid release channel.
  • Running GKE version 1.33.1-gke.1107000 or later.

Issue with A4X machine type compatibility on certain GKE versions

Certain GKE versions are not compatible with the A4X machine type. The issue is that a Container-Optimized OS (COS) image that these GKE versions depend on was not built as a multi-architecture image. This incompatibility causes an exec format error on the Arm-based A4X machines. The issue affects GKE versions 1.33.2-gke.1377000 or later, and any versions earlier than 1.33.4-gke.1036000.

Google SecOps Marketplace

New Apache Kafka integration

Microsoft Azure Sentinel: Version 57.0

  • The following new job has been added:

    • Sync Incidents

Any.Run: Version 8.0

  • Updated the available privacy settings in the following actions:

    • Analyze URL

    • Analyze File URL

    • Analyze File

CrowdStrike Falcon: Version 64.0

  • Updated timeout handling in the following connector:

    • Crowdstrike Falcon - Streaming Events Connector
  • Integration: Updated authentication to support multi-tenancy execution.

Google Workspace: Version 21.0

  • Expanded capabilities of the following action:

    • List OU Of Account
  • Updated processing of the organization unit inside the following actions:

    • Block Extension

    • Delete Extension

    • List OU Of Account

Orca Security: Version 12.0

  • Integration: (REGRESSIVE) Updated to support the latest API version.

    Ontology has been updated. Overwrite current ontology mapping to align with the new API alert structure.

Google Chronicle: Version 65.0

  • Updated the filtering mechanism of the following action:

    • Get Data Tables

Google SecOps SIEM

New Apache Kafka integration

Microsoft Azure Sentinel: Version 57.0

  • The following new job has been added:

    • Sync Incidents

Any.Run: Version 8.0

  • Updated the available privacy settings in the following actions:

    • Analyze URL

    • Analyze File URL

    • Analyze File

CrowdStrike Falcon: Version 64.0

  • Updated timeout handling in the following connector:

    • Crowdstrike Falcon - Streaming Events Connector
  • Integration: Updated authentication to support multi-tenancy execution.

Google Workspace: Version 21.0

  • Expanded capabilities of the following action:

    • List OU Of Account
  • Updated processing of the organization unit inside the following actions:

    • Block Extension

    • Delete Extension

    • List OU Of Account

Orca Security: Version 12.0

  • Integration: (REGRESSIVE) Updated to support the latest API version.

    Ontology has been updated. Overwrite current ontology mapping to align with the new API alert structure.

Google Chronicle: Version 65.0

  • Updated the filtering mechanism of the following action:

    • Get Data Tables

Google SecOps SOAR

New Apache Kafka integration

Microsoft Azure Sentinel: Version 57.0

  • The following new job has been added:

    • Sync Incidents

Any.Run: Version 8.0

  • Updated the available privacy settings in the following actions:

    • Analyze URL

    • Analyze File URL

    • Analyze File

CrowdStrike Falcon: Version 64.0

  • Updated timeout handling in the following connector:

    • Crowdstrike Falcon - Streaming Events Connector
  • Integration: Updated authentication to support multi-tenancy execution.

Google Workspace: Version 21.0

  • Expanded capabilities of the following action:

    • List OU Of Account
  • Updated processing of the organization unit inside the following actions:

    • Block Extension

    • Delete Extension

    • List OU Of Account

Orca Security: Version 12.0

  • Integration: (REGRESSIVE) Updated to support the latest API version.

    Ontology has been updated. Overwrite current ontology mapping to align with the new API alert structure.

Google Chronicle: Version 65.0

  • Updated the filtering mechanism of the following action:

    • Get Data Tables

Looker Studio

Table charts support up to 10 sort fields

Report editors can now configure up to 10 sort fields for table charts.

Learn more about configuring sort fields for table charts.

Looker connector enhancements

Looker data sources now display the names of fields without their prepended view names. Fields are now nested under their corresponding views.

Learn more about how Looker Explore data appears in Looker Studio.

User interface change: "Add quick filter" is now "Add filter"

We've made a wording change to the filter bar in the report editor. The button label that previously said "Add quick filter" is now "Add filter." The functionality of quick filters hasn't changed. Learn more about quick filters.

Partner connection launch update

The following partner connectors have been added to the Looker Studio Connector Gallery:

The following partner connectors were released during the week of Sep 15, 2025:

Spanner

The Cassandra interface for Spanner is now generally available. The Cassandra interface lets you take advantage of Spanner's fully managed, scalable, and highly available infrastructure using familiar Cassandra tools and syntax. For more information, see Cassandra interface, Migrate from Cassandra to Spanner, and Connect to Spanner using the Cassandra interface.

Virtual Private Cloud

The following features of VPC Flow Logs are available in General Availability through the Network Management API:

For more information, see Supported configurations.

September 24, 2025

AlloyDB for PostgreSQL

You can create and manage query plan patches. Query plan patches let you specify the details of the execution plan of your queries. This feature is generally available (GA).

Apigee UI

On September 24, 2025, we released an updated version of Apigee.

ApigeeBackendService for the Apigee Operator for Kubernetes (GA)

The ApigeeBackendService resource for the Apigee Operator for Kubernetes is Generally Available (GA).

This new resource enables the integration of the Apigee Operator for Kubernetes with the Google Kubernetes Engine (GKE) Inference Gateway. The GKE Inference Gateway is an extension to the GKE Gateway that provides optimized routing and load balancing for serving generative Artificial Intelligence (AI) workloads. It simplifies the deployment, management, and observability of AI inference workloads.

With this new integration, GKE Inference Gateway users can now leverage Apigee's full suite of features to manage, govern and monetize their AI workload through APIs.

To learn more, see Create an ApigeeBackendService.

Apigee hybrid

Apigee Operator for Kubernetes for Apigee Hybrid (Preview)

On September 24, 2025, we released the Apigee Operator for Kubernetes for Apigee Hybrid 1.15.0 and newer.

The Apigee Operator for Kubernetes allows you to perform API management tasks, such as defining API products and operations, using Kubernetes tools. This preview release allows you to integrate this capability with your Apigee hybrid (v1.15.0 or newer) installation.

For more information, see:

BigQuery

BigQuery ML now supports visualization of model monitoring metrics. This feature lets you use charts and graphs to analyze model monitoring function output. You can use metric visualization with the ML.VALIDATE_DATA_SKEW and ML.VALIDATE_DATA_DRIFT functions. This feature is generally available (GA).

For command-line users, BigQuery is now integrated with the Gemini CLI to provide an agentic CLI experience. Using the dedicated Gemini CLI extensions for BigQuery, you can search, explore, analyze, and gain insights from your data by asking natural language questions, generating forecasts, and running contribution analysis directly from the command line. This feature is available in beta.

Cloud Run

Support for setting multiple environment variables using the .env file is in General Availability (GA). For more information, see Configure environment variables for services, jobs, and worker pools.

Cloud SQL for MySQL

Cloud SQL for MySQL 8.4.5 is upgraded to MySQL 8.4.6. For more information, see the MySQL 8.4.6 Release Notes.

Config Connector

Config Connector version 1.134.1 is now available.

Bug Fixes:

  • #5230: Fixed an issue that could lead to premature certificate rotation by ensuring errors are not swallowed when reading a Secret.
  • #5231: Add more verbose logging during certificate validation to assist with debugging.

Container Optimized OS

cos-beta-125-19216-0-53

  • Kernel: COS-6.12.46
  • Docker: v27.5.1
  • Containerd: v2.1.3
  • GPU Drivers: See List

Updated cos-gpu-installer to v2.5.7.

Added support for the fwctl subsystem and the Mellanox fwctl driver for ARM64.

Added support for NVIDIA driver v580.82.07. Updated all latest driver version and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.82.07.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Updated the Linux kernel to v6.12.46.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714.

Runtime sysctl changes:

  • Changed: fs.file-max: 811500 -> 811534

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

cos-117-18613-339-70

  • Kernel: COS-6.6.105
  • Docker: v24.0.9
  • Containerd: v1.7.28
  • GPU Drivers: See List

Updated cos-gpu-installer to v2.5.7.

Updated golang.org/x/crypto in google-osconfig-agent to v0.31.0.

Added support for NVIDIA driver v580.82.07. Updated all latest driver version and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.82.07.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Updated the Linux kernel to v6.6.105.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714.

Runtime sysctl changes:

  • Changed: fs.file-max: 811774 -> 811794

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

cos-113-18244-448-50

Kernel        Docker    Containerd   GPU Drivers
COS-6.1.151   v24.0.9   v1.7.27      See List

Updated cos-gpu-installer to v2.5.7.

Updated golang.org/x/crypto in google-guest-agent to v0.31.0.

Updated golang.org/x/crypto in google-osconfig-agent to v0.31.0.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Updated the Linux kernel to v6.1.151.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714.

Runtime sysctl changes:

  • Changed: fs.file-max: 811983 -> 812054

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

cos-dev-129-19284-0-0

Kernel        Docker    Containerd   GPU Drivers
COS-6.12.47   v27.5.1   v2.1.3       See List

Updated cos-gpu-installer to v2.5.7.

Updated the Linux kernel to v6.12.47.

Added support for NVIDIA driver v580.82.07. Updated the latest and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.82.07.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714, CVE-2025-32415 and CVE-2025-32414.

Runtime sysctl changes:

  • Changed: fs.file-max: 811423 -> 811483
  • Changed: net.ipv4.udp_mem: 188034 250715 376068 -> 188034 250714 376068

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

cos-109-17800-570-50

Kernel        Docker    Containerd   GPU Drivers
COS-6.1.151   v24.0.9   v1.7.27      See List

Updated cos-gpu-installer to v2.5.7.

Updated golang.org/x/crypto in google-osconfig-agent to v0.31.0.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Updated the Linux kernel to v6.1.151.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714.

Runtime sysctl changes:

  • Changed: fs.file-max: 812272 -> 812258

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

cos-121-18867-199-73

Kernel        Docker    Containerd   GPU Drivers
COS-6.6.105   v27.5.1   v2.0.6       See List

Updated cos-gpu-installer to v2.5.7.

Added support for NVIDIA driver v580.82.07. Updated the latest and default driver versions for NVIDIA_GB200 and NVIDIA_B200 to v580.82.07.

Upgraded dev-libs/libxslt to version 1.1.43-r1.

Upgraded dev-libs/libxml2 to version 2.13.9. This fixes CVE-2025-9714.

Runtime sysctl changes:

  • Changed: fs.file-max: 811710 -> 811752

Enabled Coherent Driver Memory Management by default when installing GPU drivers on GB2000.

Dataflow

For jobs that use GPUs, Dataflow now supports the flex-start provisioning model. This flex-start provisioning model can improve your ability to get access to constrained GPU resources for short-duration workloads. This feature is available in Preview and is for batch pipelines only. For more information, see Configure a provisioning model.

Eventarc

Eventarc Advanced support for publishing events from multiple projects is available in Preview.

Gemini Enterprise

Google Agentspace: Knowledge base filter for catalog entities in ServiceNow connectors (GA)

In your ServiceNow connectors, you can filter your knowledge base entities by catalog IDs. This lets you selectively ingest only those catalog entities whose catalogSysId matches the filter. If no values are specified, then the connector ingests all catalog entities. This feature is Generally available (GA).

For information about ServiceNow connectors, see Connect ServiceNow.

Google Agentspace: Interface updates

  • File uploads can be canceled at any time.
  • The Star and Share buttons now appear after a user has initiated a session by submitting a prompt.

Generative AI on Vertex AI

Access to Gemini's 1.5 models has been discontinued. For more information, see our Model versions page.

Google Cloud Armor

Cloud Armor's support for Network Threat Intelligence (NTI) in globally scoped edge security policies for Media CDN edge cache services is Generally Available.

Cloud Armor's support for Autonomous System Numbers (ASNs) in globally scoped edge security policies for Media CDN edge cache services is Generally Available.

Google Cloud Managed Service for Apache Kafka

Integration with VPC Service Controls is generally available (GA).

Google Cloud VMware Engine

All 3-year Committed Use Discounts (CUDs) for VMware Engine ve1 SKUs are now End-of-Sale across all regions where the service is available.

The following specific 3-year commitments are impacted by this change:

  • 3-year commitment (monthly payments), Fully Licensed Pricing - "postpaid"
  • 3-year commitment (upfront payments), Fully Licensed Pricing - "prepay"
  • 3-year commitment (monthly payments), Fully Licensed convertible commitment - "postpaid"
  • 3-year commitment (upfront payments), Fully Licensed convertible commitment - "prepay"
  • 3-year commitment (monthly payments), Portable License Pricing - "postpaid"
  • 3-year commitment (upfront payments), Portable License Pricing - "prepay"
  • 3-year commitment (monthly payments), Protected License Pricing - "postpaid"
  • 3-year commitment (upfront payments), Protected License Pricing - "prepay"

Refer to VMware Engine node types for the regional availability of ve1 SKUs.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.32.500-gke.48 is now available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.32.500-gke.48 runs on Kubernetes v1.32.8-gke.500.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following issues were fixed in 1.32.500-gke.48:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.32.500-gke.48 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.500-gke.48 runs on Kubernetes v1.32.8-gke.500.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The following issues were fixed in 1.32.500-gke.48:

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Media CDN

You can use Autonomous System Numbers (ASN) based rules from Cloud Armor for Media CDN. ASN-based rules allow you to create security policies that specifically permit or deny traffic based on the ASN of the client requesting your content. This feature is Generally Available.

For more information, see Google Cloud Armor support.

You can use Network Threat Intelligence (NTI) from Cloud Armor in Edge Security Policies for Media CDN edge cache services for Enterprise users. NTI helps identify and block requests originating from known malicious IP addresses and networks. This feature is Generally Available.

For an example, see Example: Block traffic from known malicious IPs.

For more information, see Google Cloud Armor support.

NetApp Volumes

Google Cloud NetApp Volumes now supports the FlexCache feature in allow-listed General Availability (GA) for the Premium and Extreme service levels. For more information, see FlexCache.

September 23, 2025

Agent Assist

Agent Assist offers a bidirectional API for next-generation audio and multi-modal experiences in both Conversational Agents and Agent Assist. The BiDiStreamingAnalyzeContent API facilitates the streaming of audio data and returns either transcripts or human agent suggestions to you.

AlloyDB for PostgreSQL

You can now provision, manage, and query your databases using the dedicated Gemini CLI extensions for AlloyDB. The extensions provide full lifecycle control of your database - from provisioning instances to exploring schemas and troubleshooting issues. This feature is available in beta.

Artifact Registry

Layer-based scanning for Artifact Analysis is in Preview. You can view vulnerability metadata for a specific layer of your image digest in the Google Cloud Console and in the GCloud CLI. For more information, see the following topics:

Google Cloud Console:

GCloud CLI

Cloud Key Management Service

Cloud KMS now supports key encapsulation mechanisms (KEMs) for sharing secrets in Preview. KEMs are designed to be resistant to post-quantum attacks. You can use the following KEM algorithms:

  • ML_KEM_768
  • ML_KEM_1024
  • KEM_XWING

For more information about key encapsulation mechanisms, see Key encapsulation mechanisms. To learn how to use key encapsulation mechanisms to share secrets, see Encapsulate and decapsulate using KEMs.

Cloud NAT

Cloud NAT gateways for Public NAT support source-based NAT rules for IPv4 addresses. This feature is available in Preview.

Cloud NGFW

You can use the URL filtering service to filter your workload traffic by using domain and Server Name Indication (SNI) information available in the egress HTTP(S) messages. For more information, see URL filtering service overview. This feature is available in Preview.

Cloud Run

You can specify mount options when you configure Cloud Storage volume mounts for Cloud Run services, jobs, and worker pools. (GA)

Cloud SQL for MySQL

You can now provision, manage and query your databases using the dedicated Gemini CLI extension for Cloud SQL for MySQL. The extension provides full lifecycle control of your database—from provisioning instances, to exploring schemas and troubleshooting issues—from your command-line interface.

For more information, see Use Cloud SQL for MySQL with MCP, Gemini CLI, and other agents.

You can now retain point-in-time recovery (PITR) logs for an instance after its deletion for a specified retention period. These logs can be used to restore the deleted instance to a specific point in time. For more information, see Restore a deleted instance using PITR.

Cloud SQL for PostgreSQL

You can now provision, manage and query your databases using the dedicated Gemini CLI extension for Cloud SQL for PostgreSQL. The extension provides full lifecycle control of your database—from provisioning instances, to exploring schemas and troubleshooting issues—from your command-line interface.

For more information, see Use Cloud SQL for PostgreSQL with MCP, Gemini CLI, and other agents.

You can now retain point-in-time recovery (PITR) logs for an instance after its deletion for a specified retention period. These logs can be used to restore the deleted instance to a specific point in time. For more information, see Restore a deleted instance using PITR.

Cloud SQL for SQL Server

You can now provision, manage and query your databases using the dedicated Gemini CLI extension for Cloud SQL for SQL Server. The extension provides full lifecycle control of your database—from provisioning instances, to exploring schemas and troubleshooting issues—from your command-line interface.

For more information, see Use Cloud SQL for SQL Server with MCP, Gemini CLI, and other agents.

You can now retain point-in-time recovery (PITR) logs for an instance after its deletion for a specified retention period. These logs can be used to restore the deleted instance to a specific point in time. For more information, see Restore a deleted instance using PITR.

Cloud Service Mesh

1.27.1-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.2 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.27.1 subject to the list of supported features.

The following environment variables and annotations are not supported:

  • ENVOY_STATUS_PORT_ENABLE_PROXY_PROTOCOL
  • PILOT_DNS_CARES_UDP_MAX_QUERIES
  • PILOT_IP_AUTOALLOCATE_IPV4_PREFIX and PILOT_IP_AUTOALLOCATE_IPV6_PREFIX
  • sidecar.istio.io/bootstrapOverride

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.2 uses Envoy v1.35.3-dev.

Dataplex

You can now connect your Dataplex Universal Catalog instance to your favorite developer tools, such as the Gemini CLI and other IDEs. This integration enables AI-driven data discovery and asset management directly within your development environment. For more information, see Use Dataplex Universal Catalog with MCP, Gemini, and other agents.

Datastream

Datastream support for MongoDB as a source is now generally available (GA). For more information, see the documentation.

Document AI

Custom classifier model pretrained-classifier-v1.5-2025-08-05 powered by Gemini 2.5 Flash is in Preview. It has ML processing available for US and EU regions, a maximum page limit of 30 pages, and processing requests of 120 pages per minute.

Unlike the prior custom classifier, which used classical machine learning, this version features a new platform. It accommodates:

  • High accuracy immediately, based on the document classes you define.
  • Few-shot learning to further improve accuracy.
  • Use of descriptions when labeling for more context and insight for document classes.
  • More accurate results with the same training dataset on the fine-tuned generative AI model, compared to the trained version.
  • Autolabeling documents for fine-tuning and evaluation.
  • Generative AI to fine-tune and heighten accuracy.

For more information on processor versions, see Managing processor versions.

Firestore

You can now query your databases and update data using the dedicated Gemini CLI extension for Firestore. This feature is available in beta.

Gemini Enterprise

Google Agentspace: Change in ACLs for incidents in ServiceNow

The access-control list (ACL) behavior for ServiceNow incidents has significantly changed, from too permissive to least-privilege behavior. This change drastically reduces the possibility of data leaks, but might be too restrictive for your needs.

For more information about ServiceNow, see Connect ServiceNow and Add ServiceNow actions.

Generative AI on Vertex AI

Gemini 2.5 Flash with Live API Native Audio Preview

Gemini 2.5 Flash with Live API Native Audio (gemini-live-2.5-flash-preview-native-audio-09-2025) is available in Preview. A single, unified model processes audio input and generates audio output directly, eliminating separate text-to-speech/speech-to-text conversions. This results in low-latency, high-quality, and incredibly human-like conversations. New features and capabilities include:

  • Improved Barge-in: Interrupt Gemini more naturally and reliably, even in loud and noisy environments.

  • Robust Function Calling: We've improved the triggering rate, allowing Gemini to successfully execute the functions you define with greater precision.

  • Accurate Transcription: The accuracy of audio-to-text transcription has been significantly enhanced.

  • Seamless Multilingual Support: Speak to Gemini in multiple languages, and it will effortlessly switch between them without any pre-configuration. Language is no longer a barrier!

  • Enhanced Audio Quality: Experience a dramatically improved audio quality that truly feels like speaking with a person.

  • Proactive Audio: Define Gemini's expertise and set conditions for when it should respond. Gemini can act as a "silent listener," only chiming in when the conversation touches upon its designated area of expertise.

  • Affective Dialog: Gemini can adapt and adjust its generated voice to match the emotional tone of the speaker, creating more empathetic and natural interactions.

Watch our comprehensive demo to see these features in action, including seamless language switching, expert mode, emotionally aware responses, memory recall, and interactive screen sharing for engineering tasks – all demonstrated directly within Vertex AI Studio without writing a single line of code!

Google Kubernetes Engine

The following metrics are now only billed through Cloud Monitoring. If you were using any of these features through GKE Enterprise, your billing is automatically transitioned to the Cloud Monitoring SKU.

These metrics use Google Cloud Managed Service for Prometheus to load metrics into Cloud Monitoring. The Cloud Monitoring charges for the ingestion of these metrics are based on the number of samples ingested. For more information, see Cloud Monitoring pricing.

Google SecOps SIEM

Transport-layer migration for third-party API feeds

Google SecOps is migrating the transport layer for third-party API feeds to a new platform to improve performance and reliability. This migration will be completed in phases and is expected to finish by the end of October 2025. The migration should not impact any existing or new, third-party API feeds. If you experience any unexpected issues with your feeds during the migration, contact your Google SecOps representative.

Looker

You can now connect to your Looker instance with the Gemini CLI using a dedicated Gemini extension. The Gemini extension can run queries, create Looks and dashboards, and retrieve elements of your LookML models.

Managed Lustre

Google Cloud Managed Lustre now supports file system quotas, allowing you to set limits on the amount of disk space and the number of files that users, groups, or projects can consume within your file system.

For details, see File system quotas in the Managed Lustre documentation.

Oracle Database@Google Cloud

Oracle Database@Google Cloud supports Exadata Database Service on Exascale Infrastructure, which lets you create and manage Exascale VM Clusters and Exascale Storage Vaults. This feature is generally available (GA).

Security Command Center

Bulk export findings to BigQuery is available in General Availability. Bulk exports are supported for organizations, projects, and folders.

The upgraded model for the prompt injection and jailbreak detection filter is available in EU multi-region. This model has improved detection rates across several attack vectors, including the following:

  • Do Anything Now prompts
  • System instruction manipulation
  • Unauthorized action execution
  • Sensitive information retrieval

Spanner

You can now use read lease regions to reduce latency for strong reads in multi-region or dual-region instances. Read leases use designated non-leader, read-write or read-only regions to serve strong reads locally, eliminating the network round trip to the leader region that is typically required. This feature is generally available (GA).

You can now use the dedicated Gemini CLI extension for Spanner to execute SQL statements and query your Spanner instance using natural language controls.

VPC Service Controls

General availability support for the following integration:

Virtual Private Cloud

Service producers can publish services that are hosted on cross-region internal Application Load Balancers. This feature is available in General Availability. For more information, see Publish services by using Private Service Connect.

September 22, 2025

AlloyDB for PostgreSQL

The available memory metric now accurately reflects the memory available to AlloyDB by taking into consideration usable memory from the OS page cache. This improvement can lead to a lower value of the metric, which you might notice when you update your version to PG 17 or later. This feature is generally available (GA) and is available for AlloyDB for PostgreSQL version 17 and later. For more information, see System insights metrics reference.

Database server compatibility with PostgreSQL version 17 is now generally available (GA). You can create AlloyDB clusters with PostgreSQL 17 compatibility.

BigQuery

You can now run federated queries against PostgreSQL dialect databases in Spanner using BigQuery external datasets with GoogleSQL; this includes cross-region federated queries. This feature is generally available (GA).

Python

3.38.0 (2025-09-15)

Features

Cloud Logging

Cloud Logging has removed the quota for write requests per minute, which has been replaced by volume-based regional quotas. We've also removed the references to August dates for the removal of the old quota from the public documentation. For more information, see Logging API quotas and limits.

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for storage/internal/apiv2

1.56.2 (2025-09-15)

Bug Fixes

Python

Changes for google-cloud-storage

3.4.0 (2025-09-15)

Features

Bug Fixes

  • GAPIC generation failed with 'Directory not empty' (#1542) (c80d820)

Compute Engine

Generally available: You can create and use Flex-start VMs. Flex-start VMs are virtual machine (VM) instances that can run for up to seven days, and that use the flex-start provisioning model. This model provisions resources from a secure pool of capacity, increasing your chances of obtaining high-demand resources like GPUs. These features make Flex-start VMs suitable for short-duration workloads that can start at any time, such as the following:

  • Small model pre-training
  • Model fine-tuning
  • High performance computing (HPC) simulation
  • Batch inference

You can create standalone Flex-start VMs, or add Flex-start VMs all at once to a managed instance group (MIG) by using resize requests. Based on the machine type that your Flex-start VMs use, you get discounts for vCPUs, memory, and any attached GPUs.

For more information, see About Flex-start VMs.

Config Connector

Config Connector version 1.135.0 is now available.

New Beta Resources (Direct Reconciler):

  • AssetSavedQuery
  • PubSubSnapshot

Modified Beta Reconciliation: We migrated the following resources from the Terraform-based or DCL-based controller to the new Direct Controller.

  • VMWareEngineExternalAddress

New Fields:

  • AlloyDBCluster
    • Added spec.databaseVersion field

Bug Fixes:

  • PR#5009 Fix the nil pointer dereference error in AlloyDB direct controller

Generative AI on Vertex AI

DeepSeek-V3.1-Terminus is available through Model Garden.

Google Cloud Architecture Center

Design storage for AI and ML workloads in Google Cloud: Updated storage recommendations for training and serving workflows. Revised the scaling capacity and performance tiers for Managed Lustre.

Design an optimal storage strategy for your cloud workload: Revised the scaling capacity and performance tiers for Managed Lustre.

Security Command Center

Graph search lets you explore the security graph using custom queries. This product is available in Preview in the Security Command Center Enterprise tier.

Sensitive Data Protection

The DOCUMENT_TYPE/FINANCE/INVOICE and DOCUMENT_TYPE/MEDICAL/RECORD infoType detectors are available in global and the asia, europe, and us multi-regions. For more information about all infoTypes, see InfoType detector reference.

Spanner

You can now run federated queries against PostgreSQL dialect databases in Spanner using BigQuery external datasets with GoogleSQL; this includes cross-region federated queries. This feature is generally available (GA).

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-spanner

3.58.0 (2025-09-10)

Features

Dependencies

  • Remove Python 3.7 and 3.8 as supported runtimes (#1395) (fc93792)

Vertex AI

DeepSeek-V3.1-Terminus is available through Model Garden.

September 19, 2025

Apigee Advanced API Security

On September 19, 2025, we released an updated version of Advanced API Security.

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

New security actions status icons and "expired" note in the security actions UI

This release adds security status icons to the Apigee UI to make it easier to see, at a glance, whether a security action is enabled, disabled, or paused, and an "expired" note when an action is expired.

The status icons display next to the action's status in the security actions list and in the security action details page.

For information on security actions and security action statuses, see the Security Actions customer documentation.

Apigee UI

On September 19, 2025, we released an updated version of the Apigee UI.

Bug ID      Description
444579842   Fixed browser hang issue when uploading large bundles. Fixed an issue where the browser would hang when creating a new proxy or proxy revision from a large uploaded zip bundle.

Cluster Toolkit

Cluster Toolkit release version v1.67.0 is available. This release introduces additional support for aarch64-based architecture, as well as other minor changes. For more information about this release, see the Release Announcement on GitHub.

Cortex Framework

  • 1-Click Deployer: 1-Click deployer now deploys the Sustainability module when SAP ECC or S/4 is selected.
  • SAP:
    • The CDC script now considers the L flag alongside I and U when determining which records are updated in the raw dataset. This is to account for situations where the pipeline is somehow re-configured after data load, but the CDC dataset can still be reused to avoid re-processing existing data.
    • Column names in StockInHand views (ECC and S/4) for MATNR and WERKS have been aligned with other views to be MaterialNumber_MATNR and Plant_WERKS. Previous column names ArticleNumber_MATNR and Site_WERKS still exist for compatibility reasons, but will be removed in a future release. Customers are advised to change their upstream consumption assets accordingly.
    • Column names in SalesOrders_V2 views (ECC and S/4) for ERDAT and ERZET have been aligned to new names SalesDocumentCreationDate_ERDAT, SalesOrderItemCreationDate_ERDAT, SalesOrderCreationTime_ERZET and SalesDocumentItemCreationTime_ERZET to account for the correct granularity of their source table (either VBAP or VBAK). Previous column names CreationDate_ERDAT and CreationTime_ERZET still exist for compatibility reasons, but will eventually be removed in a future release. Customers are advised to change their upstream consumption assets accordingly. Also, Sales Order Item level calendar dimensions are now added by default.
    • Column names in Deliveries view for VGBEL, VGPOS, and XBLNR are updated to InternalReferenceDocumentNumber_VGBEL, InternalReferenceDocumentItem_VGPOS, and ExternalReferenceDocumentNumber_XBLNR for more clarity. Previous column names SalesOrderNumber_VGBEL, SalesOrderItem_VGPOS, and ReferenceDocumentNumber_XBLNR still exist for compatibility reasons, but will eventually be removed in a future release. Customers are advised to change their upstream consumption assets accordingly.
    • Sales Order Item level calendar dimensions are now added by default.
    • In AccountingDocuments view as well as the downstream AccountingDocumentsReceivables views, DoubtfulReceivables, and DaysInArrear metrics are now positive instead of negative to align with official SAP guidelines.
    • SalesFulfillment and SalesFulfillment_PerOrder views are updated to use SalesOrders_V2 instead of SalesOrders view as their upstream source for both ECC and S/4. The view signatures are unchanged.
    • ERD for both ECC and S/4 have been cleaned up and updated based on the latest changes.
  • Marketing: Cortex for Meridian reporting views adapted to TikTok, Meta, and YouTube (DV360) to focus on top of the funnel marketing campaigns. Search Ads data is skipped from aggregates as higher quality data is now available from Marketing Mix Modeling (MMM) Data Platform.
  • SAP:
    • Qty field data type in StockInHand views (ECC and S/4) has been changed from STRING to NUMERIC.
    • Currency conversion and currency decimal shift in PurchaseDocuments_Flow views (ECC and S/4) now align with the logic implemented in all other SAP reporting views.
    • Fixed incorrect GR quantity caused by an incorrect JOIN condition.
    • Removed an excessive LEFT JOIN in the Unit of Measure Function and View Utility code to avoid possible duplicate rows.
    • Cleaned up unnecessary date casting and ORDER BY clauses in some views to improve performance.
  • Salesforce (SFDC):
    • Currency conversion logic is now updated to account for possible source currency fields that are not corporate currency in the objects (for example, Opportunities).
    • Updated ERD to include proper linkage to calendar dimension.
  • SAP: The views GLDocumentsHdr and RegionsMD are now removed as they are no longer relevant.
  • Oracle builds may time out when using a private worker pool created with default parameters.

Release 6.3.2

Memorystore for Valkey

The customer-managed encryption keys (CMEK) feature for Memorystore for Valkey is now Generally Available.

Sensitive Data Protection

When you inspect a BigQuery table for sensitive data, you can send the inspection findings to Dataplex Universal Catalog. For more information, see Send inspection results to Dataplex Universal Catalog as aspects.

September 18, 2025

Anthos Config Management

Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.

Upgraded the OpenTelemetry image from v0.118.0 to v0.119.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.

Apigee Advanced API Security

On September 18, 2025, we released an updated version of Advanced API Security.

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Improvements to the Abuse Detection incident model

This release includes improvements to the incident model, including lower noise and higher accuracy for abuse detection incidents.

Note: This feature is not currently available to customers with VPC-SC enabled.

For information on abuse detection incidents, see the Abuse Detection customer documentation.

Buildpacks

Ubuntu 24 builder with the google-24 stack is available for Google Cloud's Buildpacks. For more information, see Builders and Use a specific builder.

Compute Engine

Version 20250918.01 of the guest agent is now available. This guest agent version introduces the plugin-based architecture to the following Debian and Enterprise Linux 10 operating systems:

  • Red Hat Enterprise Linux (RHEL) 10
  • Rocky Linux 10
  • CentOS Stream 10
  • Debian 13

For more information about the plugin-based architecture, see Guest agent.

Version 20250918.01 includes the following fixes for issues found in the plugin-based architecture:

  • Corrects an issue in the OS Login module that was incorrectly writing perm_denied=die PAM module configuration when two-factor authentication isn't enabled.
  • Fixes an issue in the metadata-based SSH module where re-adding a user didn't add the user to the sudoers group.

Generative AI on Vertex AI

Grounding with Google Maps

Grounding with Google Maps has implemented the following changes:

  • Removed the following fields from the API response:
    • grounding_chunk.maps.text
    • grounding_chunk.maps.place_answer_sources.review_snippets.author_attribution
    • grounding_chunk.maps.place_answer_sources.flag_content_uri
    • grounding_chunk.maps.place_answer_sources.review_snippets.flag_content_uri
  • The widget context token is only returned when the optional widget_token_enable input flag is set.

To learn more, see Grounding with Google Maps.

Google Kubernetes Engine

(2025-R39) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • Version 1.34.0-gke.1662000 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1130000
    • 1.31.12-gke.1060000
    • 1.31.12-gke.1083000
    • 1.32.8-gke.1108000
    • 1.32.8-gke.1134000
    • 1.33.4-gke.1172000
    • 1.34.0-gke.1477000
    • 1.34.0-gke.1497000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1150000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.12-gke.1110000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.8-gke.1170000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1245000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1150000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.12-gke.1110000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.8-gke.1170000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1245000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.34 to version 1.34.0-gke.1662000 with this release.

Regular channel

  • Version 1.33.4-gke.1134000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1059000
    • 1.31.12-gke.1060000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.33.4-gke.1134000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.4-gke.1134000 with this release.

Stable channel

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.14-gke.1011000
    • 1.32.7-gke.1079000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.14-gke.1036000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.14-gke.1036000 with this release.

Extended channel

  • Version 1.33.4-gke.1134000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2564000
    • 1.28.15-gke.2630000
    • 1.29.15-gke.1773000
    • 1.29.15-gke.1851000
    • 1.30.14-gke.1059000
    • 1.31.12-gke.1060000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2599000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2599000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1820000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1134000 with this release.

No channel

Guest Environment

Version 20250918.01 of the guest agent is now available. This guest agent version introduces the plugin-based architecture to the following Debian and Enterprise Linux 10 operating systems:

  • Red Hat Enterprise Linux (RHEL) 10
  • Rocky Linux 10
  • CentOS Stream 10
  • Debian 13

For more information about the plugin-based architecture, see Guest agent.

Version 20250918.01 also includes the following fixes for issues found in the plugin-based architecture:

  • Corrects an issue in the OS Login module that was incorrectly writing perm_denied=die PAM module configuration when two-factor authentication isn't enabled.
  • Fixes an issue in the metadata-based SSH module where re-adding a user didn't add the user to the sudoers group.

Organization Policy

Select Cloud Load Balancing resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which load balancing resources support custom constraints and to view sample use cases, see Manage Cloud Load Balancing resources using custom constraints.

This feature is available in General Availability.

Resource Manager

Select Cloud Load Balancing resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which load balancing resources support custom constraints and to view sample use cases, see Manage Cloud Load Balancing resources using custom constraints.

This feature is available in General Availability.

VPC Service Controls

General availability support for the following integration:

September 17, 2025

Cloud Load Balancing

A security fix changes how requests and responses sent with the Transfer-Encoding: Chunked header are handled, making the behavior more compliant with RFC 9112. The RFC states that both the chunked_body and the last-chunk fields must end in CRLF. This is now enforced.

Cloud SQL for PostgreSQL

The rollout of the following minor version upgrades is complete:

Minor versions

  • 13.21 is upgraded to 13.22.
  • 14.18 is upgraded to 14.19.
  • 15.13 is upgraded to 15.14.
  • 16.9 is upgraded to 16.10.
  • 17.5 is upgraded to 17.6.

Cloud SQL for PostgreSQL adds support for the following extensions:

Extensions

  • plpgsql_check 2.8 is available for PostgreSQL version 14 and later.
  • roaringbitmap 0.5 is available for PostgreSQL version 12 and later.

To use these minor versions and the new extensions, update your instance to [PostgreSQL version].R20250727.00_23.

If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.

For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Cloud Service Mesh

The following rollouts have completed for managed Cloud Service Mesh:

  • 1.21.5-asm.55 has rolled out to the rapid release channel.
  • 1.20.8-asm.48 has rolled out to the regular release channel.
  • 1.19.10-asm.48 has rolled out to the stable release channel.

While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

Cloud Storage

The bucket_attributes_view and bucket_attributes_latest_snapshot_view tables in Storage Insights datasets are updated with two new fields: objectCount and totalSize. objectCount reflects the total number of objects in the bucket and totalSize reflects the total size of the bucket in bytes. The tables are automatically updated with the new fields in all existing datasets and are included in all new dataset configurations.

Compute Engine

Compute Engine enforces a limit on the total baseline performance that a project's Hyperdisk Balanced and Hyperdisk Balanced High Availability disks in the same zone can consume at the same time. The aggregate baseline performance limit is 50 GiB/s of throughput and 500,000 IOPS, and it only applies to baseline performance. For a detailed explanation, see Concurrent consumption limits for baseline performance.

Contact Center AI Insights

Conversational Insights offers the following subscriptions:

  • Standard edition provides a suite of tools to analyze customer service conversations.
  • Enterprise edition includes the standard edition tools and Quality AI.
  • Standalone Quality AI provides only automated evaluation tools.

Pricing is based on how you interact with your customers:

  • Chat conversations are billed per message.
  • Voice conversations are billed per minute.

Google Cloud Architecture Center

(New guide) VPC Network Peering Cross-Cloud Network with NVAs and regional affinity: Describes how to deploy network virtual appliances (NVAs) in a single-region Cross-Cloud Network architecture.

Google Cloud Managed Service for Apache Kafka

Managed Service for Apache Kafka now supports Organization Policy Service custom constraints. Custom constraints allow you to restrict specific operations on Managed Service for Apache Kafka resources.

Google SecOps Marketplace

SentinelOneV2: Version 41.0

  • The following new action has been added:

    • Update Alert
  • The following new connector has been added:

    • SentinelOne - Alert Connector
  • A new predefined widget has been added to the following action:

    • Update Alert

Google Threat Intelligence: Version 4.0

  • The following new action has been added:

    • Set DTM Alert Analysis

Palo Alto Cortex XDR: Version 18.0

  • The following new actions have been added:

    • Add Comment To Incident

    • Execute XQL Search

    • Get Incident Details

Google Threat Intelligence: Version 4.0

  • Updated the processing of the threat actor entity in the following action:

    • Enrich Entities
  • Updated the predefined widget in the following actions:

    (REGRESSIVE) The widget now works with GTI information. To see the changes, the widget must be re-added to the existing views in playbooks.

    • Enrich Entities

    • Enrich IOCs

  • Added JSON samples to the following action:

    • Enrich Entities

Trend Vision One: Version 6.0

  • Added support for Agent UUID in the following actions:

    • Enrich Entities

    • Execute Custom Script

    • Isolate Endpoint

    • Unisolate Endpoint

Splunk: Version 58.0

  • Updated the alert processing logic in the following connector:

    • Splunk ES - Notable Events Connector

Jira: Version 48.0

  • Integration: Updated the SDK version.

Added the ability to modify the API Root and Login API Root in the following integrations:

  • Azure Active Directory: Version 18.0

  • Azure AD Identity Protection: Version 7.0

  • Microsoft Teams: Version 28.0

Vertex AI: Version 4.0

  • Integration: Increased the default timeout for API requests.

Microsoft Azure Sentinel: Version 56.0

  • Updated mapping for the ScheduledAlert event types in the following connector:

    • Microsoft Azure Sentinel Incident Connector v2

Google SecOps SIEM

SentinelOneV2: Version 41.0

  • The following new action has been added:

    • Update Alert
  • The following new connector has been added:

    • SentinelOne - Alert Connector
  • A new predefined widget has been added to the following action:

    • Update Alert

Google Threat Intelligence: Version 4.0

  • The following new action has been added:

    • Set DTM Alert Analysis

Palo Alto Cortex XDR: Version 18.0

  • The following new actions have been added:

    • Add Comment To Incident

    • Execute XQL Search

    • Get Incident Details

Google Threat Intelligence: Version 4.0

  • Updated the processing of the threat actor entity in the following action:

    • Enrich Entities
  • Updated the predefined widget in the following actions:

    (REGRESSIVE) The widget now works with GTI information. To see the changes, the widget must be re-added to the existing views in playbooks.

    • Enrich Entities

    • Enrich IOCs

  • Added JSON samples to the following action:

    • Enrich Entities

Trend Vision One: Version 6.0

  • Added support for Agent UUID in the following actions:

    • Enrich Entities

    • Execute Custom Script

    • Isolate Endpoint

    • Unisolate Endpoint

Splunk: Version 58.0

  • Updated the alert processing logic in the following connector:

    • Splunk ES - Notable Events Connector

Jira: Version 48.0

  • Integration: Updated the SDK version.

Added the ability to modify the API Root and Login API Root in the following integrations:

  • Azure Active Directory: Version 18.0

  • Azure AD Identity Protection: Version 7.0

  • Microsoft Teams: Version 28.0

Vertex AI: Version 4.0

  • Integration: Increased the default timeout for API requests.

Microsoft Azure Sentinel: Version 56.0

  • Updated mapping for the ScheduledAlert event types in the following connector:

    • Microsoft Azure Sentinel Incident Connector v2

Google SecOps SOAR

SentinelOneV2: Version 41.0

  • The following new action has been added:

    • Update Alert
  • The following new connector has been added:

    • SentinelOne - Alert Connector
  • A new predefined widget has been added to the following action:

    • Update Alert

Google Threat Intelligence: Version 4.0

  • The following new action has been added:

    • Set DTM Alert Analysis

Palo Alto Cortex XDR: Version 18.0

  • The following new actions have been added:

    • Add Comment To Incident

    • Execute XQL Search

    • Get Incident Details

Google Threat Intelligence: Version 4.0

  • Updated the processing of the threat actor entity in the following action:

    • Enrich Entities
  • Updated the predefined widget in the following actions:

    (REGRESSIVE) The widget now works with GTI information. To see the changes, the widget must be re-added to the existing views in playbooks.

    • Enrich Entities

    • Enrich IOCs

  • Added JSON samples to the following action:

    • Enrich Entities

Trend Vision One: Version 6.0

  • Added support for Agent UUID in the following actions:

    • Enrich Entities

    • Execute Custom Script

    • Isolate Endpoint

    • Unisolate Endpoint

Splunk: Version 58.0

  • Updated the alert processing logic in the following connector:

    • Splunk ES - Notable Events Connector

Jira: Version 48.0

  • Integration: Updated the SDK version.

Added the ability to modify the API Root and Login API Root in the following integrations:

  • Azure Active Directory: Version 18.0

  • Azure AD Identity Protection: Version 7.0

  • Microsoft Teams: Version 28.0

Vertex AI: Version 4.0

  • Integration: Increased the default timeout for API requests.

Microsoft Azure Sentinel: Version 56.0

  • Updated mapping for the ScheduledAlert event types in the following connector:

    • Microsoft Azure Sentinel Incident Connector v2

Spanner

Spanner Graph support of schemaless schemas is generally available (GA). For more information, see Manage schemaless data with Spanner Graph.

Vertex AI Workbench

M133 release

The M133 release of Vertex AI Workbench instances includes the following:

  • Patched an incompatibility with the Dataproc JupyterLab plugin (dataproc-jupyter-plugin) and instances with end-user credentials enabled.

reCAPTCHA

reCAPTCHA Mobile SDK v18.8.0 is available for Android. This version contains reliability improvements and bug fixes.

September 16, 2025

Application Integration

Salesforce connected app requires installation for OAuth 2.0 authentication

A new security requirement from Salesforce restricts the use of uninstalled connected apps. To ensure your Salesforce triggers remain functional, you must install the connected app in your Salesforce account.

When establishing a new Salesforce trigger using OAuth 2.0 authentication, you are now required to install the connected app within your Salesforce account. This step is also necessary for existing triggers using OAuth 2.0 authentication if the connected app is not already installed, as failure to do so may cause them to stop working.

For more information, see Install the OAuth 2.0 connected app.

Backup for GKE

Backup for GKE now supports restoring disks in pre-existing Storage Pools for Hyperdisk Balanced and Hyperdisk Throughput volumes. This feature is available in clusters running the following GKE versions:

  • 1.33: Versions 1.33.4-gke.1245000 and later
  • 1.34 and later: All versions from 1.34.0-gke.1532000 onwards

BigQuery

You can now access snapshots of Apache Iceberg external tables that are retained in your Iceberg metadata by using the FOR SYSTEM_TIME AS OF clause. This feature is generally available (GA).

You can use the JSON_KEYS function to extract unique JSON keys from a JSON expression, and you can specify a mode for some JSON functions that take a JSONPath to allow more flexibility in how the path matches the JSON structure. These features are generally available (GA).

SQL code completion is now available for all BigQuery projects. To learn how to enable and activate Gemini in BigQuery features, see Set up Gemini in BigQuery. This feature is available in preview.

Container Optimized OS

cos-121-18867-199-65

  • Kernel: COS-6.6.105
  • Docker: v27.5.1
  • Containerd: v2.0.6
  • GPU Drivers: See List

Added GDRCopy kernel module for NVIDIA drivers.

Added support for NVIDIA MFT Tools on arm64.

Updated the Linux kernel to v6.6.105.

Fixed CVE-2025-39782 in the Linux kernel.

Fixed CVE-2025-38608 in the Linux kernel.

Fixed CVE-2025-38622 in the Linux kernel.

Fixed CVE-2025-38639 in the Linux kernel.

Fixed CVE-2025-38572 in the Linux kernel.

Fixed CVE-2025-38588 in the Linux kernel.

Fixed CVE-2025-38349 in the Linux kernel.

Fixed CVE-2025-38550 in the Linux kernel.

Fixed CVE-2025-38568 in the Linux kernel.

Fixed CVE-2025-38645 in the Linux kernel.

Fixed CVE-2025-38640 in the Linux kernel.

Fixed CVE-2025-38528 in the Linux kernel.

Fixed CVE-2025-38563 in the Linux kernel.

Fixed CVE-2025-38539 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811788 -> 811710

cos-117-18613-339-65

  • Kernel: COS-6.6.97
  • Docker: v24.0.9
  • Containerd: v1.7.28
  • GPU Drivers: See List

Added GDRCopy kernel module for NVIDIA drivers.

Added support for NVIDIA MFT Tools on arm64.

Fixed CVE-2025-38588 in the Linux kernel.

Fixed CVE-2025-38622 in the Linux kernel.

Fixed CVE-2025-38608 in the Linux kernel.

Fixed CVE-2025-38587 in the Linux kernel.

Fixed CVE-2025-38527 in the Linux kernel.

Fixed CVE-2025-38571 in the Linux kernel.

Fixed CVE-2025-38572 in the Linux kernel.

Fixed CVE-2025-38566 in the Linux kernel.

Fixed CVE-2025-38568 in the Linux kernel.

Fixed CVE-2025-38565 in the Linux kernel.

Fixed CVE-2025-38639 in the Linux kernel.

Fixed CVE-2025-38645 in the Linux kernel.

Fixed CVE-2025-38640 in the Linux kernel.

Fixed CVE-2025-38528 in the Linux kernel.

Fixed CVE-2025-38539 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811749 -> 811774

cos-beta-125-19216-0-47

  • Kernel: COS-6.12.41
  • Docker: v27.5.1
  • Containerd: v2.1.3
  • GPU Drivers: See List

Fixed a kernel bug which caused boot to fail for n4 machine types.

Added GDRCopy kernel module for NVIDIA drivers.

Added support for NVIDIA MFT Tools on arm64.

Fixed CVE-2025-38640 in the Linux kernel.

Fixed CVE-2025-38614 in the Linux kernel.

Fixed CVE-2025-38587 in the Linux kernel.

Fixed CVE-2025-38588 in the Linux kernel.

Fixed CVE-2025-38572 in the Linux kernel.

Fixed CVE-2025-38622 in the Linux kernel.

Fixed CVE-2025-38608 in the Linux kernel.

Fixed CVE-2025-38565 in the Linux kernel.

Fixed CVE-2025-38645 in the Linux kernel.

Fixed CVE-2025-38571 in the Linux kernel.

Fixed CVE-2025-38568 in the Linux kernel.

Fixed CVE-2025-38639 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811507 -> 811500

cos-113-18244-448-43

  • Kernel: COS-6.1.144
  • Docker: v24.0.9
  • Containerd: v1.7.27
  • GPU Drivers: See List

Added GDRCopy kernel module for NVIDIA drivers.

Added IPv6 support for machines using the IDPF driver.

Fixed CVE-2025-38608 in the Linux kernel.

Fixed CVE-2025-38639 in the Linux kernel.

Fixed CVE-2025-38572 in the Linux kernel.

Fixed CVE-2025-38553 in the Linux kernel.

Fixed CVE-2025-38550 in the Linux kernel.

Fixed CVE-2025-38588 in the Linux kernel.

Fixed CVE-2025-38587 in the Linux kernel.

Fixed CVE-2025-38527 in the Linux kernel.

Fixed CVE-2025-38622 in the Linux kernel.

Fixed CVE-2025-38528 in the Linux kernel.

Fixed CVE-2025-38563 in the Linux kernel.

Fixed CVE-2025-38565 in the Linux kernel.

Fixed CVE-2025-38539 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812017 -> 811983

cos-109-17800-570-46

  • Kernel: COS-6.1.143
  • Docker: v24.0.9
  • Containerd: v1.7.27
  • GPU Drivers: See List

Added GDRCopy kernel module for NVIDIA drivers.

Fixed CVE-2025-38608 in the Linux kernel.

Fixed CVE-2025-38639 in the Linux kernel.

Fixed CVE-2025-38622 in the Linux kernel.

Fixed CVE-2025-38572 in the Linux kernel.

Fixed CVE-2025-38588 in the Linux kernel.

Fixed CVE-2025-38565 in the Linux kernel.

Fixed CVE-2025-38587 in the Linux kernel.

Fixed CVE-2025-38539 in the Linux kernel.

Fixed CVE-2025-38645 in the Linux kernel.

Fixed CVE-2025-38528 in the Linux kernel.

Fixed CVE-2025-38527 in the Linux kernel.

Fixed CVE-2025-38553 in the Linux kernel.

Fixed CVE-2025-38550 in the Linux kernel.

Fixed CVE-2025-38563 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812270 -> 812272

cos-dev-129-19279-0-0

  • Kernel: COS-6.12.46
  • Docker: v27.5.1
  • Containerd: v2.1.3
  • GPU Drivers: See List

Fixed a kernel bug which caused boot to fail for n4 machine types.

Updated the Linux kernel to v6.12.46.

Added GDRCopy kernel module for NVIDIA drivers.

Added support for NVIDIA MFT Tools on arm64.

Runtime sysctl changes:

  • Changed: fs.file-max: 811510 -> 811423

Google Cloud Architecture Center

(New guide) Multi-agent AI system in Google Cloud: A reference architecture to help you design robust multi-agent AI systems in Google Cloud.

Google Cloud Armor

Cloud Armor support for organization-scoped address groups for security policies is Generally Available.

Google Kubernetes Engine

Backup for GKE now supports restoring disks in pre-existing Storage Pools for Hyperdisk Balanced and Hyperdisk Throughput volumes. This feature is available in clusters running the following GKE versions:

  • 1.33: Versions 1.33.4-gke.1245000 and later
  • 1.34 and later: All versions from 1.34.0-gke.1532000 onwards

Google SecOps

Migrate SOAR to Google Cloud

We're actively migrating all SOAR customers and partners to their respective Google Cloud projects. This migration unifies your SOAR experience with your existing cloud environment. For more information, see SOAR migration overview and FAQ.

Google SecOps SIEM

Migrate SOAR to Google Cloud

We're actively migrating all SOAR customers and partners to their respective Google Cloud projects. This migration unifies your SOAR experience with your existing cloud environment. For more information, see SOAR migration overview and FAQ.

Migrate SOAR to Google Cloud

All customers and partners are being migrated from SOAR to Google Cloud. For more information, see SOAR migration overview and FAQ.

Release 6.3.61 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

Google SecOps SOAR

Migrate SOAR to Google Cloud

All customers and partners are being migrated from SOAR to Google Cloud. For more information, see SOAR migration overview and FAQ.

Release 6.3.61 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

Model Armor

Model Armor is integrated with Google Agentspace to provide greater insights and enhanced security of your agent interactions by default. For more information, see Integration with Google Agentspace.

Oracle Database@Google Cloud

Oracle Database@Google Cloud introduces zones in existing supported regions. You can select a zone for Exadata Infrastructure instances, VM clusters, ODB Networks, and DB systems while provisioning these resources. This feature is generally available (GA). See Supported regions and zones.

Security Command Center

Model Armor is integrated with Google Agentspace to provide greater insights and enhanced security of your agent interactions by default. For more information, see Integration with Google Agentspace.

September 15, 2025

BigQuery

In the BigQuery Studio, in the Explorer pane, you can now open saved queries in Connected Sheets. This feature is generally available (GA).

You can now enable the BigQuery advanced runtime to improve query execution time and slot usage. This feature is generally available (GA). Between September 15, 2025 and early 2026, the BigQuery advanced runtime will become the default runtime for all projects.

Java

2.55.0 (2025-09-12)

Features
  • bigquery: Add custom ExceptionHandler to BigQueryOptions (#3937) (de0914d)
Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquerystorage-bom to v3.17.0 (#3954) (e73deed)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#3952) (79b7557)

Python

3.37.0 (2025-09-08)

Features
Bug Fixes
  • Remove deepcopy while setting properties for _QueryResults (#2280) (33ea296)
Documentation
  • Clarify that the presence of XyzJob.errors doesn't necessarily mean that the job has not completed or was unsuccessful (#2278) (6e88d7d)
  • Clarify the api_method arg for client.query() (#2277) (8a13c12)

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigtable

6.4.1 (2025-09-09)

Bug Fixes
  • Directly import JS-native impl for crc32c on non-x64 platforms to avoid segfault (#1715) (9848963)

Java

Changes for google-cloud-bigtable

2.66.0 (2025-09-10)

Features
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#2668) (06ac93e)

Cloud Asset Inventory

The following resource types are publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Identity and Access Management

    • iam.googleapis.com/OauthClient
    • iam.googleapis.com/OauthClientCredential
    • iam.googleapis.com/WorkforcePool
    • iam.googleapis.com/WorkforcePoolProvider
    • iam.googleapis.com/WorkforcePoolProviderKey
    • iam.googleapis.com/WorkloadIdentityPool
    • iam.googleapis.com/WorkloadIdentityPoolProvider
    • iam.googleapis.com/WorkloadIdentityPoolProviderKey

Cloud Database Migration Service

Gemini-powered conversion features for heterogeneous migrations in Database Migration Service are now generally available (GA).

For more information, see Accelerate code and schema conversion with Gemini.

Cloud Logging

Java

3.23.4 (2025-09-11)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.1 (1438bff)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#1853) (c21a635)
  • Update googleapis/sdk-platform-java action to v2.62.1 (#1855) (b6ce498)

Cloud Monitoring

When viewing a chart, you can now open a flyout that displays the chart and related log entries. To explore your metric and log data in more detail, you can then use the toolbars and menus in the flyout. To learn more, see the following:

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/storage

7.17.1 (2025-08-27)

Bug Fixes
  • Respect useAuthWithCustomEndpoint flag for resumable uploads (#2637) (707b4f2)

Java

Changes for google-cloud-storage

2.57.0 (2025-09-09)

Features
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.1 (0e348db)
  • Update BlobAppendableUpload implementation to periodically flush for large writes (#3278) (d0ffe18)
  • Update otel integration to properly activate span context for lazy RPCs such as reads & writes pt.2 (#3277) (3240f67)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#3280) (d046ea3)
  • Update googleapis/sdk-platform-java action to v2.62.1 (#3281) (c9078bb)

Cluster Toolkit

Cluster Toolkit release version v1.66.0 is available. This release enables Cloud Storage FUSE for H4D machine types and sets the default cluster availability to zonal, as well as other minor changes. For more information about this release, see the Release Announcement on GitHub.

Compute Engine

Generally available: You can decrease a Compute Engine instance shutdown time by skipping the guest OS shutdown. This action speeds up an instance stop or deletion operation to release resources and quota faster. However, as abrupt guest OS shutdowns may cause data loss or corrupt file system data, we recommend that you skip a guest OS shutdown only when you delete instances, or when you stop instances whose boot disks you don't plan to reuse. For more information, see Decrease Compute Engine instances shutdown time.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.149-debian10, 2.0.149-ubuntu18, 2.0.149-rocky8
  • 2.1.98-debian11, 2.1.98-ubuntu20, 2.1.98-ubuntu20-arm, 2.1.98-rocky8
  • 2.2.66-debian12, 2.2.66-ubuntu22, 2.2.66-ubuntu22-arm, 2.2.66-rocky9
  • 2.3.13-debian12, 2.3.13-ubuntu22, 2.3.13-ubuntu22-arm, 2.3.13-ml-ubuntu22, 2.3.13-rocky9

Firestore in Datastore mode

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-datastore

2.32.0 (2025-09-12)

Features
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#1963) (833a34a)

Gemini Enterprise

Google Agentspace and Google NotebookLM Enterprise: Model Armor

Model Armor helps proactively screen prompts and responses within Agentspace apps and NotebookLM Enterprise instances. For more information on how administrators can enable this feature, see:

Google Agentspace: Real-time sync (Public preview)

Real-time sync uses webhooks to receive notifications when data is created, updated, and deleted in a third-party data source. Notifications typically arrive within minutes of the event. The following data stores support real-time sync:

Support for real-time sync for these data stores is in Public preview.

Generative AI on Vertex AI

Imagen

We improved Imagen's virtual try-on model, virtual-try-on-preview-08-04, so that it is better at preserving the person's body shape and preserving the garment product's identity.

Google Cloud VMware Engine

VMware Engine ve2 nodes are now available in the following additional region and zone:

  • The Milan, Italy, Europe region (europe-west8-a).
  • The Melbourne, Australia (australia-southeast2-b) zone in the Melbourne, Australia region (australia-southeast2).

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.31.900-gke.38 is now available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.31.900-gke.38 runs on Kubernetes v1.31.12-gke.200.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following issues were fixed in 1.31.900-gke.38:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.31.900-gke.38 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.31.900-gke.38 runs on Kubernetes v1.31.10-gke.300.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The following issues were fixed in 1.31.900-gke.38:

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Distributed Cloud connected

This is a minor release of Google Distributed Cloud connected (version 1.11.0). Google Distributed Cloud software updates roll out gradually across regions. The latest version might not be immediately available on your Google Distributed Cloud connected deployment.

The following new functionality has been introduced in this release of Google Distributed Cloud connected:

  • Backup for VM workloads on GDC connected servers. You can now back up and restore virtual machine workloads on your Google Distributed Cloud connected servers deployment, including scheduling. For more information, see Back up a virtual machine.

  • Configurable runtime class for container workloads. As part of gVisor integration in Google Distributed Cloud connected, you can now specify the default runtime class for container workloads at both Pod and cluster level. Cluster-level runtime class selection is a preview-level feature. For more information, see Configure the runtime class for a Pod.

  • Island mode networking. Google Distributed Cloud connected now supports island mode networking on secondary network interfaces. For more information, see (Optional) Configure island mode.

  • AppArmor sandboxing audit logs for VM workloads. Google Distributed Cloud connected now lets you enable audit logs for virtual machine workloads sandboxed using AppArmor policies. To enable audit log emission on an existing virtual machine workload, restart the corresponding virtual machine. For more information, see View AppArmor sandboxing audit logs.

  • CoreDNS resolution for secondary networks. Google Distributed Cloud connected now supports specifying a CIDR block for use with secondary networks at both Pod and cluster level. This allows for CoreDNS resolution on secondary network interfaces. For more information, see Network resource.

  • Access clusters through Connect Gateway. You can now access your Google Distributed Cloud connected clusters through Connect Gateway. For more information, see Obtain cluster credentials through Connect Gateway.

  • VNC support for accessing VM workloads through Connect Gateway. You can now use VNC to access your virtual machine workloads through Connect Gateway.

Security mitigations for the following vulnerabilities have been implemented in this release of Google Distributed Cloud connected:

  • OS layer security mitigations: CVE-2025-31498, CVE-2024-48615, CVE-2016-1585.

  • GDC software-only security mitigations: All mitigations listed in the GDC software-only release notes up to version 1.32.100 (inclusive).

The following Google Distributed Cloud connected components have been updated:

  • GDC software-only has been updated to version 1.32.100. (This component was formerly known as GKE on Bare Metal and as Anthos Clusters on Bare Metal.)

  • Kubernetes has been updated to version 1.32.4-gke.200.

The following issues have been resolved in this release of Google Distributed Cloud connected:

  • Machines no longer experience intermittent connectivity loss. Google Distributed Cloud connected machines no longer experience intermittent connectivity loss; the underlying rare condition that can occur with fleet credential management has been resolved.

  • VNC sessions through Connect Gateway are now more resilient. The stability of VNC sessions to virtual machine workloads through Connect Gateway has been improved.

This release of Google Distributed Cloud connected contains the following known issues:

  • The gvisor runtime class is incompatible with Symcloud Storage persistent volumes in block mode. If you set a workload that uses Symcloud Storage persistent volumes in block mode to use the gvisor runtime class, the workload fails. Symcloud Storage persistent volumes in filesystem mode are not affected.

  • Cilium does not differentiate between TCP and UDP protocols. Cilium does not differentiate between TCP and UDP protocols for services that use both protocols on the same port number and routes traffic for both protocols to the same backend pods. This can render such services non-functional. To work around this issue, use a different port for each protocol.

  • Overlapping the Pod and cluster CIDR blocks for secondary networks causes network failure. If you specify overlapping CIDR blocks for Pods and clusters using the annotations.networking.gke.io/gdce-pod-cidr and annotations.networking.gke.io/gke-gateway-clusterip-cidr annotations in the Network resource, the Google Distributed Cloud connected virtual networking subsystem might behave erratically, including loss of connectivity. Follow the guidelines in (Optional) Configure island mode to prevent this issue.

  • The anthos-multinet container might take up to two hours to fully start. You might intermittently experience a slower than normal startup for the anthos-multinet container (up to two hours). To remedy this issue, contact Google Support.

Google SecOps SIEM

Release 6.3.60 is now available for all regions.

Google SecOps SOAR

Release 6.3.60 is now available for all regions.

Model Armor

Oracle Database@Google Cloud

Oracle Database@Google Cloud supports Oracle Base Database Service, which lets you create DB systems through Google Cloud Console and Google Cloud API. This feature is generally available (GA).

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-pubsub

1.141.4 (2025-09-11)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.62.1 (ac08d5f)
Dependencies
  • Update actions/checkout action to v5 (#2531) (f687f11)
  • Update actions/setup-java action to v5 (#2535) (2ed87d2)
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.54.2 (#2538) (10a8283)
  • Update dependency com.google.cloud:google-cloud-storage to v2.56.0 (#2536) (80d9ca1)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.1 (#2544) (9fe7550)
  • Update googleapis/sdk-platform-java action to v2.62.1 (#2545) (17f28ef)

Retail API

Vertex AI Search for commerce: Additional languages added to search (GA)

Additional languages, including Urdu and Serbian (Cyrillic), are supported in Vertex AI Search for commerce.

For a list of the languages supported, see Supported world languages.

Security Command Center

The Findings page in Security Command Center has been improved.

  • With Security Command Center Premium and Enterprise, the page includes the following predefined filter views that return a specific category of findings.

    • Premium service tier: All Findings, Vulnerabilities, Identity, and Threats.
    • Enterprise service tier: All Findings, Vulnerabilities, Identity, Data, and Code.
  • With Security Command Center Enterprise, the page includes a selector to filter by cloud provider: Google Cloud, Amazon Web Services (AWS), and Microsoft Azure.

For more information, see Review and manage findings.

Service Extensions

To protect AI workloads, you can configure traffic extensions to call the Model Armor service on supported Application Load Balancers. This feature is in General Availability.

Text-to-Speech

Chirp 3: HD voices is available on the asia-northeast1 endpoint. For more information, see Chirp 3: HD voices.

Vertex AI

Vector Search indexes optimized for storage (Preview)

Storage-optimized Vector Search offers a cost-effective solution for searching massive datasets. This new tier is ideal for large-scale RAG and semantic search applications, and simplifies development with a new auto-tuning feature that eliminates the need to manage the underlying index configuration. This feature is available in Preview.

For more information, see Storage-optimized Vector Search.

reCAPTCHA

reCAPTCHA Mobile SDK 18.8.0 is available for iOS. This version contains the following changes:

September 14, 2025

Apigee UI

On September 14, 2025, we released an updated version of the Apigee UI.

Added icon to proxy and sharedflow editor to mark unused policies

If a policy has yet to be attached to any flow in the configuration, an icon now displays next to that policy in the Proxy Editor side navigation to signify that the policy is currently unused in the proxy or sharedflow.

September 12, 2025

Apigee APIM Operator

On September 12, 2025, we released an updated version of Apigee (1-16-0-apigee-2).

| Bug ID | Description |
|---|---|
| N/A | Security fix for apigee-runtime. |

Apigee X

On September 12, 2025, we released an updated version of Apigee (1-16-0-apigee-2).

| Bug ID | Description |
|---|---|
| N/A | Security fix for apigee-runtime. |

Carbon Footprint

We have corrected an issue affecting the market-based Scope 2 emissions for the europe-west2 (London) region in the July 2025 Carbon Footprint data.

In the July 2025 methodology update, renewable energy coverage was misapplied to the Scope 2 market-based emissions in the europe-west2 (London) region. This resulted in non-zero Scope 2 market-based emissions for europe-west2. This inconsistency arose from evolving RE100 market-boundary guidance following Brexit. While RE100 guidance excludes the UK from the EU market-boundary post-Brexit, it allows for the use of previously purchased EU energy attribute certificates (EACs) with sufficiently close vintages to be applied against UK consumption in 2024. Google's application of these EACs to UK consumption results in zero Scope 2 market-based emissions in the europe-west2 (London) region.

We have corrected our data to align with the RE100 market boundaries guidance and our corporate environmental reporting of matched renewable energy. Scope 2 market-based emissions for europe-west2 are now correctly reported as zero for July 2025, using 2024 renewable energy coverage consistent with Google's environmental report.

  • To correct your historical data, please run a backfill for July 2025 in your carbon footprint export. Due to a half-month lag in our data release, you will need to backfill the data for August 15, 2025, which will then update the July 2025 data in your BigQuery table.

Data for August 2025, available on September 15, 2025, will automatically reflect this correction. Data for all previous periods remains unaffected.

Cloud Healthcare API

  • Accept-Encoding compression headers on DICOM frame requests that contain uncompressed pixel data (as defined by the DICOM transfer syntax) are now supported and can return compressed results.

Note: For very large downlinks and very large files where downlink vastly outpaces compression speed, latency may slightly increase. Compression can be disabled by not including the header in these cases.

Cloud Load Balancing

The global and classic external Application Load Balancers implemented on Google Front-Ends (GFEs) now support HTTP/1.0 explicitly as a protocol during ALPN (Application-Layer Protocol Negotiation) negotiation.

Previously, when the GFEs didn't support HTTP/1.0 explicitly, the GFE would return an SSL_TLSEXT_ERR_NOACK response, disable ALPN, and fall back to using HTTP/1 (which includes HTTP/1.0 and HTTP/1.1) as the default application protocol. After this change, GFEs will instead return HTTP/1.0, which provides clients with positive confirmation that their advertised HTTP/1.0 was accepted.

You are not expected to make any changes with this update. If a TLS handshake with HTTP/1.0 is unsuccessful, please contact support.

Cloud SQL for PostgreSQL

If a specific active query is blocked or running much longer than expected, it can block other dependent queries. Cloud SQL for PostgreSQL offers an optional feature that lets you terminate specific long-running or blocked active queries.

For more information, see Blocked active queries (Preview).

Compute Engine

Preview: H4D VMs, designed for high performance computing (HPC) workloads, are now in preview. Based on 5th generation AMD EPYC Turin with Cloud RDMA 200 Gbps networking, H4D VMs offer 192 cores (SMT disabled), up to 1,488 GB of memory, and 3,750 GiB of Local SSD. H4D is optimized for tightly-coupled applications that scale across multiple nodes and offers RDMA-enabled 200 Gbps networking.

For more information, see H4D machine series.

Identity and Access Management

IAM offers predefined roles that are tailored to specific job functions. These roles cover all of the permissions that a user might need to perform their job. This feature is generally available.

For more information, see Predefined roles for job functions.

Permission errors in the Google Cloud console contain actionable steps for remediation. For more information, see Troubleshoot permission error messages.

Security Command Center

Security Command Center has improved the automatic selection of resources when running attack path simulations using the default high-value resource set.

Risk Engine uses heuristics to identify resources used for non-production purposes. To help ensure that you have information about the most important assets, Risk Engine calculates the attack exposure score for all other resources in the default high-value resource set before calculating the attack exposure score for these non-production resources.

To customize the high-value resource set, see Define and manage your high-value resource set. For information about Risk Engine, see Attack exposure scores and attack paths.

Security Command Center changed how Google Cloud subnets are handled when running attack path simulations. The result is that attack paths are more accurate in relation to networking. Certain customers with specific Google Cloud subnet configurations, for example, when a VPC connector accesses a subnetwork, may see significant changes to toxic combinations, chokepoints, and attack exposure scores.

Virtual Private Cloud

You can create a VPC network that supports RDMA over Falcon transport, which lets you run AI and high performance computing (HPC) workloads on VM instances that have the IRDMA network interface type in Google Cloud, such as H4D instances. This feature is available in Preview. For more information, see RDMA network profiles.

September 11, 2025

AlloyDB for PostgreSQL

AlloyDB supports C4A Arm VMs on Google's custom-built Axion processors. C4A VMs are available as predefined configurations from 1, 4, 8, 16, 32, 48, 64, and 72 vCPUs, up to 576 GB of DDR5 memory. C4A machines are available in limited regions. For more information, see Considerations when using the C4A Axion-based machine series. This feature is generally available (GA).

Apigee API hub

API hub navigation update

The API hub section is now moved to the top level of the Apigee left navigation menu. This change improves discoverability and access to the API hub features.

Updated Go client library. For more information, see apihub: v0.2.0.

Apigee APIM Operator

API hub navigation update

The API hub section is now moved to the top level of the Apigee left navigation menu. This change improves discoverability and access to the API hub features.

Apigee X

API hub navigation update

The API hub section is now moved to the top level of the Apigee left navigation menu. This change improves discoverability and access to the API hub features.

Assured Open Source Software

Assured Open Source Software (Assured OSS) now supports Go packages. For more information, see Download Go packages using direct repository access for the free tier.

BigQuery

Use the BigQuery migration assessment for Informatica to assess the complexity of migrating data from your Informatica platform to BigQuery. This feature is in Preview.

Gemini now recommends natural language prompts for you in the SQL generation tool. This feature is in Preview.

When you use the Data Science Agent in BigQuery, you can now use the Apache Spark or PySpark keywords in your prompt. The Data Science Agent is in Preview.

Cloud Composer

New images are available in Cloud Composer 2:

Fixed an issue where values of Airflow configuration options were evaluated before being set. As a result, the actual value was set to the evaluated result.

Fixed Airflow logs not exporting to Cloud Logging because of a GKE version mismatch between Airflow worker and GKE Control plane nodes.

Dataproc

New Serverless for Apache Spark runtime versions:

  • 1.2.61
  • 2.2.61
  • 2.3.12
  • 3.0.0-RC4

Gemini Enterprise

Google Agentspace: Interface updates

  • The LLM model selector has moved from the search bar to directly below the product logo in the top-left corner.
  • The web grounding tool and source have been renamed Google Search and Enterprise web search, depending on the type of web grounding configured.
  • The Sources button in the search bar has been renamed Data.
  • The Data menu (formerly Sources) now shows which sources are selected.

Google Cloud Architecture Center

(New guide) RAG infrastructure for generative AI using Google Agentspace and Vertex AI: Design infrastructure for a generative AI application with retrieval-augmented generation (RAG) using Google Agentspace and Vertex AI.

Google Cloud VMware Engine

You can now use Privileged Access Manager (PAM) to accelerate the deletion of "soft deleted" private clouds. For more information, see the documentation on how to delete a private cloud.

Google Kubernetes Engine

The accelerator-optimized A4X VM, an exascale platform based on NVIDIA GB200 NVL72, is now Generally Available on GKE. A4X is the first GPU VM to run on Arm with the NVIDIA GB200 Grace Blackwell Superchips. You can use A4X to run your large artificial intelligence (AI) models, machine learning (ML), and high performance computing (HPC) workloads.

The A4X machine type is available as a4x-highgpu-4g in the us-central1-a zone with the following GKE versions:

  • For GKE Standard 1.32, use 1.32.8-gke.1108000 or later.
  • For GKE Autopilot 1.33, use 1.33.4-gke.1036000 or later.

To create GKE clusters with A4X, see the following instructions:

GKE now provisions fast-starting nodes, which have significantly lower startup time, in Autopilot mode for G2 nodes with NVIDIA L4 GPUs. Fast-starting nodes are in Public Preview for clusters in the Rapid channel, and are available on a best-effort basis when workloads use compatible configurations. For more information, see About quicker workload startup with fast-starting nodes.

(2025-R38) Version updates

  • Version 1.33.4-gke.1036000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2547000
    • 1.28.15-gke.2610000
    • 1.29.15-gke.1756000
    • 1.29.15-gke.1835000
    • 1.30.14-gke.1036000
    • 1.31.12-gke.1014000
    • 1.32.7-gke.1079000
    • 1.33.3-gke.1136000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2564000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2564000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1773000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1036000 with this release.

(2025-R38) Version updates

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1059000
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1014000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.12-gke.1060000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1172000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.12-gke.1060000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

(2025-R38) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • Version 1.33.4-gke.1172000 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1059000
    • 1.30.14-gke.1108000
    • 1.31.12-gke.1014000
    • 1.32.8-gke.1026000
    • 1.33.4-gke.1036000
    • 1.33.4-gke.1134000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.12-gke.1060000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1172000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1130000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.12-gke.1060000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.8-gke.1108000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1172000 with this release.

Regular channel

  • Version 1.33.4-gke.1036000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1036000
    • 1.31.12-gke.1014000
    • 1.32.7-gke.1079000
    • 1.33.3-gke.1136000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.33.4-gke.1036000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.4-gke.1036000 with this release.

Stable channel

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.12-gke.1414000
    • 1.32.7-gke.1016000
    • 1.33.2-gke.1043000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.14-gke.1011000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.14-gke.1011000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.33 to version 1.33.3-gke.1136000 with this release.

Extended channel

  • Version 1.33.4-gke.1036000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2547000
    • 1.28.15-gke.2610000
    • 1.29.15-gke.1756000
    • 1.29.15-gke.1835000
    • 1.30.14-gke.1036000
    • 1.31.12-gke.1014000
    • 1.32.7-gke.1079000
    • 1.33.3-gke.1136000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2564000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2564000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1773000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.4-gke.1036000 with this release.

No channel

Google SecOps

SecOps Labs

This feature is in preview.

You can now configure and run Google SecOps Gemini and other intelligence experiments without disrupting your existing production systems—and benefit from their output. The experiments comply with the Role-Based Access Control (RBAC) configuration of your environment, and they have streamlined configurations with clear actionable results and output.

For details, see Use Gemini and other experiments in Google SecOps.

Google SecOps SIEM

SecOps Labs

This feature is in preview.

You can now configure and run Google SecOps Gemini and other intelligence experiments without disrupting your existing production systems—and benefit from their output. The experiments comply with the Role-Based Access Control (RBAC) configuration of your environment, and they have streamlined configurations with clear actionable results and output.

For details, see Use Gemini and other experiments in Google SecOps.

Looker Studio

Looker Studio Explorer (beta) feature deprecation

The Looker Studio Explorer (beta) feature is being deprecated and will no longer be available.

NO ACTION is required. Existing explorations that were created with the Explorer will be converted to reports automatically.

Learn more about the deprecation timeline and details.

Hyperlinks and images are disabled for data sources that use Viewer's Credentials

When you enable Viewer's Credentials for a data source, Looker Studio won't render hyperlinks or images in dimensions from that data source.

This limitation does not apply if the report creator and the viewer are members of the same team workspace.

Treemap chart improvements

Improvements to Treemap charts include the following:

[Pro feature] Number of scheduled reports increased to 200

You can create a maximum of 200 schedules per Looker Studio Pro report.

Partner connection launch update

The following partner connectors have been added to the Looker Studio Connector Gallery:

Organization Policy

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Live Stream API resources. For more information, see Use custom constraints.

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Live Stream API resources. For more information, see Use custom constraints.

Security Command Center

Assured Open Source Software (Assured OSS) now supports Go packages. For more information, see Download Go packages using direct repository access.

September 10, 2025

AI Hypercomputer

Generally available: The accelerator-optimized A4X machine type, the first GPU VM to run on Arm, is available on AI Hypercomputer. The A4X machine series has the NVIDIA GB200 Grace Blackwell Superchips attached and runs on the NVIDIA GB200 NVL72 platform. Use this machine type to run your large artificial intelligence (AI) models and machine learning (ML) workloads. The A4X machine type is currently available in the us-central1-a zone.

Generally available: You can receive a notification when maintenance for an A4X reservation sub-block is scheduled, starts, or is completed. Additionally, you can now view and trigger maintenance for an A4X reservation sub-block. These features give you more control over maintenance for your A4X reservations, helping you minimize downtimes for your workloads. For more information, see Manage host events across reservations.

You can receive at least seven days of advance notice for unplanned hardware maintenance for a reservation. This feature helps you more proactively control disruptions to your workloads when unplanned maintenance is scheduled after a host error or faulty host report. For more information, see Manage hardware emergency maintenance notifications.

Generally available: You can use the following Cloud Monitoring metrics to monitor your A4X VMs, and help you identify and troubleshoot issues with your GPUs:

  • NVLink runtime error
  • Uncorrectable DRAM ECC errors
  • Uncorrectable DRAM row remapping count
  • Uncorrectable DRAM row remapping failed
  • Uncorrectable PCIe errors
  • Uncorrectable cache ECC errors

For more information, see Monitor VMs and Slurm clusters.

Generally available: You can view and manage the topology of your A4X reservations, including sub-blocks. This feature helps you better understand the topology of the VMs in your workload to further minimize network latency, as well as understand the health of your reservation blocks or sub-blocks. For more information, see View reserved capacity.

Generally available: When you reserve capacity for creating VMs, you can specify the reservation operational mode for your reserved capacity. A reservation operational mode defines how your VMs behave after a host error or faulty host report, and it determines your level of visibility and control over the reservation's infrastructure. For more information, see Reservation operational mode.

Generally available: When you reserve capacity for creating VMs, you can specify a maintenance scheduling type for your reservations. This feature helps you minimize downtimes by letting you specify whether you want to group VMs and have synchronized maintenance scheduling (grouped), or loosely couple VMs and have independent maintenance scheduling (independent). For more information, see Maintenance scheduling types.

Access Approval

Access Approval supports Chrome Enterprise Premium secure gateway in the GA stage.

Access Transparency

Access Transparency supports Chrome Enterprise Premium secure gateway in the GA stage.

BigQuery

Cloud Run

You can deploy and configure a multi-region service from a single gcloud CLI command or by using a YAML or Terraform file (GA).

Cloud Service Mesh

1.26.4-asm.1 in-cluster Cloud Service Mesh already includes the fixes for these CVEs.

1.25.4-asm.0 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.4 subject to the list of supported features. Cloud Service Mesh version 1.25.4-asm.0 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

1.24.6-asm.12 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.12 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.6 subject to the list of supported features. Cloud Service Mesh version 1.24.6-asm.12 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

These patches address the following CVEs:

| CVE | Proxy | Control Plane | CNI | Distroless |
|---|---|---|---|---|
| CVE-2025-32990 | Yes | Yes | Yes | - |
| CVE-2025-32988 | Yes | Yes | Yes | - |
| CVE-2025-40909 | Yes | Yes | Yes | - |
| CVE-2025-32989 | Yes | Yes | Yes | - |
| CVE-2025-47268 | Yes | Yes | Yes | - |
| CVE-2025-5702 | Yes | Yes | Yes | - |
| CVE-2025-6395 | Yes | Yes | Yes | - |
| CVE-2025-48964 | Yes | Yes | Yes | - |

Cloud Storage

Cloud Storage FUSE now supports buffered reads, which can improve sequential read performance for large files by two to five times. When enabled, Cloud Storage FUSE asynchronously prefetches parts of a file into an in-memory buffer, allowing subsequent reads to be served from the buffer instead of requiring network calls.

To learn more about buffered reads, see Enable buffered reads.

Compute Engine

Generally available: The accelerator-optimized A4X machine type, the first GPU VM to run on Arm, is available on Compute Engine. The A4X machine series has the NVIDIA GB200 Grace Blackwell Superchips attached and runs on the NVIDIA GB200 NVL72 platform. Use this machine type to run your large artificial intelligence (AI) models, machine learning (ML), and high performance computing (HPC) workloads. The A4X machine type is currently available in the us-central1-a zone.

Document AI

Custom Extractor version pretrained-foundation-model-v1.4-2025-02-05 will no longer be accessible on February 5, 2026.

To avoid service disruptions, migrate to a later version such as pretrained-foundation-model-v1.5-2025-05-05 or pretrained-foundation-model-v1.5-pro-2025-06-20. To learn more about the migration process, refer to our Manage processor versions documentation.

Generative AI on Vertex AI

Vertex AI Agent Engine

Agent Engine now supports the following features:

  • Agent Engine Code Execution, now in Preview, lets your agent run code in an isolated sandbox environment. For more information, see Code Execution.

  • You can now develop, deploy, and use agents that support the Agent-to-Agent (A2A) protocol on Agent Engine. For more information, see Develop an Agent2Agent agent.

  • Agent Engine now supports bidirectional streaming. For more information, see Bidirectional streaming.

  • The Agent Engine page in the Cloud Console UI now has a new Memory Bank tab for displaying and managing memories.

Vertex AI Agent Engine

In version v1.112.0 of the Vertex AI SDK for Python, the agent_engines module has been refactored to a client-based design. For information about updating your existing code to the new design, see the Migration guide.

Google SecOps

View data retention start date

You can now view the start date for your account's data retention period. A new, read-only page, Data Retention, is available under SIEM Settings. This page also shows the start date for your Google SecOps account's data retention period.

For more information, see View data retention in your Google SecOps account.

Google SecOps SIEM

View data retention start date

You can now view the start date for your account's data retention period. A new, read-only page, Data Retention, is available under SIEM Settings. This page also shows the start date for your Google SecOps account's data retention period.

For more information, see View data retention in your Google SecOps account.

Looker

Looker 25.16 is expected to include the following changes, features, and fixes:

  • Expected Looker (original) deployment start: Monday, September 15, 2025

  • Expected Looker (original) final deployment and download available: Thursday, September 25, 2025

  • Expected Looker (Google Cloud core) deployment start: Monday, September 15, 2025

  • Expected Looker (Google Cloud core) final deployment: Monday, September 29, 2025

Looker no longer supports connections to Firebolt.

The Looker-Excel Connector is now generally available. When your Looker admin enables the Looker-Excel Connector on the BI Connections admin page, Looker Explores display the Open in Excel option in the Explore gear menu. This option downloads the Explore results to a Windows PC in a format that Microsoft Excel recognizes.

The Looker–Power BI Connector is now supported for customer-hosted Looker instances and for Looker (Google Cloud core) instances that use private connections. Note: This item was added on September 19, 2025.

The Looker–Tableau BI Connector is now supported for customer-hosted Looker instances and for Looker (Google Cloud core) instances that use private connections. Note: This item was added on September 19, 2025.

Suggest queries now respect the concurrency limit in the connection configuration.

The Spanner JDBC Driver has been updated to version 2.32.1. This driver is used for connections to Google Spanner.

An issue has been fixed where changing the size of a visualization could cause the visualization to flicker. This feature now performs as expected.

An issue has been fixed where users could enter color codes that were longer than six characters when they were updating custom color collections. This feature now performs as expected.

An issue has been fixed where Explore drill links would not open correctly if cookieless embed was enabled. This feature now performs as expected.

An issue has been fixed where generating a view inside a folder could fail if the folder's name contained special characters. This feature now performs as expected.

An issue has been fixed where generating an embed URL from a LookML dashboard could fail with the following error: 'models' param cannot be converted to an array of String. This feature now performs as expected.

An issue has been fixed where loading JavaScript files for custom visualizations could take more than one second. This feature now performs as expected.

An issue has been fixed where non-admin users were unable to select a project when they added a connection. This feature now performs as expected.

An issue has been fixed where scheduled deliveries could fail with the following error message: Async delivery failed due to errors Internal server error. [Google Cloud Storage] undefined. This feature now performs as expected.

An issue has been fixed where subtotal rows could fail to appear in downloaded result sets. This feature now performs as expected.

An issue has been fixed where the OAuth client secret could not be updated in the Connections page. This feature now performs as expected.

An issue has been fixed where total references and row total references in table calculations could return the following error if there was no data: Field either does not exist in the current query or is a measure. This feature now performs as expected.

An issue has been fixed where updating a Spanner connection could fail to save changes. This feature now performs as expected.

An issue has been fixed where users with only the embed_browse_spaces permission could be incorrectly classified as Standard users instead of Viewer users. This feature now performs as expected.

An issue has been fixed where using the matches_filter function in custom filters could return an error. This feature now performs as expected.

An issue has been fixed where visualizations could render twice when they were first loaded on an Explore or a dashboard. This feature now performs as expected.

The Athena JDBC driver version has been downgraded from 2.2.1 to 2.1.5 to fix an issue with result set streaming. This feature now performs as expected. The Athena JDBC driver is used for connections to Amazon Athena.

Dashboards that are not configured to run on load no longer show past query results when you revisit the dashboard in the same browser session. You must click the Load button to run the queries again.

An issue has been fixed where the Collapse subtotal toggle on table visualizations was unresponsive. This feature now performs as expected.

An issue has been fixed where updating a customer-hosted instance could fail with the following error message: Data import is in progress and some features will not be available. This feature now performs as expected.

An issue has been fixed where SQL Runner could fail to return new results after running a second query. This feature now performs as expected.

Looker 25.16 contains the following accessibility improvements:

  • Improved keyboard navigation for embed folders.

  • Added ARIA labels to filter drop-down menu items.

  • Added ARIA labels to schedule options.

  • Added focus rings to navigation links.

  • Improved VoiceOver support for filter navigation.

  • Added the ability for users to close modals by using the Esc key. Users will be prevented from closing modals this way if there are unsaved changes in the modal.

When you upload a p12 file to a database connection, Looker now checks that it is a valid file before completing the upload.

An issue has been fixed where adding multiple filters to the same field could cause filter conditions to overwrite each other. This feature now performs as expected.

The Full Screen Visualizations Labs feature is now generally available. You can turn it on and off on the Admin - General page.

A new Labs feature, Favoriting LookML Dashboards, lets users mark LookML dashboards as favorites so that the dashboards appear on the Looker Favorites tab.

An issue has been fixed where updating the Host URL in the Admin - Settings page could fail to be saved. This feature now performs as expected.

An issue has been fixed where visualization templates could be edited by API users without the need for the explore permission.

Looker (Google Cloud core) 90-day trial instances are now available.

The Full Screen Visualizations feature is now generally available. You can turn it on and off on the Admin - General page.

Oracle Database@Google Cloud

For Autonomous Database Service, Oracle Database@Google Cloud supports region northamerica-northeast1 (Montréal, Québec, Canada, North America).

For a full list of supported locations, see Regional availability.

Resource Manager

Designate project environments with tags: You can now use tags to visually distinguish projects based on their environment—such as production, staging, or development—directly within the Google Cloud console. This new visual indicator helps prevent errors and improves awareness when you're working in sensitive environments. For information, see Designate project environments with tags.

Secure Source Manager

Security Command Center

Vertex AI

Vertex AI Agent Engine

Agent Engine now supports the following features:

  • Agent Engine Code Execution, now in Preview, lets your agent run code in an isolated sandbox environment. For more information, see Code Execution.

  • You can now develop, deploy, and use agents that support the Agent-to-Agent (A2A) protocol on Agent Engine. For more information, see Develop an Agent2Agent agent.

  • Agent Engine now supports bidirectional streaming. For more information, see Bidirectional streaming.

  • The Vertex AI Agent Engine page in the Google Cloud console has a Memory Bank tab for displaying and managing memories.

Vertex AI Agent Engine

In version v1.112.0 of the Vertex AI SDK for Python, the agent_engines module has been refactored to a client-based design. For information about updating your existing code to the new design, see the Migration guide.

September 09, 2025

Agent Assist

Agent Assist offers summarization automatic evaluation in preview. This feature evaluates the quality of AI-generated summaries based on the following three metrics:

  • Accuracy
  • Completeness
  • Adherence

Apigee APIM Operator

On September 9, 2025, we released an updated version of Apigee (1-16-0-apigee-1).

| Bug ID | Description |
|---|---|
| N/A | Updates to security infrastructure and libraries. |

Apigee X

On September 9, 2025, we released an updated version of Apigee (1-16-0-apigee-1).

| Bug ID | Description |
|---|---|
| N/A | Updates to security infrastructure and libraries. |

BigQuery

The batch and interactive translators now cache your metadata, which can improve latency when you run a SQL translation. This feature is generally available (GA).

You can now perform supervised tuning on a BigQuery ML remote model based on a Vertex AI gemini-2.5-pro or gemini-2.5-flash-lite model.

You can configure reusable, default Cloud resource connections in a project. Default connections are generally available (GA).

Cloud Data Fusion

The Salesforce plugin version 1.7.0 is available in Cloud Data Fusion version 6.8.0 and later. This release includes the following change:

  • Upgrade of Salesforce Bulk API V1 version from 62.0 to 64.0 (PLUGIN-1926).

Salesforce has deprecated certain fields in API version 64.0. Upgrading to Salesforce plugin version 1.7.0 might cause pipelines that use these fields to fail. To ensure your pipelines continue to work, you must manually update your pipeline schema to either load a new schema or remove the deprecated fields. For more information, see Prerequisites for upgrading to Salesforce plugin version 1.7.0.

Cloud SQL for PostgreSQL

The rollout of the following extension versions is complete:

Extensions and plugins

  • pg_ivm is upgraded from 1.9 to 1.11.
  • pg_background is upgraded from 1.2 to 1.3.
  • google_ml_integration is upgraded from 1.4.2 to 1.4.3.

To use these versions of the extensions, update your instance to [PostgreSQL version].R20250727.00_14. If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.

For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Cloud Service Mesh

The managed Cloud Service Mesh rollouts previously announced address the following vulnerabilities. While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

1.21.5-asm.55

| Name | Envoy Proxy | Envoy Proxy distroless | Control plane |
|---|---|---|---|
| CVE-2025-32462 | Yes | - | - |
| CVE-2025-4877 | Yes | - | - |
| CVE-2025-3576 | Yes | - | - |
| CVE-2025-4802 | Yes | - | - |
| CVE-2025-4878 | Yes | - | - |
| CVE-2025-5318 | Yes | - | - |
| CVE-2025-6020 | Yes | - | - |
| CVE-2025-46836 | Yes | - | - |
| CVE-2025-4598 | Yes | - | - |
| CVE-2024-56406 | Yes | - | - |
| CVE-2025-30258 | Yes | - | - |
| CVE-2025-5372 | Yes | - | - |
| CVE-2025-1372 | Yes | - | - |
| CVE-2025-1377 | Yes | - | - |
| CVE-2023-4039 | - | Yes | - |

1.20.8-asm.48

| Name | Envoy Proxy | Envoy Proxy distroless | Control plane |
|---|---|---|---|
| CVE-2025-32462 | Yes | - | - |
| CVE-2025-4877 | Yes | - | - |
| CVE-2025-3576 | Yes | - | - |
| CVE-2025-4802 | Yes | - | - |
| CVE-2025-4878 | Yes | - | - |
| CVE-2025-5318 | Yes | - | - |
| CVE-2025-6020 | Yes | - | - |
| CVE-2025-46836 | Yes | - | - |
| CVE-2025-4598 | Yes | - | - |
| CVE-2024-56406 | Yes | - | - |
| CVE-2025-30258 | Yes | - | - |
| CVE-2025-5372 | Yes | - | - |
| CVE-2025-1372 | Yes | - | - |
| CVE-2025-1377 | Yes | - | - |

1.19.10-asm.48

| Name | Envoy Proxy | Envoy Proxy distroless | Control plane |
|---|---|---|---|
| CVE-2025-32462 | Yes | - | - |
| CVE-2025-22872 | Yes | Yes | Yes |
| CVE-2025-4877 | Yes | - | - |
| CVE-2025-3576 | Yes | - | - |
| CVE-2025-4802 | Yes | - | - |
| CVE-2025-4878 | Yes | - | - |
| CVE-2025-5318 | Yes | - | - |
| CVE-2025-6020 | Yes | - | - |
| CVE-2025-46836 | Yes | - | - |
| CVE-2025-4598 | Yes | - | - |
| CVE-2024-56406 | Yes | - | - |
| CVE-2025-30258 | Yes | - | - |
| CVE-2025-5372 | Yes | - | - |

Cluster Toolkit

Cluster Toolkit version v1.65.0 is available. This release includes expanded support for Managed Lustre on A4X instances and an improved GPU network wait solution for A-family machine types. This version also deprecates the use of Debian-based blueprints for A3 Mega GPUs. For a full list of changes, please refer to the release announcement on GitHub.

Compute Engine

Version 20250907.00 of the guest agent, which introduces the plugin-based architecture to Enterprise Linux 8 operating systems, is now available. For more information about the plugin-based architecture, see Guest agent.

With this version, the plugin-based guest agent is now also available for the following operating systems:

  • Red Hat Enterprise Linux (RHEL) 8
  • Rocky Linux 8
  • CentOS Stream 8
  • Oracle Linux 8
  • AlmaLinux 8

Version 20250907.00 includes the following fixes for issues found in guest agent version 20250901.00:

  • Corrects an issue in the OS Login module that was incorrectly handling optional runtime systemd dependencies and causing an error log.
  • Fixes a bug that could cause the metadata SSH key module to enter an infinite loop when setting up SSH keys. This occurred if an initial setup attempt failed and the metadata server returned the SSH keys in a different order on a subsequent retry.

Hyperdisk Balanced High Availability disks are available in all regions. Hyperdisk Balanced High Availability disks synchronously replicate disk data from one zone to another. Cross-zonal replication provides data protection in the unlikely event of a zonal outage. For more information, see About Hyperdisk Balanced High Availability.

Preview: Eight new organization policy constraints are available to help you enforce security best practices for Compute Engine virtual machine (VM) instances.

These managed constraints simplify governance for common security scenarios and integrate with safe rollout tools like dry-run and simulation, letting you test their impact before enforcement.

The new constraints are as follows:

  • compute.managed.disableNestedVirtualization
  • compute.managed.disableSerialPortAccess
  • compute.managed.disableSerialPortLogging
  • compute.managed.disallowGlobalDns
  • compute.managed.requireOsConfig
  • compute.managed.requireOsLogin
  • compute.managed.vmCanIpForward
  • compute.managed.vmExternalIpAccess

These constraints can evaluate metadata values at the VM instance, project, or zonal level. For more information about these managed constraints, see Managed Constraints in the Resource Manager documentation.

Config Controller

Config Controller now uses the following versions of its included products:

Data Transfer Essentials

General Availability release of Data Transfer Essentials.

Data Transfer Essentials offers a cost-effective option for data transfer in intra-enterprise applications, while adhering to regulatory requirements.

Document AI

Document AI supports two service tiers and associated quotas: provisioned and best effort tiers.

The base tier is the provisioned tier quota, which provides 120 pages per minute for the Gemini 2.0 and 2.5 Flash LLMs and 30 pages per minute for the Gemini 2.5 Pro LLM.

If you require more volume, the best effort tier quota provides 120 pages per minute for Gemini 2.0 and 2.5 Flash and 60 pages per minute for Gemini 2.5 Pro, and is only used once the provisioned quota has been exhausted. This applies to the quotas BestEffortOnlineProcessDocumentPagesPerMinutePerProjectUS and EU, and to best_effort_online_process_document_pages_us and eu in the console.

Best effort can get up to 240 pages per minute for custom data extractor models v1.4 and v1.5 with a quota increase request (QIR). You can make a QIR by contacting your sales team representative.

There is no service level agreement (SLA) for best effort tier.

Generative AI on Vertex AI

AI Singapore's SEA-LION V4 models are available through Model Garden. They are open models for Southeast Asian languages, built by leveraging Vertex Model Development Service for enhanced training efficiency and model accuracy.

EmbeddingGemma and DeepSeek-V3.1 models are available through Model Garden.

Google Cloud Managed Service for Apache Kafka

General availability: You can now use mutual TLS (mTLS) for certificate-based authentication with your Managed Service for Apache Kafka brokers. This feature is available for clusters created after June 24, 2025. For more information, see Authentication types for Kafka brokers.

Guest Environment

Version 20250907.00 of the guest agent, which introduces the plugin-based architecture to Enterprise Linux 8 operating systems, is now available. For more information about the plugin-based architecture, see Guest agent.

With this version, the plugin-based guest agent is now also available for the following operating systems:

  • Red Hat Enterprise Linux (RHEL) 8
  • Rocky Linux 8
  • CentOS Stream 8
  • Oracle Linux 8
  • AlmaLinux 8

Version 20250907.00 includes the following fixes for issues found in guest agent version 20250901.00:

  • Corrects an issue in the OS Login module that was incorrectly handling optional runtime systemd dependencies and causing an error log.
  • Fixes a bug that could cause the metadata SSH key module to enter an infinite loop when setting up SSH keys. This occurred if an initial setup attempt failed and the metadata server returned the SSH keys in a different order on a subsequent retry.

Organization Policy

Preview: Eight new organization policy constraints are available to help you enforce security best practices for Compute Engine virtual machine (VM) instances.

These managed constraints simplify governance for common security scenarios and integrate with safe rollout tools like dry-run and simulation, letting you test their impact before enforcement.

The new constraints are as follows:

  • compute.managed.disableNestedVirtualization
  • compute.managed.disableSerialPortAccess
  • compute.managed.disableSerialPortLogging
  • compute.managed.disallowGlobalDns
  • compute.managed.requireOsConfig
  • compute.managed.requireOsLogin
  • compute.managed.vmCanIpForward
  • compute.managed.vmExternalIpAccess

These constraints can evaluate metadata values at the VM instance, project, or zonal level. For more information about these managed constraints, see Managed Constraints in the Resource Manager documentation.

Resource Manager

Preview: Eight new organization policy constraints are available to help you enforce security best practices for Compute Engine virtual machine (VM) instances.

These managed constraints simplify governance for common security scenarios and integrate with safe rollout tools like dry-run and simulation, letting you test their impact before enforcement.

The new constraints are as follows:

  • compute.managed.disableNestedVirtualization
  • compute.managed.disableSerialPortAccess
  • compute.managed.disableSerialPortLogging
  • compute.managed.disallowGlobalDns
  • compute.managed.requireOsConfig
  • compute.managed.requireOsLogin
  • compute.managed.vmCanIpForward
  • compute.managed.vmExternalIpAccess

These constraints can evaluate metadata values at the VM instance, project, or zonal level. For more information about these managed constraints, see Managed Constraints in the Resource Manager documentation.

Vertex AI

EmbeddingGemma and DeepSeek-V3.1 models are available through Model Garden.

AI Singapore's SEA-LION V4 models are available through Model Garden. They are open models for Southeast Asian languages, built by leveraging Vertex AI Model Development Service for enhanced training efficiency and model accuracy.

September 08, 2025

Access Approval

Image streaming is generally available (GA).

Access Transparency

Image streaming is generally available (GA).

Apigee API hub

Enable and disable semantic search

You can now enable and disable semantic search from the API hub > Settings > Actions page in the Google Cloud console.

For more information, see Enable and disable semantic search.

Automatic discovery of OpenAPI Spec from Apigee proxy resources

API hub now automatically discovers and ingests valid OpenAPI specifications when they are included in an Apigee API proxy resource. This applies to all new and existing Apigee and Apigee hybrid runtime projects that are attached in API hub.

For more information, see Auto-discovery of OpenAPI specs from Apigee proxies.

Deprecation of Vertex AI Extensions in API hub

The Vertex AI Extensions feature is no longer supported in API hub as of September 8, 2025.

Apigee Integrated Portal

On September 8, 2025 we released a new version of the Apigee integrated portal.

Workforce Identity Federation users can now manage Integrated Portals using the Apigee Cloud console. This previous limitation has been removed from Accessing features only available in the Classic Apigee UI.

Apigee UI

On September 8, 2025 we released a new version of the Apigee integrated portal.

Workforce Identity Federation users can now manage Integrated Portals using the Apigee Cloud console. This previous limitation has been removed from Accessing features only available in the Classic Apigee UI.

BigQuery

You can now add tables and views as tasks to BigQuery pipelines. For more information, see Add a pipeline task. This feature is in Preview.

When you use the Data Science Agent in BigQuery, you can now use the @ symbol to search for BigQuery tables in your project, and you can use the + symbol to search for files to upload. The Data Science Agent is in Preview.

You can now include table parameters when you create a table-valued function (TVF). This feature is in Preview.

Cloud Logging

Node.js

11.2.1 (2025-09-03)

Bug Fixes
  • logging: Specifying resourceNames should fetch logs only from those resources (#1597) (ff7899f)

Cloud SQL for MySQL

Cloud SQL read pools are now generally available and provide operational simplicity and scaling for your read workloads.

Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.

You can scale your read pool in several ways:

  • Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
  • Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.

For more information, see About read pools.

You can have Cloud SQL create a Private Service Connect endpoint automatically. You can use this endpoint to access Cloud SQL instances through a VPC network. For more information, see Create a Private Service Connect endpoint automatically.

This feature is now generally available (GA).

Cloud SQL for PostgreSQL

Cloud SQL read pools are now generally available and provide operational simplicity and scaling for your read workloads.

Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.

You can scale your read pool in several ways:

  • Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
  • Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.

For more information, see About read pools.

You can have Cloud SQL create a Private Service Connect endpoint automatically. You can use this endpoint to access Cloud SQL instances through a VPC network. For more information, see Create a Private Service Connect endpoint automatically.

This feature is now generally available (GA).

Cloud SQL for SQL Server

You can have Cloud SQL create a Private Service Connect endpoint automatically. You can use this endpoint to access Cloud SQL instances through a VPC network. For more information, see Create a Private Service Connect endpoint automatically.

This feature is now generally available (GA).

Container Optimized OS

cos-dev-129-19271-0-0

Kernel Docker Containerd GPU Drivers
COS-6.12.43 v27.5.1 v2.1.3 See List

Added kernel support for bare-metal on the NVIDIA Grace platform.

Updated the Linux kernel to v6.12.43.

Added iRDMA support in the Linux kernel.

Enabled dynamic vlan configuration for non-primary NICs.

Added TDX RTMR support.

Disabled DNSSEC by default for COS TPU VMs.

Added IPv6 support for machines using the IDPF driver.

Upgraded sys-auth/pambase to v20250826.

Upgraded app-admin/google-guest-configs to v20250826.00.

Upgraded app-admin/google-guest-configs to v20250818.00.

Installed app-misc/c_rehash.

Upgraded chromeos-base/google-breakpad to v2025.08.18.161925-r245.

Upgraded sys-apps/file to v5.46-r3.

Upgraded sys-apps/hwdata to v0.398.

Fixed an issue where cpusets cgroups did not work with cgroup v1 enabled.

Fixed CVE-2025-6052 in dev-libs/glib.

Runtime sysctl changes:

  • Changed: fs.file-max: 811419 -> 811510

cos-beta-125-19216-0-38

Kernel Docker Containerd GPU Drivers
COS-6.12.41 v27.5.1 v2.1.3 See List

Added NVIDIA GPU driver's R580 branch. Updated the LATEST GPU driver label to version 580.65.06.

Disabled network management by the google-guest-agent.

Fixed CVE-2025-38676 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811504 -> 811507

cos-117-18613-339-56

Kernel Docker Containerd GPU Drivers
COS-6.6.97 v24.0.9 v1.7.28 See List

Fixed CVE-2025-38351 in the Linux kernel.

Fixed CVE-2025-38676 in the Linux kernel.

Fixed CVE-2025-38322 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811812 -> 811749

cos-113-18244-448-39

Kernel Docker Containerd GPU Drivers
COS-6.1.144 v24.0.9 v1.7.27 See List

Fixed CVE-2025-38676 in the Linux kernel.

Fixed CVE-2025-38322 in the Linux kernel.

Fixed CVE-2024-58240 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812049 -> 812017

cos-109-17800-570-43

Kernel Docker Containerd GPU Drivers
COS-6.1.143 v24.0.9 v1.7.27 See List

Fixed CVE-2025-38676 in the Linux kernel.

Fixed CVE-2025-38322 in the Linux kernel.

Fixed CVE-2024-58240 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812262 -> 812270

cos-121-18867-199-56

Kernel Docker Containerd GPU Drivers
COS-6.6.97 v27.5.1 v2.0.6 See List

Upgraded sys-apps/file to v5.46-r3.

Fixed CVE-2025-38351 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811774 -> 811788

Dataflow

Dataflow now supports using secure tags to set firewall rules on worker VMs. For more information, see Use secure tags with Dataflow.

Dataform

Dataproc

Announcing the Preview release of Dataproc on Compute Engine image version 3.0.0-RC1:

  • Spark 4.0.0
  • Hadoop 3.4.1
  • Hive 4.1.0
  • Tez 0.10.5
  • Cloud Storage Connector 3.1.4
  • Conda 24.11
  • Java 17
  • Python 3.11
  • R 4.3
  • Scala 2.13

Announcing the Preview release of Serverless for Apache Spark 3.0.0-RC3 runtime:

  • Spark 4.0.0
  • BigQuery Spark Connector 0.42.3
  • Cloud Storage Connector 3.1.5
  • Conda 25.3.0
  • Java 21
  • Python 3.12
  • R 4.4
  • Scala 2.13

New Dataproc on Compute Engine subminor image versions:

  • 2.3.11-debian12, 2.3.11-ubuntu22, 2.3.11-ubuntu22-arm, 2.3.11-ml-ubuntu22, 2.3.11-rocky9

Generative AI on Vertex AI

Veo video generation

Veo 3 support for short-duration videos is generally available. You can use Veo 3 to create 4, 6, or 8 second videos. For more information, see the following:

Google Kubernetes Engine

Starting with GKE version 1.33.4-gke.1036000, ComputeClass supports the following new sysctls configurations:

  • kernel.shmmni
  • kernel.shmmax
  • kernel.shmall
  • net.core.rmem_default
  • net.netfilter.nf_conntrack_max
  • net.netfilter.nf_conntrack_buckets
  • net.netfilter.nf_conntrack_tcp_timeout_close_wait
  • net.netfilter.nf_conntrack_tcp_timeout_time_wait
  • net.netfilter.nf_conntrack_acct
  • vm.dirty_background_ratio
  • vm.dirty_writeback_centisecs
  • vm.overcommit_memory
  • vm.overcommit_ratio
  • vm.vfs_cache_pressure
  • fs.aio-max-nr
  • fs.file-max
  • fs.inotify.max_user_instances
  • fs.inotify.max_user_watches
  • fs.nr_open

For more information, see the ComputeClass CRD reference.

Google SecOps

Google SecOps SIEM

Model Armor

The Model Armor monitoring dashboard provides a centralized view to track interactions and violations within your projects. This feature is available in Preview. For more information, see View the monitoring dashboard.

Organization Policy

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Deploy resources. For more information, see Use custom organization policies.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

2.0.1 (2025-09-03)

Bug Fixes
  • pubsub/v2: Update flowcontrol metrics even when disabled (#12590) (c153495)
Documentation

1.50.1 (2025-09-04)

Bug Fixes
  • pubsub/v2: Update flowcontrol metrics even when disabled (#12590) (c153495)
Documentation

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Deploy resources. For more information, see Use custom organization policies.

Security Command Center

The Model Armor monitoring dashboard provides a centralized view to track interactions and violations within your projects. This feature is available in Preview. For more information, see View the monitoring dashboard.

Multiple pages in Security Command Center Premium have been improved:

  • The Risk overview page is enhanced to provide a view of threats, vulnerabilities, and misconfigurations.
  • The Findings page includes predefined filter views for vulnerabilities and identity findings.
  • Information previously on the Threats page is available in the Threats dashboard on the Risk overview page.
  • Information previously on the Vulnerabilities page is now available on the Vulnerabilities dashboard on the Risk overview page.

Sensitive Data Protection

Fixed the issue preventing Sensitive Data Protection from detecting sensitive data in the headers and footers of certain rich document types.

September 07, 2025

Google SecOps

Advanced job scheduling

The job scheduling functionality has been enhanced with advanced options. This functionality provides more precise control and flexible, calendar-like scheduling for your scripts.

For more information, see Configure a new job with advanced scheduling.

Use custom fields in the Close Case dialog

Administrators can now add custom fields to the Close Case dialog. This new functionality provides a more streamlined workflow and replaces the Dynamic Fields feature.

For more information, see Use custom fields in the Close Case dialog.

Google SecOps SIEM

Release 6.3.60 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.

This release contains the following features:

Advanced job scheduling

The job scheduling functionality has been enhanced with advanced options. This functionality provides more precise control and flexible, calendar-like scheduling for your scripts.

For more information, see Configure a new job with advanced scheduling.

Use custom fields in the Close Case dialog

Administrators can now add custom fields to the Close Case dialog. This new functionality provides a more streamlined workflow and replaces the Dynamic Fields feature.

For more information, see Use custom fields in the Close Case dialog.

Google SecOps SOAR

Release 6.3.60 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan.

This release contains the following features:

Advanced job scheduling

The job scheduling functionality has been enhanced with advanced options. This functionality provides more precise control and flexible, calendar-like scheduling for your scripts.

For more information, see Configure a new job with advanced scheduling.

Use custom fields in the Close Case dialog

Administrators can now add custom fields to the Close Case dialog. This new functionality provides a more streamlined workflow and replaces the Dynamic Fields feature.

For more information, see Use custom fields in the Close Case dialog.

September 06, 2025

Google SecOps SIEM

Release 6.3.59 is now available for all regions.

Google SecOps SOAR

Release 6.3.59 is now available for all regions.

September 05, 2025

Assured Workloads

The Data Boundary for Impact Level 4 (IL4) supports the following products:

  • External passthrough Network Load Balancer
  • Identity-Aware Proxy (IAP)
  • Internal passthrough Network Load Balancer
  • Regional external Application Load Balancer
  • Regional external proxy Network Load Balancer
  • Regional internal Application Load Balancer
  • Regional internal proxy Network Load Balancer
  • Speech-to-Text

The Data Boundary for Impact Level 5 (IL5) now supports the following products:

  • External passthrough Network Load Balancer
  • Identity-Aware Proxy (IAP)
  • Internal passthrough Network Load Balancer
  • Regional external Application Load Balancer
  • Regional external proxy Network Load Balancer
  • Regional internal Application Load Balancer
  • Regional internal proxy Network Load Balancer
  • Speech-to-Text

See Supported products by control package for more information.

The IRS 1075 control package supports the following products:

  • App Hub
  • Cloud Asset Inventory
  • Cloud Deploy
  • Database Center
  • Key Access Justifications
  • Model Armor
  • Network Connectivity Center
  • Vertex AI Batch prediction
  • Vertex AI Model Monitoring
  • Vertex AI Model Registry
  • Vertex AI Online prediction
  • Vertex AI Pipelines
  • Vertex AI Training
  • Web Risk
  • Workforce Identity Federation

Cloud Database Migration Service

Database Migration Service for heterogeneous Oracle and SQL Server migrations now supports table-level observability features. In addition to metrics aggregated for the whole database, you can now monitor the migration progress individually for each table. For more information, see the monitoring pages for your scenario:

Dataproc

Gemini Enterprise

Google NotebookLM Enterprise: Notebook creation and management using the API (GA)

Use standalone APIs to programmatically create and manage your notebooks. For more information, see Create and manage notebooks using the API.

Google SecOps

Advanced filtering in alerts and search results

You can now filter alerts and search results by any field in the detection object. This update provides more granular control over your queries, letting you filter by nested fields from events and entities within a detection.

Google SecOps SIEM

Advanced filtering in alerts and search results

You can now filter alerts and search results by any field in the detection object. This update provides more granular control over your queries, letting you filter by nested fields from events and entities within a detection.

NetApp Volumes

The auto-tiering feature for the Flex service level is now generally available for custom-performance Flex zonal pools. For more information, see Manage auto-tiering.

Retail API

Vertex AI Search for commerce: Conversational product filtering

As part of the Guided search package in Search for commerce, ConversationalSearchSpec sits on top of Vertex AI Search for commerce. When coverage parameters are met, Search for commerce users can enable this feature in the console or by setting the followup_conversation_requested flag to true in the search service interface. Conversational product filtering uses an LLM-generated question for each catalog attribute where the allowed_in_conversation field is enabled.

For more information, see Conversational product filtering.

September 04, 2025

AlloyDB for PostgreSQL

Parameterized secure views in AlloyDB for PostgreSQL enhance data security and row access control while using SQL, providing a new secure interface for application developers. Access to this Preview feature no longer requires a signup.

AlloyDB AI natural language delivers secure and accurate responses for application end user natural language questions. Natural language offers fragment-based templates, autogenerated concept types, and SQL summaries. Access to this Preview feature no longer requires a signup.

Apigee APIM Operator

On September 4, 2025, we released an updated version of Apigee.

Apigee policies for LLM/GenAI workloads are Generally Available (GA)

Four new Apigee policies supporting LLM/GenAI workloads are now GA:

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

Apigee X

On September 4, 2025, we released an updated version of Apigee.

Apigee policies for LLM/GenAI workloads are Generally Available (GA)

Four new Apigee policies supporting LLM/GenAI workloads are now GA:

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

Cloud SQL for MySQL

The release note on August 13, 2025 regarding Private Service Connect (PSC) outbound connectivity has been updated.

PSC outbound connectivity is required for homogeneous migrations to PSC-enabled Cloud SQL instances using Database Migration Service. For more information, see PSC outbound connections.

Cloud SQL for PostgreSQL

The release note on August 13, 2025 regarding Private Service Connect (PSC) outbound connectivity has been updated.

PSC outbound connectivity is required for homogeneous migrations to PSC-enabled Cloud SQL instances using Database Migration Service. For more information, see PSC outbound connections.

Compute Engine

Hyperdisk Balanced High Availability (Hyperdisk Balanced HA) volumes attached to C3 instances have increased performance limits for several C3 machine types. The new limits for the updated machine types are as follows:

  • c3-*-8: 50,000 IOPS and 800 MiB/s of throughput
  • c3-*-22: 120,000 IOPS and 1,800 MiB/s of throughput
  • c3-*-44: 160,000 IOPS and 2,400 MiB/s of throughput
  • c3-*-88: 160,000 IOPS and 4,800 MiB/s of throughput
  • c3-*-176: 160,000 IOPS and 10,000 MiB/s of throughput
  • c3-*-192: 160,000 IOPS and 10,000 MiB/s of throughput

For more information, see Performance limits when attached to an instance.

Generally available: Windows OS images have been updated with a new version of the gVNIC driver. Third generation and later compute instances that use these updated Windows OS images support up to 200 Gbps networking bandwidth and Jumbo frames.

Dialogflow

Dialogflow CX (Conversational Agents): This is a correction of the release note posted on August 7, 2025. All deactivated models are now automatically upgraded to model gemini-2.5-flash with the exception of generative fallback, which is automatically upgraded to gemini-2.5-flash-lite.

Dialogflow CX (Conversational Agents): The following regions are now available:

  • asia-southeast2
  • europe-west4
  • europe-west6

Dialogflow CX (Conversational Agents): New prompt security controls are available in agent settings. See the agent settings documentation for details.

Dialogflow CX (Conversational Agents): The model gemini-2.5-flash-lite is now available in all regions, and gemini-2.5-flash is now GA. These changes apply to the following features:

  • Generators
  • Playbooks
  • Data store tools

Google Cloud Contact Center as a Service

Agent desktop is GA

Agent desktop is now generally available (GA). Agent desktop is a customizable interface that provides agents quick access to the information and tools they need to handle customer sessions. The desktop layout includes the agent adapter as well as configurable panels that display information or tools. You can configure a distinct desktop layout for each session type: inbound calls, outbound calls, or chats. You can then configure which desktop layout an agent sees when they answer an inbound call, place an outbound call, or handle a chat. You can also configure announcements to communicate updates, alerts, and other important information directly to agents. For more information, see Agent desktop.

The agent desktop provides the following capabilities:

  • Create desktop layouts. With agent desktop, you can create customized desktop layouts for different use cases for your human agents. These include receiving inbound calls, placing outbound calls, and handling chat sessions. Your layouts can contain call adapters, chat adapters, and a wide variety of panels for other capabilities such as live transcripts, knowledge assist, disposition codes, and session data feeds. You can also configure custom panels to use as widgets that you can drag into panels. For more information, see Create desktop layouts.

  • Configure custom panels. A custom panel displays one or more URLs for external resources. These can be documentation, tools, or other resources. A custom panel appears as a widget in the desktop layout builder. Then, when you create desktop layouts, you can drag widgets into panels. For more information, see Configure custom panels.

  • Use widgets. Widgets are containers of specific functionality that you can drag into panels in the desktop layout builder. The desktop layout builder comes with a number of pre-defined widgets, such as Session Data Feed, Disposition Codes and Notes, Knowledge Assist, and Live Transcript.

  • Configure desktop layouts for agents. You can configure which desktop layout agents see when they answer an inbound call, place an outbound call, or handle a chat. You can configure this globally, at the queue level, and at the team level. Queue-level layout settings take priority over global settings. Team-level settings take priority over both queue-level settings and default settings. For more information, see Configure desktop layouts for agents.

  • Configure announcements. With announcements, you can communicate updates, alerts, and other important information directly to agents. Announcements appear in the agent desktop as notification banners that persist until the agent dismisses them. Announcements also appear in the agent's announcement list. For more information, see Configure announcements.

Google Cloud Managed Service for Apache Kafka

Integration with VPC Service Controls is in preview.

Google Kubernetes Engine

Kubernetes 1.34 is now available in the Rapid channel

Kubernetes 1.34 is now available in the Rapid channel. For more information about the content of Kubernetes 1.34, read the Kubernetes 1.34 Release Notes.

Other changes in 1.34

  • containerd 2.1: GKE nodes are now upgraded to containerd 2.1. This release includes performance improvements such as faster image downloads. For a complete list of changes, see the official containerd 2.1 release notes.
  • VPA InPlaceOrRecreate: This version introduces a new InPlaceOrRecreate mode in Vertical Pod Autoscaler (VPA) (Public Preview), powered by In-Place Pod Resize (IPPR/IPPU), that automatically rightsizes workloads, often without recreating the Pod. This mode ensures seamless service continuity while minimizing costs during idle periods. If you haven't used VPA with your workloads before, enable Vertical Pod Autoscaler on your cluster and then create a VPA Object for a workload.

Deprecated in 1.34

The v1beta1 gRPC API between the Kubelet and DRA drivers is deprecated in this release in favor of the v1 API. This API will continue to function but we recommend that all drivers move to the v1 API to prepare for the eventual removal of the v1beta1 API.

CNI spec version for GKE Dataplane V2 updated to v1.1.0

Starting with GKE patch version 1.34, clusters using GKE Dataplane V2 are being updated from CNI spec v0.3.1 to v1.1.0.

Action required: If you use your own CNI plugins in your GKE cluster (such as self-managed open-source Istio), you must upgrade them to a version compatible with CNI spec v1.1.0 to prevent errors.

New features in Kubernetes 1.34

  • The Kubernetes Dynamic Resource Allocation (DRA) APIs are now generally available. For more information about using DRA in GKE, see About dynamic resource allocation in GKE. The Prioritized list and Admin access features have been promoted to beta and will be enabled by default. The kubelet API has been updated to report status on resources allocated through DRA.
  • The Sleep Action for Pod prestop lifecycle hook is now GA. This can be used to delay Pod termination for graceful shutdown.
  • Streaming List Response Encoding is now GA. It enables efficient handling of requests for large object collections, improving API server reliability and performance.
  • In-Place Pod Resize, which was in beta, is now improved by adding support for decreasing memory limits with best-effort OOM protection. Improved deferred resize retries are also added, which are now prioritized and more responsive to resources becoming available. A new ResizeCompleted event records when a resize is completed.

On clusters with GKE Dataplane V2 that are on GKE version 1.34 and later, the ptp plugin is removed from the Container Network Interface (CNI) path. Pods that are created on new nodes have interfaces named lxc[INTERFACE_HASH] instead of gke[INTERFACE_HASH]. Additionally, the CNI configuration is moving from the netd DaemonSet to the cni-writer container in the anetd DaemonSet. For more information, see Overview of GKE Dataplane V2.

GKE alpha clusters enable all alpha and the default beta feature gates, which help you to test and validate upcoming Kubernetes capabilities. You can now modify the feature gates, enabling or disabling them to differ from their default values, which provides more granular control when you use these experimental features. Note that alpha clusters shouldn't be used for production workloads, so that your workloads remain stable and performant. For more information, see Alpha clusters.

Google SecOps

Time zone override for forwarder logs

Google SecOps now lets you override the default time zone for your logs when you create or configure a forwarder.

For details, see Add collector configuration.

Improved Okta and Symantec Endpoint Protection parsers

These changes are currently in Preview.

The Okta and Symantec Endpoint Protection parsers are now more efficient, with increased log-field coverage and more accurate log-field mappings. These changes include new UDM fields and updated field mappings. We advise you to opt in and get these new versions.

CBN alerts functionality removed from all prebuilt parsers

As part of deprecating the Configuration Based Normalization (CBN) alerts functionality, all prebuilt parsers that included the CBN alerts functionality were updated, and the functionality was removed.

Google SecOps SIEM

CBN alerts functionality removed from all prebuilt parsers

As part of deprecating the Configuration Based Normalization (CBN) alerts functionality, all prebuilt parsers that included the CBN alerts functionality were updated, and the functionality was removed.

Time zone override for forwarder logs

Google SecOps now lets you override the default time zone for your logs when you create or configure a forwarder.

For details, see Add collector configuration.

Improved Okta and Symantec Endpoint Protection parsers

These changes are currently in Preview.

The Okta and Symantec Endpoint Protection parsers are now more efficient, with increased log-field coverage and more accurate log-field mappings. These changes include new UDM fields and updated field mappings. We advise you to opt in and get these new versions.

reCAPTCHA

reCAPTCHA Mobile SDK v18.8.0-beta03 is available for Android. This version contains reliability improvements and bug fixes.

reCAPTCHA Mobile SDK 18.8.0-beta02 is now available for iOS. This version contains reliability improvements and bug fixes.

September 03, 2025

Anti Money Laundering AI

New minor engine versions released for retail line of business within the v004 tuning version. This extends support for the major version and includes no significant changes compared to the previous minor version.

New minor engine version released for commercial line of business within the v004 tuning version. This extends support for the major version and includes no significant changes versus the previous minor version.

Apigee APIM Operator

On September 3, 2025, we released an updated version of Apigee.

Apigee Server-Sent Events (SSE) and EventFlows are supported for use with the Apigee Extension Processor.

The Apigee SSE feature enables continuous response streaming from server-sent event (SSE) endpoints to clients in real time. To learn more about this feature, see Streaming server-sent events.

The Apigee Extension Processor is a traffic extension that lets you use Cloud Load Balancing to send callouts from the data processing path of the application load balancer to the Apigee Extension Processor. To learn more, see the Apigee Extension Processor overview.

Apigee X

On September 3, 2025, we released an updated version of Apigee.

Apigee Server-Sent Events (SSE) and EventFlows are supported for use with the Apigee Extension Processor.

The Apigee SSE feature enables continuous response streaming from server-sent event (SSE) endpoints to clients in real time. To learn more about this feature, see Streaming server-sent events.

The Apigee Extension Processor is a traffic extension that lets you use Cloud Load Balancing to send callouts from the data processing path of the application load balancer to the Apigee Extension Processor. To learn more, see the Apigee Extension Processor overview.

Backup and DR

An issue where Backup and DR Service management charges for SAP HANA backup were calculated using the allocated size of the database disk volume, rather than the amount of data in the database. This issue only affected Backup and DR Service deployments where SAP HANA was backed up using either the Volume level (LVM CBT) or Persistent Disk snapshot backup methods.

BigQuery

BigQuery now supports soft failover with managed disaster recovery. This feature is generally available (GA).

You can flatten records in BigQuery data preparation with a single operation. This feature is generally available (GA).

The INFORMATION_SCHEMA.RESERVATIONS_TIMELINE view now includes the per_second_details schema field. This new field provides information regarding reservation capacity and usage on a per-second basis, and also includes details on autoscale utilization. This feature is generally available (GA).

Carbon Footprint

We recently released a new technical paper, "Measuring the Environmental Impact of Delivering AI at Google Scale" and blogpost. This research establishes a more comprehensive methodology for measuring the energy, emissions, and water consumption of AI inference in a live production environment. Our goal is to promote greater transparency and encourage the industry to align on more standardized, comprehensive measurement frameworks.

Currently, the data in Google Cloud Carbon Footprint for AI services does not fully reflect this comprehensive approach, which we believe is the most transparent environmental impact assessment from AI labs today. To better align with this new, more detailed methodology, we will be updating our carbon accounting pipeline for services that use AI, such as Vertex AI.

The new methodology provides a more accurate and complete picture of the environmental impact of AI services. We anticipate that this change, which will be implemented during our next semi-annual methodology refresh, may result in an increase in the emissions data for some of our Cloud AI services. However, we believe this move to more actionable data will enable us to more readily incentivize and track optimizations for these AI services.

The updated data will be released with the January 2026 methodology refresh, which is expected to be available in mid-February 2026. We believe this is an important step toward providing you with the most accurate and actionable data possible to manage your cloud usage more sustainably.

Cloud Composer

(Cloud Composer 2) Cloud Composer's high availability infrastructure was enhanced to provide greater resilience against zonal outages. This change rolls out gradually over several releases to all regions supported by Cloud Composer 2.

(Available without upgrading) Cloud Composer 3 now supports DNS resolution for regional service endpoints. You can now reach regional service endpoints from DAGs in your environment. This change is available in Public IP environments without additional configuration. For Private IP environments, an environment must be connected to a VPC network where private endpoints are configured.

You can now check if a Cloud Composer 2 environment's configuration is compatible with Cloud Composer 3. We recommend doing this check before migrating to Cloud Composer 3.

New images are available in Cloud Composer 2:

The following Cloud Composer versions and builds have reached their end of support period: composer-2.9.2-*, composer-2.9.3-*, and composer-3-airflow-2.7.3-build.15.

Cloud Run

You can configure GPU in your Cloud Run worker pool (Preview).

Cloud SQL for MySQL

Cloud SQL Managed Connection Pooling is now generally available (GA). Managed Connection Pooling lets you scale your workloads by optimizing resource utilization for Cloud SQL instances using pooling.

For more information, see Managed Connection Pooling overview.

You can now enable your instance to take a final backup at instance deletion and define its retention period by setting the final backup instance setting.

You can also create a custom organization policy to define final backup instance settings. For more information, see Final backup.

Cloud SQL for PostgreSQL

You can now enable your instance to take a final backup at instance deletion and define its retention period by setting the final backup instance setting.

You can also create a custom organization policy to define final backup instance settings. For more information, see Final backup.

Cloud SQL for SQL Server

You can now enable your instance to take a final backup at instance deletion and define its retention period by setting the final backup instance setting.

You can also create a custom organization policy to define final backup instance settings. For more information, see Final backup.

Compute Engine

Starting with version 20250901.00, the guest agent is migrated to a new plugin-based architecture to improve modularity. You can revert to the previous version by setting the metadata attribute enable-guest-agent-core-plugin to FALSE. For more information about the plugin-based architecture, see Guest agent.

This plugin-based guest agent is available for the following operating systems:

  • Red Hat Enterprise Linux (RHEL) 9
  • Rocky Linux 9
  • CentOS Stream 9
  • Oracle Linux 9
  • AlmaLinux 9

With the introduction of the plugin-based architecture, the guest agent includes the following updates:

  • A new command-line tool, ggactl_plugin, is available to manage and restart the guest agent core plugin. To restart the agent, run:

    ggactl_plugin coreplugin restart

    For more information, see Restarting the guest agent.

  • All guest agent components now use a new logging framework. This framework lets you set the logging level in the guest agent configuration file. For more information about the logging options, see core settings in the configuration options table.

  • The workload refresh service gce-workload-cert-refresher is now part of the guest agent's core plugin. It is no longer a separate systemd service.

  • The guest agent updates the metadata script runner and the Authorized Keys binary (Windows only) to use the new, configurable logging framework. Compatibility managers are included to facilitate the migration.

An issue is fixed where network routes were not consistently applied (GitHub Issue #516). The system now consistently applies network routes by monitoring the route table and re-adding routes when they disappear.

Config Connector

Bug Fixes:

  • ConfigConnectorContext:
    • PR#4995: status.observedGeneration is now being set on the ConfigConnectorContext.
    • PR#4657: Added spec.managerNamespace.
  • SQLInstance:
    • PR#4838: Fixed bug in SQLInstance maintenanceVersion UPDATE operation
    • PR#4843: Set status on acquisition for SQLInstance controller
    • PR#4857: Support SQLInstance maintenanceVersion in CREATE operation

Config Connector version 1.134.0 is now available.

Improved reconciliation by migrating the following resources from the Terraform-based or DCL-based controller to the new direct controller. These resources are migrated automatically and you no longer need to apply the opt-in annotation to enable the direct controller:

New Fields:

  • ContainerCluster: DNS endpoint is supported in ContainerCluster.

Dataplex

Natural language search in Dataplex Universal Catalog is available in preview.

Natural language search extends keyword search to support natural language queries. It lets you find resources using everyday language, eliminating the need for complex syntax.

Document AI

Custom extractor model pretrained-foundation-model-v1.5-pro-2025-06-20 is available as General Availability (GA).

For more information about available models, see the custom extractor page.

Gemini on GDC API on GDC connected

This is the Public Preview release of Gemini on Google Distributed Cloud connected API.

This release of Gemini on GDC connected API contains the following known issues:

  • Servo metrics not captured by Cloud Monitoring. Servo metrics for Gemini on GDC connected API are not captured by Cloud Monitoring. Other supported metrics are captured as expected.

  • User identity is not supported. To successfully deploy a Gemini on GDC connected API endpoint, you must use a service account to generate the access credentials.

  • Service account keys expire after 14 days. If you use a service account key older than 14 days, you can't use it to generate endpoint access credentials. In such situations, you must generate a fresh service account key.

  • Disabling Cloud projects or Cloud services is not supported. To disable a Cloud project or a Cloud service on your Gemini on GDC connected API deployment, contact your Google representative.

  • Model deployment might intermittently fail. If you encounter a model deployment failure, contact your Google representative to resolve this issue.

Generative AI on Vertex AI

Vertex AI RAG Engine: Managed Database (Spanner)

Customers will be charged for the use of a Google-managed Spanner instance that's provisioned in a Google tenant project, using standard Spanner SKUs.

For more information, see Vertex AI RAG Engine billing.

Google Kubernetes Engine

In GKE version 1.33.3-gke.1392000 or later, you can use ComputeClasses to provision Confidential GKE Nodes with any supported Confidential Computing type. This feature is now generally available. For more information, see Confidential GKE Nodes.

(2025-R37) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • Version 1.33.4-gke.1134000 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1036000
    • 1.31.11-gke.1101000
    • 1.32.7-gke.1079000
    • 1.33.3-gke.1136000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.12-gke.1014000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.33.4-gke.1036000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1059000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.12-gke.1014000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.8-gke.1026000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.4-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.34 to version 1.34.0-gke.1477000 with this release.

Regular channel

  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.14-gke.1011000
    • 1.31.11-gke.1101000
    • 1.32.7-gke.1016000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.7-gke.1079000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.7-gke.1079000 with this release.

Stable channel

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.12-gke.1390000
    • 1.31.11-gke.1002000
    • 1.32.6-gke.1125000
    • 1.33.2-gke.1240000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.12-gke.1414000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.31.11-gke.1036000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.12-gke.1414000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.11-gke.1036000 with this release.

Extended channel

  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2527000
    • 1.28.15-gke.2599000
    • 1.29.15-gke.1713000
    • 1.29.15-gke.1820000
    • 1.30.14-gke.1011000
    • 1.31.11-gke.1101000
    • 1.32.7-gke.1016000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2547000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2547000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1756000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.7-gke.1079000 with this release.

No channel

Google SecOps

Extended match window for multi-event rules

You can now configure rules to analyze data over a longer period. The maximum match window for these rules has been extended to 14 days. The run frequency for multi-event rules is automatically set based on the rule's match window:

  • For a window size of 1 to 48 hours, the run frequency is 1 hour.

  • For a window size greater than 48 hours, the run frequency is 24 hours.

Google SecOps Marketplace

Google Threat Intelligence: Version 3.0

  • Extended supported filters in the following connector:

    • Google Threat Intelligence - ASM Issues Connector

Google SecOps SIEM

Extended match window for multi-event rules

You can now configure rules to analyze data over a longer period. The maximum match window for these rules has been extended to 14 days. The run frequency for multi-event rules is automatically set based on the rule's match window:

  • For a window size of 1 to 48 hours, the run frequency is 1 hour.

  • For a window size greater than 48 hours, the run frequency is 24 hours.

Google Threat Intelligence: Version 3.0

  • Extended supported filters in the following connector:

    • Google Threat Intelligence - ASM Issues Connector

Google SecOps SOAR

Google Threat Intelligence: Version 3.0

  • Extended supported filters in the following connector:

    • Google Threat Intelligence - ASM Issues Connector

Guest Environment

Starting with version 20250901.00, the guest agent is migrated to a new plugin-based architecture to improve modularity. You can revert to the previous version by setting the metadata attribute enable-guest-agent-core-plugin to FALSE. For more information about the plugin-based architecture, see Guest agent.

This plugin-based guest agent is available for the following operating systems:

  • Red Hat Enterprise Linux (RHEL) 9
  • Rocky Linux 9
  • CentOS Stream 9
  • Oracle Linux 9
  • AlmaLinux 9

With the introduction of the plugin-based architecture, the guest agent includes the following updates:

  • A new command-line tool, ggactl_plugin, is available to manage and restart the guest agent core plugin. To restart the agent, run:

    ggactl_plugin coreplugin restart
    

    For more information, see Restarting the guest agent.

  • All guest agent components now use a new logging framework. This framework lets you set the logging level in the guest agent configuration file. For more information about the logging options, see core settings in the configuration options table.

  • The workload refresh service gce-workload-cert-refresher is now part of the guest agent's core plugin. It is no longer a separate systemd service.

  • The guest agent updates the metadata script runner and the Authorized Keys binary (Windows only) to use the new, configurable logging framework. Compatibility managers are included to facilitate the migration.

An issue is fixed where network routes were not consistently applied (GitHub Issue #516). The system now consistently applies network routes by monitoring the route table and re-adding routes when they disappear.

Retail API

Vertex AI Search for commerce: Conversational Commerce agent, GA

The Conversational Commerce agent uses LLM and conversational product filtering to provide users with a real-time, ongoing conversational experience. The conversational product filtering feature functions as part of the Guided Search package, helping narrow down search queries sooner by presenting users with either relevant products, follow-up questions, or both.

The Conversational Commerce agent is generally available (GA). For information, see Conversational Commerce agent and Conversational product filtering.

Spanner

You can import your own data into a Spanner database by using a CSV file, a MySQL dump file, or a PostgreSQL dump file.

Additionally, you can populate new databases in an existing Spanner instance from sample datasets that help you explore Spanner capabilities such as its relational model, full-text search, vector search, or Spanner Graph.

For more information, see Create and manage databases.

VPC Service Controls

Preview stage support for the following integration:

September 02, 2025

Access Approval

Access Approval supports Web Risk in the GA stage.

Access Transparency

Access Transparency supports Web Risk in the GA stage.

AlloyDB for PostgreSQL

You can create organization policies with custom constraints for AlloyDB backups and clusters, and a custom constraint with any field for an AlloyDB instance. This feature is generally available (GA).

Anthos Config Management

Config Sync is now available as part of the standard GKE offering and no longer requires GKE Enterprise. For more details on the removal of GKE Enterprise, see the GKE release notes.

BigQuery

You can now create a remote model based on an open embedding model from Vertex Model Garden or Hugging Face that is deployed to Vertex AI. Options include E5 Embedding and other leading open embedding generation models. You can then use the ML.GENERATE_EMBEDDING function with this remote model to generate embeddings.

Try this feature with the Generate text embeddings by using an open model and the ML.GENERATE_EMBEDDING function tutorial.

This feature is in Preview.

You can now create a remote model based on the Vertex AI gemini-embedding-001 model. You can then use the ML.GENERATE_EMBEDDING function with this remote model to generate embeddings. This feature is in Preview.

You can now reference BigQuery ML and DataFrames in your prompts when you use the Data Science Agent in a BigQuery notebook. The Data Science Agent is in Preview.

You can now configure listings for multiple regions for shared datasets and linked dataset replicas in BigQuery sharing. For more information, see Create a listing. This feature is in Preview.

You can now enable the automatic selection of a processing location in your pipeline configurations. For more information, see Create pipelines. This feature is generally available (GA).

Cloud Build

Dark theme is now available for Cloud Build. To enable the dark theme, in the Google Cloud console, click Settings and utilities > Preferences. In the navigation menu, click Appearance, and then select your color theme and click Save.

Cloud Deploy

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Deploy resources. For more information, see Use custom organization policies.

Cloud Service Mesh

1.26.4-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains a fix for a use-after-free (UAF) vulnerability in the DNS cache. For more information, see the security bulletin.

Only clusters running in-cluster Cloud Service Mesh version 1.26 are affected. If you are running an earlier in-cluster version or managed Cloud Service Mesh, you are not affected and do not need to take any action.

For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh.

Confidential Space

A new Confidential Space image (250800) is available.

Config Controller

Config Controller is now available as part of the standard GKE offering and no longer requires GKE Enterprise. For more details on the removal of GKE Enterprise, see the GKE release notes.

Container Optimized OS

cos-beta-125-19216-0-33

  • Kernel: COS-6.12.41
  • Docker: v27.5.1
  • Containerd: v2.1.3
  • GPU Drivers: See List

Added iRDMA support in the Linux kernel.

Enabled dynamic vlan configuration for non-primary NICs.

Added support for the Lustre 2.14.0_p216 drivers.

Upgraded sys-apps/file to v5.46-r3.

Upgraded sys-apps/hwdata to v0.398.

Fixed CVE-2025-6052 in dev-libs/glib.

Fixed KCTF-aba0c94 in the Linux kernel.

Fixed KCTF-62708b9 in the Linux kernel.

Fixed KCTF-6db015f in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811541 -> 811504

cos-117-18613-339-52

  • Kernel: COS-6.6.97
  • Docker: v24.0.9
  • Containerd: v1.7.28
  • GPU Drivers: See List

Upgraded sys-apps/hwdata to v0.398.

Upgraded sys-apps/file to v5.46-r3.

Fixed CVE-2025-6052 in dev-libs/glib.

Fixed KCTF-aba0c94 in the Linux kernel.

Fixed KCTF-62708b9 in the Linux kernel.

Fixed KCTF-6db015f in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811728 -> 811812

cos-121-18867-199-52

  • Kernel: COS-6.6.97
  • Docker: v27.5.1
  • Containerd: v2.0.6
  • GPU Drivers: See List

Upgraded sys-apps/hwdata to v0.398.

Fixed CVE-2025-6052 in dev-libs/glib.

Fixed KCTF-aba0c94 in the Linux kernel.

Fixed KCTF-62708b9 in the Linux kernel.

Fixed KCTF-6db015f in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811817 -> 811774

cos-113-18244-448-36

  • Kernel: COS-6.1.144
  • Docker: v24.0.9
  • Containerd: v1.7.27
  • GPU Drivers: See List

Upgraded sys-apps/file to v5.46-r3.

Upgraded sys-apps/hwdata to v0.398.

Fixed KCTF-62708b9 in the Linux kernel.

Fixed KCTF-aba0c94 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812035 -> 812049

cos-109-17800-570-40

  • Kernel: COS-6.1.143
  • Docker: v24.0.9
  • Containerd: v1.7.27
  • GPU Drivers: See List

Fixed KCTF-62708b9 in the Linux kernel.

Fixed KCTF-aba0c94 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812214 -> 812262

Database Center

You can create alerting policies for new database resources and signals, using filters to restrict the monitored metric data. This feature lets you get detailed insights into the health of your database fleet and troubleshoot issues. You can filter data based on metric labels, such as signal type, or by resource labels, such as the resource's location or name. For more information, see Metrics and alerting policy filters.

The following performance recommendations and insights are available in Database Center:

  • Replication lag for Bigtable.
  • Outdated client for Bigtable.
  • Connections burdening disk for Cloud SQL for SQL Server.
  • Location org policy not satisfied for Spanner.

For more information, see Supported health issues.

Dataform

Dataform now automatically selects a processing location based on the datasets referenced in your SQL queries. This makes setting the default location optional in your workflow configurations. For more information, see About repository settings. This feature is generally available (GA).

Dataproc

Multi-tenant clusters are now available in Preview. Many data engineers and scientists can share a multi-tenant cluster to execute their workloads in isolation from each other.

Firestore

Use Query insights to view query performance metrics for your database. This feature is now generally available (GA).

Firestore in Datastore mode

Use Query insights to view query performance metrics for your database. This feature is now generally available (GA).

Google Cloud Contact Center as a Service

Mobile SDK 2.14 is released

Mobile SDK 2.14 includes the following updates:

  • Android SDK and iOS SDK:

    • Support for virtual agent to virtual agent chat transfers by queue.

    • Support for hiding the download transcript button in the options menu, the post-chat screen, or both. For the Android SDK, see SDK configuration. For the iOS SDK, see Show or hide the download transcript button.

    • Improved accessibility, including better navigation and screen reader support.

  • Android SDK:

    • Support for hiding the SDK using the Ujet.hideSDK() method. For more information, see Hide the SDK.

    • New event types: MessageLinkClicked and QuickReplyClicked. For more information, see Event Notifications.

To support the new virtual agent chat transfer capabilities of this release, we've added a new configuration setting in the Google Cloud CCaaS portal. You can use this setting to hide transfer system messages in chat sessions with virtual agent to virtual agent transfers.

Administrators: In the Settings > Chat > Web & Mobile Chat Settings pane, there's a new Transfers checkbox.

For more information, see Hide transfer messages in chat sessions.

Google Cloud Managed Service for Apache Kafka

Managed Service for Apache Kafka now supports HIPAA Compliance on Google Cloud.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.33.0-gke.799 is now available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.33.0-gke.799 runs on Kubernetes v1.33.2-gke.700.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

  • GA: Changed the cluster creation process so that all new clusters are advanced clusters. Additionally, all cluster upgrades to 1.33 are automatically converted to advanced clusters.
  • Upgraded the etcd component to version 3.4.33.
  • GA: Enabled the vsphere-metrics-exporter component for advanced clusters. This exporter provides greater visibility into the VMware vSphere environment by collecting key performance and health metrics.
  • GA: Added support for VM-Host affinity groups in advanced clusters. This feature allows for the creation of rules that constrain cluster nodes to run on specific, predefined groups of hosts.
  • GA: Added support for automatic node resizing in advanced clusters. This feature optimizes resource use by automatically adjusting the CPU and memory allocated to control plane nodes in response to workload demands.
  • Public Preview: Added support for Virtual Machine (VM) tracking using vSphere tags in advanced clusters. This feature simplifies resource management by automatically applying identifying tags to cluster VMs.
  • GA: Introduced an Envoy proxy sidecar to the GKE Identity Service for clusters that use Controlplane V2. This change enhances the security, reliability, and performance of the authentication service.

The following issues were fixed in 1.33.0-gke.799:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.33.0-gke.799 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.33.0-gke.799 runs on Kubernetes v1.33.2-gke.700.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The following features were added in 1.33.0-gke.799:

  • GA: Introduced an Envoy sidecar into the GKE Identity Service to increase security, reliability, and performance.

  • GA: Added support for the Ubuntu 24.04 LTS operating system with Linux kernel versions, such as 6.8 and 6.11. Support for Linux kernel 6.14 is explicitly excluded.

  • GA: Added the ability to override the cluster-level pod density setting for individual node pools.

  • Preview: Added Node Agent to give you the ability to transition from using Ansible over SSH for cluster operations to a more secure, agent-based model. Added bmctl nodeagent commands to provide a straightforward and reliable process of migrating existing clusters to use Node Agent.

  • Preview: Added a bundled version of the NVIDIA GPU Operator (version 25.3.1). The bundled operator is an open-source solution for managing the NVIDIA software components needed to provision and manage GPU devices.

  • Preview: Added Dynamic Resource Allocation, a Kubernetes API that lets you request and share generic resources, such as GPUs, among pods and containers. When enabled, this capability helps you run AI workloads by dynamically and precisely allocating the GPU resources within your bare metal clusters, improving resource utilization and performance for demanding workloads.

  • Preview: Added vertical Pod autoscaling, which lets you analyze and set CPU and memory resources required by Pods. Instead of having to set up-to-date CPU requests and limits and memory requests and limits for the containers in your Pods, you can configure vertical Pod autoscaling to provide recommended values for CPU and memory requests and limits that you can use to manually update your Pods, or you can configure vertical Pod autoscaling to automatically update the values.

  • Preview: Added support for skip minor version cluster upgrades. You can directly upgrade your cluster control plane nodes (and the entire cluster if worker node pools aren't pinned at a lower version) to two minor versions above the current version. Added the bmctl upgrade intermediate-version command to print the intermediate version for a skip minor version upgrade.

  • Surface failures from node pool status to the RecentFailures field in cluster status.

  • Surface failures from failed preflight checks triggered by the cluster controller to the RecentFailures field in cluster status.

The following functional changes were made in 1.33.0-gke.799:

  • Changed logging behavior so that kubeadm logs show up in the journald of the node machine where kubeadm runs.

  • To help prevent stale ARP cache issues, iptables-persistent is installed in Debian nodes.

  • Cluster manifests are deployed using a Kubernetes job, allowing the cluster operator to be more responsive to cluster events.

  • Updated the validation checks for cluster upgrades to enforce the cluster version skew rules for user clusters. If the upgrade version information for a user cluster doesn't comply with the version skew rules, the upgrade is halted.

  • Updated health checks and upgrade preflight checks to inspect for kubeadm certificate expiration.

  • Updated etcd version to 3.5.21.

  • Removed support for Red Hat Enterprise Linux 8.8 as it is beyond the Red Hat support window.

  • Removed support for Ubuntu 20.04 LTS as it has reached the end of standard security maintenance in May 2025.

  • Upgraded ansible-core to 2.16.4 to support Python 3.12.

  • Increased the RSA key size for Cluster API certifications to 4096 bits for improved security.

The following issues were fixed in 1.33.0-gke.799:

  • Fixed an issue where restoring a cluster that has a node with a GPU causes instability of pods on the nodes.

  • Fixed an issue that caused the Ansible playbook for handling Cloud Audit Logging to fail and not complete.

  • Fixed an issue that caused nodes to get stuck in maintenance mode. Health checks have been updated so that the network check job skips connectivity checks for nodes that are in maintenance mode.

  • Fixed an issue where the CronJob for periodic health checks wasn't updating after configuration changes.

  • Fixed vulnerabilities listed in Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Kubernetes Engine

Features that were part of GKE Enterprise are now available as part of the standard GKE offering, or offered as standalone SKUs.

The following advanced multi-cluster management and networking features are included in the GKE offering at no additional cost:

  • Fleet dashboard
  • Multi-team Management
  • Config Sync
  • Config Controller
  • Managed Policy Controller
  • Connect Gateway
  • Network Function Optimizer
  • Fully Qualified Domain Name (FQDN) Network Policy
  • Inter-node Transparent Encryption

The following GKE Enterprise features continue to be available using their current standalone SKUs. If you are using any of these features, your billing is automatically transitioned to the corresponding standalone SKU.

  • Managed Cloud Service Mesh
  • Multicluster Gateways; Multicluster Ingress
  • Binary Authorization
  • Advanced Vulnerability Scanning
  • GKE Extended Support (LTS)
Policy Controller

Policy Controller is now available as part of the standard GKE offering and no longer requires GKE Enterprise. For more details on the removal of GKE Enterprise, see the GKE release notes.

SAP on Google Cloud

Support for version 2 of Google Cloud's Agent for SAP has ended

Support for version 2 of Google Cloud's Agent for SAP ended on July 31, 2025.

If you're using version 2 of the agent, then we strongly recommend that you update to using a supported version as soon as possible. For information about how to update the agent, see Update Google Cloud's Agent for SAP.

Security Command Center

Vulnerability assessment for Google Cloud supports scanning disks configured with customer-managed encryption keys (CMEK) for projects that are outside of VPC Service Controls perimeters. For more information about how to scan disks configured with CMEK, see Run Vulnerability Scans for CMEK disks.

Sensitive Data Protection

When configuring schedules for Cloud Storage data discovery, you can select data based on specific tags. For more information, see Profile Cloud Storage data in an organization or folder or Profile Cloud Storage data in a single project.

September 01, 2025

Apigee API hub

New API versions view

API version information is now available as a separate tab in the API details page. You can view your API version details, copy API ID, create new API versions and more using the API versions tab.

For more information, see Manage versions.

BigQuery

Go

1.70.0 (2025-08-28)

Features
  • bigquery/reservation: Add Reservation.max_slots field to Reservation proto, indicating the total max number of slots this reservation can use up to (f1de706)
  • bigquery/reservation: Add Reservation.scaling_mode field and its corresponding enum message ScalingMode. This field should be used together with Reservation.max_slots (f1de706)
  • bigquery/storage/managedwriter: Allow overriding proto conversion mapping (#12579) (ce9d29b), refs #12578
  • bigquery: Add load/extract job completion ratio (#12471) (3dab483)
  • bigquery: Load job and external table opts for custom time format, null markers and source column match (#12470) (67b0320)

Java

2.54.2 (2025-08-26)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.0 (#3939) (794bf83)
Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.65.1 (2025-08-27)

Dependencies
Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-storage

2.56.0 (2025-08-25)

Features
  • breaking behavior rewrite Storage.blobAppendableUpload to be non-blocking and have improved throughput (#3231) (7bd73d3)
  • Add AppendableUploadWriteableByteChannel#flush() (#3261) (950c56f)
  • Add MinFlushSizeFlushPolicy#withMaxPendingBytes(long) (#3231) (7bd73d3)
  • Add StorageChannelUtils to provide helper methods to perform blocking read/write to/from non-blocking channels (#3231) (7bd73d3)
Bug Fixes
  • Make FlushPolicy${Min,Max}FlushSizeFlushPolicy constructors private (#3217) (7bd73d3)
  • Update BlobAppendableUploadConfig and FlushPolicy.MinFlushSizeFlushPolicy to default to 4MiB minFlushSize and 16MiB maxPendingBytes (#3249) (7bd73d3)
  • Update otel integration to properly activate span context for lazy RPCs such as reads & writes (#3255) (d6587f4)
Dependencies
  • Update actions/checkout action to v5 (#3239) (33f024b)
  • Update dependency com.google.apis:google-api-services-storage to v1-rev20250815-2.0.0 (#3245) (87afe1a)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.52.0 (#3250) (0782e62)

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-storage

3.3.1 (2025-08-25)

Bug Fixes
  • Provide option to user to set entire object checksum at "initiate a resumable upload session" and send the same. (#1525) (a8109e0)
  • Send part's checksum for XML MPU part upload (#1529) (2ad77c7)
Cluster Toolkit

Cluster Toolkit version v1.64.0 is available. This release introduces a GKE Managed Lustre integration, allowing for high-performance, scalable storage for your GKE clusters. The storage for A3 Ultra machine types now uses basic SSD for improved performance. Additionally, this version includes improvements to allow for alternative services for private service access. For more details on these changes and other version updates, see the release announcement on GitHub.

Live Stream API

You can now distribute live stream content to remote endpoints by using the Secure Reliable Transport (SRT) protocol or the Real-Time Messaging Protocol (RTMP).

Added support for UHD (4K) inputs and outputs.

Added support for H.265 (HEVC) inputs and outputs, which allows for more efficient compression.

You can now generate Web Video Text Tracks format (WebVTT) subtitles from cea608 or cea708 embedded captions in the input stream.

You can now update the encryption key of your encrypted live stream contents while the channel is running.

You can now preview your input streams with ultra-low latency, which allows you to take corrective actions and maintain high-quality viewing experience for your viewers.

Secret Manager

Automatic secret rotation with the Secret Manager add-on for Google Kubernetes Engine (GKE): You can configure the Secret Manager add-on to automatically rotate secrets so that secrets updated in Secret Manager after initial pod deployment are automatically and periodically pushed to the pod. This feature is now generally available (GA).

For more information, see Configure automatic rotation of secrets.

August 31, 2025

Google SecOps SIEM

Release 6.3.59 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

Google SecOps SOAR

Release 6.3.59 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

August 30, 2025

Google SecOps SIEM

Release 6.3.58 is now available for all regions.

Google SecOps SOAR

Release 6.3.58 is now available for all regions.

August 29, 2025

Anthos clusters on Azure

The following Kubernetes versions are retired and are no longer available for creating new clusters:

  • 1.31.4-gke.500
  • 1.30.8-gke.100
  • 1.29.12-gke.100

To create a cluster, use another available Kubernetes version.

Artifact Registry Cloud DNS

Monitoring your internet-bound DNS queries for malicious activity using advanced threat detection from DNS Armor is now available in Preview.

For more information, see Advanced threat detection overview.

Cloud SQL for SQL Server

Max degree of parallelism (MAXDOP) is a Microsoft database flag available for use in Cloud SQL for SQL Server. This flag lets you limit the maximum number of threads used when running a single query in a parallel plan.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.147-debian10, 2.0.147-ubuntu18, 2.0.147-rocky8
  • 2.1.96-debian11, 2.1.96-ubuntu20, 2.1.96-ubuntu20-arm, 2.1.96-rocky8
  • 2.2.64-debian12, 2.2.64-ubuntu22, 2.2.64-ubuntu22-arm, 2.2.64-rocky9
  • 2.3.10-debian12, 2.3.10-ubuntu22, 2.3.10-ubuntu22-arm, 2.3.10-ml-ubuntu22, 2.3.10-rocky9
Document AI

Derived entity and signature detection are now supported in Custom Extractor models pretrained-foundation-model-v1.4-2025-02-05 as General Availability (GA), and pretrained-foundation-model-v1.5-2025-05-05 and pretrained-foundation-model-v1.5-pro-2025-06-20 as Preview.

Signature detection lets you identify handwritten signatures by using visual cues in the document. Derived entity detection lets you deduce entities by inference without requiring the value to be explicitly present in the text. You can use this feature to deduce the country in an address, count items in a table, or detect if an ID is fake.

These can be enabled in the console when creating new labels or by using the DocumentSchema.EntityType resource in the API.

For more information, read Custom extractor with derived fields, and choose label attributes.

Google Cloud Contact Center as a Service

Fixed an issue where the Android SDK wouldn't minimize when an end-user clicked a deep link.

Google Kubernetes Engine

A fix is available for an issue with the Cloud Storage FUSE CSI driver that could cause a Pod to be stuck during startup after a node restart event. The Cloud Storage FUSE CSI driver now gracefully handles node restart behavior.

The fix is available in the following GKE versions:

  • 1.32.6-gke.1125000 and later
  • 1.33.1-gke.1959000 and later
Google SecOps

MITRE ATT&CK coverage dashboard is now available

This feature is currently in Preview.

The new MITRE ATT&CK coverage dashboard lets you measure your security posture against the MITRE ATT&CK framework, helping you:

  • Assess threat coverage
  • Identify gaps
  • Prioritize security efforts
Google SecOps SIEM

MITRE ATT&CK coverage dashboard is now available

This feature is currently in Preview.

The new MITRE ATT&CK coverage dashboard lets you measure your security posture against the MITRE ATT&CK framework, helping you:

  • Assess threat coverage
  • Identify gaps
  • Prioritize security efforts

Manufacturing Data Engine

Release 1.5.1

This release is a critical update if you have an existing deployment of MDE version 1.5.0. This release resolves a bug regarding materialization of metadata instances created prior to MDE 1.5.0. This release also includes other minor improvements and bug fixes.

Release signature

b0fc163
1.5.1
ffb87d39d343c20abebd2f52df74a2d3
  • Fix (417666631): Fixed an issue with metadata materialization for metadata instances that had been created prior to migrating to MDE 1.5.0.
  • Fix (420921890): Fixed an error when attempting to update instance tag metadata and save it for instances that had been created prior to migrating to MDE 1.5.0.
  • Fix (423535516): Fixed inconsistent API response codes when trying to delete non-existing entities.
  • Fix (383519276): Fixed missing fields in MDE logging and added more details to make troubleshooting easier.
  • Fix (424077359): Fixed instance bucket creation through API. It now adds default createdTime as the time when the API call was received.
  • Fix (422991109 and 424084607): Fixed ghost deletion of Types and Metadata Buckets after removing a configuration package.
  • Fix (423859259): Fixed removal of BigQuery views when a Type is manually deleted.
  • Fix (406803212): Fixed wrong version materialization on MDE system tables.
  • Fix (407015039): Fixed Delete button in MDE UI when the system is in PROD mode (Production mode).
  • Fix (435653743): Fixed missing Grafana Terraform module.
  • Improvement (427447932): Brought Docker images to versions without vulnerabilities reported at the time of the release.
  • Improvement (361290775): Modified Terraform deployment scripts to enforce TLS v1.2 for an external MDE UI Load Balancer.
  • Improvement (407009198): Improved the error handling when uploading and parsing configuration packages.
  • Improvement (423531705): Improved MDE logging for BigQuery sink related operations.
  • Improvement (423530033): Improved manifest validation on configuration package uploads.
  • Improvement (423554635): Added CreatedAt column with default sorting on the MDE UI configuration packages page.
  • Improvement (430962108): Added more sorting options on the MDE UI Configurations and Metadata Instances pages.
  • Improvement (423531714): Various improvements on Helm charts, including image tag management, and k8s secrets/configmaps.
  • Improvement (407037164): More descriptive message added to MDE UI to confirm Type deletion.
Memorystore for Redis Cluster

You can now simulate maintenance events on your clusters in Memorystore for Redis Cluster. This feature helps you test how your application behaves during a maintenance event by triggering a simulation of the operations that occur during maintenance. This feature is available in Preview.

Memorystore for Valkey

You can now simulate maintenance events on your Memorystore for Valkey instances. This feature helps you test how your application behaves during a maintenance event by triggering a simulation of the operations that occur during maintenance. This feature is available in Preview.

Network Connectivity Center

Static routes for Network Connectivity Center are available in GA.

You can use static routes to define the next hop along the path that network traffic takes to reach a given destination. For more information about using static routes with Network Connectivity Center, see the Static routes overview.

Sensitive Data Protection

The August 25 release note announcing the release of the DOCUMENT_TYPE/FINANCE/INVOICE and DOCUMENT_TYPE/MEDICAL/RECORD infoType detectors was published in error. These infotypes are not available.

Spanner

A monthly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.84.0 (2025-08-05)

Features
  • spanner/adapter: Add last field in AdaptMessageResponse for internal optimization usage (c574e28)
  • spanner/admin/database: Proto changes for an internal api (eeb4b1f)
  • spanner: A new field snapshot_timestamp is added to message .google.spanner.v1.CommitResponse (ac4970b)
  • spanner: Add Google Cloud standard otel attributes (#11652) (f59fcff)
Bug Fixes
  • spanner: Context cancel in traces in case of skipping trailers (#12635) (509dc90)
  • spanner: Enforce only one resource header (#12618) (4e04b7e)
  • spanner: Fix blind retry for ResourceExhausted (#12523) (f9b6e88)
  • spanner: Remove stream wrapper for direct path check (#12622) (88a36cd)
Documentation
  • spanner: A comment for enum value OPTIMISTIC in enum ReadLockMode is changed (ac4970b)
  • spanner: A comment for enum value PESSIMISTIC in enum ReadLockMode is changed (ac4970b)
  • spanner: A comment for enum value READ_LOCK_MODE_UNSPECIFIED in enum ReadLockMode is changed (ac4970b)
  • spanner: A comment for field commit_stats in message .google.spanner.v1.CommitResponse is changed (ac4970b)
  • spanner: A comment for field exclude_txn_from_change_streams in message .google.spanner.v1.TransactionOptions is changed (ac4970b)
  • spanner: A comment for field multiplexed_session_previous_transaction_id in message .google.spanner.v1.TransactionOptions is changed (ac4970b)
  • spanner: A comment for field precommit_token in message .google.spanner.v1.CommitResponse is changed (ac4970b)
  • spanner: A comment for message .google.spanner.v1.MultiplexedSessionPrecommitToken is changed (ac4970b)
  • spanner: A comment for message .google.spanner.v1.TransactionOptions is changed (ac4970b)

1.84.1 (2025-08-06)

Features
Miscellaneous Chores

DO NOT USE. This version is retracted due to https://github.com/googleapis/google-cloud-go/issues/12659; use version >=v1.84.1.

Java

Changes for google-cloud-spanner

6.98.0 (2025-07-31)

Features
  • Proto changes for an internal api (675e90b)
  • spanner: A new field snapshot_timestamp is added to message .google.spanner.v1.CommitResponse (675e90b)
  • Support Exemplar (#3997) (fcf0a01)
  • Use multiplex sessions for RW and Partition Ops (#3996) (a882204)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.60.2 (675e90b)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.50.2 (#4004) (986c0e0)

6.98.1 (2025-08-11)

Bug Fixes
  • Add missing span.end calls for AsyncTransactionManager (#4012) (1a4adb4)
  • deps: Update the Java code generator (gapic-generator-java) to 2.61.0 (8156ef3)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.51.0 (#4013) (4e90c29)

Node.js

Changes for @google-cloud/spanner

8.1.0 (2025-07-28)

Features
  • Add Custom OpenTelemetry Exporter in for Service Metrics (#2272) (610d1b9)
  • Add methods from gax to cache proto root and process custom error details (#2330) (1b3931a)
  • Add metrics tracers (#2319) (192bf2b)
  • Add support for AFE latency metrics (#2348) (0666f05)
  • Add throughput_mode to UpdateDatabaseDdlRequest to be used by Spanner Migration Tool. See https://github.com/GoogleCloudPlatform/spanner-migration-tool (#2304) (a29af56)
  • Operation, Attempt, and GFE metrics (#2328) (646e6ea)
  • Proto changes for an internal api (#2356) (380e770)
  • spanner: A new field snapshot_timestamp is added to message .google.spanner.v1.CommitResponse (#2350) (0875cd8)
  • spanner: Add new change_stream.proto (#2315) (57d67be)
  • spanner: Add tpc support (#2333) (a381cab)
  • Track precommit token in r/w apis(multiplexed session) (#2312) (3676bfa)
Bug Fixes
Performance Improvements
  • Skip gRPC trailers for StreamingRead & ExecuteStreamingSql (#2313) (8bd0781)

Python

Changes for google-cloud-spanner

3.57.0 (2025-08-14)

Features
  • Support configuring logger in dbapi kwargs (#1400) (ffa5c9e)

Speech-to-Text

Speech-to-Text has launched chirp_3 in Public Preview. With this Public Preview of Chirp 3: Transcription, we are expanding transcription to 85+ languages and locales, in addition to StreamingRecognize and SyncRecognize requests for real-time and short-form audio. Under the chirp_3 model flag, you can experience significant improvements in accuracy and speed, and use features like Speaker Diarization and language-agnostic transcription.

To explore the new Chirp 3: Transcription model's capabilities and learn how to leverage its full potential, please visit our official documentation page.

Vertex AI Workbench

M132 release

The M132 release of Vertex AI Workbench instances includes the following:

  • The new scheduler Jupyter plugin (scheduler-jupyter-plugin) is now preinstalled in the JupyterLab 4 environment, with support for both the Cloud Composer and Vertex AI notebook schedulers.

  • Updated the Dataproc JupyterLab plugin (dataproc-jupyter-plugin) to version 0.1.90.

  • Patched bugs related to the managed end user credentials feature (Preview), resolving an incompatibility with listing Dataproc remote kernels.

  • Patched a bug that caused instances with disabled proxy access to get stuck in provisioning.

  • Removed the archived Debian 11 backports repository, resolving an issue with running apt update within the instance.

August 28, 2025

BigQuery

For additional layers of security and control, you can now use query templates to predefine and limit the queries that can be run in data clean rooms. For more information, see Use query templates. This feature is in preview.

Bigtable

Bigtable tools are available in Agent Development Kit (ADK). With these tools, you can build AI agents that can interact with Bigtable data and metadata in the following ways:

  • Obtain metadata about Bigtable tables and instances.
  • Execute LLM-powered SQL queries.

Cloud Data Fusion

The ServiceNow plugin version 1.2.7 is available in Cloud Data Fusion version 6.10.1. This release includes the following change:

  • Fixed an issue related to schema backward compatibility while upgrading from plugin version 1.1.0 (PLUGIN-1902).

Cloud Storage

Beginning October 31, 2025, if you set an object's age condition to a value of 0 when setting Object Lifecycle Management rules, the condition is satisfied at midnight UTC after the object is created, which helps reduce unintended data loss. To learn more about the age condition, see Lifecycle conditions.

Compute Engine

Generally available: M4 memory-optimized hypermem VMs are now generally available. These smaller machine types expand the memory-optimized family to allow for greater flexibility in matching your specific application needs. Hypermem VMs have a GB/vCPU ratio of 15.5:1 and are offered in the following sizes:

  • m4-hypermem-16
  • m4-hypermem-32
  • m4-hypermem-64

See the Regions and zones page to learn where you can create M4 VMs.

Gemini Enterprise

Google NotebookLM Enterprise: Generate podcasts using the Podcast API (GA with allowlist)

Use a standalone API to programmatically generate NotebookLM-style podcasts. No data store required; provide the source content directly to the Podcast API.

This feature is available to select Google Cloud customers (GA with allowlist). For more information, see Generate podcasts (API method).

Google Cloud VMware Engine

VMware Engine ve2 nodes are now available in the London, England, Europe region (europe-west2-a).

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.32.400-gke.68 is now available for download. To upgrade, see Upgrade a cluster. Distributed Cloud 1.32.400-gke.68 runs on Kubernetes v1.32.7-gke.200.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following issues were fixed in 1.32.400-gke.68:

Google Distributed Cloud (software only) for bare metal

Google Distributed Cloud for bare metal 1.32.400-gke.68 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.400-gke.68 runs on Kubernetes v1.32.7-gke.200.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The following issues were fixed in 1.32.400-gke.68:

  • Fixed an issue that caused the Ansible playbook for handling Customer-Acquired Licenses (CAL) to fail and not complete.

  • Fixed vulnerabilities listed in Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Kubernetes Engine

You can now run GPU workloads on Confidential GKE Nodes with the A3 High machine type and NVIDIA H100 GPUs. This feature is available in GKE version 1.32.2-gke.1297000 and later for manual GPU driver installation, and in version 1.33.3-gke.1392000 and later for automatic driver installation. This enables stronger data protection and integrity for GPU-accelerated computations running within GKE clusters and nodes. This feature is in General Availability.

For more information, see Encrypt GPU workload data in use with Confidential GKE Nodes.

GKE version 1.33.0-gke.1276000 and later remediate a low severity vulnerability, in which an attacker with the ability to patch Node resources by using the Kubernetes API could change specific node labels in clusters that use Workload Identity Federation for GKE. This could result in the attacker gaining access to node metadata, such as the IAM service account. To remediate this vulnerability, a validation policy is enforced that prevents unauthorized modifications to the node labels that control metadata protection.
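A version gate for the thresholds named in the two GKE notes above, as an added example that is not Google's code: it parses GKE version strings numerically, because plain string comparison misorders them. The function names and the sample inventory are constructed, and judging a cluster by its lowest reported version is an assumption, since the note does not say which component carries the fix.

```python
"""Triage a GKE version inventory against the versions named in the release note."""
import re
from typing import NamedTuple

# Versions quoted from the release note above.
NODE_LABEL_FIX = "1.33.0-gke.1276000"
CONFIDENTIAL_GPU_MANUAL = "1.32.2-gke.1297000"   # manual GPU driver installation
CONFIDENTIAL_GPU_AUTO = "1.33.3-gke.1392000"     # automatic driver installation

_PATTERN = re.compile(r"v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)")


class GkeVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    gke_build: int


def parse_gke_version(text: str) -> GkeVersion:
    """Turn '1.33.0-gke.1276000' into a tuple that compares numerically."""
    match = _PATTERN.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a GKE version string: {text!r}")
    return GkeVersion(*(int(part) for part in match.groups()))


def at_least(version: str, minimum: str) -> bool:
    return parse_gke_version(version) >= parse_gke_version(minimum)


def triage(inventory: dict) -> dict:
    """Map each cluster to its status, or to 'unknown' if a version is unusable.

    inventory: cluster name -> list of version strings (control plane and
    node pools). Assumption: the lowest version decides the outcome.
    """
    report = {}
    for cluster, versions in inventory.items():
        try:
            # min() also raises ValueError when the list is empty.
            lowest = min(parse_gke_version(v) for v in versions)
        except ValueError:
            report[cluster] = "unknown"
            continue
        if lowest >= parse_gke_version(CONFIDENTIAL_GPU_AUTO):
            gpu = "automatic"
        elif lowest >= parse_gke_version(CONFIDENTIAL_GPU_MANUAL):
            gpu = "manual"
        else:
            gpu = "unsupported"
        report[cluster] = {
            "node_label_fix": lowest >= parse_gke_version(NODE_LABEL_FIX),
            "confidential_gpu_drivers": gpu,
        }
    return report


# Constructed sample inventory; cluster names and version mixes are invented.
SAMPLE_INVENTORY = {
    "prod-a": ["1.33.3-gke.1392000", "1.33.3-gke.1392000"],
    "prod-b": ["1.33.0-gke.1276000", "1.32.8-gke.1005000"],  # lagging node pool
    "staging": ["1.33.0-gke.999000"],   # sorts above the fix as a string
    "legacy": ["1.9.7-gke.11"],         # also sorts above 1.33 as a string
    "broken": ["latest"],               # unparsable, reported as unknown
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Clusters reported as `unknown` need a manual look rather than being counted as remediated.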

Google SecOps

Composite detections for MITRE ATT&CK

The Curated Detections feature has been enhanced with new composite rules that define chains of MITRE ATT&CK tactics and techniques.

These powerful new rule packs are now in public preview for customers with a Google SecOps Enterprise or Enterprise Plus license.

To learn more, a companion blog post will be published on the Google Security Cloud Community on September 9, 2025.

Google SecOps SIEM

Composite detections for MITRE ATT&CK

The Curated Detections feature has been enhanced with new composite rules that define chains of MITRE ATT&CK tactics and techniques.

These powerful new rule packs are now in public preview for customers with a Google SecOps Enterprise or Enterprise Plus license.

To learn more, a companion blog post will be published on the Google Security Cloud Community on September 9, 2025.

Looker Studio

Vertical stacking in responsive reports

Responsive reports now support vertical stacking. You can add multiple components to a column within a section.

Managed Lustre

You can now increase the storage capacity of your Managed Lustre instances after they've been created.

See Increase the capacity of a Managed Lustre instance.

Organization Policy

Certain Organization Policy managed constraints that were released on August 21, 2025 were not functioning as intended. The Organization Policy Service evaluated these constraints as if the effectiveInstanceMetadata field of the resources that they were enforced on was empty, causing them to always evaluate to either allow or deny access to the resource.

The following managed constraints were evaluated to always allow creation of resources where they were enforced:

  • constraints/compute.managed.disableGuestAttributesAccess
  • constraints/compute.managed.disableSerialPortAccess
  • constraints/compute.managed.disableSerialPortLogging

The following managed constraints were evaluated to always block creation of resources where they were enforced:

  • constraints/compute.managed.disallowGlobalDns
  • constraints/compute.managed.requireOsConfig
  • constraints/compute.managed.requireOsLogin

This issue has been corrected, and these constraints now properly evaluate the effectiveInstanceMetadata field to determine whether resource creation should be allowed or blocked.

Resource Manager

Certain Organization Policy managed constraints that were released on August 21, 2025 were not functioning as intended. The Organization Policy Service evaluated these constraints as if the effectiveInstanceMetadata field of the resources that they were enforced on was empty, causing them to always evaluate to either allow or deny access to the resource.

The following managed constraints were evaluated to always allow creation of resources where they were enforced:

  • constraints/compute.managed.disableGuestAttributesAccess
  • constraints/compute.managed.disableSerialPortAccess
  • constraints/compute.managed.disableSerialPortLogging

The following managed constraints were evaluated to always block creation of resources where they were enforced:

  • constraints/compute.managed.disallowGlobalDns
  • constraints/compute.managed.requireOsConfig
  • constraints/compute.managed.requireOsLogin

This issue has been corrected, and these constraints now properly evaluate the effectiveInstanceMetadata field to determine whether resource creation should be allowed or blocked.

reCAPTCHA

Transaction Defense Reasons is generally available. This feature enhances transparency by providing clear, human-readable explanations for why a particular transaction receives a high transaction risk score. The reasons help you better understand the risk assessments and take more informed actions to protect against fraud.

For more information, see Risk reason.

We've enhanced the reCAPTCHA Admin console to provide a more intuitive interface for configuring risk score thresholds. These improvements help you define how to act on different risk scores. You can also get a better understanding of the transactions that will exceed the threshold, which can help you decide which transactions to allow, block, or review further.

For more information, see Protect payment transactions with Fraud Prevention.

August 27, 2025

Google Kubernetes Engine

(2025-R36) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.14-gke.1011000
    • 1.31.11-gke.1064000
    • 1.31.11-gke.1135000
    • 1.32.7-gke.1016000
    • 1.32.8-gke.1005000
    • 1.33.3-gke.1392000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.14-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.11-gke.1101000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.7-gke.1079000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.14-gke.1036000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.11-gke.1101000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.7-gke.1079000 with this release.

Regular channel

  • Version 1.33.3-gke.1136000 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.12-gke.1414000
    • 1.31.11-gke.1064000
    • 1.32.6-gke.1125000
    • 1.33.2-gke.1240000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.14-gke.1011000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.32.7-gke.1016000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.14-gke.1011000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.7-gke.1016000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.33 to version 1.33.3-gke.1136000 with this release.

Stable channel

  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.30.12-gke.1372000
    • 1.31.10-gke.1067000
    • 1.32.6-gke.1096000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.12-gke.1390000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.31.11-gke.1002000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.12-gke.1390000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.11-gke.1002000 with this release.

Extended channel

  • Version 1.33.3-gke.1136000 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.28.15-gke.2507000
    • 1.28.15-gke.2564000
    • 1.29.15-gke.1686000
    • 1.29.15-gke.1773000
    • 1.30.12-gke.1414000
    • 1.31.11-gke.1064000
    • 1.32.6-gke.1125000
    • 1.33.2-gke.1240000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2527000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2527000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.15-gke.1713000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.14-gke.1011000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.7-gke.1016000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.33 to version 1.33.3-gke.1136000 with this release.

No channel