IAM release notes

This page documents production updates to Identity and Access Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

Note: To learn about changes to the IAM permissions for each Google Cloud service, see the permissions change log.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

December 15, 2025

Change

You can ask Gemini for predefined role suggestions (preview) without enabling any APIs.

In addition, you can get custom role suggestions from Gemini using the Cloud Assist panel in the Google Cloud console.

For more information, see Get predefined role suggestions with Gemini assistance.

Feature

A new infinite-scrolling UI for audit logs is available on the Privileged Access Manager > Audit logs page in the Google Cloud console. This interface update replaces pagination with clear data loading indicators and time boundaries to help facilitate event investigations.

This feature is in preview.

September 26, 2025

Change

For Privileged Access Manager, notification emails for grant activation, activation failure, or denial no longer include approver details.

To learn how to view the approver details, see Check grant status.

September 12, 2025

Feature

Permission errors in the Google Cloud console contain actionable steps for remediation. For more information, see Troubleshoot permission error messages.

Feature

IAM offers predefined roles that are tailored to specific job functions. These roles cover all of the permissions that a user might need to perform their job. This feature is generally available.

For more information, see Predefined roles for job functions.

July 21, 2025

Feature

You can ask Gemini for predefined role suggestions using the IAM role picker in the Google Cloud console. This feature is in preview.

For more information, see Get predefined role suggestions with Gemini assistance.

June 13, 2025

Change

Conditions that check the tags for a resource can also check other attributes, such as the resource name or the timestamp of the request. This feature is available in Preview. For more information, see Resource tags.

May 28, 2025

Feature

Workforce Identity Federation supports detailed audit logging, which you can use to troubleshoot attribute mapping issues. This feature is generally available.

May 15, 2025

Change

The predefined role reference and the permissions reference have been reorganized to improve performance and searchability. To see the new experience, visit the IAM roles and permissions index.

May 07, 2025

May 05, 2025

Change

A new enforcement version, enforcement version 3, is available for principal access boundary policies. To learn more about enforcement versions and see the permissions that enforcement version 3 can block, see Permissions that principal access boundary policies can block.

February 24, 2025

Change

Workforce Identity Federation supports an attribute mapping of up to 400 groups and a maximum size of 16 KB.

Feature

Workforce Identity Federation can map up to 400 groups from Microsoft Entra ID. The feature is generally available. To learn more, see Configure Workforce Identity Federation with Microsoft Entra ID and a large number of groups.

December 16, 2024

Change

Principal access boundary policies are generally available. You can use principal access boundary policies to limit the resources that a principal is eligible to access.

December 09, 2024

Feature

You can use the iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts managed organization policy constraint to prevent default service accounts from being granted the Editor (roles/editor) or Owner (roles/owner) roles. For more information, see Prevent the Owner and Editor role from being granted to default service accounts.

Change

Using IAM attributes in custom organization policies is generally available. For more information, see Use custom organization policies.

September 16, 2024

Feature

Privileged Access Manager (PAM) is now released to General Availability. The following features have been added:

September 12, 2024

Change

You can manage IAM deny policies using the Google Cloud console. For more information, see Deny access to resources.

August 12, 2024

Feature

You can attach tags to Identity and Access Management (IAM) service accounts to conditionally grant or deny access to specific service accounts. This feature is in Preview. For more information, see Creating and managing tags for service accounts.

July 30, 2024

Feature

You can use IAM attributes in custom organization policies to control how your allow policies can be modified. For more information, see Use custom organization policies.

June 10, 2024

Feature

You can use principal access boundary policies to limit the resources that a principal is eligible to access. This feature is available in Preview.

May 08, 2024

Feature

Privileged Access Manager (PAM) lets you manage just-in-time temporary privilege elevation for select principals and view audit logs afterward to find out who had access to what and when. This feature is in Preview.

May 03, 2024

Change

As of May 3, 2024, when you create a new organization, it enforces the following organization policy constraints by default:

  • iam.disableServiceAccountKeyCreation
  • iam.disableServiceAccountKeyUpload
  • iam.automaticGrantsForDefaultServiceAccounts
  • iam.allowedPolicyMemberDomains

For more information, see Restricting service account usage and Restricting identities by domain.

March 15, 2024

Change

You can use the iam.serviceAccountKeyExposureResponse organization policy constraint to help manage leaked service account credentials.

March 05, 2024

Change

To improve performance, we've removed the ability to expand abbreviated permissions in the predefined roles table. You can still filter the predefined roles table based on the full list of permissions included in a role.

February 15, 2024

Feature

Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. The feature is in Preview. Google Cloud provisions X.509 credentials, issued from Certificate Authority Service, that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication. For more information, see Managed workload identities overview.

January 17, 2024

Change

IAM deny policies let you deny groups of permissions for certain services. For more information, see Permission groups.

December 11, 2023

Change

You can use identities from workforce and workload identity pools in IAM deny policies. For more information, see Principal identifiers.

September 27, 2023

Feature

You can now configure IAM workforce identity federation using the Google Cloud console. To learn more, see the configuration guides for Azure AD, Okta, or other OIDC and SAML 2.0 providers. The feature is in General Availability (GA).

September 13, 2023

Feature

You can now configure IAM workforce identity federation using the Google Cloud console. To learn more, see the configuration guides for Azure AD, Okta, or other OIDC and SAML 2.0 providers. The feature is in Preview.

August 14, 2023

Change

For Credential Access Boundaries, removed the requirement to enable uniform bucket-level access for your Cloud Storage bucket.

July 11, 2023

Change

Workforce identity federation now supports browser-based sign-in with the Google Cloud CLI. The feature is generally available (GA). To use it, see Browser-based sign-in in Obtain short-lived tokens for workforce identity federation, or locate the Browser-based sign-in section in the configuration guide for your identity provider.

June 22, 2023

Feature

You can trigger service agent creation instead of waiting for service agents to be created automatically. This feature is in Preview.

April 05, 2023

Feature

Workforce identity federation and workload identity federation can now accept encrypted SAML assertions. The feature is generally available (GA). To use the feature, locate the Create the workload identity pool and provider section in the configuration guide for your identity provider and follow the gcloud CLI instructions for the SAML workflow.

March 13, 2023

Feature

Workforce identity federation now supports browser-based sign-in with the Google Cloud CLI. The feature is in Preview. To use it, see Browser-based sign-in in Obtain short-lived tokens for workforce identity federation, or locate the Browser-based sign-in section in the configuration guide for your identity provider.

March 07, 2023

Feature

You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is generally available (GA).

March 03, 2023

Change

The IAM documentation has been reorganized. We made the following changes:

  • Reorganized the left-hand navigation for the Guides tab.
  • Removed the Support tab and relocated its documents to the Resources and Guides tabs.

February 10, 2023

Announcement

Workforce identity federation is generally available (GA). The feature lets you use an external identity provider to authenticate and authorize users to access supported Google Cloud products.

December 14, 2022

Issue

For information about issues with workforce identity federation, see Troubleshoot workforce identity federation.

December 01, 2022

Issue

For some users, the IAM basic and predefined roles reference is crashing or is very slow to load. We are working to mitigate this issue.

November 09, 2022

Feature

You can use the Google Cloud console to view authentication activities, which indicate when your service accounts and keys were last used to call a Google API.

October 25, 2022

Change

Deny policies are generally available (GA). Use deny policies to prevent principals from using certain permissions, regardless of the roles they're granted.

September 20, 2022

Change

Conceptual and reference information for IAM basic and predefined roles has been improved. You can now filter the predefined roles table, expand abbreviated permissions to see all included permissions, and quickly identify owner permissions.

August 18, 2022

Feature

Workforce identity federation now lets users from external identity providers sign in to the Google Cloud workforce identity federation console, also known as the console (federated). The console (federated) provides UI access to supported Google Cloud products. This feature is available in Preview.

July 07, 2022

Feature

Workforce identity federation lets you authenticate and authorize users from external identity providers to access supported Google Cloud products. This feature is available in Preview.

June 30, 2022

Fixed

In June 2022, IAM had an issue that resulted in excess usage metrics for service accounts and service account keys when any of the following actions were performed:

Each time you took any of these actions, Cloud Monitoring recorded an authentication usage metric for the parent service account, and for each of its service account keys, regardless of whether you used the service account or its keys to authenticate. These excess metrics were visible in Cloud Monitoring, and in the metrics for individual service accounts and keys, from June 7, 2022, through June 17, 2022.

In addition, these excess metrics were visible in other systems that use data from Cloud Monitoring, including Activity Analyzer, which shows when service accounts and keys were used to authenticate, and service account insights, which provide findings about unused service accounts. Excess metrics were visible in these systems from June 7, 2022, through June 22, 2022.

This issue has been corrected, and Cloud Monitoring is no longer recording these excess metrics. However, the last authentication time for each service account and key will continue to reflect the excess metrics indefinitely, until you authenticate with the service account or key again.

May 05, 2022

Change

Documentation for Activity Analyzer, IAM insights, IAM Policy Troubleshooter, IAM role recommendations, and IAM Policy Simulator has moved to the Policy Intelligence documentation.

April 29, 2022

Change

Support for using workload identity federation with any SAML 2.0-compatible identity provider is now generally available.

April 25, 2022

Change

The IAM documentation now refers to "IAM policies" as "allow policies." You might continue to see references to "IAM policies" in other documentation.

This change does not affect REST APIs, client libraries, or flags for the gcloud CLI.

April 22, 2022

Feature

IAM Conditions now provides resource attributes for Cloud SQL backup sets. You can use these resource attributes to grant access to a subset of your Cloud SQL resources.

March 25, 2022

Feature

IAM Conditions now provides resource attributes for Apigee X. You can use these resource attributes to grant access to a subset of your Apigee X resources.

March 03, 2022

Feature

You can now use deny policies to prevent principals from using certain permissions, regardless of the roles they're granted. This feature is in Preview.

January 27, 2022

Feature

You can now set an expiry time for all newly created service account keys in your project, folder, or organization. This feature is in Preview. To use this feature, request access to the Preview release.

December 03, 2021

Change

The IAM documentation now explains how to choose the most appropriate predefined roles.

October 26, 2021

Feature

For Credential Access Boundaries, you can now use updated authentication libraries for Go, Java, Node.js, and Python to automatically exchange OAuth 2.0 access tokens for downscoped tokens.

For details, see Exchange and refresh the access token automatically.

October 19, 2021

Change

The IAM page of the Cloud Console now lists lateral movement insights in addition to policy insights. Lateral movement insights are in Preview.

October 13, 2021

Feature

You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.

September 30, 2021

Change

IAM role recommendations for folder- and organization-level roles are now generally available.

September 20, 2021

Change

The reference documentation for predefined roles now uses a new format that is easier to browse.

Change

The IAM documentation now refers to the identities that can be granted access to a resource as principals. Previously, these identities were known as members.

This change does not affect the REST API, the client libraries, or the flags for the gcloud command-line tool.

September 16, 2021

August 27, 2021

Change

August 02, 2021

Feature

You can now use Activity Analyzer to see when your service accounts and keys were last used to call a Google API. This feature is in Preview.

July 27, 2021

Feature

Recommender now generates lateral movement insights, which identify roles that allow a service account in one project to impersonate a service account in another project. You can manage lateral movement insights using the gcloud command-line tool or the Recommender REST API. This feature is available in Preview.

July 22, 2021

Feature

A C++ client library for IAM is now available. The client library supports the IAM API and the Service Account Credentials API.

July 21, 2021

Change

You can now set limits on the Cloud Storage roles that a member can grant and revoke. This is possible because Cloud Storage now recognizes the modifiedGrantsByRole API attribute in conditions.

June 10, 2021

Change

The documentation for IAM role recommendations now has more detail about how insights are used to generate recommendations.

May 14, 2021

Feature

You can now use the Google Cloud Console to manage workload identity federation. For details, see the documentation for your identity provider:

May 10, 2021

Change

The ability to attach service accounts to resources in other projects is now generally available.

April 09, 2021

Change

Workload identity federation is now generally available. You can use workload identity federation to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

April 07, 2021

Feature

You can now get recommendations for folder- and organization-level role bindings using the gcloud command-line tool and REST API. This feature is available in Preview.

April 01, 2021

Change

Policy Simulator is now generally available. You can use Policy Simulator to simulate policy changes before you apply them.

March 16, 2021

Change

Tags are now generally available. You can attach tags to resources, then use the tags to manage access to your resources.

March 04, 2021

Feature

For workload identity federation, available in beta, you can now use updated client libraries for C++, Go, Java, Node.js, and Python to automatically obtain Google credentials.

For details, see the documentation for your identity provider:

February 24, 2021

Feature

You can now use Policy Simulator to simulate policy changes before you apply them. This feature is available in Preview.

February 16, 2021

Feature

You can now use IAM conditions to set limits on the roles that a member can grant and revoke. This feature is generally available.

February 09, 2021

Feature

You can now attach tags to resources, then use the tags to manage access to your resources. This feature is available in Preview.

Issue

If you run one of the gcloud tool's add-iam-policy-binding commands, and the IAM policy contains conditional role bindings for that role, the gcloud tool prompts you to choose one of the condition expressions that exists in the policy. If you choose a condition expression that contains a comma, the command fails.

To work around this issue, use the --condition flag to specify a condition expression on the command line.

January 20, 2021

Feature

You can now troubleshoot conditional role bindings by troubleshooting directly from audit log entries. This feature is available in Preview.

December 17, 2020

Feature

You can now attach service accounts to resources in other projects. This feature is available in Preview.

December 14, 2020

Change

You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is generally available.

November 24, 2020

Change

IAM Conditions: Starting on February 26, 2021, if a permission check encounters an unsupported attribute in a conditional role binding, it will never interpret that part of the condition as granting access.

To prevent access issues, limit the scope of conditions when necessary, especially if a condition checks the resource.name attribute.

November 12, 2020

Feature

IAM Conditions now provides resource attributes for Pub/Sub Lite. You can use these resource attributes to grant access to a subset of your Pub/Sub Lite subscriptions and topics.

October 16, 2020

Change

Credential Access Boundaries are now generally available. Use Credential Access Boundaries to downscope the permissions that a short-lived credential can use to access a Cloud Storage bucket.

Feature

You can now manage service account insights generated by the IAM recommender. This feature is available in beta.

October 15, 2020

Change

If a role binding in an IAM policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you can now add role bindings for a newly created member with the same name (in this case, user:tamika@example.com). The role bindings always apply to the newly created member.

For details, see the documentation for policies with deleted members.

October 09, 2020

Change

The documentation now provides details about service agents for all publicly available services. A service agent is a special type of service account that is created and managed by Google, and is used by Google Cloud services to access your resources.

September 21, 2020

Feature

You can now use workload identity federation, available in beta, to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

September 17, 2020

Fixed

The issue with undeleting service accounts has been resolved. You can now undelete most service accounts that meet the criteria for undeletion.

September 16, 2020

Change

The documentation now includes a quickstart demonstrating how to modify IAM policies using client libraries.

September 09, 2020

Issue

You cannot undelete most service accounts at this time. Our engineering team is working to resolve this issue.

August 28, 2020

Feature

New features are available for Credential Access Boundaries, currently in beta:

  • You can now manage permissions for Cloud Storage objects, in addition to buckets.
  • You can now use IAM Conditions to control which permissions are available in a short-lived OAuth 2.0 access token. For an example, see Limit permissions for specific objects.
  • You can now use Credential Access Boundaries with a Cloud Storage bucket that does not use uniform bucket-level access.

Change

For Credential Access Boundaries, currently in beta, you must migrate to a new API endpoint, sts.googleapis.com. To learn how to use the new API endpoint, see Exchanging the OAuth 2.0 access token.

August 25, 2020

Change

Uploading public keys for service accounts is now generally available.

August 18, 2020

Change

August 14, 2020

Feature

You can now use Cloud Monitoring to check when your service accounts and service account keys were used. This feature is available in beta.

Feature

You can now use an organization policy to extend the maximum lifetime for OAuth 2.0 access tokens that you create for a service account.

August 05, 2020

Feature

You can now manage policy insights generated by the IAM recommender. This feature is generally available.

July 31, 2020

Change

The documentation now describes best practices for using the IAM recommender.

Change

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on September 14, 2020.

July 20, 2020

Change

We are delaying the upcoming changes for deleted members that are bound to a role. These changes will take effect starting on August 31, 2020.

July 01, 2020

Change

The organization policy constraint to prevent automatic role grants to IAM service accounts is now generally available. To improve security, we strongly recommend that you enable this constraint.

Change

Starting on July 27, 2020, IAM policies will identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=numeric-id.

For example, if you delete the account for the user tamika@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:tamika@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting on July 27. For GetIamPolicy and SetIamPolicy responses, you might see the new prefix and suffix in some, but not all, responses until we finish rolling out the change. We expect to complete the rollout by July 31, 2020.

See the documentation for a detailed example, as well as guidance on updating policies that contain deleted members.

Issue

Starting on July 27, 2020, if a binding in a policy refers to a deleted member (for example, deleted:user:tamika@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:tamika@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.

To resolve this issue, see our guidance on updating policies that contain deleted members.

June 22, 2020

Deprecated

Using the IAM API to sign JSON Web Tokens (JWTs) or binary blobs is now deprecated.

May 19, 2020

Feature

You can now manage Google Groups from the Cloud Console. This feature is available in beta.

May 18, 2020

Change

Recommendations from the IAM recommender can now include suggestions to create custom roles.

April 01, 2020

Feature

When you use a service account key to access Google Cloud, your audit logs now identify the key that was used.

March 17, 2020

Change

Forwarding rule attributes for IAM Conditions are now generally available. You can use these attributes to specify the types of forwarding rules that a member can create.

March 05, 2020

Feature

For Cloud Storage buckets, you can now use Credential Access Boundaries, currently in beta, to downscope the permissions that a short-lived credential can use.

February 28, 2020

Change

IAM Conditions are now generally available. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

Feature

For IAM Conditions, you can now use the extract() function to extract a value from a resource name. This function enables condition expressions to refer to an arbitrary part of the resource name.

February 21, 2020

Change

A version 1 IAM policy can now include conditional role bindings. The role name in these bindings includes the string withcond, followed by a hash value. For example: roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8

If you see the string withcond in an IAM policy, follow the steps in the troubleshooting guide.

February 18, 2020

February 13, 2020

Change

The IAM recommender is now generally available. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

February 04, 2020

Feature

IAM Conditions now supports forwarding rule attributes, currently in beta. You can use these attributes to specify the types of forwarding rules that a member can create.

December 17, 2019

Change

Policy Troubleshooter is now generally available. Use Policy Troubleshooter to determine why a user has access to a resource or doesn't have permission to call an API.

December 13, 2019

Change

On December 9, we announced that IAM policies would now identify deleted members. We have temporarily reverted this change. IAM policies no longer identify deleted members.

December 12, 2019

Feature

IAM Conditions are now available in public beta. You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources.

December 09, 2019

Change

IAM policies now identify deleted members that are bound to a role. Deleted members have the prefix deleted: and the suffix ?uid=[NUMERIC_ID].

For example, if you delete the account for the user bob@example.com, and a policy binds that user to a role, the policy shows an identifier similar to deleted:user:bob@example.com?uid=123456789012345678901.

For SetIamPolicy requests, you can use this new syntax starting today. For GetIamPolicy and SetIamPolicy responses, because we are still rolling out this change, you might see the new prefix and suffix in some, but not all, responses. We expect to complete the rollout by December 13, 2019.

Issue

If a binding in a policy refers to a deleted member (for example, deleted:user:bob@example.com?uid=123456789012345678901), you cannot add a binding for a newly created member with the same name (in this case, user:bob@example.com). If you try to add a binding for the newly created member, IAM will apply the binding to the deleted member instead.
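
The following is an added example, not code from Google's documentation or client libraries, for two identifier formats described in these notes: the deleted-member syntax (deleted:TYPE:NAME?uid=NUMERIC_ID, announced here and again in the July 2020 notes) and the withcond role names that version 1 policies surface for conditional bindings (February 21, 2020). It parses a policy as returned by GetIamPolicy, reports bindings that reference deleted principals or withcond roles, and, for a principal you intend to add, lists the deleted-principal bindings with the same type and name that would have captured the new binding under the behaviour described in the Issue above. The policy document, the hypothetical function names, and the assumption that principal types are user, serviceAccount, or group are constructed for this example; the identifiers themselves are the ones quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Deleted principals appear as deleted:<type>:<name>?uid=<numeric-id>
# (format from the release notes above).
DELETED_RE = re.compile(
    r"^deleted:(?P<type>[A-Za-z]+):(?P<name>[^?]+)\?uid=(?P<uid>\d+)$"
)
# Version 1 policies surface conditional bindings as <role>_withcond_<hash>.
WITHCOND_RE = re.compile(r"^(?P<role>.+)_withcond_(?P<hash>[0-9a-f]+)$")


@dataclass(frozen=True)
class Principal:
    kind: str                # assumed to be user, serviceAccount or group
    name: str                # e.g. tamika@example.com
    deleted: bool
    uid: Optional[str] = None

    @property
    def live_id(self) -> str:
        """Identifier a newly created principal with the same name would use."""
        return f"{self.kind}:{self.name}"


def parse_member(member: str) -> Principal:
    """Split a policy member string into its type, name and deleted marker."""
    m = DELETED_RE.match(member)
    if m:
        return Principal(m["type"], m["name"], True, m["uid"])
    kind, sep, name = member.partition(":")
    if not sep or not name:
        raise ValueError(f"unrecognised member identifier: {member!r}")
    return Principal(kind, name, False)


def audit_policy(policy: dict) -> dict:
    """Collect bindings that reference deleted principals or withcond roles."""
    report = {"deleted_members": [], "withcond_roles": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if WITHCOND_RE.match(role):
            report["withcond_roles"].append(role)
        for member in binding.get("members", []):
            if parse_member(member).deleted:
                report["deleted_members"].append((role, member))
    return report


def stale_bindings_for(policy: dict, new_member: str) -> list:
    """Bindings for a deleted principal whose type and name match new_member.

    These are the bindings to clean up (see the guidance on updating policies
    that contain deleted members) before adding the re-created principal.
    """
    target = parse_member(new_member)
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            p = parse_member(member)
            if p.deleted and p.live_id == target.live_id:
                hits.append((binding["role"], member))
    return hits


# Constructed sample policy (not from the page) that contains both markers.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com",
                     "deleted:user:tamika@example.com?uid=123456789012345678901"]},
        {"role": "roles/iam.serviceAccountAdmin_withcond_2b17cc25d2cd9e2c54d8",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
    print(stale_bindings_for(SAMPLE_POLICY, "user:tamika@example.com"))
```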

September 23, 2019

Feature

The IAM recommender is now available in beta. The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually use.

September 18, 2019

Feature

You can now upload a public key for a service account, which causes service account keys to be signed with that public key. This feature is available in beta.

August 20, 2019

Change

The Service Account Credentials API is now generally available. Use this API to create short-lived service account credentials.

March 28, 2019

Feature

When you create or update a service account, you can now provide a description of the service account.

June 29, 2018

Feature

You can now create short-lived service account credentials with the Service Account Credentials API, available in beta.

February 27, 2018

January 31, 2018

Change

Custom roles are now generally available. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

For more information, see the following topics:

September 27, 2017

Change

Custom roles are now available in beta. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

September 14, 2017

Change

You can now refer to the IAM permissions change log to determine what permissions have changed recently. Use this change log to help you maintain and troubleshoot your custom roles.

July 06, 2017

Change

You can now learn how to configure IAM roles for networking-related job functions.

June 28, 2017

Change

Custom roles are now available in a public alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 24, 2017

Change

You can now learn how to configure IAM roles for billing-related job functions.

March 08, 2017

Feature

Custom roles are now available in a private alpha. You can create a custom IAM role with one or more permissions, then grant that custom role to users in your organization.

May 10, 2016

Change

March 28, 2016

Change

Documentation is now available to help you understand service accounts and use IAM securely.

March 08, 2016

Feature

IAM is now available in beta.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.