Yandex Identity and Access Management release notes
Written by
Updated at June 4, 2026
April 2026
Identity and Access Management updates
- Added the
MASKED KEYfield to display the last six characters of the secret part of the key in the API key list.
New roles
Yandex Cloud Notification Service
| Role | Description |
|---|---|
notifications.admin |
Enables the user to manage all notification channels and topics and send notifications to all channels and topics. |
notifications.auditor |
Enables the user to view all notification channel metadata, topic metadata, and info on quotas. |
notifications.editor |
Enables the user to manage all notification channels and topics and send notifications to all channels and topics. |
notifications.publisher |
Enables the user to send notifications to all channels and topics. |
notifications.viewer |
Enables the user to view info on topics, notification channels, and quotas. |
Yandex DataLens
| Role | Description |
|---|---|
datalens.metaReader |
Enables the user to execute requests from the Audit section in the DataLens Public API. |
Yandex Cloud DNS
| Role | Description |
|---|---|
dns.firewallEditor |
Enables the user to manage DNS firewalls and use clouds, folders, and cloud networks as resources for them. |
dns.firewallUser |
Enables the user to use clouds, folders, and cloud networks as resources for DNS firewalls and to view info on resources and quotas of the service. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.groups.viewer |
Enables the user to view info on user groups and access permissions granted to them, and to view the list of users and service accounts forming part of the group. |
Yandex Managed Service for Kubernetes
| Role | Description |
|---|---|
k8s.cluster-api.admin |
Grants the yc:k8s-core-admin group and the admin role in Kubernetes RBAC. |
Managed databases
| Role | Description |
|---|---|
mdb.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for managed database clusters and modify such tasks, view info on clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the services. |
mdb.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for managed database clusters, as well as info on such clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the services. |
mdb.switcher |
Enables the user to re-assign the master host in managed database clusters, view info on clusters, hosts, databases, and users, cluster logs, data on quotas and operations with resources of the services. |
March 2026
New roles
Yandex Cloud AI Studio
| Role | Description |
|---|---|
ai.guardrails.admin |
Enables the user to view info on model response guardrails, create, apply, modify, and delete such guardrails. |
ai.guardrails.auditor |
Enables the user to view metadata on model response guardrails. |
ai.guardrails.editor |
Enables the user to view info on model response guardrails, create, apply, modify, and delete such guardrails. |
ai.guardrails.user |
Enables the user to apply model response guardrails and view their metadata. |
ai.guardrails.viewer |
Enables the user to view info on model response guardrails. |
Yandex MPP Analytics for PostgreSQL
| Role | Description |
|---|---|
managed-greenplum.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Greenplum® clusters and modify such tasks, view info on Greenplum® clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-greenplum.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for Greenplum® clusters, such clusters themselves and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-greenplum.user |
Enables the use of Greenplum® clusters. |
Yandex Managed Service for Apache Airflow™
| Role | Description |
|---|---|
managed-airflow.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Apache Airflow™ clusters and modify such tasks, view info on Apache Airflow™ clusters and access permissions granted for them, as well as quotas. |
managed-airflow.maintenanceTask.viewer |
Enables the user to view info on Apache Airflow™ clusters and access permissions granted for them, their maintenance tasks, and quotas. |
Yandex Managed Service for Apache Kafka®
| Role | Description |
|---|---|
managed-kafka.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Apache Kafka® clusters and modify such tasks, view info on Apache Kafka® clusters and access permissions granted for them, quotas and operations with resources of the service. |
managed-kafka.maintenanceTask.viewer |
Enables the user to view info on Apache Kafka® clusters and access permissions granted for them, their maintenance tasks, quotas and operations with resources of the service. |
managed-kafka.user |
Enables the use of Apache Kafka® clusters. |
Yandex Managed Service for Apache Spark™
| Role | Description |
|---|---|
managed-spark.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Apache Spark™ clusters and modify such tasks, view info on Apache Spark™ clusters and access permissions granted for them, as well as quotas. |
managed-spark.maintenanceTask.viewer |
Enables the user to view info on Apache Spark™ clusters and access permissions granted for them, their maintenance tasks, and quotas. |
Yandex Managed Service for ClickHouse®
| Role | Description |
|---|---|
managed-clickhouse.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for ClickHouse® clusters and modify such tasks, view info on ClickHouse® clusters and access permissions granted for them, quotas and operations with resources of the service. |
managed-clickhouse.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for ClickHouse® clusters, ClickHouse® clusters and access permissions granted for them, quotas and operations with resources of the service. |
managed-clickhouse.user |
Enables the use of ClickHouse® clusters. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for MySQL® clusters and modify such tasks, view info on MySQL® clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-mysql.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for MySQL® clusters, such clusters themselves and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-mysql.switcher |
Enables the user to re-assign the master host in MySQL® clusters, view info on MySQL® clusters, hosts, databases, and users, view cluster logs, data on quotas and operations with resources of the service. |
managed-mysql.user |
Enables the use of MySQL® clusters. |
Yandex Managed Service for OpenSearch
| Role | Description |
|---|---|
managed-opensearch.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for OpenSearch clusters and modify such tasks, view info on OpenSearch clusters and access permissions granted for them, quotas and operations with resources of the service. |
managed-opensearch.maintenanceTask.viewer |
Enables the user to view info on OpenSearch clusters and access permissions granted for them, their maintenance tasks, quotas and operations with resources of the service. |
managed-opensearch.user |
Enables the use of OpenSearch clusters. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for PostgreSQL clusters and modify such tasks, view info on PostgreSQL clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-postgresql.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for PostgreSQL clusters, such clusters themselves and access permissions granted for them, hosts and backups, quotas and operations with resources of the service. |
managed-postgresql.switcher |
Enables the user to re-assign the master host in PostgreSQL clusters, view info on PostgreSQL clusters, hosts, databases, and users, view cluster logs, data on quotas and operations with resources of the service. |
managed-postgresql.user |
Enables the use of PostgreSQL clusters. |
Yandex Managed Service for Sharded PostgreSQL
| Role | Description |
|---|---|
managed-spqr.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Sharded PostgreSQL clusters and modify such tasks, view info on Sharded PostgreSQL clusters and access permissions granted for them, cluster hosts, quotas and operations with resources of the service. |
managed-spqr.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for Sharded PostgreSQL clusters, such clusters themselves and access permissions granted for them, cluster hosts, quotas and operations with resources of the service. |
Yandex Managed Service for Trino
| Role | Description |
|---|---|
managed-trino.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Trino clusters and modify such tasks, view info on Trino clusters and access permissions granted for them, as well as quotas. |
managed-trino.maintenanceTask.viewer |
Enables the user to view info on Trino clusters and access permissions granted for them, their maintenance tasks, and quotas. |
Yandex Managed Service for Valkey™
| Role | Description |
|---|---|
managed-redis.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Valkey™ clusters and modify such tasks, view info on Valkey™ clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-redis.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for Valkey™ clusters, such clusters themselves and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-redis.switcher |
Enables the user to re-assign the master host in Valkey™ clusters, view info on Valkey™ hosts and clusters, their logs, view data on quotas and operations with resources of the service. |
managed-redis.user |
Enables the use of Valkey™ clusters. |
Yandex StoreDoc
| Role | Description |
|---|---|
managed-mongodb.maintenanceTask.editor |
Enables the user to view info on maintenance tasks for Yandex StoreDoc clusters and modify such tasks, view info on Yandex StoreDoc clusters and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-mongodb.maintenanceTask.viewer |
Enables the user to view info on maintenance tasks for Yandex StoreDoc clusters, such clusters themselves and access permissions granted for them, hosts and cluster backups, quotas and operations with resources of the service. |
managed-mongodb.switcher |
Enables the user to re-assign the master host in Yandex StoreDoc clusters, view info on Yandex StoreDoc clusters, hosts, shards, databases, and users, view cluster logs, data on quotas and operations with resources of the service. |
managed-mongodb.user |
Enables the use of Yandex StoreDoc clusters. |
February 2026
Identity and Access Management updates
- Added access policies.
New roles
Yandex Cloud Backup
| Role | Description |
|---|---|
backup.auditor |
Enables the user to view info on BareMetal virtual machines and servers connected to Cloud Backup, backup policies and quotas of the service, cloud and folder. |
December 2025
Identity and Access Management updates
- Added ephemeral keys.
- In the
yandex_iam_oauth_clientTerraform resource, fixed the comparison between thescopesandredirect_urisfields: now their type issetto avoid comparison conflicts.
New roles
Yandex Cloud Backup
| Role | Description |
|---|---|
backup.user |
Enables the user to connect backup providers, connect Yandex BareMetal VMs and servers, link and unlink backup policies to Yandex BareMetal VMs and servers, and view info on resources and quotas of the service. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex Managed Service for MySQL® clusters via Yandex Identity and Access Management. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex Managed Service for PostgreSQL clusters via Yandex Identity and Access Management. |
Yandex Monium
| Role | Description |
|---|---|
monium.admin |
Enables the user to manage Monium resources, view and record all types of telemetry, manage projects and access to projects. |
monium.editor |
Enables the user to manage Monium resources, view and record all types of telemetry. |
monium.viewer |
Enables the user to view info on Monium resources and read all types of telemetry. |
monium.auditor |
Enables the user to view info on Monium resources. |
monium.alerts.editor |
Enables the user to view the list of alerts, their settings and trigger history, as well as to create, modify, and delete alerts. |
monium.alerts.viewer |
Enables the user to view the list of alerts, their settings and trigger history. |
monium.channels.editor |
Enables the user to view the list of alert notification channels and their info, as well as to create, modify, and delete such channels. |
monium.channels.viewer |
Enables the user to view the list of alert notification channels and their info. |
monium.contextLinks.editor |
Enables the user to view configured context links on dashboard charts, as well as to create, edit, and delete context links. |
monium.contextLinks.viewer |
Enables the user to view configured context links on dashboard charts. |
monium.dashboards.editor |
Enables the user to view dashboards and their widgets, as well as to create, edit, and delete dashboards. |
monium.dashboards.viewer |
Enables the user to view dashboards and their widgets. |
monium.escalationPolicies.editor |
Enables the user to view the list of alert escalation policies and their settings, as well as to create, update, and delete escalation policies. |
monium.escalationPolicies.viewer |
Enables the user to view the list of alert escalation policies and their settings. |
monium.escalations.editor |
Enables the user to view info on alert notifications and escalations, as well as to create, edit, and delete escalations. |
monium.escalations.viewer |
Enables the user to view info on alert notifications and escalations. |
monium.logErrorLabels.editor |
Enables the user to view, edit, and delete existing labels attached to errors in logs and to add new ones. |
monium.logErrorLabels.viewer |
Enables the user to view labels attached to errors in logs. |
monium.logs.reader |
Enables the user to read logs and view log error statistics. |
monium.logs.writer |
Enables the user to write logs. |
monium.metrics.reader |
Enables the user to read metrics, their values and labels. |
monium.metrics.writer |
Enables the user to write metrics. |
monium.mutes.editor |
Enables the user to view, create, edit, and delete mutes, i.e., rules for temporary muting of alert notifications. |
monium.mutes.viewer |
Enables the user to view mutes, i.e., rules for temporary muting of alert notifications. |
monium.quickLinks.editor |
Enables the user to view the list of configured quick links and their info in the project menu, as well as to create, edit, and delete such links. |
monium.quickLinks.viewer |
Enables the user to view the list of configured quick links and their info in the project menu. |
monium.serviceLevelObjectives.editor |
Enables the user to view configured service level objectives (SLOs), as well as to create, edit, and delete them. |
monium.serviceLevelObjectives.viewer |
Enables the user to view configured service level objectives (SLOs). |
monium.shards.editor |
Enables the user to view info on shards, clusters, services and their quotas, as well as to create, update, and delete shards. |
monium.shards.viewer |
Enables the user to view info on shards, clusters, services and their quotas. |
monium.telemetry.reader |
Enables the user to read all types of Monium telemetry: metrics, logs, and distributed tracing data. |
monium.telemetry.writer |
Enables the user to write all types of Monium telemetry: metrics, logs, and distributed tracing data. |
monium.traces.reader |
Enables the user to view distributed tracing data. |
monium.traces.writer |
Enables the user to write distributed tracing data. |
Yandex MPP Analytics for PostgreSQL
| Role | Description |
|---|---|
managed-greenplum.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex MPP Analytics for PostgreSQL clusters via Yandex Identity and Access Management. |
Yandex Security Deck
| Role | Description |
|---|---|
security-deck.alertSinks.admin |
Enables the user to manage alert sinks, alerts, and access to them. |
security-deck.alertSinks.editor |
Enables the user to manage alert sinks, alerts, and comments in them. |
security-deck.alertSinks.user |
Enables the user to view info on alert sinks and use them. |
security-deck.alertSinks.viewer |
Enables the user to view info on alerts, alert sinks, and access permissions granted for them. |
security-deck.alertSinks.auditor |
Enables the user to view info on alert sinks and access permissions granted for them. |
November 2025
Identity and Access Management updates
- Added the ability to view a list of a subject's accesses.
New roles
Yandex Cloud Interconnect
| Role | Description |
|---|---|
cic.admin |
Enables the user to manage Cloud Interconnect resources. |
Yandex Cloud Router
| Role | Description |
|---|---|
cloud-router.admin |
Enables the user to manage Cloud Router resources. |
cloud-router.prefixEditor |
Enables the user to manage IP prefixes of cloud subnets in routing instances and view info on Cloud Router resources. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.idpInstances.billingAdmin |
Enables the user to manage subscription to paid Yandex Identity Hub features. |
organization-manager.idpInstances.billingViewer |
Enables the user to view the list of users on Yandex Identity Hub authentication quota in the current reporting period, view info on subscription to paid Yandex Identity Hub features and statistics on the use of quotas under this subscription. |
October 2025
Identity and Access Management updates
- Added the ability to manage the access of services to the user's resources.
New roles
Managed databases
| Role | Description |
|---|---|
mdb.restorer |
Enables the user to restore managed database clusters from backups and grants read access to clusters and their logs. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.groups.externalConverter |
Enables the user to add an external group ID attribute to Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
organization-manager.groups.externalCreator |
Enables the user to create Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
organization-manager.userpools.syncAgent |
Enables the user to synchronize Yandex Identity Hub users and groups with users and groups in Active Directory or another external source. |
Yandex Managed Service for Apache Kafka®
| Role | Description |
|---|---|
managed-kafka.restorer |
Enables the user to restore Apache Kafka® clusters from backups, view cluster info and logs, as well as data on Managed Service for Apache Kafka® quotas and operations with resources. |
Yandex Managed Service for ClickHouse®
| Role | Description |
|---|---|
managed-clickhouse.restorer |
Enables the user to restore ClickHouse® clusters from backups, view ClickHouse® cluster info and logs, as well as data on Managed Service for ClickHouse® quotas and operations with resources. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.restorer |
Enables the user to restore MySQL® clusters from backups, view info on MySQL® clusters, hosts, databases, and users, view cluster logs, as well as data on Managed Service for MySQL® quotas and operations with resources. |
Yandex Managed Service for OpenSearch
| Role | Description |
|---|---|
managed-opensearch.restorer |
Enables the user to restore OpenSearch clusters from backups, view OpenSearch cluster info and logs, as well as data on Managed Service for OpenSearch quotas and operations with resources. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.restorer |
Enables the user to restore PostgreSQL clusters from backups, view info on PostgreSQL clusters, hosts, databases, and users, view cluster logs, as well as data on Managed Service for PostgreSQL quotas and operations with resources. |
Yandex Managed Service for Sharded PostgreSQL
| Role | Description |
|---|---|
managed-spqr.restorer |
Enables the user to restore Sharded PostgreSQL clusters from backups, view info on Sharded PostgreSQL clusters, hosts, databases, and users, view cluster logs, data on Managed Service for Sharded PostgreSQL quotas and operations with resources. |
Yandex Managed Service for Valkey™
| Role | Description |
|---|---|
managed-redis.restorer |
Enables the user to restore Valkey™ clusters from backups, view info on Valkey™ hosts and clusters, their logs, data on Yandex Managed Service for Valkey™ quotas and operations with resources. |
Yandex MPP Analytics for PostgreSQL
| User role | Description |
|---|---|
managed-greenplum.restorer |
Enables the user to restore Yandex MPP Analytics for PostgreSQL clusters from backups, view info on clusters and hosts, their logs, as well as data on Yandex MPP Analytics for PostgreSQL quotas and operations with resources. |
Yandex StoreDoc
| Role | Description |
|---|---|
managed-mongodb.restorer |
Enables the user to restore MongoDB clusters from backups, view info on MongoDB clusters, hosts, shards, databases, and users, view cluster logs, as well as data on Yandex StoreDoc quotas and operations with resources. |
Q3 2025
- Implemented management of OAuth client secrets using the CLI and API.
CLIAPI - Added a group of commands for OAuth client management to the CLI and API.
CLIAPI
Q2 2025
- Enabled creating and using refresh tokens.
CLI
Q1 2025
- Added new scopes for API keys and the ability to assign more than one scope per service.
Management consoleCLITerraformAPI - Workload identity federations are now available to all users.
Management consoleCLITerraformAPI - Added creating an ID token for service account, a special short-lived token for authentication in third-party systems.
Management consoleCLITerraformAPI
Q4 2024
- Added sending the
CreateIamTokendata event when creating an IAM token. - Expanded the scope of limited lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers.
Management consoleCLITerraformAPI - You can now see the service account's last authentication date and time. You can get the information in the
last_authenticated_atfield using theyc iam user-account getYandex Cloud CLI command.CLI
Q3 2024
- Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys.
Management consoleCLITerraformAPI - You can now create API keys with limited scope and validity period.
Management consoleCLITerraformAPI - Added the ResolveAgent REST API method.
API - Added the ability to revoke an IAM token using the Yandex Cloud CLI.
CLI - Added
All users in organization XandAll users in federation Nsystem groups. - Added the Terraform data source used to get the service agent ID.
Terraform
Q2 2024
- Added the last used date info for service account access keys. You can find this info on the service account page in the management console or in the
last_used_atfield when using the API to invoke access key management methods.Management consoleAPI
Q1 2024
- Added the Security Token Service component to get temporary access keys compatible with AWS S3 API. This feature is at the Preview stage.
CLIAPI - Added OAuth client authentication support by authenticating a service account token.
- Added the option of using masked token ID for Audit Trails logs.
- Improved the key rotation mechanism in OpenID Connect.