Yandex Identity and Access Management release notes
Updated at December 19, 2025
Labels next to update description indicate the interface supporting the update: management console, CLI, API, or Terraform.
October 2025
Added the following roles:
Managed databases
| User role | Description |
|---|---|
| mdb.restorer | Enables restoring managed database clusters from backups and grants read access to such clusters and their logs. |
Yandex Identity Hub
| User role | Description |
|---|---|
| organization-manager.groups.externalConverter | Enables adding an attribute with an external group ID to Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
| organization-manager.groups.externalCreator | Enables creating Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
| organization-manager.userpools.syncAgent | Enables synchronizing Identity Hub users and groups with users and groups in Active Directory or another external source. |
Yandex Managed Service for Apache Kafka®
| User role | Description |
|---|---|
| managed-kafka.restorer | Enables restoring Apache Kafka® clusters from backups, viewing information about such clusters and their logs, as well as information about Managed Service for Apache Kafka® quotas and resource operations. |
Yandex Managed Service for ClickHouse®
| User role | Description |
|---|---|
| managed-clickhouse.restorer | Enables restoring ClickHouse® clusters from backups, viewing information about ClickHouse® clusters and their logs, as well as information about Managed Service for ClickHouse® quotas and resource operations. |
Yandex Managed Service for MySQL®
| User role | Description |
|---|---|
| managed-mysql.restorer | Enables restoring MySQL® clusters from backups, viewing information about MySQL® clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for MySQL® quotas and resource operations. |
Yandex Managed Service for OpenSearch
| User role | Description |
|---|---|
| managed-opensearch.restorer | Enables restoring OpenSearch clusters from backups, viewing information about OpenSearch clusters and their logs, as well as information about Managed Service for OpenSearch quotas and resource operations. |
Yandex Managed Service for PostgreSQL
| User role | Description |
|---|---|
| managed-postgresql.restorer | Enables restoring PostgreSQL clusters from backups, viewing information about PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for PostgreSQL quotas and resource operations. |
Yandex Managed Service for Sharded PostgreSQL
| User role | Description |
|---|---|
| managed-spqr.restorer | Enables restoring Sharded PostgreSQL clusters from backups, viewing information about Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for Sharded PostgreSQL quotas and resource operations. |
Yandex Managed Service for Valkey™
| User role | Description |
|---|---|
| managed-redis.restorer | Enables restoring Valkey™ clusters from backups, viewing information about Valkey™ hosts and clusters, their logs, as well as information about Yandex Managed Service for Valkey™ quotas and resource operations. |
Yandex MPP Analytics for PostgreSQL
| User role | Description |
|---|---|
| managed-greenplum.restorer | Enables restoring Greenplum® clusters from backups, viewing information about Greenplum® clusters and hosts, their logs, as well as information about Yandex MPP Analytics for PostgreSQL quotas and resource operations. |
Yandex StoreDoc
| User role | Description |
|---|---|
| managed-mongodb.restorer | Enables restoring MongoDB clusters from backups, viewing information about MongoDB clusters, hosts, shards, databases, and users, cluster logs, as well as information about Yandex StoreDoc quotas and resource operations. |
Q3 2025
- Added the ability to view a list of subject’s accesses using the CLI and API.
  Management console, CLI, API
- Implemented management of OAuth client secrets using the CLI and API.
  CLI, API
- Added a group of commands for OAuth client management to the CLI and API.
  CLI, API
Q2 2025
- Enabled creating and using refresh tokens.
  CLI
Q1 2025
- Added new scopes for API keys and the ability to assign more than one scope per service.
  Management console, CLI, Terraform, API
- Workload identity federations are now available to all users.
  Management console, CLI, Terraform, API
- Added the ability to create an ID token for a service account, a special short-lived token for authentication in third-party systems.
  Management console, CLI, Terraform, API
Q4 2024
- Added sending the `CreateIamToken` data event when creating an IAM token.
- Expanded the scope of limited lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers.
  Management console, CLI, Terraform, API
- You can now see the service account's last authentication date and time. You can get the information in the `last_authenticated_at` field using the `yc iam user-account get` Yandex Cloud CLI command.
  CLI
Q3 2024
- Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys.
  Management console, CLI, Terraform, API
- You can now create API keys with limited scope and validity period.
  Management console, CLI, Terraform, API
- Added the ResolveAgent REST API method.
  API
- Added the ability to revoke an IAM token using Yandex Cloud CLI.
  CLI
- Added `All users in organization X` and `All users in federation N` system groups.
- Added the Terraform data source used to get the service agent ID.
  Terraform
Q2 2024
- Added the last used date info for service account access keys. You can find this info on the service account page in the management console or in the `last_used_at` field when using the API to invoke access key management methods.
  Management console, API
Q1 2024
- Added the Security Token Service component to get temporary access keys compatible with AWS S3 API. This feature is at the Preview stage.
  CLI, API
- Added OAuth client authentication support by authenticating a service account token.
- Added the option of using masked token ID for Audit Trails logs.
- Improved the key rotation mechanism in OpenID Connect.