Yandex Identity and Access Management release notes

Labels next to update description indicate the interface supporting the update: management console, CLI, API, or Terraform.

March 2026March 2026

• Added the following roles:

  Yandex Cloud AI Studio

  User role	Description
  ai.guardrails.admin	Enables viewing info on guardrails for model responses, as well as creating, applying, modifying, and deleting such guardrails.
  ai.guardrails.auditor	Enables viewing metadata on guardrails for model responses.
  ai.guardrails.editor	Enables viewing info on guardrails for model responses, as well as creating, applying, modifying, and deleting such guardrails.
  ai.guardrails.user	Enables applying guardrails for model responses and viewing metadata on such guardrails.
  ai.guardrails.viewer	Enables viewing info on guardrails for model responses.

  Yandex MPP Analytics for PostgreSQL

  User role	Description
  managed-greenplum.maintenanceTask.editor	Enables viewing info on maintenance tasks for Greenplum® clusters and modifying such tasks, as well as viewing info on Greenplum® clusters and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-greenplum.maintenanceTask.viewer	Enables viewing info on Greenplum® clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-greenplum.user	Enables using Greenplum® clusters.

  Yandex Managed Service for Apache Airflow™

  User role	Description
  managed-airflow.maintenanceTask.editor	Enables viewing info on maintenance tasks for Apache Airflow™ clusters and modifying such tasks, as well as viewing info on Apache Airflow™ clusters, access permissions granted for them, and on the service quotas.
  managed-airflow.maintenanceTask.viewer	Enables viewing info on Apache Airflow™ clusters, access permissions granted for them, and their maintenance tasks, as well as on the service quotas.

  Yandex Managed Service for Apache Kafka®

  User role	Description
  managed-kafka.maintenanceTask.editor	Enables viewing info on maintenance tasks for Apache Kafka® clusters and modifying such tasks, as well as viewing info on Apache Kafka® clusters, access permissions granted for them, and on the service quotas and resource operations.
  managed-kafka.maintenanceTask.viewer	Enables viewing info on Apache Kafka® clusters, access permissions granted for them, their maintenance tasks, and on the service quotas and resource operations.
  managed-kafka.user	Enables using Apache Kafka® clusters.

  Yandex Managed Service for Apache Spark™

  User role	Description
  managed-spark.maintenanceTask.editor	Enables viewing info on maintenance tasks for Apache Spark™ clusters and modifying such tasks, as well as viewing info on Apache Spark™ clusters, access permissions granted for them, and on service quotas.
  managed-spark.maintenanceTask.viewer	Enables viewing info on Apache Spark™ clusters, access permissions granted for them, their maintenance tasks, and on service quotas.

  Yandex Managed Service for ClickHouse®

  User role	Description
  managed-clickhouse.maintenanceTask.editor	Enables viewing info on maintenance tasks for ClickHouse® clusters and modifying such tasks, as well as viewing info on ClickHouse® clusters, access permissions granted for them, and on the service quotas and resource operations.
  managed-clickhouse.maintenanceTask.viewer	Enables viewing info on ClickHouse® clusters, their maintenance tasks, access permissions granted for them, and on the service quotas and resource operations.
  managed-clickhouse.user	Enables using ClickHouse® clusters.

  Yandex Managed Service for MySQL®

  User role	Description
  managed-mysql.maintenanceTask.editor	Enables viewing info on maintenance tasks for MySQL® clusters and modifying such tasks, as well as viewing info on MySQL® clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations.
  managed-mysql.maintenanceTask.viewer	Enables viewing info on MySQL® clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-mysql.switcher	Enables re-assigning the master host in MySQL® clusters, viewing info on MySQL® clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations.
  managed-mysql.user	Enables using MySQL® clusters.

  Yandex Managed Service for OpenSearch

  User role	Description
  managed-opensearch.maintenanceTask.editor	Enables viewing info on maintenance tasks for OpenSearch clusters and modifying such tasks, as well as viewing info on OpenSearch clusters, access permissions granted for them, and on the service quotas and resource operations.
  managed-opensearch.maintenanceTask.viewer	Enables viewing info on OpenSearch clusters, access permissions granted for them, their maintenance tasks, and on the service quotas and resource operations.
  managed-opensearch.user	Enables using OpenSearch clusters.

  Yandex Managed Service for PostgreSQL

  User role	Description
  managed-postgresql.maintenanceTask.editor	Enables viewing info on maintenance tasks for PostgreSQL clusters and modifying such tasks, as well as viewing info on PostgreSQL clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations.
  managed-postgresql.maintenanceTask.viewer	Enables viewing info on PostgreSQL clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations.
  managed-postgresql.switcher	Enables re-assigning the master host in PostgreSQL clusters, viewing info on PostgreSQL clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations.
  managed-postgresql.user	Enables using PostgreSQL clusters.

  Yandex Managed Service for Sharded PostgreSQL

  User role	Description
  managed-spqr.maintenanceTask.editor	Enables viewing info on maintenance tasks for Sharded PostgreSQL clusters and modifying such tasks, as well as viewing info on Sharded PostgreSQL clusters, access permissions granted for them, cluster hosts, the service quotas, and resource operations.
  managed-spqr.maintenanceTask.viewer	Enables viewing info on Sharded PostgreSQL clusters, their maintenance tasks, access permissions granted for them, hosts, and on the service quotas and resource operations.

  Yandex Managed Service for Trino

  User role	Description
  managed-trino.maintenanceTask.editor	Enables viewing info on maintenance tasks for Trino clusters and modifying such tasks, as well as viewing info on Trino clusters, access permissions granted for them, and on the service quotas.
  managed-trino.maintenanceTask.viewer	Enables viewing info on Trino clusters, access permissions granted for them, their maintenance tasks, and on the service quotas.

  Yandex Managed Service for Valkey™

  User role	Description
  managed-redis.maintenanceTask.editor	Enables viewing info on maintenance tasks for Valkey™ clusters and modifying such tasks, as well as viewing info on Valkey™ clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations.
  managed-redis.maintenanceTask.viewer	Enables viewing info on Valkey™ clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-redis.switcher	Enables re-assigning the master host in Valkey™ clusters and viewing info on Valkey™ hosts and clusters, their logs, as well as info on quotas and resource operations.
  managed-redis.user	Enables using Valkey™ clusters.

  Yandex StoreDoc

  User role	Description
  managed-mongodb.maintenanceTask.editor	Enables viewing info on maintenance tasks for Yandex StoreDoc clusters and modifying such tasks, as well as viewing info on Yandex StoreDoc clusters and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-mongodb.maintenanceTask.viewer	Enables viewing info on Yandex StoreDoc clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations.
  managed-mongodb.switcher	Enables re-assigning the master host in Yandex StoreDoc clusters and viewing info on Yandex StoreDoc clusters, hosts, shards, databases, users, cluster logs, quotas, and resource operations.
  managed-mongodb.user	Enables using Yandex StoreDoc clusters.

February 2026February 2026

• Added support for managing access policies. Management console

• Added commands for access policy management at the organization, cloud, and folder level:

  • yc organization-manager organization list-access-policy-bindings
  • yc organization-manager organization bind-access-policy
  • yc organization-manager organization unbind-access-policy CLI

• Added the following roles:

  Yandex Cloud Backup

  User role	Description
  backup.auditor	Allows viewing details on virtual machines and BareMetal servers connected to Cloud Backup, backup policies and service quotas, your cloud and folder.

December 2025December 2025

• Added the yc iam access-key issue-ephemeral command for issuing ephemeral keys. CLI

• Added support for the yandex_iam_oauth_client_secret resource to manage OAuth client secrets. Terraform

• Added the labels field to the yandex_iam_service_account resource to work with labels. Terraform

• For the yandex_iam_oauth_client resource, changed the scopes and redirect_uris fields to the set type to prevent comparison collisions. Terraform

• Added the following roles:

  Yandex Cloud Backup

  User role	Description
  backup.user	Enables connecting backup providers, connecting VMs and Yandex BareMetal servers to Cloud Backup, associating and disassociating backup policies with VMs and Yandex BareMetal servers, and viewing Cloud Backup resource and quota details.

  Yandex Managed Service for MySQL®

  User role	Description
  managed-mysql.clusters.connector	Enables Yandex Cloud users to connect to databases in Yandex Managed Service for MySQL® clusters via Yandex Identity and Access Management.

  Yandex Managed Service for PostgreSQL

  User role	Description
  managed-postgresql.clusters.connector	Enables Yandex Cloud users to connect to databases in Yandex Managed Service for PostgreSQL clusters via Yandex Identity and Access Management.

  Yandex Monium

  User role	Description
  monium.admin	Enables managing Monium resources, viewing and writing all types of telemetry data, and managing projects and access to projects.
  monium.editor	Enables managing Monium resources, viewing and writing all types of telemetry data.
  monium.viewer	Enables viewing details on Monium resources and reading all types of telemetry data.
  monium.auditor	Enables viewing details on Monium resources.
  monium.alerts.editor	Enables viewing the list of alerts, their settings, and trigger history, as well as creating, modifying, and deleting alerts.
  monium.alerts.viewer	Enables viewing the list of alerts, their settings, and trigger history.
  monium.channels.editor	Enables viewing the list of alert notification channels and their details, as well as creating, modifying, and deleting such channels.
  monium.channels.viewer	Enables viewing the list of alert notification channels and their details.
  monium.contextLinks.editor	Enables viewing configured context links on dashboard charts, as well as creating, editing, and deleting such links.
  monium.contextLinks.viewer	Enables viewing configured context links on dashboard charts.
  monium.dashboards.editor	Enables viewing dashboards and their widgets, as well as creating, editing, and deleting dashboards.
  monium.dashboards.viewer	Enables viewing dashboards and their widgets.
  monium.escalationPolicies.editor	Enables viewing the list of alert escalation policies and their settings, as well as creating, updating, and deleting such policies.
  monium.escalationPolicies.viewer	Enables viewing the list of alert escalation policies and their settings.
  monium.escalations.editor	Enables viewing details on alert notifications and escalations, as well as creating, editing, and deleting escalations.
  monium.escalations.viewer	Enables viewing details on alert notifications and escalations.
  monium.logErrorLabels.editor	Enables viewing, editing, and deleting the existing labels as well as adding new ones to errors in logs.
  monium.logErrorLabels.viewer	Enables viewing labels for log errors.
  monium.logs.reader	Enables reading logs and viewing log error statistics.
  monium.logs.writer	Enables writing logs.
  monium.metrics.reader	Enables reading metrics, their values, and labels.
  monium.metrics.writer	Enables writing metrics.
  monium.mutes.editor	Enables viewing, creating, editing, and deleting mutes, i.e., rules for temporarily disabling alert notifications.
  monium.mutes.viewer	Enables viewing mutes, i.e., rules for temporarily disabling alert notifications.
  monium.quickLinks.editor	Enables viewing the list of configured quick links and their details in the project menu, as well as creating, editing, and deleting such links.
  monium.quickLinks.viewer	Enables viewing the list of configured quick links and their details in the project menu.
  monium.serviceLevelObjectives.editor	Enables viewing configured service level objectives (SLOs), as well as creating, editing, and deleting them.
  monium.serviceLevelObjectives.viewer	Enables viewing configured service level objectives (SLOs).
  monium.shards.editor	Enables viewing details on shards, clusters, services and their quotas, as well as creating, updating, and deleting shards.
  monium.shards.viewer	Enables viewing details on shards, clusters, services and their quotas.
  monium.telemetry.reader	Enables reading all types of Monium telemetry data, such as metrics, logs, and distributed tracing data.
  monium.telemetry.writer	Enables writing all types of Monium telemetry data, such as metrics, logs, and distributed tracing data.
  monium.traces.reader	Enables viewing distributed tracing data.
  monium.traces.writer	Enables writing distributed tracing data.

  Yandex MPP Analytics for PostgreSQL

  User role	Description
  managed-greenplum.clusters.connector	Enables Yandex Cloud users to connect to databases in Yandex MPP Analytics for PostgreSQL clusters via Yandex Identity and Access Management.

  Yandex Security Deck

  User role	Description
  security-deck.alertSinks.admin	Enables managing alert sinks and alerts, as well as access to them.
  security-deck.alertSinks.editor	Enables managing alert sinks, alerts, and comments in them.
  security-deck.alertSinks.user	Enables viewing details on alert sinks and using them.
  security-deck.alertSinks.viewer	Enables viewing details on alerts and alert sinks as well as on access permissions granted for them.
  security-deck.alertSinks.auditor	Enables viewing details on alert sinks and access permissions granted for them.

November 2025November 2025

• Added the ability to view a list of subject’s accesses using the CLI and API. Management console CLI API

• Added the following roles:

  Yandex Cloud Interconnect

  User role	Description
  cic.admin	Enables managing Cloud Interconnect resources.

  Yandex Cloud Router

  User role	Description
  cloud-router.admin	Enables managing Cloud Router resources.
  cloud-router.prefixEditor	Enables managing IP prefixes of cloud subnets in routing instances, as well as viewing info on Cloud Router resources.

  Yandex Identity Hub

  User role	Description
  organization-manager.idpInstances.billingAdmin	Enables managing your subscription to the paid Yandex Identity Hub features.
  organization-manager.idpInstances.billingViewer	Enables viewing the list of users who employ the Yandex Identity Hub authentication quota in the current reporting period, as well as viewing info on a subscription to the paid-for Yandex Identity Hub features and stats regarding the use of the quotas within this subscription.

October 2025October 2025

• Supported managing service access to user resources via the management console. Management console

• Added the following roles:

  Managed databases

  User role	Description
  mdb.restorer	Enables restoring managed database clusters from backups and grants read access to such clusters and their logs.

  Yandex Identity Hub

  User role	Description
  organization-manager.groups.externalConverter	Enables adding an attribute with an external group ID to Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.
  organization-manager.groups.externalCreator	Enables creating Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.
  organization-manager.userpools.syncAgent	Enables synchronizing Yandex Identity Hub users and groups with users and groups in Active Directory or another external source.

  Yandex Managed Service for Apache Kafka®

  User role	Description
  managed-kafka.restorer	Enables restoring Apache Kafka® clusters from backups, viewing information about such clusters and their logs, as well as information about Managed Service for Apache Kafka® quotas and resource operations.

  Yandex Managed Service for ClickHouse®

  User role	Description
  managed-clickhouse.restorer	Enables restoring ClickHouse® clusters from backups, viewing information about ClickHouse® clusters and their logs, as well as information about Managed Service for ClickHouse® quotas and resource operations.

  Yandex Managed Service for MySQL®

  User role	Description
  managed-mysql.restorer	Enables restoring MySQL® clusters from backups, viewing information about MySQL® clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for MySQL® quotas and resource operations.

  Yandex Managed Service for OpenSearch

  User role	Description
  managed-opensearch.restorer	Enables restoring OpenSearch clusters from backups, viewing information about OpenSearch clusters and their logs, as well as information about Managed Service for OpenSearch quotas and resource operations.

  Yandex Managed Service for PostgreSQL

  User role	Description
  managed-postgresql.restorer	Enables restoring PostgreSQL clusters from backups, viewing information about PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for PostgreSQL quotas and resource operations.

  Yandex Managed Service for Sharded PostgreSQL

  User role	Description
  managed-spqr.restorer	Enables restoring Sharded PostgreSQL clusters from backups, viewing information about Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for Sharded PostgreSQL quotas and resource operations.

  Yandex Managed Service for Valkey™

  User role	Description
  managed-redis.restorer	Enables restoring Valkey™ clusters from backups, viewing information about Valkey™ hosts and clusters, their logs, as well as information about Yandex Managed Service for Valkey™ quotas and resource operations.

  Yandex MPP Analytics for PostgreSQL

  User role	Description
  managed-greenplum.restorer	Enables restoring Greenplum® clusters from backups, viewing information about Greenplum® clusters and hosts, their logs, as well as information about Yandex MPP Analytics for PostgreSQL quotas and resource operations.

  Yandex StoreDoc

  User role	Description
  managed-mongodb.restorer	Enables restoring MongoDB clusters from backups, viewing information about MongoDB clusters, hosts, shards, databases, and users, cluster logs, as well as information about Yandex StoreDoc quotas and resource operations.

Q3 2025Q3 2025

• Implemented management of OAuth client secrets using the CLI and API. CLI API
• Added a group of commands for OAuth client management to the CLI and API. CLI API

Q2 2025Q2 2025

• Enabled creating and using refresh tokens. CLI

Q1 2025Q1 2025

• Added new scopes for API keys and the ability to assign more than one scope per service. Management console CLI Terraform API
• Workload identity federations are now available to all users. Management console CLI Terraform API
• Added creating an ID token for service account, a special short-lived token for authentication in third-party systems. Management console CLI Terraform API

Q4 2024Q4 2024

• Added sending the CreateIamToken data event when creating an IAM token.
• Expanded the scope of limited lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers. Management console CLI Terraform API
• You can now see the service account's last authentication date and time. You can get the information in the last_authenticated_at field using the yc iam user-account get Yandex Cloud CLI command. CLI

Q3 2024Q3 2024

• Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys. Management console CLI Terraform API
• You can now create API keys with limited scope and validity period. Management console CLI Terraform API
• Added the ResolveAgent REST API method. API
• Added the ability to revoke an IAM token using the Yandex Cloud CLI. CLI
• Added All users in organization X and All users in federation N system groups.
• Added the Terraform data source used to get the service agent ID. Terraform

Q2 2024Q2 2024

• Added the last used date info for service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods. Management console API

Q1 2024Q1 2024

• Added the Security Token Service component to get temporary access keys compatible with AWS S3 API. This feature is at the Preview stage. CLI API
• Added OAuth client authentication support by authenticating a service account token.
• Added the option of using masked token ID for Audit Trails logs.
• Improved the key rotation mechanism in OpenID Connect.