Yandex Identity and Access Management release notes
Written by
Updated at May 19, 2026
April 2026
Identity and Access Management updates
- Added the
MASKED KEYfield to display the last six characters of the secret part of the key in the API key list.
New roles
Yandex Cloud Notification Service
| Role | Description |
|---|---|
notifications.admin |
Enables managing all notification channels and topics, as well as sending notifications to all channels and topics. |
notifications.auditor |
Enables viewing all notification channel metadata, topic metadata, and info on the service quotas. |
notifications.editor |
Enables managing all notification channels and topics, as well as sending notifications to all channels and topics. |
notifications.publisher |
Enables sending notifications to all channels and topics. |
notifications.viewer |
Enables viewing info on topics, notification channels, and service quotas. |
Yandex DataLens
| Role | Description |
|---|---|
datalens.metaReader |
Enables executing requests from the Audit section in the DataLens Public API. |
Yandex Cloud DNS
| Role | Description |
|---|---|
dns.firewallEditor |
Enables managing DNS firewalls and using clouds, folders, and cloud networks as resources for them. |
dns.firewallUser |
Enables using clouds, folders, and cloud networks as resources for DNS firewalls, as well as viewing info on resources and service quotas. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.groups.viewer |
Enables viewing info on user groups and access permissions granted for them, as well as viewing the list of users and service accounts that are members of groups. |
Yandex Managed Service for Kubernetes
| Role | Description |
|---|---|
k8s.cluster-api.admin |
Grants the yc:k8s-core-admin group and the admin role in Kubernetes RBAC. |
Managed databases
| Role | Description |
|---|---|
mdb.maintenanceTask.editor |
Enables viewing info on maintenance tasks for managed database clusters and modifying such tasks, as well as viewing info on clusters and access permissions granted for them, on hosts and cluster backups, and on quotas and service resource operations. |
mdb.maintenanceTask.viewer |
Enables viewing info on maintenance tasks for managed database clusters, as well as info on such clusters and access permissions granted for them, info on hosts and cluster backups, quotas and service resource operations. |
mdb.switcher |
Enables re-assigning the master host in managed database clusters, viewing info on clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and service resource operations. |
March 2026
New roles
Yandex Cloud AI Studio
| Role | Description |
|---|---|
ai.guardrails.admin |
Enables viewing info on guardrails for model responses, as well as creating, applying, modifying, and deleting such guardrails. |
ai.guardrails.auditor |
Enables viewing metadata on guardrails for model responses. |
ai.guardrails.editor |
Enables viewing info on guardrails for model responses, as well as creating, applying, modifying, and deleting such guardrails. |
ai.guardrails.user |
Enables applying guardrails for model responses and viewing metadata on such guardrails. |
ai.guardrails.viewer |
Enables viewing info on guardrails for model responses. |
Yandex MPP Analytics for PostgreSQL
| Role | Description |
|---|---|
managed-greenplum.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Greenplum® clusters and modifying such tasks, as well as viewing info on Greenplum® clusters and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-greenplum.maintenanceTask.viewer |
Enables viewing info on Greenplum® clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-greenplum.user |
Enables using Greenplum® clusters. |
Yandex Managed Service for Apache Airflow™
| Role | Description |
|---|---|
managed-airflow.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Apache Airflow™ clusters and modifying such tasks, as well as viewing info on Apache Airflow™ clusters, access permissions granted for them, and on the service quotas. |
managed-airflow.maintenanceTask.viewer |
Enables viewing info on Apache Airflow™ clusters, access permissions granted for them, and their maintenance tasks, as well as on the service quotas. |
Yandex Managed Service for Apache Kafka®
| Role | Description |
|---|---|
managed-kafka.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Apache Kafka® clusters and modifying such tasks, as well as viewing info on Apache Kafka® clusters, access permissions granted for them, and on the service quotas and resource operations. |
managed-kafka.maintenanceTask.viewer |
Enables viewing info on Apache Kafka® clusters, access permissions granted for them, their maintenance tasks, and on the service quotas and resource operations. |
managed-kafka.user |
Enables using Apache Kafka® clusters. |
Yandex Managed Service for Apache Spark™
| Role | Description |
|---|---|
managed-spark.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Apache Spark™ clusters and modifying such tasks, as well as viewing info on Apache Spark™ clusters, access permissions granted for them, and on service quotas. |
managed-spark.maintenanceTask.viewer |
Enables viewing info on Apache Spark™ clusters, access permissions granted for them, their maintenance tasks, and on service quotas. |
Yandex Managed Service for ClickHouse®
| Role | Description |
|---|---|
managed-clickhouse.maintenanceTask.editor |
Enables viewing info on maintenance tasks for ClickHouse® clusters and modifying such tasks, as well as viewing info on ClickHouse® clusters, access permissions granted for them, and on the service quotas and resource operations. |
managed-clickhouse.maintenanceTask.viewer |
Enables viewing info on ClickHouse® clusters, their maintenance tasks, access permissions granted for them, and on the service quotas and resource operations. |
managed-clickhouse.user |
Enables using ClickHouse® clusters. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.maintenanceTask.editor |
Enables viewing info on maintenance tasks for MySQL® clusters and modifying such tasks, as well as viewing info on MySQL® clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations. |
managed-mysql.maintenanceTask.viewer |
Enables viewing info on MySQL® clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-mysql.switcher |
Enables re-assigning the master host in MySQL® clusters, viewing info on MySQL® clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations. |
managed-mysql.user |
Enables using MySQL® clusters. |
Yandex Managed Service for OpenSearch
| Role | Description |
|---|---|
managed-opensearch.maintenanceTask.editor |
Enables viewing info on maintenance tasks for OpenSearch clusters and modifying such tasks, as well as viewing info on OpenSearch clusters, access permissions granted for them, and on the service quotas and resource operations. |
managed-opensearch.maintenanceTask.viewer |
Enables viewing info on OpenSearch clusters, access permissions granted for them, their maintenance tasks, and on the service quotas and resource operations. |
managed-opensearch.user |
Enables using OpenSearch clusters. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.maintenanceTask.editor |
Enables viewing info on maintenance tasks for PostgreSQL clusters and modifying such tasks, as well as viewing info on PostgreSQL clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations. |
managed-postgresql.maintenanceTask.viewer |
Enables viewing info on PostgreSQL clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations. |
managed-postgresql.switcher |
Enables re-assigning the master host in PostgreSQL clusters, viewing info on PostgreSQL clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations. |
managed-postgresql.user |
Enables using PostgreSQL clusters. |
Yandex Managed Service for Sharded PostgreSQL
| Role | Description |
|---|---|
managed-spqr.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Sharded PostgreSQL clusters and modifying such tasks, as well as viewing info on Sharded PostgreSQL clusters, access permissions granted for them, cluster hosts, the service quotas, and resource operations. |
managed-spqr.maintenanceTask.viewer |
Enables viewing info on Sharded PostgreSQL clusters, their maintenance tasks, access permissions granted for them, hosts, and on the service quotas and resource operations. |
Yandex Managed Service for Trino
| Role | Description |
|---|---|
managed-trino.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Trino clusters and modifying such tasks, as well as viewing info on Trino clusters, access permissions granted for them, and on the service quotas. |
managed-trino.maintenanceTask.viewer |
Enables viewing info on Trino clusters, access permissions granted for them, their maintenance tasks, and on the service quotas. |
Yandex Managed Service for Valkey™
| Role | Description |
|---|---|
managed-redis.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Valkey™ clusters and modifying such tasks, as well as viewing info on Valkey™ clusters and access permissions granted for them, on hosts and cluster backups, and on the service quotas and resource operations. |
managed-redis.maintenanceTask.viewer |
Enables viewing info on Valkey™ clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-redis.switcher |
Enables re-assigning the master host in Valkey™ clusters and viewing info on Valkey™ hosts and clusters, their logs, as well as info on quotas and resource operations. |
managed-redis.user |
Enables using Valkey™ clusters. |
Yandex StoreDoc
| Role | Description |
|---|---|
managed-mongodb.maintenanceTask.editor |
Enables viewing info on maintenance tasks for Yandex StoreDoc clusters and modifying such tasks, as well as viewing info on Yandex StoreDoc clusters and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-mongodb.maintenanceTask.viewer |
Enables viewing info on Yandex StoreDoc clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, and on quotas and resource operations. |
managed-mongodb.switcher |
Enables re-assigning the master host in Yandex StoreDoc clusters and viewing info on Yandex StoreDoc clusters, hosts, shards, databases, users, cluster logs, quotas, and resource operations. |
managed-mongodb.user |
Enables using Yandex StoreDoc clusters. |
February 2026
Identity and Access Management updates
- Added access policies.
New roles
Yandex Cloud Backup
| Role | Description |
|---|---|
backup.auditor |
Allows viewing details on virtual machines and BareMetal servers connected to Cloud Backup, backup policies and service quotas, your cloud and folder. |
December 2025
Identity and Access Management updates
- Added ephemeral keys.
- In the
yandex_iam_oauth_clientTerraform resource, fixed the comparison between thescopesandredirect_urisfields: now their type issetto avoid comparison conflicts.
New roles
Yandex Cloud Backup
| Role | Description |
|---|---|
backup.user |
Enables connecting backup providers, connecting VMs and Yandex BareMetal servers to Cloud Backup, associating and disassociating backup policies with VMs and Yandex BareMetal servers, and viewing Cloud Backup resource and quota details. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex Managed Service for MySQL® clusters via Yandex Identity and Access Management. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex Managed Service for PostgreSQL clusters via Yandex Identity and Access Management. |
Yandex Monium
| Role | Description |
|---|---|
monium.admin |
Enables managing Monium resources, viewing and writing all types of telemetry data, and managing projects and access to projects. |
monium.editor |
Enables managing Monium resources, viewing and writing all types of telemetry data. |
monium.viewer |
Enables viewing details on Monium resources and reading all types of telemetry data. |
monium.auditor |
Enables viewing details on Monium resources. |
monium.alerts.editor |
Enables viewing the list of alerts, their settings, and trigger history, as well as creating, modifying, and deleting alerts. |
monium.alerts.viewer |
Enables viewing the list of alerts, their settings, and trigger history. |
monium.channels.editor |
Enables viewing the list of alert notification channels and their details, as well as creating, modifying, and deleting such channels. |
monium.channels.viewer |
Enables viewing the list of alert notification channels and their details. |
monium.contextLinks.editor |
Enables viewing configured context links on dashboard charts, as well as creating, editing, and deleting such links. |
monium.contextLinks.viewer |
Enables viewing configured context links on dashboard charts. |
monium.dashboards.editor |
Enables viewing dashboards and their widgets, as well as creating, editing, and deleting dashboards. |
monium.dashboards.viewer |
Enables viewing dashboards and their widgets. |
monium.escalationPolicies.editor |
Enables viewing the list of alert escalation policies and their settings, as well as creating, updating, and deleting such policies. |
monium.escalationPolicies.viewer |
Enables viewing the list of alert escalation policies and their settings. |
monium.escalations.editor |
Enables viewing details on alert notifications and escalations, as well as creating, editing, and deleting escalations. |
monium.escalations.viewer |
Enables viewing details on alert notifications and escalations. |
monium.logErrorLabels.editor |
Enables viewing, editing, and deleting the existing labels as well as adding new ones to errors in logs. |
monium.logErrorLabels.viewer |
Enables viewing labels for log errors. |
monium.logs.reader |
Enables reading logs and viewing log error statistics. |
monium.logs.writer |
Enables writing logs. |
monium.metrics.reader |
Enables reading metrics, their values, and labels. |
monium.metrics.writer |
Enables writing metrics. |
monium.mutes.editor |
Enables viewing, creating, editing, and deleting mutes, i.e., rules for temporarily disabling alert notifications. |
monium.mutes.viewer |
Enables viewing mutes, i.e., rules for temporarily disabling alert notifications. |
monium.quickLinks.editor |
Enables viewing the list of configured quick links and their details in the project menu, as well as creating, editing, and deleting such links. |
monium.quickLinks.viewer |
Enables viewing the list of configured quick links and their details in the project menu. |
monium.serviceLevelObjectives.editor |
Enables viewing configured service level objectives (SLOs), as well as creating, editing, and deleting them. |
monium.serviceLevelObjectives.viewer |
Enables viewing configured service level objectives (SLOs). |
monium.shards.editor |
Enables viewing details on shards, clusters, services and their quotas, as well as creating, updating, and deleting shards. |
monium.shards.viewer |
Enables viewing details on shards, clusters, services and their quotas. |
monium.telemetry.reader |
Enables reading all types of Monium telemetry data, such as metrics, logs, and distributed tracing data. |
monium.telemetry.writer |
Enables writing all types of Monium telemetry data, such as metrics, logs, and distributed tracing data. |
monium.traces.reader |
Enables viewing distributed tracing data. |
monium.traces.writer |
Enables writing distributed tracing data. |
Yandex MPP Analytics for PostgreSQL
| Role | Description |
|---|---|
managed-greenplum.clusters.connector |
Enables Yandex Cloud users to connect to databases in Yandex MPP Analytics for PostgreSQL clusters via Yandex Identity and Access Management. |
Yandex Security Deck
| Role | Description |
|---|---|
security-deck.alertSinks.admin |
Enables managing alert sinks and alerts, as well as access to them. |
security-deck.alertSinks.editor |
Enables managing alert sinks, alerts, and comments in them. |
security-deck.alertSinks.user |
Enables viewing details on alert sinks and using them. |
security-deck.alertSinks.viewer |
Enables viewing details on alerts and alert sinks as well as on access permissions granted for them. |
security-deck.alertSinks.auditor |
Enables viewing details on alert sinks and access permissions granted for them. |
November 2025
Identity and Access Management updates
- Added the ability to view a list of a subject's accesses.
New roles
Yandex Cloud Interconnect
| Role | Description |
|---|---|
cic.admin |
Enables managing Cloud Interconnect resources. |
Yandex Cloud Router
| Role | Description |
|---|---|
cloud-router.admin |
Enables managing Cloud Router resources. |
cloud-router.prefixEditor |
Enables managing IP prefixes of cloud subnets in routing instances, as well as viewing info on Cloud Router resources. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.idpInstances.billingAdmin |
Enables managing your subscription to the paid Yandex Identity Hub features. |
organization-manager.idpInstances.billingViewer |
Enables viewing the list of users who employ the Yandex Identity Hub authentication quota in the current reporting period, as well as viewing info on a subscription to the paid-for Yandex Identity Hub features and stats regarding the use of the quotas within this subscription. |
October 2025
Identity and Access Management updates
- Added the ability to manage the access of services to the user's resources.
New roles
Managed databases
| Role | Description |
|---|---|
mdb.restorer |
Enables restoring managed database clusters from backups and grants read access to such clusters and their logs. |
Yandex Identity Hub
| Role | Description |
|---|---|
organization-manager.groups.externalConverter |
Enables adding an attribute with an external group ID to Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
organization-manager.groups.externalCreator |
Enables creating Yandex Identity Hub user groups when synchronizing with user groups in Active Directory or another external source. |
organization-manager.userpools.syncAgent |
Enables synchronizing Yandex Identity Hub users and groups with users and groups in Active Directory or another external source. |
Yandex Managed Service for Apache Kafka®
| Role | Description |
|---|---|
managed-kafka.restorer |
Enables restoring Apache Kafka® clusters from backups, viewing information about such clusters and their logs, as well as information about Managed Service for Apache Kafka® quotas and resource operations. |
Yandex Managed Service for ClickHouse®
| Role | Description |
|---|---|
managed-clickhouse.restorer |
Enables restoring ClickHouse® clusters from backups, viewing information about ClickHouse® clusters and their logs, as well as information about Managed Service for ClickHouse® quotas and resource operations. |
Yandex Managed Service for MySQL®
| Role | Description |
|---|---|
managed-mysql.restorer |
Enables restoring MySQL® clusters from backups, viewing information about MySQL® clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for MySQL® quotas and resource operations. |
Yandex Managed Service for OpenSearch
| Role | Description |
|---|---|
managed-opensearch.restorer |
Enables restoring OpenSearch clusters from backups, viewing information about OpenSearch clusters and their logs, as well as information about Managed Service for OpenSearch quotas and resource operations. |
Yandex Managed Service for PostgreSQL
| Role | Description |
|---|---|
managed-postgresql.restorer |
Enables restoring PostgreSQL clusters from backups, viewing information about PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for PostgreSQL quotas and resource operations. |
Yandex Managed Service for Sharded PostgreSQL
| Role | Description |
|---|---|
managed-spqr.restorer |
Enables restoring Sharded PostgreSQL clusters from backups, viewing information about Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about Managed Service for Sharded PostgreSQL quotas and resource operations. |
Yandex Managed Service for Valkey™
| Role | Description |
|---|---|
managed-redis.restorer |
Enables restoring Valkey™ clusters from backups, viewing information about Valkey™ hosts and clusters, their logs, as well as information about Yandex Managed Service for Valkey™ quotas and resource operations. |
Yandex MPP Analytics for PostgreSQL
| User role | Description |
|---|---|
managed-greenplum.restorer |
Enables restoring Greenplum® clusters from backups, viewing information about Greenplum® clusters and hosts, their logs, as well as information about Yandex MPP Analytics for PostgreSQL quotas and resource operations. |
Yandex StoreDoc
| Role | Description |
|---|---|
managed-mongodb.restorer |
Enables restoring MongoDB clusters from backups, viewing information about MongoDB clusters, hosts, shards, databases, and users, cluster logs, as well as information about Yandex StoreDoc quotas and resource operations. |
Q3 2025
- Implemented management of OAuth client secrets using the CLI and API.
CLIAPI - Added a group of commands for OAuth client management to the CLI and API.
CLIAPI
Q2 2025
- Enabled creating and using refresh tokens.
CLI
Q1 2025
- Added new scopes for API keys and the ability to assign more than one scope per service.
Management consoleCLITerraformAPI - Workload identity federations are now available to all users.
Management consoleCLITerraformAPI - Added creating an ID token for service account, a special short-lived token for authentication in third-party systems.
Management consoleCLITerraformAPI
Q4 2024
- Added sending the
CreateIamTokendata event when creating an IAM token. - Expanded the scope of limited lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers.
Management consoleCLITerraformAPI - You can now see the service account's last authentication date and time. You can get the information in the
last_authenticated_atfield using theyc iam user-account getYandex Cloud CLI command.CLI
Q3 2024
- Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys.
Management consoleCLITerraformAPI - You can now create API keys with limited scope and validity period.
Management consoleCLITerraformAPI - Added the ResolveAgent REST API method.
API - Added the ability to revoke an IAM token using the Yandex Cloud CLI.
CLI - Added
All users in organization XandAll users in federation Nsystem groups. - Added the Terraform data source used to get the service agent ID.
Terraform
Q2 2024
- Added the last used date info for service account access keys. You can find this info on the service account page in the management console or in the
last_used_atfield when using the API to invoke access key management methods.Management consoleAPI
Q1 2024
- Added the Security Token Service component to get temporary access keys compatible with AWS S3 API. This feature is at the Preview stage.
CLIAPI - Added OAuth client authentication support by authenticating a service account token.
- Added the option of using masked token ID for Audit Trails logs.
- Improved the key rotation mechanism in OpenID Connect.