© 2026 Direct Cursus Technology L.L.C.

Yandex Identity and Access Management release notes

Written by Yandex Cloud
Updated at December 29, 2025
  • November 2025
  • October 2025
  • Q3 2025
  • Q2 2025
  • Q1 2025
  • Q4 2024
  • Q3 2024
  • Q2 2024
  • Q1 2024

Labels next to each update description indicate the interface that supports the update: management console, CLI, API, or Terraform.

November 2025

  • Added the ability to view a list of subject’s accesses using the CLI and API. [Management console] [CLI] [API]

  • Added the following roles:

    Yandex Cloud Interconnect
    User role | Description
    cic.admin | Enables managing Cloud Interconnect resources.

    Yandex Cloud Router
    User role | Description
    cloud-router.admin | Enables managing Cloud Router resources.
    cloud-router.prefixEditor | Enables managing IP prefixes of cloud subnets in routing instances, as well as viewing info on Cloud Router resources.

    Yandex Identity Hub
    User role | Description
    organization-manager.idpInstances.billingAdmin | Enables managing your subscription to the paid Identity Hub features.
    organization-manager.idpInstances.billingViewer | Enables viewing the list of users who employ the Identity Hub authentication quota in the current reporting period, as well as viewing info on a subscription to the paid-for Identity Hub features and stats regarding the use of the quotas within this subscription.

October 2025

  • Added support for managing service access to user resources via the management console. [Management console]

  • Added the following roles:

    Managed databases
    User role | Description
    mdb.restorer | Allows restoring managed database clusters from backups and grants read access to such clusters and their logs.

    Yandex Identity Hub
    User role | Description
    organization-manager.groups.externalConverter | Allows adding an attribute with an external group ID to Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.
    organization-manager.groups.externalCreator | Allows creating Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.
    organization-manager.userpools.syncAgent | Allows synchronizing Identity Hub users and groups with users and groups in Active Directory or another external source.

    Yandex Managed Service for Apache Kafka®
    User role | Description
    managed-kafka.restorer | Allows restoring Apache Kafka® clusters from backups, viewing information about such clusters and their logs, as well as information about quotas and Managed Service for Apache Kafka® resource operations.

    Yandex Managed Service for ClickHouse®
    User role | Description
    managed-clickhouse.restorer | Allows restoring ClickHouse® clusters from backups, viewing information about ClickHouse® clusters and their logs, as well as information about quotas and Managed Service for ClickHouse® resource operations.

    Yandex Managed Service for MySQL®
    User role | Description
    managed-mysql.restorer | Allows restoring MySQL® clusters from backups, viewing information about MySQL® clusters, hosts, databases, and users, cluster logs, as well as information about quotas and Managed Service for MySQL® resource operations.

    Yandex Managed Service for OpenSearch
    User role | Description
    managed-opensearch.restorer | Allows restoring OpenSearch clusters from backups, viewing information about OpenSearch clusters and their logs, as well as information about quotas and Managed Service for OpenSearch resource operations.

    Yandex Managed Service for PostgreSQL
    User role | Description
    managed-postgresql.restorer | Allows restoring PostgreSQL clusters from backups, viewing information about PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about quotas and Managed Service for PostgreSQL resource operations.

    Yandex Managed Service for Sharded PostgreSQL
    User role | Description
    managed-spqr.restorer | Allows restoring Sharded PostgreSQL clusters from backups, viewing information about Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as information about quotas and Managed Service for Sharded PostgreSQL resource operations.

    Yandex Managed Service for Valkey™
    User role | Description
    managed-redis.restorer | Allows restoring Valkey™ clusters from backups, viewing information about Valkey™ hosts and clusters, their logs, as well as information about quotas and Yandex Managed Service for Valkey™ resource operations.

    Yandex MPP Analytics for PostgreSQL
    User role | Description
    managed-greenplum.restorer | Allows restoring Greenplum® clusters from backups, viewing information about Greenplum® clusters and hosts, their logs, as well as information about quotas and Yandex MPP Analytics for PostgreSQL resource operations.

    Yandex StoreDoc
    User role | Description
    managed-mongodb.restorer | Allows restoring MongoDB clusters from backups, viewing information about MongoDB clusters, hosts, shards, databases, and users, cluster logs, as well as information about quotas and Yandex StoreDoc resource operations.

Q3 2025

  • Implemented management of OAuth client secrets using the CLI and API. [CLI] [API]
  • Added a group of commands for OAuth client management to the CLI and API. [CLI] [API]

Q2 2025

  • Enabled creating and using refresh tokens. [CLI]

Q1 2025

  • Added new scopes for API keys and the ability to assign more than one scope per service. [Management console] [CLI] [Terraform] [API]
  • Workload identity federations are now available to all users. [Management console] [CLI] [Terraform] [API]
  • Added the ability to create an ID token for a service account, a special short-lived token for authentication in third-party systems. [Management console] [CLI] [Terraform] [API]

Q4 2024

  • Added sending the CreateIamToken data event when creating an IAM token.
  • Expanded the scope of limited-lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers. [Management console] [CLI] [Terraform] [API]
  • You can now see the service account's last authentication date and time. You can get the information in the last_authenticated_at field using the yc iam user-account get Yandex Cloud CLI command. [CLI]

Q3 2024

  • Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys. [Management console] [CLI] [Terraform] [API]
  • You can now create API keys with limited scope and validity period. [Management console] [CLI] [Terraform] [API]
  • Added the ResolveAgent REST API method. [API]
  • Added the ability to revoke an IAM token using the Yandex Cloud CLI. [CLI]
  • Added the "All users in organization X" and "All users in federation N" system groups.
  • Added the Terraform data source used to get the service agent ID. [Terraform]

Q2 2024

  • Added last-used date information for service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods. [Management console] [API]

Q1 2024

  • Added the Security Token Service component to get temporary access keys compatible with the AWS S3 API. This feature is at the Preview stage. [CLI] [API]
  • Added OAuth client authentication support by authenticating a service account token.
  • Added the option of using a masked token ID for Audit Trails logs.
  • Improved the key rotation mechanism in OpenID Connect.
