Yandex Identity and Access Management release notes

Labels next to update description indicate the interface supporting the update: management console, CLI, API, or Terraform.

Q3 2025Q3 2025

• Added the ability to view a list of subject’s accesses using the CLI and API. Management console CLI API
• Implemented management of OAuth client secrets using the CLI and API. CLI API
• Added a group of commands for OAuth client management to the CLI and API. CLI API

Q2 2025Q2 2025

• Enabled creating and using refresh tokens. CLI

Q1 2025Q1 2025

• Added new scopes for API keys and the ability to assign more than one scope per service. Management console CLI Terraform API
• Workload identity federations are now available to all users. Management console CLI Terraform API
• Added creating an ID token for service account, a special short-lived token for authentication in third-party systems. Management console CLI Terraform API

Q4 2024Q4 2024

• Added sending the CreateIamToken data event when creating an IAM token.
• Expanded the scope of limited lifetime API keys to work with Yandex Managed Service for YDB in compatibility mode with PostgreSQL, Yandex Cloud Postbox, and Yandex Serverless Containers. Management console CLI Terraform API
• You can now see the service account's last authentication date and time. You can get the information in the last_authenticated_at field using the yc iam user-account get Yandex Cloud CLI command. CLI

Q3 2024Q3 2024

• Added Workload Identity Federations that allow you to grant access to external applications without using long-lived access keys. Management console CLI Terraform API
• You can now create API keys with limited scope and validity period. Management console CLI Terraform API
• Added the ResolveAgent REST API method. API
• Added the ability to revoke an IAM token using Yandex Cloud CLI. CLI
• Added All users in organization X and All users in federation N system groups.
• Added the Terraform data source used to get the service agent ID. Terraform

Q2 2024Q2 2024

• Added the last used date info for service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods. Management console API

Q1 2024Q1 2024

• Added the Security Token Service component to get temporary access keys compatible with AWS S3 API. This feature is at the Preview stage. CLI API
• Added OAuth client authentication support by authenticating a service account token.
• Added the option of using masked token ID for Audit Trails logs.
• Improved the key rotation mechanism in OpenID Connect.