You can use the IAM recommender to remediate excessive permissions for Google groups by transitioning from permanent role bindings to temporary, on-demand entitlements in Privileged Access Manager (PAM). This feature is in Preview.
To learn how to remediate excessive permissions, see Remediate excessive permissions with Privileged Access Manager.
Privileged Access Manager supports agent identities as grant requesters and approvers.
This feature is available in preview.
For more information, see Privileged Access Manager overview.
Agent Identity auth manager is available in preview. You can use Agent Identity auth manager to help securely authenticate your agents to third-party services using 3-legged OAuth, 2-legged OAuth, or API keys.
For more information, see Agent Identity auth manager.
Agent Identity is generally available (GA). Agent Identity provides a strongly attested, cryptographic identity for each agent that is tied to the lifecycle of the resource hosting the agent.
For more information, see Agent Identity overview.
Requesters can schedule grant requests in Privileged Access Manager up to seven days in advance. This lets requesters align access with scheduled maintenance or on-call shifts.
This feature is in preview.
For more information, see Privileged Access Manager overview.
Organization Policy Service custom constraints are available for managed workload identity and Workload Identity Federation. You can use custom constraints to control how managed workload identity and Workload Identity Federation are used in your organization. For more information, see Custom organization policy constraints for managed workload identity and Custom organization policy constraints for Workload Identity Federation.
Gemini assistance in the IAM role picker is generally available.
For more information, see Get predefined role suggestions with Gemini assistance.
Managed workload identities are generally available.
For more information, see Managed workload identities overview.
Service account principal sets are generally available. You can use service account principal sets to reference all service accounts or service agents in a project, folder, or organization when writing allow policies, deny policies, and access policies.
The ability to self-grant missing permissions from permission error messages is generally available.
To learn how to request missing permissions, see Request missing permissions.
You can disable the option to send auto-generated access requests from permission error messages. This feature is in preview.
To learn how to disable these requests, see Disable auto-generated access request emails.
You can ask Gemini for predefined role suggestions (preview) without enabling any APIs.
In addition, you can get custom role suggestions from Gemini using the Cloud Assist panel in the Google Cloud console.
For more information, see Get predefined role suggestions with Gemini assistance.
A new infinite-scrolling UI for audit logs is available on the Privileged Access Manager > Audit logs page in the Google Cloud console. This interface update replaces pagination with clear data loading indicators and time boundaries to facilitate event investigations.
This feature is in preview.
Privileged Access Manager (PAM) offers the following features in preview:
For Privileged Access Manager, notification emails for grant activation, activation failure, or denial no longer include approver details.
To learn how to view the approver details, see Check grant status.
IAM offers predefined roles that are tailored to specific job functions. These roles cover all of the permissions that a user might need to perform their job. This feature is generally available.
For more information, see Predefined roles for job functions.
Permission errors in the Google Cloud console contain actionable steps for remediation. For more information, see Troubleshoot permission error messages.
You can ask Gemini for predefined role suggestions using the IAM role picker in the Google Cloud console. This feature is in preview.
For more information, see Get predefined role suggestions with Gemini assistance.
Conditions that check the tags for a resource can also check other attributes, such as the resource name or the timestamp of the request. This feature is available in Preview. For more information, see Resource tags.
Workforce Identity Federation supports detailed audit logging, which you can use to troubleshoot attribute mapping issues. This feature is generally available.
The predefined role reference and the permissions reference have been reorganized to improve performance and searchability. To see the new experience, visit the IAM roles and permissions index.
Workload Identity Federation support for X.509 certificates is generally available.
A new enforcement version, enforcement version 3, is available for principal access boundary policies. To learn more about enforcement versions and see the permissions that enforcement version 3 can block, see Permissions that principal access boundary policies can block.
Workforce Identity Federation can map up to 400 groups from Microsoft Entra ID. The feature is generally available. To learn more, see Configure Workforce Identity Federation with Microsoft Entra ID and a large number of groups.
Workforce Identity Federation supports an attribute mapping of up to 400 groups and a maximum size of 16 KB.
Principal access boundary policies are generally available. You can use principal access boundary policies to limit the resources that a principal is eligible to access.
Using IAM attributes in custom organization policies is generally available. For more information, see Use custom organization policies.
You can use the iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts managed organization policy constraint to prevent default service accounts from being granted the Editor (roles/editor) or Owner (roles/owner) roles. For more information, see Prevent the Owner and Editor role from being granted to default service accounts.
Privileged Access Manager (PAM) is now released to General Availability. The following features have been added:
You can manage IAM deny policies using the Google Cloud console. For more information, see Deny access to resources.
You can attach tags to Identity and Access Management (IAM) service accounts to conditionally grant or deny access to specific service accounts. This feature is in Preview. For more information, see Creating and managing tags for service accounts.
You can use IAM attributes in custom organization policies to control how your allow policies can be modified. For more information, see Use custom organization policies.
You can use principal access boundary policies to limit the resources that a principal is eligible to access. This feature is available in Preview.
Privileged Access Manager (PAM) lets you manage just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when. This feature is in Preview.
As of May 3, 2024, when you create a new organization, it enforces the following organization policy constraints by default:
iam.disableServiceAccountKeyCreation
iam.disableServiceAccountKeyUpload
iam.automaticGrantsForDefaultServiceAccounts
iam.allowedPolicyMemberDomains
For more information, see Restricting service account usage and Restricting identities by domain.
You can use the iam.serviceAccountKeyExposureResponse organization policy constraint to help manage leaked service account credentials.
To improve performance, we've removed the ability to expand abbreviated permissions in the predefined roles table. You can still filter the predefined roles table based on the full list of permissions included in a role.
Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. The feature is in Preview. Google Cloud provisions X.509 credentials, issued from Certificate Authority Service, that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication. For more information, see Managed workload identities overview.