Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

May 14, 2025

AlloyDB for PostgreSQL

Apigee X

On May 14, 2025, we released an updated version of Apigee (1-15-0-apigee-4).

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

  • The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

  • The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Bug ID      Description
391140293   Resolved scaling issue resulting in 503 errors. Added drainDuration and updated the values for terminationDrainDuration and terminationGracePeriodSeconds.
391862684   Resolved issue with requests stuck at Message Processor causing timeouts.
N/A         Updates to security infrastructure and libraries.

BigQuery

You can now schedule automated data transfers from Snowflake to BigQuery using the BigQuery Data Transfer Service. This feature is in preview.

BigQuery now supports cross-region transfers for batch loading and exporting data. You can load or export your data from any region or multi-region to any other region or multi-region using a single bq load, LOAD DATA, bq extract, or EXPORT DATA statement. This feature is generally available (GA).

Vector indexes support the TreeAH index type, which uses Google's ScaNN algorithm. The TreeAH index is optimized for efficient batch processing, capable of handling anywhere from a few thousand to hundreds of thousands of embeddings at once. This feature is generally available (GA).

Cloud SQL for SQL Server

Cloud SQL for SQL Server now supports TLS connections to Active Directory endpoints without requiring server certificate trust or the use of IP addresses. Existing server certificates will need to be rotated to use this feature.

Gemini Code Assist

Create custom commands

You can now configure and use custom commands with IntelliJ Gemini Code Assist (version 1.15.0). Create, save, and execute your own pre-configured prompts to perform repetitive tasks faster and more easily in the IDE.

To view the custom commands settings, go to Settings > Tools > Gemini > Prompt Library.

IntelliJ Prompt Library

Chat responses with error messages now have action buttons for IntelliJ Gemini Code Assist (version 1.15.0).

Google Cloud Contact Center as a Service

Mobile SDK 2.12 is released

Mobile SDK 2.12 includes the following updates:

  • Added support for the following languages:
    • Ukrainian
    • English - India
    • Hindi
    • Romanian
    • Croatian
    • Russian
    • Tagalog
  • End-users can receive and download attachments during sessions. The following file types are supported:
    • Images: JPEG, JPG, PNG, GIF, WebP
    • Video: MP4, MOV, AVI, WMV, WebM
    • Audio: MP3, WAV, M4A, WEBA
    • Other file types: PDF, DOC, XLS, PPT, CSV, TXT

Google Distributed Cloud (software only) for VMware

Preview: You can use the Google Cloud console to create admin clusters and view admin cluster details. For more information, see Create an admin cluster.

Google SecOps

New premium versions of the following parsers are now available:

  • ZSCALER_WEBPROXY
  • ZSCALER_FIREWALL
  • ZSCALER_DNS
  • ZSCALER_INTERNET_ACCESS
  • ZSCALER_VPN
  • ZSCALER_ZPA
  • ZSCALER_TUNNEL
  • ZSCALER_CASB
  • ZSCALER_DLP
  • ZSCALER_ADMIN_AUDIT

We recommend using the documented topology for each parser.

Google SecOps SIEM

New premium versions of the following parsers are now available:

  • ZSCALER_WEBPROXY
  • ZSCALER_FIREWALL
  • ZSCALER_DNS
  • ZSCALER_INTERNET_ACCESS
  • ZSCALER_VPN
  • ZSCALER_ZPA
  • ZSCALER_TUNNEL
  • ZSCALER_CASB
  • ZSCALER_DLP
  • ZSCALER_ADMIN_AUDIT

We recommend using the documented topology for each parser.

Looker

Looker 25.8 is expected to include the following changes, features, and fixes:

  • Expected Looker (original) deployment start: Monday, May 19, 2025

  • Expected Looker (original) final deployment and download available: Thursday, May 29, 2025

  • Expected Looker (Google Cloud core) deployment start: Monday, May 19, 2025

  • Expected Looker (Google Cloud core) final deployment: Monday, June 2, 2025

An issue has been fixed where HTML in a LookML dimension wasn't being applied to Y-axis labels. This feature now performs as expected.

SSL host validation is now enabled by default. If any of your SSL certificates are invalid, certain Looker workflows may break.

You can now create connections using the Amazon Redshift 2.1+ or Amazon Redshift Serverless 2.1+ SQL dialect, both of which use the Redshift JDBC driver. Connections with the original Amazon Redshift SQL dialect option use the Postgres JDBC driver.

The Presto JDBC driver version has been updated to 0.291.

You can now select the JDBC driver version when you create or edit a connection.

The sync_lookml_dashboard API endpoint now accepts an optional dashboard_ids parameter to specify a subset of dashboards to synchronize.

The gemini_in_looker permission can now be applied to selected models on the Looker instance. The Gemini role still applies the gemini_in_looker permission to all models on the Looker instance; however, if needed, Looker admins can manually restrict use of Gemini in Looker to specific models by creating and assigning a Looker role with gemini_in_looker permissions on limited models.

When you create a custom measure, suggestions are now displayed for tier filters.

An issue has been fixed where some of the Project API endpoints wouldn't create a fresh dev mode copy of the LookML project files if no dev mode copy already existed. These endpoints now work as expected.

An issue has been fixed where Elite System Activity data could be delayed. This feature now performs as expected.

An issue has been fixed where navigating between Looks could cause the System Activity Explore to correlate an incorrect Look ID with a query ID. This feature now performs as expected.

An issue has been fixed where filtering on a pivoted field while Grid Layout by Row was enabled could return a server error. This feature now performs as expected.

An issue has been fixed where duplicating a dashboard tile and editing it could cause the tile to load indefinitely. This feature now performs as expected.

An issue has been fixed where scheduled reports could include limited columns even if All Results was enabled for the schedule. This feature now performs as expected.

An issue has been fixed where links in data tables couldn't be clicked. This feature now performs as expected.

An issue has been fixed where changes to the row limit and visualization configuration that were applied by custom visualizations were not saved in the System Activity query record. This feature now performs as expected.

An issue has been fixed where Looks could appear before dashboards in embedded folder navigation. This feature now performs as expected.

An issue has been fixed where running queries would not be canceled if a user navigated away from a dashboard, for example, by clicking an Explore from here link. This feature now performs as expected.

An issue has been fixed where all the folders in the IDE would collapse when a user toggled a folder on a new session. This feature now performs as expected.

An issue has been fixed where a scatterplot visualization could crash if there were less than three rows of data and clustering was enabled. This feature now performs as expected.

An issue has been fixed where additional queries that were used for totals and pivots would not include context comments. These queries now include context comments, and this feature performs as expected.

An issue has been fixed where blank measure filters could prevent Looker from correctly displaying subtotals in table visualizations. This feature now performs as expected.

An issue has been fixed where the BigQuery storage project ID could be set to a user attribute value, even though Looker doesn't support user attributes in this field. The user interface for the Connections page has been updated, and this feature now performs as expected.

Previously, using Application Default Credentials (ADC) with a BigQuery connection caused Looker to incorrectly display the service account file upload button on the PDT Override panel; this button has now been removed and this feature now performs as expected.

May 13, 2025

BigQuery

The following SQL features are now generally available (GA) in BigQuery:

Bigtable

You can export query results from Bigtable Studio. This feature is generally available (GA).

For more information, see Manage your data using Bigtable Studio.

Cloud Run

Labels you previously set for your Cloud Run functions using either gcloud functions commands or the Cloud Functions v2 API propagate to Cloud Run when you deploy your functions in Cloud Run. For more information on creating labels in Cloud Run, see Configure labels for services.

Cloud Run functions

Labels you previously set for your Cloud Run functions using either gcloud functions commands or the Cloud Functions v2 API propagate to Cloud Run when you deploy your functions in Cloud Run. For more information on creating labels in Cloud Run, see Configure labels for services.

Compute Engine

Google has applied fixes for a vulnerability (CVE-2024-45332) affecting the following Intel processors: CascadeLake, Ice Lake XeonSP, Ice Lake XeonD, Sapphire Rapids and Emerald Rapids. For more information, see the GCP-2025-025 security bulletin.

Dataplex

Bulk export of universal catalog metadata is generally available (GA).

You can export universal catalog metadata into Cloud Storage and then use it for tasks that require comprehensive retrieval of metadata. You can also query and analyze the exported metadata in BigQuery.

For more information, see Export metadata.

Datastream

Datastream is now available in the europe-north2 (Stockholm) region. For the list of all available regions, see IP allowlists and regions.

Google Cloud Contact Center as a Service

Version 3.34 is released

All release notes published on this date are part of version 3.34.

The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.

Co-browse is renamed to Screen Share

We've renamed the Co-browse capability to Screen Share. We've made this change in the user interface and in the documentation. However, we haven't renamed any endpoint, property, object, or other programmatic element in the APIs or the SDKs for this update.

Manual wrap-up is automatically assigned to the last completed chat

When an agent manually enters wrap-up status, wrap-up is automatically assigned to the agent's last completed chat.

Spelling and grammar check is available for SMS and WhatsApp sessions

Spelling and grammar check is now available for SMS and WhatsApp chat sessions.

Virtual agent to virtual agent chat transfers

A virtual agent can now transfer a chat session to another virtual agent by transferring to the queue that the destination virtual agent is assigned to.

The following issues were addressed in this release:

  • Fixed an issue that prevented agents from calling other agents using a phone number with an extension.
  • Fixed an issue where a phone number with an extension and a comma separator was not displaying correctly.
  • Fixed an issue where some properties in the session metadata file were not correct for a session that was monitored by another user.
  • Fixed an issue where chat duration was incorrect in reporting.
  • Fixed an issue where a user was unable to change from the wrap-up status to another status.
  • Fixed an issue where call IDs mistakenly appeared in agent activity timeline reports.
  • Fixed an issue where the scroll bar didn't appear in the chat navigation panel of the chat adapter. This prevented agents from scrolling to chats that were hidden from view.
  • Fixed an issue where error messages were mistakenly sent to end-users while they were waiting for a virtual agent to connect to their session.
  • Fixed an issue where the Performance Overview Dashboard was displaying incorrect information on the Chats > Queue Abandoned and Virtual Agent Chat > Total Escalations tiles.
  • Fixed an issue where sessions that were escalated by a virtual agent arrived in the destination queue and were never assigned to an agent because of an error in prioritization.
  • Fixed an issue where auto-generated session summaries for the virtual agent segments of a session were not appearing in the agent adapter.
  • Fixed an issue where a Screen Share error message mistakenly appeared the next time Screen Share was attempted.
  • Fixed an issue where links that agents sent to end-users in a chat session did not have underscores, despite rich messaging being turned on.
  • Fixed an issue where email was causing abnormally high CPU usage.
  • Fixed an issue where message preview was not working in the agent adapter for web SDK and chat.
  • Fixed an issue where the incorrect error message appeared when SSO sign-in failed.
  • Fixed an issue where manual wrap-up caused high CPU usage.
  • Fixed an issue where Chat ID was not available as an incoming field type when adding a parameter for post-session chat transfers.
  • Fixed an issue where agents were unable to send messages in the chat adapter.
  • Fixed an issue where the chat shortcut list continued to display after the agent deleted the shortcut keyword from the chat text field.
  • Fixed an issue where chat shortcut categories were appearing in the shortcut list in the chat adapter despite the fact that they contained no chat shortcuts.
  • Fixed an issue in the chat adapter where the View original and View translation links were not translated into the language of the chat adapter.
  • Fixed a Workforce Management issue where login durations for events that spanned multiple intervals were incorrectly reported.
  • Fixed a Workforce Management issue where short abandoned chat counts were incorrectly reported.
  • Fixed a Workforce Management issue where the historical or ready time values exceeded 900 seconds.
  • Fixed a Workforce Management issue where reporting data was missing for sessions over 45 minutes.
  • Fixed a Workforce Management issue where hold duration was counted multiple times in reporting.
  • Fixed a Workforce Management issue where query performance was sub-optimal.
  • Fixed a Workforce Management issue where the OutboundCount and OutboundHandleTime calculations were incorrect in the AgentSystem report.
  • Fixed a Workforce Management issue where agent queue data was not given the same treatment for calls as it was for chats.
  • Fixed an agent desktop issue where the calls waiting and chats waiting fields in the menu bar displayed incorrect text when the French language was selected.
  • Fixed an agent desktop issue where the Insert summary button (for inserting a generated session summary) appeared during wrap-up even when session summarization was turned off.
  • Fixed an agent desktop issue where a View Previous banner mistakenly appeared when clicking the chats field in the menu bar.
  • Fixed an agent desktop issue in the session data feed, where the date and time were not formatted correctly in French.
  • Fixed an agent desktop issue where an agent who transferred a session and then left it was unable to see the chat adapter after being re-added to the session.

Google Kubernetes Engine

GKE now provides insights and recommendations that help you to identify and troubleshoot clusters with Custom Resource Definitions that contain an invalid or malformed Certificate Authority bundle, which might disrupt cluster operations. Implementing the recommendation helps you to keep your clusters stable and performant.

GKE Autopilot clusters fail to update the cgroup_mode field and display the following error:

ERROR: (gcloud.container.clusters.update) 
    ResponseError: code=400,
    message=INVALID_ARGUMENT: invalid node_pool_auto_config.linux_node_config.
    Allowed fields are: ["cgroup_mode"]

This issue occurs in all GKE versions. A fix for this issue is in progress. For more information, see Migrate nodes to Linux cgroupv2.

Looker

You can now create Looker (Google Cloud core) instances that use Private Service Connect with a hybrid network configuration. Instances that have this type of configuration will allow secure inbound access through a web URL and will connect to external services through a private network.

Spanner

Spanner now supports the INTERVAL data type in GoogleSQL and PostgreSQL, which represents a duration or an amount of time.

For more information, see Interval functions in GoogleSQL and PostgreSQL data types.

Spanner now supports the SPLIT_SUBSTR() GoogleSQL function, which splits an input string using a delimiter and returns a substring composed of a specific number of segments, starting from a given segment index.

Spanner also supports the following GoogleSQL aliases:

May 12, 2025

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigquery

2.50.0 (2025-05-06)

Features
  • Add WRITE_TRUNCATE_DATA as an enum value for write disposition (#3752) (acea61c)
  • bigquery: Add support for reservation field in jobs. (#3768) (3e97f7c)
Dependencies
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.63.0 (#3770) (934389e)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250404-2.0.0 (#3754) (1381c8f)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250427-2.0.0 (#3773) (c0795fe)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.3 (#3772) (ab166b6)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.47.0 (#3779) (b27434b)

BigQuery resource utilization charts have the following changes:

  • The default timeline shown in the event timeline chart has changed from one to six hours.
  • Several improvements have been made to the views, including a new reservation slot usage view. This view helps monitor idle, baseline, and autoscaled slot usage.

This feature is in Preview.

You can now view the Query text section in a BigQuery execution graph to understand how the stage steps are related to the query text. This feature is in preview.

You can now use BigQuery and BigQuery DataFrames to enable multimodal analysis, transformation, and data engineering (ELT) workflows in both SQL and Python. Use multimodal data features to do the following:

This feature is in Preview.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.58.2 (2025-05-08)

Bug Fixes
  • Use service name as the default audience (#2579) (af6d7bd)
Dependencies

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.22.3 (2025-05-06)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.3 (844f4fa)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.3 (#1801) (d7aa7bc)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.47.0 (#1803) (5967ffe)
  • Update googleapis/sdk-platform-java action to v2.57.0 (#1804) (e9a27ec)

Compute Engine

A vulnerability (CVE-2024-28956) affecting Intel Cascade Lake processors and Intel Ice Lake processors was discovered and is being addressed. For more information, see the GCP-2025-024 security bulletin.

Public preview: In a managed instance group (MIG), you can use a health check to monitor your application health without triggering repairs of an unhealthy VM, if the application fails the health check. You can prevent the MIG from repairing an unhealthy VM by turning off autohealing. For more information, see Turn off repairs in a MIG.

Container Optimized OS

cos-113-18244-382-15

Kernel        Docker    Containerd  GPU Drivers
COS-6.1.134   v24.0.9   v1.7.27     See List

Fixed issue where modinfo could not display module signatures.

Updated apparmor to 3.1.6. This fixes CVE-2016-1585.

Upgraded containerd to 1.7.27. Fixes CVE-2024-40635.

Fixed CVE-2024-50063 in the Linux kernel.

Fixed CVE-2024-26739 in the Linux kernel.

Fixed CVE-2025-21853 in the Linux kernel.

Fixed KCTF-342debc in the Linux kernel.

Fixed KCTF-3df275e in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812040 -> 812054

cos-dev-125-19041-0-0

Kernel        Docker    Containerd  GPU Drivers
COS-6.6.89    v27.5.1   v2.0.4      See List

Upgraded app-admin/google-guest-configs to v20250501.00.

Added support for 7th generation TPU devices.

Updated the Linux kernel to v6.6.89.

Increased kdump memory reservation.

Fixed issue where modinfo could not display module signatures.

Updated apparmor to 3.1.6. This fixes CVE-2016-1585.

Runtime sysctl changes:

  • Changed: fs.file-max: 811773 -> 811729

cos-117-18613-263-13

Kernel        Docker    Containerd  GPU Drivers
COS-6.6.87    v24.0.9   v1.7.27     See List

Upgraded app-admin/google-guest-configs to v20250501.00.

Added support for 7th generation TPU devices.

Fixed issue where modinfo could not display module signatures.

Updated apparmor to 3.1.6. This fixes CVE-2016-1585.

Upgraded containerd to 1.7.27. Fixes CVE-2024-40635.

Fixed KCTF-3df275e in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811816 -> 811830

cos-109-17800-519-7

Kernel        Docker    Containerd  GPU Drivers
COS-6.1.135   v24.0.9   v1.7.27     See List

Fixed issue where modinfo could not display module signatures.

Updated apparmor to 3.1.6. This fixes CVE-2016-1585.

Upgraded containerd to 1.7.27. Fixes CVE-2024-40635.

Updated NVIDIA GPU drivers to v535.247.01 for default/R535, v550.163.01 for R550, and v570.133.20 for latest/R570. This resolves CVE-2025-23244.

Fixed CVE-2024-26739 in the Linux kernel.

Fixed KCTF-3df275e in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812287 -> 812270

cos-121-18867-90-23

Kernel        Docker    Containerd  GPU Drivers
COS-6.6.87    v27.5.1   v2.0.4      See List

Upgraded app-admin/google-guest-configs to v20250501.00.

Added support for 7th generation TPU devices.

Fixed issue where modinfo could not display module signatures.

Updated apparmor to 3.1.6. This fixes CVE-2016-1585.

Fixed KCTF-3df275e in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811788 -> 811731

Dataflow

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for dataflow/apiv1beta3

0.11.0 (2025-05-06)

Features
  • dataflow: A new enum StreamingMode is added (2f22244)
  • dataflow: A new field bugs is added to message .google.dataflow.v1beta3.SdkVersion (2f22244)
  • dataflow: A new field data_sampling is added to message .google.dataflow.v1beta3.DebugOptions (2f22244)
  • dataflow: A new field default_streaming_mode is added to message .google.dataflow.v1beta3.TemplateMetadata (2f22244)
  • dataflow: A new field default_value is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field disk_size_gb is added to message .google.dataflow.v1beta3.RuntimeEnvironment (2f22244)
  • dataflow: A new field dynamic_destinations is added to message .google.dataflow.v1beta3.PubsubLocation (2f22244)
  • dataflow: A new field enable_launcher_vm_serial_port_logging is added to message .google.dataflow.v1beta3.FlexTemplateRuntimeEnvironment (2f22244)
  • dataflow: A new field enum_options is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field group_name is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field hidden_ui is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field image_repository_cert_path is added to message .google.dataflow.v1beta3.ContainerSpec (2f22244)
  • dataflow: A new field image_repository_password_secret_id is added to message .google.dataflow.v1beta3.ContainerSpec (2f22244)
  • dataflow: A new field image_repository_username_secret_id is added to message .google.dataflow.v1beta3.ContainerSpec (2f22244)
  • dataflow: A new field name is added to message .google.dataflow.v1beta3.ListJobsRequest (2f22244)
  • dataflow: A new field parent_name is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field parent_trigger_values is added to message .google.dataflow.v1beta3.ParameterMetadata (2f22244)
  • dataflow: A new field runtime_updatable_params is added to message .google.dataflow.v1beta3.Job (2f22244)
  • dataflow: A new field satisfies_pzi is added to message .google.dataflow.v1beta3.Job (2f22244)
  • dataflow: A new field service_resources is added to message .google.dataflow.v1beta3.Job (2f22244)
  • dataflow: A new field step_names_hash is added to message .google.dataflow.v1beta3.PipelineDescription (2f22244)
  • dataflow: A new field straggler_info is added to message .google.dataflow.v1beta3.WorkItemDetails (2f22244)
  • dataflow: A new field straggler_summary is added to message .google.dataflow.v1beta3.StageSummary (2f22244)
  • dataflow: A new field streaming_mode is added to message .google.dataflow.v1beta3.Environment (2f22244)
  • dataflow: A new field streaming_mode is added to message .google.dataflow.v1beta3.FlexTemplateRuntimeEnvironment (2f22244)
  • dataflow: A new field streaming_mode is added to message .google.dataflow.v1beta3.RuntimeEnvironment (2f22244)
  • dataflow: A new field streaming is added to message .google.dataflow.v1beta3.TemplateMetadata (2f22244)
  • dataflow: A new field supports_at_least_once is added to message .google.dataflow.v1beta3.TemplateMetadata (2f22244)
  • dataflow: A new field supports_exactly_once is added to message .google.dataflow.v1beta3.TemplateMetadata (2f22244)
  • dataflow: A new field trie is added to message .google.dataflow.v1beta3.MetricUpdate (2f22244)
  • dataflow: A new field update_mask is added to message .google.dataflow.v1beta3.UpdateJobRequest (2f22244)
  • dataflow: A new field use_streaming_engine_resource_based_billing is added to message .google.dataflow.v1beta3.Environment (2f22244)
  • dataflow: A new field user_display_properties is added to message .google.dataflow.v1beta3.JobMetadata (2f22244)
  • dataflow: A new message DataSamplingConfig is added (2f22244)
  • dataflow: A new message HotKeyDebuggingInfo is added (2f22244)
  • dataflow: A new message ParameterMetadataEnumOption is added (2f22244)
  • dataflow: A new message RuntimeUpdatableParams is added (2f22244)
  • dataflow: A new message SdkBug is added (2f22244)
  • dataflow: A new message ServiceResources is added (2f22244)
  • dataflow: A new message Straggler is added (2f22244)
  • dataflow: A new message StragglerInfo is added (2f22244)
  • dataflow: A new message StragglerSummary is added (2f22244)
  • dataflow: A new message StreamingStragglerInfo is added (2f22244)
  • dataflow: A new method_signature job,update_mask is added to method UpdateJob in service JobsV1Beta3 (2f22244)
  • dataflow: A new value BIGQUERY_TABLE is added to enum ParameterType (2f22244)
  • dataflow: A new value BOOLEAN is added to enum ParameterType (2f22244)
  • dataflow: A new value ENUM is added to enum ParameterType (2f22244)
  • dataflow: A new value GO is added to enum Language (2f22244)
  • dataflow: A new value JAVASCRIPT_UDF_FILE is added to enum ParameterType (2f22244)
  • dataflow: A new value KAFKA_READ_TOPIC is added to enum ParameterType (2f22244)
  • dataflow: A new value KAFKA_TOPIC is added to enum ParameterType (2f22244)
  • dataflow: A new value KAFKA_WRITE_TOPIC is added to enum ParameterType (2f22244)
  • dataflow: A new value KMS_KEY_NAME is added to enum ParameterType (2f22244)
  • dataflow: A new value MACHINE_TYPE is added to enum ParameterType (2f22244)
  • dataflow: A new value NUMBER is added to enum ParameterType (2f22244)
  • dataflow: A new value SERVICE_ACCOUNT is added to enum ParameterType (2f22244)
  • dataflow: A new value WORKER_REGION is added to enum ParameterType (2f22244)
  • dataflow: A new value WORKER_ZONE is added to enum ParameterType (2f22244)
Bug Fixes
  • dataflow: An existing oauth_scope `https (2f22244)
Documentation
  • dataflow: A comment for enum JobState is changed (2f22244)
  • dataflow: A comment for enum WorkerIPAddressConfiguration is changed (2f22244)
  • dataflow: A comment for enum value JOB_VIEW_ALL in enum JobView is changed (2f22244)
  • dataflow: A comment for field additional_experiments in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field additional_user_labels in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field bypass_temp_dir_validation in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field capabilities in message .google.dataflow.v1beta3.SdkHarnessContainerImage is changed (2f22244)
  • dataflow: A comment for field current_state in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field dataset in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field debug_options in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field dump_heap_on_oom in message .google.dataflow.v1beta3.FlexTemplateRuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field dynamic_template in message .google.dataflow.v1beta3.LaunchTemplateRequest is changed (2f22244)
  • dataflow: A comment for field enable_hot_key_logging in message .google.dataflow.v1beta3.DebugOptions is changed (2f22244)
  • dataflow: A comment for field enable_streaming_engine in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field environment in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field flex_resource_scheduling_goal in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field gcs_path in message .google.dataflow.v1beta3.DynamicTemplateLaunchParams is changed (2f22244)
  • dataflow: A comment for field gcs_path in message .google.dataflow.v1beta3.LaunchTemplateRequest is changed (2f22244)
  • dataflow: A comment for field id in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field ip_configuration in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field job_name in message .google.dataflow.v1beta3.LaunchTemplateParameters is changed (2f22244)
  • dataflow: A comment for field kms_key_name in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field launch_parameters in message .google.dataflow.v1beta3.LaunchTemplateRequest is changed (2f22244)
  • dataflow: A comment for field location in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field machine_type in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field max_workers in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field name in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field network in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field num_workers in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field project_id in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field requested_state in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field save_heap_dumps_to_gcs_path in message .google.dataflow.v1beta3.FlexTemplateRuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field service_account_email in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field service_account_email in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field service_kms_key_name in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field service_options in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field set in message .google.dataflow.v1beta3.MetricUpdate is changed (2f22244)
  • dataflow: A comment for field subnetwork in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field temp_location in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field transform_name_mapping in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field type in message .google.dataflow.v1beta3.Job is changed (2f22244)
  • dataflow: A comment for field worker_region in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field worker_region in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field worker_zone in message .google.dataflow.v1beta3.Environment is changed (2f22244)
  • dataflow: A comment for field worker_zone in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for field zone in message .google.dataflow.v1beta3.RuntimeEnvironment is changed (2f22244)
  • dataflow: A comment for message DynamicTemplateLaunchParams is changed (2f22244)
  • dataflow: A comment for message Job is changed (2f22244)
  • dataflow: A comment for message JobExecutionStageInfo is changed (2f22244)
  • dataflow: A comment for message JobMetrics is changed (2f22244)
  • dataflow: A comment for message LaunchTemplateParameters is changed (2f22244)
  • dataflow: A comment for message MetricUpdate is changed (2f22244)
  • dataflow: A comment for message SdkHarnessContainerImage is changed (2f22244)
  • dataflow: A comment for message Step is changed (2f22244)
  • dataflow: A comment for method AggregatedListJobs in service JobsV1Beta3 is changed (2f22244)
  • dataflow: A comment for method CreateJob in service JobsV1Beta3 is changed (2f22244)
  • dataflow: A comment for method CreateJobFromTemplate in service TemplatesService is changed (2f22244)
  • dataflow: A comment for method GetTemplate in service TemplatesService is changed (2f22244)
  • dataflow: A comment for method LaunchTemplate in service TemplatesService is changed (2f22244)
  • dataflow: A comment for method ListJobs in service JobsV1Beta3 is changed (2f22244)
  • dataflow: A comment for service FlexTemplatesService is changed (2f22244)

Dataproc

Dataproc Serverless for Spark: Spark UI for Dataproc Serverless batches and interactive sessions, which lets you monitor and debug your serverless Spark workloads, now features Event Timeline and Task Quantile views for enhanced troubleshooting.

Google Kubernetes Engine

In GKE version 1.33 and later, the Compute Engine persistent disk CSI Driver supports provisioning Hyperdisk Balanced High Availability volumes in the ReadWriteOnce, ReadWriteOncePod, and ReadWriteMany access modes. For more information, see Provisioning Hyperdisk Balanced High Availability volumes.

Google SecOps

A feature rollout on May 8, 2025, introduced new APIs that may require updated permissions for custom roles to access the detection UI page.

If you encounter access errors, update your permissions, as needed, or select Revert to Previous Detection Table on the detection page to revert to the previous UI.

YARA-L search with data tables updates

  • Data tables are now accessible from the Investigation menu, instead of Detection, in the web interface.
  • Data tables can now be used as a data source in search queries.
  • Role-based access control (RBAC) has been added to manage access to data tables.

Google SecOps SIEM

A feature rollout on May 8, 2025, introduced new APIs that may require updated permissions for custom roles to access the detection UI page.

If you encounter access errors, update your permissions, as needed, or select Revert to Previous Detection Table on the detection page to revert to the previous UI.

YARA-L search with data tables updates

  • Data tables are now accessible from the Investigation menu, instead of Detection, in the web interface.
  • Data tables can now be used as a data source in search queries.
  • Role-based access control (RBAC) has been added to manage access to data tables.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-pubsub

1.139.3 (2025-05-06)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.47.0 (#2414) (d78823f)
  • Update googleapis/sdk-platform-java action to v2.57.0 (#2415) (1ddf9b8)

1.139.2 (2025-05-05)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.3 (2b928a8)

Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.49.2 (#2399) (ff48708)
  • Update dependency com.google.cloud:google-cloud-core to v2.54.3 (#2393) (0ffa26a)
  • Update dependency com.google.cloud:google-cloud-storage to v2.52.1 (#2396) (283a6e1)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.3 (#2406) (8963ed0)

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Quotas resources. For more information, see Use custom organization policies. This feature is available in Preview.

Sensitive Data Protection

By default, scans for MAC_ADDRESS findings now include MAC_ADDRESS_LOCAL findings. Previously, you could only use this functionality if you set the InfoType.version of MAC_ADDRESS to latest in your InspectConfig.

You can still use the old version of MAC_ADDRESS by setting its InfoType.version to legacy or by using the MAC_ADDRESS_UNIVERSAL infoType. In 90 days, the new functionality will be promoted to legacy.

Virtual Private Cloud

You can exclude IP address ranges from being used for automatic IP address allocation for internal ranges. This feature is available in General Availability. For more information, see Reserve internal ranges.

reCAPTCHA

reCAPTCHA Mobile SDK v18.7.1 is now available for Android

This version contains reliability improvements in the execute() method.

May 11, 2025

Google SecOps SOAR

Release 6.3.45 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

May 10, 2025

AlloyDB for PostgreSQL

Due to a change to report replay_lsn more accurately during parallel replay, metrics might show a slightly higher replication lag.

Google SecOps SOAR

Release 6.3.44 is now available for all regions.

May 09, 2025

AlloyDB Omni

AlloyDB Omni version 16.3.0 with Red Hat Universal Base Image (UBI) as a base image is generally available (GA). The image is Red Hat certified and can also be accessed from the Red Hat Ecosystem Catalog. Version UBI 16.3.0 includes third-party extensions, including PostGIS and Orafce, which you can install on RPM-based Linux distributions. For more information about using UBI in AlloyDB Omni, see Install AlloyDB Omni on a VM.

Compute Engine

Public preview: A Security Risk Overview dashboard for Compute Engine, available in the Google Cloud console, shows the top Security Command Center findings that affect your Compute Engine resources.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.140-debian10, 2.0.140-rocky8, 2.0.140-ubuntu18
  • 2.1.88-debian11, 2.1.88-rocky8, 2.1.88-ubuntu20, 2.1.88-ubuntu20-arm
  • 2.2.56-debian12, 2.2.56-rocky9, 2.2.56-ubuntu22

Google Cloud VMware Engine

VMware Engine ve2 nodes are available in Montreal, Canada (northamerica-northeast1).

Google Kubernetes Engine

(2025-R18) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

  • Version 1.32.3-gke.1927002 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.11-gke.1131000
    • 1.31.7-gke.1212000
    • 1.32.2-gke.1297002
    • 1.32.3-gke.1785000
    • 1.32.3-gke.1927000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.11-gke.1157000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.7-gke.1265000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.3-gke.1785003 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.11-gke.1157000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.7-gke.1265000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.3-gke.1785003 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.33 to version 1.33.0-gke.1552000 with this release.

Regular channel

  • Version 1.32.2-gke.1297002 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.10-gke.1070000
    • 1.31.6-gke.1064001
    • 1.32.2-gke.1182003
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.11-gke.1131000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.7-gke.1212000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.11-gke.1131000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.7-gke.1212000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.2-gke.1297002 with this release.

Stable channel

There are no new releases in the Stable channel.

Extended channel

  • Version 1.32.2-gke.1297002 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.27.16-gke.2650000
    • 1.27.16-gke.2703000
    • 1.28.15-gke.2097000
    • 1.28.15-gke.2169000
    • 1.29.15-gke.1240000
    • 1.30.10-gke.1070000
    • 1.31.6-gke.1064001
    • 1.32.2-gke.1182003
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2121000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2664000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2121000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.11-gke.1131000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.7-gke.1212000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.2-gke.1297002 with this release.

No channel

1.33 is now available in the Rapid channel

Kubernetes 1.33 is now available in the Rapid channel. For more information about the content of Kubernetes 1.33, read the Kubernetes 1.33 Release Notes.

New features in 1.33

Deprecated in 1.33

The gitRepo volume driver is deprecated and disabled for security reasons. For more information, see KEP-5040.

Removed in 1.33

The status.nodeInfo.kubeProxyVersion field in the Node API object is no longer populated in 1.33 and later. This field actually reported the kubelet version, not the kube-proxy version. You can use status.nodeInfo.kubeletVersion to get the kubelet version. For more information, see KEP-4004.

Other changes in 1.33

containerd 2.0 is supported. For more information, see Migrate nodes to containerd 2.

Google SecOps

Google SecOps supports Self Service creation of custom log types. Self service custom log types let you create custom log types instantly instead of going through SecOps support, allowing quicker data onboarding. This feature will be available as a public preview starting the week of May 12, 2025.

Google SecOps SIEM

Google SecOps supports Self Service creation of custom log types. Self service custom log types let you create custom log types instantly instead of going through SecOps support, allowing quicker data onboarding. This feature will be available as a public preview starting the week of May 12, 2025.

Looker

If the Force mobile authentication setting is enabled, mobile users will be logged out after 60 minutes, rather than 30 minutes, of inactivity.

Memorystore for Valkey

Memorystore for Valkey now provides node-level metrics. This feature is Generally Available (GA). For more information, see Supported monitoring metrics.

Security Command Center

A Security Risk Overview dashboard for Compute Engine is available in the Google Cloud console. The dashboard, available in Preview, shows the top Security Command Center findings that affect your Compute Engine resources.

May 08, 2025

AlloyDB for PostgreSQL

AlloyDB supports IAM authentication in AlloyDB Studio. For more information, see Choose a database authentication method.

Cloud Database Migration Service

You can now use additional concurrency settings for heterogeneous SQL Server migration jobs with Database Migration Service. This lets you adjust the migration process to better align with your scenario.

For information about creating migration jobs using the new full dump configuration and maximum concurrent connection settings, see:

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Logging

Log Analytics can now automatically infer fields of a column when the data type is JSON. You can also view how often these inferred fields appear in your data.

Cloud SQL for MySQL

If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance.

For users of the Cloud SQL Auth Proxy:

  • If the Cloud SQL instance to which you're connecting is using shared certificate authority (CA) for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.13.0 or later.
  • If the Cloud SQL instance to which you're connecting is using customer-managed CA for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.14.3 or later.

Cloud SQL for PostgreSQL

If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance.

For users of the Cloud SQL Auth Proxy:

  • If the Cloud SQL instance to which you're connecting is using shared certificate authority (CA) for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.13.0 or later.
  • If the Cloud SQL instance to which you're connecting is using customer-managed CA for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.14.3 or later.

Cloud SQL for SQL Server

If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance.

For users of the Cloud SQL Auth Proxy:

  • If the Cloud SQL instance to which you're connecting is using shared certificate authority (CA) for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.13.0 or later.
  • If the Cloud SQL instance to which you're connecting is using customer-managed CA for its serverCaMode setting, then on the client side, you must use Cloud SQL Auth Proxy version 2.14.3 or later.

Dataproc Google Kubernetes Engine

In GKE version 1.32 and later, GKE Sandbox (gVisor) can now be configured with SYS_ADMIN privileges in GKE Autopilot. This lets you use Docker-in-Docker with gVisor in GKE Autopilot.

ClusterProfile sync is now available to generate a cluster inventory for an existing fleet. A cluster inventory lets you work with open source and third party integrations that use the ClusterProfile specification.

Looker Studio

New grid line options for cartesian charts

New grid line options let you set colors and line styles for individual axis grid lines, which makes it easier to distinguish between left or right y-axis grid lines.

The new grid line options are available only for cartesian charts in reports that have modern charts enabled.

Network Connectivity Center

You can use custom constraints to define your own restrictions on Google Cloud services for Network Connectivity Center resources. To learn about which Network Connectivity Center resources support custom constraints, and some sample use cases, see Use custom organization policies for Network Connectivity Center.

This feature is available in General Availability for the following resources:

  • Hubs
  • Spokes

It is available in Public preview for the Groups resource.

Security Command Center

The following Security Command Center Enterprise pages that you previously accessed through the Google Security Operations console are now under Security Command Center in the Google Cloud console:

The Security Command Center Enterprise left navigation also includes links to pages in the Google Security Operations console. For information about this navigation and accessing Google Security Operations pages, see Security Command Center Enterprise console.

Security Command Center Enterprise uses predefined security graph rules to identify issues. This feature is in Preview.

For more information, see Predefined security graph rules.

May 07, 2025

AlloyDB for PostgreSQL

You can migrate from Cloud SQL for PostgreSQL to AlloyDB for PostgreSQL using your Cloud SQL for PostgreSQL backup (GA). The Google Cloud CLI is also supported. For more information, see Migrate from Cloud SQL for PostgreSQL to AlloyDB.

AlloyDB lets you configure a deny maintenance period on clusters running the latest version. The feature is generally available (GA).

You can now build a vector embedding Extract, Transform, Load (ETL) pipeline that lets you generate and ingest embeddings from files or real time sources to AlloyDB using Google Cloud Dataflow. For more information, see Build realtime vector embedding pipeline for AlloyDB with Dataflow.

Assured Workloads

The following products are now supported by the following control packages. See supported products for more information:

  • Cloud Build, Cloud SQL for PostgreSQL, Cloud Workstations, Document AI, Firebase Security Rules, Cloud OS Login API, Storage Transfer Service:
    • Australia Regions
    • Australia Regions with Assured Support
    • Brazil Regions
    • Canada Protected B
    • Canada Regions
    • Canada Regions and Support
    • Chile Regions
    • EU Regions
    • EU Regions and Support
    • Hong Kong Regions
    • India Regions
    • Indonesia Regions
    • Israel Regions
    • Israel Regions and Support
    • Japan Regions
    • Qatar Regions
    • Singapore Regions
    • South Africa Regions
    • South Korea Regions
    • Switzerland Regions
    • Taiwan Regions
    • UK Regions
    • US Regions
    • US Regions and Support
  • Google Cloud NetApp Volumes:
    • Canada Regions
    • EU Regions
    • Singapore Regions
    • US Regions
  • Google Security Operations (Google SecOps) SOAR:
    • Australia Regions
    • Australia Regions with Assured Support
    • Brazil Regions
    • Chile Regions
    • Hong Kong Regions
    • India Regions
    • Indonesia Regions
    • Israel Regions
    • Israel Regions and Support
    • Japan Regions
    • Qatar Regions
    • Singapore Regions
    • South Africa Regions
    • South Korea Regions
    • Switzerland Regions
    • Taiwan Regions
    • UK Regions
    • US Regions
    • US Regions and Support

Bigtable

You can use Data Boost when you analyze your Bigtable data with BigQuery. This feature is available in Preview.

Cloud Composer

A new Cloud Composer release has started on May 07, 2025. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

Data lineage in Cloud Composer now uses OpenLineage in all regions supported by Cloud Composer. For more information about this feature, see the previous announcement.

For newly created Cloud Composer 3 environments, the minimum amount of memory is changed to 2 GB.

For newly created environments, database retention policy is now enabled by default in Google Cloud CLI, API, and Terraform. Before this change, it was enabled by default only in Google Cloud Console.

Improved the environment liveness monitoring. This change addresses some cases of transient failures that caused "Liveness probe failed" warnings in the environment's logs.

(Airflow 2.10.5) The apache-airflow-providers-google package was upgraded to version 15.1.0 in Cloud Composer 2 images and Cloud Composer 3 builds.

For more information about changes, see the apache-airflow-providers-google changelog from version 14.0.0 to version 15.1.0.

(Airflow 2.10.5) Changes in preinstalled packages:

  • apache-airflow-providers-standard was upgraded to 1.0.0 from 0.4.0.
  • aiosqlite was removed from preinstalled packages.
  • json-merge-patch was removed from preinstalled packages.
  • time-machine was removed from preinstalled packages.

The default version of Airflow is changed to 2.10.5.

Airflow 2.10.2 is no longer included in Cloud Composer images and builds.

New Airflow builds are available in Cloud Composer 3:

  • composer-3-airflow-2.10.5-build.2 (default)
  • composer-3-airflow-2.9.3-build.22

New images are available in Cloud Composer 2:

  • composer-2.13.0-airflow-2.10.5 (default)
  • composer-2.13.0-airflow-2.10.2

Cloud Composer versions 2.7.0 and 2.7.1 have reached their end of support period.

Cloud Monitoring

Version 2.56.0 of the Ops Agent using the Prometheus receiver can fail to send metrics and report negative start times. To resolve this issue, downgrade to version 2.55.0. For more information, see Known issue: Ops Agent version 2.56.0 fails to send metrics.

Cloud SQL for PostgreSQL

You can migrate to AlloyDB for PostgreSQL using your Cloud SQL for PostgreSQL backup (GA). The Google Cloud CLI is also supported. For more information, see Migrate from Cloud SQL for PostgreSQL to AlloyDB.

Dataplex

Custom connectors for managed connectivity pipelines are available for a variety of third-party data sources. These connectors are contributed by the community. For more information, see Community-contributed custom connectors.

Dataproc

Dataproc on Compute Engine: The default enabling of the following cluster properties previously announced to occur on May 10, 2025 (see the February 10, 2025 release note) has been postponed to a future date. The future date will be announced in a release note at least one month in advance of the change. Until then, these diagnostic properties will continue to be set to false by default unless set to true by the user.

  • dataproc:diagnostic.capture.enabled
  • dataproc:dataproc.logging.extended.enabled
  • dataproc:dataproc.logging.syslog.enabled

Generative AI on Vertex AI

Gemini 2.0 Flash with image generation (gemini-2.0-flash-preview-image-generation) is now available as a public preview offering.

For more information, see Generate images with Gemini.

The seed parameter is now in GA and supports the Gemini 2.5 model family.

Google SecOps

We are moving service health updates for Google Cloud Security products from the Cloud Status Dashboard to a new security-specific status dashboard.

This dashboard displays service status and incident history for the following products:

  • Google SecOps
  • Google Threat Intelligence
  • Mandiant Advantage Threat Intelligence
  • Mandiant Attack Surface Management
  • Mandiant Digital Threat Monitoring
  • Mandiant Hunt
  • Mandiant Managed Defense
  • Mandiant Security Validation

Google SecOps SIEM

We are moving service health updates for Google Cloud Security products from the Cloud Status Dashboard to a new security-specific status dashboard.

This dashboard displays service status and incident history for the following products:

  • Google SecOps
  • Google Threat Intelligence
  • Mandiant Advantage Threat Intelligence
  • Mandiant Attack Surface Management
  • Mandiant Digital Threat Monitoring
  • Mandiant Hunt
  • Mandiant Managed Defense
  • Mandiant Security Validation

Identity and Access Management

Looker

The following features have been added to Studio in Looker, which is available in preview:

Migrate to Virtual Machines

Migrate to Virtual Machines now introduces an expiration time for a migrating VM. A migrating VM is a VM that you create during the migration process to migrate your workloads to Google Cloud.

A migrating VM stays active for 100 days from the time that the VM appears in the VM Migrations tab. After 100 days, the VM is moved to the EXPIRED state and stays in the EXPIRED state for 30 days. If you need more time to complete your migration, you can extend the lifespan of the migrating VM by an additional 100 days. You can only extend the lifespan of a migrating VM from two weeks before the VM expires until the end of the expiration period (between 86 and 130 days from the creation of the VM). If you don't extend the lifespan of the VM during this period, the VM expires.

Text-to-Speech

We just released three new voice features for Chirp 3: HD Voices. Pace control is available across all locales; pause control is available across all locales; custom pronunciations is available across all locales except bn-in, gu-in, nl-be, sw-ke, th-th, uk-ua, ur-in, and vi-vn. Be sure to check our Chirp 3: HD Voices documentation for more information.

Virtual Private Cloud

The following features of internal ranges are available in General Availability:

  • Reserving internal ranges with IPv6 addresses
  • Creating immutable ranges (ranges that can't be edited, except for the description)
  • Editable descriptions

For more information, see Internal ranges overview.

When you reserve an internal range with an automatically allocated IPv4 CIDR block, you can specify the allocation strategy that is used to select a free block. This feature is available in Preview.

May 06, 2025

Apigee UI

On May 6, 2025, we released a new Apigee REST resource for debug sessions.

Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status. This API is available for use, and is now used to populate all recent debug sessions in the Apigee Debug UI.

For more information on this method, see: organizations.apis.debugsessions.list

Apigee X

On May 6, 2025, we released a new Apigee REST resource for debug sessions.

Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status. This API is available for use, and is now used to populate all recent debug sessions in the Apigee Debug UI.

For more information on this method, see: organizations.apis.debugsessions.list

BigQuery

In the Google Cloud console, Analytics Hub has been renamed BigQuery sharing (Analytics Hub).

Cloud Asset Inventory

The following resource types are now publicly available through the Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Eventarc
    • eventarc.googleapis.com/Channel
    • eventarc.googleapis.com/ChannelConnection

Cloud Composer

The Deployment Manager API is no longer automatically enabled when you enable Cloud Composer API because this API isn't used by the Cloud Composer service.

Environments with Cloud Composer versions 2.0.* still rely on the Deployment Manager API for updates, upgrades, and environment deletion. It won't be possible to perform these operations if this API is disabled. We recommend upgrading your 2.0.* environments to a later version to remove this dependency.

Cloud Monitoring

When you create a snooze for a single alerting policy, you can now use resource, metric, and metadata label types to filter applicable incidents. For more information, see Create a snooze.

Cloud NAT

Private NAT supports Cloud Run in Preview. For more information, see Supported resources.

Cloud Run

Cloud Service Mesh

The following images are now rolling out for managed Cloud Service Mesh:

  • 1.21.5-asm.42 is rolling out to the rapid release channel.
  • 1.20.8-asm.33 is rolling out to the regular release channel.
  • 1.19.10-asm.33 is rolling out to the stable release channel.

A behavioral change regarding user-provided credentials (private key and certificate) for TLS termination at ingress is now rolling out to the Rapid release channel. Subsequent announcements will appear for additional release channels.

The Kubernetes Secrets denoted by Gateway.servers.port.tls.credentialName will be read by each ingress gateway pod directly instead of by the Control Plane. This change enhances security because the user-provided secret is read directly by the workloads instead of passing through any managed component.

This change is compatible with previous behavior aside from the propagation speed of the updated secrets. Previously, updated secrets would propagate immediately. Now, updated secrets will propagate within 60 minutes. If you need immediate secret rotation, restart the gateway pods.

Each gateway pod reads Kubernetes secrets, so the number of the gateway pods becomes a scalability factor. We recommend the following maximum number of gateway pods:

  • If the GKE cluster is regional, 1500 or fewer pods
  • If the GKE cluster is zonal or using autopilot, 500 or fewer pods

If this change in behavior doesn't work for you, consider using the deployment with mounted credentials.

This change only affects clusters using Traffic Director and version 1.21.5-asm.42 or later.

Container Optimized OS

cos-113-18244-382-8

Kernel | Docker | Containerd | GPU Drivers
COS-6.1.123 | v24.0.9 | v1.7.24 | See List

Upgraded sys-apps/grep to v3.12.

Upgraded net-dns/libidn2 to v2.3.8.

Upgraded sys-apps/makedumpfile to v1.7.7.

Fixed CVE-2025-32414, CVE-2025-32415 in dev-libs/libxml2.

Fixed CVE-2025-1178, CVE-2025-1182 and CVE-2025-1181 in sys-libs/binutils-libs.

Updated dev-go/protobuf to v1.33.0. This fixes CVE-2024-24786.

Updated dev-go/net to v0.39.0. This fixes CVE-2025-22870.

Updated NVIDIA GPU drivers to v535.247.01 for default/R535, v550.163.01 for R550 and v570.133.20 for latest/R570. This resolves CVE-2025-23244.

Added support for 7th generation TPU devices.

Gemini Code Assist

Prompt with folders in your local workspace (Preview)

You can now include folders from your local IDE project for IntelliJ Gemini Code Assist (version 1.14.0) to use as context for your prompts, in Preview. To specify a folder in your chat prompt, type @ and select the folder you want to specify.

Directing Code Assist to add folders to your chat can improve responses by specifying use of the contents within your selected folder(s), with support up to a 1M token context window.

Google Cloud Managed Service for Apache Kafka

General availability: Managed Service for Apache Kafka now supports configuring standard Apache Kafka ACLs using REST, gRPC, and gcloud CLI. For more information, see Access control with IAM and Kafka ACLs.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.32.0-gke.1087 is now available for download. To upgrade, see Upgrade a cluster. Google Distributed Cloud 1.32.0-gke.1087 runs on Kubernetes v1.32.3-gke.1000.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

Version changes in 1.32.0-gke.1087:

  • The etcd version upgraded to 3.4.33
  • COS upgraded to milestone 117
  • containerd upgraded to 1.7
  • Cilium upgraded to 1.15.6

Other changes in 1.32.0-gke.1087:

  • The following legacy features are blocked during cluster upgrade:

    • Dataplane V1 (Calico)
    • Integrated F5 Big IP load balancer configuration
    • Non-HA admin cluster
    • Kubeception user cluster
    • Seesaw load balancer

    You must migrate your clusters to recommended features before upgrading to 1.32.

  • The following changes to MetalLB address pools were made to behave the same as advanced clusters:

    • Can't remove existing address pools
    • Can't remove addresses in an existing address pool
    • Can't change address pool name
  • The cert-manager component is available on advanced clusters.

  • Allow changing stackdriver.projectID to be the same as gkeconnect.projectID.

  • Removed support in the Konnectivity server (konnectivity-server) for the following weak cryptographic cipher suites: TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256.

  • Windows Server OS node pools are deprecated in version 1.32 and will be unavailable in version 1.33 and higher. Support for Windows Server OS node pools ends May 25, 2026. We recommend that you begin migration planning immediately to ensure a smooth transition before the support period ends.

The following issues were fixed in 1.32.0-gke.1087:

  • Fixed an issue that prevented user cluster upgrades when Dataplane V2 was explicitly configured with forward mode.
  • Skip checking additional IP address requirements for HA admin cluster upgrade.

  • Fixed missing validators for HA admin cluster and Controlplane V2 user control plane.

  • Fixed an issue during non-HA to HA admin cluster migration that prevented the migration from completing.

  • Fixed an issue where the VM template wasn't updated when HA admin control-plane machines were recreated.

  • Fixed an issue where resource validation counted customer workloads and reported warnings when customers ran high resource request workloads.

The 1.32.0-gke.1087 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Distributed Cloud (software only) for bare metal

Release 1.32.0-gke.1087

Google Distributed Cloud for bare metal 1.32.0-gke.1087 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.32.0-gke.1087 runs on Kubernetes v1.32.3-gke.1000.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

Version 1.29 end of life: In accordance with the Version Support Policy, version 1.29 (all patch releases) of Google Distributed Cloud for bare metal has reached its end of life and is no longer supported.

  • GA: Added support for a new diagnosis utility for GKE Identity Service, which provides diagnostics information related to the login flow. This makes it easier to troubleshoot login and OIDC configuration issues. For more information, see GKE Identity Service diagnostic utility.

  • GA: For high availability control planes, Google Distributed Cloud automatically configures the Keepalived virtual router redundancy protocol (VRRP) configuration to make failover behaviour deterministic and prevent interleaving of ARP replies with different MAC addresses:

    • By default, each Keepalived instance is configured with a different priority value.
    • Each Keepalived instance is configured with nopreempt to avoid elections when a non-master instance is restarted.
  • GA: Added support for a new field, controlPlane.loadBalancer.keepalivedVRRPGARPMasterRepeat, in the cluster configuration file that maps to the vrrp_garp_master_repeat setting for Keepalived. This field specifies the number of gratuitous ARP (GARP) messages to send at a time after a control plane node transitions to the role of the master server. The default value is 5.

  • GA: Added a new controlPlane.loadBalancer.mode field for Layer 2 load balancing. This field lets you separate control plane load balancing from data plane load balancing:

    • At cluster creation, if you set controlPlane.loadBalancer.mode to bundled and loadBalancer.nodePoolSpec is configured, the control plane load balancer runs in the control plane node pool and the data plane load balancer runs in the load balancer node pool.
    • For an existing cluster where controlPlane.loadBalancer.mode isn't set and loadBalancer.nodePoolSpec isn't specified, both the control plane load balancer and the data plane load balancer run in the control plane node pool. You can migrate the data plane load balancer to a load balancer node pool by updating the cluster spec to specify a load balancer node pool (loadBalancer.nodePoolSpec) and to add controlPlane.loadBalancer.mode set to bundled.
  • Upgraded etcd to v3.4.33-0-gke.3.

  • Upgraded containerd to version 1.7.

  • Upgraded the SR-IOV operator, sriov-network-operator, to version 1.4.

  • Added Compress=yes to /etc/systemd/journald.conf to ensure that objects larger than 512 bytes are compressed before they are written to the file system.

  • Added new, default periodic health checks to ensure that Kubernetes cluster resources are configured correctly and functioning properly.

  • Added more namespaces to the default snapshot scenarios.

  • Added preflight check for kernel fsnotify settings for Red Hat Enterprise Linux (RHEL) 8.x.

  • Removed the leading timestamp from the bmctl version response. Temporarily, we've provided -t and --timestamps flags to revert to the old format.

  • Added a check for the FailedCgroupRemoval node condition to the node problem detector (NPD) to look for orphan container processes on nodes. By default, a new plugin for NPD automatically fixes this condition on the node.

  • Updated the cluster delete process to delete worker node pools prior to removing any control plane nodes. This change applies to supported cluster deletion flows, including bmctl, the Google Cloud CLI, and the Google Cloud console.

  • Updated the log entries in the backup.log file created by the bmctl backup command to improve readability.

  • Updated the cluster upgrade operation to keep only the three latest kubeadm backups of etcd and configuration information for a node. Previously, kubeadm kept node backups for every attempted upgrade.

  • Added the kubelet config, CPU Manager state, and Memory Manager state to node snapshots.

  • Fixed an issue that resulted in an excessive creation of periodic kube-proxy-cleanup jobs on cluster nodes with high pod utilization.

  • Fixed an issue that caused cluster creation to fail because kubelet restarted before required static pods are running.

  • Fixed an issue where node upgrades failed due to a missing super-admin.conf file.

  • Fixed an issue where the bmctl update cluster command fails for user clusters that were created with the cloudOperationsServiceAccountKeyPath setting in the header section of the cluster configuration file.

  • Fixed an issue where prompting during bmctl update cluster prevented use of automation. You can now use the --quiet flag to skip prompting.

  • Fixed an issue where node machines didn't update when the registry mirror hosts field was updated.

The 1.32.0-gke.1086 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Resource Manager

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataplex and data lineage resources. For more information, see Manage Dataplex resources using custom constraints and Manage data lineage resources using custom constraints. This feature is generally available (GA).

May 05, 2025

App Engine flexible environment PHP

Support for PHP 8.4 runtime is in Preview.

App Engine flexible environment Python

App Engine flexible environment Ruby

Support for Ruby 3.4 runtime is in Preview.

App Engine standard environment PHP

Support for PHP 8.4 runtime is in Preview.

App Engine standard environment Python

App Engine standard environment Ruby

Support for Ruby 3.4 runtime is in Preview.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigquery

8.0.0 (2025-04-23)

⚠ BREAKING CHANGES
  • migrate to node 18 (#1458)
Miscellaneous Chores

Changes that you make to your saved queries are now automatically saved. This feature is in preview.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigtable

6.0.0 (2025-04-22)

⚠ BREAKING CHANGES
  • Migrate to Node 18 (#1582)
Features
  • Add fields and the BackupType proto for Hot Backups (#1439) (433a8e3)
  • Add MergeToCell to Mutation APIs (433a8e3)
  • Add min, max, hll aggregators and more types (433a8e3)
  • Add plumbing PR for client side metrics to support the open telemetry instruments (#1569) (c37a451)
  • Add the MetricsCollector for client side metrics (#1566) (d475ef2)
  • Add the plumbing for application blocking latencies client side metrics (#1575) (967f440)
  • Bigtable authorized views requests on the Data plane (#1509) (da373b5)
  • Move the metrics handler fixture (#1570) (c97ebcc)
  • Publish ProtoRows Message (433a8e3)
  • Publish the Cloud Bigtable ExecuteQuery API (433a8e3)
  • Update Go Bigtable import path (433a8e3)
  • Update Go Datastore import path (433a8e3)
Bug Fixes
  • Address assertion error in TestReadRows_Retry_LastScannedRow conformance test (#1521) (0552638)
  • Check and mutate generic header conformance test (#1551) (7f1099a)
  • Conformance test sample rowkeys generic deadline (#1562) (2fdf98f)
  • Fix plumbing errors for client side metrics collection (#1583) (574c2f4)
  • Fix TestReadRows_Generic_CloseClient conformance test by passing grpc status codes for closed client errors (#1524) (8524174)
  • Fix paused scan test (#1539) (d009a8f)
  • Sample rowkey generic header conformance test (#1550) (6ef7671)
  • TestMutateRow_Generic_Headers (#1540) (f6176c1)
  • Update owlbot.py to exclude sync repo (#1549) (f1ad565)
  • Update sync-repo-settings.yaml to make owl bot optional (#1547) (d745412)
  • Use the universe domain if it is provided by the user (#1563) (d26ecb8)
Miscellaneous Chores

Java

Changes for google-cloud-bigtable

2.58.1 (2025-04-28)

Bug Fixes

2.58.0 (2025-04-28)

Features
  • Add deletion_protection support for LVs (43c97a3)
  • bigtable: Add integration tests for Materialized/Logical Views (#2518) (4d3a7e6)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.2 (43c97a3)
  • Fix retry info algorithm setting (#2562) (c424ccb)
  • Use universe domain when creating the monitoring client (#2570) (3b51e12)

Cloud CDN

Invalidation using cache tags is Generally Available.

Cloud CDN now also offers faster performance and higher rate limits for invalidation requests using all invalidation matchers. For more information, see Cache validation overview.

Cloud Composer

It is now possible to migrate from Cloud Composer 1 to Cloud Composer 3 using snapshots. For more information, see the new migration guide.

This feature will gradually roll out to all regions supported by Cloud Composer 3. At the moment it is available in the africa-south1, asia-south1, me-central1, me-central2, me-west1, southamerica-east1, and southamerica-west1 regions.

Cloud Run

Support for the Ruby 3.4 runtime is in Preview.

Support for the PHP 8.4 runtime is in Preview.

Cloud Run functions

Support for the Ruby 3.4 runtime is in Preview.

Support for the PHP 8.4 runtime is in Preview.

Cloud SQL for SQL Server

Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting. With AI-assisted troubleshooting, you can resolve complex database performance issues like slow queries and high load for your instances in a guided manner. To use AI-assisted troubleshooting, you need Gemini Cloud Assist and query insights for Enterprise Plus edition. AI-assisted troubleshooting is available in Preview.

Container Optimized OS

cos-117-18613-263-4

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.87 | v24.0.9 | v1.7.24 | See List

This is an LTS Refresh release.

Upgraded sys-apps/makedumpfile to v1.7.7.

Upgraded app-containers/docker-credential-helpers to v0.9.3.

Upgraded app-admin/google-guest-configs to v20250328.00.

Upgraded app-containers/cni-plugins to v1.6.2.

Upgraded dev-lang/go to v1.23.8.

Upgraded sys-apps/grep to v3.12.

Upgraded net-dns/libidn2 to v2.3.8.

Upgraded net-nds/rpcbind to v1.2.7.

Upgraded net-fs/cifs-utils to v7.3.

Upgraded sys-libs/talloc to v2.4.2.

Upgraded sys-apps/acl to v2.3.2-r2.

Upgraded sys-libs/libseccomp to v2.6.0-r2.

Upgraded dev-libs/expat to v2.7.1.

Upgraded dev-db/sqlite to v3.49.1.

Upgraded dev-libs/double-conversion to v3.3.1.

Upgraded app-arch/unzip to v6.0_p29.

Upgraded app-admin/sudo to v1.9.16_p2-r1.

Upgraded net-libs/libnetfilter_conntrack to v1.1.0.

Upgraded net-libs/libtirpc to v1.3.6.

Upgraded sys-apps/gentoo-functions to v1.7.3.

Upgraded sys-libs/libcap to v2.71.

Upgraded dev-libs/nss to v3.109.

Updated NVIDIA GPU drivers to v535.247.01 for default/R535, v550.163.01 for R550 and v570.133.20 for latest/R570. This resolves CVE-2025-23244.

Updated dev-go/net in policy manager to v0.39.0. This fixes CVE-2025-22870.

Fixed CVE-2025-32414, CVE-2025-32415 in dev-libs/libxml2.

Fixed CVE-2025-1178, CVE-2025-1182 and CVE-2025-1181 in sys-libs/binutils-libs.

Updated dev-vcs/git to version 2.49.0. This fixed CVE-2024-52006, CVE-2024-50349.

Fixed KCTF-342debc in the Linux kernel.

Fixed CVE-2025-22097 in the Linux kernel.

Fixed CVE-2025-22035 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811753 -> 811816

cos-109-17800-519-1

Kernel | Docker | Containerd | GPU Drivers
COS-6.1.135 | v24.0.9 | v1.7.24 | See List

This is an LTS Refresh release.

Upgraded sys-apps/makedumpfile to v1.7.7.

Upgraded app-containers/docker-credential-helpers to v0.9.2.

Upgraded app-admin/google-guest-configs to v20250221.00.

Upgraded sys-auth/pambase to v20250228.

Upgraded app-admin/google-guest-configs to v20250124.00.

Upgraded dev-lang/go to v1.21.13.

Upgraded sys-apps/grep to v3.12.

Upgraded net-dns/libidn2 to v2.3.8.

Upgraded net-nds/rpcbind to v1.2.7.

Upgraded net-fs/cifs-utils to v7.3.

Upgraded sys-libs/talloc to v2.4.2.

Upgraded net-firewall/iptables to v1.8.11-r1.

Upgraded app-arch/gzip to v1.13-r1.

Upgraded sys-apps/acl to v2.3.2-r2.

Upgraded dev-db/sqlite to v3.49.1.

Upgraded app-admin/sudo to v1.9.16_p2-r1.

Upgraded net-libs/libnetfilter_conntrack to v1.1.0.

Upgraded dev-libs/nss to v3.107.

Upgraded dev-python/configobj to v5.0.9.

Upgraded sys-libs/libcap to v2.71.

Upgraded net-libs/libtirpc to v1.3.6.

Upgraded dev-libs/expat to v2.6.4.

Updated dev-go/protobuf to v1.33.0. This fixes CVE-2024-24786.

Updated dev-go/net to v0.39.0. This fixes CVE-2025-22870.

Fixed CVE-2025-32414, CVE-2025-32415 in dev-libs/libxml2.

Fixed CVE-2025-1178, CVE-2025-1182 and CVE-2025-1181 in sys-libs/binutils-libs.

Fixed CVE-2025-32728 in net-misc/openssh.

Updated dev-vcs/git to version 2.49.0. This fixed CVE-2024-52006, CVE-2024-50349.

Fixed CVE-2025-22035 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812262 -> 812287

cos-dev-125-19025-0-0

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.88 | v27.5.1 | v2.0.4 | See List

Upgraded app-admin/google-guest-configs to v20250409.00.

Upgraded app-admin/google-guest-agent to v20250418.00.

Upgraded sys-apps/makedumpfile to v1.7.7.

Upgraded app-benchmarks/microbenchmarks to v0.0.1-r20.

Upgraded chromeos-base/minijail to v18-r167.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r664.

Upgraded chromeos-base/google-breakpad to v2025.04.09.155244-r236.

Upgraded chromeos-base/shill-client to v0.0.1-r4853.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2968.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2480.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2829.

Upgraded chromeos-base/debugd-client to v0.0.1-r2733.

Upgraded app-arch/gzip to v1.14.

Upgraded net-dns/libidn2 to v2.3.8.

Upgraded sys-apps/grep to v3.12.

Updated NVIDIA GPU drivers to v535.247.01 for default/R535 and v570.133.20 for latest/R570. This resolves CVE-2025-23244.

Fixed CVE-2025-32414, CVE-2025-32415 in dev-libs/libxml2.

Updated the Linux kernel to v6.6.88.


Runtime sysctl changes:

  • Changed: fs.file-max: 811785 -> 811773

cos-121-18867-90-15

Kernel | Docker | Containerd | GPU Drivers
COS-6.6.87 | v27.5.1 | v2.0.4 | See List

Upgraded sys-apps/makedumpfile to v1.7.7.

Upgraded sys-apps/grep to v3.12.

Upgraded net-dns/libidn2 to v2.3.8.

Updated NVIDIA GPU drivers to v535.247.01 for default/R535 and v570.133.20 for latest/R570. This resolves CVE-2025-23244.

Fixed CVE-2025-32414, CVE-2025-32415 in dev-libs/libxml2.

Fixed KCTF-342debc in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811806 -> 811788

Dataplex

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataplex and data lineage resources. For more information, see Manage Dataplex resources using custom constraints and Manage data lineage resources using custom constraints. This feature is generally available (GA).

Datastream

You can now use Private Service Connect interfaces as a private connectivity method in Datastream. For more information, see the documentation.

Document AI

Custom extractor model pretrained-foundation-model-v1.5-2025-04-25 powered by Gemini 2.5 Flash LLM is available as Public Preview in US regions. The custom extractor model supports a quota of up to 15 pages per minute for online process requests.

For more information about available models, see Custom extractor model versions.

Generative AI on Vertex AI

Google SecOps

New Light Theme

Google SecOps has introduced a new light theme option in the platform. The light theme includes a color palette for visual clarity.

Google SecOps SIEM

New Light Theme

Google SecOps has introduced a new light theme option in the platform. The light theme includes a color palette for visual clarity.

Identity and Access Management

A new enforcement version, enforcement version 3, is available for principal access boundary policies. To learn more about enforcement versions and see the permissions that enforcement version 3 can block, see Permissions that principal access boundary policies can block.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/pubsub

5.0.0 (2025-04-28)

⚠ BREAKING CHANGES
  • migrate to Node 18 (#2024)
  • remove (broken) legacy OTel support
  • remove legacy ack deadline options
  • move maxExtension into subscriber options
Miscellaneous Chores

Security Command Center

Web Security Scanner, a built-in service of Security Command Center, released new detectors. The following detectors, which are available with the Enterprise and Premium tiers of Security Command Center, detect misconfigurations in web applications:

  • HSTS_MISCONFIGURATION
  • CSP_MISSING
  • CSP_MISCONFIGURATION
  • COOP_MISSING
  • CLICKJACKING_PROTECTION_MISSING

For more information, see Web Security Scanner misconfiguration findings.

May 03, 2025

Google SecOps SOAR

Release 6.3.44 is being rolled out to the first phase of regions as listed here.

Light Theme Enhancements

We've improved the color palette for the light theme to enhance visual clarity.

May 02, 2025

Apigee X

On May 2, 2025, we released an updated version of Apigee (1-15-0-apigee-3).

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

  • The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

  • The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Bug ID | Description
391140293 | Resolved scaling issue resulting in 503 errors. Added drainDuration and updated the values for terminationDrainDuration and terminationGracePeriodSeconds.
391862684 | Resolved issue with requests stuck at Message Processor causing timeouts.
N/A | Updates to security infrastructure and libraries.

Apigee hybrid

hybrid v1.14.2

On May 2, 2025 we released an updated version of the Apigee hybrid software, 1.14.2.

Large message payload support in Apigee hybrid

Apigee now supports message payloads up to 30MB. For information see:

Starting with v1.14.2, third-party container images will be labeled with a version tag that matches the Apigee hybrid image tag. This affects the image tags returned by the apigee-pull-push command line tool. For more information, see:

Bug ID Description
399447688 API proxy deployment could become stuck in PROGRESSING state.
396571537 Rotating Cassandra credentials in Kubernetes secrets fixed for Multi-region deployments.
368155212 Auto Cassandra secret rotation could fail when Enhanced per-environment proxy limits are enabled.
384937220 Fixed ApigeeRoute name collision on internal chaining gateway for Enhanced Proxy Limits.
412324617 Fixed issue where Runtime container could spin at 100% cpu limit.
Bug ID Description
391923260 Security fixes for apigee-udca.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-fluent-bit.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-hybrid-cassandra.
This addresses the following vulnerability:
N/A Security fixes for apigee-hybrid-cassandra-client.
This addresses the following vulnerability:
N/A Security fixes for apigee-mint-task-scheduler.
This addresses the following vulnerability:
N/A Security fixes for apigee-open-telemetry-collector.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-operators.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-prometheus-adapter.
This addresses the following vulnerability:
N/A Security fixes for apigee-redis.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-stackdriver-logging-agent.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-watcher.
This addresses the following vulnerabilities:

Assured Workloads

The Sovereign Controls for Kingdom of Saudi Arabia control package now supports the following products. See Supported products by control package for more information:

  • Access Context Manager
  • Certificate Authority Service
  • Connect
  • GKE Hub
  • GKE Identity Service

The Sovereign Controls for EU control package now supports the following products. See Supported products by control package for more information:

  • Access Context Manager
  • Certificate Authority Service
  • Cloud Service Mesh
  • Connect
  • GKE Hub
  • Memorystore for Redis
  • Speech-to-Text

The ITAR control package now supports Service Directory.

Cloud Monitoring

The limit for the number of widgets on a custom dashboard has increased to 100, from 40. For information about dashboards, see the following:

Cloud SQL for MySQL

You can now set up custom DNS names by configuring the custom subject alternative name (SAN) for your instance. After you set up DNS name resolution, you can connect to your Cloud SQL instance using the custom DNS name instead of using an IP address. This feature is available only for instances that are configured with the customer-managed certificate authority (CA) (CUSTOMER_MANAGED_CAS_CA) option as their server CA mode.

Custom SAN configuration for instances is generally available (GA).

Cloud SQL for PostgreSQL

You can now set up custom DNS names by configuring the custom subject alternative name (SAN) for your instance. After you set up DNS name resolution, you can connect to your Cloud SQL instance using the custom DNS name instead of using an IP address. This feature is available only for instances that are configured with the customer-managed certificate authority (CA) (CUSTOMER_MANAGED_CAS_CA) option as their server CA mode.

Custom SAN configuration for instances is generally available (GA).

Cloud SQL for SQL Server

You can now set up custom DNS names by configuring the custom subject alternative name (SAN) for your instance. After you set up DNS name resolution, you can connect to your Cloud SQL instance using the custom DNS name instead of using an IP address. This feature is available only for instances that are configured with the customer-managed certificate authority (CA) (CUSTOMER_MANAGED_CAS_CA) option as their server CA mode.

Custom SAN configuration for instances is generally available (GA).

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.139-debian10, 2.0.139-rocky8, 2.0.139-ubuntu18
  • 2.1.87-debian11, 2.1.87-rocky8, 2.1.87-ubuntu20, 2.1.87-ubuntu20-arm
  • 2.2.55-debian12, 2.2.55-rocky9, 2.2.55-ubuntu22

Dataproc on Compute Engine: Upgraded NodeProblemDetector to a 0.8.20-based version for the 2.2 image.

Dataproc on Compute Engine: Upgraded oauth2l to v1.3.3 to address CVEs.

Dataproc on Compute Engine: Fixed an issue with Apache Hudi that caused failure in Hudi CLI.

Generative AI on Vertex AI

The global endpoint is generally available (GA). For details, see Global endpoint.

Google Kubernetes Engine

(2025-R17) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

  • Version 1.32.2-gke.1297002 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.30.10-gke.1070000
    • 1.30.10-gke.1102000
    • 1.31.6-gke.1064001
    • 1.31.6-gke.1099001
    • 1.32.2-gke.1182003
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.11-gke.1131000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.7-gke.1212000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1297002 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.11-gke.1131000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.7-gke.1212000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1297002 with this release.

Regular channel

Stable channel

  • Version 1.32.1-gke.1357001 is no longer available in the Stable channel.
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.

Extended channel

No channel

Google SecOps

Auto extraction of JSON logs

Google SecOps supports Auto Extraction of JSON logs. The auto extraction feature lets you use raw log fields directly in search, detection rules, and Native Dashboards, with or without a parser. Public preview for this feature begins the week of May 5, 2025.

Google SecOps SIEM

Auto extraction of JSON logs

Google SecOps supports Auto Extraction of JSON logs. The auto extraction feature lets you use raw log fields directly in search, detection rules, and Native Dashboards, with or without a parser. Public preview for this feature begins the week of May 5, 2025.

Storage Transfer Service

Cloud Logging for agent-based transfers now logs skipped files. A skipped file is logged when the file already exists in the sink, and your transfer job is configured to ignore existing files.

See Cloud Logging for Storage Transfer Service for details.

May 01, 2025

Anthos Config Management

The Config Sync auto-upgrades feature is now unavailable. You can no longer configure auto-upgrade settings and must manually upgrade the Config Sync version. If you currently use auto-upgrades, you must first disable auto-upgrades before you can manually update Config Sync.

Upgraded the OpenTelemetry Collector image from v0.103.0 to v0.118.0. This upgrade includes a breaking change: the default OTLP component endpoint is now localhost instead of 0.0.0.0. You are affected only if you use a customized configuration for the built-in OTel Collector within Config Sync; in that case, you can explicitly specify 0.0.0.0 for endpoints to ensure that your monitoring solution continues to function correctly. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.

The nomos vet command now supports a --threshold flag to proactively validate the number of objects in your Config Sync repository. You can use this flag in validation pipelines to prevent sync failures caused by exceeding the underlying etcd size limits when your repository contains a large number of objects. For more information, see Enforce the maximum number of objects to sync.

Deleting a RootSync or RepoSync now removes its management metadata from all managed objects. This allows objects to be adopted by their new managers, simplifying the procedure for splitting a large configuration repository across multiple RootSync or RepoSync objects. For more information, see Break up a repository into multiple repositories.

Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.

Fixed an issue impacting the Ignore object mutations feature. The client.lifecycle.config.k8s.io/mutation: ignore annotation was not always effective, causing Config Sync to potentially overwrite changes made directly to annotated resources in the cluster. Config Sync now correctly ignores mutations on these resources.

Fixed an issue preventing ResourceGroup objects from being garbage collected when their corresponding RootSync or RepoSync objects were deleted.

Fixed several issues to improve ResourceGroup status reporting and reliability.

Fixed an issue where drift prevention incorrectly blocked modifications of abandoned resources.

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud SQL for MySQL

Cloud SQL gives you the flexibility to choose between three CA hierarchy options when you create a Cloud SQL instance.

You can choose between the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA), the shared CA (GOOGLE_MANAGED_CAS_CA), or the customer-managed CA (CUSTOMER_MANAGED_CAS_CA) options as the server certificate authority (CA) mode for your instance. If you create an instance using the Google Cloud Console, then the shared CA option (GOOGLE_MANAGED_CAS_CA) is the default configuration. If you create an instance using gcloud, the Cloud SQL Admin REST API, or Terraform, then the per-instance CA option (GOOGLE_MANAGED_INTERNAL_CA) is the default configuration.

The shared CA and customer-managed CA options are now generally available (GA).

Cloud SQL for PostgreSQL

Cloud SQL gives you the flexibility to choose between three CA hierarchy options when you create a Cloud SQL instance.

You can choose between the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA), the shared CA (GOOGLE_MANAGED_CAS_CA), or the customer-managed CA (CUSTOMER_MANAGED_CAS_CA) options as the server certificate authority (CA) mode for your instance. If you create an instance using the Google Cloud Console, then the shared CA option (GOOGLE_MANAGED_CAS_CA) is the default configuration. If you create an instance using gcloud, the Cloud SQL Admin REST API, or Terraform, then the per-instance CA option (GOOGLE_MANAGED_INTERNAL_CA) is the default configuration.

The shared CA and customer-managed CA options are now generally available (GA).

Cloud SQL for SQL Server

Cloud SQL gives you the flexibility to choose between three CA hierarchy options when you create a Cloud SQL instance.

You can choose between the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA), the shared CA (GOOGLE_MANAGED_CAS_CA), or the customer-managed CA (CUSTOMER_MANAGED_CAS_CA) options as the server certificate authority (CA) mode for your instance. If you create an instance using the Google Cloud Console, then the shared CA option (GOOGLE_MANAGED_CAS_CA) is the default configuration. If you create an instance using gcloud, the Cloud SQL Admin REST API, or Terraform, then the per-instance CA option (GOOGLE_MANAGED_INTERNAL_CA) is the default configuration.

The shared CA and customer-managed CA options are now generally available (GA).

Config Connector

Config Connector version 1.131.0 is now available.

New Beta resources (direct reconciler)

New Alpha resources (direct reconciler)

  • ComputeNetworkAttachment
  • ComputeNetworkEdgeSecurityService
  • DataplexEntryGroup
  • DataplexEntryType
  • DataplexTask
  • DataplexZone
  • DatastreamRoute
  • DocumentAIVersion
  • GKEBackupBackup
  • GKEBackupRestore
  • PubSubSnapshot
  • SpeechCustomClass
  • VMwareEngineExternalAddress
  • MetastoreService
  • MetastoreFederation
  • MetastoreBackup
  • APIQuotaPreference
  • APIQuotaAdjusterSettings
  • EventarcGoogleChannelConfig
  • EventarcChannel
  • AssetSavedQuery
  • AssetFeed
  • EssentialContactsContact
  • DataCatalogEntryGroup
  • DataCatalogEntry
  • DataCatalogTagTemplate
  • DataCatalogTag

  • Fixed an issue: excessive compute.firewallPolicies.patchRule logs triggered by Config Connector direct reconciliation.

Dataproc

Native Query Execution now supports reading Apache ORC complex types.

Dialogflow

Dialogflow CX (Conversational Agents): Models gemini-2.0-flash-001 and gemini-2.0-flash-lite-001 are now GA. They are available in all supported regions.

This change applies to the following features:

  • Playbooks
  • Data store tools in playbooks
  • Generators

Google Cloud Architecture Center

Design an optimal storage strategy for your cloud workload: Added information about Filestore replication, Hyperdisk Balanced High Availability, Anywhere Cache, and capacity specifications for Google Cloud NetApp Volumes.

Sensitive Data Protection

On or after September 30, 2025, you can no longer send inspection and discovery results from Sensitive Data Protection to Data Catalog. Data Catalog is deprecated and will be discontinued on January 30, 2026. For Sensitive Data Protection, no action is required from you. No inspection or discovery configuration will break.

For discovery operations, we recommend that you add Dataplex Catalog aspects based on insights from data profiles instead.

You can automatically attach aspects to Dataplex entries after profiling supported data resources. For more information, see Add Dataplex Catalog aspects based on insights from data profiles.

Spanner

Spanner Graph now lets you model schemaless data with a dynamic label and properties. For more information, see Manage schemaless data with Spanner Graph.

April 30, 2025

Cloud Composer

Starting from 5 May, 2025, new Cloud Composer 3 environments will use 1 CPU and 4 GB of memory for the Airflow web server by default. The minimum and maximum values for these parameters will not change.

Cloud SQL for PostgreSQL

The rollout of the following extension versions and plugin versions is complete:

Extensions and plugins

  • pg_partman is upgraded from 5.0.1 to 5.2.4 (for PostgreSQL versions 14 and later).

To use this version of the extension, update your instance to [PostgreSQL version].R20250302.00_10.

If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.

For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Gemini Code Assist

You can now include folders from your local IDE project for IntelliJ Gemini Code Assist (version 1.14.0) to use as context for your prompts, in Preview.

Generative AI on Vertex AI

Google Cloud Architecture Center

Multi-regional deployment on Compute Engine: Technical updates to align design recommendations with Google Cloud Well-Architected Framework core principles.

Single-zone deployment on Compute Engine: Technical updates to align design recommendations with Google Cloud Well-Architected Framework core principles.

Spanner

A monthly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.79.0 (2025-04-08)

Features

0.1.0 (2025-04-15)

Bug Fixes
  • spanner/benchmarks: Update google.golang.org/api to 0.229.0 (3319672)

1.80.0 (2025-04-23)

Features
Bug Fixes
  • spanner/benchmarks: Update google.golang.org/api to 0.229.0 (3319672)
  • spanner/test/opentelemetry/test: Update google.golang.org/api to 0.229.0 (3319672)
  • spanner: Retry INTERNAL retriable auth error (#12034) (65c7461)
  • spanner: Update google.golang.org/api to 0.229.0 (3319672)
Performance Improvements
  • spanner: Skip gRPC trailers for StreamingRead & ExecuteStreamingSql (#11854) (10dc8b7)

Java

Changes for google-cloud-spanner

6.90.0 (2025-03-31)

Features
  • Add default_isolation_level connection property (#3702) (9472d23)
  • Adds support for Interval datatype in Java client (#3416) (8be8f5e)
  • Integration test for End to End tracing (#3691) (bf1a07a)
  • Specify isolation level per transaction (#3704) (868f30f)
  • Support PostgreSQL isolation level statements (#3706) (dda2e1d)

6.91.0 (2025-04-17)

Features
  • [Internal] open telemetry built in metrics for GRPC (#3709) (cd76c73)
  • Add java sample for the pre-splitting feature (#3713) (e97b92e)
  • Add TransactionMutationLimitExceededException as cause to SpannerBatchUpdateException (#3723) (4cf5261)
  • Built in metrics for afe latency and connectivity error (#3724) (e13a2f9)
  • Support unnamed parameters (#3820) (1afd815)
Bug Fixes
  • Add default implementations for Interval methods in AbstractStructReader (#3722) (97f4544)
  • Set transaction isolation level had no effect (#3718) (b382999)
Performance Improvements
  • Cache the key used for OTEL traces and metrics (#3814) (c5a2045)
  • Optimize parsing in Connection API (#3800) (a2780ed)
  • Qualify statements without removing comments (#3810) (d358cb9)
  • Remove all calls to getSqlWithoutComments (#3822) (0e1e14c)

6.91.1 (2025-04-21)

Bug Fixes
  • SkipHint in the internal parser skipped too much (#3827) (fbf7b4c)

Node.js

Changes for @google-cloud/spanner

7.20.0 (2025-04-11)

Features
  • Add support for Interval (#2192) (8c886cb)
  • debugging: Implement x-goog-spanner-request-id propagation per request (#2205) (e42caea)
  • spanner: Add support for snapshot isolation (#2245) (b60a683)
  • spanner: Support for Multiplexed Session Partitioned Ops (#2252) (e7ce471)

7.21.0 (2025-04-15)

Features
Bug Fixes
  • Adding span attributes for request tag and transaction tag (#2236) (3f69dad)

The enhance_query option on the SEARCH, SCORE, and SNIPPET functions now provides automatic synonym matching and spell correction of single words by default. Previously, a single word provided as the search string would likely not return any matches, and a phrase with context was required to perform the enhanced search.

Virtual Private Cloud

If you're a service producer that makes a service available through VPC Network Peering, you can migrate your service to Private Service Connect without changing the IPv4 address that consumers use to access the service. This feature is available in General Availability.

April 29, 2025

Apigee API hub

On April 29, 2025, we released an updated version of Apigee.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

Contact Google Cloud Support for questions or assistance.

Apigee X

On April 29, 2025, we released an updated version of Apigee.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

Contact Google Cloud Support for questions or assistance.

Bigtable

Similarity vector search in Bigtable by finding the K-nearest neighbors is generally available (GA).

The MCP Toolbox for Databases includes a Bigtable connector. This feature is available in Preview.

Cloud Billing

Find and eliminate waste using FinOps hub 2.0 with Gemini Cloud Assist (preview)

FinOps hub 2.0 adds a new dashboard, Utilization insights, designed to help you quickly identify and reduce cloud waste to get the most value from Google Cloud. You can do the following with FinOps hub's Utilization insights dashboard:

  • Assess estimated costs from underutilized resources (for example, idle, overprovisioned, underprovisioned and suboptimal configurations).
  • Use the visual Waste map to find the top waste drivers by projects and waste category, helping you focus your optimization efforts.
  • Leverage data-driven recommendations to optimize key services (Compute Engine, Kubernetes Engine (GKE), Cloud SQL, and Cloud Run) and App Hub applications.

Use Gemini Cloud Assist in FinOps hub to save time and simplify collaboration. If you have enabled Gemini Cloud Assist in Billing, Gemini generates summaries of top wasted usage insights and drafts email reports of utilization insights that you can share with your engineering teams for quicker remediation.

For more information about the FinOps hub Utilization insights dashboard, see:

For more information about Gemini Cloud Assist features in FinOps hub, see:

App Hub applications are now integrated with billing reports and the FinOps hub, to let you analyze costs by application. This integration provides detailed cost analysis for your specific applications, so FinOps and DevOps can see the cost of their applications and get recommendations on how to optimize their cloud efficiency.

Cloud Composer

A script for migrating from Cloud Composer 2 to Cloud Composer 3 is now available on GitHub.

For instructions about migrating with the script, see the new migration guide in Cloud Composer documentation.

Cloud Load Balancing

All Application and Proxy Network Load Balancers now support deployments where the load balancer frontend and the load balancer backend use different VPC networks. This is supported without the use of a Shared VPC deployment.

For regional and cross-region load balancers, connectivity between the load balancer's VPC network and the backend VPC network must be configured using either VPC Network Peering, Cloud VPN tunnels, Cloud Interconnect VLAN attachments, or a Network Connectivity Center framework.

For global and classic load balancers, the different VPC networks don't need to be connected using VPC Network Peering because GFEs communicate directly with backends in their respective VPC networks.

For more details, see the following pages:

Colab Enterprise

Gemini in Colab Enterprise, which is a product in the Gemini for Google Cloud portfolio, now includes additional capabilities in Preview. See the following:

To enable and activate Gemini in Colab Enterprise features, see Set up Gemini in Colab Enterprise.

Container Optimized OS

cos-113-18244-382-3

Kernel       Docker   Containerd  GPU Drivers
COS-6.1.134  v24.0.9  v1.7.24     See List

This is an LTS Refresh Release.

Upgraded app-admin/google-guest-configs to v20250221.00.

Upgraded sys-auth/pambase to v20250228.

Upgraded app-containers/docker-credential-helpers to v0.9.2.

Upgraded app-admin/google-guest-configs to v20250124.00.

Upgraded dev-lang/go to v1.21.13.

Upgraded app-arch/unzip to v6.0_p29.

Upgraded net-nds/rpcbind to v1.2.7.

Upgraded net-fs/cifs-utils to v7.3.

Upgraded sys-libs/talloc to v2.4.2.

Upgraded dev-libs/double-conversion to v3.3.1.

Upgraded dev-db/sqlite to v3.49.1.

Upgraded sys-apps/acl to v2.3.2-r2.

Upgraded dev-libs/expat to v2.6.4.

Upgraded sys-process/procps to v4.0.4-r2.

Upgraded net-libs/libnetfilter_conntrack to v1.1.0.

Upgraded dev-libs/nss to v3.107.

Upgraded app-admin/sudo to v1.9.16_p2-r1.

Upgraded net-libs/libtirpc to v1.3.6.

Upgraded sys-libs/libcap to v2.71.

Fixed CVE-2025-32728 in net-misc/openssh.

Updated dev-vcs/git to version 2.49.0. This fixed CVE-2024-52006 and CVE-2024-50349.

Runtime sysctl changes:

  • Changed: fs.file-max: 812031 -> 812035

cos-121-18867-90-4

Kernel      Docker   Containerd  GPU Drivers
COS-6.6.87  v27.5.1  v2.0.4      See List

This is an LTS Refresh Release.

Fixed an issue in containerd that potentially breaks metric collection.

Fixed an issue in containerd that prevented some v2 shims from shutting down properly.

Upgraded sys-auth/pambase to v20250228.

Upgraded app-containers/docker-credential-helpers to v0.9.2.

Upgraded app-admin/google-guest-agent to v20250304.03.

Upgraded app-admin/google-guest-configs to v20250221.00.

Upgraded app-admin/google-guest-configs to v20250124.00.

Upgraded app-containers/docker-registry-test to v2.8.3.

Upgraded dev-lang/go to v1.23.8.

Upgraded dev-db/sqlite to v3.49.1.

Upgraded sys-apps/acl to v2.3.2-r2.

Upgraded dev-libs/double-conversion to v3.3.1.

Upgraded sys-libs/libseccomp to v2.6.0.

Updated dev-go/net in policy manager to v0.39.0. This fixes CVE-2025-22870.

Fixed CVE-2025-32728 in net-misc/openssh.

Updated dev-vcs/git to version 2.49.0. This fixed CVE-2024-52006 and CVE-2024-50349.

Runtime sysctl changes:

  • Changed: fs.file-max: 811714 -> 811806

cos-dev-125-19014-0-0

Kernel      Docker   Containerd  GPU Drivers
COS-6.6.87  v27.5.1  v2.0.4      See List

Patched a null pointer exception bug in the NVIDIA 570.124.06 OSS driver.

Fixed an issue in containerd that potentially breaks metric collection.

Fixed an issue in containerd that prevented some v2 shims from shutting down properly.

Updated dev-go/net in policy manager to v0.39.0. This fixes CVE-2025-22870.

Fixed CVE-2025-32728 in net-misc/openssh.

Fixed CVE-2025-31498 in net-dns/c-ares.

Runtime sysctl changes:

  • Changed: fs.file-max: 811798 -> 811785

cos-117-18613-164-124

Kernel      Docker   Containerd  GPU Drivers
COS-6.6.72  v24.0.9  v1.7.24     See List

Fixed CVE-2025-32728 in net-misc/openssh.

Runtime sysctl changes:

  • Changed: fs.file-max: 811760 -> 811753

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.138-debian10, 2.0.138-rocky8, 2.0.138-ubuntu18
  • 2.1.86-debian11, 2.1.86-rocky8, 2.1.86-ubuntu20, 2.1.86-ubuntu20-arm
  • 2.2.54-debian12, 2.2.54-rocky9, 2.2.54-ubuntu22

Dataproc on Compute Engine: Fixed Job ID retrieval in Dataproc job logs for clusters created with 2.0 and 2.1 image versions by ignoring the timestamp prefix.

Dataproc on Compute Engine: Added a temporary object hold on the spark-job-history folder in Cloud Storage to prevent deletion by Cloud Storage lifecycle management.

Gemini Code Assist

VS Code Gemini Code Assist (version 2.32.0) now supports creation and management of multiple chats.

VS Code Gemini Code Assist (version 2.32.0) now supports streamlined multi-part chat code suggestions. You have the option to accept a single code change or all suggested changes.

You can now specify and apply rules to each chat request with VS Code Gemini Code Assist (version 2.32.0).

Generative AI on Vertex AI

Gemini 1.5 Pro and Gemini 1.5 Flash models are not available in projects that have no prior usage of these models, including new projects. For details, see Model versions and lifecycle.

Google Cloud Contact Center as a Service

Advanced reporting dashboards are released for GA

Advanced reporting dashboards can help you gain insights into the performance of your contact center. You can create new custom dashboards based on tiles from other dashboards and use powerful editing capabilities to customize dashboards to suit your business needs. Advanced reporting dashboards are released for General Availability. For more information, see Advanced reporting dashboards.

Looker

For dialects that support period-over-period measures, Looker developers can create a measure of type: period_over_period to enable period-over-period analysis in the corresponding Looker Explores. See Period-over-period measures in Looker for more information.

For Looker connections with Google BigQuery, Looker admins can now specify a Temp Project that is used to write PDTs to your database and a PDT Override Billing Project ID that is used for billing for PDT build and maintenance queries.

In addition to automated 24-hour backups, Looker (Google Cloud core) now supports customer-initiated backups and self-service restore.

Network Connectivity Center

IPv4 address range filtering for VPC spokes is available in public preview.

This feature lets you change the IPv4 address ranges for VPC spokes that are specified to be exported to the hub.

VPC Service Controls

Preview stage support for the following integration:

April 28, 2025

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigquery

2.49.1 (2025-04-24)

Bug Fixes
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.0 (#3753) (a335927)
  • Update netty.version to v4.2.0.final (#3745) (bb811c0)

2.49.2 (2025-04-26)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2 (#3756) (907e39f)

When you translate SQL queries from your source database, you can use configuration YAML files to optimize and improve the performance of your translated SQL. This feature is generally available (GA).

Dataplex automatic discovery in BigQuery scans your data in Cloud Storage buckets to extract and catalog metadata, creating BigLake, external, or object tables for analytics and AI for insights, security, and governance. This feature is generally available (GA).

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Security Command Center
    • securitycenter.googleapis.com/BigQueryExport
    • securitycenter.googleapis.com/ContainerThreatDetectionSettings
    • securitycenter.googleapis.com/EventThreatDetectionSettings
    • securitycenter.googleapis.com/MuteConfig
    • securitycenter.googleapis.com/NotificationConfig
    • securitycenter.googleapis.com/ResourceValueConfig
    • securitycenter.googleapis.com/SecurityHealthAnalyticsSettings
    • securitycenter.googleapis.com/VirtualMachineThreatDetectionSettings
    • securitycenter.googleapis.com/WebSecurityScannerSettings
  • Oracle Database@Google Cloud
    • oracledatabase.googleapis.com/AutonomousDatabase
    • oracledatabase.googleapis.com/CloudExadataInfrastructure
    • oracledatabase.googleapis.com/CloudVmCluster

Cloud DNS

Using a fully qualified domain name (FQDN) forwarding target is available for outbound DNS forwarding in Preview.

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.22.2 (2025-04-25)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2 (#1796) (1f88271)

3.22.1 (2025-04-25)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.2 (7cce5b5)

Python

Changes for google-cloud-logging

3.12.1 (2025-04-21)

Bug Fixes
  • Make logging handler close conditional to having the transport opened (#990) (66c6b91)

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for storage/internal/apiv2

1.52.0 (2025-04-22)

Features
  • storage/control: Add Anywhere cache control APIs (#11807) (12bfa98)
  • storage: Add CurrentState function to determine state of stream in MRD (#11688) (14e8e13)
  • storage: Add OwnerEntity to bucketAttrs (#11857) (4cd4a0c)
  • storage: Takeover appendable object (#11977) (513b937)
  • storage: Unfinalized appendable objects. (#11647) (52c0218)
Bug Fixes
  • storage: Fix Attrs for append takeover (#11989) (6db35b1)
  • storage: Fix panic when Flush called early (#11934) (7d0b8a7)
  • storage: Fix unfinalized write size (#12016) (6217f8f)
  • storage: Force first message on next sendBuffer when nothing sent on current (#11871) (a1a2292)
  • storage: Populate Writer.Attrs after Flush() (#12021) (8e56f74)
  • storage: Remove check for FinalizeOnClose (#11992) (2664b8c)
  • storage: Wrap read response parsing errors (#11951) (d2e6583)

Java

Changes for google-cloud-storage

2.51.0 (2025-04-23)

Features
  • Add @BetaApi Storage#blobAppendableUpload for gRPC Transport (#3020) (62b6248)
  • Add @BetaApi Storage#blobReadSession for gRPC Transport (#3020) (62b6248)
  • Implement improved retry context information (#3020) (62b6248)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.0 (8f9f5ec)
  • Ensure object generation is sent for Storage#update(BlobInfo) using HTTP Transport (#3006) (2a3e0e7), closes #2980
  • Update 416 handling for ReadChannel (#3018) (4a9c3e4)
  • Update gRPC Bidi resumable upload to have more robust error message generation (#2998) (79b5d85)
  • Update gRPC implementation for storage.buckets.get to translate NOT_FOUND to null (#3005) (704af65)
Dependencies
  • Remove explicit version declarations for packages that are in shared-dependencies (#3014) (61cdb30)
  • Update dependency com.google.apis:google-api-services-storage to v1-rev20250312-2.0.0 (#3000) (78fc076)
  • Update dependency com.google.cloud.opentelemetry:exporter-trace to v0.34.0 (#2938) (ff6f696)
  • Update sdk-platform-java dependencies (#3046) (861f958)
  • Update sdk-platform-java dependencies (#3053) (921d1ba)

Compute Engine

Public preview: A resize request in a managed instance group (MIG) lets you specify the names of the VMs to create all at once. This feature helps if your orchestration mechanism or workload requires specific VM naming. For more information, see About resize requests in a MIG.

Generally available: The Memory-optimized machine family has added two new M4 machine types:

  • m4-megamem-28
  • m4-ultramem-224

The m4-megamem-28 offers 28 vCPUs with 372 GB of memory. The m4-ultramem-224 offers 224 vCPUs with 5,952 GB of memory.

Contact Center AI Insights

Quality AI offers the following conversation filters:

  • CSAT
  • Sentiment score
  • Silence duration

Dataplex

Dataplex automatic discovery scans your data in Cloud Storage buckets to extract and catalog metadata, creating BigLake, external, or object tables for analytics and AI for insights, security, and governance. This feature is generally available (GA).

Filestore

Custom performance is now generally available for Filestore instances.

Google Cloud Architecture Center

AI and ML perspective: Operational excellence: Major update to expand the operational excellence recommendations in the AI and ML perspective.

Google Kubernetes Engine

(2025-R16) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.29.14-gke.1067000
    • 1.29.14-gke.1086000
    • 1.29.15-gke.1170000
    • 1.30.11-gke.1131000
    • 1.31.7-gke.1013002
    • 1.31.7-gke.1212000
    • 1.32.3-gke.1717000

Regular channel

  • The following versions are no longer available in the Regular channel:
    • 1.29.14-gke.1018000
    • 1.29.14-gke.1067000

Stable channel

  • Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.29.13-gke.1038000
    • 1.29.13-gke.1169000

Extended channel

  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.27.16-gke.2595000
    • 1.27.16-gke.2664000
    • 1.28.15-gke.2027000
    • 1.28.15-gke.2121000
    • 1.29.14-gke.1018000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.28.15-gke.2072000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2633000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2072000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.14-gke.1067000 with this release.

No channel

Google SecOps

Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so changes may take one to four days to appear in your region.

The following supported default parsers have been updated. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.

  • 1Password Audit Events (ONEPASSWORD_AUDIT_EVENTS)
  • AIX system (AIX_SYSTEM)
  • Akamai DataStream 2 (AKAMAI_DATASTREAM_2)
  • Alveo Risk Data Management (ALVEO_RDM)
  • Amazon API Gateway (AWS_API_GATEWAY)
  • Apache Tomcat (TOMCAT)
  • Appian Cloud (APPIAN_CLOUD)
  • Arcsight CEF (ARCSIGHT_CEF)
  • Asset Panda (ASSET_PANDA)
  • Aware Audit (AWARE_AUDIT)
  • Aware Signals (AWARE_SIGNALS)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS ECS Metrics (AWS_ECS_METRICS)
  • AWS Elastic Load Balancer (AWS_ELB)
  • AWS GuardDuty (GUARDDUTY)
  • AWS Inspector (AWS_INSPECTOR)
  • AWS Lambda Function (AWS_LAMBDA_FUNCTION)
  • AWS RDS (AWS_RDS)
  • AWS Redshift (AWS_REDSHIFT)
  • AWS Route 53 DNS (AWS_ROUTE_53)
  • AWS Security Hub (AWS_SECURITY_HUB)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • AWS WAF (AWS_WAF)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Azure Application Gateway (AZURE_GATEWAY)
  • Azure Firewall (AZURE_FIREWALL)
  • Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
  • Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
  • Barracuda WAF (BARRACUDA_WAF)
  • BeyondTrust BeyondInsight (BEYONDTRUST_BEYONDINSIGHT)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Broadcom Support Portal Audit Logs (BROADCOM_SUPPORT_PORTAL)
  • Cato Networks (CATO_NETWORKS)
  • Cequence Bot Defense (CEQUENCE_BOT_DEFENSE)
  • Check Point (CHECKPOINT_FIREWALL)
  • ChromeOS XDR (CHROMEOS_XDR)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco EStreamer (CISCO_ESTREAMER)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
  • Cisco Internetwork Operating System (CISCO_IOS)
  • Cisco IronPort (CISCO_IRONPORT)
  • Cisco ISE (CISCO_ISE)
  • Cisco NX-OS (CISCO_NX_OS)
  • Cisco Switch (CISCO_SWITCH)
  • Cisco Umbrella Cloud Firewall (UMBRELLA_FIREWALL)
  • Cisco vManage SD-WAN (CISCO_SDWAN)
  • Cisco VPN (CISCO_VPN)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Citrix Storefront (CITRIX_STOREFRONT)
  • Claroty Xdome (CLAROTY_XDOME)
  • Cloud Audit Logs (N/A)
  • Cloud Data Loss Prevention (N/A)
  • Cloudflare Network Analytics (CLOUDFLARE_NETWORK_ANALYTICS)
  • Cloudflare WAF (CLOUDFLARE_WAF)
  • Cloudflare Warp (CLOUDFLARE_WARP)
  • CommVault (COMMVAULT)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CrowdStrike Falcon (CS_EDR)
  • CrowdStrike Falcon Stream (CS_STREAM)
  • CrowdStrike Identity Protection Services (CS_IDP)
  • CrushFTP (CRUSHFTP)
  • Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
  • CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
  • Cybereason EDR (CYBEREASON_EDR)
  • Cyolo Secure Remote Access for OT (CYOLO_OT)
  • Datadog (DATADOG)
  • Delinea Secret Server (DELINEA_SECRET_SERVER)
  • Dell CyberSense (DELL_CYBERSENSE)
  • Digicert (DIGICERT)
  • Edgio WAF (EDGIO_WAF)
  • Elastic Packet Beats (ELASTIC_PACKETBEATS)
  • F5 ASM (F5_ASM)
  • F5 DNS (F5_DNS)
  • Forcepoint DLP (FORCEPOINT_DLP)
  • Forcepoint NGFW (FORCEPOINT_FIREWALL)
  • Forgerock OpenIdM (FORGEROCK_OPENIDM)
  • FortiGate (FORTINET_FIREWALL)
  • Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
  • Fortinet Fortimanager (FORTINET_FORTIMANAGER)
  • Fortinet Web Application Firewall (FORTINET_FORTIWEB)
  • GitHub (GITHUB)
  • Gitlab (GITLAB)
  • Harness IO (HARNESS_IO)
  • Hashicorp Vault (HASHICORP)
  • Hillstone Firewall (HILLSTONE_NGFW)
  • Huawei Switches (HUAWEI_SWITCH)
  • IBM Guardium (GUARDIUM)
  • Imperva Database (IMPERVA_DB)
  • Intel Endpoint Management Assistant (INTEL_EMA)
  • JAMF Security Cloud (JAMF_SECURITY_CLOUD)
  • JFrog Artifactory (JFROG_ARTIFACTORY)
  • JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
  • Juniper (JUNIPER_FIREWALL)
  • Kaspersky AV (KASPERSKY_AV)
  • Kaspersky Endpoint (KASPERSKY_ENDPOINT)
  • Kolide Endpoint Security (KOLIDE)
  • Kubernetes Audit (KUBERNETES_AUDIT)
  • Layer7 SiteMinder (SITEMINDER_SSO)
  • Linux Auditing System (AuditD) (AUDITD)
  • Looker Audit (LOOKER_AUDIT)
  • ManageEngine ADAudit Plus (ADAUDIT_PLUS)
  • ManageEngine ADManager Plus (ADMANAGER_PLUS)
  • McAfee Web Gateway (MCAFEE_WEBPROXY)
  • Metabase (METABASE)
  • Microsoft AD FS (ADFS)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
  • Microsoft CyberX (CYBERX)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
  • Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
  • Microsoft IIS (IIS)
  • Microsoft PowerShell (POWERSHELL)
  • Microsoft Sentinel (MICROSOFT_SENTINEL)
  • Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
  • Mikrotik Router (MIKROTIK_ROUTER)
  • Mimecast (MIMECAST_MAIL)
  • MISP Threat Intelligence (MISP_IOC)
  • NetIQ eDirectory (NETIQ_EDIRECTORY)
  • Netskope V2 (NETSKOPE_ALERT_V2)
  • Nozomi Networks Scada Guardian (NOZOMI_GUARDIAN)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Okta User Context (OKTA_USER_CONTEXT)
  • One Identity Identity Manager (ONE_IDENTITY_IDENTITY_MANAGER)
  • Oort Security Tool (OORT)
  • Open Cybersecurity Schema Framework (OCSF) (OCSF)
  • Open LDAP (OPENLDAP)
  • Opnsense (OPNSENSE)
  • Ops Genie (OPS_GENIE)
  • Oracle (ORACLE_DB)
  • Oracle Cloud Guard (OCI_CLOUDGUARD)
  • Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
  • Orca Cloud Security Platform (ORCA)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Panorama (PAN_PANORAMA)
  • Palo Alto Prisma Access (PAN_CASB)
  • Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
  • Pharos (PHAROS)
  • Privacy-I (PRIVACY_I)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • Proofpoint Tap Alerts (PROOFPOINT_MAIL)
  • Proofpoint Threat Response (PROOFPOINT_TRAP)
  • Radware Web Application Firewall (RADWARE_FIREWALL)
  • ReviveSec (REVIVESEC)
  • Rubrik (RUBRIK)
  • Salesforce (SALESFORCE)
  • Sangfor Proxy (SANGFOR_PROXY)
  • Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
  • Security Command Center Threat (N/A)
  • Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Snare System Diagnostic Logs (SNARE_SOLUTIONS)
  • Snipe-IT (SNIPE_IT)
  • Snyk Group level audit/issues logs (SNYK_ISSUES)
  • SonicWall (SONIC_FIREWALL)
  • Sophos Central (SOPHOS_CENTRAL)
  • Swimlane Platform (SWIMLANE)
  • Symantec DLP (SYMANTEC_DLP)
  • Symantec Event export (SYMANTEC_EVENT_EXPORT)
  • Symantec Web Security Service (SYMANTEC_WSS)
  • Tanium Question (TANIUM_QUESTION)
  • Tanium Threat Response (TANIUM_THREAT_RESPONSE)
  • Teleport Access Plane (TELEPORT_ACCESS_PLANE)
  • Tenable Active Directory Security (TENABLE_ADS)
  • Tenable CSPM (TENABLE_CSPM)
  • tenable.io (TENABLE_IO)
  • Terraform Enterprise Audit (TERRAFORM_ENTERPRISE)
  • Thinkst Canary (THINKST_CANARY)
  • ThreatX WAF (THREATX_WAF)
  • Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
  • Trend Micro Vision One (TRENDMICRO_VISION_ONE)
  • TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
  • TXOne Stellar (TRENDMICRO_STELLAR)
  • UKG (UKG)
  • Unix system (NIX_SYSTEM)
  • UPX AntiDDoS (UPX_ANTIDDOS)
  • VanDyke SFTP (VANDYKE_SFTP)
  • Varonis (VARONIS)
  • Vectra Alerts (VECTRA_ALERTS)
  • Vectra Stream (VECTRA_STREAM)
  • VMware AirWatch (AIRWATCH)
  • Vmware Avinetworks iWAF (VMWARE_AVINETWORKS_IWAF)
  • VMware ESXi (VMWARE_ESX)
  • VMware Horizon (VMWARE_HORIZON)
  • Watchguard EDR (WATCHGUARD_EDR)
  • Windows Defender AV (WINDOWS_DEFENDER_AV)
  • Windows DHCP (WINDOWS_DHCP)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • Windows Sysmon (WINDOWS_SYSMON)
  • Workday Audit Logs (WORKDAY_AUDIT)
  • Workday User Activity (WORKDAY_USER_ACTIVITY)
  • WPEngine (WPENGINE)
  • Zimperium (ZIMPERIUM)
  • Zscaler (ZSCALER_WEBPROXY)
  • ZScaler DNS (ZSCALER_DNS)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
  • ZScaler NGFW (ZSCALER_FIREWALL)

The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.

  • Accenture Synthetic (ACCENTURE_SYNTHETIC)
  • Adyen Platform (ADYEN)
  • AliCloud ActionTrail (ALICLOUD_ACTIONTRAIL)
  • Apache LOG4J Java Application Log (LOG4J)
  • AppSmith Audit (APPSMITH_AUDIT)
  • Arctic Security Arctic Node (ARCTIC_NODE)
  • Arista CorvilNet DANZ Integration (ARISTA_CORVILNET)
  • Arista Extensible Operating System (ARISTA_EOS)
  • AvePoint EnPower (AVEPOINT_ENPOWER)
  • Avigilon Alta Cloud Security (AVIGILON_ALTA_CLOUD_SECURITY)
  • Avigilon Ava Security Camera (AVIGILON_AVA_SECURITY_CAMERA)
  • AWS Dasha (AWS_DASHA)
  • AWS Elastic Kubernetes Service (AWS_EKS)
  • Azure Network Security Group Event (AZURE_NSG_EVENT)
  • Azure Windows Virtual Desktop Connections Logs (AZURE_WVD_CONNECTIONS)
  • Azure Windows Virtual Desktop Management Logs (AZURE_WVD_MANAGEMENT)
  • Barracuda Load Balancer ADC (BARRACUDA_LOAD_BALANCER)
  • Broadcom Edge Secure Web Gateway (BROADCOM_EDGE_SWG)
  • Celonis Audit Logs (CELONIS)
  • Chopin PrePay Solutions (CHOPIN_PPS)
  • Cisco Duo Authentication Proxy (DUO_AUTH_PROXY)
  • Cloudflare CASB Findings (CLOUDFLARE_CASB_FINDINGS)
  • Cloudflare Device posture results (CLOUDFLARE_DEVICE_POSTURE_RESULTS)
  • Cloudflare DLP Forensic Copies (CLOUDFLARE_DLP_FORENSIC_COPIES)
  • Cloudflare DNS Firewall Logs (CLOUDFLARE_DNS_FIREWALL_LOGS)
  • Cloudflare DNS logs (CLOUDFLARE_DNS_LOGS)
  • Cloudflare Email Security Alerts (CLOUDFLARE_EMAIL_SECURITY_ALERTS)
  • Cloudflare Firewall Events (CLOUDFLARE_FIREWALL_EVENTS)
  • Cloudflare Gateway DNS (CLOUDFLARE_GATEWAY_DNS)
  • Cloudflare Gateway HTTP (CLOUDFLARE_GATEWAY_HTTP)
  • Cloudflare Gateway Network (CLOUDFLARE_GATEWAY_NETWORK)
  • Cloudflare HTTP requests (CLOUDFLARE_HTTP_REQUESTS)
  • Cloudflare Magic IDS Detections (CLOUDFLARE_MAGIC_IDS_DETECTIONS)
  • Cloudflare NEL reports (CLOUDFLARE_NEL_REPORTS)
  • Cloudflare Sinkhole HTTP Logs (CLOUDFLARE_SINKHOLE_HTTP_LOGS)
  • Cloudflare SSH Logs (CLOUDFLARE_SSH_LOGS)
  • Cloudflare Workers Trace Events (CLOUDFLARE_WORKERS_TRACE_EVENTS)
  • Cloudflare Zero Trust Network Session (CLOUDFLARE_ZERO_TRUST_NETWORK_SESSION)
  • CloudWave Honeypot (CLOUDWAVE_HONEYPOT)
  • ColorTokens (COLORTOKENS)
  • Contrast Security (CONTRAST_SECURITY)
  • Conversational Agents and Dialogflow (CONVERSATIONAL_AGENT)
  • Corero SmartWall One (CORERO_SMARTWALL_ONE)
  • Cytracom Control One (CYTRACOM_CONTROL_ONE)
  • Datadog Application Security Management (DATADOG_ASM)
  • Express NodeJS (EXPRESS_NODEJS)
  • F5 Distributed Cloud WAF (F5_DCS_WAF)
  • Figma Developers (FIGMA)
  • FIS Trax Payment Factory (TRAX)
  • Fortinet FortiDeceptor (FORTINET_FORTIDECEPTOR)
  • Fortinet FortiSASE (FORTINET_FORTISASE)
  • Gemini Code Assist (GEMINI_CODE_ASSIST)
  • Genea Access Control (GENEA_ACCESS_CONTROL)
  • Genetec Synergis (GENETEC_SYNERGIS)
  • GL TRADE (GL_TRADE)
  • HP Inc MFP (HP_INC_MFP)
  • HP Tandem (HP_TANDEM)
  • Huawei Versatile Routing Platform (HUAWEI_VRP)
  • Human Security (HUMAN_SECURITY)
  • iManage Threat Manager (IMANAGE_THREAT_MANAGER)
  • Indefend DLP (INDEFEND_DLP)
  • Invicti (INVICTI)
  • Isonline ISL Light (ISL_LIGHT)
  • Itential Pronghorn (ITENTIAL_PRONGHORN)
  • Jit (JIT)
  • Kodem Security (KODEM_SECURITY)
  • Konica Minolta YSoft SafeQ (YSOFT_SAFEQ)
  • LayerX (LAYERX)
  • LinOTP (LIN_OTP)
  • Magento Cloud (MAGENTO_CLOUD)
  • Mandiant Advantage Security Validation (MA_SV)
  • NetApp ONTAP Audit (NETAPP_ONTAP_AUDIT)
  • Netscout Arbor Threat Mitigation System (NETSCOUT_TMS)
  • Netwrix Privilege Secure (NETWRIX_PRIVILEGE_SECURE)
  • NeuVector SUSE (NEUVECTOR)
  • Novidea Insurance Management System (NOVIDEA_CLAIM_HISTORY)
  • OneTrust (ONETRUST)
  • Openpath Context (OPENPATH_CONTEXT)
  • Oracle Audit Vault Database Firewall (ORACLE_AVDF)
  • Oracle CPQ (ORACLE_CPQ)
  • Oracle Exadata Database Machine (ORACLE_EXADATA)
  • Palo Alto Prisma Cloud Workload Protection (PAN_PRISMA_CWP)
  • Palo Alto Prisma Dig Cloud DSPM (PAN_PRISMA_DIG_CLOUD_DSPM)
  • Panorays (PANORAYS)
  • Pathlock Identity Security Platform (PATHLOCK)
  • Procore (PROCORE)
  • ProofPoint Email Protection (PROOFPOINT_EMAIL_PROTECTION)
  • Radiantone (RADIANTONE)
  • Radware Cloud WAF Service Access (RADWARE_ACCESS)
  • Reblaze Web Application Firewall (REBLAZE_WAF)
  • Red Access Browsing Security (RED_ACCESS)
  • SafeNet Network HSM (SAFENET_HSM)
  • Salesforce Marketing Cloud Audit (SALESFORCE_MARKETING_CLOUD_AUDIT)
  • Salesforce Shield (SALESFORCE_SHIELD)
  • Sangfor IAG (SANGFOR_IAG)
  • SAP Leasing (SAP_LEASING)
  • SAS Institute (SAS_INSTITUTE)
  • Securden (SECURDEN)
  • SecurEnvoy SecurAccess (SECURENVOY_MFA)
  • Securesoft Sniper IPS (SECURESOFT_SNIPER_IPS)
  • Sentra Data Loss Prevention (SENTRA_DLP)
  • Shield IoT (SHIELD_IOT)
  • Siemens Simatic S7 PLC SNMP (SIEMENS_S7_PLC_SNMP)
  • Siemens Simatic S7 PLC SYSLOG (SIEMENS_S7_PLC_SYSLOG)
  • Smartsheet User Context (SMARTSHEET_USER_CONTEXT)
  • Snowflake Access (SNOWFLAKE_ACCESS)
  • SOCRadar Incidents (SOCRADAR_INCIDENTS)
  • Strata Maverics Identity Orchestration Platform (STRATA_MAVERICS)
  • Stripe Payments (STRIPE)
  • Suridata (SURIDATA)
  • Teradata Access (TERADATA_ACCESS)
  • Thales payShield 10K HSM (THALES_PS10K_HSM)
  • Trend Micro TippingPoint Security Management System (TREND_MICRO_TIPPING_POINT)
  • Valence Security (VALENCE)
  • Vertica Audit (VERTICA_AUDIT)
  • Windows NTP (WINDOWS_NTP)
  • Winget Autoupdate (WINGET_AUTOUPDATE)
  • Wiz Runtime Execution Data (WIZ_RUNTIME_EXECUTION_DATA)
  • Workiva Wdesk (WORKIVA_WDESK)
  • XL Release (XLR)
  • Yugabyte Database (YUGABYTE_DATABASE)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Google SecOps SIEM

Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so changes may take one to four days to appear in your region.

The following supported default parsers have been updated. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.

  • 1Password Audit Events (ONEPASSWORD_AUDIT_EVENTS)
  • AIX system (AIX_SYSTEM)
  • Akamai DataStream 2 (AKAMAI_DATASTREAM_2)
  • Alveo Risk Data Management (ALVEO_RDM)
  • Amazon API Gateway (AWS_API_GATEWAY)
  • Apache Tomcat (TOMCAT)
  • Appian Cloud (APPIAN_CLOUD)
  • Arcsight CEF (ARCSIGHT_CEF)
  • Asset Panda (ASSET_PANDA)
  • Aware Audit (AWARE_AUDIT)
  • Aware Signals (AWARE_SIGNALS)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS ECS Metrics (AWS_ECS_METRICS)
  • AWS Elastic Load Balancer (AWS_ELB)
  • AWS GuardDuty (GUARDDUTY)
  • AWS Inspector (AWS_INSPECTOR)
  • AWS Lambda Function (AWS_LAMBDA_FUNCTION)
  • AWS RDS (AWS_RDS)
  • AWS Redshift (AWS_REDSHIFT)
  • AWS Route 53 DNS (AWS_ROUTE_53)
  • AWS Security Hub (AWS_SECURITY_HUB)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • AWS WAF (AWS_WAF)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Azure Application Gateway (AZURE_GATEWAY)
  • Azure Firewall (AZURE_FIREWALL)
  • Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
  • Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
  • Barracuda WAF (BARRACUDA_WAF)
  • BeyondTrust BeyondInsight (BEYONDTRUST_BEYONDINSIGHT)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Broadcom Support Portal Audit Logs (BROADCOM_SUPPORT_PORTAL)
  • Cato Networks (CATO_NETWORKS)
  • Cequence Bot Defense (CEQUENCE_BOT_DEFENSE)
  • Check Point (CHECKPOINT_FIREWALL)
  • ChromeOS XDR (CHROMEOS_XDR)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco EStreamer (CISCO_ESTREAMER)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
  • Cisco Internetwork Operating System (CISCO_IOS)
  • Cisco IronPort (CISCO_IRONPORT)
  • Cisco ISE (CISCO_ISE)
  • Cisco NX-OS (CISCO_NX_OS)
  • Cisco Switch (CISCO_SWITCH)
  • Cisco Umbrella Cloud Firewall (UMBRELLA_FIREWALL)
  • Cisco vManage SD-WAN (CISCO_SDWAN)
  • Cisco VPN (CISCO_VPN)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Citrix Storefront (CITRIX_STOREFRONT)
  • Claroty Xdome (CLAROTY_XDOME)
  • Cloud Audit Logs (N/A)
  • Cloud Data Loss Prevention (N/A)
  • Cloudflare Network Analytics (CLOUDFLARE_NETWORK_ANALYTICS)
  • Cloudflare WAF (CLOUDFLARE_WAF)
  • Cloudflare Warp (CLOUDFLARE_WARP)
  • CommVault (COMMVAULT)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CrowdStrike Falcon (CS_EDR)
  • CrowdStrike Falcon Stream (CS_STREAM)
  • CrowdStrike Identity Protection Services (CS_IDP)
  • CrushFTP (CRUSHFTP)
  • Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
  • CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
  • Cybereason EDR (CYBEREASON_EDR)
  • Cyolo Secure Remote Access for OT (CYOLO_OT)
  • Datadog (DATADOG)
  • Delinea Secret Server (DELINEA_SECRET_SERVER)
  • Dell CyberSense (DELL_CYBERSENSE)
  • Digicert (DIGICERT)
  • Edgio WAF (EDGIO_WAF)
  • Elastic Packet Beats (ELASTIC_PACKETBEATS)
  • F5 ASM (F5_ASM)
  • F5 DNS (F5_DNS)
  • Forcepoint DLP (FORCEPOINT_DLP)
  • Forcepoint NGFW (FORCEPOINT_FIREWALL)
  • Forgerock OpenIdM (FORGEROCK_OPENIDM)
  • FortiGate (FORTINET_FIREWALL)
  • Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
  • Fortinet Fortimanager (FORTINET_FORTIMANAGER)
  • Fortinet Web Application Firewall (FORTINET_FORTIWEB)
  • GitHub (GITHUB)
  • Gitlab (GITLAB)
  • Harness IO (HARNESS_IO)
  • Hashicorp Vault (HASHICORP)
  • Hillstone Firewall (HILLSTONE_NGFW)
  • Huawei Switches (HUAWEI_SWITCH)
  • IBM Guardium (GUARDIUM)
  • Imperva Database (IMPERVA_DB)
  • Intel Endpoint Management Assistant (INTEL_EMA)
  • JAMF Security Cloud (JAMF_SECURITY_CLOUD)
  • JFrog Artifactory (JFROG_ARTIFACTORY)
  • JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
  • Juniper (JUNIPER_FIREWALL)
  • Kaspersky AV (KASPERSKY_AV)
  • Kaspersky Endpoint (KASPERSKY_ENDPOINT)
  • Kolide Endpoint Security (KOLIDE)
  • Kubernetes Audit (KUBERNETES_AUDIT)
  • Layer7 SiteMinder (SITEMINDER_SSO)
  • Linux Auditing System (AuditD) (AUDITD)
  • Looker Audit (LOOKER_AUDIT)
  • ManageEngine ADAudit Plus (ADAUDIT_PLUS)
  • ManageEngine ADManager Plus (ADMANAGER_PLUS)
  • McAfee Web Gateway (MCAFEE_WEBPROXY)
  • Metabase (METABASE)
  • Microsoft AD FS (ADFS)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
  • Microsoft CyberX (CYBERX)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
  • Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
  • Microsoft IIS (IIS)
  • Microsoft PowerShell (POWERSHELL)
  • Microsoft Sentinel (MICROSOFT_SENTINEL)
  • Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
  • Mikrotik Router (MIKROTIK_ROUTER)
  • Mimecast (MIMECAST_MAIL)
  • MISP Threat Intelligence (MISP_IOC)
  • NetIQ eDirectory (NETIQ_EDIRECTORY)
  • Netskope V2 (NETSKOPE_ALERT_V2)
  • Nozomi Networks Scada Guardian (NOZOMI_GUARDIAN)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Okta User Context (OKTA_USER_CONTEXT)
  • One Identity Identity Manager (ONE_IDENTITY_IDENTITY_MANAGER)
  • Oort Security Tool (OORT)
  • Open Cybersecurity Schema Framework (OCSF) (OCSF)
  • Open LDAP (OPENLDAP)
  • Opnsense (OPNSENSE)
  • Ops Genie (OPS_GENIE)
  • Oracle (ORACLE_DB)
  • Oracle Cloud Guard (OCI_CLOUDGUARD)
  • Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
  • Orca Cloud Security Platform (ORCA)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Panorama (PAN_PANORAMA)
  • Palo Alto Prisma Access (PAN_CASB)
  • Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
  • Pharos (PHAROS)
  • Privacy-I (PRIVACY_I)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • Proofpoint Tap Alerts (PROOFPOINT_MAIL)
  • Proofpoint Threat Response (PROOFPOINT_TRAP)
  • Radware Web Application Firewall (RADWARE_FIREWALL)
  • ReviveSec (REVIVESEC)
  • Rubrik (RUBRIK)
  • Salesforce (SALESFORCE)
  • Sangfor Proxy (SANGFOR_PROXY)
  • Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
  • Security Command Center Threat (N/A)
  • Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Snare System Diagnostic Logs (SNARE_SOLUTIONS)
  • Snipe-IT (SNIPE_IT)
  • Snyk Group level audit/issues logs (SNYK_ISSUES)
  • SonicWall (SONIC_FIREWALL)
  • Sophos Central (SOPHOS_CENTRAL)
  • Swimlane Platform (SWIMLANE)
  • Symantec DLP (SYMANTEC_DLP)
  • Symantec Event export (SYMANTEC_EVENT_EXPORT)
  • Symantec Web Security Service (SYMANTEC_WSS)
  • Tanium Question (TANIUM_QUESTION)
  • Tanium Threat Response (TANIUM_THREAT_RESPONSE)
  • Teleport Access Plane (TELEPORT_ACCESS_PLANE)
  • Tenable Active Directory Security (TENABLE_ADS)
  • Tenable CSPM (TENABLE_CSPM)
  • tenable.io (TENABLE_IO)
  • Terraform Enterprise Audit (TERRAFORM_ENTERPRISE)
  • Thinkst Canary (THINKST_CANARY)
  • ThreatX WAF (THREATX_WAF)
  • Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
  • Trend Micro Vision One (TRENDMICRO_VISION_ONE)
  • TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
  • TXOne Stellar (TRENDMICRO_STELLAR)
  • UKG (UKG)
  • Unix system (NIX_SYSTEM)
  • UPX AntiDDoS (UPX_ANTIDDOS)
  • VanDyke SFTP (VANDYKE_SFTP)
  • Varonis (VARONIS)
  • Vectra Alerts (VECTRA_ALERTS)
  • Vectra Stream (VECTRA_STREAM)
  • VMware AirWatch (AIRWATCH)
  • Vmware Avinetworks iWAF (VMWARE_AVINETWORKS_IWAF)
  • VMware ESXi (VMWARE_ESX)
  • VMware Horizon (VMWARE_HORIZON)
  • Watchguard EDR (WATCHGUARD_EDR)
  • Windows Defender AV (WINDOWS_DEFENDER_AV)
  • Windows DHCP (WINDOWS_DHCP)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • Windows Sysmon (WINDOWS_SYSMON)
  • Workday Audit Logs (WORKDAY_AUDIT)
  • Workday User Activity (WORKDAY_USER_ACTIVITY)
  • WPEngine (WPENGINE)
  • Zimperium (ZIMPERIUM)
  • Zscaler (ZSCALER_WEBPROXY)
  • ZScaler DNS (ZSCALER_DNS)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
  • ZScaler NGFW (ZSCALER_FIREWALL)

The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.

  • Accenture Synthetic (ACCENTURE_SYNTHETIC)
  • Adyen Platform (ADYEN)
  • AliCloud ActionTrail (ALICLOUD_ACTIONTRAIL)
  • Apache LOG4J Java Application Log (LOG4J)
  • AppSmith Audit (APPSMITH_AUDIT)
  • Arctic Security Arctic Node (ARCTIC_NODE)
  • Arista CorvilNet DANZ Integration (ARISTA_CORVILNET)
  • Arista Extensible Operating System (ARISTA_EOS)
  • AvePoint EnPower (AVEPOINT_ENPOWER)
  • Avigilon Alta Cloud Security (AVIGILON_ALTA_CLOUD_SECURITY)
  • Avigilon Ava Security Camera (AVIGILON_AVA_SECURITY_CAMERA)
  • AWS Dasha (AWS_DASHA)
  • AWS Elastic Kubernetes Service (AWS_EKS)
  • Azure Network Security Group Event (AZURE_NSG_EVENT)
  • Azure Windows Virtual Desktop Connections Logs (AZURE_WVD_CONNECTIONS)
  • Azure Windows Virtual Desktop Management Logs (AZURE_WVD_MANAGEMENT)
  • Barracuda Load Balancer ADC (BARRACUDA_LOAD_BALANCER)
  • Broadcom Edge Secure Web Gateway (BROADCOM_EDGE_SWG)
  • Celonis Audit Logs (CELONIS)
  • Chopin PrePay Solutions (CHOPIN_PPS)
  • Cisco Duo Authentication Proxy (DUO_AUTH_PROXY)
  • Cloudflare CASB Findings (CLOUDFLARE_CASB_FINDINGS)
  • Cloudflare Device posture results (CLOUDFLARE_DEVICE_POSTURE_RESULTS)
  • Cloudflare DLP Forensic Copies (CLOUDFLARE_DLP_FORENSIC_COPIES)
  • Cloudflare DNS Firewall Logs (CLOUDFLARE_DNS_FIREWALL_LOGS)
  • Cloudflare DNS logs (CLOUDFLARE_DNS_LOGS)
  • Cloudflare Email Security Alerts (CLOUDFLARE_EMAIL_SECURITY_ALERTS)
  • Cloudflare Firewall Events (CLOUDFLARE_FIREWALL_EVENTS)
  • Cloudflare Gateway DNS (CLOUDFLARE_GATEWAY_DNS)
  • Cloudflare Gateway HTTP (CLOUDFLARE_GATEWAY_HTTP)
  • Cloudflare Gateway Network (CLOUDFLARE_GATEWAY_NETWORK)
  • Cloudflare HTTP requests (CLOUDFLARE_HTTP_REQUESTS)
  • Cloudflare Magic IDS Detections (CLOUDFLARE_MAGIC_IDS_DETECTIONS)
  • Cloudflare NEL reports (CLOUDFLARE_NEL_REPORTS)
  • Cloudflare Sinkhole HTTP Logs (CLOUDFLARE_SINKHOLE_HTTP_LOGS)
  • Cloudflare SSH Logs (CLOUDFLARE_SSH_LOGS)
  • Cloudflare Workers Trace Events (CLOUDFLARE_WORKERS_TRACE_EVENTS)
  • Cloudflare Zero Trust Network Session (CLOUDFLARE_ZERO_TRUST_NETWORK_SESSION)
  • CloudWave Honeypot (CLOUDWAVE_HONEYPOT)
  • ColorTokens (COLORTOKENS)
  • Contrast Security (CONTRAST_SECURITY)
  • Conversational Agents and Dialogflow (CONVERSATIONAL_AGENT)
  • Corero SmartWall One (CORERO_SMARTWALL_ONE)
  • Cytracom Control One (CYTRACOM_CONTROL_ONE)
  • Datadog Application Security Management (DATADOG_ASM)
  • Express NodeJS (EXPRESS_NODEJS)
  • F5 Distributed Cloud WAF (F5_DCS_WAF)
  • Figma Developers (FIGMA)
  • FIS Trax Payment Factory (TRAX)
  • Fortinet FortiDeceptor (FORTINET_FORTIDECEPTOR)
  • Fortinet FortiSASE (FORTINET_FORTISASE)
  • Gemini Code Assist (GEMINI_CODE_ASSIST)
  • Genea Access Control (GENEA_ACCESS_CONTROL)
  • Genetec Synergis (GENETEC_SYNERGIS)
  • GL TRADE (GL_TRADE)
  • HP Inc MFP (HP_INC_MFP)
  • HP Tandem (HP_TANDEM)
  • Huawei Versatile Routing Platform (HUAWEI_VRP)
  • Human Security (HUMAN_SECURITY)
  • iManage Threat Manager (IMANAGE_THREAT_MANAGER)
  • Indefend DLP (INDEFEND_DLP)
  • Invicti (INVICTI)
  • Isonline ISL Light (ISL_LIGHT)
  • Itential Pronghorn (ITENTIAL_PRONGHORN)
  • Jit (JIT)
  • Kodem Security (KODEM_SECURITY)
  • Konica Minolta YSoft SafeQ (YSOFT_SAFEQ)
  • LayerX (LAYERX)
  • LinOTP (LIN_OTP)
  • Magento Cloud (MAGENTO_CLOUD)
  • Mandiant Advantage Security Validation (MA_SV)
  • NetApp ONTAP Audit (NETAPP_ONTAP_AUDIT)
  • Netscout Arbor Threat Mitigation System (NETSCOUT_TMS)
  • Netwrix Privilege Secure (NETWRIX_PRIVILEGE_SECURE)
  • NeuVector SUSE (NEUVECTOR)
  • Novidea Insurance Management System (NOVIDEA_CLAIM_HISTORY)
  • OneTrust (ONETRUST)
  • Openpath Context (OPENPATH_CONTEXT)
  • Oracle Audit Vault Database Firewall (ORACLE_AVDF)
  • Oracle CPQ (ORACLE_CPQ)
  • Oracle Exadata Database Machine (ORACLE_EXADATA)
  • Palo Alto Prisma Cloud Workload Protection (PAN_PRISMA_CWP)
  • Palo Alto Prisma Dig Cloud DSPM (PAN_PRISMA_DIG_CLOUD_DSPM)
  • Panorays (PANORAYS)
  • Pathlock Identity Security Platform (PATHLOCK)
  • Procore (PROCORE)
  • ProofPoint Email Protection (PROOFPOINT_EMAIL_PROTECTION)
  • Radiantone (RADIANTONE)
  • Radware Cloud WAF Service Access (RADWARE_ACCESS)
  • Reblaze Web Application Firewall (REBLAZE_WAF)
  • Red Access Browsing Security (RED_ACCESS)
  • SafeNet Network HSM (SAFENET_HSM)
  • Salesforce Marketing Cloud Audit (SALESFORCE_MARKETING_CLOUD_AUDIT)
  • Salesforce Shield (SALESFORCE_SHIELD)
  • Sangfor IAG (SANGFOR_IAG)
  • SAP Leasing (SAP_LEASING)
  • SAS Institute (SAS_INSTITUTE)
  • Securden (SECURDEN)
  • SecurEnvoy SecurAccess (SECURENVOY_MFA)
  • Securesoft Sniper IPS (SECURESOFT_SNIPER_IPS)
  • Sentra Data Loss Prevention (SENTRA_DLP)
  • Shield IoT (SHIELD_IOT)
  • Siemens Simatic S7 PLC SNMP (SIEMENS_S7_PLC_SNMP)
  • Siemens Simatic S7 PLC SYSLOG (SIEMENS_S7_PLC_SYSLOG)
  • Smartsheet User Context (SMARTSHEET_USER_CONTEXT)
  • Snowflake Access (SNOWFLAKE_ACCESS)
  • SOCRadar Incidents (SOCRADAR_INCIDENTS)
  • Strata Maverics Identity Orchestration Platform (STRATA_MAVERICS)
  • Stripe Payments (STRIPE)
  • Suridata (SURIDATA)
  • Teradata Access (TERADATA_ACCESS)
  • Thales payShield 10K HSM (THALES_PS10K_HSM)
  • Trend Micro TippingPoint Security Management System (TREND_MICRO_TIPPING_POINT)
  • Valence Security (VALENCE)
  • Vertica Audit (VERTICA_AUDIT)
  • Windows NTP (WINDOWS_NTP)
  • Winget Autoupdate (WINGET_AUTOUPDATE)
  • Wiz Runtime Execution Data (WIZ_RUNTIME_EXECUTION_DATA)
  • Workiva Wdesk (WORKIVA_WDESK)
  • XL Release (XLR)
  • Yugabyte Database (YUGABYTE_DATABASE)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Looker

The new gcp.restrictTLSCipherSuites organization policy constraint can be applied to Looker (Google Cloud core) instances that use a public IP networking configuration. See the Restrict TLS cipher suites on a Looker (Google Cloud core) instance documentation page for more information.

Oracle Database@Google Cloud

For VM Clusters on Exadata Infrastructure, you can now select a guest OS version that is optimized for your VMs. This feature is generally available (GA). See Create VM Clusters.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-pubsub

1.139.1 (2025-04-25)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2 (#2394) (17f7fd7)

1.139.0 (2025-04-25)

Features
  • Generate renamed go pubsub admin clients (4472d7b)
Bug Fixes
  • Add retries for ack and modack operations that don't return with a metadata map (#2385) (00070b7)
  • deps: Update the Java code generator (gapic-generator-java) to 2.56.2 (4472d7b)
Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.49.0 (#2380) (405e485)
  • Update dependency com.google.cloud:google-cloud-core to v2.53.1 (#2365) (748058f)
  • Update dependency com.google.cloud:google-cloud-storage to v2.50.0 (#2372) (b81164a)
  • Update dependency com.google.protobuf:protobuf-java-util to v4.30.1 (#2364) (05eb9c0)
  • Update dependency com.google.protobuf:protobuf-java-util to v4.30.2 (#2383) (4119cc0)
Documentation
  • Update documentation for JavaScriptUDF to indicate that the message_id metadata field is optional instead of required (f904786)

Security Command Center

Security Command Center provides increased support for Microsoft Azure data.

Toxic Combinations for Amazon Web Services (AWS) has been released to General Availability.

Sensitive Data Protection

The discovery service of Sensitive Data Protection now supports Azure Blob Storage. You can run discovery to generate data profiles of your Blob Storage containers. Data profiles provide metrics and insights about the sensitivity and risk levels of your data to help you plan your data protection and governance workflows.

This feature is available only to Security Command Center Enterprise customers. To use this feature, you need an Azure connector in Security Command Center that has permissions for Sensitive Data Protection discovery.

To get started on profiling Blob Storage data, see the following:

Spanner

Manually adding split points to your Spanner database is now generally available. Spanner automatically splits, or partitions, data in response to traffic changes to spread load across all available resources in an instance. For large, anticipated traffic changes, such as for a product launch, you can now pre-split the database with split boundaries that represent future traffic. This warmup can yield significant performance benefits for large scaling events.

For more information about configuring split points for your database, see Pre-splitting overview.

April 27, 2025

Google SecOps SOAR

Release 6.3.43 is now available for all regions.

April 25, 2025

Agent Assist

Summarization with custom sections, generative knowledge assist, and proactive generative knowledge assist are available in the following regions:

  • northamerica-northeast1 (Montreal)
  • northamerica-northeast2 (Toronto)
  • europe-west4 (Eemshaven)
  • europe-west6 (Zurich)
  • asia-southeast2 (Jakarta)
  • me-west1 (Tel Aviv)

AlloyDB for PostgreSQL

Bigtable

Bigtable is supported by Database Center, which is generally available (GA). The Database Center now provides performance, availability, and data protection in the form of recommender-related health issues. You can also view these performance recommendations in Recommendation Hub.

Cloud Load Balancing

Starting April 28, 2025, the Global external Application Load Balancer and the Classic Application Load Balancer will no longer allow the use of custom request headers that reference connection-specific hop-by-hop headers.

This change applies only to HTTP/1.1 traffic. Connection-specific hop-by-hop headers are already disallowed by the HTTP/2 and HTTP/3 protocols.

This change is in accordance with RFC 2616, which states that these connection-specific hop-by-hop headers are meaningful only for a single transport-level connection and should not be forwarded by proxies.

The impacted hop-by-hop headers are: Connection, Keep-Alive, TE, Trailer, Transfer-Encoding, and Upgrade.

Starting April 28, 2025, connection-specific hop-by-hop headers that were configured by using custom headers will no longer be applied. These headers will only be set by the load balancer during normal connection handling.

Starting June 30, 2025, any configuration changes that reference the connection-specific hop-by-hop custom headers will no longer be accepted.

What you need to do

If you are an HTTP/1.1 user affected by this change, complete the following steps:

  1. Determine if your application depends on the values of any hop-by-hop headers configured as custom headers. If any dependencies are found, replace them with an allowed custom header and modify your application accordingly.

  2. Review your backend service and URL map headerAction configuration to remove any references to connection-specific hop-by-hop headers.
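
One way to carry out the review in steps 1 and 2, as an added example that is not part of the original release note: a scanner for backend service and URL map definitions exported as JSON (for instance with `gcloud compute backend-services describe --format=json` and `gcloud compute url-maps describe --format=json`). It assumes that a "reference" means the header name matches one of the six listed headers, whether the entry adds or removes it; the sample configurations are constructed.

```python
# Headers named in the release note. HTTP header names are case-insensitive.
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade"}


def _is_hop_by_hop(name):
    return name.strip().lower() in HOP_BY_HOP


def scan_backend_service(backend_service):
    """Flag customRequestHeaders/customResponseHeaders entries ("Name:value")."""
    findings = []
    owner = backend_service.get("name", "?")
    for field in ("customRequestHeaders", "customResponseHeaders"):
        for entry in backend_service.get(field, []):
            name = entry.split(":", 1)[0].strip()
            if _is_hop_by_hop(name):
                findings.append((owner, field, name))
    return findings


def _scan_header_action(action, path):
    """Flag header names in one headerAction object (add and remove lists)."""
    findings = []
    for field in ("requestHeadersToAdd", "responseHeadersToAdd"):
        for item in action.get(field, []):
            name = item.get("headerName", "")
            if _is_hop_by_hop(name):
                findings.append((path, field, name))
    for field in ("requestHeadersToRemove", "responseHeadersToRemove"):
        for name in action.get(field, []):
            if _is_hop_by_hop(name):
                findings.append((path, field, name))
    return findings


def scan_url_map(node, path="urlMap"):
    """Walk the URL map and inspect every headerAction, at any nesting level."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "headerAction" and isinstance(value, dict):
                findings.extend(_scan_header_action(value, child))
            else:
                findings.extend(scan_url_map(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(scan_url_map(item, f"{path}[{index}]"))
    return findings


# Constructed sample input (not taken from a real project).
SAMPLE_BACKEND_SERVICE = {
    "name": "web-backend",
    "customRequestHeaders": [
        "X-Client-Region:{client_region}",
        "Connection:close",
        "keep-alive: timeout=5",
    ],
}

SAMPLE_URL_MAP = {
    "name": "web-map",
    "pathMatchers": [{
        "name": "matcher-1",
        "headerAction": {
            "requestHeadersToAdd": [
                {"headerName": "Upgrade", "headerValue": "h2c", "replace": True},
                {"headerName": "X-Env", "headerValue": "prod"},
            ],
            "responseHeadersToRemove": ["Transfer-Encoding", "Server"],
        },
        "routeRules": [{
            "priority": 1,
            "headerAction": {"requestHeadersToRemove": ["TE"]},
        }],
    }],
}

if __name__ == "__main__":
    for finding in (scan_backend_service(SAMPLE_BACKEND_SERVICE)
                    + scan_url_map(SAMPLE_URL_MAP)):
        print("hop-by-hop header referenced: %s -> %s -> %s" % finding)
```

Each finding names the resource or JSON path, the field, and the header, which is the list of entries to replace with an allowed custom header before the June 30, 2025 cutoff.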

Compute Engine

Public Preview: License Manager lets you subscribe, manage, and track your third-party license usage on Google Cloud. As an administrator, you can use License Manager to offer per-user licensing products, like Microsoft Office, to your users with no long-term commitments and no overhead of managing compliance.

For more information, see About License Manager.

Confidential VM

Support for accelerator-optimized a3-highgpu-1g machine type for securely running AI and ML workloads is now available in Preview, with the following specifications:

  • 4th Generation Intel Xeon Scalable processor (Sapphire Rapids)
  • Intel TDX
  • 1 NVIDIA H100 GPU

Container Optimized OS

cos-117-18613-164-121

  • Kernel: COS-6.6.72
  • Docker: v24.0.9
  • Containerd: v1.7.24
  • GPU Drivers: See List

Updated cos-gpu-installer to v2.5.0: Support IMEX Driver installation for NVIDIA_GB200 GPU device.

Upgraded app-admin/node-problem-detector to v0.8.20.

Reverted a change in the Linux kernel that caused NFS directories to be unexpectedly mounted as ro instead of rw.

Fixed CVE-2024-48615 in app-arch/libarchive.

Fixed CVE-2025-21963 in the Linux kernel.

Fixed CVE-2025-21964 in the Linux kernel.

Fixed CVE-2025-21962 in the Linux kernel.

Fixed CVE-2025-21908 in the Linux kernel.

Fixed CVE-2025-21898 in the Linux kernel.

Fixed CVE-2025-21959 in the Linux kernel.

Fixed CVE-2025-21919 in the Linux kernel.

Fixed CVE-2025-21922 in the Linux kernel.

Fixed CVE-2025-21920 in the Linux kernel.

Fixed CVE-2025-21997 in the Linux kernel.

Fixed CVE-2025-22005 in the Linux kernel.

Fixed CVE-2025-21991 in the Linux kernel.

Fixed CVE-2025-21980 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811760 -> 811799

cos-121-18867-0-104

  • Kernel: COS-6.6.74
  • Docker: v27.5.1
  • Containerd: v2.0.4
  • GPU Drivers: See List

Updated cos-gpu-installer to v2.5.0: Support IMEX Driver installation for NVIDIA_GB200 GPU device.

Reverted a change in the Linux kernel that caused NFS directories to be unexpectedly mounted as ro instead of rw.

Fixed CVE-2025-31498 in net-dns/c-ares.

Fixed CVE-2024-48615 in app-arch/libarchive.

Fixed CVE-2025-21963 in the Linux kernel.

Fixed CVE-2025-21964 in the Linux kernel.

Fixed CVE-2025-21908 in the Linux kernel.

Fixed CVE-2025-21898 in the Linux kernel.

Fixed CVE-2025-21959 in the Linux kernel.

Fixed CVE-2025-21962 in the Linux kernel.

Fixed CVE-2025-21919 in the Linux kernel.

Fixed CVE-2025-21920 in the Linux kernel.

Fixed CVE-2025-21922 in the Linux kernel.

Fixed CVE-2025-21980 in the Linux kernel.

Fixed CVE-2025-22005 in the Linux kernel.

Fixed CVE-2025-21997 in the Linux kernel.

Fixed CVE-2025-21991 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811714 -> 811816

cos-109-17800-436-106

  • Kernel: COS-6.1.124
  • Docker: v24.0.9
  • Containerd: v1.7.24
  • GPU Drivers: See List

Reverted a change in the Linux kernel that caused NFS directories to be unexpectedly mounted as ro instead of rw.

Fixed CVE-2024-48615 in app-arch/libarchive.

Fixed CVE-2025-21962 in the Linux kernel.

Fixed CVE-2025-21964 in the Linux kernel.

Fixed CVE-2025-21963 in the Linux kernel.

Fixed CVE-2025-21959 in the Linux kernel.

Fixed CVE-2025-21898 in the Linux kernel.

Fixed CVE-2025-21980 in the Linux kernel.

Fixed CVE-2025-22005 in the Linux kernel.

Fixed CVE-2025-21997 in the Linux kernel.

Fixed CVE-2025-21999 in the Linux kernel.

Fixed CVE-2025-21922 in the Linux kernel.

Fixed CVE-2025-21920 in the Linux kernel.

Fixed CVE-2025-21919 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812288 -> 812262

cos-dev-125-19000-0-0

  • Kernel: COS-6.6.87
  • Docker: v27.5.1
  • Containerd: v2.0.4
  • GPU Drivers: See List

Updated cos-gpu-installer to v2.5.0: Support IMEX Driver installation for NVIDIA_GB200 GPU device.

Updated the Linux kernel to v6.6.87.

Upgraded app-admin/google-guest-agent to v20250408.00.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2479.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2967.

Upgraded chromeos-base/shill-client to v0.0.1-r4850.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2828.

Upgraded chromeos-base/debugd-client to v0.0.1-r2732.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r663.

Reverted a change in the Linux kernel that caused NFS directories to be unexpectedly mounted as ro instead of rw.

Fixed CVE-2024-53427 in app-misc/jq.

Fixed CVE-2024-48615 in app-arch/libarchive.

Updated dev-vcs/git to version 2.49.0. This fixed CVE-2024-52006 and CVE-2024-50349.

Runtime sysctl changes:

  • Changed: fs.file-max: 811798 -> 811749

cos-113-18244-291-109

  • Kernel: COS-6.1.123
  • Docker: v24.0.9
  • Containerd: v1.7.24
  • GPU Drivers: See List

Reverted a change in the Linux kernel that caused NFS directories to be unexpectedly mounted as ro instead of rw.

Fixed CVE-2024-48615 in app-arch/libarchive.

Fixed CVE-2025-21963 in the Linux kernel.

Fixed CVE-2025-21959 in the Linux kernel.

Fixed CVE-2025-21898 in the Linux kernel.

Fixed CVE-2025-21964 in the Linux kernel.

Fixed CVE-2025-21962 in the Linux kernel.

Fixed CVE-2025-21919 in the Linux kernel.

Fixed CVE-2025-21922 in the Linux kernel.

Fixed CVE-2025-21920 in the Linux kernel.

Fixed CVE-2025-21997 in the Linux kernel.

Fixed CVE-2025-21980 in the Linux kernel.

Fixed CVE-2025-22005 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812031 -> 812016

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.31.400-gke.110 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.31.400-gke.110 runs on Kubernetes v1.31.7-gke.800.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

Upgraded etcd to v3.4.33-0-gke.3.

Fixed an issue that prevented user cluster upgrades when Dataplane V2 was explicitly configured with forward mode.

The 1.31.400-gke.110 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Distributed Cloud (software only) for bare metal

Release 1.31.400-gke.110

Google Distributed Cloud (software only) for VMware 1.31.400-gke.110 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.31.400-gke.110 runs on Kubernetes v1.31.7-gke.800.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following functional changes were made in 1.31.400-gke.110:

  • Updated the cluster upgrade operation to keep only the three latest kubeadm backups of etcd and configuration information for a node. Previously, kubeadm kept node backups for every attempted upgrade.

  • Upgraded etcd to v3.4.33-0-gke.3.

The following fixes were made in 1.31.400-gke.110:

  • Fixed an issue where network interfaces were being leaked, preventing namespace deletion.

  • Fixed an issue that resulted in an excessive creation of periodic kube-proxy-cleanup jobs on cluster nodes with high pod utilization.

  • Fixed an issue that caused cluster creation to fail because kubelet restarted before the required static pods were running.

  • Fixed an issue that allowed bmctl reset to run in situations where the reset resulted in the loss of quorum for control plane nodes. To run the command without enforcing the quorum, use the newly added --bypass-quorum-check flag.

The 1.31.400-gke.110 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google SecOps

Google SecOps now supports native integration with Azure Event Hub through the feed management API or web interface. This enhancement enables real-time log ingestion without requiring Azure blob storage. For more information, see Create an Azure Event Hub feed.

Google SecOps SIEM

Google SecOps now supports native integration with Azure Event Hub through the feed management API or web interface. This enhancement enables real-time log ingestion without requiring Azure blob storage. For more information, see Create an Azure Event Hub feed.

Memorystore for Valkey

The maintenance feature for Memorystore for Valkey is now Generally Available (GA).

SAP on Google Cloud

New SAP certifications: Additional M4 memory-optimized machine types

For use with SAP HANA scale-up (OLAP and OLTP) and SAP NetWeaver workloads, SAP has certified the following Compute Engine M4 memory-optimized machine types: 372 GB m4-megamem-28 and 6 TB m4-ultramem-224.

For more information, see:

New SAP certification: 3 TB m4-megamem-224 for SAP HANA scale-out workloads

For use with SAP HANA scale-out (OLAP and OLTP) workloads, SAP has certified the 3 TB m4-megamem-224 memory-optimized machine type. For more information, see M4 memory-optimized VM types.

VPC Service Controls

Updated the limitations for the following integration in the Supported products and limitations page:

  • Firestore: using Firestore Enterprise edition with restricted VIP requires adding IP ranges to an allowlist.

April 24, 2025

AI Applications

Vertex AI Search: Obtain claim-level grounding scores (GA)

Claim-level scores from the check grounding API are generally available (GA). In addition to the answer-level support score, you can obtain a support score for each claim in an answer candidate.

For more information, see Obtain claim-level scores for an answer candidate.

BigQuery

You can now work with a Gemini-powered assistant in a BigQuery data canvas. The data canvas assistant is an agent-like tool that can construct and modify a data canvas to answer data analytics questions from user prompts. This feature is now in Preview.

Cloud Composer

Starting from June 2025, the default version for new Cloud Composer environments changes from Cloud Composer 2 to Cloud Composer 3. New environments will use the latest default Airflow build (composer-3-airflow-2). Currently, the default version is composer-2-airflow-2.

Cloud Database Migration Service

Database Migration Service for heterogeneous migrations to PostgreSQL now supports migrating to PostgreSQL versions 16 and 17.

  • PostgreSQL versions 16 and 17 are supported for migrations from Oracle and SQL Server to Cloud SQL for PostgreSQL.
  • PostgreSQL version 16 is supported for migrations from Oracle and SQL Server to AlloyDB for PostgreSQL.

For more information, see Supported source and destination databases.

Cloud NGFW

You can use a single request to batch update all the firewall policy rules for hierarchical and network firewall policies. For more information, see Overview of batch update to firewall policy rules. This feature is generally available (GA).

Cloud SQL for MySQL

Private Service Connect endpoint propagation is now generally available (GA). You can use the Network Connectivity Center hub to propagate the Private Service Connect endpoints of your Cloud SQL instances in a VPC network.

Cloud SQL for PostgreSQL

Private Service Connect endpoint propagation is now generally available (GA). You can use the Network Connectivity Center hub to propagate the Private Service Connect endpoints of your Cloud SQL instances in a VPC network.

Cloud SQL for SQL Server

Private Service Connect endpoint propagation is now generally available (GA). You can use the Network Connectivity Center hub to propagate the Private Service Connect endpoints of your Cloud SQL instances in a VPC network.

Dialogflow

Dialogflow CX (Conversational Agents): You can now create personalized voice models with voice cloning.

Dialogflow CX (Conversational Agents): You can now use code blocks to get better control over playbooks.

Dialogflow CX (Conversational Agents): You can now use the console to test your tools.

Google Kubernetes Engine

Saxml on GKE is de-prioritized beginning April 24, 2025. This means the project won't get further updates. Existing Saxml deployments will continue to function as is without disruption. We strongly suggest that you migrate to JetStream, Google's up-to-date open-source inference framework for high-performance LLM serving on TPUs and GPUs. JetStream offers continuous batching and quantization for better throughput and memory efficiency. For a migration example, see Serve Gemma using TPUs on GKE with JetStream.

Looker

After May 23, 2025, Gemini in Looker will be enabled by default for Looker (original) instances outside of the EMEA region.

Looker admins can opt out of automatic enablement by disabling the Automated Gemini in Looker enablement and user management setting on the Settings page in the Looker Admin panel, now available for Looker (original) instances on Looker 25.6.

For instances outside of the EMEA region that are slated to update to Looker 25.6 after May 23, 2025, Gemini in Looker will be enabled automatically, and Looker admins must disable Gemini in Looker manually.

Note: This item was updated on April 29, 2025.

April 23, 2025

BigQuery

You can now set a maximum slot limit for a reservation. You can configure the maximum reservation size when creating or updating a reservation. This feature is in public preview.

You can now specify which reservation a query uses at runtime, and set IAM policies directly on reservations. This provides more flexibility and fine-grained control over resource management. This feature is in public preview.

You can now allocate idle slots fairly across reservations within a single admin project. This ensures each reservation receives an approximately equal share of available capacity. This feature is in public preview.

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, and Feed APIs.

  • GKE Hub API
    • gkehub.googleapis.com/MembershipFeature

Cloud Billing

Cloud Billing supports Dark theme in the Google Cloud console (in preview)

Dark theme is now available in the Billing section of the Google Cloud console (preview). To enable the Dark theme, in the Google Cloud console, click Settings > Preferences > Appearance. Choose Dark theme and click Save.

Contact Center AI Insights

Quality AI offers fine-grained access control in preview. Use IAM custom roles and authorized views to control who can view which portions of your dataset.

Google SecOps

This feature is currently in Preview. Google SecOps now supports composite detections. Composite detections let users link multiple YARA-L rules to detect complex, multistage threats. This capability enhances detection by correlating alerts that individual rules might not detect.

Google SecOps SIEM

This feature is currently in Preview. Google SecOps now supports composite detections. Composite detections let users link multiple YARA-L rules to detect complex, multistage threats. This capability enhances detection by correlating alerts that individual rules might not detect.

April 22, 2025

Apigee Integrated Portal

On April 22, 2025 we released a new version of the Apigee integrated portal.

Public Preview: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Using Google Cloud console components gives API providers and Portal Admins a centralized platform to efficiently configure, publish, and manage their API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Cloud Build

You can now specify build dependencies in your build configuration file. For more information, see Manage build dependencies.

Cloud Run

Cloud KMS with Autokey is now in General Availability (GA) for Cloud Run.

Compute Engine

Public Preview: General purpose C4D machine types have reached Public Preview. C4D is powered by the fifth generation AMD EPYC processor (Turin) and Google Titanium.

C4D is designed to run mission critical workloads including web app and game servers, AI inference, web serving, video streaming, and data centric applications like analytics, relational, and in-memory databases.

C4D is available in standard, highmem, and highcpu machine types and only supports Google Cloud Hyperdisk storage.

To learn where to create C4D instances, see the Regions and zones page.

Cortex Framework

Release 6.3

  • Cortex for Meridian.
    • Cortex Framework for Meridian, Google's open-source Marketing Mix Modeling (MMM) tool (v1.0.5), delivers ready data models and automation of Meridian Model execution using Google Cloud tools like Enterprise Colab and Cloud Workflows.
    • This integration empowers users to make data-driven marketing decisions by providing accurate campaign performance measurement and budget optimization.
    • Cortex for Meridian simplifies the pre-modeling process by gathering and transforming data from core Cortex Framework data sources, including:
  • Task Dependent DAGs:
    • Provided out-of-the-box, recommended DAGs and task dependencies for SAP ECC/S4 reporting.
    • Enabled the creation and deployment of customized task-dependent reporting settings for all data sources.
  • CATGAP has been deprecated.
  • SAP Machine Learning (ML) models have been deprecated.
  • Resolved duplicate entries from VendorsMD.
  • Fixed DATE_ADD overflow issue in InventoryByPlant.
  • Fixed mislabeled columns in AccountingDocumentsReceivable.
  • Addressed JSON parsing errors related to FLOAT numbers in Meta Raw to DAG Change Data Capture (CDC).
  • Fixed a typo in the LeadsCaptureConversions Salesforce (SFDC) reporting table: LeadFirstResponeDatestamp corrected to LeadFirstResponseDatestamp.

Dataproc Metastore

Dataproc Metastore multi-regional services now support the use of customer-managed encryption keys (CMEKs) (in preview).

Firestore

Committed use discounts are now generally available (GA) for Firestore in exchange for a commitment to continuously spend a certain amount on Firestore read/write/delete operations for one year or three years. For details, see Committed use discounts.

Firestore in Datastore mode

Committed use discounts are now generally available (GA) for Firestore in Datastore mode in exchange for a commitment to continuously spend a certain amount on read/write/delete operations for one year or three years. For details, see Committed use discounts.

Google SecOps

The following parser documentation is now available:

  • Collect Barracuda Email Security Gateway logs
  • Collect Barracuda WAF logs
  • Collect CrowdStrike Falcon logs in CEF
  • Collect Juniper NetScreen Firewall logs
  • Collect Micro Focus NetIQ Access Manager logs
  • Collect Symantec DLP logs
  • Collect Aruba ClearPass logs
  • Collect Aruba Wireless Controller and Access Point logs
  • Collect BeyondTrust Secure Remote Access logs
  • Collect CyberArk Privileged Threat Analytics logs
  • Collect Fortinet FortiMail logs
  • Collect Sophos Central logs
  • Collect Sophos XG Firewall logs
  • Collect AWS EC2 Hosts logs
  • Collect AWS EC2 Instance logs
  • Collect AWS IAM logs
  • Collect Cisco Stealthwatch logs
  • Collect Cisco Umbrella audit logs
  • Collect Cisco Umbrella DNS logs
  • Collect Cisco Umbrella Web Proxy logs
  • Collect CommVault Backup and Recovery logs
  • Collect Forcepoint Proxy logs
  • Collect Fortinet FortiAnalyzer logs
  • Collect Fortinet FortiAuthenticator logs
  • Collect Fortinet Firewall logs
  • Collect Palo Alto Networks Traps logs
  • Collect SecureAuth Identity Platform logs
  • Collect Claroty CTD logs
  • Collect Claroty xDome logs
  • Collect F5 BIG-IP ASM logs
  • Collect FireEye HX logs
  • Collect Microsoft IIS logs
  • Collect PowerShell logs
  • Collect Snort logs
  • Collect A10 Network Load Balancer logs
  • Collect Alcatel switch logs
  • Collect AlgoSec Security Management logs
  • Collect Arbor Edge Defense logs
  • Collect Epic Systems logs
  • Collect Fortra Digital Guardian DLP logs
  • Collect MobileIron logs
  • Collect Microsoft Windows Defender ATP logs
  • Collect Nokia Router logs
  • Collect Broadcom Symantec SiteMinder Web Access logs

Google SecOps SIEM

The following parser documentation is now available:

  • Collect Barracuda Email Security Gateway logs
  • Collect Barracuda WAF logs
  • Collect CrowdStrike Falcon logs in CEF
  • Collect Juniper NetScreen Firewall logs
  • Collect Micro Focus NetIQ Access Manager logs
  • Collect Symantec DLP logs
  • Collect Aruba ClearPass logs
  • Collect Aruba Wireless Controller and Access Point logs
  • Collect BeyondTrust Secure Remote Access logs
  • Collect CyberArk Privileged Threat Analytics logs
  • Collect Fortinet FortiMail logs
  • Collect Sophos Central logs
  • Collect Sophos XG Firewall logs
  • Collect AWS EC2 Hosts logs
  • Collect AWS EC2 Instance logs
  • Collect AWS IAM logs
  • Collect Cisco Stealthwatch logs
  • Collect Cisco Umbrella audit logs
  • Collect Cisco Umbrella DNS logs
  • Collect Cisco Umbrella Web Proxy logs
  • Collect CommVault Backup and Recovery logs
  • Collect Forcepoint Proxy logs
  • Collect Fortinet FortiAnalyzer logs
  • Collect Fortinet FortiAuthenticator logs
  • Collect Fortinet Firewall logs
  • Collect Palo Alto Networks Traps logs
  • Collect SecureAuth Identity Platform logs
  • Collect Claroty CTD logs
  • Collect Claroty xDome logs
  • Collect F5 BIG-IP ASM logs
  • Collect FireEye HX logs
  • Collect Microsoft IIS logs
  • Collect PowerShell logs
  • Collect Snort logs
  • Collect A10 Network Load Balancer logs
  • Collect Alcatel switch logs
  • Collect AlgoSec Security Management logs
  • Collect Arbor Edge Defense logs
  • Collect Epic Systems logs
  • Collect Fortra Digital Guardian DLP logs
  • Collect MobileIron logs
  • Collect Microsoft Windows Defender ATP logs
  • Collect Nokia Router logs
  • Collect Broadcom Symantec SiteMinder Web Access logs

Looker

The Looker Mobile (Legacy) application will be deprecated on March 1, 2026. Use the Looker application instead.

Looker (Google Cloud core) now supports Google group mirroring when using OAuth authentication.

Memorystore for Valkey

Memorystore for Valkey supports storing and querying vector data. This feature is now Generally Available (GA). For more information, see About vector search.

Policy Controller

Policy Controller version 1.20.2 is now available.

April 21, 2025

App Engine flexible environment Python

Python 3.13 is now available in Preview.

App Engine standard environment Python

Python 3.13 is now available in Preview.

Application Integration

New Canvas View is enabled by default in the Integration Editor

The new Canvas View is now enabled by default in the integration editor. This change is a default setting and no manual enablement is required. You can switch to the old canvas view by disabling the New canvas view toggle.

For more information, see Use the new canvas view.

Backup and DR

There is a new committed use discount (CUD) for customers using Backup and DR Service to protect Oracle databases into a backup vault. This is a way to lower backup costs in consideration of a 1-year or 3-year commitment. You can purchase CUDs from Google Cloud Marketplace via the standard process.

Introduced logging and alerting capabilities to monitor the health and status of your backup/recovery appliances. You can configure email notifications via Cloud Logging to receive timely alerts on appliance status changes or potential issues.

Backup and DR Service now supports backup and restore of Db2 databases using persistent disk snapshots. This is typically faster and simpler than previous methods and in some cases may also reduce costs.

These issues have been fixed:

  • An issue in which multiple snapshot/Direct OnVault jobs became stuck in an unresponsive state after attempting to connect to vCenter with an openssl command.
  • An issue in which database persistent disk snapshot backup jobs failed with the unhelpful error message resource not found. These jobs now report a useful error message.
  • An issue in which Log explorer was showing some spurious "read error, check permissions" results on backup/recovery appliances.
  • An issue in which a backup/recovery appliance could come out of synchronization with a management console following a Trying to release lock or Failed to acquire lock error.
  • A rare issue in which a backup/recovery appliance became unresponsive after a very heavy load exhausted all job threads and /var/log/ was 100% full. Thread management is now more efficient.
  • An issue in which persistent disk database snapshot images were failing to import log backups, and the recovery range was missing on imported backups.
  • An issue in which some backups of PostgreSQL version 15 failed due to a premature timeout.
  • An issue in which some mount jobs failed if the host's lvmconfig has global/system_id_source set to uname.
  • An issue in which database names provided in mount screen were not honored correctly when creating child applications on the target host.
  • The Staging disk is full error message has been made more useful.

Vulnerabilities CVE-2024-42301, CVE-2024-42284, and CVE-2024-41092 have been fixed in kernel version 4.18.0-553.33.1.el8_10.

Introduced management console events for the Appliance Connectivity Events and Dynamic Protection Events.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigquery

7.9.4 (2025-04-02)

Bug Fixes
  • MergeSchemaWithRows can be called with empty schema if result set is empty (#1455) (e608601)

BigQuery now provides spend-based committed use discounts (CUDs). Spend-based committed use discounts provide a discount in exchange for your commitment to spend a minimum amount per hour on PAYG compute resources listed here. You can purchase CUDs with a one or three year commitment period.

You can get the required permissions to use BigQuery data preparation through the BigQuery Studio User (roles/bigquery.studioUser) and Gemini for Google Cloud User (roles/cloudaicompanion.user) roles, and permission to access the data you're preparing.

BigQuery data preparation no longer requires that you have the permissions granted by the following IAM roles:

For more information about the required roles, see Manage data preparations.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-bigtable

2.30.1 (2025-04-17)

Bug Fixes
  • Populate SQL app_profile_id header even when it is unset (#1109) (17b75bd)

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

DICOM files have a limit of 4 GB per tag. This limit does not apply for values with undefined length. For more information, see Resource limits.

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-logging

3.12.0 (2025-04-10)

Features
  • Add REST Interceptors which support reading metadata (681bcc5)
  • Add support for opt-in debug logging (681bcc5)
  • Added flushes/close functionality to logging handlers (#917) (d179304)

Bug Fixes
  • Allow protobuf 6.x (#977) (6757890)
  • deps: Require google-cloud-audit-log >= 0.3.1 (#979) (1cc00ec)
  • Fix typing issue with gRPC metadata when key ends in -bin (681bcc5)

Documentation
  • Added documentation on log_level and excluded_loggers params in setup_logging (#971) (70d9d25)
  • Update README to break infinite redirect loop (#972) (52cd907)

Cloud Logging adds support for the europe-north2 region. For a complete list of supported regions, see Supported regions.

Cloud Run

Support for the Python 3.13 runtime is now in Preview.

Cloud Run functions

Cloud Run functions now supports the Python 3.13 runtime at the Preview release level.

Colab Enterprise

The notebook gallery is now available.

The notebook gallery is a curated collection of notebooks to help you get started using Colab Enterprise. This collection consists of ready-to-use templates and examples to make it easier to learn new techniques, understand best practices, and get projects started quickly. Browse the notebooks by category or use the search bar to find a notebook that helps you get started. See the notebook gallery.

Compute Engine

Generally available: Compute flexible committed use discounts (CUDs) are available for the sole-tenancy premium that you pay for eligible sole-tenant node types. Flexible CUDs add flexibility to your Compute Engine spending capabilities by eliminating the need to restrict your commitments to a single project, region, or machine series.

For more information, see Compute flexible CUDs.

Dataflow

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for dataflow/apiv1beta3

0.10.6 (2025-04-15)

Bug Fixes
  • dataflow: Update google.golang.org/api to 0.229.0 (3319672)

Firestore in Datastore mode

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-datastore

2.21.0 (2025-04-10)

Features
  • Add REST Interceptors which support reading metadata (7be9c4c)
  • Add support for opt-in debug logging (7be9c4c)

Bug Fixes
  • Allow protobuf 6.x (#598) (7c1171b)
  • Backwards-compatibility for previous meaning format (#603) (ed92e8e)
  • Fix typing issue with gRPC metadata when key ends in -bin (7be9c4c)

Google SecOps

Curated Detections has been enhanced with new detection content for Cloud Threats to include rule packs covering Office 365 and Okta. These rule packs are in public preview for customers with a Google Security Operations or Enterprise Plus license.

Google SecOps SIEM

Curated Detections has been enhanced with new detection content for Cloud Threats to include rule packs covering Office 365 and Okta. These rule packs are in public preview for customers with a Google Security Operations or Enterprise Plus license.

Network Intelligence Center

Network Analyzer includes an insight that indicates if a GKE cluster's pod CIDR range isn't included in the ip-masq-agent ConfigMap. For more information, see GKE IP masquerade configuration insights.

Security Command Center

The Execution: Ingress Nightmare Vulnerability Execution detector of Container Threat Detection is in Preview.

April 20, 2025

Google SecOps SOAR

Release 6.3.43 is being rolled out to the first phase of regions as listed here.

This release contains internal and customer bug fixes.

April 19, 2025

Google SecOps SOAR

Release 6.3.42 is now available for all regions.

April 18, 2025

Cloud SQL for MySQL

Cloud SQL for MySQL 8.0.40 is now the default minor version. To upgrade your existing instance to the new version, see Upgrade the database minor version.

Dataproc Developer Connect

The ability to use Git proxy for Git calls to your SCM connections is now generally available.

Google Cloud Architecture Center

Parallel file systems for HPC workloads: Added guidance about Google Cloud Managed Lustre.

Google Kubernetes Engine

(2025-R15) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

  • Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.29.14-gke.1132000
    • 1.29.15-gke.1017000
    • 1.29.15-gke.1058000
    • 1.29.15-gke.1108000
    • 1.29.15-gke.1134000
    • 1.30.10-gke.1145000
    • 1.30.10-gke.1227000
    • 1.30.10-gke.1227001
    • 1.30.11-gke.1008001
    • 1.30.11-gke.1072000
    • 1.30.11-gke.1093000
    • 1.31.5-gke.1169001
    • 1.31.5-gke.1233001
    • 1.31.6-gke.1020001
    • 1.31.6-gke.1064000
    • 1.31.6-gke.1099000
    • 1.31.6-gke.1140000
    • 1.31.6-gke.1221000
    • 1.31.6-gke.1221001
    • 1.31.7-gke.1013001
    • 1.31.7-gke.1112000
    • 1.31.7-gke.1149000
    • 1.32.2-gke.1182001
    • 1.32.2-gke.1182002
    • 1.32.2-gke.1297001
    • 1.32.2-gke.1400003
    • 1.32.2-gke.1652000
    • 1.32.2-gke.1652003
    • 1.32.3-gke.1057001
    • 1.32.3-gke.1170000
    • 1.32.3-gke.1440000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182003 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.

Regular channel

  • Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.30.10-gke.1022000
    • 1.31.6-gke.1020000
    • 1.31.6-gke.1064000
    • 1.32.1-gke.1357001
    • 1.32.2-gke.1182001
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.

Stable channel

  • Version 1.31.6-gke.1064001 is now the default version for cluster creation in the Stable channel.
  • The following versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.29.13-gke.1109000
    • 1.30.9-gke.1127000
    • 1.30.9-gke.1201000
    • 1.30.10-gke.1022000
    • 1.31.5-gke.1169000
    • 1.31.5-gke.1233000
    • 1.31.6-gke.1020000
    • 1.31.6-gke.1064000
    • 1.32.2-gke.1182001
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.

Extended channel

  • Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Extended channel.
  • The following versions are now available in the Extended channel:
  • The following versions are no longer available in the Extended channel:
    • 1.27.16-gke.2451000
    • 1.27.16-gke.2477000
    • 1.27.16-gke.2528000
    • 1.27.16-gke.2573000
    • 1.27.16-gke.2650000
    • 1.28.15-gke.1844000
    • 1.28.15-gke.1881000
    • 1.28.15-gke.1940000
    • 1.28.15-gke.2003000
    • 1.28.15-gke.2097000
    • 1.30.10-gke.1022000
    • 1.31.6-gke.1020000
    • 1.31.6-gke.1064000
    • 1.32.1-gke.1357001
    • 1.32.2-gke.1182001
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2595000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2027000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.

No channel

  • Version 1.32.2-gke.1182003 is now the default version for cluster creation.
  • The following versions are now available:
  • The following node versions are now available:
  • The following versions are no longer available:
    • 1.29.13-gke.1109000
    • 1.29.14-gke.1132000
    • 1.29.15-gke.1017000
    • 1.29.15-gke.1058000
    • 1.29.15-gke.1108000
    • 1.29.15-gke.1134000
    • 1.30.9-gke.1046000
    • 1.30.9-gke.1201000
    • 1.30.10-gke.1022000
    • 1.30.10-gke.1145000
    • 1.30.10-gke.1227000
    • 1.30.10-gke.1227001
    • 1.30.11-gke.1008001
    • 1.30.11-gke.1072000
    • 1.30.11-gke.1093000
    • 1.31.5-gke.1169000
    • 1.31.5-gke.1169001
    • 1.31.5-gke.1233000
    • 1.31.5-gke.1233001
    • 1.31.6-gke.1020001
    • 1.31.6-gke.1064000
    • 1.31.6-gke.1099000
    • 1.31.6-gke.1140000
    • 1.31.6-gke.1221000
    • 1.31.6-gke.1221001
    • 1.31.7-gke.1013001
    • 1.31.7-gke.1112000
    • 1.31.7-gke.1149000
    • 1.32.1-gke.1729000
    • 1.32.2-gke.1182002
    • 1.32.2-gke.1297001
    • 1.32.2-gke.1400003
    • 1.32.2-gke.1652000
    • 1.32.2-gke.1652003
    • 1.32.3-gke.1057001
    • 1.32.3-gke.1170000
    • 1.32.3-gke.1440000
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
    • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
    • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.

Google SecOps

Chrome Enterprise Threats Category

This feature is currently in Preview.

Google SecOps has introduced a new detection category, Chrome Enterprise Threats, as part of the Curated Detections feature. This category provides rule sets for extension and browser threats. For more information, see Overview of Chrome Enterprise Threats Category.

Google SecOps SIEM

Chrome Enterprise Threats Category

This feature is currently in Preview.

Google SecOps has introduced a new detection category, Chrome Enterprise Threats, as part of the Curated Detections feature. This category provides rule sets for extension and browser threats. For more information, see Overview of Chrome Enterprise Threats Category.

Memorystore for Redis Cluster

The backups feature for Memorystore for Redis Cluster is now Generally Available (GA).

Memorystore for Valkey

You can now manage backups for Memorystore for Valkey instances. This feature is Generally Available (GA).

Oracle Database@Google Cloud

Oracle Database@Google Cloud now lets you provision Exadata Infrastructure instances with the new X11M model. This feature is generally available (GA). See Create Exadata Infrastructure instances.

Security Command Center

The ability of Event Threat Detection to analyze foundational log sources is generally available (GA).

April 17, 2025

Anti Money Laundering AI

New minor engine versions have been released for the retail and commercial lines of business within the v004 tuning version. These extend support for the major version and include no significant changes versus the previous minor versions.

Assured Workloads

The CJIS control package now supports the following products:

  • Access Transparency
  • Cloud Tasks
  • Cloud OS Login API
  • Eventarc
  • Firebase Security Rules
  • Generative AI on Vertex AI

BigQuery

You can now use BigQuery DataFrames version 2.0, which makes security and performance improvements to the BigQuery DataFrames API, adds new features, and introduces breaking changes.

You can use partial ordering mode in BigQuery DataFrames to generate efficient queries. This feature is generally available (GA).

Cloud Composer

Airflow 2.10.5 is available in Cloud Composer.

Database retention policy is now enabled by default in Google Cloud console and remains disabled in Google Cloud CLI, API, and Terraform.

This feature helps to maintain the Airflow database size. You can enable or disable the database retention policy or adjust the retention period for new and existing environments.

The default environment's service account setting is being gradually removed in Cloud Composer. After the change, you'll need to explicitly specify a service account when you create a new Cloud Composer environment. For more information about addressing the change, see the earlier announcement of this change.

In this release, the change is rolling out to the following regions: africa-south1, asia-northeast2, asia-south2, australia-southeast2, europe-north2, europe-southwest1, europe-west8, europe-west10, europe-west12, me-central1, me-central2, me-west1, northamerica-northeast2, northamerica-south1, southamerica-west1, us-east7, and us-south1. It will be rolled out to more regions in future releases.

Cloud Composer 2 environments now always use the environment's service account for performing PyPI packages installations:

  • Existing Cloud Composer 2 environments that previously used the default Cloud Build service account now use the environment's service account instead.
  • Cloud Composer 2 environments created in versions 2.10.2 and later already have this change.
  • Cloud Composer 3 environments already use the environment's service account, and are not affected by this change.
  • This change is gradually rolled out to all regions supported by Cloud Composer 2.

Cloud Composer now detects situations when asynchronous tasks are blocked in Airflow triggerers. If a trigger's execution is blocked for more than five minutes, Cloud Composer restarts the triggerer, which solves this transient issue.

(Cloud Composer 3) Key Access Justifications now works correctly for Customer Managed Encryption Keys (CMEK).

The bucket synchronization process doesn't fail if the /plugins folder isn't available in the environment's bucket.

(Cloud Composer 3) It's now possible to override the default scopes of access tokens. Before the fix, the scope always defaulted to https://www.googleapis.com/auth/cloud-platform and https://www.googleapis.com/auth/userinfo.email. This resulted in authentication failures when accessing non-Google Cloud services.

The change is gradually rolled out to the following regions: africa-south1, asia-south2, australia-southeast2, europe-north2, europe-west3, europe-west10, europe-west12, northamerica-south1, southamerica-west1, us-east7, and us-south1. It will be rolled out to more regions in future releases.

New Airflow builds are available in Cloud Composer 3:

  • composer-3-airflow-2.10.5-build.0
  • composer-3-airflow-2.10.2-build.13 (default)
  • composer-3-airflow-2.9.3-build.20

New images are available in Cloud Composer 2:

  • composer-2.12.1-airflow-2.10.5
  • composer-2.12.1-airflow-2.10.2 (default)
  • composer-2.12.1-airflow-2.9.3

Support dates for previous Cloud Composer 3 builds are available. All Cloud Composer 3 builds with Airflow 2.10.2 are supported until April 17, 2026.

Cloud Logging

In the Logs Explorer, you can now view the most frequently occurring fields and values in the JSON payload of your logs. For more information, see the Fields pane documentation.

Cloud Storage Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.137-debian10, 2.0.137-rocky8, 2.0.137-ubuntu18
  • 2.1.85-debian11, 2.1.85-rocky8, 2.1.85-ubuntu20, 2.1.85-ubuntu20-arm
  • 2.2.53-debian12, 2.2.53-rocky9, 2.2.53-ubuntu22

Dataproc on Compute Engine: The Spark BigQuery connector has been upgraded to version 0.34.1 in the latest 2.2 image version.

Fixed a bug in which Jupyter fails to restart upon cluster restart on Personal Authentication clusters.

Filestore

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Filestore resources. For more information, see Creating custom constraints for Filestore.

Generative AI on Vertex AI

Gemini 2.5 Flash with thinking and other well-rounded capabilities is now available in Preview.

Google Cloud Architecture Center

(New guide) Oracle E‑Business Suite with Oracle Database on Compute Engine VMs: Shows how to build the infrastructure to run Oracle E‑Business Suite applications with Oracle Database on Compute Engine VMs in Google Cloud.

Google Kubernetes Engine

GKE Inference Gateway is now available to significantly improve the performance, efficiency, and observability of generative AI workloads on GKE.

GKE Inference Gateway provides:

  • Improved performance: AI serving tail latency is reduced, and AI serving throughput is increased through inference-optimized load balancing.
  • Efficient resource utilization: Enables dense multi-workload serving of multiple LoRA fine-tuned models on a shared accelerator, leading to higher GPU/TPU utilization.
  • Simplified operations: Features include model-aware routing, model-specific serving priority, and integrated AI Safety.
  • Enhanced observability: Golden signals of observability are provided for inference requests.

Google SecOps

Entity Context in Search

This feature enhances security investigations and incident response by letting users search for and view context events related to entities. It incorporates UDM entity context data to provide deeper insights into security incidents.

This feature is currently in Preview.

Google SecOps SIEM

Entity Context in Search

This feature enhances security investigations and incident response by letting users search for and view context events related to entities. It incorporates UDM entity context data to provide deeper insights into security incidents.

This feature is currently in Preview.

Looker Studio

Looker connector enhancements

You can now authorize the Looker connector to use the BigQuery OAuth credentials that you use with Looker, letting you view and interact with Looker Explores that use BigQuery data in Looker Studio. Learn more about how to authorize Looker data sources to use BigQuery OAuth credentials.

Resource Manager

Custom organization policies are now generally available for Filestore. For more information, see Creating custom constraints for Filestore.

Security Command Center

The discovery findings that Sensitive Data Protection generates in Security Command Center include recommended next steps. This improvement applies to the finding categories listed in Publish data profiles to Security Command Center.

Sensitive Data Protection

The discovery findings that Sensitive Data Protection generates in Security Command Center include recommended next steps. This improvement applies to the finding categories listed in Publish data profiles to Security Command Center.

April 16, 2025

Cloud Service Mesh

New troubleshooting tools for your service mesh are now available. You can get detailed error codes for your Istio resources and check the state of your mesh to identify and resolve configuration problems. Learn more about Resolving configuration issues and Understanding Feature State Conditions.

In-cluster Cloud Service Mesh 1.21 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Deep Learning VM Images

M129 release

  • Updated the Dataproc JupyterLab plugin to version 0.1.85.

Memorystore for Valkey

You can now create Memorystore for Valkey instances with the Cluster Mode Disabled configuration. This configuration is in addition to the Cluster Mode Enabled configuration that we already support. The Cluster Mode Disabled feature is available in Preview. For more information, see Enable and disable cluster mode.

Text-to-Speech

The polyglot voices feature is only supported in multi-regions.

Vertex AI

Persistent resources for custom training is generally available (GA) and supports rebooting.

Vertex AI Workbench

M129 release

The M129 release of Vertex AI Workbench instances includes the following:

  • Updated the Dataproc JupyterLab plugin to version 0.1.85.

April 15, 2025

Apigee Analytics

On April 15, 2025 we released an updated version of Apigee Analytics and the Apigee UI.

Starting with this release, the Analytics dashboards available in the Apigee Classic UI redirect to the comparable dashboards in Apigee UI in Cloud console. These dashboards are available exclusively in the Apigee UI in Cloud console going forward.

For information and usage instructions for the Analytics dashboards, see Apigee API Analytics overview.

Apigee UI

On April 15, 2025 we released an updated version of Apigee Analytics and the Apigee UI.

Starting with this release, the Analytics dashboards available in the Apigee Classic UI redirect to the comparable dashboards in Apigee UI in Cloud console. These dashboards are available exclusively in the Apigee UI in Cloud console going forward.

For information and usage instructions for the Analytics dashboards, see Apigee API Analytics overview.

Artifact Registry

Artifact Registry attachments are available in Preview for all repository formats. Attachments are artifacts that store metadata about a related artifact stored in Artifact Registry. To get started with attachments, see Store artifact metadata in attachments.

Gemini Code Assist

Fixed markdown rendering issues in chat for IntelliJ Gemini Code Assist.

Google SecOps

We are releasing updated versions of the following premium parsers:

  • Crowdstrike Detection Monitoring (CS_DETECTS)
  • Crowdstrike Falcon (CS_EDR)
  • Microsoft Defender for Endpoint

These updates include significant improvements to parser mappings. For a detailed list of all mapping changes, contact your Google SecOps representative.

The new versions will remain in an extended Release Candidate period through the end of May 2025. We recommend that you opt-in early and make any necessary adjustments before these updates become the default.

Google SecOps SIEM

We are releasing updated versions of the following premium parsers:

  • Crowdstrike Detection Monitoring (CS_DETECTS)
  • Crowdstrike Falcon (CS_EDR)
  • Microsoft Defender for Endpoint

These updates include significant improvements to parser mappings. For a detailed list of all mapping changes, contact your Google SecOps representative.

The new versions will remain in an extended Release Candidate period through the end of May 2025. We recommend that you opt-in early and make any necessary adjustments before these updates become the default.

Secure Source Manager

Regional endpoints are now available in Secure Source Manager. For more information, see Configure data locality by using regional endpoints.

April 14, 2025

Apigee X

On April 14, 2025 we released an updated version of Apigee.

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

Apigee hybrid

hybrid 1.11.2-hotfix.3

On April 14, 2025 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.3.

Apply this hotfix with the following steps:

  1. In your overrides file, update the image.url and image.tag properties of ao and runtime:

    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.11.2-hotfix.3"
    
  2. Install the hotfix release:

    • For Helm-managed releases, update the apigee-env chart with the helm upgrade command and your current overrides files:

      For each environment in your Apigee org:

      helm upgrade ENV_RELEASE_NAME apigee-env/ \
        --namespace APIGEE_NAMESPACE \
        --set env=ENV_NAME \
        --atomic \
        -f OVERRIDES_FILE 
      
      • ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the apigee-env chart. This name must be unique from the other Helm release names in your installation. Usually this is the same as ENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for example dev-env-release and dev-envgroup-release. For more information on releases in Helm, see Three big concepts in the Helm documentation.
      • APIGEE_NAMESPACE is your installation's namespace. The default is apigee.
      • ENV_NAME is the name of the environment you are upgrading.
      • OVERRIDES_FILE is your edited overrides file.
    • For apigeectl-managed releases:

      1. Install the hotfix release with apigeectl init using your updated overrides file:

        ${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client 
        

        Followed by:

        ${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE 
        
      2. Apply the hotfix release with apigeectl apply:

        ${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs --dry-run=client 
        

        Followed by:

        ${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs
        

Stricter class instantiation checks included in this release.

JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.

In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.

To test your installation, follow the procedure in Validate policies after upgrade to 1.11.2-hotfix.3 to validate policy behavior.

Bug ID Description
382967738 Fixed a vulnerability in PythonScript policy.

On April 14, 2025 we released an updated version of Apigee.

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, and Feed APIs.

  • Eventarc
    • eventarc.googleapis.com/Channel
    • eventarc.googleapis.com/ChannelConnection

Container Optimized OS

cos-dev-125-18986-0-0

Kernel Docker Containerd GPU Drivers
COS-6.6.86 v27.5.1 v2.0.4 See List

Updated app-containers/containerd to v2.0.4.

Updated the Linux kernel to v6.6.86.

Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.

Upgraded app-admin/google-guest-agent to v20250331.00.

Upgraded app-admin/google-guest-configs to v20250328.00.

Upgraded app-containers/docker-credential-helpers to v0.9.3.

Fixed EINTR error in app-container/cni-plugins.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r662.

Upgraded chromeos-base/shill-client to v0.0.1-r4848.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2966.

Upgraded sys-apps/dbus to v1.14.10-r196.

Upgraded chromeos-base/google-breakpad to v2025.04.01.213855-r235.

Upgraded chromeos-base/debugd-client to v0.0.1-r2731.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2827.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2478.

Upgraded chromeos-base/minijail to v18-r164.

Upgraded sys-apps/diffutils to v3.11-r2.

Upgraded net-nds/rpcbind to v1.2.7.

Upgraded net-misc/rsync to v3.4.1.

Upgraded dev-libs/nss to v3.110.

Upgraded sys-libs/libseccomp to v2.6.0-r2.

Upgraded dev-libs/expat to v2.7.1.

Upgraded app-arch/unzip to v6.0_p29.

Runtime sysctl changes:

  • Changed: fs.file-max: 811816 -> 811798

cos-121-18867-0-94

Kernel Docker Containerd GPU Drivers
COS-6.6.74 v27.5.1 v2.0.4 See List

Updated app-containers/containerd to v2.0.4.

Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.

Fixed EINTR error in app-container/cni-plugins.

Upgraded sys-apps/diffutils to v3.11-r2.

Fixed CVE-2024-58083 in the Linux kernel.

Fixed CVE-2025-21999 in the Linux kernel.

Fixed CVE-2025-21887 in the Linux kernel.

Fixed CVE-2025-21867 in the Linux kernel.

Fixed CVE-2024-58070 in the Linux kernel.

Fixed CVE-2025-21853 in the Linux kernel.

Fixed CVE-2025-21763 in the Linux kernel.

Fixed CVE-2025-21762 in the Linux kernel.

Fixed CVE-2025-21764 in the Linux kernel.

Fixed CVE-2025-21759 in the Linux kernel.

Fixed CVE-2025-21760 in the Linux kernel.

Fixed CVE-2025-21726 in the Linux kernel.

Fixed CVE-2025-21796 in the Linux kernel.

Fixed CVE-2024-50138 in the Linux kernel.

Fixed KCTF-0c3057a in the Linux kernel.

Fixed CVE-2024-57979 in the Linux kernel.

Fixed CVE-2025-21727 in the Linux kernel.

Fixed CVE-2025-21812 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811827 -> 811714

cos-117-18613-164-109

Kernel Docker Containerd GPU Drivers
COS-6.6.72 v24.0.9 v1.7.24 See List

Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.

Upgraded sys-apps/diffutils to v3.11-r2.

Upgraded dev-libs/libusb to v1.0.28.

Fixed CVE-2025-21999 in the Linux kernel.

Fixed CVE-2025-21887 in the Linux kernel.

Fixed CVE-2025-21867 in the Linux kernel.

Fixed CVE-2024-58083 in the Linux kernel.

Fixed CVE-2024-58070 in the Linux kernel.

Fixed CVE-2025-21853 in the Linux kernel.

Fixed CVE-2025-21763 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811785 -> 811760

cos-113-18244-291-102

Kernel Docker Containerd GPU Drivers
COS-6.1.123 v24.0.9 v1.7.24 See List

Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.

Upgraded sys-apps/diffutils to v3.11-r2.

Upgraded dev-libs/libusb to v1.0.28.

Fixed CVE-2025-22868 in dev-go/oauth2.

Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.

Fixed KCTF-0c3057a in the Linux kernel.

Fixed CVE-2024-35866 in the Linux kernel.

Fixed CVE-2025-21999 in the Linux kernel.

Fixed CVE-2024-58083 in the Linux kernel.

Fixed CVE-2025-21887 in the Linux kernel.

Fixed CVE-2025-21867 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812050 -> 812031

cos-109-17800-436-99

Kernel Docker Containerd GPU Drivers
COS-6.1.124 v24.0.9 v1.7.24 See List

Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.

Upgraded net-firewall/iptables to v1.8.11-r1.

Upgraded dev-libs/libusb to v1.0.28.

Upgraded sys-apps/diffutils to v3.11-r2.

Fixed CVE-2025-22868 in dev-go/oauth2.

Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.

Fixed CVE-2024-35866 in the Linux kernel.

Fixed KCTF-0c3057a in the Linux kernel.

Fixed CVE-2024-58083 in the Linux kernel.

Fixed CVE-2025-21887 in the Linux kernel.

Fixed CVE-2025-21867 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812258 -> 812288

Dataplex Google Cloud Contact Center as a Service

Headless web SDK 3.6.4 is released

Headless web SDK 3.6.4 fixes a problem where the virtual agent was sending multiple repeated messages to end-users in chat sessions.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.30.800-gke.66 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.30.800-gke.66 runs on Kubernetes v1.30.11-gke.500.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The following functional change was made in 1.30.800-gke.66:

  • Removed support in the Konnectivity server (konnectivity-server) for the following weak cryptographic cipher suites: TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256.

Fixed an issue that prevented user cluster upgrades when Dataplane V2 was explicitly configured with forward mode.

The 1.30.800-gke.66 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Distributed Cloud (software only) for bare metal

Release 1.30.800-gke.66

Google Distributed Cloud for bare metal 1.30.800-gke.66 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.800-gke.66 runs on Kubernetes v1.30.11-gke.500.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The following functional change was made in 1.30.800-gke.66:

  • Updated the cluster upgrade operation to keep only the three latest kubeadm backups of etcd and configuration information for a node. Previously, kubeadm kept node backups for every attempted upgrade.

The following issues are fixed in 1.30.800-gke.66:

  • Fixed an issue that resulted in an excessive creation of periodic kube-proxy-cleanup jobs on cluster nodes with high pod utilization.

  • Fixed an issue that caused cluster creation to fail because kubelet restarted before required static pods were running.

  • Fixed an issue that allowed bmctl reset to run in situations where the reset resulted in the loss of quorum for control plane nodes. To run the command without enforcing the quorum, use the newly added --bypass-quorum-check flag.

The 1.30.800-gke.66 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

1.49.0 (2025-04-07)

Features

SAP on Google Cloud

ABAP SDK for Google Cloud version 1.10 (On-premises or any cloud edition)

Version 1.10 of the on-premises or any cloud edition of the ABAP SDK for Google Cloud is generally available (GA). In addition to offering expanded support for more than 294 Google Cloud APIs and a few other enhancements, this version introduces the BigQuery AI and ML SDK for ABAP, Business Eventing Toolkit, and the ability to use Cloud Storage as a content repository for SAP.

For more information, see What's new with the on-premises or any cloud edition of the ABAP SDK for Google Cloud.

Spanner

End-to-end tracing is now generally available (GA). Spanner now supports end-to-end tracing, along with client-side tracing in the Node.js and Python client libraries, in addition to Java and Go. For more information, see Trace collection overview.

April 11, 2025

Access Transparency

Access Transparency supports Backup for GKE in the GA stage.

Agent Assist

Agent Assist offers a UI Connector with Salesforce to integrate with voice conversations.

Eventarc

For applicable events, if a context attribute value size limit is exceeded, you are notified through a publishing error (Eventarc Advanced), or attribute names for truncated values are listed in an extension attribute (Eventarc Standard). For more information, see Quotas and limits.

Google Cloud Architecture Center

(New guide) Harness CI/CD pipeline for RAG applications: Shows how to implement a continuous integration (CI) and continuous deployment (CD) pipeline for a retrieval-augmented generation (RAG) application in Google Cloud. The architecture uses CI/CD products from Harness to deploy containers to Cloud Run services.

SAP on Google Cloud

Use of Oracle Linux images provided by Compute Engine with Oracle Database

To run Oracle Database with SAP NetWeaver based applications on Google Cloud, SAP and Oracle have validated the use of the Oracle Linux images provided by Compute Engine.

For more information, see Supported operating systems.

Sensitive Data Protection

If you set InfoType.version to latest when including the MAC_ADDRESS infoType in your InspectConfig, Sensitive Data Protection will now include MAC_ADDRESS_LOCAL findings as type MAC_ADDRESS in the scan results.

You can still use the old functionality by setting InfoType.version to stable, by leaving InfoType.version unset when using the MAC_ADDRESS infoType, or by using the MAC_ADDRESS_UNIVERSAL infoType. In 30 days, the new functionality will be promoted to stable.

April 10, 2025

Apigee X

On April 10, 2025, we released an updated version of Apigee.

The Apigee Extension Processor is now generally available (GA).

The Apigee Extension Processor lets Apigee customers add API management capabilities to Google Cloud and third-party products and services exposed using Cloud Load Balancing. Select from a range of Apigee policies that enable you to:

  • Secure access to your workloads.
  • Apply quota enforcement to network traffic.
  • Manage Google access token and Google ID token injection to authenticate requests.
  • Support native protocols like gRPC, SSE, and HTTP/3.

For more information, see the Apigee Extension Processor overview.

Bigtable

The Cassandra-Bigtable proxy adapter, which lets you connect your Apache Cassandra-based applications to Bigtable, is available in Preview.

The Bigtable Kafka sink, which lets you directly connect Apache Kafka and Google Cloud Managed Service for Apache Kafka, is now generally available (GA).

Generative AI on Vertex AI

Managed APIs for Llama 4 Maverick and Scout are in Preview on Vertex AI. For more information, see the Llama 4 model card.

Google Cloud Architecture Center

Design an optimal storage strategy for your cloud workload: Added guidance about Google Cloud Managed Lustre.

Looker Studio

The following partner connectors have been added to the Looker Studio Connector Gallery:

Virtual Private Cloud

When you create a Private Service Connect endpoint to connect to a regional endpoint of a supported service, you can use the public hostname in your configuration—for example, spanner.me-central2.rep.googleapis.com.

April 09, 2025

AlloyDB Omni

AlloyDB Omni is in General Availability on the Aiven Platform. Aiven provides managed AlloyDB Omni as a service on multiple public clouds. For more information, see Store your data on any major cloud.

The alloydb_scann extension is updated to include the following vector search improvements. These features are generally available (GA):

  • Inline filtering enables the execution of vector search and filter evaluation through the combined use of vector and secondary indexes. For more information, see "Inline filtering" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can let AlloyDB automatically create multiple parallel workers during index creation when the dataset grows, leading to faster build times. For more information, see "Build indexes in parallel" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • A distribution histogram is available in the pg_stat_ann_indexes view, which helps you understand the distribution of vectors between partitions of your ScaNN index. For more information, including recommendations about tuning the distributionpercentile metric, see "Tuning metrics" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can use a query recall evaluator to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results for different vector indexes. For more information, see "Measure vector query recall" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.

The alloydb_scann extension is updated to include the following vector search improvements in Preview:

  • You can enable auto-maintenance for your ScaNN index and let AlloyDB incrementally manage the index so that when your dataset grows, AlloyDB splits large outlier partitions and tries to provide better QPS and search results. For more information, see "Maintain indexes automatically" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • Adaptive filtering for ScaNN significantly improves the speed of filtered vector searches. Adaptive filtering automatically selects the most efficient filtering method at runtime. For more information, see "Filtered vector search" and "Adaptive filtering" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can enable index auto maintenance and adaptive inline filtering together using the scann.enable_preview_features Grand Unified Configuration (GUC) parameter. For more information, see "AlloyDB flags" for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

AlloyDB for PostgreSQL

AlloyDB for PostgreSQL supports a 1 virtual central processing unit (vCPU) configuration with 8GB of memory, which is suitable for development and sandbox environments. For information about 1 vCPU supported regions and limitations, see Considerations when using 1 vCPU. This feature is in Preview.

AlloyDB supports AI-assisted troubleshooting that helps you resolve complex database performance issues like slow queries and high load. AI-assisted troubleshooting is available in Preview.

AlloyDB AI query engine, which builds on model endpoint management and adds support for AI operators and Vertex AI multimodal and ranking models, is available in Preview. You can combine natural language phrases with SQL queries, using operators like ai.if() for filters and joins, ai.rank() for ordering using ranking models, and ai.generate() for generating summaries of your data, and you can generate multimodal embeddings.

The alloydb_scann extension is updated to include the following vector search improvements. These features are generally available (GA):

  • Inline filtering enables the execution of vector search and filter evaluation through the combined use of vector and secondary indexes. For more information, see "Inline filtering" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can let AlloyDB automatically create multiple parallel workers during index creation when the dataset grows, leading to faster build times. For more information, see "Build indexes in parallel" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • A distribution histogram is available in the pg_stat_ann_indexes view, which helps you understand the distribution of vectors between partitions of your ScaNN index. For more information, including recommendations about tuning the distributionpercentile metric, see "Tuning metrics" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can use a query recall evaluator to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results for different vector indexes. For more information, see "Measure vector query recall" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.

The alloydb_scann extension is updated to include the following vector search improvements in Preview:

  • You can enable auto-maintenance for your ScaNN index and let AlloyDB incrementally manage the index so that when your dataset grows, AlloyDB splits large outlier partitions and tries to provide better QPS and search results. For more information, see "Maintain indexes automatically" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • Adaptive filtering for ScaNN significantly improves the speed of filtered vector searches. Adaptive filtering automatically selects the most efficient filtering method at runtime. For more information, see "Filtered vector search" and "Adaptive filtering" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

  • You can enable index auto maintenance and adaptive inline filtering together using the scann.enable_preview_features Grand Unified Configuration (GUC) parameter. For more information, see "AlloyDB flags" for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.

AlloyDB for PostgreSQL supports parameterized secure views, which provide a secure interface for application developers by improving data security and row access control while using SQL. This feature is in Preview. For more information, see Parameterized secure views overview.

AlloyDB AI natural language (Preview) delivers secure and accurate responses for application end user natural language questions. For more information, see AlloyDB AI natural language overview.

AlloyDB supports C4A Arm VMs on Google's custom-built Axion processors. C4A VMs are available as predefined configurations with 1, 4, 8, 16, 32, 48, 64, and 72 vCPUs, and up to 576 GB of DDR5 memory. C4A machines are available in limited regions. This feature is in Preview. For more information, see Considerations when using the 1 vCPU machine type.

AlloyDB now supports managed connection pooling in Preview. You can use managed connection pooling on your instances to improve the reliability, scalability, and performance of your workloads by optimizing resource utilization. For more information, see Configure managed connection pooling.

Anti Money Laundering AI

A bug was identified that can occasionally lead to parties appearing multiple times in prediction results. For engine versions v004.005 and later, this can also impact risk scores.

As of April 09, 2025, this bug has been fixed in-place for all existing engine versions in major version v004.004 and later.

Google recommends checking the risk scores output generated prior to this fix, or with engine versions that have not been fixed.

  • For impacted engine versions within major versions v003.000, v004.002 or v004.004: Check whether the same party_id occurs multiple times in predictions output for a given risk_period_end_time. If so, remove these duplicate rows. The risk scores themselves are not affected.
  • For impacted engine versions within major version v004.005 or later: Re-run prediction results. Risk scores might have been impacted for this run.
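
The two checks above can be scripted over exported prediction rows. The following is an added example, not code from Google or the AML AI documentation; the row field risk_score, the vNNN.NNN token in the engine version string, and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Major versions for which the release note says duplicates can simply be
# removed because the risk scores themselves are not affected.
DEDUP_ONLY_MAJORS = {(3, 0), (4, 2), (4, 4)}
# From this major version on, the note says to re-run predictions.
RERUN_FROM_MAJOR = (4, 5)


def major_version(engine_version):
    """Extract (major, minor) from a 'vNNN.NNN' token (assumed naming scheme)."""
    match = re.search(r"v(\d{3})\.(\d{3})", engine_version)
    if not match:
        raise ValueError(f"no vNNN.NNN major version in {engine_version!r}")
    return int(match.group(1)), int(match.group(2))


def duplicate_groups(rows):
    """Group rows by (party_id, risk_period_end_time); keep groups with >1 row."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["party_id"], row["risk_period_end_time"])].append(row)
    return {key: grp for key, grp in groups.items() if len(grp) > 1}


def triage(engine_version, rows):
    """Return the action the release note implies for one prediction run.

    action is one of:
      none        - no party appears twice for the same risk period
      deduplicate - duplicates removed, scores unaffected (rows are cleaned)
      rerun       - scores might be impacted, prediction must be re-run
      review      - duplicates found but the case is not covered by the note
    """
    dups = duplicate_groups(rows)
    result = {"action": "none", "duplicates": sorted(dups), "rows": list(rows)}
    if not dups:
        return result

    major = major_version(engine_version)
    if major >= RERUN_FROM_MAJOR:
        result["action"] = "rerun"
        return result

    if major in DEDUP_ONLY_MAJORS:
        # Scores should be identical across duplicates for these versions.
        # If they are not, do not silently pick one: escalate instead.
        conflicting = sorted(
            key for key, grp in dups.items()
            if len({r["risk_score"] for r in grp}) > 1
        )
        if conflicting:
            result["action"] = "review"
            result["conflicting"] = conflicting
            return result
        seen, deduped = set(), []
        for row in rows:
            key = (row["party_id"], row["risk_period_end_time"])
            if key not in seen:
                seen.add(key)
                deduped.append(row)
        result["action"] = "deduplicate"
        result["rows"] = deduped
        return result

    result["action"] = "review"  # version not listed in the release note
    return result


# Constructed sample rows: P2 appears twice for the January risk period.
SAMPLE_ROWS = [
    {"party_id": "P1", "risk_period_end_time": "2025-01-31T00:00:00Z", "risk_score": 0.12},
    {"party_id": "P2", "risk_period_end_time": "2025-01-31T00:00:00Z", "risk_score": 0.87},
    {"party_id": "P2", "risk_period_end_time": "2025-01-31T00:00:00Z", "risk_score": 0.87},
    {"party_id": "P2", "risk_period_end_time": "2025-02-28T00:00:00Z", "risk_score": 0.80},
]

if __name__ == "__main__":
    for version in ("constructed-engine.v004.004.000", "constructed-engine.v004.005.000"):
        outcome = triage(version, SAMPLE_ROWS)
        print(version, outcome["action"], len(outcome["rows"]))
```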

App Hub

Gemini Cloud Assist in App Hub is supported in Preview. You can use the chat panel to retrieve information about your application in your app-enabled folder with Gemini assistance.

Artifact Registry

Gemini Cloud Assist for Artifact Registry is in Preview. You can learn about your container images with Gemini assistance.

To learn more, read the Gemini Cloud Assist overview.

BigQuery

Updated pricing, packaging, and setup guidance is now available for Gemini in BigQuery.

You can now combine raster and vector data with the ST_REGIONSTATS geography function to perform geospatial analysis in BigQuery. For more information, see Work with raster data and try the tutorial that shows you how to use raster data to analyze global temperature by country. This feature is in preview.

You can now use the Apache Arrow format to stream data to BigQuery with the Storage Write API. This feature is available in preview.

Analytics Hub has been renamed BigQuery sharing. You'll see this new name in the documentation set and the marketing collateral. The product functionality and endpoints remain the same. For more information, see Introduction to data governance in BigQuery.

Dataplex Catalog has been renamed BigQuery universal catalog. You'll see this new name in the product page of the Google Cloud console, the documentation set, and the marketing collateral. Universal catalog brings together the data catalog capabilities of Dataplex Catalog and the runtime metastore capabilities of BigQuery metastore. For more information, see Introduction to data governance in BigQuery.

Bigtable

Continuous materialized views for Bigtable are available in Preview.

SQL support for Bigtable is generally available (GA), including an UNPACK feature that lets you read time series data in a tabular format.

Logical views of Bigtable tables are available in Preview.

The Bigtable Studio query editor is generally available (GA).

Cloud Composer

The Airflow web server in Cloud Composer 3 requires at least 2 GB of memory when an environment is created or updated. This might lead to longer operation times or failures to perform these operations.

As a workaround, when you create a new Cloud Composer 3 environment or upgrade an existing environment, provide at least 2 GB of memory (default value) to the Airflow web server.

Cloud Database Migration Service

Gemini-powered auto-conversion is now available in Preview for all heterogeneous migration scenarios. You can use code and schema conversion enhancements automatically provided by Gemini to significantly reduce the time and complexity of your database migrations.

For more information about auto-conversion and other AI conversion features, such as conversion assistant or pattern matching, see Accelerate code and schema conversion with Gemini.

Database Migration Service support for heterogeneous SQL Server to PostgreSQL migrations is now available in Preview.

For more information, see:

Cloud Interconnect

Cross-Site Interconnect is available in Preview.

Cross-Site Interconnect is a new feature of Cloud Interconnect that helps you establish reliable, high-bandwidth Layer 2 connectivity between your on-premises network sites.

When you order Cross-Site Interconnect wires, Google provisions a transparent Layer 2 overlay over its global network between your two Cross-Site Interconnect locations.

For more information, see the Cross-Site Interconnect overview.

Cloud Key Management Service

To help you get the right Cloud KMS keys on-demand, for consistent alignment with recommended encryption practices, Cloud KMS Autokey now has a free tier. The free tier covers the following usage:

  • 100 free active key versions monthly
  • 10,000 free cryptographic operations monthly

The free tier only applies to keys created using Cloud KMS Autokey. Key administration operations including key rotation are always free. For more details, see Cloud Key Management Service pricing.

Cloud Monitoring

Application Monitoring lets you monitor the resources and infrastructure from the perspective of an App Hub application. The out-of-the-box (OOTB) dashboards generated for your application display log, metric, and incident data. These dashboards can help you understand how your application's resources are performing, and they can help you to diagnose issues. This feature is in Public Preview.

Application Monitoring now supports app-enabled folders and App Hub host projects. For app-enabled folders, the metrics scope of the management project is automatically synchronized with the list of projects in the folder, provided quota is available. This feature is in Public Preview.

Cloud Run

Gemini Cloud Assist in Cloud Run is supported in Preview. You can use the chat panel to design, optimize, and troubleshoot your Cloud Run apps with Gemini assistance.

Cloud SQL for MySQL

Cloud SQL Enterprise Plus edition now supports a new machine series called the C4A machine series, which provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. C4A uses a new type of storage called Hyperdisk Balanced, and offers up to 72 vCPUs and up to 576 GB memory. The C4A machine series is available in Preview.

For more information about the C4A machine series and its availability, see Machine series overview.

Query insights for Cloud SQL Enterprise Plus edition is now generally available (GA) for your Cloud SQL Enterprise Plus edition for MySQL instances. Query insights for Cloud SQL Enterprise Plus edition offers fine-grained metrics such as wait events and granular query plan samples for faster root-cause analysis and intelligent index recommendations.

For more information, see Use query insights to improve query performance.

Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting. With AI-assisted troubleshooting, you can resolve complex database performance issues like slow queries and high load for your instances in a guided manner. To use AI-assisted troubleshooting, you need Gemini Cloud Assist and query insights for Enterprise Plus edition. AI-assisted troubleshooting is available in Preview.

Cloud SQL for PostgreSQL

Cloud SQL Enterprise Plus edition now supports a new machine series called the C4A machine series, which provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. C4A uses a new type of storage called Hyperdisk Balanced, and offers up to 72 vCPUs and up to 576 GB memory. The C4A machine series is available in Preview.

For more information about the C4A machine series and its availability, see Machine series overview.

Query insights for Cloud SQL Enterprise Plus edition is now generally available (GA) for your Cloud SQL Enterprise Plus edition for PostgreSQL instances. Query insights for Cloud SQL Enterprise Plus edition offers fine-grained metrics such as wait events and granular query plan samples for faster root-cause analysis and intelligent index recommendations.

For more information, see Use query insights to improve query performance.

Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting. With AI-assisted troubleshooting, you can resolve complex database performance issues like slow queries and high load for your instances in a guided manner. To use AI-assisted troubleshooting, you need Gemini Cloud Assist and query insights for Enterprise Plus edition. AI-assisted troubleshooting is available in Preview.

Cloud SQL for SQL Server

Query insights for Cloud SQL Enterprise edition and Cloud SQL Enterprise Plus edition is now generally available (GA) for Cloud SQL for SQL Server. You can also now view the query details, query plans, and statistical query execution charts for your top queries.

For more information, see Use query insights to improve query performance.

Data Catalog

Dataplex Catalog has been renamed BigQuery universal catalog.

Database Center

Database Center is generally available (GA). Database Center is an AI-assisted dashboard that gives you a centralized view across your database fleet. You can view database fleet health issues and recommendations, and you can ask questions about database fleet health issues, including availability configuration, data protection, security, and industry compliance. For more information, see Database Center overview.

Additional supported health issues are available in Database Center. Database Center detects health issues in multiple database products to help you maintain and troubleshoot your database fleet. For more information, see Supported health issues in the Database Center documentation.

You can view incidents and alerting policies in Database Center. Use incidents to be notified when a metric specific to a resource is more or less than a threshold value. Use an alerting policy to create incidents to help you monitor your database fleet resources. For more information, see Monitor your database fleet with alerting policies.

You can create a customized dashboard view that shows only the health issues in your database fleet that you want to see. A dashboard view can be for only you, or it can be shared with other users who have access to your Google Cloud project. For more information, see Create customized dashboard views.

Database Center is integrated with VPC Service Controls to secure data and resources. Use VPC Service Controls to create service perimeters that protect the resources in your database fleet and data of services that you explicitly specify. For more information, see Configure VPC Service Controls.

When you enable Gemini, the following performance recommendations and insights are available in Database Center:

  • Inefficient query/index advisor for Cloud SQL
  • Analyze option for high resource utilization health recommendation for Cloud SQL and AlloyDB.

For more information, see Supported health issues.

To use Gemini chat, you must open a Google Cloud project. Use Gemini chat to learn more about database fleet health issues in Database Center. For more information, see Use Gemini chat.

Dataplex

Dataplex Catalog has been renamed BigQuery universal catalog. You'll see this new name in the product page of the Google Cloud console, the documentation set, and the marketing collateral. Universal catalog brings together the data catalog capabilities of Dataplex Catalog and the runtime metastore capabilities of BigQuery metastore. For more information, see Introduction to data governance in BigQuery.

Dataproc

Dataproc Serverless for Spark: Gemini Cloud Assist Investigations is available in Preview for the following runtimes:

  • 1.1
  • 1.2
  • 2.2

Datastream

The Datastream API now supports streaming data to BigLake managed tables. For more information, see Stream data to BigLake managed tables (BLMT).

Developer Connect

You can now use account connectors to connect your Google Cloud account with individual accounts on supported non-Google Developer Tools providers. This feature is in Preview.

Firestore

You can now use Query insights to view query performance metrics for your database. This feature is in Preview.

Firestore is now available on Database Center. You can track your Firestore resources in the fleet inventory section and the resource table in the Database Center. You can also use Database Center to monitor the following health issues for your Firestore resources:

  • No automated backup policy
  • No point-in-time recovery

For more information about Database Center, see Database Center overview. For more information about health issues supported for Firestore, see Supported health issues.

Firestore in Datastore mode

You can now use Query insights to view query performance metrics for your database. This feature is in Preview.

Gemini Code Assist

Gemini Code Assist tools are in Preview. You can use tools to access external services from your IDE. To learn more about tools, see the Gemini Code Assist Tools overview.

Generative AI on Vertex AI

Agent Development Kit (ADK) is now available in Preview. For more information, see Agent Development Kit.

Vertex AI Agent Engine

The following features are now available for Vertex AI Agent Engine in Preview:

The following features are now generally available for Vertex AI Agent Engine:

Gemini Live API is now available as a public preview offering and has been updated with the following features:

  • Support for responses in 8 voices and 31 languages using Chirp 3
  • Updated UI support in Vertex AI Studio
  • Expanded conversation session window
  • Ability to extend conversation sessions
  • Support to share your current screen with Gemini during conversations
  • Transcription support for audio in and audio out
  • Support to change or update the system instructions mid-session

For more information, see Gemini 2.0 Flash Live API.

Agent Garden is now available in Preview. For more information, see Vertex AI Agent Builder overview or go directly to Agent Garden in the Cloud Console.

Gemini 2.5 Pro is now available as a public preview offering.

For more information, see Gemini 2.5 Pro.

Vertex AI Agent Builder now refers to a suite of features for building and deploying AI agents in Vertex AI. For more information, see Vertex AI Agent Builder overview.

The original Vertex AI Agent Builder product has been renamed AI Applications. The product functionality and endpoints remain the same. For more information, see What is AI Applications?.

Grounding: Grounding with Google Maps is now available as a Public Experimental feature. For more information, see Grounding with Google Maps.

Grounding: Web Grounding for Enterprise is now generally available. For more information, see Web Grounding for Enterprise.

Google Cloud Architecture Center

Design storage for AI and ML workloads in Google Cloud: Updated to include Cloud Storage FUSE, Anywhere Cache, Hyperdisk ML, and Google Cloud Managed Lustre.

(New guide) Optimize AI and ML workloads with Cloud Storage FUSE: Learn how to optimize performance for AI and ML workloads on Google Kubernetes Engine (GKE) by using Cloud Storage FUSE.

Google Cloud Contact Center as a Service

Web SDK 2.24.4 patch is released

This patch fixes a cross-site scripting vulnerability.

Looker

Looker 25.6 is expected to include the following changes, features, and fixes:

  • Expected Looker (original) deployment start: Monday, April 14, 2025

  • Expected Looker (original) final deployment and download available: Thursday, April 24, 2025

  • Expected Looker (Google Cloud core) deployment start: Monday, April 14, 2025

  • Expected Looker (Google Cloud core) final deployment: Monday, April 28, 2025

In the Chart Config Editor, you can save a configuration as a template so that you can reuse it in other visualizations or share it as a starting point for other users.

The classification for the version, versions, and page_events API endpoints has been changed from "Admin" to "N/A" in System Activity queries. These endpoints no longer count toward Admin API endpoint quotas.

The Druid JDBC driver has been updated from 1.22.0 to 1.25.0.

The Athena JDBC driver has been updated from 2.0.35.1000 to 2.1.5.1000.

The Dremio JDBC driver has been updated from 4.5.0 to 25.2.0.

The Spark Databricks JDBC driver has been updated from 2.6.34 to 2.7.1.

The Exasol JDBC driver has been updated from 6.2.3 to 24.2.1.

The Denodo JDBC driver has been updated from 8.8.0 to 9.1.3.

The Trino JDBC driver has been updated from 402 to 468.

Looker now supports key-pair authentication for Snowflake connections. Note: This feature is available only in Looker 25.6.17 and later.

An issue has been fixed where an Action Hub query could finish with a complete status even if the query failed. This feature now performs as expected.

An issue has been fixed where sorting on a table visualization could fail to retrieve cached results, even if cached results were available for the query. This feature now performs as expected.

An issue has been fixed where a dashboard tile could appear to load indefinitely if a user didn't have permission to the model. This feature now performs as expected.

The file browser in the Looker IDE can now display files nested in 21 or fewer folders. The previous limit was 6.

An issue has been fixed where certain LookML validation errors could prevent Looker from successfully retrieving a list of models on the instance. This feature now performs as expected.

If a user doesn't have an email address associated with their Looker account, the schedule dialog will not display the Send Test button.

An issue has been fixed where an empty manifest file could cause the LookML Validator to display an error. This feature now performs as expected.

An issue has been fixed where changing the subtotal column sort on dashboard tiles wouldn't properly update the sort order. This feature now performs as expected.

An issue has been fixed where schedules to SFTP destinations could time out because of long SSH key generation times. This feature now performs as expected.

An issue has been fixed where an embedded folder could still be loading content but not display a loading indicator. This feature now performs as expected.

When uploading a JSON database authentication file to a connection, Looker now requires the file to be configured with the service_account type.

An issue has been fixed where Looker would return a 500 error when it displayed a visualization with no results when the Grid Layout was set to By Row. This feature now performs as expected.

A new Labs feature, Fast Dev Mode Transition, improves the performance of Development Mode on your instance by loading LookML projects in read-only mode until a developer clicks the Create Developer Copy button for the project.

The New Database Connection Setup feature is now out of Labs and generally available. This feature updates the Add/Edit Connection page with a modernized UI, enhanced validation, connection testing capabilities, and a comprehensive configuration summary. If you want to revert to the legacy connections workflow, you can enable the Use Legacy Connections Page legacy toggle.

The Content Validator scoping feature is now generally available for customer-hosted Looker deployments (the feature is already available for Looker-hosted deployments). This feature lets developers scope the validation to specific LookML projects and a specific content folder (including its subfolders, if any). This can improve the performance of the Content Validator.

An issue has been fixed where embed users could save Looks to shared folders that they didn't have access to if the New Explore & Look Saving Labs feature was enabled. This feature now performs as expected.

Memorystore for Redis

Recommendations for Memorystore for Redis are now available at Database Center. With this release, Database Center displays health issues about the manageability and performance of Memorystore for Redis. This feature is in Preview. For more information, see Database Center overview and Database health issues.

Memorystore for Redis Cluster

Recommendations for Memorystore for Redis Cluster are now available at Database Center. With this release, Database Center displays health issues about the manageability and performance of Memorystore for Redis. This feature is in Preview. For more information, see Database Center overview and Database health issues.

Network Intelligence Center

Gemini Cloud Assist for Flow Analyzer is in Preview. You can generate SQL queries for VPC Flow Logs with Gemini assistance.

Security Command Center

Model Armor and GKE integration

Model Armor now enforces security policies uniformly on generative AI inference traffic using a traffic extension. This applies to all application load balancers, including Google Kubernetes Engine Inference Gateway. This feature is in Preview. For more information, see Integration with Google Kubernetes Engine.

IAM recommender findings are now available with project-level activations of Security Command Center.

Service Extensions

The Google Kubernetes Engine (GKE) Gateway supports using extensions to add custom logic into the load balancing processing path. For more information, see GKE extensions. This feature is in Preview.

You can configure Model Armor with Service Extensions to protect AI workloads on supported Application Load Balancers. For more information, see Callouts to Google services. This feature is in Preview.

Spanner

You can use Gemini assistance to help you use system insights to optimize and troubleshoot Spanner resources. For more information, see Optimize and troubleshoot with Gemini assistance.

Spanner offers Cassandra compatibility with API support and new migration tools allowing seamless lift-and-shift migrations of Cassandra applications. For more information, see Migrate from Cassandra to Spanner.

VPC Service Controls

General availability support for the following integration:

April 08, 2025

AlloyDB Omni

AlloyDB Omni version 16.3.0 is generally available (GA). Version 16.3.0 includes the following features and changes:

  • AlloyDB Omni supports PostgreSQL version 16.3.
  • Asynchronous I/O improves performance on systems with atomic writes for high concurrency Online Transaction Processing (OLTP) workloads. This feature is available in Preview.
  • You can upgrade your AlloyDB Omni PostgreSQL 15-based containers to AlloyDB Omni PostgreSQL 16 using pg_upgrade. For more information, see Upgrade to AlloyDB Omni version 16.3.0 on a VM.
  • AlloyDB Omni provides additional low-level logs (called "internal logs"), which are useful for debugging database issues. We recommend that you enable this feature to improve production observability.
  • Active Directory integration lets you use your Active Directory Server to authenticate users for accessing your AlloyDB Omni 16.3.0 databases. This feature is available in Preview. For more information, see Integrate Active Directory with AlloyDB Omni.
  • Multiple extensions are updated.
  • Multiple GUCs have been updated or added.
  • Security fixes for CVE-2024-7348 are implemented.
  • Various bug fixes.

AlloyDB Omni version 15.7.1 is generally available (GA). Version 15.7.1 includes the following features and changes:

  • AlloyDB Omni supports PostgreSQL version 15.7.
  • AlloyDB Omni provides additional low-level logs (called "internal logs"), which are useful for debugging database issues. We recommend that you enable this feature to improve production observability.
  • Multiple extensions are updated.
  • Multiple GUCs have been updated or added.
  • Security fixes for CVE-2024-7348 are implemented.
  • Bug fixes.

PostgreSQL Audit Extension (pgAudit) logging fix: In AlloyDB Omni 15.7.0, enabling the pgAudit extension together with the PostgreSQL logging_collector parameter might have resulted in audit log loss. This issue is fixed in AlloyDB Omni versions 15.7.1 and 16.3.0.

The AlloyDB Omni Kubernetes operator version 1.4.0 is generally available (GA). Version 1.4.0 includes the following new features and changes:

  • You can enable Active Directory integration on your Kubernetes-based AlloyDB Omni database cluster so that you can allow your existing Active Directory-based users to access your AlloyDB Omni database. This feature is available in Preview. For more information, see Integrate Active Directory with AlloyDB Omni on Kubernetes.
  • You can create backups in any cloud or on-premises object storage systems that are compatible with the Amazon S3 API. For more information, see Create backups to S3-compatible storage (AlloyDB Omni 15.7.1 and 16.3.0).
  • You can now access log files from sidecar containers.
  • You can manually upgrade your AlloyDB Omni 15 database clusters to AlloyDB Omni 16.3.0 using pg_upgrade. For more information, see Migrate to the latest version of AlloyDB Omni on Kubernetes.
  • Beginning with Kubernetes operator version 1.4.0, the alloydb_omni_instance_postgresql_wait_time_second_total metric is renamed to alloydb_omni_instance_postgresql_wait_time_us_total to reflect the correct unit of the metric value. If you are not already using microseconds (us) for your metric unit, your queries and dashboard calculations need to change to reflect the correct unit of this metric: seconds -> us. For more information, see Upgrade your AlloyDB Omni Kubernetes operator to version 1.4.0.
  • The PgBouncer connection pooler is generally available (GA). This release includes g-pgBouncer 1.4.0, which incorporates features and bug fixes from PgBouncer 1.24.0.
  • You can configure the monitoring dashboard on your Grafana operator to visualize metrics using the monitoring endpoint of the Kubernetes operator.
  • When the AlloyDB Omni Kubernetes Operator detects low disk space, the Kubernetes Operator reports a low disk space Critical Incident (CI) on the database cluster.
  • AlloyDB Omni provides internal logs for debugging database issues. We recommend that you enable this feature to improve production observability. See "Enable internal logging" for AlloyDB Omni 15.7.1 and 16.3.0 for details.
  • Disk cache metrics alloydb_omni_database_postgresql_chill_cache_get_entry_calls_total and alloydb_omni_database_postgresql_chill_cache_num_hits_total are exposed when you enable disk cache on AlloyDB Omni versions 15.7.1 and 16.3.0. These metrics are database container-level metrics. For more information, see AlloyDB Omni metrics (15.7.1 and 16.3.0).
  • Use alloydb_omni_instance_postgresql_version to get the current PostgreSQL major version. For more information, see "Database container-level metrics" for AlloyDB Omni 15.7.1 and 16.3.0.
  • Various bug fixes and performance improvements.

The Kubernetes 1.4.0 DBCluster might have a status of DBClusterReady even though its endpoint, which allows clients to connect, is not yet ready.

If you use mutating admission webhooks in your Kubernetes cluster, you might experience issues when you create database clusters and the webhooks conflict with the AlloyDB Omni Kubernetes Operator. Examples of mutating admission webhooks include LimitRanger and DefaultTolerationSeconds. When the conflict occurs, the database pod repeatedly switches between running and terminating. To work around this issue, disable these webhooks where you run your AlloyDB Omni database cluster.

Action required: You can access Kubernetes operator 1.4.0 high availability (HA) improvements for automatic setup, failover, and healing capabilities with AlloyDB Omni 15.7.1 and later. To access these features, see "Migrate to the latest version of AlloyDB Omni on Kubernetes" for AlloyDB Omni 15.7.1 and 16.3.0.

Bare Metal Solution

The command to connect to the interactive serial console of a server is changing on May 1, 2025.

Old command:

ssh -i SSH_KEY_ID -p 9600 PROJECT_ID.REGION.SERVER_NAME.USERNAME.bms=true@ssh-serialport.googleapis.com

New command:

ssh -i SSH_KEY_ID -p 9600 PROJECT_ID.REGION.SERVER_NAME.USERNAME.bms=true@REGION-ssh-serialport.googleapis.com

We recommend that you update your configurations by April 30, 2025 to avoid any disruptions. For instructions, see Configure serial console.

BigQuery

BigQuery ML now offers a built-in TimesFM univariate time series forecasting model that implements Google Research's open source TimesFM model. You can use BigQuery ML's built-in TimesFM model with the AI.FORECAST function to perform forecasting without having to create and train your own model. This lets you avoid the need for model management.

To try using a TimesFM model with the AI.FORECAST function, see Forecast a time series with a TimesFM univariate model.

This feature is in preview.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.2.52-debian12, 2.2.52-rocky9, 2.2.52-ubuntu22

Dataproc on Compute Engine: Fixed an issue with the retrieval of an Access token when using the ranger-gcs-plugin with 2.2 images.

Document AI

Previous Custom Extractor versions pretrained-foundation-model-v1.0-2023-08-22 and pretrained-foundation-model-v1.1-2024-03-12 will be deprecated on April 9, 2025. To ensure uninterrupted service, prediction traffic to these versions, including any fine-tuned variants, will be automatically redirected to the latest version, pretrained-foundation-model-v1.4-2025-02-05.

For guidance on how to fine-tune a new version, refer to the fine tuning documentation.

Google Cloud Architecture Center

(New guide) Oracle E-Business Suite with Oracle Exadata in Google Cloud: Shows how to build the infrastructure to run Oracle E-Business Suite applications with Oracle Cloud Infrastructure Exadata in Google Cloud.

Google Cloud Contact Center as a Service

Headless web SDK 3.6.3 is released

Headless web SDK 3.6.3 fixes a cross-site scripting vulnerability.

Google Kubernetes Engine

(2025-R14) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

Regular channel

There are no new releases in the Regular channel.

Stable channel

There are no new releases in the Stable channel.

Extended channel

No channel

Managed Lustre

Google Cloud Managed Lustre is now Generally Available (GA) with access by invitation.

Managed Lustre provides a fully managed parallel file system optimized for AI and HPC applications, with storage capacity up to 1 PB.

To request access to Managed Lustre in your Google Cloud project, contact your sales representative.

Resource Manager

Custom organization policies are now generally available for Identity-Aware Proxy. For more information, see Use custom organization policies.

Service Health

April 07, 2025

AI Applications

Vertex AI Search: Stream Google Cloud Storage buckets to data stores

In addition to one time and periodic imports from Cloud Storage, you can stream unstructured data from Cloud Storage into a data store. This lets you serve results from the bucket to your users in near real time.

Streaming must be set up at the bucket-level (not at the folder- or file-level), and the bucket may only contain unstructured data.

For general information about creating data stores, see Create a search data store.

Vertex AI Search: Grounded generation with the generateGroundedContent API

The generateGroundedContent API, which grounds your answers with your inline text, Vertex AI Search data store, and Google Search, is no longer available.

Instead, to generate grounded answers, Google recommends that you use the generally available groundContent API. You can either ground your answers with Google Search or with your own data. For more information, see Overview.

BigQuery

BigQuery data preparation is generally available (GA). It offers AI-powered suggestions from Gemini for data cleansing, transformation, and enrichment. BigQuery supports visual data preparation pipelines and pipeline scheduling with Dataform.

You can now create remote models in BigQuery ML based on Llama and Mistral AI models in Vertex AI.

Use the ML.GENERATE_TEXT function with these remote models to perform generative natural language tasks for text stored in BigQuery tables. Try this feature with the Generate text by using the ML.GENERATE_TEXT function tutorial.

This feature is generally available (GA).

An updated version of JDBC driver for BigQuery is now available.

Smart-tuning is now supported for materialized views when they are in the same project as one of their base tables, or when they are in the project running the query. This feature is generally available (GA).

BigQuery ML now uses dynamic token-based batching for embedding generation requests. Dynamic token-based batching puts as many rows as possible into one request. This change boosts per-request utilization and improves scalability for any queries per minute (QPM) quota. Actual performance varies based on the embedding content length, with an average 10x improvement.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.57.3 (2025-04-01)

Bug Fixes

2.57.2 (2025-03-31)

Bug Fixes

Cloud Composer

The GKE clusters of all Cloud Composer environments are set up with maintenance exclusions from March 27, 2025 to April 12, 2025. For more information, see Maintenance exclusions.

Cloud Run

Direct VPC egress support for Cloud Run jobs is now generally available (GA).

You can now configure Identity-Aware Proxy (IAP) for Cloud Run to secure your services with a single click from all ingress paths (in Preview).

Configuring GPU in your Cloud Run service is now generally available (GA).

Cloud SQL for SQL Server

Cloud SQL now supports the Enterprise Plus recommender. Based on your application workloads and resource utilization, the recommender helps you optimize performance by identifying SQL Server instances that might see performance improvements when upgraded to Cloud SQL Enterprise Plus edition.

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/storage

7.16.0 (2025-03-31)

Features

Config Connector

Config Connector version 1.130.2 is now available.

New Fields

New Alpha resources (direct reconciler)

  • ApphubApplication
  • BackupDRManagementServer
  • BackupDRBackupVault
  • BackupDRBackupPlan
  • BackupDRBackupPlanAssociation
  • BatchJob
  • BigLakeTable
  • BigQueryReservation
  • CodeDeployDeliveryPipeline
  • DataplexLake
  • DatastreamPrivateConnection
  • DatastreamConnectionProfile
  • DocumentAIProcessor
  • GKEBackupBackupPlan
  • GKEBackupRestorePlan
  • NetAppBackupPolicy
  • NotebooksEnvironment
  • SpannerInstanceConfig
  • VertexAIFeaturestore
  • VMwareEnginePrivateCloud
  • VMwareEngineNetwork
  • VMwareEngineNetworkPeering
  • VMwareEngineNetworkPolicy
  • WorkflowExecution

Reconciliation Improvements

Added support for direct reconciliation to more resources, with opt-in behaviour. The API is backward compatible. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support (and we list some of the issues that this fixes):

  • SpannerInstance
    • You can use the spec.edition field to optimize your enterprise edition type.
    • You can use spec.autoscalingConfig to automate scaling instead of manually configuring spec.processingUnit or spec.numNodes.
    • You can now use the defaultBackupScheduleType field.
    • Behavior change: If you use the SpannerInstance Kubernetes metadata.labels to configure your GCP labels, change them to use the spec.labels field instead.

Filestore

The basic HDD extended range tier is now generally available to all GKE customers through the Filestore CSI driver.

Google SecOps

Premium parsers

Specific high-volume parsers are now categorized as premium. Google aims to address customer issues related to premium parsers as quickly as possible, typically within a few days.

For a complete list of different types of parsers and the level of support that Google provides for each, see Manage prebuilt and custom parsers.

For a complete list of premium parsers, see Default parser configuration and ingestion.

Google SecOps SIEM

Premium parsers

Specific high-volume parsers are now categorized as premium. Google aims to address customer issues related to premium parsers as quickly as possible, typically within a few days.

For a complete list of different types of parsers and the level of support that Google provides for each, see Manage prebuilt and custom parsers.

For a complete list of premium parsers, see Default parser configuration and ingestion.

Identity-Aware Proxy

Preview: You can now enable IAP directly on your Cloud Run services without configuring load balancers.

For more information, see Configure Identity-Aware Proxy for Cloud Run.

Looker

Looker has released version 1.4.2 of the Looker–Power BI Connector. See the Looker–Power BI Connector change log for details about version 1.4.2.

Network Connectivity Center

IPv6 subnet exchange is generally available.

You can use export filters to configure a VPC spoke to exchange IPv6 subnet ranges or both IPv4 and IPv6 subnet ranges. For more information, see VPC connectivity with export filters.

Oracle Database@Google Cloud

For Autonomous Databases, you now have the options to set up public network access and private network access in Google Cloud. This feature is generally available (GA).

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

1.48.1 (2025-04-01)

Bug Fixes
  • pubsub/pstest: Message ordering issue (#11603) (1d6ffc0)
  • pubsub: Update golang.org/x/net to 0.37.0 (1144978)
Documentation
  • pubsub: Update documentation for JavaScriptUDF to indicate that the message_id metadata field is optional instead of required (f437f08)

Security Command Center

April 06, 2025

Google SecOps

Create a quick action (Preview)

Administrators can now predefine quick actions for analysts to execute directly within cases and alerts.

The Quick Actions widget can be added to default case and alert views, and customized alert views within playbooks.

For more information, see Create a quick action.

What's New in Google SecOps

At the top of your Google SecOps screen, click the question mark and select What's New to display the top five new features in the Google SecOps platform.

Google SecOps SOAR

Release 6.3.41 is now available for all regions.

April 05, 2025

Google SecOps SOAR

Release 6.3.42 is being rolled out to the first phase of regions as listed here.

Create a quick action (Preview)

Administrators can now predefine quick actions for analysts to execute directly within cases and alerts.

The Quick Actions widget can be added to default case and alert views, and customized alert views within playbooks.

For more information, see Create a quick action.

April 04, 2025

Access Approval

Access Approval supports Document AI in the GA stage.

Access Approval supports Storage Intelligence in the GA stage.

BigQuery

BigQuery ML now supports the following generative AI functions, which let you analyze text using a Vertex AI Gemini model. The function output includes a response that matches the type in the function name:

This feature is in preview.

Cloud Asset Inventory

The following resource types are now publicly available through the analyze policy (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) APIs.

  • Compute Engine
    • compute.googleapis.com/StoragePool
  • Discovery Engine
    • discoveryengine.googleapis.com/Engine

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Logging

You can include pipe syntax in the SQL queries you run on the Log Analytics page. Pipe syntax supports a linear query structure designed to make your queries easier to read, write, and maintain. The pipe syntax feature is generally available (GA).

Cloud Monitoring

If you have enabled logging for failures of an uptime check, you can view the logs from the Uptime details page. For more information, see View details of an uptime check.

Cloud SQL for PostgreSQL

The rollout of the following extension versions and plugin versions is complete:

Extensions and plugins

  • PostGIS is upgraded from 3.4.4 to 3.5.2.

To use these versions of the extensions, update your instance to [PostgreSQL version].R20250302.00_04.

If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.

For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Cloud Service Mesh

1.25.0-asm.8 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.0-asm.8 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.0 subject to the list of supported features.

The following environment variables are not supported:

  • PILOT_MX_ADDITIONAL_LABELS
  • PILOT_DNS_CARES_UDP_MAX_QUERIES
  • PILOT_DNS_JITTER_DURATION
  • PILOT_SEND_UNHEALTHY_ENDPOINTS

The following annotations are not supported:

  • networking.istio.io/traffic-distribution
  • istio.io/reroute-virtual-interfaces

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.25.0-asm.8 uses Envoy v1.33.1-dev.

There is a known issue where all gateway CRs experience downtime for status updates when upgrading from 1.24.3 to 1.25.x.

Compute Engine

On June 30, 2024, Red Hat Enterprise Linux (RHEL) 7 will reach end of support and the images will be marked deprecated on Google Cloud. If you use RHEL 7 images in your project, review RHEL end of support.

On June 30, 2024, CentOS 7 will reach end of support and the images will be marked deprecated on Google Cloud. If you use CentOS 7 images in your project, review CentOS end of support guidance.

Google SecOps

Optimize log management using extractors

This feature is currently in Preview.

You can now optimize log management by creating extractors to pull specific fields from high-volume log sources. For more information, see Work with extractors.

Google SecOps SIEM

Optimize log management using extractors

This feature is currently in Preview.

You can now optimize log management by creating extractors to pull specific fields from high-volume log sources. For more information, see Work with extractors.

NetApp Volumes

Google Cloud NetApp Volumes now supports SnapMirror-based volume migration for allow-listed users. This feature lets you migrate from ONTAP-based Flex volumes to NetApp Volumes. For more information, see Volume migration.

Risk Manager

Risk Manager is now called Cyber Insurance Hub. Additional insurance partners have been added with expanded customer eligibility.

For detailed information about this product, see the Cyber Insurance Hub documentation.

Secret Manager

The Secret Manager add-on for Google Kubernetes Engine (GKE) now supports the automatic rotation of secrets. You can configure the Secret Manager add-on to automatically rotate secrets so that secrets updated in Secret Manager after initial pod deployment are automatically and periodically pushed to the pod. This feature is available in Preview.

For more information, see Configure automatic rotation of secrets.

Spanner

Spanner has added the PARAMETER_DEFAULT column to the INFORMATION_SCHEMA.PARAMETERS table. This column returns the default value of change stream read functions parameters.

April 03, 2025

BigQuery

BigQuery migration assessment now includes support for Amazon Redshift Serverless. This feature is in preview.

You can now generate structured data by using BigQuery ML's AI.GENERATE_TABLE function with Gemini 1.5 Pro, Gemini 1.5 Flash, and Gemini 2.0 Flash models. You can use the AI.GENERATE_TABLE function's output_schema argument to more easily format the model's response. The output_schema argument lets you specify a SQL schema for formatting, similar to the schema used in the CREATE TABLE statement. By creating structured output, you can more easily convert the function output into a BigQuery table.

Try this feature with the Generate structured data by using the AI.GENERATE_TABLE function tutorial.

This feature is in preview.

Cloud Composer

The unification of Cloud Composer 3 billing with BigQuery is paused until further notice. The change was previously scheduled for April 13, 2025.

In recently released Airflow builds of Cloud Composer 3, the Airflow web server requires more CPU to finish its initialization when an environment is created or updated. This might lead to longer operation times or failures to perform these operations.

As a workaround, when you create a new Cloud Composer 3 environment or upgrade an existing environment, provide at least 1 CPU to the Airflow web server.

This issue currently affects composer-3-airflow-2.10.2-build.12 and composer-3-airflow-2.9.3-build.19 Airflow builds.

Cloud SQL for MySQL

You can now integrate Cloud SQL for MySQL and Vertex AI (in Preview). This allows you to invoke predictions and generate vector embeddings using models hosted in Vertex AI. To use this integration, update your instance to [MySQL version].R20250304.00_01.

For more information, see Integrate Cloud SQL with Vertex AI.

Dataproc

Dataproc Serverless for Spark: Installed CUDA, cuDNN and NCCL NVIDIA libraries in 1.2 and 2.2 runtimes.

Google Cloud VMware Engine

Google Cloud VMware Engine now supports 24 ve2 node types, enabling precise and efficient environment sizing. See VMware Engine node types for full details.

Google Kubernetes Engine

GKE now provides insights and recommendations that help you identify workloads without resource requests or limits so that you can specify the resource needs for these workloads. Configuring CPU and memory requests and limits for containers is the best practice for improving reliability and performance, and is a necessary prerequisite for understanding and optimizing resource utilization by your workloads and their cost.

Migrate to Virtual Machines

Migrate to Virtual Machines supports importing Arm disk images to Google Cloud. For information on operating systems supporting this feature, see Supported operating systems.

Spanner

In Spanner Graph you can view a visualization of graph elements returned by a Spanner Graph query and of a Spanner Graph schema. A graph query visualization helps you understand the query results by revealing patterns, dependencies, and anomalies in the returned graph elements. A graph schema visualization helps you understand how the nodes and edges in a schema are related. For more information, see Work with Spanner Graph visualizations.

April 02, 2025

AI Applications

AI Applications: Renamed from Vertex AI Agent Builder

The Vertex AI Agent Builder product has been renamed AI Applications. You'll see this new name in the product console, the documentation set, and the marketing collateral. The product functionality and endpoints remain the same.

API Gateway

On April 2, 2025, we released an updated version of API Gateway.

With this release, API Gateway meets the regulatory and compliance requirements for support of data residency for data at rest.

For more information, see Google Cloud Platform Services with Data residency.

AlloyDB Omni

When ScaNN index creation updates the reltuples statistics of a heap table, performance might be degraded for queries involving that table. For information about mitigating the issue, see Analyze your indexed table.

AlloyDB for PostgreSQL

When ScaNN index creation updates the reltuples statistics of a heap table, performance might be degraded for queries involving that table. For information about mitigating the issue, see "Analyze your indexed table" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni.

Apigee API hub

VPC Service Controls (VPC-SC) integration (Preview)

API hub now integrates with VPC Service Controls, providing enhanced network security for your API hub instance provisioned in Google Cloud. Establish service perimeters to control ingress and egress traffic. For more information, see VPC Service Controls for API hub.

Data Residency Zone (DRZ) compliance

API hub is now compliant with Data Residency Zone (DRZ) C3 requirements. For more information, see API hub locations.

Terraform support for provisioning

You can now provision API hub instances programmatically using Terraform for Google Cloud within Cloud Shell, enabling infrastructure-as-code practices. For more information, see Provision API hub using Terraform.

Plugin Framework

API hub now uses a plugin framework to connect and ingest API metadata from various Google Cloud services and external sources where your APIs are managed or defined. This provides a flexible and extensible way to integrate with your existing API landscape. For more information, see Plugins overview.

API Metadata Curations

API hub introduces a curation process to transform and enrich API metadata ingested by plugins. This ensures consistency across different sources, enabling effective governance, discovery, and management of your APIs. For more information, see Curations overview.

API Supply chain graph view

Visualize and understand the dependencies within your API ecosystem with the new interactive API supply chain graph view. This directed graph allows you to explore the relationships between your APIs and API operations. For more information, see API Supply chain views.

Enhancements to the Operations entity [API only]

You can now add, edit, or delete operations for an API version even if it lacks a specification file or has an unparsable one. For more information, see Manage operations.

Attach API documents

You can now enhance your API documentation by attaching additional relevant files, such as requirements, design documents, and functionality details, directly to your APIs in API hub.

Deprovision an API hub instance [API only]

You can now delete an API hub instance from your Google Cloud project using the ApiHubInstance API. For more information, see Deprovision Apigee API hub.

Application Integration

Build Conversational Agents with Dialogflow CX (Preview)

Application Integration now simplifies the creation of conversational experiences with direct integration with Conversational Agents (Dialogflow CX). Using API triggers, you can now build intelligent chatbots and automated tools directly within your integration workflows, enhancing user interactions and automating tasks.

For more information, see Build conversational agents with Application Integration.

Enhancements to Replay Execution

Application Integration Replay Execution now provides the following enhancements:

  • Modify input parameters on replay: You can now modify the input parameters of an integration execution when initiating a replay. This provides greater flexibility in fixing failed executions.
  • Continue execution from point of failure: When replaying an integration, you can now choose to continue the execution from the point of the last failure. This will retry the failed task and, upon success, continue the execution from that point, saving time and effort.

For more information, see Introduction to replay executions.

BigQuery

You can now create and use Python user-defined functions (UDFs) in BigQuery. Python UDFs support the use of additional libraries and external APIs. This feature is in preview.

The Python code that you generate using Gemini in BigQuery Notebooks is now much more likely to leverage your data. With this change, BigQuery Notebooks can intelligently pull relevant table names directly from your BigQuery project, resulting in personalized, executable Python code.

You can now generate DataFrames code in BigQuery Notebooks that uses BigFrames libraries. In your code generation prompt, include the word BigFrames to generate code that uses BigQuery DataFrames. This feature is in preview.

Cloud Run

Deploying multiple containers (sidecars) to a Cloud Run job is now generally available (GA).

Compute Engine

Generally available: You can manage OS policy assignments across projects and zones at scale in large organizations using the OS policy orchestrator feature in VM Manager. OS policy assignment was previously available only for zonal resources in a project. For more information, see About OS Policy Orchestrator.

Document AI

All processors can now extend the maximum page limit for online and synchronous requests up to 30 pages.

To do so, enable imageless_mode in ProcessRequest.

For Custom Extractor, you will need to first request to be allowlisted for this feature by filling out the form Allowlist Request for 30 Page limit in CDE.

Google Cloud Contact Center as a Service

Version 3.33 is released

All release notes published on this date are part of version 3.33.

The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.

Salesforce CRMs: attach a CCaaS session object to a CRM record if a matching CRM record is found

For Salesforce CRMs, when you append a call or chat session to the latest open record, you have the option to attach a CCaaS session object to a CRM record if a matching CRM record is found. For more information, see Session data mapping by CRM.

New options for CRM comments when saving call recordings and chat transcripts to external storage

When you save call recordings and chat transcripts to external storage, you can control how these are referenced in the CRM record. You now have the following options:

  • Add a call recording or chat transcript link as a comment in the CRM record.
  • Add the call recording or chat transcript filename as a comment in the CRM record.
  • Don't add any reference to the call recording or chat transcript in the CRM record.

To make comments consistent across CRM platforms, we've standardized on the following phrases in CRM comments: Chat Transcripts, Call Recordings, and Voicemails.

For more information, see Configure CRM comments.

New call type in reports: Voice Outbound (UCaaS)

We've added the Voice Outbound (UCaaS) report type to the Create Reports page for calls and chats so you can generate reports that contain this type of call. For more information, see Call and chat types.

Conditional overcapacity deflections

You can now enable conditional overcapacity deflections for calls. You can choose from a number of wait-time conditions or time-of-day conditions, and you can create a distinct deflection message for each condition that you configure.

Administrators: be aware that configuring conditional overcapacity deflections can override queue-level settings.

For more information, see Configure call settings.

New post events for virtual task assistants

The following new virtual task assistant post events are available:

  • Virtual task assistant joined
  • Virtual task assistant left
  • Virtual task assistant session variables received

The agent adapter can use the browser's postMessage() method to send events to the parent iFrame to trigger various actions in your custom CRM application.

Administrators: if you use virtual agents to capture session variables and display them in any downstream integrations such as a CRM or the agent adapter, you must use these new post events. Review your current implementation and remap session variable associations as needed. The existing Dialogflow payload for custom session variables has also been updated to support data selection for virtual task assistant post events.

For more information, see Post events for virtual task assistants.

Bulk agent status import improvements

When you import agent statuses in bulk, the Import Statuses dialog now indicates when the upload is complete and sends you a confirmation email. For more information, see Bulk status management.

Configure a contact list destination to pass data parameters to a SIP header

You can configure a contact list destination to pass data parameters to a SIP URI when an agent uses the destination to make an outbound call or transfer a call. For more information, see Add a destination to a contact list.

View transcripts for completed chats

If you save chat transcripts in external storage, you can view them from the Completed Chats dashboard. This capability is not available in version 3.33. We expect to include it in an upcoming release.

Session metadata contains conversation IDs for virtual agents and Agent Assist

The session metadata file now contains the conversation ID for a virtual agent or for Agent Assist if either of those are involved in a session.

Administrators: if you're directly mapping session metadata fields in downstream systems, review your current implementation and remap your field associations as needed.

For more information, see Sessions metadata content.

Fixed a cross-site scripting vulnerability

This update fixes a cross-site scripting vulnerability.

The following issues were addressed in this release:

  • Fixed an issue where users couldn't deactivate a disposition code or list that was assigned to a queue when the queue was deleted prior to the deactivation.
  • Fixed an issue in Kustomer integrations where an outbound call to a number that wasn't in the CRM wasn't creating a record.
  • Fixed an issue where the button to assign a record ID to a session was missing from the agent adapter.
  • Fixed an issue for the Customer End User Dial '0' Behavior queue settings. After a user selected and saved the Dialing '0' moves user back up one level in IVR setting, an error was returned when they attempted to select a different setting.
  • Fixed an issue where NICE call recordings failed and returned an Exception 12 error.
  • Fixed an issue where agents couldn't transfer call or chat sessions to another queue. This occurred when all assigned agents in the destination queue were unavailable or at the concurrency limit.
  • Fixed an issue where searches for chat shortcuts were case sensitive. These searches are now case insensitive.
  • Fixed an issue where the option to select the account ID and record ID for a session appeared in the agent adapter even when they were configured in the platform to not appear.
  • Fixed an issue where the call flexible inbound record ID for a session was not automatically suggested in the agent adapter.
  • Fixed an issue where no records were displayed in the Record ID field during wrap up.
  • Fixed an issue where the first open record created by the end-user was selected instead of Create New Record being selected.
  • Fixed an issue where the default value for the record ID for a session was not the most recently closed and updated record.
  • Fixed an issue in Salesforce integrations where the Answer button in the agent adapter didn't appear for incoming calls. This happened after the agent clicked the Assign button multiple times while attempting to assign a record ID or account ID to a session during wrap up.
  • Fixed an issue where the Assign button appeared in the agent adapter during wrap-up even when the account ID and record ID were already assigned to the session.
  • Fixed an issue where the Assign button in the agent adapter was clickable multiple times during wrap up. Now, after an agent assigns a record ID or account ID to a session, the Assign button is no longer active.
  • Fixed an issue where the option to assign a record ID or account ID to a session didn't appear during wrap up even though the agent didn't make these assignments during the call.
  • Fixed an issue where the Next button for assigning a record ID or account ID to a session was inactive until the agent made a different selection.
  • Fixed an issue where the Agent Assist icon didn't appear in the agent adapter when an agent returned to an inactive chat.
  • Fixed an issue where an error was returned when a user attempted to assign an email session to another user.
  • Fixed an issue in workforce management where the day planner didn't display the green checkmark after a file was imported.
  • Fixed an issue in workforce management where the green success message didn't appear for some forecast types.
  • Fixed an intermittent issue where the chat adapter was not appearing when incoming chat sessions arrived.
  • Fixed an issue to preserve expected chat adapter behavior when switching to a custom CRM.
  • Fixed an issue where the data passed in SIP headers was malformatted if the SIP endpoint was selected from the contact list.
  • Fixed an issue in the agent desktop where the chat window was unavailable after an agent ended a session that was transferred or routed from a virtual agent chat session.
  • Fixed an issue to ensure that a customer who returns to an inactive chat after hours sees an "after hours" message.
  • Fixed an issue where agents couldn't add attachments to emails.
  • Fixed a date and time mismatch issue in Alvaria agent productivity files generated by Google Cloud CCaaS.
  • Fixed an issue where Chrome's built-in spelling checker was not working in the chat adapter.

Google Kubernetes Engine

(2025-R13) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

Regular channel

There are no new releases in the Regular channel.

Stable channel

There are no new releases in the Stable channel.

Extended channel

No channel

Automatic application monitoring is now generally available in GKE versions 1.28 and later. When configured on GKE clusters, this feature automatically collects key metrics with Google Cloud Managed Service for Prometheus and provides out-of-the-box dashboards for monitoring the supported workloads. Automatic application monitoring supports six new AI model servers (NVIDIA Triton, vLLM, TGI, JetStream, TorchServe and TensorFlow Serving). For more information, see Configure automatic application monitoring.

Google SecOps

Medium Priority rule set

Google SecOps has introduced a new rule set, Medium Priority, in Applied Threat Intelligence (ATI). This rule set extends the capabilities of the ATI indicator prioritization model and expands prioritization logic to include commodity malware. For more information, see Applied Threat Intelligence priority overview.

Google SecOps SIEM

Medium Priority rule set

Google SecOps has introduced a new rule set, Medium Priority, in Applied Threat Intelligence (ATI). This rule set extends the capabilities of the ATI indicator prioritization model and expands prioritization logic to include commodity malware. For more information, see Applied Threat Intelligence priority overview.

Memorystore for Valkey

Memorystore for Valkey is now Generally Available (GA).

Multi-VPC support for Memorystore for Valkey is now Generally Available (GA). This functionality enables you to create Private Service Connect endpoints in multiple VPCs to connect to the same Memorystore for Valkey instance. This provides you with enhanced flexibility and resilience for your network architecture. For more information, see About multiple VPC networking.

The cross-region replication feature for Memorystore for Valkey is now Generally Available (GA). This release includes Terraform support for cross-region replication on Memorystore for Valkey.

You can now upgrade the version of your Memorystore for Valkey instance from 7.2 to 8.0. For more information, see About upgrading the Valkey version of an instance. This feature is in Public Preview.

Security Command Center

When activating Security Command Center Enterprise, you can monitor the provisioning status and progress of initial scans. This capability is in Preview.

Sensitive Data Protection

The MAC_ADDRESS_UNIVERSAL infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

Text-to-Speech

Chirp 3: HD voices with 8 speakers and 31 locales is now GA. It offers real-time streaming and batch processing capabilities and is accessible in global, us, eu, and asia-southeast1 regions.

Explore the latest Chirp 3: HD voices capabilities. Find out their full potential by visiting our updated documentation, specifically the voice controls section.

VPC Service Controls

General availability support for the following integration:

April 01, 2025

BigQuery

Pipe syntax supports a linear query structure designed to make your queries easier to read, write, and maintain. This feature is generally available (GA).

You can use a CREATE MODEL statement to create a contribution analysis model in BigQuery ML. The top_k_insights_by_apriori_support and pruning_method model options are now supported. You can use a contribution analysis model with the ML.GET_INSIGHTS function to generate insights about changes to key metrics in your multi-dimensional data. The following metric types are supported:

This feature is generally available (GA).

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.2.51-debian12, 2.2.51-rocky9, 2.2.51-ubuntu22

Dataproc on Compute Engine: Hyperdisk-Balanced is now the default primary disk type when creating a cluster from the console.

Dataproc on Compute Engine: Fixed incorrectly attributed Dataproc job logs in Cloud Logging for clusters created with 2.2+ image versions. This happened when multiple Dataproc jobs were running concurrently on the same cluster.

Dialogflow

Dialogflow CX (Conversational Agents): Data store tools no longer require the use of a playbook and can be used with any agent. For information about configuring data store tools for a flow-based agent, see the data store tools documentation.

Dialogflow CX (Conversational Agents): The gemini-1.0-pro model is deprecated as of March 24, 2025 and has been automatically upgraded to the gemini-1.5-flash-001 model. This change applies to the following features:

  • Playbooks
  • Data stores
  • Generators

Dialogflow CX (Conversational Agents): AI generation of language-specific information, entities and training phrases is now GA.

Dialogflow CX (Conversational Agents): All prebuilt agents are now GA.

Gemini Code Assist

Code customization for chat is generally available (GA) for VS Code and IntelliJ Gemini Code Assist. This feature provides contextually relevant code suggestions and insights in your IDE's Gemini Code Assist chat interface. Code customization for chat is available without any additional configuration required. For more information on how to use code customization for chat effectively, see Use code customization.

Looker

The following features have been added to Studio in Looker, which is available in preview:

SAP on Google Cloud

Terraform support for using NFS solutions with SAP HANA scale-out HA deployments

While using Terraform to deploy an SAP HANA scale-out HA system on Google Cloud, you can use existing NFS solutions to share the /hana/shared and /hanabackup volumes with the worker hosts in your deployment:

  • For the /hana/shared volume, use the primary_sap_hana_shared_nfs and secondary_sap_hana_shared_nfs arguments.
  • For the /hanabackup volume, use the primary_sap_hana_backup_nfs and secondary_sap_hana_backup_nfs arguments.

These optional arguments are available from version 1.3.730053050 of the sap_hana_ha Terraform module provided by Google Cloud. For more information, see Terraform: SAP HANA scale-out high-availability cluster configuration guide.

March 31, 2025

AlloyDB for PostgreSQL

If your cluster is encrypted with a customer-managed encryption key (CMEK), and no specific CMEK key is configured for continuous or automated backups, then backups will be created with the cluster CMEK. For more information, see About CMEK and Configure backup plans.

Apigee X

On March 31, 2025, we released an updated version of Apigee (1-15-0-apigee-2).

New flow variable suffixes available for accessing base64-encoded message content.

There are two new read-only flow variable suffixes available for accessing message content in base64-encoded form:

  • content.as.base64
  • content.as.url.safe.base64

These variable suffixes can be used with the request, response, and message objects, as well as with any Message object created implicitly during API proxy execution when using the AssignMessage or ServiceCallout policies.

For more information, see Flow variables reference.

| Bug ID | Description |
| N/A | Updates to security infrastructure and libraries. |

BigQuery

Iceberg external tables now support merge-on-read. You can query Iceberg tables with position deletes and equality deletes. This feature is generally available (GA).

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-bigquery

3.31.0 (2025-03-20)

Features
  • Add query text and total bytes processed to RowIterator (#2140) (2d5f932)
  • Add support for Python 3.13 (0842aa1)
Bug Fixes
  • Add property setter for table constraints, #1990 (#2092) (f8572dd)
  • Allow protobuf 6.x (0842aa1)
  • Avoid "Unable to determine type" warning with JSON columns in to_dataframe (#1876) (968020d)
  • Remove setup.cfg configuration for creating universal wheels (#2146) (d7f7685)
Dependencies
  • Remove Python 3.7 and 3.8 as supported runtimes (#2133) (fb7de39)

On the Scheduling page, you can now view existing schedules, create new schedules, and perform other actions for data preparations, notebooks, BigQuery pipelines, and scheduled queries. For more information, see Create a pipeline schedule. This feature is generally available (GA).

You can build BigQuery pipelines (formerly workflows), composed of SQL queries or notebooks, in BigQuery Studio. You can then run these pipelines on a schedule. You can also configure notebook runtimes for a pipeline, share a pipeline, or share a pipeline link. This feature is generally available (GA).

You can now define a _CHANGE_SEQUENCE_NUMBER for BigQuery change data capture (CDC) to manage streaming UPSERT ordering for BigQuery. This feature is generally available (GA).

BigQuery now supports subqueries in row level access policies. It also includes support for BigLake managed tables and the BigQuery Storage Read API. This feature is now generally available (GA).

You can now use BigQuery Data Transfer Service for Search Ads to view Performance Max (PMax) campaign data for the following tables:

  • CartDataSalesStats
  • ProductAdvertised
  • ProductAdvertisedDeviceStats
  • ProductAdvertisedConversionActionAndDeviceStats

This feature is generally available (GA).

You can now configure the repeat frequency of BigQuery Data Transfer Service for Google Ad Manager. This option has a default of every 8 hours and a minimum of every 4 hours. This feature is generally available (GA).

You can now skip loading match tables for BigQuery Data Transfer Service for Google Ad Manager. If match tables are not needed, you can set the load_match_tables parameter to FALSE. This feature is generally available (GA).

You can include data preparation tasks in BigQuery pipelines that execute your code assets in sequence at a scheduled time. This feature is in Preview.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.57.1 (2025-03-24)

Bug Fixes
  • Handling of totalTimeout on SQL plan refresh (#2541) (bf49cf9)

2.57.0 (2025-03-24)

Features
  • Add PreparedStatement and update ExecuteQuery API to use it (#2534) (49d4d09)

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Security Command Center Management API
    • securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule
    • securitycentermanagement.googleapis.com/SecurityCenterService
    • securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, and Feed APIs.

  • Eventarc
    • eventarc.googleapis.com/Enrollment
    • eventarc.googleapis.com/GoogleApiSource
    • eventarc.googleapis.com/MessageBus
    • eventarc.googleapis.com/Pipeline

Cloud Data Fusion

Cloud Data Fusion version 6.9 is no longer supported. You should upgrade your instances to run in a supported version. For instructions, see Manage version upgrades for instances and pipelines.

Cloud Deploy

Cloud Deploy support for timed promote is now generally available.

Cloud Deploy support for deploy policies is now generally available.

Cloud Deploy support for repair rollout automation is now generally available.

Cloud SQL for MySQL

Cloud SQL now supports Managed Connection Pooling (MCP) in Preview, which lets you scale your workloads by optimizing resource utilization for your Cloud SQL instances using pooling. To use Managed Connection Pooling, update your instance to [MySQL version].R20250302.00_04.

For more information, see Managed Connection Pooling overview.

Cloud SQL for PostgreSQL

Cloud SQL now supports Managed Connection Pooling (MCP) in Preview, which lets you scale your workloads by optimizing resource utilization for your Cloud SQL instances using pooling. To use Managed Connection Pooling, update your instance to [PostgreSQL version].R20250302.00_04.

For more information, see Managed Connection Pooling overview.

Cloud Storage

Additional functionality is now available for the bucket IP filtering feature:

Storage batch operations for Cloud Storage is now generally available (GA). Using storage batch operations, you can perform operations on billions of Cloud Storage objects in a serverless manner. To learn more about storage batch operations, see Overview of storage batch operations.

You can now use metrics to monitor Cloud Storage FUSE performance. For more information, see Cloud Storage FUSE metrics.

Cloud TPU

Flex-start for Cloud TPU, powered by Dynamic Workload Scheduler, is available in Preview. Flex-start is a flexible and cost-effective consumption option for AI workloads. Flex-start enables you to dynamically provision TPUs for up to 7 days using the queued resources API, without long-term reservations. This option is ideal for quick experimentation, small-scale testing, dynamic inference provisioning, and model fine-tuning. For more information about Flex-start for Cloud TPU, see Request Cloud TPUs using Flex-start.

Colab Enterprise

Preview: You can switch to a default runtime with GPUs by using a button in your Colab Enterprise notebook. To enable a default runtime with GPUs for your users, see Enable default runtimes with GPUs.

Compute Engine

Compute Engine provides the interactive serial console for troubleshooting malfunctioning instances. The serial console SSH key endpoint is deprecated and a new serial SSH key endpoint is available. For more information, see Serial console SSH host key endpoint deprecation.

Confidential Space

Support for Confidential Space on Intel CPUs (C3 machine family) with Intel TDX is now generally available.

Confidential Space now allows adding specific Linux capabilities, including CAP_SYS_ADMIN, and provides a namespaced read or write cgroup.

New Confidential Space images (250300 and 250301) are now available.

Container Optimized OS

cos-105-17412-535-98

| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |

Updated dev-go/net to v0.33.0. This fixed CVE-2023-45288.

Fixed CVE-2025-21763 in the Linux kernel.

Fixed CVE-2025-21764 in the Linux kernel.

Fixed CVE-2025-21762 in the Linux kernel.

Fixed CVE-2025-21760 in the Linux kernel.

Fixed CVE-2025-21726 in the Linux kernel.

Fixed KCTF-fcdd224 in the Linux kernel.

Fixed CVE-2024-53174 in the Linux kernel.

Fixed CVE-2024-53194 in the Linux kernel.

Fixed CVE-2024-56558 in the Linux kernel.

Fixed CVE-2024-57979 in the Linux kernel.

Fixed CVE-2025-21727 in the Linux kernel.

Fixed CVE-2025-21796 in the Linux kernel.

Fixed CVE-2024-58005 in the Linux kernel.

Fixed CVE-2025-21846 in the Linux kernel.

Fixed CVE-2025-21844 in the Linux kernel.

Fixed CVE-2024-57977 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Fixed CVE-2025-21814 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812690 -> 812692

cos-109-17800-436-91

| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |

Updated dev-go/net to v0.33.0. This fixed CVE-2023-45288.

Fixed CVE-2025-21763 in the Linux kernel.

Fixed CVE-2025-21764 in the Linux kernel.

Fixed CVE-2025-21760 in the Linux kernel.

Fixed CVE-2025-21762 in the Linux kernel.

Fixed CVE-2025-21726 in the Linux kernel.

Fixed KCTF-fcdd224 in the Linux kernel.

Fixed CVE-2024-57979 in the Linux kernel.

Fixed CVE-2025-21727 in the Linux kernel.

Fixed CVE-2025-21796 in the Linux kernel.

Fixed CVE-2025-21812 in the Linux kernel.

Fixed CVE-2024-56549 in the Linux kernel.

Fixed CVE-2023-52927 in the Linux kernel.

Fixed CVE-2024-57977 in the Linux kernel.

Fixed CVE-2024-58005 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812224 -> 812258

cos-117-18613-164-98

| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |

Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.

Fixed CVE-2025-21762 in the Linux kernel.

Fixed CVE-2025-21759 in the Linux kernel.

Fixed CVE-2025-21764 in the Linux kernel.

Fixed CVE-2025-21760 in the Linux kernel.

Fixed CVE-2025-21726 in the Linux kernel.

Fixed CVE-2024-56549 in the Linux kernel.

Fixed KCTF-0c3057a in the Linux kernel.

Fixed CVE-2024-57979 in the Linux kernel.

Fixed CVE-2025-21727 in the Linux kernel.

Fixed CVE-2025-21796 in the Linux kernel.

Fixed CVE-2025-21812 in the Linux kernel.

Fixed CVE-2024-50138 in the Linux kernel.

Fixed CVE-2024-57977 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811744 -> 811785

cos-113-18244-291-93

| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |

Updated dev-go/net to v0.33.0. This fixed CVE-2023-45288.

Fixed CVE-2025-21763 in the Linux kernel.

Fixed CVE-2025-21762 in the Linux kernel.

Fixed CVE-2025-21764 in the Linux kernel.

Fixed CVE-2025-21760 in the Linux kernel.

Fixed CVE-2025-21726 in the Linux kernel.

Fixed KCTF-fcdd224 in the Linux kernel.

Fixed CVE-2024-57979 in the Linux kernel.

Fixed CVE-2025-21727 in the Linux kernel.

Fixed CVE-2025-21796 in the Linux kernel.

Fixed CVE-2025-21812 in the Linux kernel.

Fixed CVE-2024-56549 in the Linux kernel.

Fixed CVE-2023-52927 in the Linux kernel.

Fixed CVE-2024-57977 in the Linux kernel.

cos-beta-121-18867-0-75

| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.2 | See List |

Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.

Fixed CVE-2024-57977 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811789 -> 811827

cos-dev-125-18971-0-0

| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.84 | v27.5.1 | v2.0.2 | See List |

Updated the Linux kernel to v6.6.84.

Runtime sysctl changes:

  • Changed: fs.file-max: 811727 -> 811816

Dataproc Dataproc Metastore

Dataproc Metastore federation now supports multi-regional Dataproc Metastore services.

Google Cloud Managed Service for Apache Kafka

Public preview: Google Cloud Managed Service for Apache Kafka now supports Kafka Connect. Kafka Connect provides a curated set of built-in connector plugins hosted in Connect clusters. Configure these connector plugins to create connectors that let you stream data at scale between Managed Service for Apache Kafka clusters and other systems, such as external Kafka deployments, BigQuery, Cloud Storage, or Pub/Sub. For more information, see Kafka Connect overview.

Looker Studio

Modern charts general availability

Modern charts offers new chart styling, new default theme colors, new chart configuration options, new axis customization options, and new chart settings that give report creators greater control over how data is curated and presented to users.

This feature is now generally available and is the default for all new Looker Studio reports. Existing reports must be upgraded to use modern charts. Classic report themes are still available in the Themes panel.

Learn more about modern charts.

Looker connector enhancements

The following enhancements to the Looker connector are now generally available:

Responsive reports

You can now select between Freeform and Responsive layouts when creating a report.

  • The freeform report layout is the default option. This layout is tailored for desktop screens.
  • The responsive report layout scales well across many different screen sizes. Choose this layout if you expect your users to regularly view the report on a tablet or other mobile device.

Query results variables

Query result variables let you insert data directly into text elements. You can choose a cell from a table as a "query result" to insert into a text element, and Looker Studio will keep the result up to date.

YouTube Connector update

On March 31, 2025, YouTube changed the way views are calculated. Learn more about this change.

Manufacturing Data Engine

Release 1.5.0

This release is not a critical update. Unless you are directly impacted by the bug fixes, you don't need to update and can wait for future releases before updating.

  • Metadata Versioning: To enhance the query readability of the metadata instances, MDE v1.5.0 introduces a new field called validFrom that designates the time when a particular metadata instance is effective. MDE uses this field to pick the metadata instance based on the source message event time, not the processing time, which enables accurate historical data representation. For more information, see Versioning metadata buckets.
  • Configuration Packages: Introduces a file-based configuration package system for atomic deployments and GitOps integration. For more information, see Upload configuration package and File content.
  • Development Mode: Adds a "Development Mode" that allows deletion of MDE entities and configuration packages. Use with caution. For more information, see Development mode.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/pubsub

4.11.0 (2025-03-27)

Features
  • Add required messaging.operation span attrs for OTel sem convs 1.24 (#2019) (70ed2d7)
Bug Fixes
  • deps: Update dependency @opentelemetry/semantic-conventions to ~1.29.0 (#2012) (bfe8243)
  • deps: Update dependency @opentelemetry/semantic-conventions to ~1.30.0 (#2014) (7f8366a)
  • Type widening to match gapic, and two typing fixes (#2020) (9cd73b3)

Spanner

Spanner now supports the following GoogleSQL JSON mutator functions:

  • JSON_ARRAY_APPEND()
  • JSON_ARRAY_INSERT()
  • JSON_REMOVE()
  • JSON_SET()
  • JSON_STRIP_NULLS()

Spanner now supports the following PostgreSQL JSONB mutator functions:

  • jsonb_insert()
  • jsonb_set()
  • jsonb_set_lax()
  • jsonb_strip_nulls()

Spanner also supports the following PostgreSQL JSONB operators:

  • concat: jsonb || jsonb -> jsonb
  • delete: jsonb - text -> jsonb

For more information, see JSON functions in GoogleSQL and Supported PostgreSQL functions.

The GoogleSQL JSON_KEYS and PostgreSQL json_object_keys functions, which extract unique JSON keys from a JSON expression, are generally available.

JSON search indexes are generally available in Spanner. This extension of Spanner's full-text index capabilities accelerates many JSON document queries, even without prior knowledge of the documents' structure. You can create search indexes over any JSON document stored in a JSON column. The JSON_CONTAINS function in GoogleSQL and the @> and <@ operators in PostgreSQL can use search indexes to determine if one document structure is contained in another. Search indexing supports JSON types in GoogleSQL-dialect databases and JSONB in PostgreSQL-dialect databases. For more information, see JSON search indexes.

A monthly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.77.0 (2025-03-03)

Features
  • spanner: A new enum IsolationLevel is added (#11624) (2c4fb44)
  • spanner: A new field isolation_level is added to message .google.spanner.v1.TransactionOptions (2c4fb44)
  • spanner: Add a last field in the PartialResultSet (#11645) (794ecf7)
  • spanner: Add option for LastStatement in transaction (#11638) (d662a45)
Bug Fixes
  • spanner: Avoid destructive context augmentation that dropped all headers (#11659) (594732d)
Documentation
  • spanner: A comment for enum value OPTIMISTIC in enum ReadLockMode is changed (2c4fb44)
  • spanner: A comment for enum value PESSIMISTIC in enum ReadLockMode is changed (2c4fb44)
  • spanner: A comment for enum value READ_LOCK_MODE_UNSPECIFIED in enum ReadLockMode is changed (2c4fb44)
  • spanner: A comment for field chunked_value in message .google.spanner.v1.PartialResultSet is changed (794ecf7)
  • spanner: A comment for field precommit_token in message .google.spanner.v1.PartialResultSet is changed (794ecf7)
  • spanner: A comment for field precommit_token in message .google.spanner.v1.ResultSet is changed (794ecf7)
  • spanner: A comment for field query_plan in message .google.spanner.v1.ResultSetStats is changed (794ecf7)
  • spanner: A comment for field row_count_lower_bound in message .google.spanner.v1.ResultSetStats is changed (794ecf7)
  • spanner: A comment for field row_type in message .google.spanner.v1.ResultSetMetadata is changed (794ecf7)
  • spanner: A comment for field rows in message .google.spanner.v1.ResultSet is changed (794ecf7)
  • spanner: A comment for field stats in message .google.spanner.v1.PartialResultSet is changed (794ecf7)
  • spanner: A comment for field stats in message .google.spanner.v1.ResultSet is changed (794ecf7)
  • spanner: A comment for field values in message .google.spanner.v1.PartialResultSet is changed (794ecf7)
  • spanner: A comment for message ResultSetMetadata is changed (794ecf7)
  • spanner: A comment for message ResultSetStats is changed (794ecf7)

1.78.0 (2025-03-24)

Features
  • spanner/spansql: Add support for tokenlist and create search index (#11522) (cd894f8)
  • spanner: Support multiplexed sessions for ReadWriteStmtBasedTransaction (#11852) (528d9dd)
Bug Fixes
  • spanner/test/opentelemetry/test: Update golang.org/x/net to 0.37.0 (1144978)
  • spanner: Revert the ALTS bound token enablement (#11799) (68cfb38)
  • spanner: Update golang.org/x/net to 0.37.0 (1144978)

Java

Changes for google-cloud-spanner

6.88.0 (2025-02-27)

Features
  • Add a last field in the PartialResultSet (7c714be)
  • Automatically set default sequence kind in JDBC and PGAdapter (#3658) (e8abf33)
  • Default authentication support for external hosts (#3656) (ace11d5)
  • spanner: A new enum IsolationLevel is added (3fd33ba)
  • spanner: Add instance partitions field in backup proto (3fd33ba)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (57497ad)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.44.0 (#3665) (3543548)

6.89.0 (2025-03-20)

Features
  • Enable ALTS hard bound token in DirectPath (#3645) (42cc961)
  • Next release from main branch is 6.89.0 (#3669) (7a8a29b)
  • Support isolation level REPEATABLE_READ for R/W transactions (#3670) (e62f5ab)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (b959f4c)
  • Revert the ALTS bound token enablement (#3679) (183c1f0)
Performance Improvements
  • Get database dialect using multiplexed session (#3684) (f641a40)
  • Skip gRPC trailers for StreamingRead & ExecuteStreamingSql (#3661) (bd4b1f5)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#3689) (67188df)

Node.js

Changes for @google-cloud/spanner

7.19.0 (2025-02-26)

Features
  • Add AddSplitPoints API (e4d389a)
  • Paging changes for bigquery (e4d389a)
  • spanner: A new enum IsolationLevel is added (#2225) (e4d389a)
  • spanner: A new field isolation_level is added to message .google.spanner.v1.TransactionOptions (e4d389a)
  • spanner: Add instance partitions field in backup proto (e4d389a)
  • spanner: Add support for Multiplexed Session for Read Only Tran… (#2214) (3a7a51b)
  • x-goog-spanner-request-id: Add bases (#2211) (0008038)
Bug Fixes
  • Add x-goog-request params to headers for LRO-polling methods (e4d389a)
  • Error from fill method should not be emitted (#2233) (2cc44cf), closes #2103
  • Finalize fixing typings for headers in generator (e4d389a)
  • Fix typings for headers in generator (e4d389a)
  • Remove extra protos in ESM & capture ESM in headers (e4d389a)
  • Rollback with no id (#2231) (a6919b1), closes #2103

7.19.1 (2025-03-13)

Bug Fixes
  • CreateQueryPartition with query params (91f5afd)

Python

Changes for google-cloud-spanner

3.53.0 (2025-03-12)

Features
  • Add AddSplitPoints API (7a5afba)
  • Add Attempt, Operation and GFE Metrics (#1302) (fb21d9a)
  • Add REST Interceptors which support reading metadata (7a5afba)
  • Add support for opt-in debug logging (7a5afba)
  • Add support for reading selective GAPIC generation methods from service YAML (7a5afba)
  • Add the last statement option to ExecuteSqlRequest and ExecuteBatchDmlRequest (7a5afba)
  • Add UUID in Spanner TypeCode enum (7a5afba)
  • End to end tracing (#1315) (aa5d0e6)
  • Exposing FreeInstanceAvailability in InstanceConfig (7a5afba)
  • Exposing FreeInstanceMetadata in Instance configuration (to define the metadata related to FREE instance type) (7a5afba)
  • Exposing InstanceType in Instance configuration (to define PROVISIONED or FREE spanner instance) (7a5afba)
  • Exposing QuorumType in InstanceConfig (7a5afba)
  • Exposing storage_limit_per_processing_unit in InstanceConfig (7a5afba)
  • Snapshot isolation (#1318) (992fcae)
  • spanner: A new enum IsolationLevel is added (#1224) (7a5afba)
Bug Fixes
  • Allow Protobuf 6.x (#1320) (1faab91)
  • Cleanup after metric integration test (#1322) (d7cf8b9)
  • deps: Require grpc-google-iam-v1>=0.14.0 (7a5afba)
  • Fix typing issue with gRPC metadata when key ends in -bin (7a5afba)
Performance Improvements
Documentation
  • A comment for enum DefaultBackupScheduleType is changed (7a5afba)
  • A comment for enum value AUTOMATIC in enum DefaultBackupScheduleType is changed (7a5afba)
  • A comment for enum value GOOGLE_MANAGED in enum Type is changed (7a5afba)
  • A comment for enum value NONE in enum DefaultBackupScheduleType is changed (7a5afba)
  • A comment for enum value USER_MANAGED in enum Type is changed (7a5afba)
  • A comment for field base_config in message .google.spanner.admin.instance.v1.InstanceConfig is changed (7a5afba)
  • A comment for field default_backup_schedule_type in message .google.spanner.admin.instance.v1.Instance is changed (7a5afba)
  • A comment for field filter in message .google.spanner.admin.instance.v1.ListInstanceConfigOperationsRequest is changed (7a5afba)
  • A comment for field filter in message .google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequest is changed (7a5afba)
  • A comment for field instance_config in message .google.spanner.admin.instance.v1.CreateInstanceConfigRequest is changed (7a5afba)
  • A comment for field instance_partition_deadline in message .google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequest is changed (7a5afba)
  • A comment for field location in message .google.spanner.admin.instance.v1.ReplicaInfo is changed (7a5afba)
  • A comment for field node_count in message .google.spanner.admin.instance.v1.Instance is changed (7a5afba)
  • A comment for field node_count in message .google.spanner.admin.instance.v1.InstancePartition is changed (7a5afba)
  • A comment for field operations in message .google.spanner.admin.instance.v1.ListInstanceConfigOperationsResponse is changed (7a5afba)
  • A comment for field operations in message .google.spanner.admin.instance.v1.ListInstancePartitionOperationsResponse is changed (7a5afba)
  • A comment for field optional_replicas in message .google.spanner.admin.instance.v1.InstanceConfig is changed (7a5afba)
  • A comment for field parent in message .google.spanner.admin.instance.v1.ListInstancePartitionsRequest is changed (7a5afba)
  • A comment for field processing_units in message .google.spanner.admin.instance.v1.Instance is changed (7a5afba)
  • A comment for field processing_units in message .google.spanner.admin.instance.v1.InstancePartition is changed (7a5afba)
  • A comment for field referencing_backups in message .google.spanner.admin.instance.v1.InstancePartition is changed (7a5afba)
  • A comment for field replicas in message .google.spanner.admin.instance.v1.InstanceConfig is changed (7a5afba)
  • A comment for field storage_utilization_percent in message .google.spanner.admin.instance.v1.AutoscalingConfig is changed (7a5afba)
  • A comment for field unreachable in message .google.spanner.admin.instance.v1.ListInstancePartitionsResponse is changed (7a5afba)
  • A comment for message CreateInstanceConfigRequest is changed (7a5afba)
  • A comment for message DeleteInstanceConfigRequest is changed (7a5afba)
  • A comment for message UpdateInstanceConfigRequest is changed (7a5afba)
  • A comment for method CreateInstance in service InstanceAdmin is changed (7a5afba)
  • A comment for method CreateInstanceConfig in service InstanceAdmin is changed (7a5afba)
  • A comment for method CreateInstancePartition in service InstanceAdmin is changed (7a5afba)
  • A comment for method ListInstanceConfigOperations in service InstanceAdmin is changed (7a5afba)
  • A comment for method ListInstanceConfigs in service InstanceAdmin is changed (7a5afba)
  • A comment for method ListInstancePartitionOperations in service InstanceAdmin is changed (7a5afba)
  • A comment for method MoveInstance in service InstanceAdmin is changed (7a5afba)
  • A comment for method UpdateInstance in service InstanceAdmin is changed (7a5afba)
  • A comment for method UpdateInstanceConfig in service InstanceAdmin is changed (7a5afba)
  • A comment for method UpdateInstancePartition in service InstanceAdmin is changed (7a5afba)
  • Fix typo timzeone -> timezone (7a5afba)

Storage Transfer Service

Transfers over a Google-managed private network are now supported from more AWS regions, including regions in Europe and Asia. See the full list of supported regions.

Virtual Private Cloud

You can access global Google APIs by using Private Service Connect backends that are based on cross-region internal Application Load Balancers. This feature is available in General Availability. For more information, see Access global Google APIs through backends.

March 30, 2025

Google SecOps SOAR

Remote Agent Release 2.4.0

Remote agent high availability

Remote agents can now leverage high availability deployment, ensuring increased reliability for remote connectors, actions, and jobs.

This feature also introduces a new cloud-based remote connector scheduler for improved performance and scalability.

For more information, see Deploy high availability in remote agents.

Release 6.3.40 is now available for all regions.

March 29, 2025

Google SecOps SOAR

Release 6.3.41 is being rolled out to the first phase of regions as listed here.

Configure user preferences

The ability to manage platform time zones, date/time settings, and notifications has moved to the new User Preferences dialog, accessible from your avatar.

In addition, a new accessibility option in the User Preferences dialog lets you customize how long feedback messages remain on the screen.

For more information, see Configure user preferences.

March 28, 2025

Access Approval

Access Approval supports Org Lifecycle API in the GA stage.

Access Approval supports Integration Connectors in the GA stage.

Access Transparency

Access Transparency supports Integration Connectors in the GA stage.

Access Transparency supports Org Lifecycle API in the GA stage.

Assured Workloads

The CJIS control package now supports the following products:

  • Bigtable
  • Cloud Armor
  • Cloud Workstations
  • Storage Transfer Service

Cloud Data Fusion

The Python Transform plugin (version 2.3.2) is available in CDAP version 6.10.1. This includes a bug fix for the deprecated PROTOCOL_TLSv1 on Dataproc 2.0 and later. The issue occurs when earlier TLS versions, such as TLSv1 and TLSv1.1, are disabled by default due to security concerns. Applications relying on ssl.PROTOCOL_TLSv1 in Python might fail and require updates to use ssl.PROTOCOL_TLSv1_2 or later.
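
An added example, not part of the release note or of the plugin's own code: a static check that finds legacy protocol pins such as ssl.PROTOCOL_TLSv1 in a Python script, next to a replacement context that negotiates the version with a TLS 1.2 floor instead of pinning one. The sample script, the function names and the choice of a negotiated context are assumptions made for illustration.

```python
import ast
import ssl

# Constants that pin a context to one legacy protocol version. These are the
# two versions the note names as disabled by default (TLSv1 and TLSv1.1).
LEGACY_PINS = {"PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}

# Constructed sample input (not taken from any real pipeline).
SAMPLE_TRANSFORM = '''\
import ssl
import ssl as tls
from ssl import PROTOCOL_TLSv1_1 as OLD

def transform(record, emitter, context):
    a = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    b = tls.SSLContext(tls.PROTOCOL_TLSv1_2)
    c = ssl.SSLContext(OLD)
    emitter.emit(record)
'''


def find_legacy_tls_pins(source, filename="<script>"):
    """Return sorted (line, constant) pairs for every legacy pin in source.

    Handles `import ssl`, `import ssl as x`, and
    `from ssl import PROTOCOL_TLSv1 [as y]`.
    """
    tree = ast.parse(source, filename=filename)
    ssl_aliases = set()   # local names bound to the ssl module
    direct_names = {}     # local name -> legacy constant imported from ssl
    findings = set()

    # Pass 1: collect how the ssl module and its constants are named locally.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "ssl":
                    ssl_aliases.add(alias.asname or "ssl")
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl":
            for alias in node.names:
                if alias.name in LEGACY_PINS:
                    direct_names[alias.asname or alias.name] = alias.name
                    findings.add((node.lineno, alias.name))

    # Pass 2: find every use of those names.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute)
                and node.attr in LEGACY_PINS
                and isinstance(node.value, ast.Name)
                and node.value.id in ssl_aliases):
            findings.add((node.lineno, node.attr))
        elif (isinstance(node, ast.Name)
                and isinstance(node.ctx, ast.Load)
                and node.id in direct_names):
            findings.add((node.lineno, direct_names[node.id]))

    return sorted(findings)


def modern_client_context():
    """Client context that negotiates the highest shared version, TLS 1.2+.

    Assumption of this example: a negotiated context with a floor is used in
    place of pinning ssl.PROTOCOL_TLSv1_2, which is itself a deprecated
    single-version constant in current Python releases.
    """
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for line, name in find_legacy_tls_pins(SAMPLE_TRANSFORM):
        print(f"line {line}: ssl.{name} pins a TLS version disabled by default")
    print("replacement floor:", modern_client_context().minimum_version.name)
```
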

Cloud Run

The ability to disable the Invoker IAM check for Cloud Run services is now at general availability (GA).

Cloud SQL for SQL Server

When you create a Cloud SQL for SQL Server instance, version SQL Server 2022 Standard is now the default.

Confidential Space

AWS token support for Confidential Space is now generally available.

You can now integrate Confidential Space with AWS resources. For more information, see Integrate AWS resources.

Dataproc

Dataproc Serverless for Spark: Hadoop Native libraries are installed by default in all runtimes.

Filestore

Instance replication is now generally available (GA).

Gemini Code Assist

Local codebase awareness is now available for IntelliJ Gemini Code Assist. You can now include files from your local IDE project in the prompt context by typing @ in the chat prompt box.

You can now see what files are used by IntelliJ Gemini Code Assist chat and can customize the context as needed.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.29.1200-gke.99 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.29.1200-gke.99 runs on Kubernetes v1.29.13-gke.500. This is the final patch for the 1.29 minor release.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The 1.29.1200-gke.99 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Distributed Cloud (software only) for bare metal

Release 1.29.1200-gke.98

Google Distributed Cloud for bare metal 1.29.1200-gke.98 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.29.1200-gke.98 runs on Kubernetes v1.29.13-gke.500. This is the final patch for the 1.29 minor release.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

Updated the cluster upgrade operation to keep only the three latest kubeadm backups of etcd and configuration information for a node. Previously, kubeadm kept node backups for every attempted upgrade.

Fixed an issue that caused cluster creation to fail because kubelet restarted before required static pods were running.

The 1.29.1200-gke.98 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

Google Kubernetes Engine

In version 1.32.1-gke.1729000 and later, you can customize specific kubelet and Linux kernel parameters like sysctls and huge pages by using the nodeSystemConfig field in your GKE compute classes. Additionally, you can now specify default values for fields that are omitted in individual rules in a compute class by using the priorityDefaults field. For details, see About custom compute classes.

Memorystore for Redis Cluster

Finding and setting maintenance windows are now Generally Available (GA) on Memorystore for Redis Cluster.

Memorystore for Valkey

You can now perform maintenance on a Memorystore for Valkey instance. This feature is in Public Preview.

NetApp Volumes

The auto-tiering feature, which was previously available to allow-listed users, is now generally available. For more information, see Auto-tiering.

You can now create and manage quota rules on a NetApp Volumes volume using the Google Cloud console. For more information, see Manage quota rules.

Added performance benchmark information for the electronic design automation workload.

Spanner

Spanner vector index and approximate nearest neighbor (ANN) distance functions in the GoogleSQL-dialect are Generally Available. If you have a table with a large amount of vector data, you can use a vector index to accelerate similarity searches and nearest neighbor queries. Spanner now also supports the following:

  • ALTER VECTOR INDEX DDL syntax
  • Import and export databases that use ANN
  • Use the STORING clause to store a copy of a column in the vector index to accelerate queries that filter by those columns
  • Use ANN in instances smaller than one node or 1000 processing units

For more information, see Find approximate nearest neighbors, create vector indexes, and query vector embeddings.

Spanner ANN indexes are now supported in LangChain. For more information, see LangChain Quickstart for Spanner.

VPC Service Controls

VPC Service Controls feature (Status: Preview): VPC Service Controls adds support for using IAM roles in ingress and egress rules to allow access to resources protected by service perimeters. This feature is available in Preview.

For more information, see Configure IAM roles in ingress and egress rules.

General availability support for the following integration:

Preview stage support for the following integration:

Workflows

Support for a Kubernetes API connector is generally available (GA). The connector allows you to interact with Kubernetes objects in a Google Kubernetes Engine cluster. For more information, see Access Kubernetes API objects using a connector.

March 27, 2025

Anthos Config Management

Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.

Apigee X

On March 27, 2025, we released an updated version of Apigee.

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functionality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

On March 26, 2025, we released an updated version of Apigee (1-14-0-apigee-5). This Apigee version applies only to organizations using the JavaCallout policy in production environments.

Bug ID Description
N/A Updates to security infrastructure and libraries.

Apigee hybrid

On March 27, 2025, we released an updated version of Apigee.

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functionality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

BigQuery

You can now enable metadata caching for SQL translation, which can significantly reduce latency for subsequent translation requests. This feature is in preview.

Cloud Build

In the filtering toolbar of the Build history page, you can now filter builds by region. The region drop-down has been removed. For more information, see View build results.

Cloud Service Mesh

1.24.3-asm.6 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.3-asm.6 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.3 subject to the list of supported features. Cloud Service Mesh version 1.24.3-asm.6 uses envoy v1.32.4-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

1.23.5-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.5 subject to the list of supported features. Cloud Service Mesh version 1.23.5-asm.3 uses envoy v1.31.6-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

1.22.8-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.8-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.8 subject to the list of supported features. Cloud Service Mesh version 1.22.8-asm.5 uses envoy v1.30.10-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

1.21.5-asm.34 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.34 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh version 1.21.5-asm.34 uses envoy v1.29.12-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Cloud Workstations

Cloud Workstations is available in the me-central2 region (Dammam, Saudi Arabia, Middle East). For more information, see Locations.

Dialogflow

Dialogflow CX (Conversational Agents) data stores: Dialogflow now supports additional native and third-party data store sources as a private GA feature. For a list of data store sources, integration instructions, and the request form to be added to the allowlist, see the data stores documentation.

Dialogflow CX (Conversational Agents) data store handlers: The method of adding data store handlers to an agent has been streamlined. You are no longer required to create a Chat app on Agent Builder. For updated implementation instructions, see the data stores tools documentation.

Google SecOps

Google SecOps is renaming Applied Threat Intelligence (ATI) rules to improve clarity and better reflect the associated UDM fields with each rule detection.

Currently, multiple underlying ATI rules with the same name can appear in the Google SecOps console, even though the rules apply to different UDM fields.

This change modifies the rule_name field in the customer metadata to specify the relevant UDM field for each rule.

For example:

Old rule name: ATI Active Breach Rule Match for File IoCs (SHA256)

New rule name: ATI Active Breach Rule Match for File IoCs (about.file.sha256)

Google SecOps SIEM

Google SecOps is renaming Applied Threat Intelligence (ATI) rules to improve clarity and better reflect the associated UDM fields with each rule detection.

Currently, multiple underlying ATI rules with the same name can appear in the Google SecOps console, even though the rules apply to different UDM fields.

This change modifies the rule_name field in the customer metadata to specify the relevant UDM field for each rule.

For example:

Old rule name: ATI Active Breach Rule Match for File IoCs (SHA256)

New rule name: ATI Active Breach Rule Match for File IoCs (about.file.sha256)

Network Connectivity Center

Site-to-site data transfer locations in the following countries have been added to Network Connectivity Center:

  • Belgium
  • Canada
  • Chile
  • Finland
  • Israel
  • Mexico
  • Sweden

Secret Manager

Parameter Manager, an extension to the Secret Manager service, is now generally available (GA). Parameter Manager lets you store, access, and manage the lifecycle of workload parameters. You can interact with Parameter Manager using the console, gcloud CLI, REST API, and client libraries.

For information, see the Parameter Manager documentation.

Spanner

You can save and manage your SQL scripts in Spanner Studio. This feature is in preview. For more information, see Saved queries overview.

Text-to-Speech

Chirp 3: HD voices in en-US now support experimental features for pace and pause controls.

VPC Service Controls

General availability support for the following integration:

Vertex AI

Generally available: To reduce the cost of running your training and prediction jobs, you can use Spot VMs. Spot VMs are virtual machine (VM) instances that are excess Compute Engine capacity. Spot VMs have significant discounts, but Compute Engine might preemptively stop or delete Spot VMs to reclaim the capacity at any time.

For more information, see Use Spot VMs with training and Use Spot VMs with prediction.

March 26, 2025

API Gateway

On March 26, 2025, we released an updated version of API Gateway.

With this release, customer data in API Gateway is now CMEK-compliant at rest. No configuration is required.

For more information, see CMEK compliance in API Gateway.

To learn more about CMEK, see Customer-managed encryption keys (CMEK).

BigQuery

You can now set the column granularity when you create a search index, which stores additional column information in your search index to further optimize your search query performance. This feature is in preview.

Bigtable

The Monitoring page in the Google Cloud console for Bigtable has been renamed to System insights.

Cloud Composer

Data lineage in Cloud Composer now uses OpenLineage.

Data lineage support for a specific Airflow operator is now provided by the provider package where the operator is located. See Supported classes in the apache-airflow-providers-openlineage documentation for a list of latest supported operators.

For more information about data lineage in Cloud Composer, see Data lineage with Dataplex.

This feature is being rolled out gradually. It will be available in us-west1, us-south1, europe-north1, me-west1, asia-northeast2, asia-southeast2, and africa-south1 regions. We plan to provide this feature in other regions in future releases.

(Available without upgrading) Fixed an issue with updating maintenance windows when there is an upcoming Cloud Composer 3 infrastructure operation.

(Airflow 2.10.2 and 2.9.3) The apache-airflow-providers-google package was upgraded to version 14.0.0 in Cloud Composer 2 images and Cloud Composer 3 builds.

This package is a new major version where many previously deprecated Airflow operators are removed. It is not possible to use these operators in your DAGs.

Make sure that you update your DAGs to use up-to-date alternatives of the removed operators. For more information about removed and deprecated Airflow operators and their up-to-date alternatives, see Deprecated and removed Airflow operators.

For more information about changes, see the apache-airflow-providers-google changelog from version 10.26.0 to version 14.0.0.

(Airflow 2.10.2 and 2.9.3) The apache-airflow-providers-cncf-kubernetes package was upgraded to version 10.3.0 in Cloud Composer 2 images and Cloud Composer 3 builds. For more information about changes, see the apache-airflow-providers-cncf-kubernetes changelog from version 10.1.0 to version 10.3.0.

(Airflow 2.10.2 and 2.9.3) Changes in preinstalled packages:

  • apache-airflow-providers-postgres was upgraded to 6.1.0 from 5.14.0.
  • apache-airflow-providers-smtp was upgraded to 2.0.0 from 1.9.0.
  • types-requests was removed from preinstalled packages.

New Airflow builds are available in Cloud Composer 3:

  • composer-3-airflow-2.10.2-build.12 (default)
  • composer-3-airflow-2.9.3-build.19

New images are available in Cloud Composer 2:

  • composer-2.12.0-airflow-2.10.2 (default)
  • composer-2.12.0-airflow-2.9.3

Cloud Composer versions 2.6.4, 2.6.5, and 2.6.6 have reached their end of support period.

Cloud Deploy

Cloud Deploy is now available in the following regions:

  • northamerica-south1 (Mexico)
  • europe-north2 (Stockholm)

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Run

Cloud Run services configured with Direct VPC egress now use only 2 times (2X) as many IP addresses as the number of instances for the duration of the instance plus up to 20 minutes, reduced from 4X as many IP addresses.

Compute Engine

Generally available: You can use instant snapshots to take in-place backups of the following types of disks:

  • Hyperdisk Balanced
  • Hyperdisk Balanced High Availability
  • Hyperdisk Extreme

Instant snapshots are ideal for rapid data restoration only within the same location as the source disk. You can use an instant snapshot to create a new disk in under a minute. For more information, see About instant snapshots.

Generally available: You can specify a custom ephemeral internal IPv6 address when creating an instance. For more information, see Create instances that use IPv6 addresses.

Generally available: Asynchronous Replication is now generally available for Hyperdisk Balanced, Hyperdisk Balanced High Availability, and Hyperdisk Extreme disks. Asynchronous Replication provides low-RPO and low-RTO block storage replication for cross-region disaster recovery. For more information, see About Asynchronous Replication.

Google Cloud Marketplace

Google Cloud Private Marketplace now lets you control access at the product level, across all deployment surfaces (Cloud Marketplace, API, and the command line), for the following types of products:

  • Compute Engine products
  • Google Kubernetes Engine products
  • Cloud Run
  • Procurable Vertex AI products
  • Procurable data products

If you've ever previously turned on Private Marketplace, you must upgrade it to ensure that it properly blocks API deployments of unapproved products. For more information, see Upgrade Google Cloud Private Marketplace's enforcement capabilities.

Google Kubernetes Engine

(2025-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

Regular channel

There are no new releases in the Regular channel.

Stable channel

Extended channel

No channel

Google SecOps

The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully deprecated by April 30, 2025. This applies to non-Enterprise+ customers only.

Google SecOps SIEM

The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully deprecated by April 30, 2025. This applies to non-Enterprise+ customers only.

Resource Manager

Custom organization policies are now available in Preview for Cloud Resource Manager. For more information, see Manage resources with custom constraints.

Vertex AI

Generally available: You can consume reservations of VMs that have GPUs attached with your custom training jobs or prediction jobs. Reservations of Compute Engine zonal resources help you gain a high level of assurance that your jobs have the necessary resources to run. For more information, see the following:

Vertex AI Workbench

The ability to back up and restore data on a Vertex AI Workbench instance is now generally available. For more information, see Back up and restore data on an instance.

Virtual Private Cloud

Support for the following is available in General availability for dual-stack configurations:

  • IPv6 static routes with a next hop internal passthrough Network Load Balancer (next-hop-ilb)
  • IPv6 static routes with a next hop instance identified by address (next-hop-address)

For more information, see Next hops and features in the static routes overview.

March 25, 2025

API Gateway

On March 25, 2025, we released an updated version of API Gateway.

API Gateway now supports Workforce Identity Federation.

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce — a group of users, such as employees, partners, and contractors — using Identity and Access Management (IAM) to access API Gateway services.

See Identity federation: products and limitations for more information.

Apigee Advanced API Security

On March 25, 2025, we released an updated version of Advanced API Security.

Risk Assessment v2 is now the default Risk Assessment version

Starting with this release, Risk Assessment v2 is the default Risk Assessment version in the UI. You will see the v2 functionality and interfaces unless you choose to switch back to v1 by clicking Switch to v1 in the upper right of the UI.

Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

New Advanced API Security support when using data residency (DRZ) with Apigee hybrid

Advanced API Security is now available for Apigee hybrid orgs using DRZ, for hybrid versions 1.14.0 and later. See Using data residency with Apigee hybrid.

See Introduction to data residency for information on DRZ and Advanced API Security support across organization types.

New features added to public preview of Risk Assessment v2

This release introduces new features to the Risk Assessment v2 preview:

  • Security monitoring conditions. Security monitoring conditions allow you to map resources (proxies or environments) to security profiles. Cloud Monitoring can then use this mapping to alert or create dedicated dashboards so that you can track security scores over time.
  • Alerts on security monitoring conditions. Once you've created a monitoring condition, you can set up alerts using Alerting in Cloud Monitoring so that you're notified when the security scores change.

For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Apigee hybrid

On March 25, 2025, we released an updated version of Advanced API Security.

New Advanced API Security support when using data residency (DRZ) with Apigee hybrid

Advanced API Security is now available for Apigee hybrid orgs using DRZ, for hybrid versions 1.14.0 and later. See Using data residency with Apigee hybrid.

See Introduction to data residency for information on DRZ and Advanced API Security support across organization types.

BigQuery

BigQuery ML now supports visualization of model monitoring metrics. This feature lets you use charts and graphs to analyze model monitoring function output. The following functions support metric visualization:

  • ML.VALIDATE_DATA_SKEW: compute the statistics for a set of serving data, and then compare them to the statistics for the data used to train a BigQuery ML model in order to identify anomalous differences between the two data sets.
  • ML.VALIDATE_DATA_DRIFT: compute and compare the statistics for two sets of serving data in order to identify anomalous differences between the two data sets.

This feature is in preview.

Cloud Run

New services using GPUs by default will have zonal redundancy turned on. However, you can now specify GPUs with zonal redundancy or without zonal redundancy, and request quota for either of these configurations. (In Preview)

Cloud SQL for MySQL

Cloud SQL read pools provide operational simplicity and scaling for your large read workloads.

Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.

You can scale your read pool in several ways:

  • Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
  • Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.

For more information, see About read pools.

Cloud SQL for PostgreSQL

Cloud SQL read pools provide operational simplicity and scaling for your large read workloads.

Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.

You can scale your read pool in several ways:

  • Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
  • Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.

For more information, see About read pools.

Cloud Trace

To send trace data to your Google Cloud project, we recommend that you use the new Telemetry API, which implements the OpenTelemetry OTLP API and provides compatibility and support for the open source ecosystem. The limits for the Telemetry API are often more generous than those for the proprietary Cloud Trace API, which you can continue to use. The Telemetry API supports VPC Service Controls. For more information about the Telemetry API, see the following documents:

Compute Engine

Resolved: Fixed the issue that caused Persistent Disks attached to VMs with n2d-standard-64 machine types to inconsistently reach the maximum performance limit of 100,000 IOPS.

For more information, see Known issues.

Confidential VM

On February 18, 2025, Google released a security fix for Confidential VM instances using AMD SEV-SNP on N2D machine types, which might result in performance degradation. The extent of the performance impact varies depending on the specific workload.

Generative AI on Vertex AI

Google Distributed Cloud (software only) for VMware

Since release 1.30.0-gke.1930, the featureGates.enableGMPForSystemMetrics field in the stackdriver custom resource is always on and can't be disabled. It has been enabled by default since 1.16. If you have manually turned this feature off, upgrading clusters to version 1.30 means a breaking change in the format of some system metrics. For information on this feature, see Using Managed Service for Prometheus.

Google Distributed Cloud (software only) for bare metal

Since release 1.30.0-gke.1930, the featureGates.enableGMPForSystemMetrics field in the stackdriver custom resource is always on and can't be disabled. It has been enabled by default since 1.16. If you've manually turned this feature off, upgrading clusters to version 1.30 means a breaking change in the format of some system metrics. For information on this feature, see Use Google Cloud Managed Service for Prometheus for selected system components.

NetApp Volumes

The backups feature for the Flex service level is now generally available. For more information, see About NetApp Volumes.

Google Cloud NetApp Volumes now supports cross-region backup vaults in Preview. For more information, see Backup vaults.

The Flex service level of Google Cloud NetApp Volumes now supports custom performance in Preview, enabling independent provisioning of capacity and performance with zonal pools in selected regions. For more information, see NetApp Volumes key features.

VPC Service Controls

Preview stage support for the following integration:

March 24, 2025

Apigee X

On March 24, 2025, we released an updated version of Apigee.

Apigee Spaces is now generally available (GA) for use in Apigee organizations.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows, and API products.

Spaces also provide the option of resource isolation at a team level, providing a clear separation of resources associated with different teams operating within the same Apigee organization. IAM policies can be applied at the Space level, eliminating the need to manage permissions individually for every API proxy, shared flow, and API product.

Spaces are a brand new resource type with resource-level permissions. This means that Space permissions are not subject to the 64k limitation for project-level IAM conditions. Each space has its own 64k limit.

To learn more, see Apigee Spaces overview.

Backup and DR

The Backup and DR service has added support for activating the management console, for creating backup plans, and for storing backup vault data in the following regions: northamerica-northeast1 (Montréal), northamerica-northeast2 (Toronto), and asia-east2 (Hong Kong).

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigquery

7.9.3 (2025-03-17)

Bug Fixes
  • Make sure to pass selectedFields to tabledata.list method (#1449) (206aff9)

Go

Changes for bigquery/storage/apiv1beta1

1.67.0 (2025-03-14)

Features
  • bigquery/reservation: Add a new field enable_gemini_in_bigquery to .google.cloud.bigquery.reservation.v1.Assignment that indicates if "Gemini in BigQuery" (601e742)
  • bigquery/reservation: Add a new field replication_status to .google.cloud.bigquery.reservation.v1.Reservation to provide visibility into errors that could arise during Disaster Recovery(DR) replication (#11666) (601e742)
  • bigquery/reservation: Add the CONTINUOUS Job type to .google.cloud.bigquery.reservation.v1.Assignment.JobType for continuous SQL jobs (601e742)
  • bigquery: Support MetadataCacheMode for ExternalDataConfig (#11803) (af5174d), refs #11802
Bug Fixes
  • bigquery: Increase timeout for storage api test and remove usage of deprecated pkg (#11810) (f47e038), refs #11801
  • bigquery: Update golang.org/x/net to 0.37.0 (1144978)
Documentation
  • bigquery/reservation: Remove the section about EDITION_UNSPECIFIED in the comment for slot_capacity in .google.cloud.bigquery.reservation.v1.Reservation to clarify that (601e742)
  • bigquery/reservation: Update the google.api.field_behavior for the .google.cloud.bigquery.reservation.v1.Reservation.primary_location and .google.cloud.bigquery.reservation.v1.Reservation.original_primary_location fields to clarify that they are OUTPUT_ONLY (601e742)

Java

Changes for google-cloud-bigquery

2.49.0 (2025-03-20)

Features
  • bigquery: Implement getArray in BigQueryResultImpl (#3693) (e2a3f2c)
  • Next release from main branch is 2.49.0 (#3706) (b46a6cc)
Bug Fixes
  • Retry ExceptionHandler not retrying on IOException (#3668) (83245b9)
Dependencies
  • Exclude io.netty:netty-common from org.apache.arrow:arrow-memor… (#3715) (11b5809)
  • Update actions/upload-artifact action to v4.6.2 (#3724) (426a59b)
  • Update actions/upload-artifact action to v4.6.2 (#3724) (483f930)
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.61.0 (#3703) (53b07b0)
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.62.0 (#3726) (38e004b)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250302-2.0.0 (#3720) (c0b3902)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250313-2.0.0 (#3723) (b8875a8)
  • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.65.0 (#3704) (53b68b1)
  • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.66.0 (#3727) (7339f94)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#3714) (e4512aa)
  • Update dependency com.google.oauth-client:google-oauth-client-java6 to v1.39.0 (#3710) (c0c6352)
  • Update dependency com.google.oauth-client:google-oauth-client-jetty to v1.39.0 (#3711) (43b86e9)
  • Update dependency node to v22 (#3713) (251def5)
  • Update netty.version to v4.1.119.final (#3717) (08a290a)
Documentation
  • Update error handling comment to be more precise in samples (#3712) (9eb555f)

You can now use KLL quantile functions to efficiently compute approximate quantiles. This feature is in preview.

You can now set labels on reservations. These labels can be used to organize your reservations and for billing analysis. This feature is in preview.

The BigQuery Data Transfer Service can now transfer reporting and configuration data from Google Analytics 4 into BigQuery. This feature is in preview.

We have redesigned the Add Data dialog to guide you through loading data into BigQuery with a source-first experience and enhanced search and filtering capabilities. This feature is generally available (GA).

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.56.0 (2025-03-18)

Features
  • bigtable: Add support for Logical Views in Admin API (#2519) (6dac3fd)
  • bigtable: Add support for Materialized Views in Admin API (#2511) (55cd719)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (7992af0)
Dependencies

Python

Changes for google-cloud-bigtable

2.30.0 (2025-03-18)

Features
Bug Fixes

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Binary Authorization
    • binaryauthorization.googleapis.com/Attestor
    • binaryauthorization.googleapis.com/PlatformPolicy
    • binaryauthorization.googleapis.com/Policy
  • Compute Engine
    • compute.googleapis.com/InstanceSettings
  • Network Security
    • networksecurity.googleapis.com/AuthorizationPolicy
    • networksecurity.googleapis.com/ClientTlsPolicy
    • networksecurity.googleapis.com/ServerTlsPolicy

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.22.0 (2025-03-18)

Features
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (dd25992)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#1779) (a643ab0)
  • Update googleapis/sdk-platform-java action to v2.55.1 (#1780) (505557e)

Cloud SQL for MySQL

Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.

Cloud SQL for PostgreSQL

Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.

Cloud SQL for SQL Server

Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.

Compute Engine

Generally available: Multi-writer support for Hyperdisk Balanced High Availability disks. You can give up to 8 VMs, across two zones, simultaneous read-write access to the same disk. For more information, see Share disks between instances.

Container Optimized OS

cos-dev-125-18964-0-0

Kernel: COS-6.6.83; Docker: v27.5.1; Containerd: v2.0.2; GPU Drivers: See List

Fixed an issue that resulted in missing grub boot measurements in some machine configurations.

Updated Python to v3.11.

Upgraded app-containers/docker, app-containers/docker-test, and app-containers/docker-cli to v27.5.1.

Updated app-admin/google-guest-configs to v20250207.00.

Updated the default tag of the GPU driver supporting the NVIDIA H200 GPU device to 570.86.15.

Upgraded cloud-init from 23.4.3 to 24.4.1.

Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.

Added support for the Lustre 2.14.0 client drivers.

Added support for NVIDIA 570.124.06 GPU driver. Updated the LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.

Added support for iRDMA devices.

Updated cos-gpu-installer to v2.4.8: Added the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during GPU driver installation.

Applied Intel patches to add iRDMA support in the Linux kernel.

Support for NVIDIA B200 GPU – Added support for the R570 driver series, including version 570.86.15. This version has been assigned the latest, default, and R570 tags.

Updated cos-gpu-installer to v2.4.7: (1) Added support for NVIDIA B200 GPU. (2) Enabled the --prepare-build-tools flag to preload GPU driver metadata for ARM64.

Upgraded sys-auth/pambase to v20250228.

Upgraded app-admin/google-guest-agent to v20250304.03.

Upgraded app-containers/docker-credential-helpers to v0.9.2.

Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.

Upgraded app-containers/runc and app-containers/runc-test to v1.2.5.

Upgraded app-admin/google-guest-configs to v20250221.00.

Upgraded app-admin/google-guest-agent to v20250225.00.

Upgraded app-admin/google-guest-agent to v20250204.02.

Upgraded app-admin/node-problem-detector to v0.8.20.

Upgraded app-admin/fluent-bit to v3.2.5.

Upgraded app-admin/google-guest-agent to v20250122.00.

Upgraded app-admin/google-guest-configs to v20250124.00.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r659.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2821.

Upgraded chromeos-base/shill-client to v0.0.1-r4838.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2820.

Upgraded chromeos-base/debugd-client to v0.0.1-r2728.

Upgraded chromeos-base/shill-client to v0.0.1-r4834.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2474.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2963.

Upgraded sys-apps/dbus to v1.14.10-r195.

Upgraded chromeos-base/minijail to v18-r163.

Upgraded chromeos-base/shill-client to v0.0.1-r4825.

Upgraded chromeos-base/minijail to v18-r160.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2471.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2818.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r658.

Upgraded sys-apps/dbus to v1.14.10-r194.

Upgraded chromeos-base/debugd-client to v0.0.1-r2727.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2962.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2961.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2470.

Upgraded chromeos-base/shill-client to v0.0.1-r4818.

Upgraded chromeos-base/debugd-client to v0.0.1-r2726.

Upgraded chromeos-base/google-breakpad to v2024.02.16.014630-r227.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2817.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r657.

Upgraded sys-libs/libseccomp to v2.6.0-r1.

Upgraded sys-apps/acl to v2.3.2-r2.

Upgraded sys-apps/pv to v1.9.31.

Upgraded dev-libs/nss to v3.109.

Updated app-admin/awscli to v1.38.4.

Updated dev-python/s3transfer to v0.11.4.

Updated dev-python/botocore to v1.37.9.

Updated dev-python/python-dateutil to v2.9.0.

Upgraded sys-apps/which to v2.23.

Upgraded dev-db/sqlite to v3.49.1.

Upgraded dev-libs/nss to v3.108.

Upgraded sys-apps/diffutils to v3.11-r1.

Upgraded dev-libs/double-conversion to v3.3.1.

Upgraded net-misc/socat to v1.8.0.3.

Upgraded sys-apps/diffutils to v3.11.

Upgraded sys-apps/pv to v1.9.27.

Upgraded sys-apps/hwdata to v0.391.

Upgraded dev-db/sqlite to v3.47.2-r1.

Upgraded sys-libs/libseccomp to v2.6.0.

Fixed a race condition that could cause a kernel panic.

Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.

Updated dev-go/oauth2 to v0.27.0. Fixes CVE-2025-22868.

Fixed CVE-2024-13176 in dev-libs/openssl.

Fixed CVE-2025-0395 in sys-libs/glibc.

Fixed CVE-2024-9287 in dev-lang/python.

Fixed CVE-2025-0840 in binutils.

Upgraded net-misc/openssh to version 9.9_p2. This fixed CVE-2025-26465 and CVE-2025-26466.

Upgraded sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.

Upgraded net-misc/wget to version 1.25.0. Fixes CVE-2024-10524.

Upgraded dev-libs/libxml2 to version 1.12.10. Fixes CVE-2025-27113.

Runtime sysctl changes:

  • Changed: fs.file-max: 811701 -> 811727

cos-beta-121-18867-0-73

Kernel: COS-6.6.74; Docker: v27.5.1; Containerd: v2.0.2; GPU Drivers: See List

Fixed an issue that resulted in missing grub boot measurements in some machine configurations.

Updated Python to v3.11.

Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.

Added support for the Lustre 2.14.0 client drivers.

Added support for NVIDIA 570.124.06 GPU driver. Updated the LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.

Upgraded app-admin/node-problem-detector to v0.8.20.

Updated app-admin/awscli to v1.38.4.

Updated dev-python/s3transfer to v0.11.4.

Updated dev-python/botocore to v1.37.9.

Updated dev-python/python-dateutil to v2.9.0.

Upgraded sys-apps/which to v2.23.

Upgraded sys-apps/pv to v1.9.31.

Fixed a race condition that could cause a kernel panic.

Fixed CVE-2024-58005 in the Linux kernel.

Fixed CVE-2024-57996 in the Linux kernel.

Fixed KCTF-647cef2 in the Linux kernel.

Fixed CVE-2025-21785 in the Linux kernel.

Fixed CVE-2025-21716 in the Linux kernel.

Fixed CVE-2025-21857 in the Linux kernel.

Fixed CVE-2024-58088 in the Linux kernel.

Fixed CVE-2025-21844 in the Linux kernel.

Fixed CVE-2025-21779 in the Linux kernel.

Fixed CVE-2025-21854 in the Linux kernel.

Fixed CVE-2025-21846 in the Linux kernel.

Fixed CVE-2025-21864 in the Linux kernel.

Fixed CVE-2025-21858 in the Linux kernel.

Fixed CVE-2025-21791 in the Linux kernel.

Fixed CVE-2025-21863 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811701 -> 811789

cos-109-17800-436-79

Kernel: COS-6.1.124; Docker: v24.0.9; Containerd: v1.7.24; GPU Drivers: See List

Added support for NVIDIA 570.124.06 GPU driver. Updated the R570 and LATEST GPU driver labels to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.

Upgraded sys-apps/which to v2.23.

Fixed a race condition that could cause a kernel panic.

Fixed CVE-2023-45288 in app-containers/docker.

Fixed CVE-2024-53166 in the Linux kernel.

Fixed KCTF-647cef2 in the Linux kernel.

Fixed CVE-2025-21716 in the Linux kernel.

Fixed CVE-2025-21785 in the Linux kernel.

Fixed CVE-2025-21844 in the Linux kernel.

Fixed CVE-2025-21779 in the Linux kernel.

Fixed CVE-2025-21846 in the Linux kernel.

Fixed CVE-2025-21864 in the Linux kernel.

Fixed CVE-2025-21858 in the Linux kernel.

Fixed CVE-2025-21791 in the Linux kernel.

Fixed CVE-2024-26982 in the Linux kernel.

Fixed CVE-2024-57996 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812258 -> 812224

cos-117-18613-164-93

Kernel: COS-6.6.72; Docker: v24.0.9; Containerd: v1.7.24; GPU Drivers: See List

Fixed an issue that resulted in missing grub boot measurements in some machine configurations.

Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.

Added support for the Lustre 2.14.0 client drivers.

Upgraded dev-lang/go to v1.23.7.

Fixed a race condition that could cause a kernel panic.

Fixed CVE-2024-58005 in the Linux kernel.

Fixed KCTF-647cef2 in the Linux kernel.

Fixed CVE-2025-21785 in the Linux kernel.

Fixed CVE-2025-21716 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811752 -> 811744

cos-113-18244-291-82

Kernel: COS-6.1.123; Docker: v24.0.9; Containerd: v1.7.24; GPU Drivers: See List

Fixed an issue that resulted in missing grub boot measurements in some machine configurations.

Fixed a race condition that could cause a kernel panic.

Fixed CVE-2024-58005 in the Linux kernel.

Fixed CVE-2024-53166 in the Linux kernel.

Fixed KCTF-647cef2 in the Linux kernel.

Fixed CVE-2025-21716 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812031 -> 812050

cos-105-17412-535-84

Kernel: COS-5.15.173; Docker: v23.0.3; Containerd: v1.7.23; GPU Drivers: See List

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2022-49728 in the Linux kernel.

Fixed CVE-2025-21785 in the Linux kernel.

Fixed KCTF-638ba50 in the Linux kernel.

Fixed KCTF-647cef2 in the Linux kernel.

Fixed CVE-2025-21858 in the Linux kernel.

Fixed CVE-2025-21791 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812699 -> 812690

Document AI

As we launch Custom Extractor version pretrained-foundation-model-v1.4-2025-02-05 in GA with fine tuning (in Preview), these versions will no longer be accessible effective September 24, 2025:

  • pretrained-foundation-model-v1.2-2024-05-10
  • pretrained-foundation-model-v1.3-2024-08-31

To avoid service disruptions, migrate to a later version, such as pretrained-foundation-model-v1.4-2025-02-05. To learn more about the migration process, refer to our Manage processor versions documentation.

Customers and projects can access pretrained-foundation-model-v1.2-2024-05-10 and pretrained-foundation-model-v1.3-2024-08-31 until September 24, 2025. This includes the ability to create tuning jobs and access fine-tuned processor versions.

Starting March 24, 2025:

  • Newly created processor versions using pretrained-foundation-model-v1.2-2024-05-10 can only be used for batch processing.
  • Newly created processor versions using pretrained-foundation-model-v1.2-2024-05-10 and pretrained-foundation-model-v1.3-2024-08-31 will have a quota limit of 120 pages per minute.

This update requires planning. If you have questions or need assistance, contact Google Cloud support.

Firestore

Cloud Firestore now supports multi-region nam7 United States (Central and East), which consists of regions us-central1 (Iowa) and us-east4 (Northern Virginia).

For a full list of supported locations, see Locations.

Firestore in Datastore mode

Firestore in Datastore mode now supports multi-region nam7 United States (Central and East), which consists of regions us-central1 (Iowa) and us-east4 (Northern Virginia).

For a full list of supported locations, see Locations.

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-datastore

2.27.1 (2025-03-18)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (ba1ad98)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#1791) (ab5ac8e)

Google SecOps

Purging of expired raw logs and normalized events is now based on the Ingestion Timestamp instead of the Event Timestamp.

Google SecOps SIEM

Purging of expired raw logs and normalized events is now based on the Ingestion Timestamp instead of the Event Timestamp.

Looker

The following features have been added to Studio in Looker, which is available in preview:

Looker Studio

Looker connector enhancements

The following enhancements to the Looker connector are available in Preview:

Partner connection launch update

The following partner connectors have been added to the Looker Studio Connector Gallery:

Media CDN

Media CDN supports dynamic compression in General Availability.

Memorystore for Redis Cluster

After you create a Memorystore for Redis Cluster instance, you can now change the node type for the instance. For more information, see Scale an instance.

Memorystore for Valkey

After you create a Memorystore for Valkey instance, you can now change the node type for the instance. For more information, see Scale an instance.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-pubsub

2.29.0 (2025-03-19)

Features
  • Add REST Interceptors which support reading metadata (4363179)
  • Add support for opt-in debug logging (4363179)
  • Deprecate enabled field for message transforms and add disabled field (4363179)
Bug Fixes
  • Allow logs to propagate upstream for caplog testing (#1374) (fa39b0e)
  • Allow Protobuf 6.x (#1369) (c95b7a5)
  • Fix typing issue with gRPC metadata when key ends in -bin (4363179)
Documentation
  • A comment for field code in message .google.pubsub.v1.JavaScriptUDF is changed (4363179)
  • Add samples and test for ingestion from Kafka sources (#1354) (820f986)
  • Deprecate enabled field for message transforms and add disabled field (4363179)
  • samples: Increase example max_bytes setting for cloud storage subscriptions to encourage more performant subscribe (#1324) (cb760a7)

VPC Service Controls

Preview stage support for the following integration:

The Dialogflow entry has been corrected to reflect that the Dialogflow integration with VPC Service Controls is generally available (GA).

The integration of Dialogflow with VPC Service Controls has been generally available since January 29, 2021.

March 23, 2025

Google SecOps SOAR

Release 6.3.40 is being rolled out to the first wave of regions as listed here.

Theme enhancement for SOAR platform

The header and left-hand navigation menu now fully reflect the selected theme. If you select the light theme, both the header and side menu will also appear in light mode. This might impact customers who are using the rebranding feature.

March 22, 2025

Google SecOps SOAR

Release 6.3.39 is now available for all regions.

March 21, 2025

Access Context Manager

Access Context Manager now supports custom organization policies. This feature is generally available (GA). For more information, see Create custom constraints for Access Context Manager.

Assured Workloads

The ITAR control package now supports Cloud Composer.

Cloud Build

In the filtering toolbar of the Triggers page, you can now filter by trigger repository and region. The region drop-down has been removed. For more information, see Create and manage build triggers.

You can now specify, in your build config file, a custom Pub/Sub topic for build notifications. For more information, see Pub/Sub topics for build notifications.

Cloud Deploy

Cloud Deploy now uses Skaffold 2.14 as the default Skaffold version, as of March 21, 2025, for all target types.

Cloud Monitoring

The Google-Built OpenTelemetry Collector is now available. This Collector is an open-source, production-ready build of the upstream OpenTelemetry Collector that is built with upstream OpenTelemetry Collector components. The Google-built Collector lets you send correlated OTLP traces, metrics, and logs to Cloud Observability and other backends from applications instrumented by using OpenTelemetry SDKs. The Collector also captures metadata for Google Cloud resources, so you can correlate application performance data with infrastructure telemetry data.

For information about using this Collector, see Overview of the Google-Built OpenTelemetry Collector.

Cloud Storage

Storage Intelligence for Cloud Storage is now generally available (GA). Storage Intelligence simplifies data management in Cloud Storage at scale by providing a unified platform for data exploration, cost optimization, security enforcement, and governance implementation. To learn more about Storage Intelligence, see Overview of Storage Intelligence.

Storage Insights datasets is now generally available (GA). Storage Insights datasets helps you get insights for your Cloud Storage resources and export the data to BigQuery. Storage Insights datasets is an exclusive feature only available through the Storage Intelligence subscription. To learn more about Storage Insights, see Overview of Storage Insights datasets.

Cross-bucket replication is now generally available (GA). You can use cross-bucket replication to copy new and updated objects asynchronously from a source bucket to a destination bucket.

Compute Engine

Generally available: Resource-based committed use discounts (CUDs) are available for licenses of RHEL operating system images. You can purchase commitments with a 1-year plan for these licenses and receive up to 20% discounts over on-demand prices.

To learn how to purchase these commitments, see Purchase commitments for licenses. For pricing information, reach out to your Technical Account Manager (TAM).

Config Controller

Config Controller now uses the following versions of its included products:

Dialogflow

The Conversational Agents console is now generally available (GA). This console combines the power of Generative AI playbooks and data stores with deterministic flows. Additional features:

  • The console is now hosted at https://conversational-agents.cloud.google.com/.
  • There is a new menu option for managing languages. Selecting Manage languages from the language drop-down menu at the top of the console now automatically redirects you to the Agent Settings language management section in the Deterministic Flows tab.
  • The simulator now has feature parity with the Dialogflow CX console.

Conversational Agents: Conversational Agents now supports multiple tool versions in addition to playbooks and flows. See the versions and environments documentation for details.

Conversational Agents: You can now toggle a Show latency option in the Conversational Agents Console simulator to view latency per conversation turn for simulator conversations. To view the latency breakdown, click the total latency value for the conversation turn. Latency values are also shown in the original response, Cloud Logging, and BigQuery export.

Be aware that latency values are not recorded directly in the logs, but are represented as startTime and completeTime values in the traceBlocks field.

Conversational Agents playbooks: New model gemini-2.0-flash (Preview) is now available. For more information and supported regions, see Model support.

Conversational Agents: New Chirp 3 HD Cloud Text-to-Speech voices are now available.

Conversational Agents playbooks: Playbooks now support 38 languages. Playbook language support is displayed on the language support page. Supported languages have been tested for quality with the gemini-2.0-flash-001 and gemini-1.5-flash-002 models.

Conversational Agents playbooks: You can now enable DTMF in playbook Settings and as a conditional action, as a Preview feature. See the playbook settings and DTMF for telephony integrations pages for more information.

Google Kubernetes Engine

In GKE version 1.32.2-gke.1652000 and later, new external LoadBalancer Services use zonal Network Endpoint Group (NEG) backends by default. This applies only to new backend service-based external LoadBalancer Services. Existing LoadBalancer Services are not affected. To learn more, see Create a backend service-based external load balancer.

All GKE clusters now export four new rollup metrics by default at no additional charge. These new metrics are for monitoring GKE TPU NodePools and JobSets:

  • kubernetes.io/node_pool/accelerator/times_to_recover: Distribution of recovery period durations. Each sample indicates a single recovery operation for the NodePool to recover from a downtime period. The data is sampled within 60s after the completion of NodePool recovery, and emitted within 24h. This metric does not include samples for downtime periods longer than 7 days. This metric is only applicable for GKE multi-host TPU node pools.

  • kubernetes.io/jobset/times_between_interruptions: Distribution of times between the end of the last interruption and the beginning of the current interruption for a JobSet. Each sample indicates a single duration between the last and current interruption. The data is sampled within 60s after the current interruption starts, and emitted within 24h. This metric does not include samples for durations between interruptions longer than 7 days. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.

  • kubernetes.io/jobset/times_to_recover: Distribution of recovery period durations. Each sample indicates a single recovery operation for the JobSet to recover from a downtime period. The data is sampled within 60s after the completion of JobSet recovery, and emitted within 24h. This metric does not include samples for downtime periods longer than 7 days. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.

  • kubernetes.io/jobset/uptime: Total time the JobSet has been available. The data is sampled every 60s and emitted within 24h after sampling. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.

Starting in GKE version 1.32.1-gke.1729000, Autopilot clusters will automatically use the new Performance HPA Profile. This new profile enables faster autoscaling on CPU and Memory metrics for up to 1,000 HorizontalPodAutoscaler objects by routing autoscaling metrics through the gke-metrics-agent DaemonSet. If desired, users can revert to the old autoscaling profile by disabling the Performance HPA Profile.

Kf

Upgraded server-side dependencies - Tekton Pipelines, Config Connector

Upgraded upload-pages-artifact dependency

Resource Manager

Custom organization policies are now generally available for Access Context Manager and VPC Service Controls. For more information, see Manage Access Context Manager resources with custom constraints and Create custom constraints for VPC Service Controls.

Security Command Center

Model Armor filter update

The prompt injection and jailbreak detection filter in Model Armor is upgraded with increased efficacy and higher model quality scores.

VPC Service Controls

VPC Service Controls now supports custom organization policies. This feature is generally available (GA). For more information, see Create custom constraints for VPC Service Controls.

March 20, 2025

BigQuery

BigQuery workflows have been renamed to BigQuery pipelines in the Google Cloud console. For more information, see Introduction to BigQuery pipelines.

You can now use repositories and workspaces in BigQuery to perform version control.

Repositories perform version control on files by using Git to record changes and manage file versions. You can use workspaces within repositories to edit the code stored in the repository.

You can have a repository use Git directly on BigQuery, or you can connect a repository to a third-party Git provider.

This feature is in preview.

You can now create remote models in BigQuery ML based on the Anthropic Claude model in Vertex AI.

Use the ML.GENERATE_TEXT function with these remote models to perform generative natural language tasks for text stored in BigQuery tables. Try this feature with the Generate text by using the ML.GENERATE_TEXT function tutorial.

You can also evaluate Claude models by using the ML.EVALUATE function.

This feature is generally available (GA).

Cloud Asset Inventory

The following resource types are now publicly available through the analyze policy (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) APIs.

  • Developer Connect
    • developerconnect.googleapis.com/Connection
    • developerconnect.googleapis.com/GitRepositoryLink

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Service Mesh

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some networksecurity and networkservices resources.

Cloud Service Mesh now supports dual-stack, extending IPv6 capability to both proxy-based Envoy and proxyless gRPC. For more information, see Configure IPv6 dual-stack for Cloud Service Mesh.

If you use the managed Cloud Service Mesh with the ISTIOD control plane implementation, important changes have been made to how and when you'll receive notifications of upcoming modernization. For details, see Managed control plane modernization.

Datastream

You can now use Secret Manager to securely store authentication resources with Datastream. For more information, see Use Secret Manager to store sensitive data.

Generative AI on Vertex AI

Anthropic's Claude Sonnet 3.7 is GA on Vertex AI and supports Provisioned Throughput. To learn more, view the Claude Sonnet 3.7 model card in Model Garden.

Looker Studio

Quotas for scheduled emails

Looker Studio now limits the number of recipients to whom a user can send scheduled emails per day and per month. See the Quotas for scheduled email delivery section for more information. If you have Looker Studio Pro, no such quotas apply. However, any reports in the Owned by me folder are considered to be personal reports and will be subject to quotas. To resolve this, you can upgrade a report to Looker Studio Pro.

Scheduled email updates

The following features are now available only for Looker Studio Pro reports:

  • Send Now: The ability to immediately send a report with email using the "Send Now" option is available only for Pro reports.
  • Custom Subject and Messages: The option to customize the email subject and message is available only for Pro reports. Any custom messages in existing schedules will be preserved, but you will no longer be able to edit them.
  • Image in Preview: A preview of the report will be added to emails only for Pro reports.

These features are also unavailable for reports in the Owned by me folder, even if you have Looker Studio Pro. To resolve this, you can upgrade a report to Looker Studio Pro.

Preview your data

The data source editor displays a preview of the data in your fields. This feature is now generally available.

Partner connection launch update

The following partner connectors have been added to the Looker Studio Connector Gallery:

Oracle Database@Google Cloud

Security Command Center

The Risk section of the SecOps console has been updated for Security Command Center Enterprise, introducing the following features in Preview:

  • Issues are the most important security risks Security Command Center Enterprise has found in your cloud environments. Sourced from Security Command Center's virtual red teaming and security graph, issues give you all the details you need to understand, triage, and remediate a risk. Explore attack path diagrams, attack exposure scores, exposed resources, related findings, and whether multiple issues exist on a primary resource, all from one place.
  • Security graph is a graph database that has cloud resources like assets, identities, apps, and data assigned to its nodes, while the edges of the graph determine the risk relationship between those resources following detection rules. When a relationship risk is discovered, the security graph generates an issue.
  • Chokepoints are critical severity issues that focus on common resources or resource groups where multiple attack paths converge. Because of this focus on a common point, resolving a chokepoint can resolve other issues too, like toxic combinations.

The Risk Overview dashboard has also been updated, and a new Issues page added to the Risk section. You can navigate through different security domains in the Risk section using the tabs near the top of the page, such as All risk, Vulnerabilities, and Code.

Vertex AI Workbench

Encrypt your data-in-use by using Confidential Computing. This feature is now available in Preview. You can enable the Confidential VM service when you create a Vertex AI Workbench instance. To get started, see Create an instance with Confidential Computing.

March 19, 2025

AI Applications

Vertex AI Search: Generate and return charts in answers and with follow-ups (Public preview)

The answer method can include a chart in an answer, as well as text. The chart is generated from the data in the data store. A chart is generated if there is sufficient data, and the query either asks for a chart or the answer is sufficiently complex that the method itself determines that a chart is helpful.

This feature is in public preview and is only available through the API. For more information, see Generate charts for answers.

Vertex AI Search: Return corpus images in answers and with follow-ups (Public preview)

The answer method can return images in answers, along with text.

If appropriate, one image from the data store can be returned with the answer. Citations can also include images from the data store.

This feature is restricted to queries made to unstructured data stores where the layout parser is in effect and is only available through the API. For more information, see Retrieve existing images from the data store.

Agent Assist

Build your own Gen AI Assist is available in preview. BYOA is available in all customer engagement suite regions and offers the following:

  • Foundation models
  • Gemini access
  • New trigger events based on agent and customer messages

Agent Assist offers Vertex extensions for Build your own assist (BYOA) in preview. Enable BYOA to access remote APIs with Vertex LLM extensions.

AlloyDB for PostgreSQL

Performing an in-place major version upgrade of your AlloyDB cluster is generally available (GA). You can upgrade your AlloyDB cluster to any higher supported PostgreSQL version. For information about supported PostgreSQL versions, see Database version policies.

Compute Engine

Preview: You can create regionally scoped snapshots. Setting a regional scope ensures that all snapshot data and the metadata necessary to use the snapshot are co-located within the scoped region. Regionally scoped snapshots also support additional location control by letting you restrict allowed snapshot creation and restore locations.

For more information, see Snapshot scopes.

Document AI

Custom Extractor model pretrained-foundation-model-v1.4-2025-02-05 is in General Availability (GA), and has fine-tuning available in Preview for the US and EU.

From version v1.4 and later, we will use a new quota for online processing called Number of online process document pages per minute per processor_type_and_model_version. This quota will be enforced at a per-page and per-foundation model level. There will be no change to the batch processing quota.

Google Kubernetes Engine

(2025-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

Rapid channel

  • Version 1.32.2-gke.1182001 is now the default version for cluster creation in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.32.2-gke.1182000
    • 1.32.2-gke.1400001
  • Auto-upgrade targets are now available for the following minor versions:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182001 with this release.
  • The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182001 with this release.

Regular channel

  • Version 1.32.2-gke.1182001 is now available in the Regular channel.
  • Version 1.32.2-gke.1182000 is no longer available in the Regular channel.

Stable channel

Extended channel

No channel

Google SecOps

The following parser documentation is now available:

Collect AWS Config logs

Collect AWS Elastic Load Balancing logs

Collect AWS Route 53 logs

Collect AWS S3 server access logs

Collect AWS WAF logs

Collect Azure Application Gateway logs

Collect Carbon Black App Control logs

Collect Carbon Black EDR logs

Collect Delinea Secret Server logs

Collect Radware WAF logs

Collect AWS Aurora logs

Collect AWS CloudWatch logs

Collect AWS Control Tower logs

Collect AWS Elastic MapReduce logs

Collect AWS Key Management Service logs

Collect AWS Macie logs

Collect AWS Network Firewall logs

Collect AWS Security Hub logs

Collect AWS Session Manager logs

Collect Zscaler DLP logs

Collect Zscaler Tunnel logs

Collect Zscaler VPN logs

Collect Zscaler ZPA Audit logs

Collect Zscaler ZPA logs

Collect Zscaler CASB logs

Collect Azure AD Sign-In logs

Collect Azure API Management logs

Collect Azure APP Service logs

Collect Azure Firewall logs

Collect Azure VPN logs

Collect AWS VPN logs

Collect Azure Storage Audit logs

Collect Azure WAF logs

Collect Cloud IoT logs

Collect Cloud Run logs

Collect Cloud Compute logs

Collect CrowdStrike Falcon Stream logs

Collect SentinelOne Deep Visibility logs

Collect Cloud VPC Flow Logs

Collect Cloud Compute context logs

Collect Cloud Intrusion Detection System (Cloud IDS) logs

Collect Cloud Next Generation Firewall Enterprise logs

Collect Cloud Storage context logs

Collect Cloud Identity and Access Management (IAM) Analysis logs

Collect Cloud Identity Devices logs

Collect Cloud Identity Device Users logs

Collect Cloud Security Command Center Error logs

Collect Cloud Security Command Center Observation logs

Collect Cloud Security Command Center Posture Violation logs

Collect Cloud Security Command Center Toxic Combination logs

Collect Cloud Security Command Center Unspecified logs

Collect Cloud Secure Web Proxy logs

Migrate to Virtual Machines

Generally available: Migrate to Virtual Machines support for the Arm64 migration journey is now generally available. This feature lets you migrate Arm virtual machine (VM) instances from AWS and Azure cloud services to Arm VM instances on Compute Engine, and it is supported for the following operating systems:

  • Debian 11 and 12
  • RHEL 9
  • Rocky Linux 8 and 9
  • SLES 15 SP5
  • Ubuntu 20.04 and 22.04

Sensitive Data Protection

The CZECHIA_PASSPORT infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

March 18, 2025

AI Hypercomputer

Generally available: The A4 accelerator-optimized machine type is now generally available. A4 VMs are powered by NVIDIA B200 GPUs and provide up to 3x performance of previous GPU machine types for most GPU accelerated workloads. A4 is especially recommended for ML training workloads at large scales. A4 is available in the following region and zone:

  • Council Bluffs, Iowa: us-central1-b

When provisioning A4 machine types, you can use Hypercompute Cluster to request capacity and create VMs or clusters. To get started see Overview of creating VMs and clusters.

Software stack updates

The following new Docker images are also released to support workloads running on your A4 GKE clusters that are deployed using Hypercompute Cluster.

  • NeMo docker image: nemo25.02-gib1.0.5-A4
  • MaxText docker image: jax-maxtext-gpu:jax0.5.1-cuda_dl25.02-rev1-maxtext-20150317

For more information, see AI Hypercomputer images.

AlloyDB for PostgreSQL

You can use a query recall evaluator (Preview) to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results. For more information, see Measure vector query recall.

App Engine flexible environment .NET

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment Go

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment Java

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment Node.js

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment PHP

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment Python

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment Ruby

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine flexible environment custom runtimes

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment Go

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment Java

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment Node.js

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment PHP

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment Python

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

App Engine standard environment Ruby

Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.

Cloud Composer

After April 15, 2025 the database retention policy feature will be enabled by default in newly created Cloud Composer 3 environments.

This feature helps to maintain the Airflow database size. You can enable or disable the database retention policy or adjust the retention period for new and existing environments.

The issue with Cloud Composer 2 upgrade operations is now resolved. The upgrade operations are unblocked in all regions.

Cloud SQL for MySQL

Container Registry

Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry shut down and how to migrate to Artifact Registry, see Container Registry deprecation.

Gemini Code Assist

Streamed chat responses are now available in public preview for IntelliJ and VS Code Gemini Code Assist. You can disable this feature in settings.

You can now configure and use custom commands in the inline chat menu and lightbulb menu for VS Code Gemini Code Assist. To view custom commands settings, go to Settings > Gemini Code Assist > Custom Commands.

Fixed an issue with an infinite progress bar while trying to log in to IntelliJ Gemini Code Assist.

Google Cloud VMware Engine

VMware Engine is integrated with Google Cloud Essential Contacts for email notifications. Automatic emails are sent to the appropriate Essential Contacts notification categories for service-impacting events. For more information, see Overview of VMware Engine monitoring.

Google Distributed Cloud (software only) for VMware

Google Distributed Cloud (software only) for VMware 1.31.300-gke.81 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.31.300-gke.81 runs on Kubernetes v1.30.9-gke.500.

If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.

After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

The 1.31.300-gke.81 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Distributed Cloud (software only) for bare metal

Release 1.31.300-gke.81

Google Distributed Cloud for bare metal 1.31.300-gke.81 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.31.300-gke.81 runs on Kubernetes v1.31.5-gke.700.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

The 1.31.300-gke.81 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.

Google Kubernetes Engine

On GKE clusters running versions 1.32.2-gke.1182000 to 1.32.2-gke.1297000, Pods using Cloud Storage FUSE CSI driver volumes (persistent or CSI ephemeral) fail to schedule when both of the following are true:

The fix is available on GKE cluster version 1.32.2-gke.1297001 or later.

Google SecOps

Statistics and aggregations in UDM search using YARA-L 2.0

You can now run statistical queries on UDM events and group the results for analysis using YARA-L 2.0. You can use the statistical queries to track critical metrics, detect anomalous behavior, and analyze trends over time. For more information on how to run statistical queries on UDM events, see Statistics and aggregations in UDM search using YARA-L 2.0.

Google SecOps SIEM

Statistics and aggregations in UDM search using YARA-L 2.0

You can now run statistical queries on UDM events and group the results for analysis using YARA-L 2.0. You can use the statistical queries to track critical metrics, detect anomalous behavior, and analyze trends over time. For more information on how to run statistical queries on UDM events, see Statistics and aggregations in UDM search using YARA-L 2.0.

Resource Manager

Custom organization policies are now generally available for Cloud Service Mesh. For more information, see Set up custom constraints.

Security Command Center

Cloud Infrastructure Entitlement Management (CIEM) has launched support for the following:

  • Log ingestion from Amazon SQS queues.
  • An alternate CIEM only feed to reduce costs.

For more information, see Configure AWS log ingestion for CIEM.

This feature is available in General Availability to the Security Command Center Enterprise tier.

Spanner

The default time zone of your Spanner databases can now be set. For more information, see Set the default time zone of a database. This feature is generally available (GA).

March 17, 2025

AlloyDB for PostgreSQL

Outbound connectivity for Private Service Connect-enabled AlloyDB clusters is generally available (GA). Enabling outbound connectivity allows secure connection between your project and an AlloyDB instance during outbound operations such as migrations or foreign data wrappers (FDW).

You can enforce specific tags on AlloyDB cluster and backup resources using custom organization policies. If a mandatory tag is missing or does not have a value set, AlloyDB resource creation fails. This feature is available in Preview.

Apigee X

On March 17, 2025, Apigee announced the GA support for DNS peering for Apigee organizations that have VPC peering disabled.

For Apigee organizations set up without VPC peering, you can now configure Apigee to resolve your private domains by peering your DNS zones with Apigee. See Connecting with private DNS peering zones.

BigQuery

You can now create an external dataset in BigQuery that links to an existing database in Spanner. This feature is generally available (GA).

You can now use the TYPEOF function to determine the data type of an expression. This feature is generally available (GA).

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.55.0 (2025-03-11)

Features

  • Add MaterializedViewName to ReadRows and SampleRowKeys (1763c6e)
  • Add MaterializedViews and LogicalViews APIs (1763c6e)
  • Add MaterializedViews and LogicalViews APIs (7340527)
  • Add PrepareQuery api and update ExecuteQuery to support it (1763c6e)
  • bigtable: Add support for data APIs for materialized views (#2508) (6310a63)
  • large-row-skip: Added large-row-skip-callable with configurable rowadapter (#2509) (ba193ef)
  • Next release from main branch is 2.55.0 (#2506) (4e45837)
  • Publish row_key_schema fields in table proto and relevant admin APIs to setup a table with a row_key_schema (7340527)

Bug Fixes

  • deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (91e4369)

Documentation

  • Fixed formatting of resource path strings (7340527)

Cloud Data Fusion

Cloud Data Fusion version 6.11.0 is available in Preview.

You can view instance metrics and pipeline metrics in Cloud Monitoring and in the dashboard provided by Cloud Data Fusion. For more information, see Metrics overview and Monitor Cloud Data Fusion system, instance, and pipeline health.

You can view instance logs and pipeline logs in Cloud Logging, and in the dashboard provided by Cloud Data Fusion. For more information, see View Cloud Data Fusion logs.

When a pipeline run fails, you can retrieve detailed error information on the pipeline details page of the Cloud Data Fusion web interface.

Cloud Data Fusion classifies pipeline errors by category, reason, and message. This classification speeds up resolution and reduces the need to examine complex logs. For more information, see Retrieve error information for a failed pipeline run.

Cloud Data Fusion 6.11.0 offers high availability with reduced upgrade downtime.

Changes in Cloud Data Fusion 6.11.0:

  • To create ephemeral clusters, Cloud Data Fusion uses the Dataproc 2.2 image by default. For more information about its limitations in Cloud Data Fusion, see Change the Dataproc image to version 2.1.

  • The maximum concurrent runs limit for triggers is displayed in the console (CDAP-21072).

  • Added support for destination table write preference in the BigQuery Execute plugin (PLUGIN-1438).

Fixed in Cloud Data Fusion 6.11.0:

  • Fixed a null pointer exception in the BigQuery multi-sink plugin when used without a reference name (PLUGIN-1843).

  • Fixed Joiner plugin failures observed on Dataproc 2.2-debian12 instances (CDAP-21075).

  • Fixed an issue that prevented pipelines from accepting empty input in Amazon S3 and Google Cloud Storage source plugins (PLUGIN-1742).

  • Fixed an issue in RBAC-enabled instances where the pipeline details page displayed an incorrect author name (CDAP-21069).

A soft limit of 2 MB for pipeline JSON size is introduced in 6.11.0. Pipelines exceeding this size might encounter deployment failures.

The following APIs for searching and querying metrics are deprecated in 6.11.0:

  • POST v3/metrics/query
  • POST v3/metrics/search

The following APIs for downloading system service and pipeline run logs are deprecated in 6.11.0:

  • GET /v3/namespaces/<NAMESPACE_ID>/apps/<APP_ID>/<PROGRAM_TYPE>/<PROGRAM_ID>/logs
  • GET /v3/system/services/<SERVICE_ID>/logs

The ability to retrieve all applications without pagination using the GET /v3/namespaces/<NAMESPACE_ID>/apps endpoint is deprecated in 6.11.0.

Cloud Load Balancing

Google Cloud periodically renews Google-managed certificates by requesting them from certificate authorities (CAs). Certificate authorities verify domain control by checking the DNS settings of the domain and, in the case of load balancer authorization, by attempting to contact the server behind the domain's IP address. The CAs that Google Cloud works with have introduced a verification method called Multi-Perspective Issuance Corroboration, which is becoming mandatory for all public CAs and which performs the verification from multiple locations around the world. As a result, if DNS settings do not resolve correctly and consistently from all locations, the validation fails and Google-managed certificates fail to renew.

To learn more about preventing multi-perspective domain validation failures for misconfigured DNS records, see Multi-perspective domain validation.

Cloud Monitoring

You can now enable and disable uptime checks by using the disabled field in the Cloud Monitoring API.

Cloud SQL for SQL Server

Cloud SQL for SQL Server supports transparent data encryption (TDE) to encrypt data stored in your Cloud SQL for SQL Server instances.

TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.

TDE provides another layer of encryption in addition to Google's default offering of encryption for data at rest and Google's optional offering of customer-managed encryption keys (CMEK). TDE helps you meet regulatory compliance requirements and supports import or export operations of TDE encrypted backups. For more information, see About transparent data encryption.

Cloud Storage

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for storage/internal/apiv2

1.51.0 (2025-03-12)

Features

  • storage/append: Support appends in w1r3. (#11483) (48bb391)
  • storage: Benchmark with experimental MRD. (#11501) (7b49152)
  • storage: Implement RetryChunkDeadline for grpc writes (#11476) (03575d7)
  • storage: Specify benchmark integrity check. (#11465) (da18845)
  • storage: Use ReadHandle for faster re-connect (#11510) (cac52f7)
  • storage: Wrap NotFound errors for buckets and objects (#11519) (0dd7d3d)

Bug Fixes

  • storage/append: Report progress for appends. (#11503) (96dbb6c)
  • storage: Add a safety check for readhandle (#11549) (c9edb37)
  • storage: Add universe domain to defaultSignBytesFunc (#11521) (511608b)
  • storage: Clone the defaultRetry to avoid modifying it directly (#11533) (7f8d69d)
  • storage: Fix adding multiple range on stream with same read id (#11584) (0bb3434)
  • storage: Modify the callback of mrd to return length of data read instead of limit. (#11687) (9e359f0)
  • storage: Propagate ctx from invoke to grpc upload reqs (#11475) (9ad9d76)
  • storage: Remove duplicate routing header (#11534) (8eeb59c)
  • storage: Return sentinel ErrObjectNotExist for copy and compose (#11369) (74d0c10), refs #10760
  • storage: Wait for XML read req to finish to avoid data races (#11527) (782e12a)

Java

Changes for google-cloud-storage

2.50.0 (2025-03-14)

Features

Bug Fixes

  • deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (22e7e3d)
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (81c8c61)
  • Improve 503 handling for json resumable uploads (#2987) (9bc2b14)
  • Update usages of String.format to explicitly pass Locale.US (#2974) (8bcb2de), closes #2972

Dependencies

  • Update dependency com.google.apis:google-api-services-storage to v1-rev20250224-2.0.0 (#2969) (80a40c4)
  • Update googleapis/sdk-platform-java action to v2.55.1 (#2985) (e22a2de)
  • Update sdk-platform-java dependencies (#2983) (9eeb82a)
  • Update sdk-platform-java dependencies (#2986) (10b922a)

Cloud Storage now offers the DE configurable dual-region code, which can be used when creating a dual-region bucket in europe-west3 (Frankfurt) and europe-west10 (Berlin). To learn more about Cloud Storage configurable dual-regions, see Configurable dual-regions.

Compute Engine

Generally available: The A4 accelerator-optimized machine type is now generally available. A4 instances are powered by NVIDIA B200 GPUs and provide up to 3x performance of previous GPU instance types for most GPU accelerated workloads. A4 is especially recommended for ML training workloads at large scales. A4 is available in the a4-highgpu-8g machine type in the us-central1-b zone.

To create A4 instances, you must either use AI Hypercomputer to request capacity and create VMs or clusters, or use Spot VMs. For detailed instructions, see Create an A3 Ultra or A4 VM.

Container Optimized OS

cos-dev-121-18867-0-53

  • Kernel: COS-6.6.74
  • Docker: v27.5.1
  • Containerd: v2.0.2
  • GPU Drivers: See List

Upgraded app-containers/docker, app-containers/docker-test, and app-containers/docker-cli to v27.5.1.

Added support for iRDMA devices.

Applied Intel patches to add iRDMA support in the Linux kernel.

Updated cos-gpu-installer to v2.4.8: Added the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during GPU driver installation.

Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.

Upgraded net-misc/socat to v1.8.0.3.

Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.

Upgraded dev-go/oauth2 to v0.27.0. This fixes CVE-2025-22868.

Upgraded net-misc/openssh to version 9.9_p2. This fixes CVE-2025-26465 and CVE-2025-26466.

Upgraded sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.

Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.

Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2025-27113.

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Fixed CVE-2025-21814 in the Linux kernel.

Fixed CVE-2024-50017 in the Linux kernel.

Fixed CVE-2024-50146 in the Linux kernel.

Fixed CVE-2024-50304 in the Linux kernel.

Fixed KCTF-8802766 in the Linux kernel.

Fixed KCTF-fcdd224 in the Linux kernel.

Fixed CVE-2024-56549 in the Linux kernel.

Fixed KCTF-638ba50 in the Linux kernel.

Fixed CVE-2024-50014 in the Linux kernel.

Fixed CVE-2024-49994 in the Linux kernel.

Fixed CVE-2025-21690 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811788 -> 811701
  • Deleted: net.bridge.bridge-nf-call-arptables: 1
  • Deleted: net.bridge.bridge-nf-call-ip6tables: 1
  • Deleted: net.bridge.bridge-nf-call-iptables: 1
  • Deleted: net.bridge.bridge-nf-filter-pppoe-tagged: 0
  • Deleted: net.bridge.bridge-nf-filter-vlan-tagged: 0
  • Deleted: net.bridge.bridge-nf-pass-vlan-input-dev: 0

cos-beta-121-18867-0-53

Kernel: COS-6.6.74, Docker: v27.5.1, Containerd: v2.0.2, GPU Drivers: See List

Upgraded app-containers/docker, app-containers/docker-test, and app-containers/docker-cli to v27.5.1.

Added support for iRDMA devices.

Applied Intel patches to add iRDMA support in the Linux kernel.

Updated cos-gpu-installer to v2.4.8: Added the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during GPU driver installation.

Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.

Upgraded net-misc/socat to v1.8.0.3.

Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.

Upgraded dev-go/oauth2 to v0.27.0. This fixes CVE-2025-22868.

Upgraded net-misc/openssh to version 9.9_p2. This fixes CVE-2025-26465 and CVE-2025-26466.

Upgraded sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.

Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.

Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2025-27113.

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Fixed CVE-2025-21814 in the Linux kernel.

Fixed CVE-2024-50017 in the Linux kernel.

Fixed CVE-2024-50146 in the Linux kernel.

Fixed CVE-2024-50304 in the Linux kernel.

Fixed KCTF-8802766 in the Linux kernel.

Fixed KCTF-fcdd224 in the Linux kernel.

Fixed CVE-2024-56549 in the Linux kernel.

Fixed KCTF-638ba50 in the Linux kernel.

Fixed CVE-2024-50014 in the Linux kernel.

Fixed CVE-2024-49994 in the Linux kernel.

Fixed CVE-2025-21690 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811788 -> 811701
  • Deleted: net.bridge.bridge-nf-call-arptables: 1
  • Deleted: net.bridge.bridge-nf-call-ip6tables: 1
  • Deleted: net.bridge.bridge-nf-call-iptables: 1
  • Deleted: net.bridge.bridge-nf-filter-pppoe-tagged: 0
  • Deleted: net.bridge.bridge-nf-filter-vlan-tagged: 0
  • Deleted: net.bridge.bridge-nf-pass-vlan-input-dev: 0

cos-117-18613-164-81

Kernel: COS-6.6.72, Docker: v24.0.9, Containerd: v1.7.24, GPU Drivers: See List

Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.

Added support for iRDMA devices.

Upgraded net-misc/socat to v1.8.0.3.

Fixed CVE-2023-45288 in app-containers/docker.

Fixed CVE-2025-21857 in the Linux kernel.

Fixed CVE-2024-58088 in the Linux kernel.

Fixed CVE-2025-21844 in the Linux kernel.

Fixed CVE-2025-21779 in the Linux kernel.

Fixed CVE-2025-21854 in the Linux kernel.

Fixed CVE-2025-21846 in the Linux kernel.

Fixed CVE-2025-21864 in the Linux kernel.

Fixed CVE-2025-21858 in the Linux kernel.

Fixed CVE-2025-21791 in the Linux kernel.

Fixed CVE-2025-21863 in the Linux kernel.

Fixed CVE-2024-57996 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2025-21814 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 811757 -> 811752

cos-113-18244-291-73

Kernel: COS-6.1.123, Docker: v24.0.9, Containerd: v1.7.24, GPU Drivers: See List

Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.

Fixed CVE-2023-45288 in app-containers/docker.

Fixed CVE-2025-21785 in the Linux kernel.

Fixed CVE-2025-21844 in the Linux kernel.

Fixed CVE-2025-21779 in the Linux kernel.

Fixed CVE-2025-21846 in the Linux kernel.

Fixed CVE-2025-21864 in the Linux kernel.

Fixed CVE-2025-21858 in the Linux kernel.

Fixed CVE-2025-21791 in the Linux kernel.

Fixed CVE-2024-26982 in the Linux kernel.

Fixed CVE-2024-57996 in the Linux kernel.

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Fixed CVE-2025-21814 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812049 -> 812031

cos-105-17412-535-78

Kernel: COS-5.15.173, Docker: v23.0.3, Containerd: v1.7.23, GPU Drivers: See List

Updated the default tag of the GPU driver supporting the NVIDIA H200 GPU device to 570.86.15.

Upgraded gzip to v1.13.

Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_H200 GPU devices.

Updated cos-gpu-installer to v2.4.8: Added the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during GPU driver installation.

Fixed console TTY leak in runc shim in containerd.

Fixed CVE-2023-45288 in app-containers/docker.

Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.

Fixed CVE-2025-26465 and CVE-2025-26466 in net-misc/openssh.

Fixed CVE-2024-53589 in sys-libs/binutils-libs.

Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.

Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2024-56171, CVE-2025-27113 and CVE-2025-24928.

Fixed CVE-2024-26982 in the Linux kernel.

Fixed CVE-2024-57946 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812677 -> 812699

cos-109-17800-436-64

Kernel: COS-6.1.124, Docker: v24.0.9, Containerd: v1.7.24, GPU Drivers: See List

Fixed CVE-2025-21814 in the Linux kernel.

Fixed CVE-2024-58017 in the Linux kernel.

Fixed CVE-2025-21745 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812157 -> 812258

Data Catalog

Data Catalog is available in the europe-north2 (Stockholm) region.

Dataflow

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for dataflow/apiv1beta3

0.10.5 (2025-03-13)

Bug Fixes
  • dataflow: Update golang.org/x/net to 0.37.0 (1144978)

Dataplex

Dataplex and data lineage are available in the europe-north2 (Stockholm) region.

Dataplex and data lineage are available in the northamerica-south1 (Mexico) region.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.136-debian10, 2.0.136-rocky8, 2.0.136-ubuntu18
  • 2.1.84-debian11, 2.1.84-rocky8, 2.1.84-ubuntu20, 2.1.84-ubuntu20-arm
  • 2.2.50-debian12, 2.2.50-rocky9, 2.2.50-ubuntu22

Dataproc on Compute Engine: Spark upgraded to version 3.5.3 in the latest Dataproc image version 2.2.

Dataproc on Compute Engine: The latest Dataproc 2.2 image version now supports Spark data lineage.

Dataproc on Compute Engine: Added support for Enhanced Flexibility Mode (EFM) with primary worker shuffle mode on Spark for image version 2.2.50 and above.

Eventarc

Eventarc Standard is available in the europe-north2 (Stockholm, Sweden) region.

Generative AI on Vertex AI

Mistral Small 3.1 (25.03) features multimodal capabilities and a context of up to 128,000 tokens. For more information, see the Mistral Small 3.1 (25.03) model card in Model Garden.

Looker

The following features have been added to Studio in Looker, which is available in preview:

  • If Studio in Looker is disabled and then re-enabled, reports that had been saved within the previous 30 days will still be available. Recovered reports may appear in the Recovered reports folder after an admin re-enables Studio in Looker.
  • The Looker Search function will include reports.
  • The Looker Trash folder will now contain deleted reports, and Looker admins can restore previously deleted reports.
  • The ability to set an instance or a group locale for Studio in Looker.
  • Looker admins can manage the data source connectors that are available in Studio in Looker.

Note: This item was updated on March 19, 2025.

Looker Studio

Looker connector enhancements

More Looker permissions have been propagated to Looker Studio and can now be granted to Looker Studio Pro users to perform the following tasks on Looker Studio reports that are built with the Looker connector:

  • Schedule report deliveries
  • Create alerts
  • Download and export chart and report data

Learn more about permissions to use the Looker connector.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

1.48.0 (2025-03-12)

Features
  • pubsub/pstest: Support listening on custom address (#11606) (63865a2)
  • pubsub: Add support for message transforms to Topic and Subscription (59fe58a)
  • pubsub: Deprecate enabled field for message transforms and add disabled field (dd0d1d7)
Documentation
  • pubsub: A comment for field code in message .google.pubsub.v1.JavaScriptUDF is changed (#11553) (678944b)
  • pubsub: Deprecate enabled field for message transforms and add disabled field (dd0d1d7)
  • pubsub: Fix link for AnalyticsHubSubscriptionInfo (59fe58a)

Java

Changes for google-cloud-pubsub

1.138.0 (2025-03-14)

Features
  • Deprecate enabled field for message transforms and add disabled field (76b2a3d)
  • Next release from main branch is 1.138.0 (#2361) (b6ba56c)
Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (76b2a3d)
  • Prevent excessive string parsing when publishing and receiving messages to improve performance (#2317) (07b1350)
Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.48.1 (#2356) (7d3d2e4)
  • Update dependency com.google.cloud:google-cloud-storage to v2.49.0 (#2358) (81d3435)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#2366) (15899d1)
  • Update googleapis/sdk-platform-java action to v2.55.1 (#2367) (de6f84a)

Resource Manager

You can enforce mandatory tags on resources using custom organization policies. When a user attempts to create a resource, the system checks for the presence of the mandatory tags. If any mandatory tag is missing or does not have a value, the resource creation is blocked. By defining mandatory tags within an organization policy, you can ensure that all newly created resources adhere to your organization's tagging standards. This feature is available in Preview.

For more information, see Enforcing mandatory tags on resources.

Secret Manager

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for secretmanager/apiv1

1.14.6 (2025-03-13)

Bug Fixes
  • secretmanager: Update golang.org/x/net to 0.37.0 (1144978)

Spanner

You can now create an external dataset in BigQuery that links to an existing database in Spanner. This feature is generally available (GA).

Text-to-Speech

Chirp 3: HD voices are only available in the global, us, eu, and asia-southeast1 regions. To use these voices, switch your endpoint to a supported region.

Workload Manager

Generally available: Workload Manager supports deploying Microsoft SQL Server workloads on Google Cloud. You can configure and deploy a SQL Server system using the Guided Deployment Automation tool in Workload Manager. For more information, see Overview of SQL Server deployment.

Workload Manager supports the following features when you deploy SAP S/4HANA workloads on Google Cloud:

  • Deploy SAP S/4HANA workloads on X4 instances.
  • Customize the names of application server VMs.
  • Specify network tags for the deployed instances.
  • Skip the creation of automatic firewall rules.
  • Skip the DNS configuration.
  • Choose an existing NFS shared storage.
  • Specify a service account to be attached to instances for each layer of the deployment.

For more information, see Deploy an SAP S/4HANA application.