
🔔 Project-level Service Accounts & Workload Identities

We introduce project-level Service Accounts and Workload Identities in addition to the existing workspace-level scope. This enables project-scoped machine identities to follow least privilege and reduce automation blast radius, while clearly separating machine identities from users and aligning them with the resource hierarchy.
  • UI & scope changes
    • Workspace Members page now has separate tabs for Users & Groups, Service Accounts, and Workload Identities.
    • Service accounts and workload identities can now be created at both workspace and project levels, governed by their respective IAM policies.
    • Project-level identities are scoped to a single project to enable isolated automation.
    • The account selector for role assignment now supports users, groups, service accounts, and workload identities. Service accounts and workload identities require entering the full email address.
  • Breaking changes (API / Terraform users)
    • Machine identities are managed via dedicated APIs (ServiceAccountService, WorkloadIdentityService) instead of the User API.
    • IAM member prefixes updated: machine identities move from user:{email} to serviceAccount:{email} / workloadIdentity:{email}.
    • Workspace-level Service Account and Workload Identity APIs now require explicit parent workspaces/- instead of an empty string.
      Affected APIs: CreateServiceAccount, ListServiceAccounts, CreateWorkloadIdentity, ListWorkloadIdentities.
      Endpoint change: /v1/serviceAccounts becomes /v1/workspaces/-/serviceAccounts
    • Terraform users must update IAM member prefixes and use the new service account/workload identity resources. Latest provider documentation

🔔 Other Notable Changes

  • DDL and DML execution control update
    • Environment condition is added to bb.sql.ddl and bb.sql.dml role grants as a replacement for the disallow_ddl and disallow_dml environment policy. The environment condition is only available when granting roles at the project level for a specific project. Roles granted at the workspace level (which apply to all projects) do not have the environment condition option.
    • Each project-level IAM Policy (i.e. role grant) has a single environment condition that applies to both bb.sql.ddl and bb.sql.dml permissions together. This means you cannot allow DDL but disallow DML (or vice versa) within the same role. If you need different environment restrictions for DDL and DML, the recommended practice is to create 2 separate roles — one with bb.sql.ddl and one with bb.sql.dml — each with its own environment condition.
    • disallow_ddl and disallow_dml are automatically migrated into role grants in a permissive (OR) manner: if, for a given environment, either disallow_ddl or disallow_dml is OFF, that environment is included in the environment condition of roles carrying the bb.sql.ddl or bb.sql.dml permission. This can change DDL and DML control in a breaking way if your disallow_ddl and disallow_dml settings differ across environment policies. Please review after upgrading and follow the recommended practice to configure your role grants.
    • Add bb.sql.ddl and bb.sql.dml permissions to the SQL Editor User and Project Owner roles.
    • For Terraform users, update the environment policy and your role grants accordingly. Latest provider documentation
  • SQL Editor settings consolidation & policy updates
    • Add a dedicated SQL Editor section under Workspace Settings > General, consolidating data export, data copying, admin data source access, max result size, max result rows, and max query time.
    • Max result rows can also be configured at the project level.
    • DataSourceQueryPolicy is merged into QueryDataPolicy and deprecated (auto-migrated).
    • For Terraform users, update bytebase_policy configuration. Latest provider documentation
  • Role & permission adjustments
    • Add bb.taskRuns.create permission to the Project Owner role.
    • Remove bb.rollouts.create permission from the Project Developer role (use Project Releaser or Project Owner).
    • Allow managing project IAM policy without the Project Owner role.
  • Online migration configuration change
    • Move gh-ost configuration from Plan spec to SQL directive in sheet content (-- gh-ost = { ... }).
    • Remove enable_ghost and ghost_flags from ChangeDatabaseConfig in the Plan API.
  • Execution & validation improvements
    • Skip DML dry-run checks when DDL statements are present to reduce false positives. Primarily applies to the SQL Review rule "Validate the executability of DML statements".
  • Cleanup & removals
    • Remove the Archived page (archived projects and instances now appear directly in the dashboard).
    • Remove auto_enable_backup and skip_backup_errors from project settings.
    • Deprecate the legacy issue page and route.
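The DDL and DML execution control update above changes how per-environment restrictions are expressed, and the OR-based migration can loosen control where disallow_ddl and disallow_dml differ. The following added example (not Bytebase code; the policy and role data shapes are constructed for illustration) models that migration, reports which environments a migrated grant would newly allow, and builds the two-role split the notes recommend.

```python
"""Model of the disallow_ddl/disallow_dml -> environment-condition migration.

The legacy policy and role representations below are constructed for this
example and are not Bytebase's actual API or storage format.
"""

# Constructed sample legacy environment policies: True means the statement
# kind is disallowed in that environment.
LEGACY_POLICY = {
    "test": {"disallow_ddl": False, "disallow_dml": False},
    "staging": {"disallow_ddl": True, "disallow_dml": False},
    "prod": {"disallow_ddl": True, "disallow_dml": True},
}


def legacy_allowed(legacy, stmt_kind):
    """Environments where the legacy policy permitted a statement kind ('ddl' or 'dml')."""
    flag = "disallow_ddl" if stmt_kind == "ddl" else "disallow_dml"
    return sorted(env for env, p in legacy.items() if not p[flag])


def migrated_condition(legacy):
    """Single environment condition produced by the OR migration: an environment
    is included if either disallow flag is OFF."""
    return sorted(env for env, p in legacy.items()
                  if not p["disallow_ddl"] or not p["disallow_dml"])


def loosened_by_migration(legacy, role_permissions):
    """Return {stmt_kind: [envs]} where a role holding the given permissions
    under the migrated condition allows something the legacy policy blocked."""
    cond = set(migrated_condition(legacy))
    loosened = {}
    for kind in ("ddl", "dml"):
        if f"bb.sql.{kind}" not in role_permissions:
            continue
        extra = sorted(cond - set(legacy_allowed(legacy, kind)))
        if extra:
            loosened[kind] = extra
    return loosened


def split_roles(legacy):
    """Recommended practice: one role per permission, each with its own
    environment condition matching the legacy intent."""
    return {
        "ddl-only": {"permissions": ["bb.sql.ddl"], "environments": legacy_allowed(legacy, "ddl")},
        "dml-only": {"permissions": ["bb.sql.dml"], "environments": legacy_allowed(legacy, "dml")},
    }


if __name__ == "__main__":
    print("migrated condition:", migrated_condition(LEGACY_POLICY))
    print("loosened:", loosened_by_migration(LEGACY_POLICY, ["bb.sql.ddl", "bb.sql.dml"]))
    print("split roles:", split_roles(LEGACY_POLICY))
```

With the sample policy, a combined grant would newly permit DDL in staging, which is exactly the case to review after upgrading.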

🚀 Features

  • MongoDB
    • Use native driver for queries by default, with fallback to mongosh.
    • SQL Editor now supports auto-complete, current statement highlighting, and syntax checking.
    • Support statement-type access control in SQL Editor, allowing administrators to control Read and Write permissions.
  • Elasticsearch
    • Support statement-type access control in SQL Editor, allowing administrators to control Read and Write permissions.

🎄 Enhancements

  • SQL Editor query results support multi-select via Cmd/Ctrl + Click for rows and columns. Copied data now includes column names.
  • Improve the SQL Editor database connection panel layout.
  • Normalize Unicode emails to prevent creating accounts with visually identical but technically different addresses.

🐞 Bug Fixes

  • Fix access token refresh on SQL Editor LSP websocket reconnection.
  • Fix incorrect Learn More link for online migration.
  • Google Cloud SQL - Fix IAM authentication while creating instances in Bytebase Cloud.
  • PostgreSQL - Support Common Table Expressions (CTE) in backup statement execution.

⚙️ Install and Upgrade

Warning:
  • Bytebase does not support in-place downgrade. Make sure to back up your metadata before upgrading.
  • Never run multiple containers on the same data directory. Stop and remove the old one first to avoid corruption.