Company:
Date Published:
Author: Abhinav Garg
Word count: 1068
Language: English
Hacker News points: None

Summary

Cockroach Labs has introduced a feature in CockroachDB 22.2 that lets users use cloud IAM roles for backup-restore and changefeed operations, addressing customer concerns about cloud resource credential security. This enhancement enables the obfuscation of cloud credentials, eliminating the need for AWS access keys or GCP service account credentials in SQL commands and thus reducing the risk of data exfiltration. Customers can now configure cloud IAM roles with the necessary permissions, trust a CockroachDB identity, and share the role name with SQL users, giving them secure access to cloud resources without exposing sensitive credentials. This approach uses short-lived credentials that CockroachDB refreshes automatically, which makes it a seamless solution for long-duration operations such as full cluster backups or continuous changefeeds. The functionality is available for both CockroachDB Dedicated and self-hosted clusters, with specific configurations recommended for each deployment type, enhancing security and simplifying processes for cloud-native databases.