This page lists the roles and permissions required to back up, mount, and restore Compute Engine instances.
Required roles
To back up, mount, and restore an instance, we recommend that you grant the following IAM roles to the service account used by the backup/recovery appliance.
To get the permissions that you need to back up, mount, and restore Compute Engine instances, ask your administrator to grant you the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles. If you prefer to use custom roles, you must include all permissions listed in the following section.
Granular permissions
The following table compares the granular permissions required for different Compute Engine operations.
| Permission | Backup | Mount (existing) | Restore / Mount (new) |
|---|---|---|---|
| Compute Engine | | | |
| compute.addresses.list | Yes | | |
| compute.disks.create | Yes | Yes | |
| compute.disks.createSnapshot | Yes | Yes | |
| compute.disks.delete | Yes | Yes | |
| compute.disks.get | Yes | Yes | Yes |
| compute.disks.setLabels | Yes | | |
| compute.disks.use | Yes | Yes | |
| compute.diskTypes.get | Yes | Yes | |
| compute.diskTypes.list | Yes | Yes | |
| compute.firewalls.list | Yes | | |
| compute.globalOperations.get | Yes | | |
| compute.images.create | Yes | Yes | |
| compute.images.delete | Yes | Yes | |
| compute.images.get | Yes | Yes | |
| compute.images.useReadOnly | Yes | Yes | |
| compute.instances.attachDisk | Yes | Yes | |
| compute.instances.create | Yes | Yes | |
| compute.instances.delete | Yes | Yes | |
| compute.instances.detachDisk | Yes | Yes | |
| compute.instances.get | Yes | Yes | |
| compute.instances.list | Yes | Yes | Yes |
| compute.instances.setLabels | Yes | Yes | |
| compute.instances.setMetadata | Yes | Yes | |
| compute.instances.setServiceAccount | Yes | | |
| compute.instances.setTags | Yes | | |
| compute.instances.start | Yes | | |
| compute.instances.stop | Yes | | |
| compute.machineTypes.get | Yes | | |
| compute.machineTypes.list | Yes | | |
| compute.networks.list | Yes | | |
| compute.nodeGroups.get | Yes | | |
| compute.nodeGroups.list | Yes | | |
| compute.nodeTemplates.get | Yes | | |
| compute.projects.get | Yes | | |
| compute.regions.get | Yes | Yes | Yes |
| compute.regions.list | Yes | | |
| compute.regionOperations.get | Yes | Yes | Yes |
| compute.snapshots.create | Yes | Yes | |
| compute.snapshots.delete | Yes | | |
| compute.snapshots.get | Yes | Yes | |
| compute.snapshots.setLabels | Yes | Yes | |
| compute.snapshots.useReadOnly | Yes | Yes | |
| compute.subnetworks.list | Yes | | |
| compute.subnetworks.use | Yes | | |
| compute.subnetworks.useExternalIp | Yes | | |
| compute.zoneOperations.get | Yes | Yes | |
| compute.zones.list | Yes | Yes | Yes |
| IAM | | | |
| iam.serviceAccounts.actAs | Yes | Yes | Yes |
| iam.serviceAccounts.get | Yes | Yes | Yes |
| iam.serviceAccounts.list | Yes | Yes | Yes |
| Resource Manager | | | |
| resourcemanager.projects.get | Yes | Yes | Yes |
| resourcemanager.projects.list | Yes | | |
Permissions for CMEK
If the source disk uses customer-managed encryption keys (CMEK), the Compute Engine service agent requires the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the key in the source project.
To grant this permission, follow these steps:
- In the Google Cloud console, go to the IAM page for your target project.
- Select Include Google-provided role grants.
- Find the Compute Engine Service Agent service account and copy its email address (the principal).
- Switch to the source project where the KMS key is located.
- Click Grant Access and paste the service account email.
- Select the Cloud KMS CryptoKey Encrypter/Decrypter role and click Save.
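The custom-role option described under Required roles and the CMEK steps above, as an added example that is not Google's code or part of this page: the script parses the permission table in the layout shown on this page, collects the permissions marked Yes for one operation column, renders a role file in the format `gcloud iam roles create --file` accepts, checks an existing role against that list, and prints the equivalent gcloud grant commands. The embedded table is a constructed excerpt of the page's rows; project ids, the project number, the appliance service account, the role id and the key, key ring and location names are placeholders. The Compute Engine service agent address format (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com) is a documented Google Cloud convention, not something taken from this page.

```python
"""Least-privilege custom roles built from this page's permission table.

Added example, not Google's code. Parses the markdown table as laid out on
the page, picks the permissions marked "Yes" for one operation column,
renders a role file for `gcloud iam roles create --file`, checks an existing
role against that list, and prints the matching grant commands.
All project ids, numbers, service accounts and KMS names are placeholders.
"""
import re

# Constructed excerpt of the page's table: same layout, a subset of its rows.
TABLE_EXCERPT = """\
| Permission | Backup | Mount (existing) | Restore / Mount (new) |
|---|---|---|---|
| Compute Engine | | | |
| compute.disks.get | Yes | Yes | Yes |
| compute.disks.createSnapshot | Yes | Yes | |
| compute.instances.setTags | Yes | | |
| IAM | | | |
| iam.serviceAccounts.actAs | Yes | Yes | Yes |
| Resource Manager | | | |
| resourcemanager.projects.get | Yes | Yes | Yes |
"""

# IAM permissions look like service.resource.verb; group headings do not.
PERMISSION_RE = re.compile(r"^[a-z]+(\.[A-Za-z]+){2,}$")

# Documented address format of the Compute Engine service agent, the principal
# the CMEK steps grant the Encrypter/Decrypter role to (placeholder number).
COMPUTE_SERVICE_AGENT = "service-{number}@compute-system.iam.gserviceaccount.com"


def parse_permission_table(markdown):
    """Return {operation column: sorted permissions marked Yes for it}."""
    rows = [ln.strip() for ln in markdown.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    ops = header[1:]
    found = {op: set() for op in ops}
    for row in rows[2:]:  # skip the header and the |---| separator row
        cells = [c.strip() for c in row.strip("|").split("|")]
        name = cells[0]
        if not PERMISSION_RE.match(name):
            continue  # group heading such as "Compute Engine"
        # Pad short rows (trailing empty cells dropped) so every column is visited.
        flags = cells[1:] + [""] * (len(ops) - (len(cells) - 1))
        for op, flag in zip(ops, flags):
            if flag.lower() == "yes":
                found[op].add(name)
    return {op: sorted(perms) for op, perms in found.items()}


def role_definition(title, permissions, stage="GA"):
    """YAML role file accepted by `gcloud iam roles create ROLE_ID --file`."""
    lines = [f"title: {title}", f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def missing_permissions(granted, required):
    """Permissions from the table that an existing custom role does not include."""
    return sorted(set(required) - set(granted))


def appliance_grant_command(project_id, role_id, appliance_sa):
    """Bind the project-level custom role to the appliance service account."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member serviceAccount:{appliance_sa} "
        f"--role projects/{project_id}/roles/{role_id}"
    )


def cmek_grant_command(source_project, target_project_number, key, keyring, location):
    """gcloud equivalent of the console steps under 'Permissions for CMEK'."""
    agent = COMPUTE_SERVICE_AGENT.format(number=target_project_number)
    return (
        f"gcloud kms keys add-iam-policy-binding {key} "
        f"--keyring {keyring} --location {location} --project {source_project} "
        f"--member serviceAccount:{agent} "
        f"--role roles/cloudkms.cryptoKeyEncrypterDecrypter"
    )


if __name__ == "__main__":
    by_op = parse_permission_table(TABLE_EXCERPT)
    backup = by_op["Backup"]
    print(role_definition("Backup and DR: backup only", backup))
    print(appliance_grant_command("target-project", "backupdrBackupOnly",
                                  "appliance-sa@target-project.iam.gserviceaccount.com"))
    print(cmek_grant_command("source-project", "123456789012",
                             "disk-key", "disk-keyring", "us-central1"))
    print("missing:", missing_permissions(["compute.disks.get"], backup))
```

Run it against the full table from this page to get one role file per operation column; `missing_permissions` is the check to run before relying on an existing custom role, since the page requires every listed permission to be present. Keeping one role per operation (rather than one role that covers all three columns) is what limits what a compromised appliance credential can do.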

