IAM roles and permissions required to back up, mount, and restore Compute Engine instances in the appliance management console

This page lists the roles and permissions required to back up, mount, and restore Compute Engine instances.

Required roles

To back up, mount, and restore an instance, grant the following IAM role to the service account that the backup/recovery appliance uses.

To get the permissions that you need to back up, mount, and restore Compute Engine instances, ask your administrator to grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role on your project to the appliance's service account. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

If you prefer to use custom roles, you must include all permissions listed in the following section.

Granular permissions

The following table lists the granular permissions required for each Compute Engine operation. A permission marked three times is needed for all three operations: backup, mount to an existing instance, and restore or mount to a new instance.

Permission                               Backup  Mount (existing)  Restore / Mount (new)

Compute Engine
compute.addresses.list                   Yes
compute.disks.create                     Yes  Yes
compute.disks.createSnapshot             Yes  Yes
compute.disks.delete                     Yes  Yes
compute.disks.get                        Yes  Yes  Yes
compute.disks.setLabels                  Yes
compute.disks.use                        Yes  Yes
compute.diskTypes.get                    Yes  Yes
compute.diskTypes.list                   Yes  Yes
compute.firewalls.list                   Yes
compute.globalOperations.get             Yes
compute.images.create                    Yes  Yes
compute.images.delete                    Yes  Yes
compute.images.get                       Yes  Yes
compute.images.useReadOnly               Yes  Yes
compute.instances.attachDisk             Yes  Yes
compute.instances.create                 Yes  Yes
compute.instances.delete                 Yes  Yes
compute.instances.detachDisk             Yes  Yes
compute.instances.get                    Yes  Yes
compute.instances.list                   Yes  Yes  Yes
compute.instances.setLabels              Yes  Yes
compute.instances.setMetadata            Yes  Yes
compute.instances.setServiceAccount      Yes
compute.instances.setTags                Yes
compute.instances.start                  Yes
compute.instances.stop                   Yes
compute.machineTypes.get                 Yes
compute.machineTypes.list                Yes
compute.networks.list                    Yes
compute.nodeGroups.get                   Yes
compute.nodeGroups.list                  Yes
compute.nodeTemplates.get                Yes
compute.projects.get                     Yes
compute.regions.get                      Yes  Yes  Yes
compute.regions.list                     Yes
compute.regionOperations.get             Yes  Yes  Yes
compute.snapshots.create                 Yes  Yes
compute.snapshots.delete                 Yes
compute.snapshots.get                    Yes  Yes
compute.snapshots.setLabels              Yes  Yes
compute.snapshots.useReadOnly            Yes  Yes
compute.subnetworks.list                 Yes
compute.subnetworks.use                  Yes
compute.subnetworks.useExternalIp        Yes
compute.zoneOperations.get               Yes  Yes
compute.zones.list                       Yes  Yes  Yes

IAM
iam.serviceAccounts.actAs                Yes  Yes  Yes
iam.serviceAccounts.get                  Yes  Yes  Yes
iam.serviceAccounts.list                 Yes  Yes  Yes

Resource Manager
resourcemanager.projects.get             Yes  Yes  Yes
resourcemanager.projects.list            Yes
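The following script is an added example and is not part of the Google Cloud documentation or the Backup and DR product. It covers the two options described above: it prints the gcloud command that grants the predefined roles/backupdr.computeEngineOperator role to the appliance's service account, and, for the custom-role path, it checks a candidate role against the full permission list from the table (the union of all three operation columns, which is what an appliance that backs up, mounts and restores needs) and prints the gcloud command that creates such a role. Project IDs, role IDs and the service account address are placeholders; the sample role used for the check is constructed here and deliberately omits iam.serviceAccounts.actAs, the permission without which the appliance cannot run a restored instance under its service account.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs). Placeholders: my-project,
# backupdrCeOperatorCustom, appliance-sa@my-project.iam.gserviceaccount.com.

# Every permission in the table above, several per line; the union of the
# Backup, Mount (existing) and Restore / Mount (new) columns.
REQUIRED_PERMISSIONS='
compute.addresses.list compute.disks.create compute.disks.createSnapshot
compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use
compute.diskTypes.get compute.diskTypes.list compute.firewalls.list
compute.globalOperations.get compute.images.create compute.images.delete
compute.images.get compute.images.useReadOnly compute.instances.attachDisk
compute.instances.create compute.instances.delete compute.instances.detachDisk
compute.instances.get compute.instances.list compute.instances.setLabels
compute.instances.setMetadata compute.instances.setServiceAccount
compute.instances.setTags compute.instances.start compute.instances.stop
compute.machineTypes.get compute.machineTypes.list compute.networks.list
compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.get
compute.projects.get compute.regions.get compute.regions.list
compute.regionOperations.get compute.snapshots.create compute.snapshots.delete
compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly
compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp
compute.zoneOperations.get compute.zones.list
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list
resourcemanager.projects.get resourcemanager.projects.list
'

# One permission per line, sorted and deduplicated (comm needs sorted input).
normalize() {
  printf '%s\n' "$1" | tr ' \t' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print the permissions in list $1 that list $2 lacks; empty output means
# the candidate role covers everything the table requires.
missing_permissions() {
  _req=$(mktemp) && _act=$(mktemp) || return 2
  normalize "$1" > "$_req"
  normalize "$2" > "$_act"
  LC_ALL=C comm -23 "$_req" "$_act"
  rm -f "$_req" "$_act"
}

# Permissions an existing custom role grants, as gcloud reports them
# (value() joins the repeated field with ';'). Needs gcloud and access.
role_permissions() {  # $1 project id, $2 role id
  gcloud iam roles describe "$2" --project="$1" \
    --format='value(includedPermissions)' | tr ';' '\n'
}

# Option 1: grant the predefined role to the appliance service account.
predefined_role_grant_cmd() {  # $1 project id, $2 service account e-mail
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/backupdr.computeEngineOperator\n' "$1" "$2"
}

# Option 2: create a custom role carrying every permission in the table.
custom_role_create_cmd() {  # $1 project id, $2 role id
  perms=$(normalize "$REQUIRED_PERMISSIONS" | paste -sd, -)
  printf 'gcloud iam roles create %s --project=%s --title="Backup and DR CE operator (custom)" --stage=GA --permissions=%s\n' "$2" "$1" "$perms"
}

# Constructed sample: a candidate role missing iam.serviceAccounts.actAs.
# In practice feed role_permissions output here instead.
SAMPLE_ROLE_PERMISSIONS=$(normalize "$REQUIRED_PERMISSIONS" | grep -Fxv 'iam.serviceAccounts.actAs')

echo "Missing from the sample role:"
missing_permissions "$REQUIRED_PERMISSIONS" "$SAMPLE_ROLE_PERMISSIONS"
predefined_role_grant_cmd my-project appliance-sa@my-project.iam.gserviceaccount.com
custom_role_create_cmd my-project backupdrCeOperatorCustom
```

Run the printed commands only after reviewing them; the check is the useful part. A custom role that passes it still grants the appliance more than a backup-only workload needs, because the table's columns show that backup alone uses a subset, so scope the role to the operations the appliance actually performs if you can.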

Permissions for CMEK

If the source disk uses customer-managed encryption keys (CMEK), the Compute Engine service agent requires the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the key in the source project.

To grant this role, follow these steps:

  1. In the Google Cloud console, go to the IAM page for your target project.
  2. Select Include Google-provided role grants.
  3. Find the Compute Engine Service Agent service account and copy its email address (the principal).
  4. Switch to the source project where the KMS key is located.
  5. Click Grant Access and paste the service account email.
  6. Select the Cloud KMS CryptoKey Encrypter/Decrypter role and click Save.
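The script below is an added example and is not part of the Google Cloud documentation. It performs the same grant from the command line, with one deliberate difference: the binding is placed on the key itself rather than on the source project, so the target project's Compute Engine service agent can use only the key that encrypts the source disk and not every key in the project. It also parses the key's IAM policy to confirm the binding is present. Assumptions: the service agent address follows the form service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com; the policy parser expects the `key: value` line shape of gcloud's `--format=flattened` output; the project number, key ring, key name and the sample policy are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs). Placeholders: project number
# 123456789012, my-source-project, us-central1, backup-ring, disk-key.

# Compute Engine service agent for a project. It is named after the project
# NUMBER, not the project ID (assumed form, see lead-in).
compute_service_agent() {  # $1 project number
  printf 'service-%s@compute-system.iam.gserviceaccount.com\n' "$1"
}

# Project ID -> project number (needs gcloud and access to the project).
project_number() {  # $1 project id
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Key-scoped grant: binds the role on this one key, not on the source project.
cmek_grant_cmd() {  # $1 source project id, $2 location, $3 key ring, $4 key, $5 agent e-mail
  printf 'gcloud kms keys add-iam-policy-binding %s --project=%s --location=%s --keyring=%s --member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n' \
    "$4" "$1" "$2" "$3" "$5"
}

# Command whose output policy_has_binding checks.
cmek_verify_cmd() {  # $1 source project id, $2 location, $3 key ring, $4 key
  printf 'gcloud kms keys get-iam-policy %s --project=%s --location=%s --keyring=%s --format=flattened\n' \
    "$4" "$1" "$2" "$3"
}

# Given flattened policy text (lines such as "bindings[0].role: roles/x" and
# "bindings[0].members[1]: serviceAccount:y"), print "ok" and return 0 when
# the service account $2 holds role $3 in the same binding; otherwise return 1.
policy_has_binding() {  # $1 policy text, $2 service account e-mail, $3 role
  printf '%s\n' "$1" | awk -v m="serviceAccount:$2" -v r="$3" '
    /^bindings\[[0-9]+\]\.role:/ {
      i = $1; sub(/\.role:$/, "", i); role[i] = $2
    }
    /^bindings\[[0-9]+\]\.members\[[0-9]+\]:/ {
      i = $1; sub(/\.members\[[0-9]+\]:$/, "", i); if ($2 == m) has[i] = 1
    }
    END {
      for (i in has) if (role[i] == r) { print "ok"; exit 0 }
      exit 1
    }'
}

# Constructed sample policy, in the flattened shape assumed above.
AGENT=$(compute_service_agent 123456789012)
SAMPLE_POLICY="bindings[0].members[0]: serviceAccount:$AGENT
bindings[0].role:       roles/cloudkms.cryptoKeyEncrypterDecrypter
bindings[1].members[0]: user:alice@example.com
bindings[1].role:       roles/cloudkms.viewer
etag:                   BwXYZ123
version:                1"

# Usage: print the grant, then the verification command, then check the sample.
cmek_grant_cmd my-source-project us-central1 backup-ring disk-key "$AGENT"
cmek_verify_cmd my-source-project us-central1 backup-ring disk-key
policy_has_binding "$SAMPLE_POLICY" "$AGENT" roles/cloudkms.cryptoKeyEncrypterDecrypter
```

Resolve the agent from the target project's number (project_number) rather than typing it, and run the verify command after the grant; if policy_has_binding returns 1 on the real output, the restore will still fail with a KMS permission error when it tries to create the disk from the CMEK-encrypted snapshot.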
