Console
    Contact Us Start free

    IAM roles and permissions to backup, mount, and restore Compute Engine instances

    This page lists the IAMroles and permissions that are required to backup, mount, and restore a Compute Engine instance.

    IAM roles and permissions

    To backup, mount, and restore an instance you need to assign the Backup and DR Compute Engine Operator role to the service account of the backup/recovery appliance or create a custom role and assign all the permissions listed on this page.

    The following lists the predefined Compute Engine IAM permissions that are required to back up, mount, and restore Compute Engine instances.

    • Backup Compute Engine instance

      • compute.disks.createSnapshot
      • compute.disks.get
      • compute.instances.list
      • compute.instances.setLabels
      • compute.regions.get
      • compute.regionOperations.get
      • compute.snapshots.create
      • compute.snapshots.delete
      • compute.snapshots.get
      • compute.snapshots.setLabels
      • compute.snapshots.useReadOnly
      • compute.zones.list
      • compute.zoneOperations.get
      • iam.serviceAccounts.actAs
      • iam.serviceAccounts.get
      • iam.serviceAccounts.list
      • resourcemanager.projects.get
      • resourcemanager.projects.list

    • Mount to existing Compute Engine instance

      • compute.disks.create
      • compute.disks.delete
      • compute.disks.get
      • compute.disks.use
      • compute.diskTypes.get
      • compute.diskTypes.list
      • compute.images.create
      • compute.images.delete
      • compute.images.get
      • compute.images.useReadOnly
      • compute.instances.attachDisk
      • compute.instances.create
      • compute.instances.delete
      • compute.instances.detachDisk
      • compute.instances.get
      • compute.instances.list
      • compute.instances.setMetadata
      • compute.regions.get
      • compute.regions.list
      • compute.regionOperations.get
      • compute.zones.list
      • iam.serviceAccounts.actAs
      • iam.serviceAccounts.get
      • iam.serviceAccounts.list
      • resourcemanager.projects.get

    • Mount to new Compute Engine instance and restore instance

      • compute.addresses.list
      • compute.diskTypes.get
      • compute.diskTypes.list
      • compute.disks.create
      • compute.disks.createSnapshot
      • compute.disks.delete
      • compute.disks.get
      • compute.disks.setLabels
      • compute.disks.use
      • compute.firewalls.list
      • compute.globalOperations.get
      • compute.images.create
      • compute.images.delete
      • compute.images.get
      • compute.images.useReadOnly
      • compute.instances.attachDisk
      • compute.instances.create
      • compute.instances.delete
      • compute.instances.detachDisk
      • compute.instances.get
      • compute.instances.list
      • compute.instances.setLabels
      • compute.instances.setMetadata
      • compute.instances.setServiceAccount
      • compute.instances.setTags
      • compute.instances.start
      • compute.instances.stop
      • compute.machineTypes.get
      • compute.machineTypes.list
      • compute.networks.list
      • compute.nodeGroups.list
      • compute.nodeGroups.get
      • compute.nodeTemplates.get
      • compute.projects.get
      • compute.regions.get
      • compute.regionOperations.get
      • compute.snapshots.create
      • compute.snapshots.get
      • compute.snapshots.setLabels
      • compute.snapshots.useReadOnly
      • compute.subnetworks.list
      • compute.subnetworks.use
      • compute.subnetworks.useExternalIp
      • compute.zoneOperations.get
      • compute.zones.list
      • iam.serviceAccounts.actAs
      • iam.serviceAccounts.get
      • iam.serviceAccounts.list
      • resourcemanager.projects.get

    Permissions to mount Compute Engine instance with customer managed encryption keys

    To mount a Compute Engine backup image as an existing or new Compute Engine instance, where the source disk is using customer-managed encryption keys (CMEK), you need to copy the service account name of the Compute Engine service agent from the target project and add it in the source project and assign the role CryptoKey Encrypter/Decrypter detailed as follows.

    Use the following instructions to add permissions when using CMEK:

    1. From the Projectdrop-down, select your target project.
    2. From the left-navigation menu, go to IAM & Admin > IAM
    3. Select Include Google-provided role grants.
    4. Find the Compute Engine Service Agentservice account and copy the ID of the Principal. This is in an email address format, such as my-service-account@my-project.iam.gserviceaccount.com.
    5. Select your source project from the Projectdrop-down where the key was created.
    6. From the left-navigation menu, go to IAM & Admin > IAM.
    7. Select Grant Access.
    8. In Add Principals, paste the ID of the Compute Engine service agent from the target project.
    9. In Assign roles, assign the Cloud KMS CryptoKey Encrypter/Decrypter role.
    10. Select Save.

    The Backup and DR Compute Engine guide
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: