IAM roles and permissions


This page describes how to grant the Backup for GKE service permissions for a Google Cloud project, backups, or restores.

Predefined roles

Backup for GKE has the following predefined roles:

| Role | Title | Description | Lowest resource |
|---|---|---|---|
| gkebackup.admin | Backup for GKE Admin | Full read-write access to all Backup for GKE resources | Project |
| gkebackup.backupAdmin | Backup for GKE Backup Admin | Creates and manages backup plans and backups. Can delegate manual backup creation to Delegated Backup Admins. | Project |
| gkebackup.delegatedBackupAdmin | Backup for GKE Delegated Backup Admin | Creates and manages backups within a backup plan. | BackupPlan |
| gkebackup.viewer | Backup for GKE Viewer | Read-only access to all Backup for GKE resources | Project |
| gkebackup.restoreAdmin | Backup for GKE Restore Admin | Creates and manages restore plans and restores. Can delegate restore creation to Delegated Restore Admins. | Project |
| gkebackup.delegatedRestoreAdmin | Backup for GKE Delegated Restore Admin | Creates and manages restores within a restore plan. | RestorePlan |

Set project-level permissions

You can grant Identity and Access Management (IAM) permissions for an entire Google Cloud project to an account on the IAM page of the Google Cloud console or by using the Google Cloud CLI. Adding permissions at the project level grants the IAM permissions to an account for the following roles:

  • Backup for GKE Admin
  • Backup for GKE Backup Admin
  • Backup for GKE Viewer
  • Backup for GKE Restore Admin

gcloud

To set permissions, run the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --role roles/ROLE_ID \
        --member PRINCIPAL

Replace the following:

  • PROJECT_ID: the ID of your Google Cloud project.
  • ROLE_ID: the type of role, for example gkebackup.backupAdmin.
  • PRINCIPAL: an identifier for the principal, which usually has the following form: member-type:id. For example, user:my-user@example.com.

Console

Perform the following tasks in the Google Cloud console:

  1. Go to your project's IAM page.


  2. Click the Grant access button below the toolbar.

  3. In the New principals box, enter the email for the account that you want to add.

  4. Select a role in the drop-down list, for example Backup for GKE Admin.

  5. Click Save.
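
To review what has been granted at the project level, the following added example (not part of the original documentation or Google's own code) reads a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and lists Backup for GKE bindings that are broader than the role table requires. The sample policy, its principals and the wording of the findings are constructed for illustration.

```python
import json

# Lowest resource each predefined role can be bound on (role table on this page).
LOWEST_RESOURCE = {
    "roles/gkebackup.admin": "Project",
    "roles/gkebackup.backupAdmin": "Project",
    "roles/gkebackup.delegatedBackupAdmin": "BackupPlan",
    "roles/gkebackup.viewer": "Project",
    "roles/gkebackup.restoreAdmin": "Project",
    "roles/gkebackup.delegatedRestoreAdmin": "RestorePlan",
}


def audit_project_policy(policy):
    """Return sorted (member, role, finding) tuples for Backup for GKE bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in LOWEST_RESOURCE:
            continue  # not a Backup for GKE predefined role
        for member in binding.get("members", []):
            if role == "roles/gkebackup.admin":
                # Admin covers every backup and restore resource in the project.
                findings.append((member, role, "full read-write on all resources"))
            elif LOWEST_RESOURCE[role] != "Project":
                # Delegated roles can be scoped to one plan; a project-level
                # binding applies to every plan in the project.
                scope = LOWEST_RESOURCE[role]
                findings.append((member, role, f"could be bound on a single {scope} instead"))
    return sorted(findings)


# Constructed sample policy (principals and project name are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/gkebackup.admin", "members": ["user:my-user@example.com"]},
    {"role": "roles/gkebackup.delegatedBackupAdmin",
     "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/gkebackup.viewer", "members": ["group:ops@example.com"]},
    {"role": "roles/container.admin", "members": ["user:other@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for member, role, finding in audit_project_policy(SAMPLE_POLICY):
        print(f"{member}\t{role}\t{finding}")
```

Bindings for the Viewer, Backup Admin and Restore Admin roles are not reported, because Project is already their lowest resource.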