This page lists the roles and permissions required to back up, mount, and restore Compute Engine instances.
Required roles
To back up, mount, and restore an instance, we recommend that you grant the following IAM role to the service account used by the backup/recovery appliance.
To get the permissions that you need to back up, mount, and restore Compute Engine instances, ask your administrator to grant you the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
If you prefer to use custom roles, you must include all permissions listed in the following section.
Granular permissions
The following table compares the granular permissions required for different Compute Engine operations.
| Permission | Backup | Mount (existing) | Restore / Mount (new) |
|---|---|---|---|
| Compute Engine | | | |
| compute.addresses.list | Yes | | |
| compute.disks.create | Yes | Yes | |
| compute.disks.createSnapshot | Yes | Yes | |
| compute.disks.delete | Yes | Yes | |
| compute.disks.get | Yes | Yes | Yes |
| compute.disks.setLabels | Yes | | |
| compute.disks.use | Yes | Yes | |
| compute.diskTypes.get | Yes | Yes | |
| compute.diskTypes.list | Yes | Yes | |
| compute.firewalls.list | Yes | | |
| compute.globalOperations.get | Yes | | |
| compute.images.create | Yes | Yes | |
| compute.images.delete | Yes | Yes | |
| compute.images.get | Yes | Yes | |
| compute.images.useReadOnly | Yes | Yes | |
| compute.instances.attachDisk | Yes | Yes | |
| compute.instances.create | Yes | Yes | |
| compute.instances.delete | Yes | Yes | |
| compute.instances.detachDisk | Yes | Yes | |
| compute.instances.get | Yes | Yes | |
| compute.instances.list | Yes | Yes | Yes |
| compute.instances.setLabels | Yes | Yes | |
| compute.instances.setMetadata | Yes | Yes | |
| compute.instances.setServiceAccount | Yes | | |
| compute.instances.setTags | Yes | | |
| compute.instances.start | Yes | | |
| compute.instances.stop | Yes | | |
| compute.machineTypes.get | Yes | | |
| compute.machineTypes.list | Yes | | |
| compute.networks.list | Yes | | |
| compute.nodeGroups.get | Yes | | |
| compute.nodeGroups.list | Yes | | |
| compute.nodeTemplates.get | Yes | | |
| compute.projects.get | Yes | | |
| compute.regions.get | Yes | Yes | Yes |
| compute.regions.list | Yes | | |
| compute.regionOperations.get | Yes | Yes | Yes |
| compute.snapshots.create | Yes | Yes | |
| compute.snapshots.delete | Yes | | |
| compute.snapshots.get | Yes | Yes | |
| compute.snapshots.setLabels | Yes | Yes | |
| compute.snapshots.useReadOnly | Yes | Yes | |
| compute.subnetworks.list | Yes | | |
| compute.subnetworks.use | Yes | | |
| compute.subnetworks.useExternalIp | Yes | | |
| compute.zoneOperations.get | Yes | Yes | |
| compute.zones.list | Yes | Yes | Yes |
| IAM | | | |
| iam.serviceAccounts.actAs | Yes | Yes | Yes |
| iam.serviceAccounts.get | Yes | Yes | Yes |
| iam.serviceAccounts.list | Yes | Yes | Yes |
| Resource Manager | | | |
| resourcemanager.projects.get | Yes | Yes | Yes |
| resourcemanager.projects.list | Yes | | |
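A custom role must carry every permission in the table above. The following Python check is an added example, not code from the Google Cloud documentation: it takes a role's permission list (for instance the includedPermissions field returned by `gcloud iam roles describe`) and reports which required permissions are missing and which extra ones are candidates for removal under least privilege; the sample role is constructed for the demonstration.

```python
# Added example (not Google's code): verify that a custom role carries every
# permission this page lists, and flag surplus permissions for least privilege.
# Permission names are transcribed from the table above, grouped by prefix.
_GROUPED = {
    "compute.addresses.": "list",
    "compute.disks.": "create createSnapshot delete get setLabels use",
    "compute.diskTypes.": "get list",
    "compute.firewalls.": "list",
    "compute.globalOperations.": "get",
    "compute.images.": "create delete get useReadOnly",
    "compute.instances.": "attachDisk create delete detachDisk get list setLabels "
                          "setMetadata setServiceAccount setTags start stop",
    "compute.machineTypes.": "get list",
    "compute.networks.": "list",
    "compute.nodeGroups.": "get list",
    "compute.nodeTemplates.": "get",
    "compute.projects.": "get",
    "compute.regions.": "get list",
    "compute.regionOperations.": "get",
    "compute.snapshots.": "create delete get setLabels useReadOnly",
    "compute.subnetworks.": "list use useExternalIp",
    "compute.zoneOperations.": "get",
    "compute.zones.": "list",
    "iam.serviceAccounts.": "actAs get list",
    "resourcemanager.projects.": "get list",
}

def required_permissions() -> frozenset:
    """Expand the grouped table into the full set of permission names."""
    return frozenset(p + n for p, names in _GROUPED.items() for n in names.split())

def check_role(role_permissions) -> dict:
    """Compare a role's permission list (for example the includedPermissions
    field of `gcloud iam roles describe ROLE --project PROJECT --format=json`)
    against the required set. 'missing' means the role cannot perform every
    operation on this page; 'extra' lists permissions to review for removal."""
    have, need = set(role_permissions), required_permissions()
    return {"missing": sorted(need - have), "extra": sorted(have - need)}

# Constructed sample role: two required permissions omitted, one unrelated added.
SAMPLE_ROLE = sorted(
    (required_permissions() - {"compute.disks.createSnapshot", "iam.serviceAccounts.actAs"})
    | {"storage.buckets.list"}
)

if __name__ == "__main__":
    print(check_role(SAMPLE_ROLE))
```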
Permissions for CMEK
If the source disk uses customer-managed encryption keys (CMEK), the Compute Engine service agent requires the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the key in the source project.
To grant this permission, follow these steps:
- In the Google Cloud console, go to the IAM page for your target project.
- Select Include Google-provided role grants.
- Find the Compute Engine Service Agent service account and copy its email address (the principal).
- Switch to the source project where the KMS key is located.
- Click Grant Access and paste the service account email.
- Select the Cloud KMS CryptoKey Encrypter/Decrypter role and click Save.
Related information
- Cloud credentials required for the backup/recovery appliance
- Discover and protect Compute Engine instances
- Mount backups of Compute Engine instances
- Restore a Compute Engine instance
- Import persistent disk snapshot images