This page shows you how to resolve issues with Backup and DR Service for resources that are backed up within the backup vault using the backup plan. To find solutions for resources protected using the backup template in the management console, see Event IDs and error messages.
PERMISSION_DENIED issue
The backup job failed due to missing permissions in the source project and the following error message is displayed:
Backup and DR agent or backup vault service agent is missing the permissions required to take backups of resources in the source project.
To resolve the issue, do the following:
- If the backup vault and the resource are in the same project, assign the Backup and DR agent (roles/backupdr.serviceAgent) IAM role to the backup dr service agent, which is in the service-<project-number>@gcp-sa-backupdr.iam.gserviceaccount.com format.
- If the backup vault and the resource to protect are in different projects, assign the Compute instance admin (v1) (roles/compute.instanceAdmin.v1) IAM role to the backup dr service agent, which is in the service-<project-number>@gcp-sa-backupdr.iam.gserviceaccount.com format.
FAILED_PRECONDITION issue
The backup job failed when the protected resource was deleted and the following error message is displayed:
Backup job failed due to unmet conditions. Check for source resource deletion or backup misconfigurations.
To resolve this issue, do the following:
- Verify that the protected resource still exists from the VM instances page.
- If the deletion was intentional, unprotect the Compute Engine instance.
Error 412: constraints/compute.storageResourceUseRestrictions violated
Error 412 occurs when an attempt to back up a Persistent Disk or Google Cloud Hyperdisk fails due to an organization policy constraint violation during backup creation, resulting in the following error message:
Error 412: Constraint constraints/compute.storageResourceUseRestrictions violated for project aaaaa. projects/aaax/zones/aa-aaaaa-a/disks/aaaa can't be used within your project., conditionNotMet
Backup and DR creates backups of your Persistent Disks and Google Cloud Hyperdisks. The backups reside in your Google Cloud project (also known as the tenant project) that is managed by Google Cloud. The tenant project exists within the google.com organization, separate from your own organization.
Your organization policy dictates where you can create storage resources. The Constraint constraints/compute.storageResourceUseRestrictions violated error means that a resource or backup is violating the policy by being created in a tenant project that isn't part of your allowed organizational structure. Because the tenant project is within the google.com organization, it falls outside of your defined policy, which leads to the backup failure.
To resolve this error, use the following instructions:
- Locate the organization policy that implements the constraints/compute.storageResourceUseRestrictions constraint. For more information about how to view organization policies using the Google Cloud console, see Viewing organization policies.
- Modify the constraints/compute.storageResourceUseRestrictions policy to include the folders/238813353932 tenant project folder used by Backup for GKE in its allowlist.
- Save the policy changes after you add the folder to the allowlist.
- Retest the backup operation after the organization policy updates and propagates, which usually takes a few minutes. The backup should proceed without violating the storage resource use restrictions. If the operation is still unsuccessful, contact Cloud Customer Care for further assistance.
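The following check is an added example, not part of the original page or of Google's tooling. It takes the policy as exported with gcloud resource-manager org-policies describe ... --format=json, reports whether the tenant folder is on the allowlist, and adds only that folder while keeping every existing entry. Assumptions: the policy uses the legacy listPolicy JSON shape, allowlist values use the under: prefix, and the organization ID in the sample is constructed.

```python
import json

CONSTRAINT = "constraints/compute.storageResourceUseRestrictions"
# Folder ID from this page, written in the "under:" value form (assumption).
TENANT_FOLDER = "under:folders/238813353932"


def tenant_folder_status(policy: dict) -> str:
    """Classify a policy dict as 'allowed', 'blocked' or 'wrong-constraint'."""
    if policy.get("constraint") != CONSTRAINT:
        return "wrong-constraint"
    rules = policy.get("listPolicy") or {}
    denied = rules.get("deniedValues", [])
    if rules.get("allValues") == "DENY" or TENANT_FOLDER in denied:
        return "blocked"
    allowed = rules.get("allowedValues")
    if rules.get("allValues") == "ALLOW" or allowed is None:
        return "allowed"  # no allowlist in force, so nothing excludes the folder
    return "allowed" if TENANT_FOLDER in allowed else "blocked"


def with_tenant_folder(policy: dict) -> dict:
    """Return a copy whose allowlist also contains the tenant folder."""
    if tenant_folder_status(policy) != "blocked":
        return policy  # nothing to change (or not this constraint)
    fixed = json.loads(json.dumps(policy))  # deep copy, input stays untouched
    rules = fixed.setdefault("listPolicy", {})
    if rules.get("allValues") == "DENY" or TENANT_FOLDER in rules.get("deniedValues", []):
        # An explicit deny is a deliberate decision; do not override it here.
        raise ValueError("policy denies the folder explicitly; review it by hand")
    rules.setdefault("allowedValues", []).append(TENANT_FOLDER)
    return fixed


# Constructed sample: only the customer's own organization is on the allowlist.
SAMPLE = {
    "constraint": CONSTRAINT,
    "listPolicy": {"allowedValues": ["under:organizations/123456789012"]},
}

if __name__ == "__main__":
    print(tenant_folder_status(SAMPLE))
    print(json.dumps(with_tenant_folder(SAMPLE), indent=2))
```

The printed policy can be reviewed as a diff against the export before it is applied, so the only change to the allowlist is the single tenant folder entry.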