Backup and DR Service installation permissions and roles reference
During the deployment process, a service account created on your behalf uses
these permissions for the duration of the deployment.
The service account uses these permissions to install the backup/recovery appliance
-----------------------------------------------------------------------------------

The service account is highly privileged in the target, VPC, and consumer
projects during the installation. Most of these permissions are removed as the
installation progresses. The following table contains the roles granted to the
service account and the permissions needed within each role.
| Role | Permissions needed | If Shared VPC, then assign to: |
|---|---|---|
| resourcemanager.projectIamAdmin | resourcemanager.projects.getIamPolicy | VPC Owner, Backup Admin, and Workload projects |
| | resourcemanager.projects.setIamPolicy | VPC Owner, Backup Admin, and Workload projects |
| iam.serviceAccountUser | iam.serviceAccounts.actAs | Workload project |
| iam.serviceAccountTokenCreator | iam.serviceAccounts.getOpenIdToken | Workload project |
| cloudkms.admin | cloudkms.keyRings.create | VPC Owner, Backup Admin, and Workload projects |
| | cloudkms.keyRings.getIamPolicy | VPC Owner, Backup Admin, and Workload projects |
| | cloudkms.keyRings.setIamPolicy | VPC Owner, Backup Admin, and Workload projects |
| logging.logWriter | logging.logs.write | Workload project |
| compute.admin | compute.instances.create | Workload project |
| | compute.instances.delete | Workload project |
| | compute.disks.create | Workload project |
| | compute.disks.delete | Workload project |
| | compute.instances.setMetadata | Workload project |
| | compute.subnetworks.get | VPC project |
| | compute.subnetworks.use | VPC project |
| | compute.subnetworks.setPrivateIpGoogleAccess | VPC project |
| | compute.firewalls.create | VPC project |
| | compute.firewalls.delete | VPC project |
| backupdr.admin | backupdr.managementservers.manageInternalACL | Backup Admin project |
After installation is finished, for daily operation on the workload project
---------------------------------------------------------------------------

All of the permissions required for deployment and installation are removed
except for `iam.serviceAccountUser` and `iam.serviceAccounts.actAs`. Two cloudkms
roles needed for daily operation are added, restricted to a single key ring.
| Role | Permissions needed |
|---|---|
| iam.serviceAccountUser | iam.serviceAccounts.actAs |
| cloudkms.cryptoKeyEncrypterDecrypter* | cloudkms.cryptoKeyVersions.useToDecrypt |
| | cloudkms.cryptoKeyVersions.useToEncrypt |
| cloudkms.admin* | cloudkms.keyRings.get |
| backupdr.computeEngineOperator* | All permissions listed in the role. |
| backupdr.cloudStorageOperator** | All permissions listed in the role. |
`*` The `cloudkms` roles are on a single key ring.

`**` The `cloudStorageOperator` role is on buckets with names that start with
the name of the backup/recovery appliance.
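The tables above describe the expected end state: after installation, the deployment service account should hold only the daily-operation roles on the workload project, with the Cloud KMS roles bound on a single key ring rather than project-wide. The following script is an added example (not part of this reference and not Backup and DR Service code) that checks an IAM policy against that description. It takes policies in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and `gcloud kms keyrings get-iam-policy --format=json`, and reports any installation-time role still bound to the service account. The service account e-mail, the sample policies, and the treatment of `backupdr.computeEngineOperator` as a project-level role are assumptions made for the example.

```python
"""Audit the deployment service account's remaining IAM bindings.

Added example, not part of the Backup and DR documentation. Role names are
the predefined roles from the page's tables with the `roles/` prefix that
IAM policy bindings use. The service account e-mail and the sample policies
below are constructed for illustration.
"""
import json

# Roles the installation table grants only for the duration of deployment.
INSTALL_ONLY_ROLES = {
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/cloudkms.admin",
    "roles/logging.logWriter",
    "roles/compute.admin",
    "roles/backupdr.admin",
}

# Roles the daily-operation table allows on the workload project itself.
# Assumption: backupdr.computeEngineOperator is bound at project level.
# backupdr.cloudStorageOperator is scoped to buckets per the page, so a
# project-wide binding of it is reported as unexpected.
DAILY_PROJECT_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/backupdr.computeEngineOperator",
}

# Roles the page says remain, but only on a single key ring.
DAILY_KEYRING_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.admin",
}


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in an IAM policy dict."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_project_policy(policy, member):
    """Report project-level bindings that should not survive installation.

    `leftover_install_roles` lists installation-time roles still present
    (a project-wide cloudkms.admin lands here, since the page scopes it to
    a key ring); `unexpected_roles` lists anything else outside the
    daily-operation set.
    """
    bound = roles_for_member(policy, member)
    return {
        "leftover_install_roles": sorted(bound & INSTALL_ONLY_ROLES),
        "unexpected_roles": sorted(bound - INSTALL_ONLY_ROLES - DAILY_PROJECT_ROLES),
    }


def audit_keyring_policy(policy, member):
    """Return key-ring roles bound to `member` that the page does not list."""
    return sorted(roles_for_member(policy, member) - DAILY_KEYRING_ROLES)


# Constructed sample input; the service account name is a placeholder.
SA = "serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"

SAMPLE_PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"]},
    {"role": "roles/backupdr.computeEngineOperator",
     "members": ["serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")

SAMPLE_KEYRING_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.admin",
     "members": ["serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    # On the sample data, compute.admin is reported as a leftover
    # installation role; the key-ring bindings match the page.
    print(audit_project_policy(SAMPLE_PROJECT_POLICY, SA))
    print(audit_keyring_policy(SAMPLE_KEYRING_POLICY, SA))
```

Run it against the real policies by loading the two `gcloud ... get-iam-policy --format=json` outputs with `json.load` and passing the deployment service account's `serviceAccount:` member string; a non-empty `leftover_install_roles` list means the installation-time clean-up described above did not complete.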
Permissions used to create a firewall on the project
----------------------------------------------------

These IAM permissions are used to create a firewall on the
project that owns the VPC only during firewall creation.

    compute.firewalls.create
    compute.firewalls.delete
    compute.firewalls.get
    compute.firewalls.list
    compute.firewalls.update
    compute.networks.list
    compute.networks.get
    compute.networks.updatePolicy

**All other permissions are no longer needed after installation.**