Backup and DR Service installation permissions and roles reference
During the deployment process, a service account created on your behalf uses these permissions for the duration of the deployment.

The service account uses these permissions to install the backup/recovery appliance

The service account is highly privileged in the target, VPC, and consumer projects during the installation. Most of these permissions are removed as the installation progresses. The following table lists the roles granted to the service account and the permissions needed within each role.
| Role | Permission required | If Shared VPC, assign to: |
|---|---|---|
| resourcemanager.projectIamAdmin | resourcemanager.projects.getIamPolicy | VPC owner, Backup Admin, and Workload projects |
| | resourcemanager.projects.setIamPolicy | VPC owner, Backup Admin, and Workload projects |
| iam.serviceAccountUser | iam.serviceAccounts.actAs | Workload project |
| iam.serviceAccountTokenCreator | iam.serviceAccounts.getOpenIdToken | Workload project |
| cloudkms.admin | cloudkms.keyRings.create | VPC owner, Backup Admin, and Workload projects |
| | cloudkms.keyRings.getIamPolicy | VPC owner, Backup Admin, and Workload projects |
| | cloudkms.keyRings.setIamPolicy | VPC owner, Backup Admin, and Workload projects |
| logging.logWriter | logging.logs.write | Workload project |
| compute.admin | compute.instances.create | Workload project |
| | compute.instances.delete | Workload project |
| | compute.disks.create | Workload project |
| | compute.disks.delete | Workload project |
| | compute.instances.setMetadata | Workload project |
| | compute.subnetworks.get | VPC project |
| | compute.subnetworks.use | VPC project |
| | compute.subnetworks.setPrivateIpGoogleAccess | VPC project |
| | compute.firewalls.create | VPC project |
| | compute.firewalls.delete | VPC project |
| backupdr.admin | backupdr.managementservers.manageInternalACL | Backup Admin project |
After installation is finished, for daily operation on the workload project

All of the permissions required for deployment and installation are removed except for the iam.serviceAccountUser role (which carries the iam.serviceAccounts.actAs permission). Two cloudkms roles needed for daily operation are added, restricted to a single key ring; the two backupdr operator roles listed in the following table are also retained for daily operation.
| Role | Permission required |
|---|---|
| iam.serviceAccountUser | iam.serviceAccounts.actAs |
| cloudkms.cryptoKeyEncrypterDecrypter* | cloudkms.cryptoKeyVersions.useToDecrypt |
| | cloudkms.cryptoKeyVersions.useToEncrypt |
| cloudkms.admin* | cloudkms.keyRings.get |
| backupdr.computeEngineOperator* | All permissions listed in the role. |
| backupdr.cloudStorageOperator** | All permissions listed in the role. |

`*` The `cloudkms` roles are on a single key ring.

`**` The `cloudStorageOperator` role is on buckets with names that start with the name of the backup/recovery appliance.
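The practical check a practitioner wants after installation is whether the cleanup actually happened: no deployment-only role is still bound to the service account at project scope, and the KMS roles sit on exactly one key ring. The following script is an added example, not code from the Backup and DR Service or its documentation. It consumes IAM policies in the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud kms keyrings get-iam-policy RING --location LOC --format=json`, and reports every role that the tables above say should be gone. The service account e-mail, project IDs, key-ring names, and all policy documents below are constructed sample data.

```python
"""Audit the deployment service account's residual IAM bindings.

Added example for this reference page; not code from the Backup and DR Service
or its documentation. The role sets below are the ones named in the two tables
on the page, with the `roles/` prefix that gcloud prints. Everything else
(service account e-mail, project and key-ring names, policies) is constructed.
"""

# Hypothetical deployment service account (constructed for the example).
SA = "serviceAccount:backupdr-deploy@example-workload.iam.gserviceaccount.com"

# Project-scope roles the page lists as remaining on the workload project.
ALLOWED_PROJECT_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/backupdr.computeEngineOperator",
    "roles/backupdr.cloudStorageOperator",
}

# Deployment-only roles from the first table; any of these left behind is a finding.
INSTALL_ONLY_ROLES = {
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/logging.logWriter",
    "roles/compute.admin",
    "roles/backupdr.admin",
    "roles/cloudkms.admin",
}

# KMS roles that may remain, but only on one key ring, never at project scope.
KEY_RING_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.admin",
}


def roles_for(policy, member):
    """Return the set of roles bound to `member` in a getIamPolicy response.

    Conditional bindings count too: a time-limited or title-scoped grant is
    still a standing grant from an audit point of view.
    """
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_project_policy(policy, member):
    """Check the member's project-scope roles. Returns (ok, findings)."""
    findings = []
    for role in sorted(roles_for(policy, member)):
        if role in INSTALL_ONLY_ROLES:
            findings.append(f"{role}: installation-only role still bound at project scope")
        elif role in KEY_RING_ROLES:
            findings.append(f"{role}: KMS role must sit on a single key ring, not on the project")
        elif role not in ALLOWED_PROJECT_ROLES:
            findings.append(f"{role}: not in the post-installation role set")
    return (not findings, findings)


def audit_key_rings(key_ring_policies, member):
    """key_ring_policies maps key-ring resource names to their IAM policies.

    The page restricts the appliance's KMS roles to exactly one key ring.
    """
    rings = sorted(name for name, pol in key_ring_policies.items()
                   if roles_for(pol, member) & KEY_RING_ROLES)
    if len(rings) == 1:
        return (True, [])
    return (False, [f"KMS roles bound on {len(rings)} key rings, expected exactly one: {rings}"])


# Constructed sample: a workload project where cleanup did not finish.
LEFTOVER_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": [SA]},
        {"role": "roles/backupdr.computeEngineOperator", "members": [SA]},
        {"role": "roles/compute.admin", "members": [SA, "user:admin@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [SA]},
    ],
    "etag": "BwX0000000=",
    "version": 1,
}

# Constructed sample: the expected post-installation state.
CLEAN_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": [SA]},
        {"role": "roles/backupdr.computeEngineOperator", "members": [SA]},
        {"role": "roles/backupdr.cloudStorageOperator", "members": [SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwX0000001=",
    "version": 1,
}

# Constructed key-ring policies (resource names are hypothetical).
RING_A = "projects/example-workload/locations/us-central1/keyRings/backupdr-ring"
RING_B = "projects/example-workload/locations/us-east1/keyRings/old-ring"
KMS_BINDINGS = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [SA]},
    {"role": "roles/cloudkms.admin", "members": [SA]},
]}
KEY_RINGS_OK = {RING_A: KMS_BINDINGS, RING_B: {"bindings": []}}
KEY_RINGS_BAD = {RING_A: KMS_BINDINGS, RING_B: KMS_BINDINGS}

if __name__ == "__main__":
    for label, pol in (("leftover", LEFTOVER_POLICY), ("clean", CLEAN_POLICY)):
        ok, findings = audit_project_policy(pol, SA)
        print(label, "OK" if ok else "FINDINGS", *findings, sep="\n  ")
    print("key rings:", audit_key_rings(KEY_RINGS_BAD, SA))
```

Run it against the real policies by replacing the constructed dictionaries with `json.load` of the gcloud output; on the sample data it reports the project-scope `cloudkms.cryptoKeyEncrypterDecrypter` and the leftover `compute.admin`, and flags the second key ring. Role names not mentioned on the page (for example a project-level `roles/owner` someone granted by hand) are reported as "not in the post-installation role set" rather than silently accepted.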
Permissions used to create a firewall on the project

These IAM permissions are used to create a firewall on the project that owns the VPC, and only during firewall creation.
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.networks.list
compute.networks.get
compute.networks.updatePolicy

**All other permissions are no longer needed after installation.**