IAM roles and permissions to backup, mount, and restore Compute Engine instances
Stay organized with collections
Save and categorize content based on your preferences.
This page lists the IAMroles and permissions that are required to backup,
mount, and restore a Compute Engine instance.
IAM roles and permissions
To backup, mount, and restore an instance you need to assign the
Backup and DR Compute Engine Operatorrole to the service account of the
backup/recovery appliance or create a custom role and assign all the permissions listed on
this page.
The following lists the predefined Compute Engine IAM
permissions that are required to back up, mount, and restore Compute Engine
instances.
Backup Compute Engine instance
compute.disks.createSnapshot
compute.disks.get
compute.instances.list
compute.instances.setLabels
compute.regions.get
compute.regionOperations.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.zones.list
compute.zoneOperations.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Mount to existing Compute Engine instance
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.use
compute.diskTypes.get
compute.diskTypes.list
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setMetadata
compute.regions.get
compute.regions.list
compute.regionOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
Mount to new Compute Engine instance and restore instance
compute.addresses.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.machineTypes.get
compute.machineTypes.list
compute.networks.list
compute.nodeGroups.list
compute.nodeGroups.get
compute.nodeTemplates.get
compute.projects.get
compute.regions.get
compute.regionOperations.get
compute.snapshots.create
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
Permissions to mount Compute Engine instance with customer managed encryption keys
To mount a Compute Engine backup image as an existing or new Compute Engine
instance, where the source disk is using customer-managed encryption keys
(CMEK), you need to copy the service account name of the Compute Engine
service agent from the target project and add it in the source project and
assign the role CryptoKey Encrypter/Decrypter detailed as follows.
Use the following instructions to add permissions when using CMEK:
From the Project drop-down, select your target project.
From the left-navigation menu, go to IAM & Admin>IAM
Select Include Google-provided role grants.
Find the Compute Engine Service Agent service account and copy the ID of
the Principal. This is in an email address format, such as
my-service-account@my-project.iam.gserviceaccount.com.
Select your source project from the Project drop-down where the key was
created.
From the left-navigation menu, go to IAM & Admin>IAM.
Select Grant Access.
In Add Principals, paste the ID of the Compute Engine service agent
from the target project.
In Assign roles, assign the Cloud KMS CryptoKey Encrypter/Decrypter
role.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page details the required IAM roles and permissions for backing up, mounting, and restoring Compute Engine instances.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eBackup and DR Compute Engine Operator\u003c/code\u003e role, or a custom role with equivalent permissions, is necessary for the service account managing these operations.\u003c/p\u003e\n"],["\u003cp\u003eSpecific permissions are outlined for backing up instances, mounting to existing instances, and mounting to new instances or restoring an instance.\u003c/p\u003e\n"],["\u003cp\u003eFor instances using customer-managed encryption keys (CMEK), additional steps are required to grant the Compute Engine service agent in the target project the \u003ccode\u003eCloud KMS CryptoKey Encrypter/Decrypter\u003c/code\u003e role in the source project.\u003c/p\u003e\n"],["\u003cp\u003eThere are links to the Backup and DR Compute Engine guide for more in-depth explanations of cloud credentials, protecting Compute Engine instances, mounting backup images, and restoring instances, among others.\u003c/p\u003e\n"]]],[],null,["# IAM roles and permissions to backup, mount, and restore Compute Engine instances\n\nThis page lists the IAMroles and permissions that are required to backup,\nmount, and restore a Compute Engine instance.\n\nIAM roles and permissions\n-------------------------\n\nTo backup, mount, and restore an instance you need to assign the\n`Backup and DR Compute Engine Operator`role to the service account of the\nbackup/recovery appliance or create a [custom role](/iam/docs/creating-custom-roles#creating_a_custom_role) and assign all the permissions listed on\nthis page.\n\nThe following lists the predefined Compute Engine IAM\npermissions that are required to back up, mount, and restore Compute Engine\ninstances.\n\n- Backup Compute Engine instance\n\n - `compute.disks.createSnapshot`\n - `compute.disks.get`\n - `compute.instances.list`\n - `compute.instances.setLabels`\n - `compute.regions.get`\n - `compute.regionOperations.get`\n - `compute.snapshots.create`\n - `compute.snapshots.delete`\n - `compute.snapshots.get`\n - `compute.snapshots.setLabels`\n - `compute.snapshots.useReadOnly`\n - `compute.zones.list`\n - `compute.zoneOperations.get`\n - `iam.serviceAccounts.actAs`\n - `iam.serviceAccounts.get`\n - `iam.serviceAccounts.list`\n - `resourcemanager.projects.get`\n - `resourcemanager.projects.list`\n- Mount to existing Compute Engine instance\n\n - `compute.disks.create`\n - `compute.disks.delete`\n - `compute.disks.get`\n - `compute.disks.use`\n - `compute.diskTypes.get`\n - `compute.diskTypes.list`\n - `compute.images.create`\n - `compute.images.delete`\n - `compute.images.get`\n - `compute.images.useReadOnly`\n - `compute.instances.attachDisk`\n - `compute.instances.create`\n - `compute.instances.delete`\n - `compute.instances.detachDisk`\n - `compute.instances.get`\n - `compute.instances.list`\n - `compute.instances.setMetadata`\n - `compute.regions.get`\n - `compute.regions.list`\n - `compute.regionOperations.get`\n - `compute.zones.list`\n - `iam.serviceAccounts.actAs`\n - `iam.serviceAccounts.get`\n - `iam.serviceAccounts.list`\n - `resourcemanager.projects.get`\n- Mount to new Compute Engine instance and restore instance\n\n - `compute.addresses.list`\n - `compute.diskTypes.get`\n - `compute.diskTypes.list`\n - `compute.disks.create`\n - `compute.disks.createSnapshot`\n - `compute.disks.delete`\n - `compute.disks.get`\n - `compute.disks.setLabels`\n - `compute.disks.use`\n - `compute.firewalls.list`\n - `compute.globalOperations.get`\n - `compute.images.create`\n - `compute.images.delete`\n - `compute.images.get`\n - `compute.images.useReadOnly`\n - `compute.instances.attachDisk`\n - `compute.instances.create`\n - `compute.instances.delete`\n - `compute.instances.detachDisk`\n - `compute.instances.get`\n - `compute.instances.list`\n - `compute.instances.setLabels`\n - `compute.instances.setMetadata`\n - `compute.instances.setServiceAccount`\n - `compute.instances.setTags`\n - `compute.instances.start`\n - `compute.instances.stop`\n - `compute.machineTypes.get`\n - `compute.machineTypes.list`\n - `compute.networks.list`\n - `compute.nodeGroups.list`\n - `compute.nodeGroups.get`\n - `compute.nodeTemplates.get`\n - `compute.projects.get`\n - `compute.regions.get`\n - `compute.regionOperations.get`\n - `compute.snapshots.create`\n - `compute.snapshots.get`\n - `compute.snapshots.setLabels`\n - `compute.snapshots.useReadOnly`\n - `compute.subnetworks.list`\n - `compute.subnetworks.use`\n - `compute.subnetworks.useExternalIp`\n - `compute.zoneOperations.get`\n - `compute.zones.list`\n - `iam.serviceAccounts.actAs`\n - `iam.serviceAccounts.get`\n - `iam.serviceAccounts.list`\n - `resourcemanager.projects.get`\n\n| **Note:** To list the Shared VPC and related subnets in the mount as new Compute Engine instance screen, assign the `compute.subnetworks.use` permission to the service account of the shared host project.\n\nPermissions to mount Compute Engine instance with customer managed encryption keys\n----------------------------------------------------------------------------------\n\nTo mount a Compute Engine backup image as an existing or new Compute Engine\ninstance, where the source disk is using customer-managed encryption keys\n(CMEK), you need to copy the service account name of the Compute Engine\nservice agent from the target project and add it in the source project and\nassign the role `CryptoKey Encrypter/Decrypter` detailed as follows.\n| **Note:** The service account added here is created automatically when the Compute Engine API is enabled and is not the service account being used by Backup and DR to create Compute Engine instance backups.\n\nUse the following instructions to add permissions when using CMEK:\n\n1. From the **Project** drop-down, select your target project.\n2. From the left-navigation menu, go to **IAM \\& Admin** \\\u003e **IAM**\n3. Select **Include Google-provided role grants**.\n4. Find the **Compute Engine Service Agent** service account and copy the ID of the **Principal**. This is in an email address format, such as my-service-account@my-project.iam.gserviceaccount.com.\n5. Select your source project from the **Project** drop-down where the key was created.\n6. From the left-navigation menu, go to **IAM \\& Admin** \\\u003e **IAM**.\n7. Select **Grant Access**.\n8. In **Add Principals**, paste the ID of the Compute Engine service agent from the target project.\n9. In **Assign roles** , assign the `Cloud KMS CryptoKey Encrypter/Decrypter` role.\n10. Select **Save**.\n\nThe Backup and DR Compute Engine guide\n--------------------------------------\n\n- [Check for the cloud credentials](/backup-disaster-recovery/docs/configuration/create-cloud-credentials)\n- [Discover and protect Compute Engine instances](/backup-disaster-recovery/docs/configuration/discover-and-protect-ce-inst)\n- [Mount backup images of Compute Engine instances](/backup-disaster-recovery/docs/access-data/mount-snapshot-images-of-cloud-instances)\n- [Restore a Compute Engine instance](/backup-disaster-recovery/docs/restore-data/restore-instance)\n- [Import persistent disk snapshot images](/backup-disaster-recovery/docs/configuration/import-pdsnapshot-images)"]]
