IAM roles and permissions to back up, mount, and restore Compute Engine instances

This page lists the IAM roles and permissions required to back up, mount, and restore a Compute Engine instance.

IAM roles and permissions

To back up, mount, and restore an instance, assign the Backup and DR Compute Engine Operator role to the service account of the backup/recovery appliance, or create a custom role and assign it all the permissions listed on this page.

The following lists, grouped by operation, the Compute Engine IAM permissions required to back up, mount, and restore Compute Engine instances.

  • Backup Compute Engine instance

    • compute.disks.createSnapshot
    • compute.disks.get
    • compute.instances.list
    • compute.instances.setLabels
    • compute.regions.get
    • compute.regionOperations.get
    • compute.snapshots.create
    • compute.snapshots.delete
    • compute.snapshots.get
    • compute.snapshots.setLabels
    • compute.snapshots.useReadOnly
    • compute.zones.list
    • compute.zoneOperations.get
    • iam.serviceAccounts.actAs
    • iam.serviceAccounts.get
    • iam.serviceAccounts.list
    • resourcemanager.projects.get
    • resourcemanager.projects.list
  • Mount to existing Compute Engine instance

    • compute.disks.create
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.use
    • compute.diskTypes.get
    • compute.diskTypes.list
    • compute.images.create
    • compute.images.delete
    • compute.images.get
    • compute.images.useReadOnly
    • compute.instances.attachDisk
    • compute.instances.create
    • compute.instances.delete
    • compute.instances.detachDisk
    • compute.instances.get
    • compute.instances.list
    • compute.instances.setMetadata
    • compute.regions.get
    • compute.regions.list
    • compute.regionOperations.get
    • compute.zones.list
    • iam.serviceAccounts.actAs
    • iam.serviceAccounts.get
    • iam.serviceAccounts.list
    • resourcemanager.projects.get
  • Mount to new Compute Engine instance and restore instance

    • compute.addresses.list
    • compute.diskTypes.get
    • compute.diskTypes.list
    • compute.disks.create
    • compute.disks.createSnapshot
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.setLabels
    • compute.disks.use
    • compute.firewalls.list
    • compute.globalOperations.get
    • compute.images.create
    • compute.images.delete
    • compute.images.get
    • compute.images.useReadOnly
    • compute.instances.attachDisk
    • compute.instances.create
    • compute.instances.delete
    • compute.instances.detachDisk
    • compute.instances.get
    • compute.instances.list
    • compute.instances.setLabels
    • compute.instances.setMetadata
    • compute.instances.setServiceAccount
    • compute.instances.setTags
    • compute.instances.start
    • compute.instances.stop
    • compute.machineTypes.get
    • compute.machineTypes.list
    • compute.networks.list
    • compute.nodeGroups.list
    • compute.nodeGroups.get
    • compute.nodeTemplates.get
    • compute.projects.get
    • compute.regions.get
    • compute.regionOperations.get
    • compute.snapshots.create
    • compute.snapshots.get
    • compute.snapshots.setLabels
    • compute.snapshots.useReadOnly
    • compute.subnetworks.list
    • compute.subnetworks.use
    • compute.subnetworks.useExternalIp
    • compute.zoneOperations.get
    • compute.zones.list
    • iam.serviceAccounts.actAs
    • iam.serviceAccounts.get
    • iam.serviceAccounts.list
    • resourcemanager.projects.get
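
Building the custom role mentioned above by hand from three overlapping lists is error-prone, and the more common failure is a role that is missing one permission for one operation. The following POSIX shell script is an added example, not part of the Google Cloud page: it carries the three permission lists as data, emits a deduplicated role definition in the YAML format accepted by `gcloud iam roles create --file`, and reports which required permissions a given grant lacks. Only the permission names come from the page; the function names, the role title and the `yaml`/`check` subcommands are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud page. Permission names are copied
# from the page; function names, role title and subcommands are this script's own.

# Permissions required to back up an instance.
BACKUP_PERMS='compute.disks.createSnapshot compute.disks.get compute.instances.list
compute.instances.setLabels compute.regions.get compute.regionOperations.get
compute.snapshots.create compute.snapshots.delete compute.snapshots.get
compute.snapshots.setLabels compute.snapshots.useReadOnly compute.zones.list
compute.zoneOperations.get iam.serviceAccounts.actAs iam.serviceAccounts.get
iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list'

# Permissions required to mount to an existing instance.
MOUNT_EXISTING_PERMS='compute.disks.create compute.disks.delete compute.disks.get compute.disks.use
compute.diskTypes.get compute.diskTypes.list compute.images.create compute.images.delete
compute.images.get compute.images.useReadOnly compute.instances.attachDisk
compute.instances.create compute.instances.delete compute.instances.detachDisk
compute.instances.get compute.instances.list compute.instances.setMetadata
compute.regions.get compute.regions.list compute.regionOperations.get compute.zones.list
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list
resourcemanager.projects.get'

# Permissions required to mount to a new instance or to restore an instance.
MOUNT_NEW_RESTORE_PERMS='compute.addresses.list compute.diskTypes.get compute.diskTypes.list
compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get
compute.disks.setLabels compute.disks.use compute.firewalls.list compute.globalOperations.get
compute.images.create compute.images.delete compute.images.get compute.images.useReadOnly
compute.instances.attachDisk compute.instances.create compute.instances.delete
compute.instances.detachDisk compute.instances.get compute.instances.list
compute.instances.setLabels compute.instances.setMetadata compute.instances.setServiceAccount
compute.instances.setTags compute.instances.start compute.instances.stop
compute.machineTypes.get compute.machineTypes.list compute.networks.list
compute.nodeGroups.list compute.nodeGroups.get compute.nodeTemplates.get compute.projects.get
compute.regions.get compute.regionOperations.get compute.snapshots.create compute.snapshots.get
compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.list
compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.list
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get'

# Print one permission per line, sorted and deduplicated, for the operation:
#   backup | mount-existing | mount-new-or-restore | all (union of the three)
required_permissions() {
    case "$1" in
        backup)               perms=$BACKUP_PERMS ;;
        mount-existing)       perms=$MOUNT_EXISTING_PERMS ;;
        mount-new-or-restore) perms=$MOUNT_NEW_RESTORE_PERMS ;;
        all) perms="$BACKUP_PERMS $MOUNT_EXISTING_PERMS $MOUNT_NEW_RESTORE_PERMS" ;;
        *) echo "unknown operation: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$perms" | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Custom-role definition for:
#   gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml
custom_role_yaml() {
    printf 'title: Backup and DR Compute Engine operator (custom)\n'
    printf 'description: Back up, mount and restore Compute Engine instances\n'
    printf 'stage: GA\n'
    printf 'includedPermissions:\n'
    required_permissions all | sed 's/^/- /'
}

# Print the permissions required for operation $1 that are absent from file $2
# (one granted permission per line). Empty output means nothing is missing.
missing_permissions() {
    req=$(mktemp) || return 1
    required_permissions "$1" > "$req"
    sort -u "$2" | comm -23 "$req" -
    rm -f "$req"
}

case "${1:-}" in
    yaml)  custom_role_yaml ;;
    check) missing_permissions "$2" "$3" ;;
    *)     echo "usage: $0 yaml | check OPERATION GRANTED_FILE" >&2 ;;
esac
```

Run `sh backupdr_role.sh yaml > role.yaml` to produce the role file, and `sh backupdr_role.sh check mount-new-or-restore granted.txt` to diff a list of permissions actually held (for example the `includedPermissions` of an existing role, one per line) against what the page requires for that operation. Keeping the lists per operation, rather than only the union, lets you scope a role to an appliance that is only ever used for backups.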

Permissions to mount Compute Engine instance with customer-managed encryption keys

To mount a Compute Engine backup image as an existing or new Compute Engine instance when the source disk uses customer-managed encryption keys (CMEK), copy the service account name of the Compute Engine service agent from the target project, add it as a principal in the source project (the project where the key was created), and assign it the Cloud KMS CryptoKey Encrypter/Decrypter role, as detailed below.

Use the instructions below to add permissions when using CMEK:

  1. From the Project drop-down, select your target project.
  2. From the left-navigation menu, go to IAM & Admin > IAM.
  3. Select Include Google-provided role grants.
  4. Find the Compute Engine Service Agent service account and copy the ID of the Principal. This is in an email address format, such as service-1234@compute-system.iam.gserviceaccount.com.
  5. Select your source project from the Project drop-down where the key was created.
  6. From the left-navigation menu, go to IAM & Admin > IAM.
  7. Select Grant Access.
  8. In Add Principals, paste the ID of the Compute Engine service agent from the target project.
  9. In Assign roles, assign the Cloud KMS CryptoKey Encrypter/Decrypter role.
  10. Select Save.
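
The same grant can be scripted, which is easier to review and repeat than the console steps. The following POSIX shell script is an added example, not part of the Google Cloud page: it derives the target project's Compute Engine service agent from the project number, binds the Cloud KMS CryptoKey Encrypter/Decrypter role in the source project, and verifies the binding afterwards. The `service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com` naming pattern and the role ID `roles/cloudkms.cryptoKeyEncrypterDecrypter` are standard; the function names and the `SOURCE_PROJECT`/`TARGET_PROJECT` arguments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud page: gcloud equivalent of the
# console steps above. Usage: sh grant_cmek.sh SOURCE_PROJECT_ID TARGET_PROJECT_ID
# SOURCE_PROJECT owns the CMEK key; TARGET_PROJECT is where the image is
# mounted or restored. Function names are this script's own.
set -e

# The Compute Engine service agent is named after the project NUMBER, not the
# project ID, e.g. service-1234@compute-system.iam.gserviceaccount.com
compute_service_agent() {
    printf 'service-%s@compute-system.iam.gserviceaccount.com\n' "$1"
}

# Steps 1-4: look up the target project's number and build the principal ID
# in the form IAM expects ("serviceAccount:" prefix).
target_agent_principal() {
    number=$(gcloud projects describe "$1" --format='value(projectNumber)')
    printf 'serviceAccount:%s\n' "$(compute_service_agent "$number")"
}

# Steps 5-10: grant the principal the role in the source project. This is the
# project-level grant the console steps perform.
grant_cmek_access() {
    source_project=$1
    principal=$(target_agent_principal "$2")
    gcloud projects add-iam-policy-binding "$source_project" \
        --member="$principal" \
        --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
}

# Post-check: succeed only if the principal appears among the members that
# hold the role in the source project's IAM policy.
check_cmek_access() {
    source_project=$1
    principal=$2
    gcloud projects get-iam-policy "$source_project" \
        --flatten="bindings[].members" \
        --filter="bindings.role=roles/cloudkms.cryptoKeyEncrypterDecrypter" \
        --format="value(bindings.members)" | grep -Fxq "$principal"
}

if [ "$#" -eq 2 ]; then
    grant_cmek_access "$1" "$2"
    if check_cmek_access "$1" "$(target_agent_principal "$2")"; then
        echo "binding present in $1"
    else
        echo "binding not found in $1" >&2
        exit 1
    fi
fi
```

The page's procedure grants the role at project level, which covers every key in the source project. If the backup only needs one key, the narrower equivalent is `gcloud kms keys add-iam-policy-binding KEY --keyring=KEYRING --location=LOCATION --member=... --role=roles/cloudkms.cryptoKeyEncrypterDecrypter`, which limits the service agent to that key; the post-check then becomes `gcloud kms keys get-iam-policy` on the same key.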
