To access data captured in an instant snapshot, you must restore it, that is, create a new disk from the instant snapshot.
This page explains how to create a disk from an instant snapshot. After you create the disk, you can use it by attaching it to a virtual machine (VM).
Before you begin
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Required roles and permissions
To get the permissions that you need to create a disk from an instant snapshot, ask your administrator to grant you the following IAM roles on the project:
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
- To connect to a VM that can run as a service account: Service Account User (v1) (roles/iam.serviceAccountUser)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to create a disk from an instant snapshot. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create a disk from an instant snapshot:
- To create a disk:
  - compute.disks.create on the destination project for the new disk
  - compute.instantSnapshots.useReadOnly on the source instant snapshot
You might also be able to get these permissions with custom roles or other predefined roles.
Restrictions
The following restrictions apply:
- When you create a disk from an instant snapshot, the new disk always has the same type, storage location, and encryption as the source disk of the snapshot.
- You can't create a VM directly from an instant snapshot. You must create a disk from the instant snapshot and then use the new disk to create a VM.
- If the source disk of the instant snapshot uses customer-managed or customer-supplied encryption keys, you must provide the same encryption key when you create a new disk from the instant snapshot.
  Consider this example. Imagine you have a disk, DISK-1, encrypted with a customer-supplied encryption key (CSEK), KEY-1. You also have an instant snapshot, IS-1, created from DISK-1. To create a new disk from IS-1, you must provide the same key, KEY-1, when you create the new disk.
  If the disk is encrypted with customer-managed encryption keys (CMEK), you only have to provide the key if you use REST or the gcloud CLI to create the disk. If you use the Google Cloud console, you don't need to specify the encryption key.
Create a disk from an instant snapshot
An instant snapshot is encrypted with the same encryption as its source disk. The steps to create a disk from an instant snapshot depend on how the instant snapshot's source disk is encrypted.
Each source disk is encrypted with one of the following methods:
- Google-owned and Google-managed encryption keys. This is the default.
- Customer-managed encryption keys (CMEK)
- Customer-supplied encryption keys (CSEK).
To find out how a particular disk is encrypted, see View information about a disk's encryption.
Create a disk from an instant snapshot encrypted with default encryption
You can create a disk from an instant snapshot with the gcloud CLI, the Google Cloud console, or REST.
Console
1. Find the instant snapshot that you want to restore:
   a. In the Google Cloud console, go to the Snapshots page.
   b. Click the Instant snapshots tab.
   c. In the Name column, click the name of the instant snapshot you want to restore.
2. Click Create disk.
3. In the Name field, enter a new name for the disk.
4. Optional: In the Description field, enter additional details.
5. Verify that the Disk source type is Instant snapshot.
6. In the Source instant snapshot list, choose the instant snapshot.
7. Optional: Configure additional customizations for the disk.
   - Enter a size: In the Size field, specify a size for the disk in GB. The size must be equal to or larger than the size of the source disk for the snapshot.
   - Schedule backups: If you want Compute Engine to create standard snapshots of this new disk on a schedule, select the Enable snapshot schedule checkbox and choose a snapshot schedule. Otherwise, clear the checkbox.
8. Optional: To organize your project, add one or more labels.
9. To create the disk, click Create.
gcloud
Use the gcloud compute disks create command.
The arguments you specify depend on whether you're creating a zonal or regional disk.
Create a zonal disk
Specify the zone with the --zone flag:
gcloud compute disks create DISK_NAME --zone=ZONE \
    --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME
Replace the following:
- DISK_NAME: the name of the new disk.
- ZONE: the zone for the new disk, for example, europe-west1-a.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
Create a regional disk
Specify the region with --region and the new disk's target replication zones with --replica-zones.
gcloud compute disks create DISK_NAME \
    --region=REGION \
    --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
    --replica-zones=ZONE1,ZONE2
Replace the following:
- DISK_NAME: the name of the new disk.
- REGION: the region for the regional disk to reside in, for example, europe-west1.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- ZONE1,ZONE2: the zones within the region where the two disk replicas are located, for example, europe-west1-b,europe-west1-c.
REST
To create a zonal or regional disk from an instant snapshot, use the disks.insert method. The new disk must be the same type as that of the source disk of the instant snapshot. For example, you can't create a regional disk from a snapshot of a zonal disk.
Create a zonal disk
Make a POST request, specifying the source instant snapshot.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks
{
  "name": "NEW_DISK_NAME",
  "sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME"
}
Replace the following:
- PROJECT: the project in which to create the new disk.
- SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
- NEW_DISK_NAME: a unique name for the new disk.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
Create a regional disk
Make a POST request, specifying the source instant snapshot and the zones where the disk should be replicated to.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT/regions/SOURCE_REGION/disks
{
  "name": "NEW_DISK_NAME",
  "sourceInstantSnapshot": "projects/PROJECT/regions/SOURCE_REGION/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME",
  "replicaZones": [
    "projects/PROJECT/zones/ZONE1",
    "projects/PROJECT/zones/ZONE2"
  ]
}
Replace the following:
- PROJECT: the project in which to create the new disk.
- SOURCE_REGION: the region where the instant snapshot is located. The disk is created in this region.
- NEW_DISK_NAME: a unique name for the new disk.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- ZONE1, ZONE2: the zones within the region for the two disk replicas, for example, europe-west1-b, europe-west1-c.
API request response
If the POST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. See Handling API responses for more information.
Create a disk from a CMEK- or CSEK-encrypted instant snapshot
Console
If the instant snapshot uses Google default or CMEK encryption, Google Cloud console automatically provides the encryption key when you create a disk from the instant snapshot. Otherwise, if the instant snapshot is CSEK-encrypted, you must provide the encryption key to create a disk.
Follow the steps in the Google-managed encryption section, specifying the encryption key using these instructions:
- In the Decryption section, enter the encryption key in the Encryption key field.
- If the key is wrapped with the public RSA key, select Wrapped key.
gcloud
Use the gcloud compute disks create command.
If the source disk is CMEK-encrypted, use the --kms-key parameter to provide the name of the key.
If the source disk is CSEK-encrypted, use the --csek-key-file parameter to specify the source disk's encryption key.
CMEK
To create a zonal disk from a CMEK-encrypted instant snapshot, use the following command:
gcloud compute disks create NEW_DISK_NAME \
    --zone=SOURCE_ZONE \
    --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
    --kms-key=projects/KMS_PROJECT_NAME/locations/KEYRING_LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
Replace the following:
- NEW_DISK_NAME: the name of the new disk.
- SOURCE_ZONE: the zone where the instant snapshot is stored, for example, europe-west1-a.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- KMS_PROJECT_NAME: the project containing the key.
- KEYRING_LOCATION: the location of the key ring that the key belongs to. If the key ring is global, specify global. Otherwise, specify the name of the region where the key ring is located, for example, us-west1.
- KEY_RING_NAME: the name of the key ring that includes the key, for example, key-ring-1.
- KEY_NAME: the name of the key used to encrypt the disk.
CSEK
To create a zonal disk from a CSEK-encrypted instant snapshot, use the following command:
gcloud compute disks create NEW_DISK_NAME \
    --zone=SOURCE_ZONE \
    --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
    --csek-key-file=PATH_TO_CSEK_JSON_FILE
Replace the following:
- NEW_DISK_NAME: the name of the new disk.
- SOURCE_ZONE: the zone where the instant snapshot is stored, for example, europe-west1-a.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- PATH_TO_CSEK_JSON_FILE: the path to a JSON file containing the key. See an example of the CSEK file format.
To create a regional disk, replace the --zone flag in the preceding example with the following flags:
- --region: the region for the new disk.
- --replica-zones: the zones within the region for the two disk replicas.
REST
To create a zonal or regional disk from a CMEK- or CSEK-encrypted instant snapshot, make a POST request to the disks.insert method using the properties listed in the Google-managed encryption section.
Additionally, provide the source disk's encryption key with the diskEncryptionKey field. The properties of the diskEncryptionKey field depend on whether the disk is CMEK- or CSEK-encrypted.
The following examples show how to create a new zonal disk for each encryption type.
CMEK
In the request body, specify the name of the key with the diskEncryptionKey.kmsKeyName property:
{
  "name": "NEW_DISK_NAME",
  "sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME",
  "diskEncryptionKey": {
    "kmsKeyName": "projects/KMS_PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY"
  }
}
Replace the following:
- NEW_DISK_NAME: a unique name for the new disk.
- PROJECT: the project in which to create the new disk.
- SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- KMS_PROJECT: the project containing the key.
- LOCATION: the location of the key ring that the key belongs to. If the key ring is global, specify global. Otherwise, specify the name of the region where the key ring is located, for example, us-west1.
- KEY_RING: the name of the key ring that includes the key, for example, key-ring-1.
- KEY: the name of the key used to encrypt the disk.
CSEK
The request body depends on whether the CSEK used to encrypt the instant snapshot is RSA-encrypted or not.
To use a raw (non-RSA-encrypted) key, specify the key in the diskEncryptionKey.rawKey property of the request body:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks
{
  "name": "NEW_DISK_NAME",
  "sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME",
  "diskEncryptionKey": {
    "rawKey": "RAW_ENCRYPTION_KEY"
  }
}
Replace the following with the corresponding values:
- PROJECT: the project in which to create the new disk.
- SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
- NEW_DISK_NAME: a unique name for the new disk.
- SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
- RAW_ENCRYPTION_KEY: the key used to encrypt the instant snapshot and its source disk, for example, SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=.
To use an RSA-encrypted key, modify the preceding example as follows:
1. Make a POST request to the disks.insert method:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks
2. Specify the key in the diskEncryptionKey.rsaEncryptedKey property of the request body:
   "diskEncryptionKey": {
     "rsaEncryptedKey": "RSA_ENCRYPTED_KEY"
   }
Replace RSA_ENCRYPTED_KEY with your encrypted key.
API request response
If the POST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. See Handling API responses for more information.
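The REST request shapes described in the two REST sections above (zonal or regional; default, CMEK, raw CSEK, or RSA-wrapped CSEK) can be assembled and checked before anything is sent. The following Python is an added example, not Google's code: the function names are hypothetical, the URL is the disks collection that disks.insert posts to, the 32-byte check assumes a raw CSEK is a base64-encoded 256-bit key, and `redacted` keeps key material out of logs.

```python
# Added example; function names are hypothetical, not part of any Google library.
import base64
import binascii

API = "https://compute.googleapis.com/compute/v1"

def _check_raw_csek(key_b64):
    """Assumption: a raw CSEK is a base64-encoded 256-bit (32-byte) key."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("rawKey is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"rawKey must decode to 32 bytes, got {len(raw)}")

def build_insert_request(project, location, snapshot, disk_name, *,
                         replica_zones=None, kms_key_name=None,
                         raw_key=None, rsa_encrypted_key=None):
    """Return (url, body). location is a zone, or a region if replica_zones is set."""
    scope = "regions" if replica_zones else "zones"
    parent = f"projects/{project}/{scope}/{location}"
    body = {"name": disk_name,
            "sourceInstantSnapshot": f"{parent}/instantSnapshots/{snapshot}"}
    if replica_zones:
        if len(replica_zones) != 2:
            raise ValueError("a regional disk needs exactly two replica zones")
        body["replicaZones"] = [f"projects/{project}/zones/{z}" for z in replica_zones]
    keys = {"kmsKeyName": kms_key_name, "rawKey": raw_key,
            "rsaEncryptedKey": rsa_encrypted_key}
    given = {k: v for k, v in keys.items() if v}
    if len(given) > 1:
        raise ValueError("give only one of: " + ", ".join(given))
    if raw_key:
        _check_raw_csek(raw_key)
    if given:  # default encryption sends no diskEncryptionKey at all
        body["diskEncryptionKey"] = given
    return f"{API}/{parent}/disks", body

def redacted(body):
    """Copy of body for logging: CSEK material masked, kmsKeyName left readable."""
    out = dict(body)
    key = dict(out.get("diskEncryptionKey", {}))
    for field in ("rawKey", "rsaEncryptedKey"):
        if field in key:
            key[field] = "[REDACTED]"
    if key:
        out["diskEncryptionKey"] = key
    return out
```

Log `redacted(body)` rather than `body` when recording the request, so a CSEK never lands in shell history, CI output, or audit trails.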