How to Assign Permissions to Service Accounts Used by Veeam Backup for Google Cloud Platform

KB ID: 4062
Product: Veeam Backup for Google Cloud Platform 2.0
Published: 2020-11-26
Last Modified: 2021-09-13

Challenge

Veeam Backup for Google Cloud Platform requires a service account in each GCP project where data protection and disaster recovery tasks will be performed. The tasks include the following:

Solution

To apply the necessary permissions to a service account, you can use a script that is automatically generated while adding the project to the Veeam Backup for GCP infrastructure. Download the script and run it under an account that has permissions both to get and set project IAM policies and to create custom IAM roles (for example, it can have the iam.securityAdmin and iam.roleAdmin roles assigned). To learn what permissions and roles are required to create custom roles in IAM, see Google Cloud documentation.

NOTE: You can click Check permissions to ensure that the account now has all the permissions required to perform data protection and disaster recovery tasks for the project. Keep in mind that it may take some time for Google Cloud to apply the changes to the account, and the permission check may display the permissions as missing right after you click Check permissions. To work around the issue, try checking permissions once again in 5–10 minutes.

Alternatively, you can assign the permissions to the service account manually. The permissions are listed below.

Default Permissions

compute.disks.addResourcePolicies
compute.disks.get
compute.instances.get
compute.resourcePolicies.create
compute.resourcePolicies.get
compute.resourcePolicies.use
compute.zones.get
serviceusage.services.list

Backup Permissions

cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.keyRings.list
compute.addresses.list
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.get
compute.instances.list
compute.machineTypes.get
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.subnetworks.list
compute.zoneOperations.get
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.services.list

Snapshot Permissions

cloudkms.cryptoKeys.list
cloudkms.keyRings.list
compute.addresses.list
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.get
compute.instances.list
compute.networks.list
compute.regionOperations.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.setLabels
compute.subnetworks.list
compute.zoneOperations.get
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.projects.get
serviceusage.services.list

Repository Permissions

resourcemanager.projects.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.hmacKeys.create
storage.hmacKeys.get
storage.hmacKeys.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Restore Permissions

Note: To allow Veeam Backup for GCP to perform restore to the original location while source VM instances still exist there, you must also add the permission compute.instances.setName. The ability to rename VM instances is currently in pre-GA state. For more information, see Google Cloud documentation.

cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.keyRings.list
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.list
resourcemanager.projects.get
serviceusage.services.list

Worker Permissions

compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.machineTypes.get
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list
iam.serviceAccounts.actAs
logging.sinks.delete
logging.sinks.get
logging.sinks.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.services.list
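
Manual assignment, worked through for the Repository Permissions list as an added example (this is not the script Veeam generates): it prints the gcloud commands that create a custom role and bind it to the service account, and audits a role for missing or extra permissions. PROJECT_ID, SA_EMAIL, ROLE_ID and the role title are placeholder assumptions.

```shell
#!/bin/sh
# Added example. PROJECT_ID, SA_EMAIL and ROLE_ID are placeholder assumptions.
PROJECT_ID="${PROJECT_ID:-my-project}"
SA_EMAIL="${SA_EMAIL:-veeam-backup@${PROJECT_ID}.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-veeamRepository}"

# "Repository Permissions" exactly as listed in this article.
required_permissions() {
  cat <<'EOF'
resourcemanager.projects.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.hmacKeys.create
storage.hmacKeys.get
storage.hmacKeys.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
EOF
}

# Print (not run) the gcloud commands that create the role and bind it.
plan_commands() {
  perms=$(required_permissions | paste -sd, -)
  echo "gcloud iam roles create $ROLE_ID --project=$PROJECT_ID --title='Veeam Repository' --permissions=$perms"
  echo "gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$SA_EMAIL --role=projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Audit granted permissions (one per line on stdin) against the list.
# Live input: gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
#               --format=json | jq -r '.includedPermissions[]'
audit_role() {
  granted=$(sort -u)
  required=$(required_permissions)
  drift=$(
    for p in $required; do
      printf '%s\n' "$granted" | grep -qxF -- "$p" || echo "MISSING $p"
    done
    for p in $granted; do
      printf '%s\n' "$required" | grep -qxF -- "$p" || echo "EXTRA $p"
    done
  )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

plan_commands
```

A MISSING line means the corresponding operation will fail its permission check; an EXTRA line means the role grants more than this list calls for.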