How to Assign Permissions to Service Accounts Used by Veeam Backup for Google Cloud Platform

KB ID: 4062
Product: Veeam Backup for Google Cloud | 2.0
Published: 2020-11-26
Last Modified: 2021-09-13
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

Veeam Backup for Google Cloud Platform requires a service account in each GCP project where data protection and disaster recovery tasks will be performed. The tasks include the following:

Solution

To apply the necessary permissions to a service account, you can use a script that is automatically generated while adding the project to the Veeam Backup for GCP infrastructure. Download the script and run it under an account that has permissions both to get and set project IAM policies and to create custom IAM roles (for example, it can have the iam.securityAdmin and iam.roleAdmin roles assigned). To learn what permissions and roles are required to create custom roles in IAM, see Google Cloud documentation.

NOTE: You can click Check permissions to ensure that the account now has all the permissions required to perform data protection and disaster recovery tasks for the project. Keep in mind that it may take some time for Google Cloud to apply the changes to the account, and the permission check may display the permissions as missing right after you click Check permissions. To work around the issue, try checking permissions once again in 5–10 minutes.

Alternatively, you can assign the permissions to the service account manually. The permissions are listed below.

Expand each heading below to see specific permissions.

Default Permissions
compute.disks.addResourcePolicies
compute.disks.get
compute.instances.get
compute.resourcePolicies.create
compute.resourcePolicies.get
compute.resourcePolicies.use
compute.zones.get
serviceusage.services.list
Backup Permissions
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.keyRings.list
compute.addresses.list
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.get
compute.instances.list
compute.machineTypes.get
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.subnetworks.list
compute.zoneOperations.get
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.services.list
Snapshot Permissions
cloudkms.cryptoKeys.list
cloudkms.keyRings.list
compute.addresses.list
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.get
compute.instances.list
compute.networks.list
compute.regionOperations.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.setLabels
compute.subnetworks.list
compute.zoneOperations.get
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.projects.get
serviceusage.services.list
Repository Permissions
resourcemanager.projects.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.hmacKeys.create
storage.hmacKeys.get
storage.hmacKeys.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Restore Permissions
Note: To allow Veeam Backup for GCP to perform restore to the original location while source VM instances still exist there, you must also add the permission compute.instances.setName. The ability to rename VM instances is currently in pre-GA state. For more information, see Google Cloud documentation.
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.keyRings.list
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.list
compute.globalOperations.get
compute.globalOperations.list
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.list
resourcemanager.projects.get
serviceusage.services.list
Worker Permissions
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.machineTypes.get
compute.networks.list
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.routes.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list
iam.serviceAccounts.actAs
logging.sinks.delete
logging.sinks.get
logging.sinks.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.services.list
Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.