
How to Assign Permissions to Service Accounts Used by Veeam Backup for Google Cloud Platform

Challenge

Veeam Backup for GCP requires a service account in each GCP project where data protection and disaster recovery tasks will be performed. The tasks include the following:

Solution

To apply the necessary permissions to a service account, you can use a script that is automatically generated while adding the project to the Veeam Backup for GCP infrastructure. Download the script and run it under an account that has permissions both to get and set project IAM policies and to create custom IAM roles (for example, it can have the iam.securityAdmin and iam.roleAdmin roles assigned). To learn what permissions and roles are required to create custom roles in IAM, see Google Cloud documentation.

Alternatively, you can assign the permissions to the service account manually. The permissions are listed below.

NOTE: You can click Check permissions to ensure that the account now has all the permissions required to perform data protection and disaster recovery tasks for the project. Keep in mind that it may take some time for Google Cloud to apply the changes to the account, and the permission check may display the permissions as missing right after you click Check permissions. To work around the issue, try checking permissions once again in 5–10 minutes.

 

Default Permissions

  • compute.disks.addResourcePolicies
  • compute.disks.get
  • compute.instances.get
  • compute.resourcePolicies.create
  • compute.resourcePolicies.get
  • compute.resourcePolicies.use
  • compute.zones.get

 

Backup Permissions

  • compute.addresses.list
  • compute.regions.list
  • compute.disks.list
  • compute.disks.createSnapshot
  • compute.disks.get
  • compute.instances.get
  • compute.instances.list
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.snapshots.getIamPolicy
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.subnetworks.list
  • compute.routes.list
  • compute.machineTypes.get
  • compute.zones.list
  • compute.globalOperations.list
  • compute.globalOperations.get
  • compute.zoneOperations.get
  • compute.regionOperations.get
  • compute.projects.get
  • compute.regions.get
  • compute.networks.list
  • compute.firewalls.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.sinks.update
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsub.topics.update
  • cloudkms.keyRings.list
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.cryptoKeys.getIamPolicy

 

Snapshot Permissions

  • compute.addresses.list
  • compute.firewalls.list
  • compute.regions.list
  • compute.disks.list
  • compute.disks.createSnapshot
  • compute.disks.get
  • compute.instances.get
  • compute.instances.list
  • compute.networks.list
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.subnetworks.list
  • compute.routes.list
  • compute.zones.list
  • compute.globalOperations.list
  • compute.globalOperations.get
  • compute.zoneOperations.get
  • compute.regionOperations.get
  • resourcemanager.projects.get
  • compute.snapshots.setLabels
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.sinks.update
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsub.topics.update
  • cloudkms.keyRings.list
  • cloudkms.cryptoKeys.list

 

Repository Permissions

  • storage.buckets.list
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list
  • storage.objects.get
  • storage.hmacKeys.create
  • storage.hmacKeys.list
  • storage.hmacKeys.get
  • resourcemanager.projects.get
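
One way to assign the Repository permissions above manually and then confirm the custom role holds exactly that set. This is an added example, not the script Veeam generates; the role ID, project ID, service account e-mail and the role.yaml file name are placeholders you supply, and the gcloud CLI is assumed to be installed and authenticated.

```shell
#!/usr/bin/env bash
# Added example (not Veeam's generated script). Function names and the
# role.yaml file name are hypothetical.

# Repository permissions exactly as listed in this article.
REPO_PERMS="storage.buckets.list
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.get
storage.hmacKeys.create
storage.hmacKeys.list
storage.hmacKeys.get
resourcemanager.projects.get"

# Print a role definition in the YAML layout read by
# `gcloud iam roles create --file`. $1 = role title.
render_role_yaml() {
  printf 'title: "%s"\n' "$1"
  printf 'description: "Veeam Backup for GCP repository permissions"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  printf '%s\n' "$REPO_PERMS" | sed 's/^/- /'
}

# Compare granted permissions ($1, one per line) with REPO_PERMS.
# Prints "MISSING <perm>" / "EXTRA <perm>"; no output means an exact match.
diff_perms() {
  want=$(printf '%s\n' "$REPO_PERMS" | sort -u)
  have=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  printf '%s\n' "$want" | grep -Fxv -e "$have" | sed 's/^/MISSING /'
  printf '%s\n' "$have" | grep -Fxv -e "$want" | sed -n 's/^./EXTRA &/p'
}

# Create the role, bind it to the service account, read the role back and
# diff it. Usage: apply_and_verify PROJECT_ID ROLE_ID SA_EMAIL
apply_and_verify() {
  render_role_yaml "Veeam repository" > role.yaml
  gcloud iam roles create "$2" --project="$1" --file=role.yaml
  gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$3" --role="projects/$1/roles/$2"
  # value() joins list items with ';', so split them back into lines.
  granted=$(gcloud iam roles describe "$2" --project="$1" \
    --format='value(includedPermissions)' | tr ';' '\n')
  diff_perms "$granted"
}
```

An EXTRA line means the role grants more than the article lists for this task, which is worth reviewing before the service account key is handed to the backup appliance.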

 

Restore Permissions

  • compute.addresses.list
  • compute.disks.create
  • compute.disks.get
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.delete
  • compute.disks.useReadOnly
  • compute.firewalls.list
  • compute.globalOperations.list
  • compute.globalOperations.get
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.setDeletionProtection
  • compute.machineTypes.list
  • compute.networks.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regions.get
  • compute.regions.list
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.get
  • compute.zones.list
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.disks.list
  • compute.instances.list
  • compute.routes.list
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.cryptoKeys.getIamPolicy

 

Note: To allow Veeam Backup for GCP to perform restore to the original location while source VM instances still exist there, you must also add the permission compute.instances.setName. The ability to rename VM instances is currently in pre-GA state. For more information, see Google Cloud documentation.

Worker Permissions

  • compute.regions.list
  • compute.disks.list
  • compute.instances.get
  • compute.instances.list
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.zones.get
  • compute.zones.list
  • compute.globalOperations.get
  • compute.zoneOperations.get
  • compute.regionOperations.get
  • resourcemanager.projects.get
  • compute.projects.get
  • compute.firewalls.list
  • compute.snapshots.getIamPolicy
  • compute.networks.list
  • compute.subnetworks.list
  • resourcemanager.projects.getIamPolicy
  • iam.serviceAccounts.actAs
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.setLabels
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.instances.setLabels
  • compute.instances.setTags
  • compute.routes.list
  • compute.regions.get
  • compute.snapshots.create
  • compute.snapshots.setLabels
  • compute.snapshots.setIamPolicy
  • compute.snapshots.delete
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.list
  • pubsub.subscriptions.get
  • logging.sinks.get
  • logging.sinks.delete
  • logging.sinks.list
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.list
  • pubsub.topics.get
  • pubsub.topics.publish
  • compute.machineTypes.get
  • compute.subnetworks.get
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.disks.use

More information

KB ID: 4062
Product: Veeam Backup for Google Cloud Platform 1.0
Published: 2020-11-26
Last Modified: 2021-02-03