Creating a Google Cloud Platform Service Account

To back up and restore Google Cloud Platform (GCP) instances, you must create a GCP service account, and download the JSON file for service account authentication.

Before You Begin

  • To back up and restore Google Cloud Platform (GCP) instances, your GCP service account must have one of the following roles assigned:

    • Owner

    • Compute Instance Admin (v1) and Service Account User.

  • To back up instances from multiple projects, your GCP service account must have access rights to all of the projects (including the projects where access nodes exist).

  • Verify that your GCP service account has the required permissions. Refer to the following table.

| Operation | Permission Required | Notes |
| --- | --- | --- |
| To back up and restore encrypted instance disks (this includes creating the encryption keys) | cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.keyRings.get, cloudkms.keyRings.create, cloudkms.cryptoKeys.get, cloudkms.cryptoKeys.create, cloudkms.cryptoKeys.update | For IntelliSnap backup operations only, assign the permission to your GCP service account on the source and destination projects (both must have the same permissions). |
| For IntelliSnap only, to restore encrypted instances from one project to another project | cloudkms.cryptoKeyEncrypterDecrypter | Assign the permission to your GCP service account on the source and destination projects. |

Note: When you replicate instances to a GCP destination using the "Deploy virtual machine only during failover" option, the software uses a JSON config file to create the instance. The software saves the JSON config file in a storage bucket during the replication operation, and deletes the file after the instance is created. For the software to create the storage bucket, configure the following permissions for the GCP service account in the destination project; otherwise, replication will fail:

  • storage.buckets.create

  • storage.buckets.delete

  • storage.buckets.get

  • storage.buckets.update

  • storage.objects.create

  • storage.objects.delete

  • storage.objects.get

  • storage.objects.list

  • storage.objects.update

Important: You must enable the Cloud Resource Manager API. If you do not enable the API, all backup jobs will fail (including backup jobs for clients that were created in a previous release).

Procedure

  1. Create a GCP service account through the GCP Console. Refer to Creating and managing service accounts.

  2. Assign the required roles to the service account through the GCP Console.

  3. Make a note of the service account ID, project ID, and name of the JSON file for service account authentication.

    Note: If, after you create the GCP hypervisor, you plan to edit the configuration to use a P12 private key file for service account authentication, you must also take note of the P12 private key file name and the P12 key password.

  4. Download the JSON file for service account authentication. You will need this file when you add a GCP hypervisor to your environment.

    Note: If, after you create the GCP hypervisor, you plan to edit the configuration to use a P12 private key file for service account authentication, you must also copy the P12 private key file to the <Commvault base folder>/certificates/external directory on each access node. If the <Commvault base folder>/certificates/external directory does not already exist, create the directory.
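The downloaded JSON file from steps 3 and 4 contains the service account's private key, so it is worth checking the file before handing it to the hypervisor configuration. The following is an added example, not Commvault code: inspect_key_file and demo are hypothetical names, the sample key is constructed with placeholder values, and it assumes the service account ID the procedure asks for is the client_email value in the file.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")


def inspect_key_file(path):
    """Return (details, problems) for a downloaded service account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds a private key: group/other access exposes the credential.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:04o} allows group/other access; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
        if not isinstance(key, dict):
            raise ValueError("top-level value is not an object")
    except ValueError as exc:
        return {}, problems + [f"not a JSON key file: {exc}"]
    problems += [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    email, project = str(key.get("client_email", "")), str(key.get("project_id", ""))
    # User-created accounts are named NAME@PROJECT_ID.iam.gserviceaccount.com.
    if email and project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    details = {"client_email": email, "project_id": project, "json_file": os.path.basename(path)}
    return details, problems


def demo():
    """Check a constructed key (placeholder values, not a real credential) at two file modes."""
    sample = {"type": "service_account", "project_id": "example-proj", "private_key": "PLACEHOLDER",
              "client_email": "backup-sa@example-proj.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup-sa.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # typical mode after a browser download
        loose = inspect_key_file(path)
        os.chmod(path, 0o600)  # owner-only
        tight = inspect_key_file(path)
    return loose, tight


if __name__ == "__main__":
    print(demo())
```

The returned details give the values step 3 asks you to record; an empty problems list means the file parsed as a service account key and is readable only by its owner.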