To protect Google Cloud Platform instances, you must assign certain permissions to your GCP service accounts.
If you plan to use encryption, shared virtual private cloud (VPC) networks, or node affinity groups, then assign the permissions described in the relevant section in addition to the permissions in the General section.
General
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
compute.addresses.get | -- | Yes | Yes | Yes
compute.addresses.list | -- | Yes | Yes | --
compute.addresses.use | -- | Yes | Yes | --
compute.addresses.useInternal | -- | Yes | Yes | Yes
compute.disks.create | Yes | Yes | Yes | Yes
compute.disks.createSnapshot | Yes | Yes | Yes | Yes
compute.disks.delete | Yes | Yes | Yes | Yes
compute.disks.get | Yes | Yes | Yes | Yes
compute.disks.list | Yes | -- | -- | --
compute.disks.resize | -- | Yes | Yes | Yes
compute.disks.setLabels | Yes | Yes | Yes | Yes
compute.disks.use | Yes | Yes | Yes | Yes
compute.diskTypes.get | Yes | -- | -- | --
compute.globalOperations.get | Yes | Yes | Yes | Yes
compute.instances.attachDisk | Yes | Yes | Yes | Yes
compute.instances.create | -- | Yes | Yes | Yes
compute.instances.delete | -- | Yes | Yes | Yes
compute.instances.detachDisk | Yes | Yes | Yes | Yes
compute.instances.get | Yes | -- | -- | --
compute.instances.list | Yes | -- | -- | --
compute.instances.setLabels | -- | Yes | Yes | Yes
compute.instances.setMetadata | -- | Yes | Yes | Yes
compute.instances.setServiceAccount | -- | Yes | Yes | Yes
compute.instances.setTags | -- | Yes | Yes | Yes
compute.instances.start | -- | Yes | Yes | Yes
compute.instances.stop | -- | Yes | Yes | Yes
compute.instances.updateDisplayDevice | -- | Yes | Yes | Yes
compute.machineTypes.get | Yes | Yes | Yes | Yes
compute.machineTypes.list | -- | Yes | Yes | Yes
compute.networks.get | -- | Yes | Yes | Yes
compute.networks.list | -- | Yes | Yes | Yes
compute.projects.get | Yes | Yes | Yes | Yes
compute.regionOperations.get | Yes | Yes | Yes | Yes
compute.regions.get | Yes | Yes | Yes | Yes
compute.regions.list | Yes | Yes | Yes | Yes
compute.snapshots.create | Yes | Yes | Yes | Yes
compute.snapshots.delete | Yes | Yes | Yes | Yes
compute.snapshots.get | Yes | Yes | Yes | Yes
compute.snapshots.setLabels | Yes | Yes | Yes | Yes
compute.snapshots.useReadOnly | Yes | Yes | Yes | Yes
compute.subnetworks.get | Yes | Yes | Yes | Yes
compute.subnetworks.list | -- | Yes | Yes | Yes
compute.subnetworks.use | -- | Yes | Yes | Yes
compute.subnetworks.useExternalIp | -- | Yes | Yes | Yes
compute.zoneOperations.get | Yes | Yes | Yes | Yes
compute.zones.get | Yes | Yes | Yes | Yes
compute.zones.list | Yes | Yes | Yes | Yes
iam.serviceAccounts.actAs | Yes | Yes | Yes | Yes
iam.serviceAccounts.get | Yes | Yes | Yes | Yes
iam.serviceAccounts.list | Yes | Yes | Yes | Yes
resourcemanager.projects.get | Yes | Yes | Yes | Yes
resourcemanager.projects.list | Yes | Yes | Yes | Yes
Note
When replicating instances to a GCP destination with the RTO option Hot site replication, the software creates the instance from a JSON config file. During the replication operation it saves that file in a storage bucket and deletes the file after the instance is created. Grant the GCP service account in the destination project the storage permissions listed below so that it can create the bucket; otherwise replication fails.
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
storage.buckets.create | -- | -- | -- | Yes
storage.buckets.delete | -- | -- | -- | Yes
storage.buckets.get | -- | -- | -- | Yes
storage.buckets.update | -- | -- | -- | Yes
storage.objects.create | -- | -- | -- | Yes
storage.objects.delete | -- | -- | -- | Yes
storage.objects.get | -- | -- | -- | Yes
storage.objects.list | -- | -- | -- | Yes
storage.objects.update | -- | -- | -- | Yes
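The tables above are easiest to apply as a custom IAM role that carries exactly one column, rather than a broad predefined role such as Compute Admin. The script below is an added example, not part of the Commvault documentation or of Google's tooling: it packages the Backups column of the General table into a custom role, binds it to the backup service account, and audits an existing role for missing entries. PROJECT_ID, SA_EMAIL and ROLE_ID are placeholders, the YAML shape is the one accepted by `gcloud iam roles create --file`, and the `gcloud iam roles describe` output is assumed to join the permission list with semicolons (the default for the `value()` format). The same shape works for the Restores, VM conversions and Replication columns (adding the storage permissions from the Note for replication); only the list changes.

```shell
#!/bin/sh
# Added example (not Commvault's or Google's code): least-privilege custom role
# for GCP backup-only operations, built from the Backups column of the General
# table. gcloud is only invoked when the script is run with the argument "apply".
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"                                # placeholder
SA_EMAIL="${SA_EMAIL:-backup-sa@${PROJECT_ID}.iam.gserviceaccount.com}"    # placeholder
ROLE_ID="${ROLE_ID:-backupOnlyOperator}"                                   # placeholder

# The 32 permissions marked "Yes" under Backups in the General table, one per line.
backup_permissions() {
    cat <<'EOF'
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.diskTypes.get
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.machineTypes.get
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.zoneOperations.get
compute.zones.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
EOF
}

# Turn a permission list on stdin into the YAML that `gcloud iam roles create --file` accepts.
role_yaml() {   # usage: backup_permissions | role_yaml TITLE DESCRIPTION
    printf 'title: "%s"\ndescription: "%s"\nstage: GA\nincludedPermissions:\n' "$1" "$2"
    while IFS= read -r perm; do
        if [ -n "$perm" ]; then
            printf -- '- %s\n' "$perm"
        fi
    done
}

# Print the required permissions that are absent from the list on stdin (one per
# line). Prints nothing when the role is complete. Feed it the output of:
#   gcloud iam roles describe ROLE --project=PROJECT \
#       --format='value(includedPermissions)' | tr ';' '\n'
missing_permissions() {
    actual=$(mktemp)
    required=$(mktemp)
    sort -u >"$actual"
    backup_permissions | sort -u >"$required"
    comm -13 "$actual" "$required"      # lines only in the required list
    rm -f "$actual" "$required"
}

if [ "${1:-}" = "apply" ]; then
    backup_permissions | role_yaml "Backup-only operator" \
        "Compute and IAM permissions needed for GCP instance backups only" >role.yaml
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:$SA_EMAIL" \
        --role="projects/$PROJECT_ID/roles/$ROLE_ID"
    # Audit: anything printed here is a permission the bound role still lacks.
    gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
        --format='value(includedPermissions)' | tr ';' '\n' | missing_permissions
fi
```

Run it as `sh grant-backup-role.sh apply` from an account that can administer roles and IAM bindings in the project. Because the role is defined from the table rather than from a predefined role, the audit step is also the regression check to rerun after the software is upgraded and the table changes: append the new entries to `backup_permissions`, run the audit, and update the role with `gcloud iam roles update --file`.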
Encryption
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
cloudkms.cryptoKeyEncrypterDecrypter | Yes | Yes | Yes | Yes
cloudkms.cryptoKeyVersions.useToDecrypt | Yes | Yes | Yes | Yes
cloudkms.cryptoKeyVersions.useToEncrypt | Yes | Yes | Yes | Yes
cloudkms.cryptoKeys.create | Yes | Yes | Yes | Yes
cloudkms.cryptoKeys.get | Yes | Yes | Yes | Yes
cloudkms.cryptoKeys.update | Yes | Yes | Yes | Yes
cloudkms.keyRings.create | Yes | Yes | Yes | Yes
cloudkms.keyRings.get | Yes | Yes | Yes | Yes
Node Affinity
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
compute.nodeGroups.get | -- | Yes | Yes | --
compute.nodeGroups.list | -- | Yes | Yes | --
Power Management for MediaAgents
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
compute.instances.list | Yes | Yes | Yes | Yes
compute.instances.start | Yes | Yes | Yes | Yes
compute.instances.stop | Yes | Yes | Yes | Yes
compute.machineTypes.get | Yes | Yes | Yes | Yes
compute.zones.list | Yes | Yes | Yes | Yes
Shared VPC
Permission | Backups | Restores | VM conversions | Replication
---|---|---|---|---
compute.subnetworks.use | -- | Yes | Yes | Yes