To protect Google Cloud Platform instances, you must assign the permissions listed below to the GCP service account that the software uses. Each table shows which operation (backups, restores, VM conversions, or replication) needs a permission; grant only the columns you actually use, so that a service account used for backups alone does not also receive the instance create, delete, and modify permissions that only restores, VM conversions, and replication require.
If you plan to use encryption, shared virtual private cloud (VPC) networks, node affinity groups, or power management for MediaAgents, assign the permissions described in the relevant section in addition to the permissions in the General section.
General
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.addresses.get | -- | Yes | Yes | Yes |
| compute.addresses.useInternal | -- | Yes | Yes | Yes |
| compute.disks.create | Yes | Yes | Yes | Yes |
| compute.disks.createSnapshot | Yes | Yes | Yes | Yes |
| compute.disks.delete | Yes | Yes | Yes | Yes |
| compute.disks.get | Yes | Yes | Yes | Yes |
| compute.disks.list | Yes | -- | -- | -- |
| compute.disks.resize | -- | Yes | Yes | Yes |
| compute.disks.setLabels | Yes | Yes | Yes | Yes |
| compute.disks.use | Yes | Yes | Yes | Yes |
| compute.diskTypes.get | Yes | -- | -- | -- |
| compute.globalOperations.get | Yes | Yes | Yes | Yes |
| compute.instances.attachDisk | Yes | Yes | Yes | Yes |
| compute.instances.create | -- | Yes | Yes | Yes |
| compute.instances.delete | -- | Yes | Yes | Yes |
| compute.instances.detachDisk | Yes | Yes | Yes | Yes |
| compute.instances.get | Yes | -- | -- | -- |
| compute.instances.list | Yes | -- | -- | -- |
| compute.instances.setLabels | -- | Yes | Yes | Yes |
| compute.instances.setMetadata | -- | Yes | Yes | Yes |
| compute.instances.setServiceAccount | -- | Yes | Yes | Yes |
| compute.instances.setTags | -- | Yes | Yes | Yes |
| compute.instances.start | -- | Yes | Yes | Yes |
| compute.instances.stop | -- | Yes | Yes | Yes |
| compute.instances.updateDisplayDevice | -- | Yes | Yes | Yes |
| compute.machineTypes.get | -- | Yes | Yes | Yes |
| compute.machineTypes.list | -- | Yes | Yes | Yes |
| compute.networks.get | -- | Yes | Yes | Yes |
| compute.networks.list | -- | Yes | Yes | Yes |
| compute.projects.get | Yes | Yes | Yes | Yes |
| compute.regionOperations.get | Yes | Yes | Yes | Yes |
| compute.regions.get | Yes | Yes | Yes | Yes |
| compute.regions.list | Yes | Yes | Yes | Yes |
| compute.snapshots.create | Yes | Yes | Yes | Yes |
| compute.snapshots.delete | Yes | Yes | Yes | Yes |
| compute.snapshots.get | Yes | Yes | Yes | Yes |
| compute.snapshots.setLabels | Yes | Yes | Yes | Yes |
| compute.snapshots.useReadOnly | Yes | Yes | Yes | Yes |
| compute.subnetworks.get | Yes | Yes | Yes | Yes |
| compute.subnetworks.list | -- | Yes | Yes | Yes |
| compute.subnetworks.use | -- | Yes | Yes | Yes |
| compute.subnetworks.useExternalIp | -- | Yes | Yes | Yes |
| compute.zoneOperations.get | Yes | Yes | Yes | Yes |
| compute.zones.get | Yes | Yes | Yes | Yes |
| compute.zones.list | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.actAs | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.get | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.list | Yes | Yes | Yes | Yes |
| resourcemanager.projects.get | Yes | Yes | Yes | Yes |
| resourcemanager.projects.list | Yes | Yes | Yes | Yes |
Encryption
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| cloudkms.cryptoKeyEncrypterDecrypter | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeyVersions.useToDecrypt | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeyVersions.useToEncrypt | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.create | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.get | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.update | Yes | Yes | Yes | Yes |
| cloudkms.keyRings.create | Yes | Yes | Yes | Yes |
| cloudkms.keyRings.get | Yes | Yes | Yes | Yes |

Note that cloudkms.cryptoKeyEncrypterDecrypter is the predefined IAM role roles/cloudkms.cryptoKeyEncrypterDecrypter rather than an individual permission, so it cannot be placed in a custom role's permission list; bind it to the service account on the key ring or key that protects the disks, and include the remaining cloudkms.* permissions in the custom role.
Node Affinity
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.nodeGroups.get | -- | Yes | Yes | -- |
| compute.nodeGroups.list | -- | Yes | Yes | -- |
Power Management for MediaAgents
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.instances.list | Yes | Yes | Yes | Yes |
| compute.instances.start | Yes | Yes | Yes | Yes |
| compute.instances.stop | Yes | Yes | Yes | Yes |
| compute.machineTypes.get | Yes | Yes | Yes | Yes |
| compute.zones.list | Yes | Yes | Yes | Yes |
Shared VPC
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.subnetworks.use | -- | Yes | Yes | Yes |

In a Shared VPC setup the subnets belong to the host project, so this permission must be granted to the service account in the host project (on the specific subnets, or project-wide), not only in the service project where the instances are created.
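As an added example, not part of this page or of the product's own tooling, the script below encodes the tables above and derives the smallest permission set for the operations you actually run, emits a role definition file for `gcloud iam roles create`, and reports what an existing grant is still missing. The workload names, the `_rows` helper, the role title and the flag encoding are my own; the permission names are the ones listed on this page, transcribed here by hand. The Encryption table's cloudkms.cryptoKeyEncrypterDecrypter entry is deliberately left out of the custom role because it is a predefined role, not a permission.

```python
"""Build a least-privilege custom role from the permission tables above and
check an existing grant against it (added example, not the vendor's code)."""

WORKLOADS = ("backups", "restores", "vm_conversions", "replication")

def _rows(flags, names):
    """Map each permission name to its Backups/Restores/VM conv./Replication
    flags ("Y" = required, "-" = not needed), in WORKLOADS order."""
    return dict.fromkeys(names.split(), flags)

# General table, transcribed from this page.
GENERAL = {
    **_rows("YYYY", """
        compute.disks.create compute.disks.createSnapshot compute.disks.delete
        compute.disks.get compute.disks.setLabels compute.disks.use
        compute.globalOperations.get compute.instances.attachDisk
        compute.instances.detachDisk compute.projects.get
        compute.regionOperations.get compute.regions.get compute.regions.list
        compute.snapshots.create compute.snapshots.delete compute.snapshots.get
        compute.snapshots.setLabels compute.snapshots.useReadOnly
        compute.subnetworks.get compute.zoneOperations.get compute.zones.get
        compute.zones.list iam.serviceAccounts.actAs iam.serviceAccounts.get
        iam.serviceAccounts.list resourcemanager.projects.get
        resourcemanager.projects.list"""),
    **_rows("Y---", """
        compute.disks.list compute.diskTypes.get compute.instances.get
        compute.instances.list"""),
    **_rows("-YYY", """
        compute.addresses.get compute.addresses.useInternal compute.disks.resize
        compute.instances.create compute.instances.delete
        compute.instances.setLabels compute.instances.setMetadata
        compute.instances.setServiceAccount compute.instances.setTags
        compute.instances.start compute.instances.stop
        compute.instances.updateDisplayDevice compute.machineTypes.get
        compute.machineTypes.list compute.networks.get compute.networks.list
        compute.subnetworks.list compute.subnetworks.use
        compute.subnetworks.useExternalIp"""),
}
# cloudkms.cryptoKeyEncrypterDecrypter from the Encryption table is a predefined
# role, not a permission; a custom role cannot include it, so bind
# roles/cloudkms.cryptoKeyEncrypterDecrypter on the key separately.
ENCRYPTION = _rows("YYYY", """
    cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt
    cloudkms.cryptoKeys.create cloudkms.cryptoKeys.get cloudkms.cryptoKeys.update
    cloudkms.keyRings.create cloudkms.keyRings.get""")
NODE_AFFINITY = _rows("-YY-", "compute.nodeGroups.get compute.nodeGroups.list")
MEDIAAGENT_POWER = _rows("YYYY", """
    compute.instances.list compute.instances.start compute.instances.stop
    compute.machineTypes.get compute.zones.list""")
# Shared VPC adds no new name (compute.subnetworks.use, "-YYY"), but that grant
# must exist on the host project's subnets, not only in the service project.

def required_permissions(workloads, encryption=False, node_affinity=False,
                         mediaagent_power=False):
    """Sorted union of every permission any of the requested workloads needs."""
    tables = [GENERAL]
    if encryption:
        tables.append(ENCRYPTION)
    if node_affinity:
        tables.append(NODE_AFFINITY)
    if mediaagent_power:
        tables.append(MEDIAAGENT_POWER)
    cols = [WORKLOADS.index(w) for w in workloads]
    return sorted({p for t in tables for p, f in t.items()
                   if any(f[c] == "Y" for c in cols)})

def missing_permissions(required, granted):
    """Permissions still to add; `granted` is e.g. the includedPermissions list
    from `gcloud iam roles describe ROLE_ID --project PROJECT`."""
    return sorted(set(required) - set(granted))

def role_yaml(title, perms):
    """Role file body for `gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml`."""
    return "\n".join(["title: " + title, "stage: GA", "includedPermissions:"]
                     + ["- " + p for p in perms]) + "\n"

if __name__ == "__main__":
    # A backup-only role: 31 permissions, none of the instance create/delete/modify set.
    print(role_yaml("Commvault GCP backup only", required_permissions(["backups"])))
```

Run it with `python3 gcp_role.py > role.yaml`, create the role with `gcloud iam roles create`, and bind it to the service account with `gcloud projects add-iam-policy-binding`; when the product's permission list changes, paste the new includedPermissions into `missing_permissions` to see exactly what to add rather than widening the grant.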