Google Compute Engine IAM User Permissions
To enable restore of workloads to Google Compute Engine, do the following:
- Grant the following roles to the IAM user whose credentials you plan to use to connect to Google Compute Engine:
  - Compute Admin role (roles/compute.admin)

    For security reasons, to avoid granting the Compute Admin role to the IAM user, you can instead create a custom role with the following Compute Engine IAM permissions and grant that custom role:
    - compute.addresses.list
  - Cloud Build Editor role (roles/cloudbuild.builds.editor)
  - Project IAM Admin role (roles/resourcemanager.projectIamAdmin)
  - Storage Admin role (roles/storage.admin)
  - Storage HMAC Key Admin role (roles/storage.hmacKeyAdmin)
  - Viewer role (roles/viewer)

  For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.
- Make sure that the Cloud Build API is enabled. Then grant the following roles to the Cloud Build service account in Google Compute Engine:
  - Compute Admin role (roles/compute.admin)

    For security reasons, to avoid granting the Compute Admin role to the Cloud Build service account, you can instead grant the same custom role that you created for the IAM user.
  - Service Account Token Creator role (roles/iam.serviceAccountTokenCreator)
  - Service Account User role (roles/iam.serviceAccountUser)
  - [Optional: to export or import images that use shared VPCs] Compute Network User role (roles/compute.networkUser)

  For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.
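As an added example (not part of this page or the product's own tooling), the check below verifies a project IAM policy against the role lists above for both the IAM user and the Cloud Build service account, and flags whether compute access comes from the broad Compute Admin role or from the narrower custom role. The policy shape is what `gcloud projects get-iam-policy PROJECT --format=json` returns after json.load(); the member names, project identifiers and custom role id are constructed placeholders.

```python
# Roles this page requires for the IAM user and for the Cloud Build service account.
IAM_USER_ROLES = {
    "roles/cloudbuild.builds.editor",
    "roles/resourcemanager.projectIamAdmin",
    "roles/storage.admin",
    "roles/storage.hmacKeyAdmin",
    "roles/viewer",
}
CLOUD_BUILD_SA_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}
COMPUTE_ADMIN = "roles/compute.admin"

# Constructed sample in the shape that `gcloud projects get-iam-policy PROJECT --format=json`
# produces once parsed with json.load(). Member names, project id/number and the custom
# role id are placeholders, not values from the page.
IAM_USER = "user:backup-operator@example.com"
CLOUD_BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
CUSTOM_ROLE = "projects/example-project/roles/restoreComputeAccess"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.admin", "members": [IAM_USER]},
        {"role": "roles/cloudbuild.builds.editor", "members": [IAM_USER]},
        {"role": "roles/resourcemanager.projectIamAdmin", "members": [IAM_USER]},
        {"role": "roles/storage.admin", "members": [IAM_USER]},
        {"role": "roles/viewer", "members": [IAM_USER]},
        {"role": CUSTOM_ROLE, "members": [CLOUD_BUILD_SA]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [CLOUD_BUILD_SA]},
    ]
}


def roles_for(policy, member):
    """Return the set of roles bound to `member` at project level."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_member(policy, member, required, custom_role=None):
    """Report the roles `member` still lacks. Compute access is satisfied by either
    Compute Admin or the narrower custom role; the result also says which one is in
    use, so an over-broad Compute Admin grant can be swapped for the custom role."""
    have = roles_for(policy, member)
    missing = sorted(required - have)
    if COMPUTE_ADMIN not in have and custom_role not in have:
        missing.append(custom_role or COMPUTE_ADMIN)
    return {"missing": missing, "uses_compute_admin": COMPUTE_ADMIN in have}
```

Run it against a real policy by replacing SAMPLE_POLICY with the parsed gcloud output and the three member/role constants with your own values.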