Google Compute Engine IAM User Permissions

To enable restore of workloads to Google Compute Engine, do the following:

  1. Grant the following roles to the IAM user whose credentials you plan to use to connect to Google Compute Engine:
  • Compute Admin role (roles/compute.admin)

To avoid granting the Compute Admin role to the IAM user Compute Engine service account for security reasons, you can create a custom role with the following Compute Engine IAM permissions and grant it instead:

compute.addresses.list
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.stop
compute.machineTypes.list
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regions.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list

  • Cloud Build Editor role (roles/cloudbuild.builds.editor)
  • Project IAM Admin role (roles/resourcemanager.projectIamAdmin)
  • Storage Admin role (roles/storage.admin)
  • Storage HMAC Key Admin (roles/storage.hmacKeyAdmin)
  • Viewer role (roles/viewer)

For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.

  1. Make sure that the Cloud Build API is enabled. Then grant the following roles to the Cloud Build service account in Google Compute Engine:
  • Compute Admin role (roles/compute.admin)

To avoid granting the Compute Admin role to the Cloud Build service account for security reasons, you can use the custom role that you created for the IAM user Compute Engine service account and grant it instead.

  • Service Account Token Creator role (roles/iam.serviceAccountTokenCreator)
  • Service Account User role (roles/iam.serviceAccountUser)
  • [Optional: to export or import images that use shared VPCs] Compute Network User role (roles/compute.networkUser)

For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.

 

Page updated 1/25/2024

Page content applies to build 12.1.1.56