Google Compute Engine IAM User Permissions

    To enable restore of workloads to Google Compute Engine, do the following:

    1. Grant the following roles to the IAM user whose credentials you plan to use to connect to Google Compute Engine:
    • Compute Admin role (roles/compute.admin)

    For security reasons, you can avoid granting the broad Compute Admin role to this IAM user: instead, create a custom role that contains only the following Compute Engine IAM permissions and grant that custom role:

    compute.addresses.list
    compute.disks.create
    compute.disks.delete
    compute.disks.get
    compute.disks.use
    compute.disks.useReadOnly
    compute.firewalls.create
    compute.firewalls.delete
    compute.firewalls.list
    compute.globalOperations.get
    compute.images.create
    compute.images.delete
    compute.images.get
    compute.images.useReadOnly
    compute.instances.attachDisk
    compute.instances.create
    compute.instances.delete
    compute.instances.detachDisk
    compute.instances.get
    compute.instances.getGuestAttributes
    compute.instances.list
    compute.instances.setLabels
    compute.instances.setMetadata
    compute.instances.setTags
    compute.instances.stop
    compute.machineTypes.list
    compute.networks.get
    compute.networks.list
    compute.networks.updatePolicy
    compute.projects.get
    compute.regions.list
    compute.subnetworks.get
    compute.subnetworks.list
    compute.subnetworks.use
    compute.subnetworks.useExternalIp
    compute.zoneOperations.get
    compute.zones.get
    compute.zones.list

    • Cloud Build Editor role (roles/cloudbuild.builds.editor)
    • Project IAM Admin role (roles/resourcemanager.projectIamAdmin)
    • Storage Admin role (roles/storage.admin)
    • Storage HMAC Key Admin (roles/storage.hmacKeyAdmin)
    • Viewer role (roles/viewer)

    For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.

    2. Make sure that the Cloud Build API is enabled. Then grant the following roles to the Cloud Build service account in Google Compute Engine:
    • Compute Admin role (roles/compute.admin)

    For security reasons, you can avoid granting the Compute Admin role to the Cloud Build service account as well: grant it the same custom role that you created for the IAM user in step 1 instead.

    • Service Account Token Creator role (roles/iam.serviceAccountTokenCreator)
    • Service Account User role (roles/iam.serviceAccountUser)
    • [Optional: to export or import images that use shared VPCs] Compute Network User role (roles/compute.networkUser)

    For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.
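The two steps above carried out with gcloud, as an added example that is not from the Veeam documentation: it writes the custom-role definition from the permission list, creates the role, grants the roles from steps 1 and 2 to both principals, and lists each principal's bindings so you can confirm that roles/compute.admin is absent. PROJECT_ID, ROLE_ID and RESTORE_USER are placeholders, and the Cloud Build service account name PROJECT_NUMBER@cloudbuild.gserviceaccount.com is the legacy default, which newer projects may not use.

```bash
# Added example (not from the Veeam page): create the custom role listed above,
# grant it and the predefined roles to the restore IAM user and to the Cloud Build
# service account, then list what each principal holds. PROJECT_ID, ROLE_ID and
# RESTORE_USER are placeholders; the legacy Cloud Build account name is assumed.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"
ROLE_ID="${ROLE_ID:-veeamGceRestore}"
RESTORE_USER="${RESTORE_USER:-user:veeam-restore@example.com}"
# Permission set from the page (38 entries) that replaces roles/compute.admin.
PERMISSIONS="compute.addresses.list compute.disks.create compute.disks.delete compute.disks.get
compute.disks.use compute.disks.useReadOnly compute.firewalls.create compute.firewalls.delete
compute.firewalls.list compute.globalOperations.get compute.images.create compute.images.delete
compute.images.get compute.images.useReadOnly compute.instances.attachDisk compute.instances.create
compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getGuestAttributes
compute.instances.list compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags
compute.instances.stop compute.machineTypes.list compute.networks.get compute.networks.list
compute.networks.updatePolicy compute.projects.get compute.regions.list compute.subnetworks.get
compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get
compute.zones.get compute.zones.list"

# Emit the role definition in the YAML layout that 'gcloud iam roles create --file' reads.
write_role_yaml() {  # $1 = output path
  {
    printf '%s\n' "title: Veeam GCE restore" "stage: GA" "includedPermissions:"
    for p in $PERMISSIONS; do printf -- '- %s\n' "$p"; done
  } > "$1"
}

# Check: roles bound to a principal in the project; roles/compute.admin must not appear.
show_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
    --filter="bindings.members:$1" --format='value(bindings.role)'
}

# Steps 1 and 2 with gcloud (needs gcloud and the right to edit project IAM policy).
apply_bindings() {
  local role="projects/$PROJECT_ID/roles/$ROLE_ID" cb_sa
  write_role_yaml /tmp/veeam-restore-role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=/tmp/veeam-restore-role.yaml
  for r in "$role" roles/cloudbuild.builds.editor roles/resourcemanager.projectIamAdmin \
           roles/storage.admin roles/storage.hmacKeyAdmin roles/viewer; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="$RESTORE_USER" --role="$r" --quiet
  done
  gcloud services enable cloudbuild.googleapis.com --project="$PROJECT_ID"
  cb_sa="serviceAccount:$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')@cloudbuild.gserviceaccount.com"
  for r in "$role" roles/iam.serviceAccountTokenCreator roles/iam.serviceAccountUser; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="$cb_sa" --role="$r" --quiet
  done
  show_roles "$RESTORE_USER"; show_roles "$cb_sa"
}
if [ "${1:-}" = "apply" ]; then apply_bindings; fi
```

Run it as `PROJECT_ID=... RESTORE_USER=user:... ./grant.sh apply`; add roles/compute.networkUser to the Cloud Build loop only if the images use a shared VPC.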