Backup Permissions
To allow Veeam Backup for Google Cloud to perform backup operations, the service account associated with the Google Cloud project managing instances that you want to protect must have the following permissions.
VM Backup Permissions
compute.addresses.list
compute.regions.list
compute.disks.list
compute.disks.createSnapshot
compute.disks.get
compute.instances.get
compute.instances.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.getIamPolicy
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.subnetworks.list
compute.routes.list
compute.machineTypes.get
compute.zones.list
compute.globalOperations.list
compute.globalOperations.get
compute.zoneOperations.get
compute.regionOperations.get
compute.projects.get
compute.regions.get
compute.networks.list
compute.firewalls.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
cloudkms.keyRings.list
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.getIamPolicy
serviceusage.services.list

Important
To allow Veeam Backup for Google Cloud to back up a VM instance connected to a Shared VPC network, the service account associated with the project to which the instance belongs must also have either the compute.networkUser role for the whole Shared VPC host project, or the compute.networkViewer role for the whole host project plus compute.networkUser for specific subnets in the host project. To learn how to provide access to Shared VPC networks, see Google Cloud documentation.
Cloud SQL Backup Permissions
cloudsql.backupRuns.create
cloudsql.backupRuns.delete
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.update
cloudsql.users.list
compute.regions.list
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
serviceusage.services.list
cloudkms.keyRings.list
cloudkms.cryptoKeys.list
compute.projects.get
resourcemanager.projects.get

Important
To allow Veeam Backup for Google Cloud to use Cloud IAM credentials while backing up a MySQL instance, the service account associated with the project to which the instance belongs must also have the cloudsql.instances.login permission assigned.
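The following check is an added example, not part of the Veeam documentation or product. It compares a custom role's includedPermissions, as exported by gcloud iam roles describe with --format=json, against the Cloud SQL list above and reports missing permissions, permissions beyond the list, and any granted setIamPolicy permissions. It assumes the service account receives its permissions through a single custom role; the role name, project ID and sample role are constructed, and the same comparison applies to the VM and Cloud Spanner lists.

```python
import json

# Cloud SQL backup permissions, copied from the list above.
CLOUD_SQL_REQUIRED = frozenset("""
cloudsql.backupRuns.create cloudsql.backupRuns.delete cloudsql.backupRuns.get
cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.export
cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas
cloudsql.instances.update cloudsql.users.list compute.regions.list
compute.zones.list logging.sinks.create logging.sinks.delete logging.sinks.get
logging.sinks.list pubsub.subscriptions.consume pubsub.subscriptions.create
pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list
pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete
pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.getIamPolicy
pubsub.topics.list pubsub.topics.setIamPolicy serviceusage.services.list
cloudkms.keyRings.list cloudkms.cryptoKeys.list compute.projects.get
resourcemanager.projects.get
""".split())
# Needed only when Cloud IAM credentials are used for MySQL instances.
CLOUD_SQL_OPTIONAL = frozenset({"cloudsql.instances.login"})


def audit_role(role_json, required=CLOUD_SQL_REQUIRED, optional=CLOUD_SQL_OPTIONAL):
    """Compare a role's includedPermissions with the documented list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {
        "missing": sorted(required - granted),           # listed but not granted
        "extra": sorted(granted - required - optional),  # granted but not listed
        "policy_writers": sorted(p for p in granted if p.endswith(".setIamPolicy")),
    }


# Constructed sample (hypothetical role and project): one listed permission is
# absent and two permissions outside the Cloud SQL list have been added.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/veeamCloudSqlBackup",
    "includedPermissions": sorted(
        (CLOUD_SQL_REQUIRED - {"cloudsql.instances.export"})
        | {"cloudsql.instances.login", "cloudsql.instances.delete",
           "resourcemanager.projects.setIamPolicy"}),
})

if __name__ == "__main__":
    for finding, perms in audit_role(SAMPLE_ROLE).items():
        print(f"{finding}: {perms}")
```
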
Cloud Spanner Backup Permissions
spanner.databases.list
spanner.databases.get
spanner.databases.getDdl
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instances.get
spanner.instances.list
spanner.sessions.create
spanner.sessions.delete
compute.regions.list
compute.zones.list
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
serviceusage.services.list
cloudkms.keyRings.list
cloudkms.cryptoKeys.list
compute.projects.get
monitoring.timeSeries.list
resourcemanager.projects.get