Plug-In Permissions

The accounts that Google Cloud Plug-in for Veeam Backup & Replication uses to perform data protection and disaster recovery operations must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you use when installing and working with Veeam Backup & Replication must have the permissions listed in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.

Veeam Backup for Google Cloud User Account Permissions

A user account that Veeam Backup & Replication uses to authenticate against a backup appliance and get access to the appliance functionality must be assigned the Portal Administrator role. For more information on user roles, see Managing User Accounts.

Note

When you deploy a backup appliance from the Veeam Backup & Replication console, Veeam Backup & Replication automatically creates the necessary user account that is assigned all the required permissions.

Google Cloud Service Account Permissions

Google Cloud Plug-in for Veeam Backup & Replication requires the following service accounts:

  • A service account whose permissions are used to perform data protection and disaster recovery operations with Google Cloud resources.
  • When you deploy a new backup appliance, the default service account is automatically created on this appliance and is assigned all the required permissions.
  • When you connect to an existing backup appliance, Google Cloud Plug-in for Veeam Backup & Replication uses a service account with a set of predefined permissions that has already been created on this appliance.

If you instruct Veeam Backup & Replication to create the service account automatically, the account is assigned the Owner role with a wide scope of permissions and capabilities. If you create a new service account in Google Cloud manually, consider that the service account must have the following minimal set of permissions:

List of permissions

{
   compute.addresses.list
   compute.disks.create
   compute.disks.createSnapshot
   compute.disks.delete
   compute.disks.get
   compute.disks.setLabels
   compute.disks.use
   compute.firewalls.list
   compute.globalOperations.get
   compute.instances.attachDisk
   compute.instances.detachDisk
   compute.instances.get
   compute.instances.getGuestAttributes
   compute.instances.list
   compute.instances.setMetadata
   compute.instances.start
   compute.instances.stop
   compute.networks.get
   compute.networks.list
   compute.projects.get
   compute.regions.get
   compute.regions.list
   compute.snapshots.create
   compute.snapshots.delete
   compute.snapshots.get
   compute.snapshots.useReadOnly
   compute.subnetworks.get
   compute.subnetworks.list
   compute.zoneOperations.get
   compute.zones.get
   compute.zones.list
   compute.machineTypes.list
   deploymentmanager.deployments.create
   deploymentmanager.deployments.delete
   deploymentmanager.deployments.get
   deploymentmanager.operations.get
   deploymentmanager.resources.list
   iam.roles.create
   iam.serviceAccounts.actAs
   iap.tunnelInstances.accessViaIAP
   resourcemanager.projects.getIamPolicy
   resourcemanager.projects.setIamPolicy
   storage.buckets.create
}

After you create a service account in Google Cloud, you must add it to Veeam Backup & Replication as described in the Veeam Backup & Replication User Guide, section Google Cloud Platform Service Account.
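To check a manually created service account against the minimal permission set listed above, the following added example (not part of the Veeam documentation or product) reports whether the account is bound to the Owner role and which permissions its custom roles lack or grant beyond the list. It assumes input shaped like the JSON from gcloud projects get-iam-policy and gcloud iam roles describe; the project, account and role names are constructed placeholders.

```python
import json

# Minimal permission set from the list above, grouped by resource prefix.
REQUIRED_BY_PREFIX = {
    "compute.addresses": "list",
    "compute.disks": "create createSnapshot delete get setLabels use",
    "compute.firewalls": "list",
    "compute.globalOperations": "get",
    "compute.instances": "attachDisk detachDisk get getGuestAttributes list setMetadata start stop",
    "compute.machineTypes": "list",
    "compute.networks": "get list",
    "compute.projects": "get",
    "compute.regions": "get list",
    "compute.snapshots": "create delete get useReadOnly",
    "compute.subnetworks": "get list",
    "compute.zoneOperations": "get",
    "compute.zones": "get list",
    "deploymentmanager.deployments": "create delete get",
    "deploymentmanager.operations": "get",
    "deploymentmanager.resources": "list",
    "iam.roles": "create",
    "iam.serviceAccounts": "actAs",
    "iap.tunnelInstances": "accessViaIAP",
    "resourcemanager.projects": "getIamPolicy setIamPolicy",
    "storage.buckets": "create",
}
REQUIRED = {f"{p}.{v}" for p, verbs in REQUIRED_BY_PREFIX.items() for v in verbs.split()}

def roles_bound_to(policy, member):
    """Roles a member holds in a project IAM policy (get-iam-policy JSON shape)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit(policy, role_defs, member):
    """Flag an Owner binding and drift from the minimal set for one service account."""
    roles = roles_bound_to(policy, member)
    # Only roles whose definition is supplied in role_defs are expanded to permissions.
    granted = {p for r in roles for p in role_defs.get(r, {}).get("includedPermissions", [])}
    return {"owner": "roles/owner" in roles,
            "missing": sorted(REQUIRED - granted),
            "excess": sorted(granted - REQUIRED)}

# Constructed sample data: one custom role that lacks a required permission and adds an extra one.
SA = "serviceAccount:veeam-backup@example-project.iam.gserviceaccount.com"
ROLE = "projects/example-project/roles/veeamMinimal"
POLICY = {"bindings": [{"role": ROLE, "members": [SA]}]}
ROLE_DEFS = {ROLE: {"includedPermissions":
                    sorted(REQUIRED - {"compute.disks.use"}) + ["compute.instances.delete"]}}
if __name__ == "__main__":
    print(json.dumps(audit(POLICY, ROLE_DEFS, SA), indent=2))
```

An empty "missing" list with "owner" false and no "excess" entries means the account matches the documented minimum for the roles that were supplied.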

Virtualization Servers and Hosts Service Account Permissions

If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere and Microsoft Hyper-V environments, or to perform other tasks related to virtualization servers and hosts, you must check whether the service account specified for these servers and hosts has the required permissions described in the Veeam Backup & Replication User Guide for VMware vSphere and Veeam Backup & Replication User Guide for Microsoft Hyper-V, section Using Virtualization Servers and Hosts.

Microsoft Azure Account Permissions

An Azure AD application that you plan to use to restore VM instances to Microsoft Azure must have permissions described in the Veeam Backup & Replication User Guide, section Permissions.

AWS IAM User Permissions

An IAM user whose one-time access keys you plan to use to perform restore of VM instances to Amazon EC2 must have permissions described in the Veeam Backup & Replication User Guide, section AWS IAM User Permissions.