Restore Permissions

To allow Veeam Backup for Google Cloud to perform restore operations, the service account associated with the Google Cloud project that will be used to manage the restored instances must have the following permissions.

VM Restore Permissions

compute.addresses.list

compute.disks.create

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.delete

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.list

compute.globalOperations.get

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMachineResources

compute.instances.setMetadata

compute.instances.setMinCpuPlatform

compute.instances.setName

compute.instances.setScheduling

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.updateNetworkInterface

compute.instances.setDeletionProtection

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regionOperations.get

compute.regions.get

compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.list

resourcemanager.projects.get

cloudkms.cryptoKeys.list

cloudkms.keyRings.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.list

compute.instances.list

compute.routes.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.getIamPolicy

serviceusage.services.list

pubsub.subscriptions.setIamPolicy

pubsub.subscriptions.getIamPolicy

pubsub.topics.setIamPolicy

pubsub.topics.getIamPolicy

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.get

storage.objects.update

storage.buckets.create

Important

To allow Veeam Backup for Google Cloud to connect a restored VM instance to a Shared VPC network, the service account associated with the project to which the instance belongs must also have either the compute.networkUser role for the whole Shared VPC host project, or the compute.networkViewer role for the whole host project plus compute.networkUser for specific subnets in the host project.

To allow Veeam Backup for Google Cloud to check the subnet configuration of the Shared VPC network to which the restored VM instance is connected, you must also add the following permissions to the service account associated with the project to which the instance belongs: compute.firewalls.list, compute.networks.get, compute.routes.list and compute.subnetworks.get for the whole Shared VPC host project.

To learn how to provide access to Shared VPC networks, see Google Cloud documentation.
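The two Shared VPC options described above can be checked offline against exported IAM policies. The following Python code is an added example, not part of the Veeam or Google Cloud documentation; it assumes policies exported as JSON with `gcloud projects get-iam-policy` (host project) and `gcloud compute networks subnets get-iam-policy` (each subnet), uses constructed account and subnet names, and sees only direct, unconditional bindings, not group membership or bindings inherited from a folder or organization.

```python
# Added example: check the Shared VPC role options against exported IAM policies.
NETWORK_USER = "roles/compute.networkUser"
NETWORK_VIEWER = "roles/compute.networkViewer"

def roles_for(policy, member):
    """Roles bound directly and unconditionally to member in an IAM policy dict."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:  # conditional grants may not cover the whole resource
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles

def shared_vpc_access(member, host_policy, subnet_policies, subnets_needed):
    """Return (ok, detail) for the two options described in the Important note."""
    host_roles = roles_for(host_policy, member)
    if NETWORK_USER in host_roles:
        return True, "networkUser on the whole host project"
    if NETWORK_VIEWER not in host_roles:
        return False, "no networkUser or networkViewer on the host project"
    missing = sorted(s for s in subnets_needed
                     if NETWORK_USER not in roles_for(subnet_policies.get(s, {}), member))
    if missing:
        return False, "networkUser missing on subnets: " + ", ".join(missing)
    return True, "networkViewer on host project plus networkUser on subnets"

# Constructed sample data (hypothetical account and subnet names).
SA = "serviceAccount:restore-sa@example-project.iam.gserviceaccount.com"
HOST_POLICY = {"bindings": [
    {"role": NETWORK_VIEWER, "members": [SA]},
    {"role": NETWORK_USER, "members": [SA],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
SUBNET_POLICIES = {
    "subnet-a": {"bindings": [{"role": NETWORK_USER, "members": [SA]}]},
    "subnet-b": {"bindings": []},
}

if __name__ == "__main__":
    for needed in (["subnet-a"], ["subnet-a", "subnet-b"]):
        print(needed, shared_vpc_access(SA, HOST_POLICY, SUBNET_POLICIES, needed))
```

A failing result names the subnets that still need a `compute.networkUser` binding, which keeps the narrower per-subnet option auditable.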

Cloud SQL Restore Permissions

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.keyRings.list

cloudsql.backupRuns.get

cloudsql.instances.create

cloudsql.instances.get

cloudsql.instances.import

cloudsql.instances.restoreBackup

cloudsql.instances.update

compute.firewalls.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.routes.list

compute.subnetworks.list

compute.zones.list

resourcemanager.projects.get

cloudsql.backupRuns.list

cloudsql.databases.create

cloudsql.databases.list

cloudsql.instances.list

cloudsql.instances.listServerCas

cloudsql.users.create

cloudsql.users.list

cloudsql.users.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

serviceusage.services.list

cloudsql.backupRuns.create

cloudsql.backupRuns.delete

cloudsql.databases.get

Important

To allow Veeam Backup for Google Cloud to use Cloud IAM credentials while restoring a MySQL instance, the service account associated with the project to which the instance belongs must also have the cloudsql.instances.login permission assigned.

Cloud Spanner Restore Permissions

spanner.backupOperations.get

spanner.backups.get

spanner.backups.restoreDatabase

spanner.backups.delete

spanner.databaseOperations.get

spanner.databases.create

spanner.databases.list

spanner.databases.update

spanner.instanceConfigOperations.get

spanner.instanceConfigs.create

spanner.instanceConfigs.delete

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instanceOperations.get

spanner.instances.create

spanner.instances.delete

spanner.instances.get

spanner.instances.list

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.keyRings.list

compute.projects.get

monitoring.timeSeries.list

resourcemanager.projects.get

spanner.databases.get

spanner.databases.updateDdl

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.write

spanner.databases.select

spanner.sessions.create

spanner.sessions.delete

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

serviceusage.services.list

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy