Restore Permissions

In this article

    To allow Veeam Backup for Google Cloud to perform restore operations, the service account associated with the Google Cloud project that will be used to manage the restored instances must have the following permissions.

    VM Restore Permissions

    compute.addresses.list

    compute.disks.create

    compute.disks.get

    compute.disks.setLabels

    compute.disks.use

    compute.disks.delete

    compute.disks.useReadOnly

    compute.firewalls.list

    compute.globalOperations.list

    compute.globalOperations.get

    compute.instances.create

    compute.instances.delete

    compute.instances.get

    compute.instances.setLabels

    compute.instances.setMachineResources

    compute.instances.setMetadata

    compute.instances.setMinCpuPlatform

    compute.instances.setScheduling

    compute.instances.setServiceAccount

    compute.instances.setTags

    compute.instances.start

    compute.instances.stop

    compute.instances.updateDisplayDevice

    compute.instances.updateNetworkInterface

    compute.instances.setDeletionProtection

    compute.machineTypes.list

    compute.networks.list

    compute.projects.get

    compute.regionOperations.get

    compute.regions.get

    compute.regions.list

    compute.snapshots.create

    compute.snapshots.delete

    compute.snapshots.get

    compute.snapshots.getIamPolicy

    compute.snapshots.list

    compute.snapshots.setLabels

    compute.snapshots.useReadOnly

    compute.subnetworks.list

    compute.subnetworks.use

    compute.subnetworks.useExternalIp

    compute.zoneOperations.get

    compute.zones.get

    compute.zones.list

    iam.serviceAccounts.actAs

    iam.serviceAccounts.list

    resourcemanager.projects.get

    cloudkms.cryptoKeys.list

    cloudkms.keyRings.list

    compute.addresses.use

    compute.addresses.useInternal

    compute.disks.list

    compute.instances.list

    compute.routes.list

    cloudkms.cryptoKeys.setIamPolicy

    cloudkms.cryptoKeys.getIamPolicy

    serviceusage.services.list

     

    Important

    • To allow Veeam Backup for Google Cloud to perform restore to the original location while source VM instances still exist there, you must also add the permission compute.instances.setName.

    The ability to rename VM instances is currently in pre-GA state. For more information, see Google Cloud documentation.

    • To allow Veeam Backup for Google Cloud to connect a restored VM instance to a Shared VPC network, the service account associated with the project where the instance belongs must also have either the compute.networkUser role for the whole Shared VPC host project, or the compute.networkViewer role for the whole host project plus compute.networkUser for specific subnets in the host project.

    To learn how to provide access to Shared VPC networks, see Google Cloud documentation.

    Cloud SQL Restore Permissions

    cloudkms.cryptoKeys.getIamPolicy

    cloudkms.cryptoKeys.list

    cloudkms.cryptoKeys.setIamPolicy

    cloudkms.keyRings.list

    cloudsql.backupRuns.get

    cloudsql.instances.create

    cloudsql.instances.get

    cloudsql.instances.import

    cloudsql.instances.restoreBackup

    compute.firewalls.list

    compute.networks.list

    compute.projects.get

    compute.regions.list

    compute.routes.list

    compute.subnetworks.list

    compute.zones.list

    cloudsql.backupRuns.list

    cloudsql.databases.create

    cloudsql.databases.list

    cloudsql.instances.list

    cloudsql.users.create

    cloudsql.users.list

    pubsub.subscriptions.consume

    pubsub.subscriptions.create

    pubsub.subscriptions.delete

    pubsub.subscriptions.get

    pubsub.subscriptions.list

    pubsub.topics.attachSubscription

    pubsub.topics.create

    pubsub.topics.delete

    pubsub.topics.detachSubscription

    pubsub.topics.get

    pubsub.topics.list

    serviceusage.services.list

    cloudsql.backupRuns.create

    cloudsql.backupRuns.delete

    cloudsql.databases.get