Backup Permissions
To allow Veeam Backup for GCP to perform backup operations, the service account associated with the GCP project managing VM instances that you want to protect must have the following permissions:
cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.keyRings.list compute.addresses.list compute.disks.createSnapshot compute.disks.get compute.disks.list compute.firewalls.list compute.globalOperations.get compute.globalOperations.list compute.instances.get compute.instances.list compute.machineTypes.get compute.networks.list compute.projects.get compute.regionOperations.get compute.regions.get compute.regions.list compute.routes.list compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.snapshots.setLabels compute.subnetworks.list compute.zoneOperations.get compute.zones.list logging.sinks.create logging.sinks.delete logging.sinks.get logging.sinks.list logging.sinks.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsub.topics.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy serviceusage.services.list |
Important |
To allow Veeam Backup for GCP to back up a VM instance connected to a Shared VPC network, the service account associated with the project where the instance belongs must also have either the compute.networkUser role for the whole Shared VPC host project, or the compute.networkViewer role for the whole host project plus compute.networkUser for specific subnets in the host project. To learn how to provide access to Shared VPC networks, see Google Cloud documentation. |