Worker Permissions

    To allow Veeam Backup for GCP to create a worker instance in a GCP project and to access the instance when performing backup and restore operations, the service account associated with the project must have the following permissions:

    compute.disks.create

    compute.disks.createSnapshot

    compute.disks.delete

    compute.disks.list

    compute.disks.setLabels

    compute.disks.use

    compute.firewalls.list

    compute.globalOperations.get

    compute.instances.create

    compute.instances.delete

    compute.instances.detachDisk

    compute.instances.get

    compute.instances.list

    compute.instances.setLabels

    compute.instances.setMetadata

    compute.instances.setServiceAccount

    compute.instances.setTags

    compute.machineTypes.get

    compute.networks.list

    compute.projects.get

    compute.regionOperations.get

    compute.regions.get

    compute.regions.list

    compute.routes.list

    compute.snapshots.create

    compute.snapshots.delete

    compute.snapshots.get

    compute.snapshots.getIamPolicy

    compute.snapshots.list

    compute.snapshots.setIamPolicy

    compute.snapshots.setLabels

    compute.subnetworks.get

    compute.subnetworks.list

    compute.subnetworks.use

    compute.subnetworks.useExternalIp

    compute.zoneOperations.get

    compute.zones.get

    compute.zones.list

    iam.serviceAccounts.actAs

    logging.sinks.delete

    logging.sinks.get

    logging.sinks.list

    pubsub.subscriptions.consume

    pubsub.subscriptions.create

    pubsub.subscriptions.delete

    pubsub.subscriptions.get

    pubsub.subscriptions.list

    pubsub.topics.attachSubscription

    pubsub.topics.create

    pubsub.topics.delete

    pubsub.topics.get

    pubsub.topics.list

    pubsub.topics.publish

    resourcemanager.projects.get

    resourcemanager.projects.getIamPolicy

    serviceusage.services.list

    Important

    To allow Veeam Backup for GCP to connect a created worker instance to a Shared VPC network, the service account associated with the GCP project where the instance belongs must also have either the compute.networkUser role for the whole Shared VPC host project, or the compute.networkViewer role for the whole host project plus compute.networkUser for specific subnets in the host project.

    To learn how to provide access to Shared VPC networks, see Google Cloud documentation.
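The two Shared VPC options described above can be verified against exported IAM policies before a worker instance is deployed. The following Python check is an added example, not Veeam or Google code; it assumes policies in the JSON shape produced by `gcloud projects get-iam-policy` and `gcloud compute networks subnets get-iam-policy` with `--format=json`, and the account, project and subnet names are constructed. It counts only direct, unconditional bindings, so roles granted through groups or inherited from a folder or organization are not seen.

```python
# Added example: classify Shared VPC access from IAM policy JSON documents.
NETWORK_USER = "roles/compute.networkUser"
NETWORK_VIEWER = "roles/compute.networkViewer"

# Constructed sample data (hypothetical account and subnet names).
SA = "serviceAccount:veeam-worker@example-project.iam.gserviceaccount.com"
HOST_POLICY = {"bindings": [{"role": NETWORK_VIEWER, "members": [SA]}]}
SUBNET_POLICIES = {
    "backup-subnet": {"bindings": [{"role": NETWORK_USER, "members": [SA]}]},
    "app-subnet": {"bindings": []},
}


def roles_for(policy, member):
    """Return roles the policy grants directly and unconditionally to member."""
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # conditional grants need manual review; not counted
        if member in binding.get("members", []):
            granted.add(binding["role"])
    return granted


def shared_vpc_access(member, host_policy, subnet_policies):
    """Evaluate the page's either/or requirement.

    host_policy: IAM policy of the Shared VPC host project.
    subnet_policies: mapping of subnet name to that subnet's IAM policy.
    """
    host_roles = roles_for(host_policy, member)
    if NETWORK_USER in host_roles:
        return {"ok": True, "mode": "host-project", "subnets": "all"}
    usable = sorted(name for name, policy in subnet_policies.items()
                    if NETWORK_USER in roles_for(policy, member))
    if NETWORK_VIEWER in host_roles and usable:
        return {"ok": True, "mode": "per-subnet", "subnets": usable}
    missing = []
    if NETWORK_VIEWER not in host_roles:
        missing.append(NETWORK_VIEWER + " on host project")
    if not usable:
        missing.append(NETWORK_USER + " on at least one subnet")
    return {"ok": False, "mode": None, "missing": missing}


if __name__ == "__main__":
    print(shared_vpc_access(SA, HOST_POLICY, SUBNET_POLICIES))
```

A `per-subnet` result lists the only subnets the worker instance can be attached to, which makes it the narrower of the two grants.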