Google Compute Engine IAM User Permissions

To enable restore of workloads to Google Compute Engine, do the following:

  1. Grant the following roles to the IAM user whose credentials you plan to use to connect to Google Compute Engine:
  • Compute Admin role (roles/compute.admin)

To avoid granting the broad Compute Admin role to the IAM user or Compute Engine service account for security reasons (least privilege), you can create a custom role with the following Compute Engine IAM permissions and grant it instead:

compute.addresses.list
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.stop
compute.machineTypes.list
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regions.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list

  • Cloud Build Editor role (roles/cloudbuild.builds.editor)
  • Project IAM Admin role (roles/resourcemanager.projectIamAdmin)
  • Storage Admin role (roles/storage.admin)
  • Storage HMAC Key Admin (roles/storage.hmacKeyAdmin)
  • Viewer role (roles/viewer)

For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.

  2. [If you recover workloads with a helper appliance] Make sure that the Cloud Build API is enabled. Then grant the following roles to the Cloud Build service account in Google Compute Engine:
  • Compute Admin role (roles/compute.admin)

To avoid granting the Compute Admin role to the Cloud Build service account for security reasons, you can grant it the custom role that you created for the IAM user or Compute Engine service account instead.

  • Service Account Token Creator role (roles/iam.serviceAccountTokenCreator)
  • Service Account User role (roles/iam.serviceAccountUser)
  • [Optional: to export or import images that use shared VPCs] Compute Network User role (roles/compute.networkUser)

For more information, see the Prerequisites for importing and exporting VM images section in the Google Cloud documentation.
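The custom-role alternative described in steps 1 and 2, as an added example that is not part of the Veeam or Google Cloud documentation: a POSIX shell script that writes the permission list above into the YAML layout that `gcloud iam roles create --file` reads, creates the role, binds it to a principal (the IAM user, or the Cloud Build service account in step 2) in place of `roles/compute.admin`, and lists the principal's roles so you can confirm the broad role is gone. `PROJECT_ID`, `ROLE_ID` and the member addresses are placeholders you supply yourself; the gcloud calls are printed rather than executed until `DRY_RUN=0`.

```shell
#!/usr/bin/env sh
# Added example (not Veeam's or Google's code): builds the least-privilege custom role
# from the permission list on this page and binds it in place of roles/compute.admin.
# PROJECT_ID, ROLE_ID and the member addresses are placeholders you supply yourself.
PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"
ROLE_ID="${ROLE_ID:-veeamRestoreOperator}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print gcloud commands instead of running them
# The 38 Compute Engine permissions listed above, whitespace-separated.
VEEAM_RESTORE_PERMISSIONS="
compute.addresses.list compute.disks.create compute.disks.delete compute.disks.get
compute.disks.use compute.disks.useReadOnly compute.firewalls.create
compute.firewalls.delete compute.firewalls.list compute.globalOperations.get
compute.images.create compute.images.delete compute.images.get compute.images.useReadOnly
compute.instances.attachDisk compute.instances.create compute.instances.delete
compute.instances.detachDisk compute.instances.get compute.instances.getGuestAttributes
compute.instances.list compute.instances.setLabels compute.instances.setMetadata
compute.instances.setTags compute.instances.stop compute.machineTypes.list
compute.networks.get compute.networks.list compute.networks.updatePolicy
compute.projects.get compute.regions.list compute.subnetworks.get compute.subnetworks.list
compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get
compute.zones.get compute.zones.list"

# Write the role definition in the YAML layout that 'gcloud iam roles create --file' reads.
write_role_yaml() {   # $1 = output path; prints the number of permissions written
  {
    printf 'title: "Veeam GCE restore (least privilege)"\n'
    printf 'description: "Custom role used instead of roles/compute.admin"\n'
    printf 'stage: "GA"\nincludedPermissions:\n'
    for p in $VEEAM_RESTORE_PERMISSIONS; do printf '%s\n' "- $p"; done
  } > "$1"
  grep -c '^- compute\.' "$1"
}

# Print (dry run) or execute a gcloud command.
gcloud_cmd() { if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Create the custom role and bind it to a principal, e.g. user:NAME@example.com or
# serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com (the Cloud Build SA).
grant_custom_role() {   # $1 = member, $2 = role YAML path
  gcloud_cmd iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$2"
  gcloud_cmd projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$1" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# List every role a principal holds, to confirm roles/compute.admin is no longer among them.
list_roles_of() {   # $1 = member
  gcloud_cmd projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.members:$1" --format="value(bindings.role)"
}
```

Typical use after sourcing the script: `write_role_yaml role.yaml`, then `grant_custom_role user:NAME@example.com role.yaml` (repeat with the Cloud Build service account member for step 2), and `list_roles_of user:NAME@example.com` to verify the binding set.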

  3. Make sure that the VM Migration API is enabled. For more information on enabling the API, see the Enable Migrate to Virtual Machines services section in the Google Cloud documentation.

After you enable the VM Migration API, Google Compute Engine creates the default Migrate to Virtual Machines service account. If the account was not created, create it manually as described in the Trigger service agent creation section in the Google Cloud documentation.

Grant the following roles to the service account:

  • Storage Object Viewer (roles/storage.objectViewer)
  • VM Migration Service Account (roles/vmmigration.serviceAgent)

The Google Cloud service account specified at the Account step must have the VM Migration Administrator (roles/vmmigration.admin) role.

For more information on the required permissions and limitations, see the Import virtual disk images section in the Google Cloud documentation.

Page updated 8/25/2025

Page content applies to build 13.0.0.4967