Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. NetBackup Snapshot Manager for cloud providers
  5. Google Cloud Platform plug-in configuration notes
  6. Google Cloud Platform permissions required by NetBackup Snapshot Manager
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Google Cloud Platform permissions required by NetBackup Snapshot Manager

Assign the following permissions to the service account that NetBackup Snapshot Manager uses to access assets in the Google Cloud Platform (GCP):

Note:

In the following table the permissions marked with an asterisk (*) are mandatory.

Table: NetBackup Snapshot Manager feature Vs permissions for GCP cloud provider

Feature

Task/Operation

Required permission

VM based

VM protection

Backup, Restore, Indexing + GRT *

To fetch the specified disk type

compute.diskTypes.get

To delete the specified persistent disk

compute.disks.delete

Used when attaching a disk to an instance

compute.disks.use

To attach an existing disk resource to an instance

compute.instances.attachDisk

Detach a disk from an instance

compute.instances.detachDisk

Cross-Project restore

To create a persistent disk in the specified project

compute.disks.create

Snapshot/ (Cross-Project/Region) Restore *

To create a snapshot in the specified project

compute.snapshots.create

To delete the specified snapshot resource

compute.snapshots.delete

Restore/Backup/Snapshot/Indexing + GRT *

To set the labels on a disk

compute.disks.setLabels

To return the specified snapshot resource

compute.snapshots.get

To retrieve the specified zone-specific operations resource

compute.zoneOperations.get

Snapshot, (Cross-Project/Cross-Region) Restore *

To create a snapshot of a specified persistent disk

compute.disks.createSnapshot

Snapshot/Backup/Restore *

To retrieve the specified operations resource

compute.globalOperations.get

Cross-Project restore, BFS *

To create disk from a snapshot in same or different project

compute.snapshots.useReadOnly

Configuration of shared VPC*

To fetch the effective firewall on a given network

compute.networks.getEffectiveFirewalls

To retrieve the list of networks available to the specified project

compute.networks.list

To return the specified project resource

compute.projects.get

Return the specified subnetwork

compute.subnetworks.get

To retrieve a list of subnetworks available to the specified project

compute.subnetworks.list

To create a resource using a subnet

compute.subnetworks.use

To create a resource using an external IP

compute.subnetworks.useExternalIp

To retrieve the project identified by the specified name

resourcemanager.projects.get

To return the specified firewall

compute.firewalls.get

Snapshot *

To set the labels on a snapshot

compute.snapshots.setLabels

Plugin configuration *

To return the specified region resource

compute.regions.get

Calculate CP capability,  Restore *

To return the specified machine type

compute.machineTypes.get

To retrieve a list of machine types available to the specified project

compute.machineTypes.list

Discovery *

To fetch the specified persistent disk 

compute.disks.get

To retrieve a list of persistent disks contained within the specified zone 

compute.disks.list

To fetch the specified instance resource

compute.instances.get

To retrieve the list of instances contained within the specified zone

compute.instances.list

To list Google Compute Engine snapshots

compute.snapshots.list

Restore *

To create an instance resource in the specified project

compute.instances.create

To delete the specified instance resource

compute.instances.delete

To set metadata for the specified instance

compute.instances.setMetadata

To set the service account on the instance

compute.instances.setServiceAccount

To set labels on an instance

compute.instances.setLabels

To set network tags for the specified instance

compute.instances.setTags

To start an compute engine instance

compute.instances.start

To stop a running instance,  shutting it down cleanly

compute.instances.stop

To return the specified network

compute.networks.get

To attach service accounts to resources

iam.serviceAccounts.actAs

Restore of CMK encrypted disks

Restore

To get metadata for a given CryptoKey and its primary CryptoKeyVersion

cloudkms.cryptoKeys.get

To get metadata for a given CryptoKeyVersion

cloudkms.cryptoKeyVersions.get

To list CryptoKeys

cloudkms.cryptoKeys.list

To list KeyRings

cloudkms.keyRings.list

To decrypt data while reading encrypted disks

cloudkms.cryptoKeyVersions.useToDecrypt

To encrypt data on restored disks

cloudkms.cryptoKeyVersions.useToEncrypt

To get information about a location

cloudkms.locations.get

To list information about the supported locations for this service

cloudkms.locations.list

Cross-Project restore

To encrypt/decrypt data in other project

Cloud KMS CryptoKey Encrypter/Decrypter

SQL database protection

List cloud SQL instances in a given project

cloudsql.instances.list

To get the list of databases

cloudsql.databases.list

To get the database details

cloudsql.databases.get

To export data from database for backup

cloudsql.instances.export

To get the details of instance

cloudsql.instances.get

To import the backed up files into database

cloudsql.instances.import

To get the list of instances

cloudsql.instances.list

To create bucket

storage.buckets.create

To get bucket 

storage.buckets.get

To get permissions on buckets for required service account

storage.buckets.getIamPolicy

To set permissions on buckets for required service account

storage.buckets.setIamPolicy

To save backup files to bucket

storage.objects.create

To cleanup backup files from bucket

storage.objects.delete

To get backup file details from bucket

storage.objects.get

To get list of files from bucket

storage.objects.list

PaaS workloads protection (GCP BigQuery)

To get details about a configuration

bigquery.config.get

To create new empty datasets

bigquery.datasets.create

To delete a dataset

bigquery.datasets.delete

To get metadata and permissions about a dataset

bigquery.datasets.get

Metadata viewing permissions in GCP console

bigquery.datasets.getIamPolicy

To run jobs (including queries) within the project

bigquery.jobs.create

To get data and metadata for any job

bigquery.jobs.get

To list all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted.

bigquery.jobs.list

To list all jobs and retrieve metadata on any job submitted by any user

bigquery.jobs.listAll

To cancel any job

bigquery.jobs.update

To get routine definitions and metadata

bigquery.routines.get

To list routines and metadata on routines

bigquery.routines.list

To create new tables

bigquery.tables.create

To create new table snapshots

bigquery.tables.createSnapshot

To delete tables

bigquery.tables.delete

To delete table snapshots

bigquery.tables.deleteSnapshot

To export table data out of BigQuery

bigquery.tables.export

To get table metadata

bigquery.tables.get

To get table data

bigquery.tables.getData

To list tables and metadata of the tables

bigquery.tables.list

To update table metadata

bigquery.tables.update

To update table data

bigquery.tables.updateData

To create new buckets in a project

storage.buckets.create

To read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket.

storage.buckets.get

To read bucket IAM policies

storage.buckets.getIamPolicy

To update bucket IAM policies

storage.buckets.setIamPolicy

To add new objects to a bucket

storage.objects.create

To delete objects

storage.objects.delete

To read object data and metadata, excluding ACLs.

storage.objects.get

To list objects in a bucket. Also, to read object metadata, excluding ACLs, when listing.

storage.objects.list

Kuberenetes cluster based

Kubernetes extension /Auto-scaling

To get information of the cluster

container.clusters.get

To get details Get details about the managed instance group

compute.instanceGroupManagers.get

Kubernetes extension /Auto-scaling

To update managed instance group

compute.instanceGroupManagers.update

Kubernetes extension /Auto-scaling

To update node pool of the cluster

container.clusters.update

To manage the operations done on GKE cluster

container.operations.get

Feedback

Was this page helpful?
Previous

Additional prerequisites for configuring the GCP plug-in using Service Account option

Next

Preparing the GCP service account for plug-in configuration

Feedback

Was this page helpful?