Google Cloud Platform permissions required by NetBackup Snapshot Manager
Assign the following permissions to the service account that NetBackup Snapshot Manager uses to access assets in the Google Cloud Platform (GCP):
Note:
In the following table the permissions marked with an are mandatory.
Table: NetBackup Snapshot Manager feature Vs permissions for GCP cloud provider
Feature | Task/Operation | Required permission | |
|---|---|---|---|
VM based | |||
VM protection | Backup, Restore, Indexing + GRT | To fetch the specified disk type | compute.diskTypes.get |
To delete the specified persistent disk | compute.disks.delete | ||
Used when attaching a disk to an instance | compute.disks.use | ||
To attach an existing disk resource to an instance | compute.instances.attachDisk | ||
Detach a disk from an instance | compute.instances.detachDisk | ||
Cross-Project restore | To create a persistent disk in the specified project | compute.disks.create | |
Snapshot/ (Cross-Project/Region) Restore | To create a snapshot in the specified project | compute.snapshots.create | |
To delete the specified snapshot resource | compute.snapshots.delete | ||
Restore/Backup/Snapshot/Indexing + GRT | To set the labels on a disk | compute.disks.setLabels | |
To return the specified snapshot resource | compute.snapshots.get | ||
To retrieve the specified zone-specific operations resource | compute.zoneOperations.get | ||
Snapshot, (Cross-Project/Cross-Region) Restore | To create a snapshot of a specified persistent disk | compute.disks.createSnapshot | |
Snapshot/Backup/Restore | To retrieve the specified operations resource | compute.globalOperations.get | |
Cross-Project restore, BFS | To create disk from a snapshot in same or different project | compute.snapshots.useReadOnly | |
Configuration of shared VPC | To fetch the effective firewall on a given network | compute.networks.getEffectiveFirewalls | |
To retrieve the list of networks available to the specified project | compute.networks.list | ||
To return the specified project resource | compute.projects.get | ||
Return the specified subnetwork | compute.subnetworks.get | ||
To retrieve a list of subnetworks available to the specified project | compute.subnetworks.list | ||
To create a resource using a subnet | compute.subnetworks.use | ||
To create a resource using an external IP | compute.subnetworks.useExternalIp | ||
To retrieve the project identified by the specified name | resourcemanager.projects.get | ||
To return the specified firewall | compute.firewalls.get | ||
Snapshot | To set the labels on a snapshot | compute.snapshots.setLabels | |
Plugin configuration | To return the specified region resource | compute.regions.get | |
Calculate CP capability, Restore | To return the specified machine type | compute.machineTypes.get | |
To retrieve a list of machine types available to the specified project | compute.machineTypes.list | ||
Discovery | To fetch the specified persistent disk | compute.disks.get | |
To retrieve a list of persistent disks contained within the specified zone | compute.disks.list | ||
To fetch the specified instance resource | compute.instances.get | ||
To retrieve the list of instances contained within the specified zone | compute.instances.list | ||
To list Google Compute Engine snapshots | compute.snapshots.list | ||
Restore | To create an instance resource in the specified project | compute.instances.create | |
To delete the specified instance resource | compute.instances.delete | ||
To set metadata for the specified instance | compute.instances.setMetadata | ||
To set the service account on the instance | compute.instances.setServiceAccount | ||
To set labels on an instance | compute.instances.setLabels | ||
To set network tags for the specified instance | compute.instances.setTags | ||
To start an compute engine instance | compute.instances.start | ||
To stop a running instance, shutting it down cleanly | compute.instances.stop | ||
To return the specified network | compute.networks.get | ||
To attach service accounts to resources | iam.serviceAccounts.actAs | ||
Restore of CMK encrypted disks | Restore | To get metadata for a given CryptoKey and its primary CryptoKeyVersion | cloudkms.cryptoKeys.get |
To get metadata for a given CryptoKeyVersion | cloudkms.cryptoKeyVersions.get | ||
To list CryptoKeys | cloudkms.cryptoKeys.list | ||
To list KeyRings | cloudkms.keyRings.list | ||
To decrypt data while reading encrypted disks | cloudkms.cryptoKeyVersions.useToDecrypt | ||
To encrypt data on restored disks | cloudkms.cryptoKeyVersions.useToEncrypt | ||
To get information about a location | cloudkms.locations.get | ||
To list information about the supported locations for this service | cloudkms.locations.list | ||
Cross-Project restore | To encrypt/decrypt data in other project | Cloud KMS CryptoKey Encrypter/Decrypter | |
SQL database protection | List cloud SQL instances in a given project | cloudsql.instances.list | |
To get the list of databases | cloudsql.databases.list | ||
To get the database details | cloudsql.databases.get | ||
To export data from database for backup | cloudsql.instances.export | ||
To get the details of instance | cloudsql.instances.get | ||
To import the backed up files into database | cloudsql.instances.import | ||
To get the list of instances | cloudsql.instances.list | ||
To create bucket | storage.buckets.create | ||
To get bucket | storage.buckets.get | ||
To get permissions on buckets for required service account | storage.buckets.getIamPolicy | ||
To set permissions on buckets for required service account | storage.buckets.setIamPolicy | ||
To save backup files to bucket | storage.objects.create | ||
To cleanup backup files from bucket | storage.objects.delete | ||
To get backup file details from bucket | storage.objects.get | ||
To get list of files from bucket | storage.objects.list | ||
PaaS workloads protection (GCP BigQuery) | To get details about a configuration | bigquery.config.get | |
To create new empty datasets | bigquery.datasets.create | ||
To delete a dataset | bigquery.datasets.delete | ||
To get metadata and permissions about a dataset | bigquery.datasets.get | ||
Metadata viewing permissions in GCP console | bigquery.datasets.getIamPolicy | ||
To run jobs (including queries) within the project | bigquery.jobs.create | ||
To get data and metadata for any job | bigquery.jobs.get | ||
To list all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted. | bigquery.jobs.list | ||
To list all jobs and retrieve metadata on any job submitted by any user | bigquery.jobs.listAll | ||
To cancel any job | bigquery.jobs.update | ||
To get routine definitions and metadata | bigquery.routines.get | ||
To list routines and metadata on routines | bigquery.routines.list | ||
To create new tables | bigquery.tables.create | ||
To create new table snapshots | bigquery.tables.createSnapshot | ||
To delete tables | bigquery.tables.delete | ||
To delete table snapshots | bigquery.tables.deleteSnapshot | ||
To export table data out of BigQuery | bigquery.tables.export | ||
To get table metadata | bigquery.tables.get | ||
To get table data | bigquery.tables.getData | ||
To list tables and metadata of the tables | bigquery.tables.list | ||
To update table metadata | bigquery.tables.update | ||
To update table data | bigquery.tables.updateData | ||
To create new buckets in a project | storage.buckets.create | ||
To read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket. | storage.buckets.get | ||
To read bucket IAM policies | storage.buckets.getIamPolicy | ||
To update bucket IAM policies | storage.buckets.setIamPolicy | ||
To add new objects to a bucket | storage.objects.create | ||
To delete objects | storage.objects.delete | ||
To read object data and metadata, excluding ACLs. | storage.objects.get | ||
To list objects in a bucket. Also, to read object metadata, excluding ACLs, when listing. | storage.objects.list | ||
Kuberenetes cluster based | |||
Kubernetes extension /Auto-scaling | To get information of the cluster | container.clusters.get | |
To get details Get details about the managed instance group | compute.instanceGroupManagers.get | ||
Kubernetes extension /Auto-scaling | To update managed instance group | compute.instanceGroupManagers.update | |
Kubernetes extension /Auto-scaling | To update node pool of the cluster | container.clusters.update | |
To manage the operations done on GKE cluster | container.operations.get | ||