Creating credentials in the cloud with permissions to access the created key
NetBackup supports the following credential types with respect to the supported cloud providers:
Amazon Web Services (AWS)
Access key - requires access key ID and secret access key.
IAM role - assign the role to the EC2 instance that runs the NetBackup primary server. The role must have KMS permissions (kms:Encrypt, kms:Decrypt) for the key you want to use.
Google Cloud Platform (GCP)
Service account - requires client email address, private key, project ID, private key ID, and client ID. The service account must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter).
Application default credentials - attach a service account to the VM that runs the NetBackup primary server. This service account must have the roles/cloudkms.cryptoKeyEncrypterDecrypter role for the Cloud KMS key.
Microsoft Azure
Service principal - requires client ID, tenant ID, and secret key. The service principal must be granted Cryptographic Operations (encrypt, decrypt) permissions on the key in Azure Key Vault.
Managed identity - assign the managed identity to the Azure VM that runs the NetBackup primary server, and ensure that it has encrypt and decrypt permissions on the Key Vault key.
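
For the AWS IAM role option above, one way to check that the role's identity policy grants kms:Encrypt and kms:Decrypt on the chosen key and nothing broader. This is an added example, not NetBackup code; the key ARN, the two sample policies, and the function name audit_kms_policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

REQUIRED = ("kms:Encrypt", "kms:Decrypt")  # the two permissions the page names

# Constructed sample values: placeholder account ID and key ID.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_kms_policy(policy_json, key_arn):
    """Return (missing, findings) for the Allow statements that cover key_arn.

    Simplified on purpose: Deny statements, NotAction/NotResource, Condition
    blocks, key policies and grants are not evaluated.
    """
    granted, findings = set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        resources = _as_list(stmt.get("Resource"))
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase(key_arn, r) for r in resources):
            continue
        for action in _as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            granted.update(n for n in REQUIRED if fnmatchcase(n.lower(), name))
            if "*" in action or "?" in action:
                findings.append(f"wildcard action {action!r}")
            elif name.startswith("kms:") and name not in [n.lower() for n in REQUIRED]:
                findings.append(f"extra KMS action {action!r}")
        findings += [f"resource {r!r} is not limited to the target key"
                     for r in resources if r != key_arn]
    return [n for n in REQUIRED if n not in granted], findings


if __name__ == "__main__":
    for label, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(label, audit_kms_policy(policy, KEY_ARN))
```

An empty pair of lists means the policy grants both required actions on that key only; any entry in the first list is a missing permission, and any entry in the second is a grant wider than the page requires.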