To protect Google Cloud instances, you must assign the required permissions to your GC service accounts.
If you plan to use encryption, shared virtual private cloud (VPC) networks, or node affinity groups, assign the permissions that are described in the relevant section in addition to the permissions in the General section.
Predefined IAM roles for Google Cloud
To simplify configuration, Commvault provides predefined Google Cloud IAM role definitions for common operations.
Use the following YAML files to create custom IAM roles in Google Cloud:
These role definitions include the permissions that are required for the corresponding workflows described on this page.
You can modify the roles to meet your organization's security and compliance requirements.
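The tables on this page are, in effect, a per-workflow permission matrix, and the YAML role files are that matrix rendered for `gcloud`. The following script is an added example (not Commvault's own code, and not one of its role files) that shows how to derive a least-privilege custom role from such a matrix and how to audit a service account against it. The permission entries are a constructed excerpt of the tables below, the API service names (`iam.googleapis.com` and so on) are the standard Google API endpoints mapped here by assumption, the YAML field names (`title`, `description`, `stage`, `includedPermissions`) are the ones `gcloud iam roles create --file` accepts, and the sample granted-permission set is constructed.

```python
"""Build a least-privilege Google Cloud custom-role definition from a
per-workflow permission matrix and audit a service account against it.
Added example; not Commvault code. Permission rows are an excerpt of the
tables on this page, the sample granted set is constructed."""

# Column order used by every matrix below.
WORKFLOWS = ("backups", "restores", "vm_conversions", "replication")

# Excerpt of the General table (constructed subset; the full table has more rows).
GENERAL = {
    "compute.disks.create":               (True,  True,  True,  True),
    "compute.disks.createSnapshot":       (True,  True,  True,  True),
    "compute.disks.list":                 (True,  False, False, False),
    "compute.diskTypes.get":              (True,  False, False, False),
    "compute.instances.create":           (False, True,  True,  True),
    "compute.instances.delete":           (False, True,  True,  True),
    "compute.instances.get":              (True,  False, False, False),
    "compute.instances.list":             (True,  False, False, False),
    "compute.instances.setServiceAccount": (False, True,  True,  True),
    "compute.snapshots.create":           (True,  True,  True,  True),
    "compute.snapshots.delete":           (True,  True,  True,  True),
    "iam.serviceAccounts.actAs":          (True,  True,  True,  True),
}
# Storage permissions the replication Note requires for the JSON config bucket (excerpt).
STORAGE = {
    "storage.buckets.create":            (False, False, False, True),
    "storage.multipartUploads.create":   (True,  True,  False, True),
    "storage.objects.create":            (False, False, False, True),
    "storage.objects.delete":            (False, False, False, True),
}
# Rows of the "API Permissions" table mapped to service names (assumed standard endpoints).
APIS = {
    "iam.googleapis.com":                  (True,  True,  True,  True),
    "compute.googleapis.com":              (True,  True,  True,  True),
    "cloudresourcemanager.googleapis.com": (False, False, False, True),
    "storage.googleapis.com":              (False, False, False, True),
}


def _select(matrix, workflows):
    """Return the row names whose column is set for at least one requested workflow."""
    idx = [WORKFLOWS.index(w) for w in workflows]
    return {name for name, cols in matrix.items() if any(cols[i] for i in idx)}


def required_permissions(workflows, tables=(GENERAL, STORAGE)):
    """Union of the permissions needed by the given workflows across all tables."""
    needed = set()
    for table in tables:
        needed |= _select(table, workflows)
    return needed


def required_apis(workflows):
    """Sorted list of APIs that must be enabled on the project for these workflows."""
    return sorted(_select(APIS, workflows))


def role_yaml(role_title, workflows):
    """Render a custom-role definition in the YAML shape gcloud accepts (assumed fields)."""
    lines = [
        f"title: {role_title}",
        f"description: Commvault {', '.join(workflows)} (least privilege)",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {perm}" for perm in sorted(required_permissions(workflows))]
    return "\n".join(lines) + "\n"


def audit(granted, workflows):
    """Compare what a service account holds with what the workflows need.
    'missing' explains a failing job; 'excess' is privilege to remove."""
    needed = required_permissions(workflows)
    granted = set(granted)
    return {"missing": sorted(needed - granted), "excess": sorted(granted - needed)}


# Constructed: an over-provisioned service account used only for backups.
SAMPLE_GRANTED = {
    "compute.disks.create", "compute.disks.createSnapshot", "compute.disks.list",
    "compute.diskTypes.get", "compute.instances.get", "compute.instances.list",
    "compute.snapshots.create", "compute.snapshots.delete",
    "iam.serviceAccounts.actAs", "storage.multipartUploads.create",
    "compute.instances.delete",  # not needed by the backup workflow
}

if __name__ == "__main__":
    print(role_yaml("commvaultBackupRole", ("backups",)))
    print("enable:", required_apis(("backups",)))
    print("audit:", audit(SAMPLE_GRANTED, ("backups",)))
```

Run the script once per service account you operate: write the YAML to a file and pass it to `gcloud iam roles create`, and feed `audit()` the permission list you pulled for the account. A non-empty `missing` list is the first thing to check when a replication or restore job fails with a permission error; a non-empty `excess` list is what you trim.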
The following APIs must be enabled on both the source and destination projects:
API Permissions
| Permission | Backups | Restores | VM conversions | Replication | Encryption |
|---|---|---|---|---|---|
| IAM API | Yes | Yes | Yes | Yes | Yes |
| KMS Inventory API | -- | -- | -- | -- | Yes |
| Compute Engine API | Yes | Yes | Yes | Yes | Yes |
| Cloud Key Management Services | -- | -- | -- | -- | Yes |
| Cloud Resource Manager API | -- | -- | -- | Yes | -- |
| Cloud Storage API | -- | -- | -- | Yes | -- |
General
The following sections list the individual permissions that are included in the predefined IAM role file.
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.addresses.get | -- | Yes | Yes | Yes |
| compute.addresses.list | -- | Yes | Yes | -- |
| compute.addresses.use | -- | Yes | Yes | -- |
| compute.addresses.useInternal | -- | Yes | Yes | Yes |
| compute.disks.create | Yes | Yes | Yes | Yes |
| compute.disks.createSnapshot | Yes | Yes | Yes | Yes |
| compute.disks.delete | Yes | Yes | Yes | Yes |
| compute.disks.get | Yes | Yes | Yes | Yes |
| compute.disks.list | Yes | -- | -- | -- |
| compute.disks.resize | -- | Yes | Yes | Yes |
| compute.disks.setLabels | Yes | Yes | Yes | Yes |
| compute.disks.use | Yes | Yes | Yes | Yes |
| compute.diskTypes.get | Yes | -- | -- | -- |
| compute.globalOperations.get | Yes | Yes | Yes | Yes |
| compute.images.list | No | Yes | -- | No |
| compute.instances.attachDisk | Yes | Yes | Yes | Yes |
| compute.instances.create | -- | Yes | Yes | Yes |
| compute.instances.delete | -- | Yes | Yes | Yes |
| compute.instances.detachDisk | Yes | Yes | Yes | Yes |
| compute.instances.get | Yes | -- | -- | -- |
| compute.instances.list | Yes | -- | -- | -- |
| compute.instances.setDeletionProtection | No | Yes | -- | Yes |
| compute.instances.setLabels | -- | Yes | Yes | Yes |
| compute.instances.setMetadata | -- | Yes | Yes | Yes |
| compute.instances.setServiceAccount | -- | Yes | Yes | Yes |
| compute.instances.setTags | -- | Yes | Yes | Yes |
| compute.instances.start | -- | Yes | Yes | Yes |
| compute.instances.stop | -- | Yes | Yes | Yes |
| compute.instances.updateDisplayDevice | -- | Yes | Yes | Yes |
| compute.machineTypes.get | Yes | Yes | Yes | Yes |
| compute.machineTypes.list | -- | Yes | Yes | Yes |
| compute.networks.get | -- | Yes | Yes | Yes |
| compute.networks.list | -- | Yes | Yes | Yes |
| compute.projects.get | Yes | Yes | Yes | Yes |
| compute.regionOperations.get | Yes | Yes | Yes | Yes |
| compute.regions.get | Yes | Yes | Yes | Yes |
| compute.regions.list | Yes | Yes | Yes | Yes |
| compute.snapshots.create | Yes | Yes | Yes | Yes |
| compute.snapshots.delete | Yes | Yes | Yes | Yes |
| compute.snapshots.get | Yes | Yes | Yes | Yes |
| compute.snapshots.setLabels | Yes | Yes | Yes | Yes |
| compute.snapshots.useReadOnly | Yes | Yes | Yes | Yes |
| compute.subnetworks.get | Yes | Yes | Yes | Yes |
| compute.subnetworks.list | -- | Yes | Yes | Yes |
| compute.subnetworks.use | -- | Yes | Yes | Yes |
| compute.subnetworks.useExternalIp | -- | Yes | Yes | Yes |
| compute.zoneOperations.get | Yes | Yes | Yes | Yes |
| compute.zones.get | Yes | Yes | Yes | Yes |
| compute.zones.list | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.actAs | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.get | Yes | Yes | Yes | Yes |
| iam.serviceAccounts.list | Yes | Yes | Yes | Yes |
Note
While replicating instances to a GC destination using the RTO option Hot site replication, the software uses a JSON config file to create the instance. During the replication operation, the software saves the JSON config file in a storage bucket and deletes the file after the instance is created. Give the GC service account in the destination project the following permissions so that it can create the storage bucket; otherwise, replication fails.
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| storage.buckets.create | -- | -- | -- | Yes |
| storage.buckets.delete | -- | -- | -- | Yes |
| storage.buckets.get | -- | -- | -- | Yes |
| storage.buckets.update | -- | -- | -- | Yes |
| storage.multipartUploads.create | Yes | Yes | -- | Yes |
| storage.objects.create | -- | -- | -- | Yes |
| storage.objects.delete | -- | -- | -- | Yes |
| storage.objects.get | -- | -- | -- | Yes |
| storage.objects.list | -- | -- | -- | Yes |
| storage.objects.update | -- | -- | -- | Yes |
DVDF
While replicating instances to a GC destination using the Deploy virtual machine only during failover option, the software uses a JSON config file to create the instance. During the replication operation, the software saves the JSON config file in a storage bucket and deletes the file after the instance is created. Give the GC service account in the destination project the following permissions so that it can create the storage bucket; otherwise, replication fails.
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| storage.buckets.create | -- | -- | -- | Yes |
| storage.buckets.delete | -- | -- | -- | Yes |
| storage.buckets.get | -- | -- | -- | Yes |
| storage.buckets.update | -- | -- | -- | Yes |
| storage.multipartUploads.create | Yes | Yes | -- | Yes |
| storage.objects.create | -- | -- | -- | Yes |
| storage.objects.delete | -- | -- | -- | Yes |
| storage.objects.get | -- | -- | -- | Yes |
| storage.objects.list | -- | -- | -- | Yes |
| storage.objects.update | -- | -- | -- | Yes |
Encryption
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| cloudkms.cryptoKeyEncrypterDecrypter | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeyVersions.useToDecrypt | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeyVersions.useToEncrypt | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeyVersions.useToEncryptViaDelegation | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.create | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.get | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.update | Yes | Yes | Yes | Yes |
| cloudkms.cryptoKeys.list | Yes | Yes | Yes | No |
| cloudkms.keyRings.create | Yes | Yes | Yes | Yes |
| cloudkms.keyRings.get | Yes | Yes | Yes | Yes |
Node Affinity
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.nodeGroups.get | -- | Yes | Yes | -- |
| compute.nodeGroups.list | -- | Yes | Yes | -- |
Power Management for MediaAgents
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.instances.list | Yes | Yes | Yes | Yes |
| compute.instances.start | Yes | Yes | Yes | Yes |
| compute.instances.stop | Yes | Yes | Yes | Yes |
| compute.machineTypes.get | Yes | Yes | Yes | Yes |
| compute.zones.list | Yes | Yes | Yes | Yes |
Shared VPC
| Permission | Backups | Restores | VM conversions | Replication |
|---|---|---|---|---|
| compute.subnetworks.use | -- | Yes | Yes | Yes |