Skip to main content
  • EN

Dear Community,

When working with Veeam Backup for Google Cloud (VBGC) in environments that span multiple GCP projects, it’s critical to understand how Service Accounts work and why they are the backbone of successful backup and recovery operations.

This information highlights a real-world scenario where a single service account was configured to manage backups across multiple GCP projects and what permissions are absolutely required to ensure everything runs smoothly.

 

Why Service Accounts Matter in VBGC. The Service Account (SA) is the identity VBGC uses to:

  • Access GCP resources.
  • Perform backups, snapshots, and restores.
  • Manage staging servers.
  • Recover files at the VM or database level.

 

One properly configured Service Account is enough to manage backup and restore operations across multiple GCP projects:

 

  • The SA has sufficient IAM permissions in each GCP project.
  • All projects are added to the VBGC appliance in the web interface.
  • The appliance can communicate with the associated resources via the SA.

 

Required IAM Permissions for Full Functionality:


Make sure the Service Account has the following permissions granted at the GCP layer (on each project it interacts with). Without these, backup or restore operations will fail or be partially functional.

 

Here’s a list of required capabilities and their corresponding permissions (all should show as “Passed” in the VBGC diagnostics tab):

 

 

✅ Cloud SQL Snapshot

✅ Cloud SQL Backup

✅ Cloud SQL Restore

✅ Cloud SQL Staging Server

✅ VM File-Level Recovery to Original Location

✅ Cloud Spanner Snapshot

✅ Cloud Spanner Backup

✅ Cloud Spanner Restore

✅ Worker for File-Level Recovery to Original Location

 

If even one permission is missing, backup or restore operations for that service may silently fail or not be available.

 

Best Practices is that to Assign permissions using custom roles or predefined roles like:

  • Compute Admin.
  • Storage Admin.
  • Cloud SQL Admin.
  • Spanner Admin.
  • Reuse the same SA across multiple projects to simplify access management.
  • Test access through the VBGC Web UI diagnostics to confirm all modules show Passed.

 

Using a centralized Service Account across all your GCP projects in VBGC is not only supported it’s highly efficient. Just make sure that the right IAM permissions are granted per project, and you’ll be able to seamlessly protect and restore workloads like Cloud SQL, Cloud Spanner, and VM instances.

 

Feel free to share your experience below!

 

 

 

No experience with GCP myself but it is always an interesting read about it.  Thanks for sharing.

No experience with GCP myself but it is always an interesting read about it.  Thanks for sharing.

 

Hi ​@Chris.Childerhose thank you for your words.  

Terms & Conditions