IAM roles and permissions


This page describes how to grant the Backup for GKE service permissions for a Google Cloud project, backups, or restores.

Predefined roles

Backup for GKE has the following predefined roles:

Role Title Description Lowest resource
gkebackup.admin Backup for GKE Admin Full read-write access to all Backup for GKE resources Project
gkebackup.backupAdmin Backup for GKE Backup Admin Creates and manages backup plans and backups. Can delegate manual backup creation to Delegated Backup Admins. Project
gkebackup.delegatedBackupAdmin Backup for GKE Delegated Backup Admin Creates and manages backups within a backup plan. BackupPlan
gkebackup.viewer Backup for GKE Viewer Read-only access to all Backup for GKE resources Project
gkebackup.restoreAdmin Backup for GKE Restore Admin Creates and manages restore plans and restores. Can delegate restore creation to Delegated Restore Admins. Project
gkebackup.delegatedRestoreAdmin Backup for GKE Delegated Restore Admin Creates and manages restores within a restore plan. RestorePlan

Set project-level permissions

You can grant Identity and Access Management permissions for an entire Google Cloud project to an account in the IAM page of the Google Cloud console or by using the Google Cloud CLI. Adding permissions at the project level grants the IAM permissions to an account for the following roles:

  • Backup for GKE Admin
  • Backup for GKE Backup Admin
  • Backup for GKE Viewer
  • Backup for GKE Restore Admin

gcloud

To set permissions, run the following command:

gcloud projects add-iam-policy-binding PROJECT_ID\
    --role roles/ROLE_ID \
    --member PRINCIPAL

Replace the following:

  • PROJECT_ID: the ID of your Google Cloud project.
  • ROLE_ID: the type of role, for example gkebackup.backupAdmin.
  • PRINCIPAL: An identifier for the principal, which usually has the following form: member-type:id. For example, user:[email protected].

Console

Perform the following tasks in the Google Cloud console:

  1. Go to your project's IAM page.

    Go to IAM

  2. Click the Grant access button below the toolbar.

  3. In the New principals box, enter the email for the account that you want to add.

  4. Select a role in the drop-down list, for example Backup for GKE Admin.

  5. Click Save.