This page explains how to create and manage a backup vault in the Google Cloud console.
Before you begin
To get the permissions that you need to create and manage a backup vault,
ask your administrator to grant you the
Backup and DR Backup Vault Admin (roles/backupdr.backupvaultAdmin
) IAM role on the project where you want to create a backup vault.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to create and manage a backup vault. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create and manage a backup vault:
-
backupdr.backupVaults.create
-
backupdr.backupVaults.list
-
backupdr.backupVaults.get
-
backupdr.backupVaults.update
-
backupdr.backupVaults.delete
You might also be able to get these permissions with custom roles or other predefined roles.
Create a backup vault
Use the following instructions to create a backup vault.
Console
In the Google Cloud console, go to the Backup vaults page.
Click Create backup vault.
On the Create a backup vault page, enter your backup vault information.
- In the Name your backup vault field, enter a name that meets the backup vault name requirements.
- Click Continue.
- From the Choose where to store your data list, select a Location where the backup data will be permanently stored.
- Click Continue.
- In the Prevent backup deletion field, enter the minimum enforced retention period defining how long backups are protected against deletion. The minimum is 1 day and the maximum is 99 years.
- If you want to lock the value of the minimum enforced retention period, select the Lock the enforced retention checkbox, click the icon, and then select the date from the calendar.
- In the Define access to your backup vault section, select an option to define access restrictions for the backup vault. If you don't select an option, the backup vault is created with the Restrict access to current organization restriction.
Click Create.
gcloud
- In one of the following development environments, set up the gcloud CLI:
- Cloud Shell: to use an online terminal with the gcloud CLI already set up, activate Cloud Shell. At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.
Local shell: to use a local development environment, install and initialize the gcloud CLI.
Create a backup vault.
```gcloud gcloud alpha backup-dr backup-vaults create BACKUPVAULT_NAME \ --project=PROJECT_ID \ --location=LOCATION \ --backup-min-enforced-retention=RETENTION_PERIOD_IN_DAYS --access-restriction=ACCESS_RESTRICTION ```
Replace the following:
BACKUPVAULT_NAME
: the name of the backup vault.PROJECT_ID
: the name of the project where you want to create the backup vault.LOCATION
: the location where you want to create a backup vault.RETENTION_PERIOD_IN_DAYS
: the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years. For example,2w1d
is two weeks and one day. For more information, see Backup vault minimum enforced retention period.ACCESS_RESTRICTION
: specify access restrictions for the backup vault. The allowed values arewithin-project
,within-org
,unrestricted
, andwithin-org-but-unrestricted-for-ba
. If you don't specify a value, the backup vault is created with thewithin-org
restriction.
Check the status of the operation.
```gcloud gcloud backup-dr operations describe FULL_OPERATION_ID ```
Replace the following:
FULL_OPERATION_ID
the operation ID that is displayed for the backup vault. It is in the following formatprojects/test-project/locations/us-central1/operations/operationID
The output is displayed as the following:
Create in progress for backup vault [projects/test-project/locations/us-central1/operations/operation-1721893921568-41e0dab8938a1-f1dc6ad2-3051b3ce]. Run the [gcloud backup-dr operations describe] command to check the status of this operation.
List backup vaults in a project
Use the following instructions to list backup vaults in a project.
Console
In the Google Cloud console, go to the Backup vaults page.
Backup vaults that are part of the selected project appear in the list.
gcloud
List the backup vaults.
gcloud alpha backup-dr backup-vaults list \ --project=PROJECT_ID \ --location=LOCATION
Replace the following:
PROJECT_ID
: the name of the project where the backup vaults are created.LOCATION
: the location where the backup vaults are created.
View backup vault details
The backup vault details page displays the configuration information and lets you to update the editable items.
The Lock status field in the backup vault details page can have one of the following values:
- Unlocked: A lock is neither applied nor pending for the backup vault.
- Lock takes effect on datetime: A lock has been set to take effect on the backup vault at the specified date.
- Locked: The value of the backup vault's minimum enforced retention periods is locked against reduction or removal.
Use the following instructions to view backup vault details.
Console
In the Google Cloud console, go to the Backup vaults page.
Backup vaults that are part of the selected project are listed on this page.
Click the backup vault that you want to view.
The backup vault details page displays the configuration information, including the value of the minimum enforced retention period, and its lock status.
gcloud
View the backup vault details.
gcloud alpha backup-dr backup-vaults describe BACKUPVAULT_NAME \ --location=LOCATION \ --project=PROJECT_ID
Replace the following:
BACKUPVAULT_NAME
: the name of the backup vault.LOCATION
: the location of the backup vault.PROJECT_ID
: the name of the project where the backup vault is created.
Update the minimum enforced retention period on an existing backup vault
You can update the minimum enforced retention period based on the lock's status.
- Unlocked: You can increase or decrease the minimum enforced retention period.
- Locked: You can only increase the minimum enforced retention period.
The lock cannot be removed if the effective date has been reached. However, if the effective date has not yet been reached, you can remove the lock, which clears the originally-specified effective date.
Changes to the value of the minimum enforced retention period only apply to backups created after the update. Changes to the value of the minimum enforced retention period don't impact the enforced retention remaining for backups that already exist in the backup vault. To ensure that the creation of backups doesn't fail, make sure that the minimum enforced retention doesn't exceed the backup deletion timeline defined by associated backup plans.
When increasing the enforced retention period for a backup vault, ensure the backup vault enforced retention period doesn't exceed the retention period in the backup plan for any backups you will store in the backup vault. If the changed value is longer than the backup retention period, the Backup and DR Service handles these changes differently based on the backup plan type.
Google Cloud console-based plans: Changes to the backup vault value are prevented.
Management console-based plans: Changes to the backup vault value are allowed, but you should immediately update the relevant backup plans to specify retention that is equal to or longer than the updated backup vault minimum enforced retention period to prevent backups to fail.
Backups generated while the plan retention is shorter than the backup vault minimum enforced retention are created with the enforced retention period set to the backup vault's minimum enforced retention. Additionally, the backup's expiration is set to occur after the enforced retention period has been satisfied.
Use the following instructions to update the minimum enforced retention period on an existing backup vault.
Console
In the Google Cloud console, go to the Backup vaults page.
In the list of backup vaults, click the name of the backup vault that you want to update.
Click the
icon.In the Edit minimum enforced retention dialog, enter the New minimum enforced retention period value. This is the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years.
If you want to lock the minimum enforced retention period, select the Lock the enforced retention checkbox, and then select the lock effective date from the calendar.
Click Save.
gcloud
Update the minimum enforced retention period on an existing backup vault.
gcloud alpha backup-dr backup-vaults update BACKUPVAULT_NAME\ --project=PROJECT_ID \ --location=LOCATION \ --backup-min-enforced-retention=RETENTION_PERIOD_IN_DAYS
Replace the following:
BACKUPVAULT_NAME
: the name of the backup vault.PROJECT_ID
: the name of the project where the backup vault is created.LOCATION
: the location of the backup vault.RETENTION_PERIOD_IN_DAYS
: the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years.
Delete a backup vault
Backup vaults can only be deleted if they don't contain backups. To delete a backup vault, first delete all backups contained in that vault if they are eligible for deletion.
Use the following instructions to delete a backup vault.
Console
In the Google Cloud console, go to the Backup vaults page.
Click the backup vault you want to delete.
Click Delete.
In the overlay window that appears, confirm you want to delete the backup vault and its contents.
Click Delete.
gcloud
Delete a backup vault.
gcloud alpha backup-dr backup-vaults delete BACKUPVAULT_NAME \ --project=PROJECT_ID \ --location=LOCATION
Replace the following:
BACKUPVAULT_NAME
: the name of the backup vault.PROJECT_ID
: the name of the project where the backup vault is created.LOCATION
: the location of the backup vault.
Grant access to the backup vault service agent and to backup/recovery appliances
Every backup vault created has a unique service agent linked to it. For some resource types, the service agent is leveraged to perform actions on behalf of the Backup and DR Service and, therefore, needs to be granted appropriate permissions on the projects, where the backup vault service agent needs to access. A service agent is a Google-managed service account; for more information, see Service agents.
For some resource types, such as Google Cloud VMware Engine, Oracle databases, and SQL Server databases, the Backup and DR backup/recovery appliance must perform actions on the backup vault. In those cases, the backup/recovery appliance needs appropriate permissions on the backup vault.
Grant a role to the service agent
After you find the service agent's email address, you can grant the backup vault service agent a role just like you would grant a role to any other principal.
To back up a Compute Engine VM instance in a project different from where the
backup vault is created, you must grant the Backup and DR Compute Engine Operator
(roles/backupdr.computeEngineOperator
) IAM role to the backup vault
service agent within the Compute Engine project. However, to back up a
Compute Engine VM instance in the project same as where the
backup vault is created, no roles are required to be granted.
To restore a Compute Engine instance, you need to grant the
Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator
)
IAM role in your restore project to the backup vault service agent.
Use the following instructions to grant a role to the service agent.
Console
In the Google Cloud console, go to the Backup vaults page.
Click the backup vault name and copy the service agent's email address.
In the Google Cloud console, go to the IAM page.
In the New principles field, enter the service agent's email address.
From the Select a role list, select the appropriate role based on the resource type. For example, to back up a Compute Engine instance in a project different from where the backup vault is created, select the Backup and DR Compute Engine Operator (
roles/backupdr.computeEngineOperator
) IAM role.Click Save.
gcloud
Grant roles to the service agent.
gcloud alpha projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:SERVICE_ACCOUNT \ --role=ROLE
Replace the following:
PROJECT_ID
: the name of the project.SERVICE_ACCOUNT
: the email address of the backup vault service agent. For example,my-service-account@my-project.iam.gserviceaccount.com
.ROLE
: the role required to grant on the resource project. For example, to back up a Compute Engine instance in a project different from where the backup vault is created, select the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator
) IAM role.
Grant roles to the backup/recovery appliance service account
You can access a backup vault from the backup/recovery appliance project only after
the appliance service account is granted the Backup and DR Backup Vault Accessor
(roles/backupdr.backupvaultAccessor
) and Backup and DR Backup Vault Lister
(roles/backupdr.backupvaultLister
) IAM roles in the backup vault project.
Without these roles, you cannot access the backup vault to complete
the setup to enable backup creation.
After granting roles to the backup/recovery appliance service account, you can back up and restore Google Cloud VMware Engine, Oracle databases, and SQL Server databases into a backup vault using the management console.
Use the following instructions to grant roles to the backup/recovery appliance service account:
In the Google Cloud console, go to the VM instances page where your appliance was created.
Click the Compute Engine instance that you want to get the service account for.
In the API and identity management section, copy the email address of the service account from the Service account field.
In the Google Cloud console, go to IAM roles in your backup vault project.
Click Grant access.
In the New principles field, enter the appliance's service account email address.
From the Select a role list, select the Backup and DR Backup Vault Accessor role.
Optional: To ensure that your backup/recovery appliance only has access to a specific backup vault, click
Add IAM condition next to the Backup and DR Backup Vault Accessor role.- In the Title field, enter a name for the condition.
Click the Condition editor tab.
In the Expression CEL editor field, enter the following expression.
resource.name.extract("projects/PROJECT_ID/locations/LOCATION/backupVaults /{name}/") == ("BACKUPVAULT_NAME") || resource.name.extract("projects/PROJECT_ID/locations/LOCATION/backupVaults /{name}") == ("BACKUPVAULT_NAME") || resource.name.extract("operations/{op}") != ""```
Replace the following:
BACKUPVAULT_NAME
: the name of the backup vault.PROJECT_ID
: the name of the project where the backup vault is created.LOCATION
: the location of the backup vault.To add access for additional backup vaults, append additional "resource.name.startsWith" statements (with the "||" OR logical operator) as necessary.
For example, the following statement authorizes a backup vault named "bv-test" and a backup vault named "user-bv1", both located in a project named "testproject" and in the region "us-central1".
resource.name.extract("projects/testproject/locations/us-central1/backupVaults /{name}/") == ("bv-test") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults /{name}") == ("bv-test") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults /{name}/") == ("user-bv1") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults /{name}") == ("user-bv1") || resource.name.extract("operations/{op}") != ""```
Click Save.
Click Add another role.
From the Select a role list, select the Backup and DR Backup Vault Lister role.
Click Save.