Create and manage a backup vault

Overview

This page explains how to create and manage a backup vault in the Google Cloud console.

Before you begin

To get the permissions that you need to create and manage a backup vault, ask your administrator to grant you the Backup and DR Backup Vault Admin (roles/backupdr.backupvaultAdmin) IAM role on the project where you want to create a backup vault. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to create and manage a backup vault. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create and manage a backup vault:

  • backupdr.backupVaults.create
  • backupdr.backupVaults.list
  • backupdr.backupVaults.get
  • backupdr.backupVaults.update
  • backupdr.backupVaults.delete

You might also be able to get these permissions with custom roles or other predefined roles.

Create a backup vault

Use the following instructions to create a backup vault.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

  2. Click Create backup vault.

  3. On the Create a backup vault page, enter your backup vault information.

    1. In the Name your backup vault field, enter a name that meets the backup vault name requirements.
    2. Click Continue.
    3. From the Choose where to store your data list, select a Location where the backup data will be permanently stored.
    4. Click Continue.
    5. In the Prevent backup deletion field, enter the minimum enforced retention period defining how long backups are protected against deletion. The minimum is 1 day and the maximum is 99 years.
    6. If you want to lock the value of the minimum enforced retention period, select the Lock the enforced retention checkbox, click the icon, and then select the date from the calendar.
    7. In the Define access to your backup vault section, select an option to define access restrictions for the backup vault. If you don't select an option, the backup vault is created with the Restrict access to current organization restriction.
  4. Click Create.

gcloud

  1. In one of the following development environments, set up the gcloud CLI:
  2. Cloud Shell: to use an online terminal with the gcloud CLI already set up, activate Cloud Shell. At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.
  3. Local shell: to use a local development environment, install and initialize the gcloud CLI.

  4. Create a backup vault.

      gcloud backup-dr backup-vaults create BACKUPVAULT_NAME \
      --project=PROJECT_ID \
      --location=LOCATION \
      --backup-min-enforced-retention=RETENTION_PERIOD_IN_DAYS
      --access-restriction=ACCESS_RESTRICTION
    

    Replace the following:

    • BACKUPVAULT_NAME: the name of the backup vault.
    • PROJECT_ID: the name of the project where you want to create the backup vault.
    • LOCATION: the location where you want to create a backup vault.
    • RETENTION_PERIOD_IN_DAYS: the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years. For example, 2w1d is two weeks and one day. For more information, see Backup vault minimum enforced retention period.
    • ACCESS_RESTRICTION: specify access restrictions for the backup vault. The allowed values are within-project, within-org, unrestricted, and within-org-but-unrestricted-for-ba. If you don't specify a value, the backup vault is created with the within-org restriction.
  5. Check the status of the operation.

      gcloud backup-dr operations describe FULL_OPERATION_ID
    

    Replace the following:

    • FULL_OPERATION_ID the operation ID that is displayed for the backup vault. It is in the following format projects/test-project/locations/us-central1/operations/operationID

    The output is displayed as the following:

    
        Create in progress for backup vault [projects/test-project/locations/us-central1/operations/operation-1721893921568-41e0dab8938a1-f1dc6ad2-3051b3ce]. Run the [gcloud backup-dr operations describe] command to check the status of this operation.
    

Terraform

You can use a Terraform resource to create a backup vault.


resource "google_backup_dr_backup_vault" "default" {
  provider                                   = google-beta
  location                                   = "us-central1"
  backup_vault_id                            = "my-vault"
  description                                = "This vault is created usingTerraform."
  backup_minimum_enforced_retention_duration = "100000s"
  force_update                               = "true"
  force_delete                               = "true"
  allow_missing                              = "true"
}

List backup vaults in a project

Use the following instructions to list backup vaults in a project.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

    Backup vaults that are part of the selected project appear in the list.

gcloud

  1. List the backup vaults.

      gcloud backup-dr backup-vaults list \
      --project=PROJECT_ID \
      --location=LOCATION
    

    Replace the following:

    • PROJECT_ID: the name of the project where the backup vaults are created.
    • LOCATION: the location where the backup vaults are created.

View backup vault details

The backup vault details page displays the configuration information and lets you to update the editable items.

The Lock status field in the backup vault details page can have one of the following values:

  • Unlocked: A lock is neither applied nor pending for the backup vault.
  • Lock takes effect on datetime: A lock has been set to take effect on the backup vault at the specified date.
  • Locked: The value of the backup vault's minimum enforced retention periods is locked against reduction or removal.

Use the following instructions to view backup vault details.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

    Backup vaults that are part of the selected project are listed on this page.

  2. Click the backup vault that you want to view.

    The backup vault details page displays the configuration information, including the value of the minimum enforced retention period, and its lock status.

gcloud

  1. View the backup vault details.

      gcloud backup-dr backup-vaults describe BACKUPVAULT_NAME \
      --location=LOCATION \
      --project=PROJECT_ID
    

    Replace the following:

    • BACKUPVAULT_NAME: the name of the backup vault.
    • LOCATION: the location of the backup vault.
    • PROJECT_ID: the name of the project where the backup vault is created.

Update the minimum enforced retention period on an existing backup vault

You can update the minimum enforced retention period based on the lock's status.

  • Unlocked: You can increase or decrease the minimum enforced retention period.
  • Locked: You can only increase the minimum enforced retention period.

The lock cannot be removed if the effective date has been reached. However, if the effective date has not yet been reached, you can remove the lock, which clears the originally-specified effective date.

Changes to the value of the minimum enforced retention period only apply to backups created after the update. Changes to the value of the minimum enforced retention period don't impact the enforced retention remaining for backups that already exist in the backup vault. To ensure that the creation of backups doesn't fail, make sure that the minimum enforced retention doesn't exceed the backup deletion timeline defined by associated backup plans.

When increasing the enforced retention period for a backup vault, ensure the backup vault enforced retention period doesn't exceed the retention period in the backup plan for any backups you will store in the backup vault. If the changed value is longer than the backup retention period, the Backup and DR Service handles these changes differently based on the backup plan type.

  • Google Cloud console-based plans: Changes to the backup vault value are prevented.

  • Management console-based plans: Changes to the backup vault value are allowed, but you should immediately update the relevant backup plans to specify retention that is equal to or longer than the updated backup vault minimum enforced retention period to prevent backups to fail.

    Backups generated while the plan retention is shorter than the backup vault minimum enforced retention are created with the enforced retention period set to the backup vault's minimum enforced retention. Additionally, the backup's expiration is set to occur after the enforced retention period has been satisfied.

Use the following instructions to update the minimum enforced retention period on an existing backup vault.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

  2. In the list of backup vaults, click the name of the backup vault that you want to update.

  3. Click the icon.

  4. In the Edit minimum enforced retention dialog, enter the New minimum enforced retention period value. This is the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years.

  5. If you want to lock the minimum enforced retention period, select the Lock the enforced retention checkbox, and then select the lock effective date from the calendar.

  6. Click Save.

gcloud

  1. Update the minimum enforced retention period on an existing backup vault.

      gcloud backup-dr backup-vaults update BACKUPVAULT_NAME\
      --project=PROJECT_ID \
      --location=LOCATION \
      --backup-min-enforced-retention=RETENTION_PERIOD_IN_DAYS
    

    Replace the following:

    • BACKUPVAULT_NAME: the name of the backup vault.
    • PROJECT_ID: the name of the project where the backup vault is created.
    • LOCATION: the location of the backup vault.
    • RETENTION_PERIOD_IN_DAYS: the period of time that each backup in the backup vault cannot be deleted. The minimum is 1 day and the maximum is 99 years.

Delete a backup vault

Backup vaults can only be deleted if they don't contain backups. To delete a backup vault, first delete all backups contained in that vault if they are eligible for deletion.

Use the following instructions to delete a backup vault.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

  2. Click the backup vault you want to delete.

  3. Click Delete.

  4. In the overlay window that appears, confirm you want to delete the backup vault and its contents.

  5. Click Delete.

gcloud

  1. Delete a backup vault.

      gcloud backup-dr backup-vaults delete BACKUPVAULT_NAME \
      --project=PROJECT_ID \
      --location=LOCATION
    

    Replace the following:

    • BACKUPVAULT_NAME: the name of the backup vault.
    • PROJECT_ID: the name of the project where the backup vault is created.
    • LOCATION: the location of the backup vault.

Grant access to the backup vault service agent and to backup/recovery appliances

Every backup vault created has a unique service agent linked to it. For some resource types, the service agent is leveraged to perform actions on behalf of the Backup and DR Service and, therefore, needs to be granted appropriate permissions on the projects, where the backup vault service agent needs to access. A service agent is a Google-managed service account; for more information, see Service agents.

For some resource types, such as Google Cloud VMware Engine, Oracle databases, and SQL Server databases, the Backup and DR backup/recovery appliance must perform actions on the backup vault. In those cases, the backup/recovery appliance needs appropriate permissions on the backup vault.

Grant a role to the service agent

After you find the service agent's email address, you can grant the backup vault service agent a role just like you would grant a role to any other principal.

To back up a Compute Engine VM instance in a project different from where the backup vault is created, you must grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role to the backup vault service agent within the Compute Engine project. However, to back up a Compute Engine VM instance in the project same as where the backup vault is created, no roles are required to be granted.

To restore a Compute Engine instance, you need to grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role in your restore project to the backup vault service agent.

Use the following instructions to grant a role to the service agent.

Console

  1. In the Google Cloud console, go to the Backup vaults page.

    Go to Backup vaults

  2. Click the backup vault name and copy the service agent's email address.

  3. In the Google Cloud console, go to the IAM page.

    Go to IAM

  4. In the New principles field, enter the service agent's email address.

  5. From the Select a role list, select the appropriate role based on the resource type. For example, to back up a Compute Engine instance in a project different from where the backup vault is created, select the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role.

  6. Click Save.

gcloud

  1. Grant roles to the service agent.

      gcloud projects add-iam-policy-binding PROJECT_ID \
      --member='serviceAccount:SERVICE_ACCOUNT \
      --role=ROLE
    

    Replace the following:

    • PROJECT_ID: the name of the project.
    • SERVICE_ACCOUNT: the email address of the backup vault service agent. For example, my-service-account@my-project.iam.gserviceaccount.com.
    • ROLE: the role required to grant on the resource project. For example, to back up a Compute Engine instance in a project different from where the backup vault is created, select the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role.

Grant roles to the backup/recovery appliance service account

You can access a backup vault from the backup/recovery appliance project only after the appliance service account is granted the Backup and DR Backup Vault Accessor (roles/backupdr.backupvaultAccessor) and Backup and DR Backup Vault Lister (roles/backupdr.backupvaultLister) IAM roles in the backup vault project. Without these roles, you cannot access the backup vault to complete the setup to enable backup creation.

After granting roles to the backup/recovery appliance service account, you can back up and restore Google Cloud VMware Engine, Oracle databases, and SQL Server databases into a backup vault using the management console.

Use the following instructions to grant roles to the backup/recovery appliance service account:

  1. In the Google Cloud console, go to the VM instances page where your appliance was created.

    Go to the VM instances page

  2. Click the Compute Engine instance that you want to get the service account for.

  3. In the API and identity management section, copy the email address of the service account from the Service account field.

  4. In the Google Cloud console, go to IAM roles in your backup vault project.

    Go to IAM

  5. Click Grant access.

  6. In the New principles field, enter the appliance's service account email address.

  7. From the Select a role list, select the Backup and DR Backup Vault Accessor role.

  8. Optional: To ensure that your backup/recovery appliance only has access to a specific backup vault, click Add IAM condition next to the Backup and DR Backup Vault Accessor role.

    1. In the Title field, enter a name for the condition.
    2. Click the Condition editor tab.

      • In the Expression CEL editor field, enter the following expression.

        resource.name.extract("projects/PROJECT_ID/locations/LOCATION/backupVaults
        /{name}/") == ("BACKUPVAULT_NAME") || resource.name.extract("projects/PROJECT_ID/locations/LOCATION/backupVaults
        /{name}") == ("BACKUPVAULT_NAME") || resource.name.extract("operations/{op}") != ""```
        

      Replace the following:

      • BACKUPVAULT_NAME: the name of the backup vault.
      • PROJECT_ID: the name of the project where the backup vault is created.
      • LOCATION: the location of the backup vault.

        To add access for additional backup vaults, append additional "resource.name.startsWith" statements (with the "||" OR logical operator) as necessary.

        For example, the following statement authorizes a backup vault named "bv-test" and a backup vault named "user-bv1", both located in a project named "testproject" and in the region "us-central1".

        resource.name.extract("projects/testproject/locations/us-central1/backupVaults
        /{name}/") == ("bv-test") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults
        /{name}") == ("bv-test") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults
        /{name}/") == ("user-bv1") || resource.name.extract("projects/testproject/locations/us-central1/backupVaults
        /{name}") == ("user-bv1") || resource.name.extract("operations/{op}") != ""```
        
    3. Click Save.

    4. Click Add another role.

    5. From the Select a role list, select the Backup and DR Backup Vault Lister role.

  9. Click Save.

What's next