Google Cloud credentials for Backup and DR Service protection and data access

This page explains what default Google Cloud credentials are and how to add new credentials for backup/recovery appliances in the management console.

A Google Cloud credential is a pointer to a service account that allows the backup/recovery appliance to access project resources, such as Compute Engine APIs and Cloud Storage buckets, to back up and recover Compute Engine instances.

During the backup or recovery of Compute Engine instances, the backup/recovery appliances use the service account in the credential to take snapshots of the instances, and upload instance metadata (like VM configuration, network, and tags) to a Cloud Storage bucket through an OnVault pool. If the appliance that created the instance snapshots is not available, you can access the backups using a different appliance, through the metadata stored in the Cloud Storage bucket. See Import persistent disk snapshot images.

Default Google Cloud credential

The default Google Cloud credential is created automatically when you deploy the backup/recovery appliance. This credential is based on the service account attached to the appliance in a project. It simplifies discovering and protecting Compute Engine instances without the need to create an OnVault pool or a service account. In the management console, you can view this default Google Cloud credential in the Cloud Credentials page by navigating to Manage > Credentials.

The default Google Cloud credential in the Cloud Credentials page is displayed based on the appliance name. For example, if the name of the backup/recovery appliance is ba-name, then the default service account name is displayed as *ba-name@developer.gserviceaccount.com. The value project-id is the project ID. You cannot edit or delete this default Google Cloud credential; you can only view it.

The default Google Cloud credential points to an automatically created OnVault pool, which in turn points to an automatically created Cloud Storage bucket. The Cloud Storage bucket holds VM instance configuration and metadata and is created automatically at run time, when a backup template is assigned to a Compute Engine instance. The location of the Cloud Storage bucket is determined by the persistent disk snapshot storage location or region configured in the backup template.

OnVault pools are created automatically even if you change the region or multi-region of the instance, or when a policy override is applied after the first snapshot has run successfully. The service thus ensures that the persistent disk data and the instance VM configuration are colocated.

For the default Google Cloud credential, the IAM role Backup and DR Cloud Storage Operator is automatically assigned to the service account attached to the backup/recovery appliance. You need to manually assign the IAM role Backup and DR Compute Engine Operator to back up the Compute Engine instances.
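The page states that one of the two roles is granted automatically and the other must be granted by hand, so a practical check is to read the project IAM policy and confirm the appliance's service account holds both before assigning a backup template. The following is an added example, not Google's tooling or part of this documentation: the policy document is constructed to mirror the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, the service account and project names are made up, and the role IDs `roles/backupdr.cloudStorageOperator` and `roles/backupdr.computeEngineOperator` are assumptions that should be confirmed with `gcloud iam roles describe ROLE` before relying on the check.

```python
"""Check that a backup/recovery appliance's service account holds the IAM roles
this page requires (added example; not Google's code).

The policy below is constructed to follow the JSON shape of
`gcloud projects get-iam-policy PROJECT --format=json`. The role IDs are
assumptions for the two predefined roles named on the page.
"""
import json

# Assumed role IDs (verify with `gcloud iam roles describe ROLE`).
ROLE_CLOUD_STORAGE_OPERATOR = "roles/backupdr.cloudStorageOperator"    # assigned automatically
ROLE_COMPUTE_ENGINE_OPERATOR = "roles/backupdr.computeEngineOperator"  # must be assigned manually
REQUIRED_ROLES = {ROLE_CLOUD_STORAGE_OPERATOR, ROLE_COMPUTE_ENGINE_OPERATOR}

# Constructed sample policy: the appliance account "ba-name@..." has only the
# automatically assigned role, which is the state right after deployment.
# A conditional binding for another account is included to show it is ignored.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/backupdr.cloudStorageOperator",
     "members": ["serviceAccount:ba-name@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:admin@example.com"]},
    {"role": "roles/backupdr.computeEngineOperator",
     "members": ["serviceAccount:other-appliance@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXyz",
  "version": 3
}
"""


def roles_for_member(policy: dict, member: str) -> set:
    """Return roles bound directly and unconditionally to `member`.

    Conditional bindings are skipped on purpose: a grant that may not apply at
    backup time is not a reliable grant for this check.
    """
    granted = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            granted.add(binding["role"])
    return granted


def missing_roles(policy: dict, service_account_email: str) -> set:
    """Required roles the appliance's service account does not hold."""
    member = f"serviceAccount:{service_account_email}"
    return REQUIRED_ROLES - roles_for_member(policy, member)


def check_appliance(policy_json: str, service_account_email: str) -> list:
    """Parse a policy document and return one finding per missing role.

    An empty list means the account is ready to back up Compute Engine instances.
    """
    policy = json.loads(policy_json)
    return [f"{service_account_email} lacks {role}"
            for role in sorted(missing_roles(policy, service_account_email))]


if __name__ == "__main__":
    for finding in check_appliance(SAMPLE_POLICY_JSON,
                                   "ba-name@example-project.iam.gserviceaccount.com"):
        print(finding)
```

Against the constructed policy the check reports that the appliance account lacks the Compute Engine Operator role, which is exactly the manual step this section asks for; on a real project, feed it the output of `gcloud projects get-iam-policy` instead of the sample string.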

View the corresponding Cloud Storage bucket of the appliance in the Google Cloud console by navigating to Cloud Storage > Buckets.

The storage bucket is created with the name <backup/recovery-appliance-name>-<random-string>-<region/multi-region> in the same project where the appliance is deployed and has the following properties set.

  • Storage Class: Standard
  • Object Access Control: Uniform
  • Bucket Location: Same as Persistent Disk snapshot location
  • Object Versioning: No object versioning or retention set on bucket
  • Access: No public access on the bucket
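Because the bucket holds the VM configuration and metadata that other appliances rely on for recovery, it is worth auditing that it still has the properties listed above (someone with storage admin rights could loosen them later). The following is an added example, not Google's tooling or part of this documentation: the bucket record is constructed to follow the field names of the Cloud Storage JSON API bucket resource (`name`, `location`, `storageClass`, `iamConfiguration`, `versioning`, `retentionPolicy`), and the appliance name, random string and locations are made up.

```python
"""Audit a bucket against the properties this page lists for the automatically
created bucket (added example; not Google's code).

Bucket records are constructed to follow the Cloud Storage JSON API bucket
resource field names. Names and locations are made up.
"""
import re

# Constructed record that drifted from the documented state: object versioning
# was switched on and public access prevention is only inherited.
DRIFTED_BUCKET = {
    "name": "ba-name-x7k2q9-us-central1",
    "location": "US-CENTRAL1",
    "storageClass": "STANDARD",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "inherited",
    },
    "versioning": {"enabled": True},
}

# Constructed record matching every property on the page (multi-region example).
COMPLIANT_BUCKET = {
    "name": "ba-name-p4m8zt-us",
    "location": "US",
    "storageClass": "STANDARD",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
    "versioning": {"enabled": False},
}


def name_matches(name: str, appliance: str, location: str) -> bool:
    """True if `name` follows <appliance>-<random-string>-<region/multi-region>.

    The location suffix is compared in lower case because bucket names are
    lower case while the API reports locations in upper case.
    """
    prefix, suffix = f"{appliance}-", f"-{location.lower()}"
    if not (name.startswith(prefix) and name.endswith(suffix)):
        return False
    middle = name[len(prefix):len(name) - len(suffix)]
    return re.fullmatch(r"[a-z0-9]+", middle) is not None


def audit_bucket(bucket: dict, appliance: str, snapshot_location: str) -> list:
    """Return one finding per property that differs from the page's list.

    `snapshot_location` is the persistent disk snapshot location configured in
    the backup template; the bucket must be colocated with it.
    """
    findings = []
    location = bucket.get("location", "")
    if not name_matches(bucket.get("name", ""), appliance, location):
        findings.append("name does not follow <appliance>-<random-string>-<location>")
    if location.upper() != snapshot_location.upper():
        findings.append(f"location {location} differs from snapshot location {snapshot_location}")
    if bucket.get("storageClass") != "STANDARD":
        findings.append(f"storage class is {bucket.get('storageClass')}, expected STANDARD")
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("object access control is not uniform")
    # "inherited" may still be private if an organization policy enforces it,
    # but only "enforced" proves it from the bucket record alone.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention is not enforced on the bucket")
    if bucket.get("versioning", {}).get("enabled", False):
        findings.append("object versioning is enabled")
    if "retentionPolicy" in bucket:
        findings.append("a retention policy is set")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(DRIFTED_BUCKET, "ba-name", "us-central1"):
        print(finding)
```

Run against a real bucket's JSON API representation, the audit flags the same drift a reviewer would look for by hand: versioning turned on, public access prevention no longer enforced, a retention policy added, or a bucket in a different location than the snapshots it describes.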

Add Google Cloud credentials

Backup and DR Service provides the ability to create a new Google Cloud credential if you still want to manually create one for a backup/recovery appliance. To create new Google Cloud credentials, first you need to create a new OnVault pool, see OnVault pool instructions.

Add Google Cloud credentials

To create a Google Cloud credential, you need to define the credential name and the OnVault pool where you want to store the backup data. The service account is auto-filled based on the service account attached to the selected backup/recovery appliance. Create an OnVault pool if you don't have one.

Before adding the Google Cloud credential, assign the role Backup and DR Compute Engine Operator to the service account attached to the appliance.

Use these instructions to add Google Cloud credential for backup/recovery appliances:

  1. Click Manage and select Credentials from the drop-down menu.

    The Cloud Credentials page opens listing all Google Cloud credentials managed by the management console if any credentials are already added.

  2. Click Add Google Cloud Credentials.

  3. In Credential Name, enter a unique name that identifies the credential.

  4. Select a Default Zone. The default zone is used to determine which zone to default to when discovering Compute Engine VMs in a project. You can also select a different zone during discovery.

  5. In the Appliances drop-down, select the appliance you want the credentials to be associated with. The Service Account field is automatically filled with the service account attached to that appliance.

  6. Select the OnVault pool. Pools are displayed based on the selected appliance. To add an OnVault pool, use the OnVault Pool instructions.

  7. Click Add.

The management console sends a request to the selected appliance to validate the Google Cloud credential. If validation succeeds, the credential is registered. Creating a Google Cloud credential automatically creates a Cloud Storage pool and a resource profile, both named with the Google Cloud credential name as the prefix.

Edit Google Cloud credentials

Use these instructions to edit an existing Google Cloud credential for the appliance:

  1. Click Manage and select Credentials from the drop-down menu. The Cloud Credentials page opens listing all credentials saved on appliances managed by the management console.
  2. Select the credential that you want to modify and then select Edit from the bottom right-hand corner of the page. The Edit Credential page opens. You can also right-click the credential and select Edit from the drop-down menu options.
  3. Update the name, default zone, organization attributes, and OnVault pool as needed.
  4. Click Save to apply the changes.

Delete a Google Cloud credential

Before deleting a credential, unprotect and remove all applications and hosts that were discovered using it, and then delete the credential.

Use these instructions to delete a Google Cloud credential:

  1. Click Manage and select Credentials from the drop-down menu.
  2. Right-click the required credentials and select Delete.
  3. Click Confirm.
