This page describes how to grant the Backup for GKE service permissions for a Google Cloud project, backups, or restores.
Predefined roles
Backup for GKE has the following predefined roles:
Role | Title | Description | Lowest resource |
---|---|---|---|
gkebackup.admin | Backup for GKE Admin | Full read-write access to all Backup for GKE resources | Project |
gkebackup.backupAdmin | Backup for GKE Backup Admin | Creates and manages backup plans and backups. Can delegate manual backup creation to Delegated Backup Admins. | Project |
gkebackup.delegatedBackupAdmin | Backup for GKE Delegated Backup Admin | Creates and manages backups within a backup plan. | BackupPlan |
gkebackup.viewer | Backup for GKE Viewer | Read-only access to all Backup for GKE resources | Project |
gkebackup.restoreAdmin | Backup for GKE Restore Admin | Creates and manages restore plans and restores. Can delegate restore creation to Delegated Restore Admins. | Project |
gkebackup.delegatedRestoreAdmin | Backup for GKE Delegated Restore Admin | Creates and manages restores within a restore plan. | RestorePlan |
Set project-level permissions
You can grant Identity and Access Management permissions for an entire Google Cloud project to an account in the IAM page of the Google Cloud console or by using the Google Cloud CLI. Adding permissions at the project level grants the IAM permissions to an account for the following roles:
- Backup for GKE Admin
- Backup for GKE Backup Admin
- Backup for GKE Viewer
- Backup for GKE Restore Admin
gcloud
To set permissions, run the following command:
gcloud projects add-iam-policy-binding PROJECT_ID \
--role roles/ROLE_ID \
--member PRINCIPAL
Replace the following:
- PROJECT_ID: the ID of your Google Cloud project.
- ROLE_ID: the type of role, for example gkebackup.backupAdmin.
- PRINCIPAL: an identifier for the principal, which usually has the following form: member-type:id. For example, user:my-user@example.com.
Console
Perform the following tasks in the Google Cloud console:
Go to your project's IAM page.
Click the Grant access button below the toolbar.
In the New principals box, enter the email for the account that you want to add.
Select a role in the drop-down list, for example Backup for GKE Admin.
Click Save.
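To review what has been granted at the project level, the following added example (not part of the original page or of Google's tooling) checks the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` for Backup for GKE bindings worth a second look. The sample policy is constructed, and the review rules (flagging the Admin role and delegated roles bound project-wide) are assumptions of this example, as are the names `audit_policy` and `SAMPLE_POLICY`.

```python
import json

# Roles the page lists as grantable at the project level.
PROJECT_LEVEL_ROLES = {
    "roles/gkebackup.admin", "roles/gkebackup.backupAdmin",
    "roles/gkebackup.viewer", "roles/gkebackup.restoreAdmin",
}
# Delegated roles and their lowest resource, from the predefined roles table.
PLAN_LEVEL_ROLES = {
    "roles/gkebackup.delegatedBackupAdmin": "BackupPlan",
    "roles/gkebackup.delegatedRestoreAdmin": "RestorePlan",
}

# Constructed sample in the shape of a project IAM policy in JSON.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/gkebackup.admin", "members": ["user:my-user@example.com"]},
  {"role": "roles/gkebackup.viewer", "members": ["group:auditors@example.com"]},
  {"role": "roles/gkebackup.delegatedBackupAdmin",
   "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:other@example.com"]}
], "version": 1}
""")

def audit_policy(policy):
    """Return (role, member, reason) tuples for Backup for GKE bindings to review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/gkebackup."):
            continue  # Not a Backup for GKE role.
        for member in binding.get("members", []):
            if role in PLAN_LEVEL_ROLES:
                # A project-level binding is inherited by every plan in the project.
                reason = ("delegated role granted project-wide; bind on the "
                          + PLAN_LEVEL_ROLES[role])
            elif role == "roles/gkebackup.admin":
                reason = "full read-write access"
            elif role not in PROJECT_LEVEL_ROLES:
                reason = "role not in the page's predefined list"
            else:
                continue  # Narrower project-level role: nothing to flag.
            findings.append((role, member, reason))
    return findings

if __name__ == "__main__":
    for role, member, reason in audit_policy(SAMPLE_POLICY):
        print(f"{role}\t{member}\t{reason}")
```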