This document describes what GCP permissions are needed at various stages of setting up and using Medusa.
When dealing with GCP permissions, it is a good practice to group these into roles. At the very least, allowing a service account to manipulate objects in GCS happens via a IAM role, not via an account. That is why we recommend establishing three roles:
setuprole - used to create buckets and service accounts for the backup and restore parts.backuprole - used to upload objects.restorerole - used for restores. This is a version of thebackuprole but with read-only access.
The permissions needed to set Medusa up are:
storage.buckets.create- to create a bucket where Medusa uploads.iam.serviceAccounts.create- to create the service account Medusa will run under.iam.serviceAccountKeys.create- to create a key for this account.storage.buckets.getIamPolicy- to get the IAM policy of the newly created bucket.storage.buckets.setIamPolicy- to set the IAM policy, so the newly created account can be used.
Doing backups with Medusa needs these permissions:
storage.buckets.getstorage.buckets.getIamPolicystorage.objects.createstorage.objects.deletestorage.objects.getstorage.objects.getIamPolicystorage.objects.list
These are the permissions needed to restore data using Medusa.
storage.buckets.getstorage.buckets.getIamPolicystorage.objects.getstorage.objects.getIamPolicystorage.objects.list