Cloud credentials for Backup and DR Service protection and data access

This page explains what default cloud credentials are and how to add new credentials for backup/recovery appliances in the management console.

A cloud credential is a pointer to a service account that allows the backup/recovery appliance to access project resources like Compute Engine APIs and Cloud Storage buckets to backup and recover Compute Engine instances.

During the backup or recovery of Compute Engine instances, the backup/recovery appliances use the service account in the credential to take snapshots of the instances, and upload instance metadata (like VM configuration, network, and tags) to a Cloud Storage bucket through an OnVault pool. If the appliance that created the instance snapshots is not available, you can access the backups using a different appliance, through the metadata stored in the Cloud Storage bucket. See Import persistent disk snapshot images.

Default cloud credential

Default cloud credential is created automatically when you deploy the backup/recovery appliance of version 11.0.2 or higher. This credential is created based on the service account attached to the appliance in a project. This credential simplifies the process of discovering and protecting Compute Engine instances without the need to create OnVault pool and service account. In the management console, you can view this default cloud credential in the Cloud Credentials page by navigating to Manage > Credentials.

The default cloud credential in the Cloud Credentials page is displayed based on the appliance name followed by the suffix -sa. For example, if the name of the backup/recovery appliance is bur-appliance-us-east1 then the default cloud credential is displayed as bur-appliance-us-east1-sa. You cannot edit or delete this default cloud credential, you can only view it.

The default cloud credential points to an automatically created OnVault pool—which points to an automatically created Cloud Storage bucket. The Cloud Storage bucket holds VM instance configuration and metadata and gets automatically created at run time, when a backup template is assigned to a Compute Engine instance. The location of the Cloud Storage bucket is determined based on the persistent disks snapshots storage location or region as configured in the backup template.

OnVault pools are created automatically even if you change the region or multi-region of the instance or when the policy override is applied after the first snapshot ran successfully. The service thus ensures that both the persistent disk data and the instance VM configuration are colocated.

For the default cloud credential, the IAM role Backup and DR Cloud Storage Operator is automatically assigned to the service account attached to the backup/recovery appliance. You need to manually assign the IAM role Backup and DR Compute Engine Operator to back up the Compute Engine instances.

View the corresponding Cloud Storage bucket of the appliance in the Google Cloud console by navigating to Cloud Storage > Buckets.

The storage bucket is created with the name <backup/recovery-appliance-name>-<random-string>-<region/multi-region> in the same project where the appliance is deployed and has the following properties set.

  • Storage Class: Standard
  • Object Access Control: Uniform
  • Bucket Location: Same as Persistent Disk snapshot location
  • Object Versioning: No object versioning or retention set on bucket
  • Access: No public access on the bucket

Add cloud credentials

Backup and DR Service provides the ability to create a new cloud credential if you still want to manually create one for a backup/recovery appliance. To create new cloud credentials, first you need to create a new OnVault pool, see OnVault pool instructions. The procedure to add a cloud credential varies based on the software version of the backup/recovery appliance. To determine which version is in use, navigate to Manage > Appliances and check the Version column.

The following table highlights the behavior of Cloud credentials with the deployed appliance version.

Original appliance version Appliance upgraded version Cloud credentials usage
11.0.1* 11.0.2 or higher Any existing cloud credentials will continue to use JSON keys. But you can replace a JSON key in cloud credential with an appliance Service Account Credentials.
11.0.2 or higher Not applicable Default cloud credential that does not use JSON key is automatically created. Refer to default cloud credentials.

*Appliances deployed before January 2023 are most likely deployed on version 11.0.1.

Add cloud credentials for an appliance running on 11.0.2 or higher

To create a Cloud credential, you need to define the credential name and OnVault pool where you want to store the backup data. A service account is auto-filled based on the service account attached to the selected backup/recovery appliance. Create an OnVault, if you don't have one.

Before adding the cloud credential, assign the role Backup and DR Compute Engine Operator to the service account attached to the appliance.

Use these instructions to add Google Cloud credential for appliances running on 11.0.2:

  1. Click Manage and select Credentials from the drop-down menu.

    The Cloud Credentials page opens listing all cloud credentials managed by the management console if any credentials are already added.

  2. Click Add Google Cloud Credentials.

  3. In Credential Name, add a unique name that you want to identify the credential with.

  4. Select a Default Zone. The default zone is used to determine which zone to default to when discovering Compute Engine VMs in a project. You can also select a different zone during discovery.

  5. In the Appliances drop-down, select the appliance you want the credentials to be associated with. The Service Account field is automatically filled with the service account attached to that appliance.

  6. Select the OnVault pool. Pools are displayed based on the selected appliance. To add an OnVault pool, use the OnVault Pool instructions.

  7. Click Add.

The management console sends a request to validate the cloud credentials to the selected appliance. If validation succeeds, the credential is registered. Cloud credentials creation leads to automatic creation of a Cloud Storage pool and a resource profile with cloud credential name as the prefix.

Add cloud credentials for an appliance running on version 11.0.2 or earlier

We recommend you update your appliance to the latest version. See instructions to update backup/recovery appliance.

To create an OnVault pool with appliances running on version 11.0.1 or earlier, you need to manually upload the JSON key. See Create service account keys for instructions to create and download the service account key in JSON format.

You need to manually upload the JSON key until the backup/recovery appliance is updated to 11.0.2 or higher. You need to define the credential name and the OnVault pool where you want to store the backup data. If you don't have an OnVault, see the instructions to Create an OnVault pool.

Use these instructions to add Google Cloud credential for the appliance running on 11.0.1:

  1. Click Manage and select Credentials from the drop-down menu. The Cloud Credentials page opens listing all cloud credentials managed by the management console if any credentials are already added.
  2. Click Add Google Cloud Credentials.
  3. In Credential Name, add a unique name that you want to identify the credential with.
  4. Select Default Zone. The default zone is used to determine which zone to initial search in when performing a Compute Engine discovery. You can select a different zone every time you run the discovery tool.
  5. In the Appliances drop-down, select the appliance for the credential to be associated with. Only the selected appliance has access to this credential.
  6. In the Credential JSON field, click Choose file and import the service account key that is saved in JSON format. Service account and project ID are derived from the JSON key file. You can change the project ID as needed.
  7. Select the OnVault pool. Pools are displayed based on the selected appliance. To add an OnVault pool, see OnVault Pool.
  8. Click Add.

The management console sends a request to validate the cloud credentials to the selected appliance. If validation succeeds, the credential is registered. Cloud credentials creation leads to automatic creation of a cloud pool and a resource profile with cloud credential name as the prefix.

Edit cloud credentials

Use these instructions to edit an existing cloud credential for the appliance:

  1. Click Manage and select Credentials from the drop-down menu. The Cloud Credentials page opens listing all credentials saved on appliances managed by the management console.
  2. Select the credential that you want to modify and then select Edit from the bottom right-hand corner of the page. The Edit Credential page opens. You can also right-click the credential and select Edit from the drop-down menu options.
  3. If you're updating an appliance running on 11.0.2 or higher, you can update the name, default zone, organization attributes, and OnVault pool.
  4. If you're updating the appliance running version on 11.0.2 or earlier version:

    1. Make changes to the credential as follows:

      • If you're updating either the name, default region or default zone, or organization attributes, you don't have to provide the cloud access information such as the JSON key file.
      • If you're updating the cloud credential information or adding additional appliances, you're asked to provide the cloud access information that was used to create the credential.
    2. You can select an additional appliance to store the data.

    3. You can change the OnVault pool, if another pool is available.

  5. Click Save to apply the changes.

Replace a JSON key cloud credential with an appliance Service Account Credentials

If you have a cloud credential that is created using a JSON key for authentication, you cannot switch that credential to use with the appliance service account authentication. Instead, create a new cloud credential and assign the profile that is automatically created with the cloud credentials by modifying the backup plan.

Use the following instructions to replace a JSON key cloud credential with an appliance Service Account Credentials:

  1. Create a new Cloud Credential using the appliance service account. This creates a new resource profile with the name: <new credentialname>_Profile.
  2. Go to App Manager and select Applications.
  3. Find all Compute Engine instances using the old Cloud credential. Identify the profile names which are in the format: <old credentialname>_Profile
  4. Follow the instructions in the Modify backup plan management of a managed application topic and update the profile in use to the new profile.

All new images use the newly created cloud credentials. You cannot delete the old Cloud credential definition until all images created previously in that pool are expired.

Delete a cloud credential

Before deleting the credentials, unprotect and remove all the applications and hosts discovered using this credential, and then delete it.

Use these instructions to delete a cloud credential.

  1. Click Manage and select Credentials from the drop-down menu.
  2. Right-click the required credentials and select Delete.
  3. Click Confirm.

The Backup and DR Compute Engine guide