Google Cloud credentials for Backup and DR Service protection and data access

This page explains what default Google Cloud credentials are and how to add new credentials for backup/recovery appliances in the management console.

A Google Cloud credential is a pointer to a service account that allows the backup/recovery appliance to access project resources, such as Compute Engine APIs and Cloud Storage buckets, to back up and recover Compute Engine instances.

During the backup or recovery of Compute Engine instances, the backup/recovery appliances use the service account in the credential to take snapshots of the instances, and upload instance metadata (like VM configuration, network, and tags) to a Cloud Storage bucket through an OnVault pool. If the appliance that created the instance snapshots is not available, you can access the backups using a different appliance, through the metadata stored in the Cloud Storage bucket. See Import persistent disk snapshot images.

Default Google Cloud credential

A default Google Cloud credential is created automatically when you deploy the backup/recovery appliance. This credential is created based on the service account attached to the appliance in a project. This credential simplifies the process of discovering and protecting Compute Engine instances without the need to create an OnVault pool and service account. In the management console, you can view this default Google Cloud credential in the Cloud Credentials page by navigating to Manage > Credentials.

The default Google Cloud credential in the Cloud Credentials page is displayed based on the appliance name. For example, if the name of the backup/recovery appliance is ba-name, then the default service account name is displayed as *ba-name@developer.gserviceaccount.com. The value project-id is the project ID. You cannot edit or delete this default Google Cloud credential; you can only view it.

The default Google Cloud credential points to an automatically created OnVault pool, which points to an automatically created Cloud Storage bucket. The Cloud Storage bucket holds VM instance configuration and metadata and gets automatically created at run time, when a backup template is assigned to a Compute Engine instance. The location of the Cloud Storage bucket is determined based on the persistent disk snapshot storage location or region as configured in the backup template.

OnVault pools are created automatically even if you change the region or multi-region of the instance or when the policy override is applied after the first snapshot ran successfully. The service thus ensures that both the persistent disk data and the instance VM configuration are colocated.

For the default Google Cloud credential, the IAM role Backup and DR Cloud Storage Operator is automatically assigned to the service account attached to the backup/recovery appliance. You need to manually assign the IAM role Backup and DR Compute Engine Operator to back up the Compute Engine instances.

View the corresponding Cloud Storage bucket of the appliance in the Google Cloud console by navigating to Cloud Storage > Buckets.

Note: It's recommended not to use the automatically created storage bucket for any other purpose.

The storage bucket is created with the name <backup/recovery-appliance-name>-<random-string>-<region/multi-region> in the same project where the appliance is deployed and has the following properties set.

Add Google Cloud credentials

Backup and DR Service provides the ability to create a new Google Cloud credential if you still want to manually create one for a backup/recovery appliance. To create new Google Cloud credentials, first you need to create a new OnVault pool; see OnVault pool instructions.

To create a Google Cloud credential, you need to define the credential name and the OnVault pool where you want to store the backup data. A service account is auto-filled based on the service account attached to the selected backup/recovery appliance. Create an OnVault pool if you don't have one.

Before adding the Google Cloud credential, assign the role Backup and DR Compute Engine Operator to the service account attached to the appliance.
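The role requirements stated above, both for the default credential and as the prerequisite for adding a credential, can be checked against a project's IAM policy before the credential is added. The following is an added example, not code from this page or from Google: the role IDs are assumed to be the identifiers behind the two role names on this page (the page gives only display names), and the service account address and policy are constructed sample data.

```python
import json

# Assumed role IDs for the two display names on this page; confirm them
# with `gcloud iam roles describe` before relying on the mapping.
REQUIRED_ROLES = {
    "roles/backupdr.cloudStorageOperator": "Backup and DR Cloud Storage Operator",
    "roles/backupdr.computeEngineOperator": "Backup and DR Compute Engine Operator",
}
# Basic roles that grant far more than the appliance needs for backup.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_appliance_roles(policy, service_account):
    """Return (missing, conditional, broad) role lists for one service account."""
    member = "serviceAccount:" + service_account
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds, so it
        # is reported separately instead of being counted as a full grant.
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            granted.add(binding["role"])
    missing = sorted(r for r in REQUIRED_ROLES if r not in granted)
    return missing, sorted(conditional), sorted(granted & BROAD_ROLES)


# Constructed policy, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_SA = "ba-name@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/backupdr.cloudStorageOperator",
   "members": ["serviceAccount:ba-name@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:ba-name@example-project.iam.gserviceaccount.com",
               "user:admin@example.com"]},
  {"role": "roles/backupdr.computeEngineOperator",
   "members": ["serviceAccount:ba-name@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary", "expression": "request.time.getHours() < 6"}}
]}
""")

if __name__ == "__main__":
    missing, conditional, broad = audit_appliance_roles(SAMPLE_POLICY, SAMPLE_SA)
    print("missing unconditional grants:", missing)
    print("granted only under a condition:", conditional)
    print("overly broad basic roles:", broad)
```

In the sample, the Compute Engine Operator role is present only under a condition, so it is reported as missing an unconditional grant, and the basic Editor role on the appliance service account is flagged for review.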

Use these instructions to add a Google Cloud credential for backup/recovery appliances:

  1. Click Manage and select Credentials from the drop-down menu.

    The Cloud Credentials page opens listing all Google Cloud credentials managed by the management console if any credentials are already added.

  2. Click Add Google Cloud Credentials.

  3. In Credential Name, add a unique name that you want to identify the credential with.

  4. Select a Default Zone. The default zone is used to determine which zone to default to when discovering Compute Engine VMs in a project. You can also select a different zone during discovery.

  5. In the Appliances drop-down, select the appliance you want the credentials to be associated with. The Service Account field is automatically filled with the service account attached to that appliance.

  6. Select the OnVault pool. Pools are displayed based on the selected appliance. To add an OnVault pool, use the OnVault Pool instructions.

    Note: The OnVault drop-down does not display the auto-created pools. It's only offered for the default Google Cloud credentials.

  7. Click Add.

The management console sends a request to validate the Google Cloud credentials to the selected appliance. If validation succeeds, the credential is registered. Creating Google Cloud credentials leads to the automatic creation of a Cloud Storage pool and a resource profile with the Google Cloud credential name as the prefix.

Edit Google Cloud credentials

Use these instructions to edit an existing Google Cloud credential for the appliance:

  1. Click Manage and select Credentials from the drop-down menu. The Cloud Credentials page opens listing all credentials saved on appliances managed by the management console.
  2. Select the credential that you want to modify and then select Edit from the bottom right-hand corner of the page. The Edit Credential page opens. You can also right-click the credential and select Edit from the drop-down menu options.
  3. Update the name, default zone, organization attributes, and OnVault pool as needed.
  4. Click Save to apply the changes.

Delete a Google Cloud credential

Before deleting the credentials, unprotect and remove all the applications and hosts discovered using this credential, and then delete it.

Use these instructions to delete a Google Cloud credential.

  1. Click Manage and select Credentials from the drop-down menu.
  2. Right-click the required credentials and select Delete.
  3. Click Confirm.

Last updated 2026-02-19 UTC.