Restore a disk from an instant snapshot

To access data captured in aninstant snapshot,you must restore, or create a new disk from the instant snapshot.

This page explains how to create a disk from an instant snapshot. After youcreate the disk, you can use it by attaching it to a virtual machine (VM).

Before you begin

Required roles and permissions

To get the permissions that you need to create a disk from an instant snapshot, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create a disk from an instant snapshot. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to create a disk from an instant snapshot:

  • To create a disk:
    • compute.disks.create on the destination project for the new disk
    • compute.instantSnapshots.useReadOnly on the source instant snapshot

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Restrictions

The following restrictions apply:

  • When you create a disk from an instant snapshot, the new disk always hasthe same type, storage location, and encryption as the source disk of the snapshot.

  • You can't create a VM directly from an instant snapshot. You must create a diskfrom the instant snapshot and then use the new disk to create a VM.

  • If the source disk of the instant snapshotuses customer-managed or customer-supplied encryption keys,you must provide the same encryption key when you create a new disk from the instant snapshot.

    Consider this example. Imagine you have a disk,DISK-1 encrypted with a customer-supplied encryption key (CSEK),KEY-1.You also have an instant snapshot,IS-1, created fromDISK-1.To create a new disk fromIS-1, you must provide the same key,KEY-1, whenyou create the new disk.

    If the disk is encrypted with customer-managed encryption keys (CMEK), you only have to provide the key if you use theREST or the gcloud CLI to create the disk. If you use theGoogle Cloud console, you don't need to specify the encryption key.

Create a disk from an instant snapshot

An instant snapshot is encrypted with the same encryption as its source disk.The steps to create a disk from an instant snapshot depend on how theinstant snapshot's source disk is encrypted.

Each source disk is encrypted with one of the following methods:

  • Google-owned and Google-managed encryption keys. This is the default.
  • Customer-managed encryption keys (CMEK)
  • Customer-supplied encryption keys (CSEK).

To find out how a particular disk is encrypted, seeView information about a disk's encryption.

Create a disk from an instant snapshot encrypted with default encryption

You can create a disk from an instant snapshot with the gcloud CLI,the Google Cloud console, or the REST.

Console

  1. Find the instant snapshot that you want to restore:

    1. In the Google Cloud console, go to theSnapshots page.

      Go to Snapshots

    2. Click theInstant snapshots tab.

    3. In theName column, click the name of the instant snapshot you want to restore.

  2. ClickCreate disk.

  3. In theName field, enter a new name for the disk.

  4. Optional: In theDescription field, enter additional details.

  5. Verify that theDisk source type isInstant snapshot.

  6. In theSource instant snapshot list, choose the instant snapshot.

  7. Optional: Configure additional customizations for the disk.

    • Enter a size: In theSize field, specify a size for the disk in GB.The size must be equal to or larger than the size of the source disk for the snapshot.
    • Schedule backups: If you want Compute Engine tocreate standard snapshots of this new disk on a schedule,select theEnable snapshot schedule checkbox and choose a snapshot schedule.Otherwise, clear the checkbox.

  8. Optional: To organize your project, add one or morelabels.

  9. To create the disk, clickCreate.

gcloud

Use thegcloud compute disks create command.The arguments you specify depend on whether you're creating a zonal orregional disk.

Create a zonal disk

Specify the zone with the--zone flag:

gcloud compute disks createDISK_NAME --zone=ZONE \  --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME

Replace the following:

  • DISK_NAME: the name of the new disk.
  • ZONE: the zone for the new disk, for example,europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of thesource instant snapshot.

Create a regional disk

Specify the region with--region and the new disk's target replication zones zones with--replica-zones.

gcloud compute disks createDISK_NAME \ --region=REGION \ --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \ --replica-zones=ZONE1,ZONE2

Replace the following:

  • DISK_NAME: the name of the new disk.
  • REGION: the region for the regional diskto reside in, for example:europe-west1.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of thesource instant snapshot.
  • ZONE1,ZONE2: the zones within the regionwhere the two disk replicas are located, for example:europe-west1-b,europe-west1-c.

REST

To create a zonal or regional disk from an instant snapshot, use thedisks.insert method. Thenew disk must be the same type as that of the source disk of the instantsnapshot. For example, you can't create a regional disk from a snapshot of azonal disk.

Create a zonal disk

Make aPOST request, specifying the source instant snapshot.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks/insert{"name": "NEW_DISK_NAME","sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME"}

Replace the following:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshotis located, for example,us-central1-a. The disk is created in this zone.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.

Create a regional disk

Make aPOST request, specifying the source instant snapshot and thezones where the disk should be replicated to.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/region/SOURCE_REGION/disks/insert{"name": "NEW_DISK_NAME","sourceInstantSnapshot": "projects/PROJECT/regions/SOURCE_REGION/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME","replicaZones": [  "projects/PROJECT/zones/ZONE1",  "projects/PROJECT/zones/ZONE2"]}

Replace the following:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_REGION: the region where the instant snapshot is located.The disk is created in this region.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instantsnapshot.
  • ZONE1,ZONE2: the zones within the region for thetwo disk replicas, for example,europe-west1-b,europe-west1-c.

API request response

If thePOST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. SeeHandling API responses for more information.

Create a disk from a CMEK- or CSEK-encrypted instant snapshot

Console

If the instant snapshot uses Google default or CMEK encryption, Google Cloud consoleautomatically provides the encryption key when you create a disk from the instantsnapshot. Otherwise, if the instant snapshot is CSEK-encrypted, you must providethe encryption key to create a disk.

Follow thesteps in the Google-managed encryption section,specifying the encryption key using these instructions:

  1. In theDecryption section, enter the encryption key in theEncryption key field.
  2. If the key is wrapped with the public RSA key, selectWrapped key.

gcloud

Use thegcloud compute disks create command.

If the source disk is CMEK-encrypted, use the--kms-key parameter to provide the name of the key.

If the source disk is CSEK-encrypted, use the--csek-key-file parameterto specify the source disk's encryption key.

CMEK

To create a zonal disk from a CMEK encrypted instant snapshot,use the following command:

     gcloud compute disks createNEW_DISK_NAME \       --zone=SOURCE_ZONE \       --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \       --kms-key=projects/KMS_PROJECT_NAME/locations/KEYRING_LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Replace the following:

  • NEW_DISK_NAME: the name of the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is stored, for example,europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • KMS_PROJECT_NAME: the project containing the key.
  • KEYRING_LOCATION: the location of the key ring that the key belongs to. If the key ring is global, specifyglobal. Otherwise, specify the name of the region where the key ring is located, for example,us-west1.
  • KEY_RING_NAME: the name of the key ring that includes the key, for example,key-ring-1.
  • KEY_NAME: the name of the key used to encrypt the disk.

CSEK

To create a zonal disk from a CSEK-encrypted instant snapshot,use the following command:

     gcloud compute disks createNEW_DISK_NAME \       --zone=SOURCE_ZONE \       --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \       --csek-key-file=PATH_TO_CSEK_JSON_FILE

Replace the following:

  • NEW_DISK_NAME: the name of the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is stored, for example,europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • CSEK_JSON_FILE: Path to a JSON file containing the key. See an example of the CSEK file format.

To create a regional disk, replace the--zone flag in thepreceding example with the following flags:

  • --region: the region for the new disk
  • --replica-zones: the zones within the region for the two disk replicas.

REST

To create a zonal or regional disk from a CMEK- or CSEK-encrypted instant snapshot,make aPOST request to thedisks.insert methodusing the properties listed in theGoogle-managed encryption section.

Additionally, provide the source disk's encryption key with thediskEncryptionKeyfield. The properties of thediskEncryptionKey field depend on whether or notthe disk is CMEK- or CSEK-encrypted.

The following examples show how to create a new zonal disk for each encryption type.

CMEK

In the request body, specify the name of the key with thediskEncryptionKey.kmsKeyName property:

{"name": "NEW_DISK_NAME","sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME","diskEncryptionKey": {      "kmsKeyName": "projects/KMS_PROJECT/locations/LOCATION/keyRings/KEYRING_LOCATION/cryptoKeys/KEY_NAME"  }}

Replace the following:

  • NEW_DISK_NAME: a unique name for the new disk.
  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is located,for example,us-central1-a. The disk is created in this zone.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instantsnapshot.
  • KMS_PROJECT: the project containing the key.
  • LOCATION: the location of the key ring that the key belongs to.If the key ring is global, specifyglobal. Otherwise, specify the name of the region wherethe key ring is located, for example,us-west1.
  • KEY_RING: the name of the key ring thatincludes the key, for example,key-ring-1.
  • KEY: the name of the key used toencrypt the disk.

CSEK

The request body depends on whether the CSEK used to encrypt the instantsnapshot is RSA-encrypted or not.

To use a raw (non-RSA encrypted) key, specify the key in thediskEncryptionKey.rawKey property of the request body:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks/insert{  "name": "NEW_DISK_NAME",  "sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/INSTANT_SNAPSHOT_NAME,  "diskEncryptionKey": {      "rawKey": "RAW_ENCRYPTION_KEY"  }}

Replace the following with the corresponding values:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshotis located, for example,us-central1-a. The disk is created in this zone.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • RAW_ENCRYPTION_KEY: The key used to encrypt theinstant snapshot and its source disk, for example,SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=.

To use an RSA-encrypted key, modify the preceding example as follows:

  • Make aPOST request to thedisks.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/insert

  • Specify the key in thediskEncryptionKey.rsaEncryptedKey property of therequest body:

    "diskEncryptionKey": { "rsaEncryptedKey": "RSA_ENCRYPTED_KEY"}

ReplaceRSA_ENCRYPTED_KEY with your encrypted key.

API request response

If thePOST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. SeeHandling API responses for more information.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.