Google Cloud permissions for the Console agent
Suggest changes
PDFs
The Console agent requires permissions to perform actions in Google Cloud. These permissions are included in a custom role provided by NetApp. You should understand what the agent does with these permissions.
Service account permissions
The custom role shown below provides the permissions that a Console agent needs to manage resources and processes within your Google Cloud network.
You'll need to apply this custom role to a service account that gets attached to the Console agent VM.
You also need to ensure that the role is up to date as new permissions are added in subsequent releases. If new permissions are required, they will be listed in the release notes.
title: NetApp Console agent
description: Permissions for the service account associated with the Console agent.
stage: GA
includedPermissions:
- iam.serviceAccounts.actAs
- compute.regionBackendServices.create
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- compute.networks.updatePolicy
- compute.backendServices.create
- compute.addresses.list
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.delete
- compute.disks.get
- compute.disks.list
- compute.disks.setLabels
- compute.disks.use
- compute.firewalls.create
- compute.firewalls.delete
- compute.firewalls.get
- compute.firewalls.list
- compute.globalOperations.get
- compute.images.get
- compute.images.getFromFamily
- compute.images.list
- compute.images.useReadOnly
- compute.instances.addAccessConfig
- compute.instances.attachDisk
- compute.instances.create
- compute.instances.delete
- compute.instances.detachDisk
- compute.instances.get
- compute.instances.getSerialPortOutput
- compute.instances.list
- compute.instances.setDeletionProtection
- compute.instances.setLabels
- compute.instances.setMachineType
- compute.instances.setMetadata
- compute.instances.setTags
- compute.instances.start
- compute.instances.stop
- compute.instances.updateDisplayDevice
- compute.instanceGroups.get
- compute.addresses.get
- compute.instances.updateNetworkInterface
- compute.machineTypes.get
- compute.networks.get
- compute.networks.list
- compute.projects.get
- compute.regions.get
- compute.regions.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- compute.snapshots.list
- compute.snapshots.setLabels
- compute.subnetworks.get
- compute.subnetworks.list
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zoneOperations.get
- compute.zones.get
- compute.zones.list
- compute.instances.setServiceAccount
- deploymentmanager.compositeTypes.get
- deploymentmanager.compositeTypes.list
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- deploymentmanager.deployments.list
- deploymentmanager.manifests.get
- deploymentmanager.manifests.list
- deploymentmanager.operations.get
- deploymentmanager.operations.list
- deploymentmanager.resources.get
- deploymentmanager.resources.list
- deploymentmanager.typeProviders.get
- deploymentmanager.typeProviders.list
- deploymentmanager.types.get
- deploymentmanager.types.list
- logging.logEntries.list
- logging.privateLogEntries.list
- resourcemanager.projects.get
- storage.buckets.create
- storage.buckets.delete
- storage.buckets.get
- storage.buckets.list
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- storage.buckets.update
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
- storage.objects.get
- storage.objects.list
- monitoring.timeSeries.list
- storage.buckets.getIamPolicy
- cloudkms.cryptoKeys.getIamPolicy
- cloudkms.cryptoKeys.setIamPolicy
- cloudkms.keyRings.get
- cloudkms.keyRings.getIamPolicy
- cloudkms.keyRings.setIamPolicyHow Google Cloud permissions are used for Cloud Volumes ONTAP
| Actions | Purpose | Used for deployment? | Used for daily operations? | Used for deletion? |
|---|---|---|---|---|
compute.disks.create |
To create and manage disks for Cloud Volumes ONTAP. |
Yes |
Yes |
No |
compute.disks.createSnapshot |
No |
Yes |
No |
|
compute.disks.delete |
No |
Yes |
Yes |
|
compute.disks.get |
No |
Yes |
No |
|
compute.disks.list |
Yes |
Yes |
No |
|
compute.disks.setLabels |
Yes |
Yes |
No |
|
compute.disks.use |
No |
Yes |
No |
|
compute.firewalls.create |
To create firewall rules for Cloud Volumes ONTAP. |
Yes |
No |
No |
compute.firewalls.delete |
No |
Yes |
Yes |
|
compute.firewalls.get |
Yes |
Yes |
No |
|
compute.firewalls.list |
Yes |
Yes |
No |
|
compute.globalOperations.get . |
To get the status of operations. |
Yes |
Yes |
No |
compute.images.get |
To get images for VM instances. |
Yes |
No |
No |
compute.images.getFromFamily |
Yes |
No |
No |
|
compute.images.list |
Yes |
No |
No |
|
compute.images.useReadOnly |
Yes |
No |
No |
|
compute.instances.attachDisk |
To attach and detach disks to Cloud Volumes ONTAP. |
Yes |
Yes |
No |
compute.instances.detachDisk |
No |
Yes |
Yes |
|
compute.instances.create |
To create and delete Cloud Volumes ONTAP VM instances. |
Yes |
No |
No |
compute.instances.delete |
No |
No |
Yes |
|
compute.instances.get |
To list VM instances. |
Yes |
Yes |
No |
compute.instances.getSerialPortOutput |
To get console logs. |
Yes |
Yes |
No |
compute.instances.list |
To retrieve the list of instances in a zone. |
Yes |
Yes |
No |
compute.instances.setDeletionProtection |
To set deletion protection on the instance. |
Yes |
No |
No |
compute.instances.setLabels |
To add labels. |
Yes |
No |
No |
compute.instances.setMachineType |
To change the machine type for Cloud Volumes ONTAP. |
Yes |
Yes |
No |
compute.instances.setMinCpuPlatform |
Yes |
Yes |
No |
|
compute.instances.setMetadata |
To add metadata. |
Yes |
Yes |
No |
compute.instances.setTags |
To add tags for firewall rules. |
Yes |
Yes |
No |
compute.instances.start |
To start and stop Cloud Volumes ONTAP. |
Yes |
Yes |
No |
compute.instances.stop |
Yes |
Yes |
No |
|
compute.instances.updateDisplayDevice |
Yes |
Yes |
No |
|
compute.machineTypes.get |
To get the numbers of cores to check quotas. |
Yes |
No |
No |
compute.projects.get |
To support multi-projects. |
Yes |
No |
No |
compute.snapshots.create |
To create and manage persistent disk snapshots. |
Yes |
Yes |
No |
compute.snapshots.delete |
No |
Yes |
Yes |
|
compute.snapshots.get |
No |
Yes |
No |
|
compute.snapshots.list |
No |
Yes |
No |
|
compute.snapshots.setLabels |
Yes |
Yes |
No |
|
compute.networks.get |
To get the networking information needed to create a new Cloud Volumes ONTAP virtual machine instance. |
Yes |
Yes |
No |
compute.networks.list |
Yes |
Yes |
No |
|
compute.regions.get |
Yes |
Yes |
No |
|
compute.regions.list |
Yes |
Yes |
No |
|
compute.subnetworks.get |
Yes |
Yes |
No |
|
compute.subnetworks.list |
Yes |
Yes |
No |
|
compute.zoneOperations.get |
Yes |
Yes |
No |
|
compute.zones.get |
Yes |
Yes |
No |
|
compute.zones.list |
Yes |
Yes |
No |
|
deploymentmanager.compositeTypes.get |
To deploy the Cloud Volumes ONTAP virtual machine instance using Google Cloud Deployment Manager. |
Yes |
No |
No |
deploymentmanager.compositeTypes.list |
Yes |
No |
No |
|
deploymentmanager.deployments.create |
Yes |
No |
No |
|
deploymentmanager.deployments.delete |
Yes |
No |
No |
|
deploymentmanager.deployments.get |
Yes |
No |
No |
|
deploymentmanager.deployments.list |
Yes |
No |
No |
|
deploymentmanager.manifests.get |
Yes |
No |
No |
|
deploymentmanager.manifests.list |
Yes |
No |
No |
|
deploymentmanager.operations.get |
Yes |
No |
No |
|
deploymentmanager.operations.list |
Yes |
No |
No |
|
deploymentmanager.resources.get |
Yes |
No |
No |
|
deploymentmanager.resources.list |
Yes |
No |
No |
|
deploymentmanager.typeProviders.get |
Yes |
No |
No |
|
deploymentmanager.typeProviders.list |
Yes |
No |
No |
|
deploymentmanager.types.get |
Yes |
No |
No |
|
deploymentmanager.types.list |
Yes |
No |
No |
|
logging.logEntries.list |
To get stack log drives. |
Yes |
Yes |
No |
logging.privateLogEntries.list |
Yes |
Yes |
No |
|
resourcemanager.projects.get |
To support multi-projects. |
Yes |
Yes |
No |
storage.buckets.create |
To create and manage a Google Cloud Storage bucket for data tiering. |
Yes |
Yes |
No |
storage.buckets.delete |
No |
Yes |
Yes |
|
storage.buckets.get |
No |
Yes |
No |
|
storage.buckets.list |
No |
Yes |
No |
|
storage.buckets.update |
No |
Yes |
No |
|
cloudkms.cryptoKeyVersions.useToEncrypt |
To use customer-managed encryption keys from the Cloud Key Management Service with Cloud Volumes ONTAP. |
Yes |
Yes |
No |
cloudkms.cryptoKeys.get |
Yes |
Yes |
No |
|
cloudkms.cryptoKeys.list |
Yes |
Yes |
No |
|
cloudkms.keyRings.list |
Yes |
Yes |
No |
|
compute.instances.setServiceAccount |
To set a service account on the Cloud Volumes ONTAP instance. This service account provides permissions for data tiering to a Google Cloud Storage bucket. |
Yes |
Yes |
No |
iam.serviceAccounts.actAs |
Yes |
No |
No |
|
iam.serviceAccounts.getIamPolicy |
Yes |
Yes |
No |
|
iam.serviceAccounts.list |
Yes |
Yes |
No |
|
storage.objects.get |
Yes |
Yes |
No |
|
storage.objects.list |
Yes |
Yes |
No |
|
compute.addresses.list |
To retrieve the addresses in a region when deploying an HA pair. |
Yes |
No |
No |
compute.backendServices.create |
To configure a backend service for distributing traffic in an HA pair. |
Yes |
No |
No |
compute.regionBackendServices.create |
Yes |
No |
No |
|
compute.regionBackendServices.get |
Yes |
No |
No |
|
compute.regionBackendServices.list |
Yes |
No |
No |
|
compute.networks.updatePolicy |
To apply firewall rules on the VPCs and subnets for an HA pair. |
Yes |
No |
No |
compute.instanceGroups.get |
To create and manage storage VMs on Cloud Volumes ONTAP HA pairs. |
Yes |
Yes |
No |
compute.addresses.get |
Yes |
Yes |
No |
|
compute.instances.updateNetworkInterface |
Yes |
Yes |
No |
|
monitoring.timeSeries.list |
To discover information about Google Cloud Storage buckets. |
Yes |
Yes |
No |
storage.buckets.getIamPolicy |
Yes |
Yes |
No |
Permissions used for NetApp Backup and Recovery
Actions |
Purpose |
Used for deployment? |
Used for daily operations? |
Used for deletion? |
|
To select your own customer-managed keys in the NetApp Backup and Recovery activation wizard instead of using the default Google-managed encryption keys. |
Yes |
Yes |
No |
Permissions used for NetApp Data Classification
Actions |
Purpose |
Used for deployment? |
Used for daily operations? |
Used for deletion? |
|
To enable NetApp Data Classification. |
Yes |
No |
No |
Change log
As permissions are added and removed, we'll note them in the sections below.
26 November, 2025
The permissions are updated to add clarity about their usage, but no permissions were added or removed. Three columns are added to indicate whether each permission is used for deployment, daily operations, or deletion. Apart from this, a few permissions are segregated based on their use for NetApp Data Classification and NetApp Backup and Recovery.
6 February, 2023
The following permission was added to this policy:
-
compute.instances.updateNetworkInterface
This permission is required for Cloud Volumes ONTAP.
27 January, 2023
The following permissions were added to the policy:
-
cloudkms.cryptoKeys.getIamPolicy
-
cloudkms.cryptoKeys.setIamPolicy
-
cloudkms.keyRings.get
-
cloudkms.keyRings.getIamPolicy
-
cloudkms.keyRings.setIamPolicy
These permissions are required for NetApp Backup and Recovery.