Which Roles are required to only create a disk snapshot?


Rob Olmos

Jul 31, 2017, 6:36:40 PM7/31/17
to gce-discussion
The fine-grain control of the alpha Roles is a very welcomed improvement.

For the Role ID "roles/compute.storageAdmin" it lists 44 permissions.

Which permissions are the ones required for only creating a snapshot?

There's two relevant ones that I see but I don't know the difference between them: compute.disks.createSnapshot and compute.snapshots.create -- what's the difference?

Does the gcloud CLI tool also need other permissions to authenticate as a service account and run the "gcloud compute disks snapshot" command?

Thanks

Carlos (Cloud Platform Support)

Aug 1, 2017, 4:30:17 PM8/1/17
to gce-discussion
Hi Rob,

The information I was able to find describes the compute.storageAdmin role in beta. Can you let me know where/how you are getting those references to the alpha roles?

In regards to the CLI, if gcloud is being used in a VM, not only the permission to call the method must be granted but also the VM needs to have the right scope. The details are explained on this discussion.



Rob Olmos

Aug 1, 2017, 4:46:43 PM8/1/17
to gce-discussion
Hey Carlos,

Thanks for your reply. The alpha Custom Roles feature can be found in the Cloud Console > IAM & Admin > Roles. https://console.cloud.google.com/iam-admin/roles/project

The specific permissions for the pre-defined Roles can be found by clicking on the "Compute Storage Admin" role. https://console.cloud.google.com/iam-admin/roles/details/roles+compute.storageAdmin

Carlos (Cloud Platform Support)

Aug 2, 2017, 1:31:50 PM8/2/17
to gce-dis...@googlegroups.com
Hi Rob,

Thanks for all the information provided. I was doing some tests associating individually the roles "compute.disks.createSnapshot" and "compute.snapshots.create" to service accounts. By doing that I verified that actually both roles will be necessary.

Nevertheless, after assigning both roles, taking the snapshot is still failing. Although there is no permission error, Cloud SDK is crashing. I am doing further investigation to unveil what the correct set should be.

Carlos (Cloud Platform Support)

Aug 2, 2017, 3:56:22 PM8/2/17
to gce-discussion
Hi Rob,

These are the four permissions you will need to grant on the role so that the service account can take snapshots.
4 assigned permissions
  1. compute.disks.createSnapshot
  2. compute.snapshots.create
  3. compute.snapshots.get
  4. compute.zoneOperations.get
Basically, "gcloud compute disks snapshot" was letting me know which permission should be added.

I encountered an issue while running the command without allowing "compute.zoneOperations.get". Cloud SDK crashes; I will inform the backend team.

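The four permissions above make a natural least-privilege custom role. The script below is an added example, not code from the thread or from Google: it defines a custom role carrying exactly those four permissions, binds it to a service account at the project level, and takes a snapshot with the `gcloud compute disks snapshot` command discussed above. The role id `diskSnapshotCreator` and the `PROJECT_ID`, `SA_EMAIL`, `DISK_NAME` and `ZONE` values are placeholders you replace; the gcloud subcommands and flags used are the standard `gcloud iam roles create`, `gcloud projects add-iam-policy-binding` and `gcloud compute disks snapshot` ones.

```shell
#!/bin/sh
# Added example (not from the thread): carve out a custom role holding only
# the four permissions Carlos identified, bind it to a service account, and
# take a snapshot as that account. All ids below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"                                 # placeholder
SA_EMAIL="${SA_EMAIL:-snapshotter@my-project-id.iam.gserviceaccount.com}"  # placeholder
DISK_NAME="${DISK_NAME:-data-disk-1}"                                     # placeholder
ZONE="${ZONE:-us-central1-a}"                                             # placeholder
ROLE_ID="${ROLE_ID:-diskSnapshotCreator}"                                 # assumed custom role id

# The permission set from the thread, one per line, in the order given above.
snapshot_role_permissions() {
  printf '%s\n' \
    compute.disks.createSnapshot \
    compute.snapshots.create \
    compute.snapshots.get \
    compute.zoneOperations.get
}

# Comma-joined form, which is what the --permissions flag expects.
snapshot_role_permissions_csv() {
  snapshot_role_permissions | paste -sd, -
}

# Create the project-level custom role with exactly those permissions.
create_snapshot_role() {
  gcloud iam roles create "$ROLE_ID" \
    --project="$PROJECT_ID" \
    --title="Disk Snapshot Creator" \
    --description="Create disk snapshots and nothing else" \
    --permissions="$(snapshot_role_permissions_csv)" \
    --stage=ALPHA
}

# Grant the custom role (and no predefined admin role) to the service account.
bind_snapshot_role() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# The same command the thread used to discover the missing permissions.
take_snapshot() {
  gcloud compute disks snapshot "$DISK_NAME" \
    --project="$PROJECT_ID" \
    --zone="$ZONE" \
    --snapshot-names="${DISK_NAME}-$(date +%Y%m%d-%H%M%S)"
}

# Only talk to GCP when explicitly asked, so the file can be sourced safely.
if [ "${RUN_SNAPSHOT_DEMO:-0}" = "1" ]; then
  create_snapshot_role
  bind_snapshot_role
  take_snapshot
fi
```

Run it with `RUN_SNAPSHOT_DEMO=1` after authenticating gcloud as the service account (or as an identity allowed to create roles and bindings for the first two steps). As Carlos noted earlier in the thread, if the snapshot step runs from inside a VM, the instance also needs the Compute Engine API scope; the IAM role alone is not enough there.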
Rob Olmos

Aug 2, 2017, 4:07:38 PM8/2/17
to gce-discussion
Awesome discovery. Thanks Carlos.

Do you happen to know what the difference between "compute.disks.createSnapshot" and "compute.snapshots.create" is?

It looked like the permissions are almost exactly correlated to API calls but there's no "compute.snapshots.create" API method.

Carlos (Cloud Platform Support)

Aug 3, 2017, 11:06:44 AM8/3/17
to gce-dis...@googlegroups.com
I have not found any public documentation that describes what each one has access to. I will try to do some additional research internally. If I can find useful information I will update the discussion.

Carlos (Cloud Platform Support)

Aug 4, 2017, 10:19:32 AM8/4/17
to gce-discussion
Hi Rob,

There is little documentation on those permissions. It does seem that compute.disks.createSnapshot is on the disk while compute.snapshots.create is on the project level. I would assume that those permissions might have been disaggregated, maybe to allow in the future a functionality like cross-project snapshotting. This is the insight provided by a colleague. Nevertheless, I was not able to reach the architectural team or a product manager.