Enabling the HYCU Managed Service Account

The HYCU Managed Service Account (HMSA) is a special type of account that is designed specifically for HYCU for Google Cloud to run data protection operations. It provides business continuity of your data protection environment by enforcing a single service account that cannot be deleted accidentally, and at the same time it also delivers enhanced security by uniquely identifying the service and using key rotation to limit risks associated with potential service account key leaks.

To enable the HMSA, you must perform all the steps in the HYCU Managed Service Account configuration wizard that appears after you sign in to HYCU for Google Cloud or that you can access by clicking Enable in the Subscription Information dialog box. To open the Subscription Information dialog box, click in the toolbar, and then select Subscription Information.

Prerequisite

You must have the Administrator role assigned.

Considerations

  • When selecting the projects in the HYCU Managed Service Account configuration wizard, keep in mind that the project list includes all the HYCU for Google Cloud projects that are linked to your billing account. The protected projects are preselected and, if required, you can add more projects by selecting the check box before the name of each project.
  • After you enable the HMSA, you can no longer access the HYCU Managed Service Account configuration wizard, and on each project that you plan to protect, you must manually grant the following permissions to the HMSA in Google Cloud:

    • Compute Admin (roles/compute.admin)

    • Service Account User (roles/iam.serviceAccountUser)

    • Storage Admin (roles/storage.admin)

    • Kubernetes Engine Admin (roles/container.admin). Required only if protecting GKE applications.

    For instructions on how to grant permissions to service accounts, see Google Cloud documentation.
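
One way to confirm the manual grant on a project is to compare the HMSA's bindings against the roles listed above. The following is an added example, not HYCU's own tooling. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the function name, the sample policy, and the HMSA email are constructed placeholders.

```python
import json

# Roles the list above requires for the HMSA on every protected project.
REQUIRED = {"roles/compute.admin", "roles/iam.serviceAccountUser", "roles/storage.admin"}
GKE_ROLE = "roles/container.admin"  # only when GKE applications are protected


def audit_hmsa(policy, hmsa_email, protects_gke=False):
    """Compare the HMSA's bindings in one project IAM policy with the required roles."""
    member = f"serviceAccount:{hmsa_email}"
    required = REQUIRED | ({GKE_ROLE} if protects_gke else set())
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only when its condition matches, so it
        # is reported separately and not counted as an unconditional grant.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing": sorted(required - granted),   # roles still to be granted
        "extra": sorted(granted - required),     # roles beyond what the list requires
        "conditional": sorted(conditional),      # grants that need manual review
    }


# Placeholder email (assumption): use the HMSA address of your own subscription.
HMSA = "hmsa-placeholder@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 3, "etag": "constructed", "bindings": [
  {"role": "roles/compute.admin",
   "members": ["user:admin@example.com",
               "serviceAccount:hmsa-placeholder@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:hmsa-placeholder@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/owner",
   "members": ["serviceAccount:hmsa-placeholder@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "condition": {"title": "constructed", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"},
   "members": ["serviceAccount:hmsa-placeholder@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for gke in (False, True):
        print("protects_gke =", gke, audit_hmsa(SAMPLE_POLICY, HMSA, protects_gke=gke))
```

An empty `missing` list means the project is ready for protection; entries under `extra` are roles the HMSA holds beyond the ones this page lists.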

Procedure

The HYCU Managed Service Account configuration wizard guides you through all the required steps of enabling the HMSA. You first select projects that are already protected or that you plan to protect with HYCU for Google Cloud, and then allow the HMSA to access all the selected projects, which you can do either manually (by granting the required permissions to the HMSA on each project) or automatically (by using Google Cloud Shell).