CYBBACK|for Google Cloud IAM

Quick User Guide

Your first GCP IAM snapshot
in under 10 minutes.

From sign-up to a fully encrypted, restorable snapshot of your project IAM — bindings, service accounts, custom roles, org policies. This guide walks you through every step.

AudienceGCP & security admins

Reading time~ 8 minutes

Setup time~ 10 minutes

VersionEN — 2026

What you'll learn

6 steps to a production-ready backup

1Sign upTrial or paid licence 2Connect GCP IAMService account + roles 3Enable encryptionAES-256-GCM at rest 4Use your own storageBring Your Own Bucket 5Run your first backupManual or scheduled 6Restore your dataPer-binding granularity

Get started

Sign up — trial or paid licence

CYBBACK offers two ways to get started. Both unlock the full Google Cloud IAM feature set.

Option A — Free trial

Open cybback.com/essai-gratuit.
Fill in your work email, company and a password. Click Start free trial.
Confirm via the verification email.
On the trial selection screen, pick Google Cloud IAM. Your trial workspace is provisioned instantly.

Painless onboarding

Trial accounts get the full Google Cloud IAM feature set — encryption, BYOB, scheduling, granular restore. Switch to a paid plan at any moment without losing data.

Option B — Paid licence (Stripe checkout)

Go to cybback.com/tarifs and pick the Google Cloud IAM plan that matches the number of GCP projects to protect.
Click Subscribe. Stripe Checkout supports cards, SEPA and invoicing on annual plans.
Your licence is active immediately — visible under Account → Subscription.

Connect Google Cloud IAM

Service account & required roles

CYBBACK reads your project IAM through a Google service account. The service account needs read-only roles for backup, and additional admin roles only if you plan to use the restore feature.

1. Create the service account

Open console.cloud.google.com and select the project to protect.
Enable these APIs: Identity and Access Management (IAM) API, Cloud Resource Manager API, Service Usage API, Org Policy API.
Go to IAM & Admin → Service Accounts → + Create service account. Name it cybback-iam-backup.
Open the new service account → Keys → Add key → JSON. Save the file safely.

2. Grant the required roles

On the project (IAM & Admin → IAM → + Grant access), assign to the service account:

Backup only: • roles/iam.securityReviewer (read IAM policies) • roles/iam.serviceAccountViewer (list service accounts) • roles/iam.roleViewer (read custom roles) • roles/orgpolicy.policyViewer (read org policies) Restore (in addition): • roles/iam.securityAdmin (apply IAM policies) • roles/iam.serviceAccountAdmin (create/disable SA) • roles/iam.roleAdmin (create/update roles)

Read-only mode (recommended for compliance)

If your governance forbids granting any write permission to a third-party service, deploy a read-only service account for daily backups and reserve the admin-grade restore service account for break-glass scenarios.

3. Paste credentials into CYBBACK

Open app.cybback.com/dashboard/giam-backup → Settings.
Paste the entire JSON service account key.
Specify the Project ID to protect. Click Save credentials.
CYBBACK runs an authentication test and lists your project metadata on success.

app.cybback.com/dashboard/giam-backup

Dashboard

Settings

Service account JSONEncrypted at rest

Paste the JSON key downloaded from Google Cloud Console.

Encryption at rest

Enable AES-256-GCM encryption

Backup files are stored on CYBBACK's secure EU infrastructure by default. Add a second layer with client-side encryption: each file is encrypted before it leaves the worker.

On the Settings tab of the Google Cloud IAM page, scroll to Security options.
Toggle AES-256 Encryption ON.
Click Save. Applies to new backups; previous backups remain readable.

Settings → Security options

AES-256 EncryptionRecommended

Encrypts your backup data with AES-256-GCM before being sent to storage.

EnabledYour next backups will be end-to-end encrypted

Bring Your Own Bucket

Use your own S3-compatible storage

Want full data sovereignty? Point CYBBACK at your S3-compatible bucket — AWS S3, GCS, Scaleway, OVH, Wasabi, MinIO. Your data, your provider, your region.

Provision the bucket

In your S3 provider, create a private bucket (no public access, versioning recommended).
Create an access key / secret key with permissions limited to that bucket.
Note your endpoint URL and region.

Configure CYBBACK

Open Dashboard → Storage.
Select My own S3 storage.
Fill the form, click Test connection, then Save.

Dashboard → Storage

S3 ConfigurationEncrypted at rest

Required IAM actions: PutObject, GetObject, DeleteObject, ListBucket.
Resilience: CYBBACK stores an encrypted snapshot of S3 credentials with each backup. Old backups remain restorable even after you switch providers.

Test before saving

Always click Test connection first. CYBBACK writes & deletes a probe file to validate credentials, region and permissions.

First backup

Run your first backup

You're now fully configured. Time to run your first IAM snapshot — manually for instant peace of mind, then schedule recurring runs.

Manual backup

Go back to the Dashboard tab.
Click Run backup now. The job appears with status pending, then running.
Progress is streamed live: IAM policies fetched, service accounts listed, custom roles enumerated, org policies captured.

Schedule automatic backups

From Dashboard → Schedules, click New schedule.
Service: Google Cloud IAM. Frequency: Daily / Weekly / Custom (cron).
Pick a window and click Save.

Snapshot-first

IAM state is small — a full backup of a typical project completes in 10–30 seconds. Daily snapshots add negligible storage cost while giving you a perfect audit trail.

Track your backups

Real-time: the Events page streams every operation across all services via SSE.
Notifications: success / failure / drift alerts via email, Slack and webhooks.
Drift detection: alerts on suspicious permission changes, role permission expansions, or sudden binding count changes between runs.

Restore

Restore — per-binding granularity

CYBBACK restores from any previous IAM snapshot. Pick a single binding, a deleted service account, an obsolete role definition — or roll back the entire project IAM state to a known-good moment.

The 3-step restore flow

Selection. Open the snapshot, browse the 4 categories (IAM Policies, Service Accounts, Custom Roles, Org Policies), tick what you want to recover. Search by principal email or role name.
Options. Choose your safety net:
- Dry-run — simulate, no IAM API write.
- Merge — add missing bindings without removing live ones (recommended).
- Overwrite — replace the live IAM policy with the snapshot (full rollback).
Execution. The API applies the restore in real-time and reports per-resource results. A summary shows what was added, updated or skipped.

Dashboard → Google Cloud IAM → Restore

1. Selection

2. Options

3. Execution

Restore options14 IAM bindings · 3 service accounts

Dry-runSimulate without writing to IAM

Merge modeAdd missing bindings, preserve live ones

Overwrite (full rollback)Replace the live IAM policy with the snapshot

Best practices

Always start with a dry-run — IAM mistakes can lock you out of your own project.
Prefer merge mode for incremental remediation. Reserve overwrite for true disaster recovery.
Watch the etag. CYBBACK uses optimistic concurrency: if the live policy has changed since the snapshot, you'll get a clean error rather than a silent overwrite.
Native exports: ZIP archives of JSON-formatted IAM bindings are also available from the Export tab if you need an offline copy.

Service account keys

Service account JSON keys are not stored — Google never returns the private material. Restored service accounts will need fresh keys generated by your administrators.

You're all set.

Need help? Our team replies within one business day on every plan.

Contact support →