I have a QNAP NAS at home which I use for file storage. It shares several folders with the family’s Mac, Linux, and Windows computers. Many of these files are are irreplaceable, especially our digital photos, so I back them up to the cloud. QNAP provides the Hybrid Backup and Sync application, which supports multiple cloud storage endpoints. QNAP also provides specific documentation for backing up and syncing to Google Cloud Storage. However, QNAP’s instructions don’t explain how to set up a Google Cloud Storage bucket destination, so here is the procedure I used to set up Google Cloud Storage to back up my QNAP NAS.
Google Cloud Platform Configuration
- Create a Google Cloud Platform account
- Requires a payment method, such as a credit card
- The project name and ID will be auto-created. Auto-generated IDs work fine (see below if you are getting an error about an “Invalid Project Id”)
- Create a custom role for the QNAP backup service account
- Google Cloud Console->IAM & Admin->Roles
- Click “+ Create Role”
- Set meaningful values for Title, Description, and ID
- Click “+ Add Permissions”
- In the field with light gray text that says “Filter table,” type in
- Click the check box next each of the following permissions, and then click Add:
- Click the “CREATE” button
- Create a service account
- Download key in P12 format
- Grant custom role to service account
- In Google Cloud Console, go to IAM & Admin->IAM
- Click the “+ADD” button at the top
- Paste in the service account email address (or start typing for auto-complete)
- In the “Select a role” drop-down, use auto-complete to add the custom role you just created (see screenshot below)
- Click SAVE
- Create a Google Cloud Storage bucket
- Nearline storage
- Multi-region in US
- Choose “Set permissions uniformly at bucket-level (Bucket Policy Only)”
- Grant permissions to service account on bucket
- Edit bucket permissions
- Click “Add members”
- Paste in email address of service account
- Select role “Storage Object Admin”
EDIT 2019-08-19: Updated required permissions; see above.
If the QNAP Backup & Sync application gives you the error “Invalid project id” when connecting to Cloud Storage for the first time, it is not necessarily a problem with the project ID. There are a lot of misleading posts about this error on the QNAP Forums. Backup & Sync works fine with Google’s default project IDs. This error also happens when the service account you specified doesn’t have permission to list buckets. The procedure I outlined above prevents this problem by adding a custom role with the one required permission.
If you have a question or a suggestion to clarify the instructions, leave a comment and I will try to improve the instructions. Thanks!
13 thoughts on “QNAP NAS: Backup & Sync to Google Cloud Storage”
Hi Craig Finch,
I follow all the steps to configure my QNAP to Google Cloud Storage but i still get the Invalid Project Id Error Message.
Are you able to give me a support by Team viewer?
Thank you so much in advance
I realized that I had to add additional IAM permissions for the service account. Please see my updated post above, and see if adding permissions to the role resolves your issue. If not, try adding the “Storage Object Admin” or “Storage Admin” role to the service account, and try the backup again. Generally, it’s not a good idea to give service accounts such broad permissions on a long-term basis.
I have followed all of the steps and am still getting a permissions error. This is more in completing the back-up process. The cloud storage space is added successfully without issues. Service account is added to bucket and all rules/permissions listed above are in place. When creating a back-up, I can get all the way to the “create” button when I get an error.
Cannot upload to the cloud service. Permission denied.
I have tried many things to get past this final step and with the many rules and permission options, I am having little luck. Can you possibly help?
Hi Craig, thank you for you great guide. You solved my problem when I wanted to use a custom service account instead of the default one 😉
A quick note of thanks for this post Craig, I found it helpful and it gave me good clues as I developed my understanding of the process.
One suggestion for improvement would be to include some basic “why” information with your “what” guide. Why a custom role? and service account? for example. I’m guessing you’ve taken the path you’ve taken as it aligns with the philosophy of ‘asigning just enough Google Cloud resource to do the job’?
Thanks again for a very helpful post.
Tim, I’m glad I could help. You are correct that I am following the “principle of least access.” While it may be overkill for backing up your personal NAS, I usually use Google Cloud Platform for enterprise infrastructure, where the principle is essential.
ShockSolution, is this still up-to-date? Following these instructions exactly, I still cannot create a Google Cloud Storage “space” in Qnap HBS. As a quick test, adding the “Owner” role to the service allows immediate creation. (That is super dangerous of course) and removing the Owner role immediately results in a “Cannot Authenticate” error upon trying to add that Storage Space in HBS. Have you run into changes that are required over the past few years? If not, will start to dig into the 4,990 permissions…
Thanks for this writeup – it has already been immensely helpful.
Did you resolve this question? If not, please post a follow-up comment.
Hi Craig, no – I’m back to still getting this error when creating new projects, despite thinking I had worked past it. I’m not sure what is creating the issue and am still trying to track down what little ‘nit’ might be causing it. I’ll definitely report back if I can find it.
Craig, here’s the verdict: One more role is required to be added onto the Service Account at the Project level to create a new “Storage Space” within the current version of HBS 3:
Storage Object Viewer, Creator or Admin are needed. All 3 will work so obviously Storage Object Viewer is best with least privilege.
Storage Object Viewer allows you to do these things: Create a Storage Space in Qnap HBS 3, create a new folder within an existing bucket from within HBS3, but it *does not* allow you to create a new bucket via HBS3.
If you want to be able to add a new bucket from within HBS3, you will need to add Storage Admin to the ServiceAccount (project level). Storage Admin adds full control over buckets as well as objects so you can create buckets on the fly from within HBS3. Just like you, I wouldn’t recommend it be used in this way – create buckets from Google Cloud Console and give that service account least required privilege.
Interestingly, back to the Storage Object Viewer role: Because adding Viewer allows HBS3 to establish a new connection to Google Cloud Storage, that means either the role or one or more of its 4 permissions are now needed for QTS HBS 3:
Hopefully that will help someone in the future!
I’ve discovered that the Role Storage Object Creator must also be added to the Service Account in order to successfully connect HBS to Google Cloud Storage as a Storage location.
Tracy, I did not add “Storage Object Creator” to the custom role for the Service Account because I separately granted the “Storage Object Admin” role to the Service Account at the bucket level (see step 6). The “Storage Object Admin” includes the ability to create, list, update, and delete files.
For whatever reason, I could not get that to work alone with the current version of HBS 3 My final resolution is documented in the thread above.
Thanks again for your wonderful writeup. It is much appreciated!