Overview
Migrate for Compute Engine uses service accounts to grant access permissions. This topic describes the roles and permissions assigned to these service accounts.
Deploying Velostrata Manager creates two service accounts:
- The Manager Service Account is attached to the Manager instance. It allows the Manager to orchestrate migrations, deploy Cloud Extensions and create instances in your environment for migrated VMs.
- The Cloud Extension Service Account is attached to the Cloud Extensions nodes. It allows Cloud Extensions nodes access to storage resources.
Additionally, Migrate for Compute Engine defines two product-specific roles, roles/cloudmigration.inframanager and roles/cloudmigration.storageaccess, which bundle the Compute Engine and Cloud Storage permissions listed later in this topic.
Migrate for Compute Engine service accounts
Roles assigned to the two service accounts are described below. For more information on these roles, see Understanding roles in the Identity and Access Management documentation.
Service Account | Assigned Roles
---|---
Velostrata Manager Service Account | roles/iam.serviceAccountUser, roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer, roles/cloudmigration.inframanager
Velostrata Cloud Extension Service Account | roles/logging.logWriter, roles/monitoring.metricWriter, roles/cloudmigration.storageaccess
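A least-privilege check for the two service accounts, as an added example that is not part of the original topic: it reads an IAM policy in the JSON shape produced by `gcloud projects get-iam-policy --format=json`, collects the roles bound to each service account, and reports roles that are missing from the documented set (migrations will fail) or granted beyond it (a compromised Manager or Cloud Extension node gets more than it needs). The policy and the service account e-mail addresses are constructed placeholders.

```python
"""Audit a project IAM policy against the role sets documented above.

Added example; the policy below is constructed and the service account
e-mail addresses are placeholders, not values from the topic."""
import json

# Role sets documented for the two service accounts.
EXPECTED_ROLES = {
    "manager": {
        "roles/iam.serviceAccountUser", "roles/logging.logWriter",
        "roles/monitoring.metricWriter", "roles/monitoring.viewer",
        "roles/cloudmigration.inframanager",
    },
    "cloud_extension": {
        "roles/logging.logWriter", "roles/monitoring.metricWriter",
        "roles/cloudmigration.storageaccess",
    },
}

MANAGER_SA = "serviceAccount:velos-manager@example-project.iam.gserviceaccount.com"
CE_SA = "serviceAccount:velos-ce@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`:
# the Manager account has roles/editor on top of its documented roles, and the
# Cloud Extension account is missing roles/monitoring.metricWriter.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": [MANAGER_SA]},
    {"role": "roles/logging.logWriter", "members": [MANAGER_SA, CE_SA]},
    {"role": "roles/monitoring.metricWriter", "members": [MANAGER_SA]},
    {"role": "roles/monitoring.viewer", "members": [MANAGER_SA]},
    {"role": "roles/cloudmigration.inframanager", "members": [MANAGER_SA]},
    {"role": "roles/cloudmigration.storageaccess", "members": [CE_SA]},
    {"role": "roles/editor", "members": [MANAGER_SA, "user:alice@example.com"]},
]})


def roles_for_member(policy_json, member):
    """Return the set of roles bound to `member` anywhere in the policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy_json, member, expected):
    """Diff a member's bound roles against the documented set.

    'extra' roles widen the blast radius of a compromised account;
    'missing' roles will break migrations."""
    actual = roles_for_member(policy_json, member)
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


if __name__ == "__main__":
    for name, member in (("manager", MANAGER_SA), ("cloud_extension", CE_SA)):
        print(name, audit(SAMPLE_POLICY, member, EXPECTED_ROLES[name]))
```

Bindings carrying an IAM condition are counted like any other here; extend `roles_for_member` if you need to treat conditional grants separately.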
Cloud migration roles and permissions
The cloudmigration roles are a collection of permissions required to create and host Migrate for Compute Engine infrastructure in your environment. These permissions are described below. For more information on these permissions, see Understanding roles in the Identity and Access Management documentation.
Role | Permissions
---|---
roles/cloudmigration.inframanager | compute.addresses.create, compute.addresses.createInternal, compute.addresses.delete, compute.addresses.deleteInternal, compute.addresses.get, compute.addresses.list, compute.addresses.setLabels, compute.addresses.use, compute.addresses.useInternal, compute.diskTypes.get, compute.diskTypes.list, compute.disks.create, compute.disks.delete, compute.disks.get, compute.disks.list, compute.disks.setLabels, compute.disks.update, compute.disks.use, compute.disks.useReadOnly, compute.images.get, compute.images.list, compute.images.useReadOnly, compute.instances.attachDisk, compute.instances.create, compute.instances.delete, compute.instances.detachDisk, compute.instances.get, compute.instances.getSerialPortOutput, compute.instances.list, compute.instances.reset, compute.instances.setDiskAutoDelete, compute.instances.setLabels, compute.instances.setMachineType, compute.instances.setMetadata, compute.instances.setMinCpuPlatform, compute.instances.setScheduling, compute.instances.setServiceAccount, compute.instances.setTags, compute.instances.start, compute.instances.startWithEncryptionKey, compute.instances.stop, compute.instances.update, compute.instances.updateNetworkInterface, compute.instances.use, compute.licenseCodes.get, compute.licenseCodes.list, compute.licenseCodes.update, compute.licenseCodes.use, compute.licenses.get, compute.licenses.list, compute.machineTypes.get, compute.machineTypes.list, compute.networks.get, compute.networks.list, compute.networks.use, compute.networks.useExternalIp, compute.nodeTemplates.list, compute.projects.get, compute.regionOperations.get, compute.regions.get, compute.regions.list, compute.subnetworks.get, compute.subnetworks.list, compute.subnetworks.use, compute.subnetworks.useExternalIp, compute.zoneOperations.get, compute.zones.get, compute.zones.list, iam.serviceAccounts.get, iam.serviceAccounts.list, resourcemanager.projects.get, storage.buckets.create, storage.buckets.delete, storage.buckets.get, storage.buckets.list, storage.buckets.update, storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.list, storage.objects.update
roles/cloudmigration.storageaccess | storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.list, storage.objects.update