To limit access for users within a project or organization, you can use
Identity and Access Management (IAM) roles for Database Migration Service and your relevant
destination database product. You can control
access to Database Migration Service-related resources, as opposed to granting users
the Viewer, Editor, or Owner role to the entire Google Cloud project.
This page details all of the roles that user and service accounts need
during a heterogeneous AlloyDB for PostgreSQL migration with Database Migration Service.
For more information about when you use these permissions during the migration process, see
Migrate your SQL Server databases to AlloyDB for PostgreSQL.
Accounts involved in performing migration jobs
There are two accounts involved in data migrations performed with
Database Migration Service:
User account that performs the migration
This is the
Google Account that you sign in with to create the connection profiles,
upload the backup files to Cloud Storage, and create and run the migration
job.
Database Migration Service service account
This is the service account that is created for you when you enable the
Database Migration Service API. The email address associated with this account is generated
automatically and can't be changed. This email address uses the following
format:

```
service-PROJECT_NUMBER@gcp-sa-datamigration.iam.gserviceaccount.com
```

Each account involved in the data migration process requires a different
set of roles and permissions.
Permissions and roles
To get the permissions that you need to perform heterogeneous SQL Server
migrations with Database Migration Service, ask your administrator to grant you the
required IAM roles on your project:

- Database Migration Admin (`roles/datamigration.admin`)
- AlloyDB Admin (`roles/alloydb.admin`)

For more information about granting roles, see
Manage access in the Identity and Access Management documentation.
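
The following is an added example, not part of the Database Migration Service documentation: it audits a project IAM policy to confirm that the migration user holds the two roles named on this page without also holding a project-wide Viewer, Editor, or Owner role, and lists Database Migration Service accounts whose project number differs from the project being audited. The member names, project numbers, and the Cloud Storage binding in the sample policy are constructed for illustration.

```python
import json
import re

# Roles this page lists for the user account that performs the migration.
REQUIRED_USER_ROLES = {"roles/datamigration.admin", "roles/alloydb.admin"}
# Project-wide basic roles the page advises against granting instead.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
# Service account email format given on this page.
DMS_ACCOUNT = re.compile(
    r"^serviceAccount:service-(\d+)@gcp-sa-datamigration\.iam\.gserviceaccount\.com$")

# Constructed sample, in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["user:migrator@example.com"]},
  {"role": "roles/datamigration.admin", "members": ["user:migrator@example.com"]},
  {"role": "roles/alloydb.admin", "members": ["user:dba@example.com"]},
  {"role": "roles/storage.objectViewer", "members": [
    "serviceAccount:service-123456789012@gcp-sa-datamigration.iam.gserviceaccount.com",
    "serviceAccount:service-999999999999@gcp-sa-datamigration.iam.gserviceaccount.com"]}
]}
""")

def roles_by_member(policy):
    """Map each member to the set of roles bound to it (conditions are ignored)."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held

def audit_migration_user(policy, member):
    """Report required roles the member lacks and basic roles it should not need."""
    held = roles_by_member(policy).get(member, set())
    return {"missing": sorted(REQUIRED_USER_ROLES - held),
            "basic": sorted(held & BASIC_ROLES)}

def foreign_dms_accounts(policy, project_number):
    """List Database Migration Service accounts that belong to another project."""
    found = []
    for member in roles_by_member(policy):
        match = DMS_ACCOUNT.match(member)
        if match and match.group(1) != project_number:
            found.append(member)
    return sorted(found)

if __name__ == "__main__":
    print(audit_migration_user(SAMPLE_POLICY, "user:migrator@example.com"))
    print(foreign_dms_accounts(SAMPLE_POLICY, "123456789012"))
```
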
These predefined roles contain the permissions required to perform
heterogeneous SQL Server migrations with Database Migration Service. To see the exact
permissions that are required, see the
Required permissions section:
Required permissions
The following permissions are required to perform heterogeneous SQL Server
migrations with Database Migration Service:

- `datamigration.*`
- `cloudaicompanion.entitlements.get`

  This permission is included in the `roles/datamigration.admin`
  role. It is required for the Gemini-enhanced conversion features.
- `alloydb.clusters.create`
- `alloydb.clusters.get`
- `alloydb.clusters.list`
- `alloydb.clusters.update`
- `alloydb.clusters.delete`
- `alloydb.instances.create`
- `alloydb.instances.get`
- `alloydb.instances.list`
- `alloydb.instances.update`
- `alloydb.instances.delete`
- `alloydb.operations.get`
- `alloydb.users.list`
- `alloydb.users.get`
- `alloydb.users.create`
- `alloydb.users.update`
- `alloydb.users.delete`

You might also be able to get these permissions with
custom roles or other predefined roles.

Database Migration Service for heterogeneous SQL Server to AlloyDB for PostgreSQL
migrations is currently in Pre-GA stage, subject to specific terms and limited support.

Last updated 2025-09-04 UTC.