Enabling Google services and configuring service accounts

Before you can begin a migration, you must complete the steps in the following sections:

Enabling the Cloud SDK and required services

All Migrate for Anthos users must configure the Cloud SDK and enable the required Google services.

Preparing the Cloud SDK

To prepare gcloud:

  1. Install and initialize the Cloud SDK.
  2. Update Cloud SDK:
    gcloud components update
  3. Make sure that Cloud SDK is authorized to access your data and services:
    gcloud auth login

    A new browser tab opens and you are prompted to choose an account.

  4. For an on-prem installation, set the credentials required to access a Cloud Storage bucket.

    For an individual user, use the following gcloud command:

    gcloud auth application-default login

    A new browser tab opens and you are prompted to choose an account.

    Alternatively, if you are using a service account, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON file that contains your service account key:

    export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

Enabling required services

Migrate for Anthos requires that you enable the following Google services:

Name                                   Title
servicemanagement.googleapis.com       Service Management API
servicecontrol.googleapis.com          Service Control API
cloudresourcemanager.googleapis.com    Cloud Resource Manager API
compute.googleapis.com                 Compute Engine API
container.googleapis.com               Kubernetes Engine API
containerregistry.googleapis.com       Google Container Registry API
cloudbuild.googleapis.com              Cloud Build API

To confirm that the required services are enabled:

gcloud services list

If you do not see the required services listed, enable them:

gcloud services enable servicemanagement.googleapis.com servicecontrol.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com container.googleapis.com containerregistry.googleapis.com cloudbuild.googleapis.com

For more information about the gcloud services commands, see the gcloud services reference.
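An added check, not from the Migrate for Anthos documentation: it compares the project's enabled services against the required list above and prints a `gcloud services enable` command covering only what is missing, so nothing beyond what the migration needs gets turned on. It assumes the input is the output of `gcloud services list --enabled --format="value(config.name)"` (one service name per line); the sample input is constructed.

```shell
# Required services for Migrate for Anthos (the table above), one per line.
M4A_REQUIRED_SERVICES="servicemanagement.googleapis.com
servicecontrol.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
container.googleapis.com
containerregistry.googleapis.com
cloudbuild.googleapis.com"

# $1: enabled service names, one per line, as printed by
#   gcloud services list --enabled --format="value(config.name)"
# Prints the required services that are not enabled, one per line;
# prints nothing when the project is ready.
m4a_missing_services() {
  for svc in $M4A_REQUIRED_SERVICES; do
    # -x: whole-line match, -F: literal (dots are not regex wildcards)
    printf '%s\n' "$1" | grep -qxF "$svc" || printf '%s\n' "$svc"
  done
}

# Exit 0 only when every required service is enabled.
m4a_services_ready() {
  [ -z "$(m4a_missing_services "$1")" ]
}

# Print the exact enable command for the missing services only
# (prints nothing when none are missing).
m4a_enable_command() {
  missing="$(m4a_missing_services "$1" | tr '\n' ' ')"
  [ -n "$missing" ] || return 0
  printf 'gcloud services enable %s\n' "${missing% }"
}

# Constructed sample (not from a real project) of what
#   gcloud services list --enabled --format="value(config.name)"
# might print before setup.
SAMPLE_ENABLED="compute.googleapis.com
container.googleapis.com
logging.googleapis.com
servicemanagement.googleapis.com"

m4a_enable_command "$SAMPLE_ENABLED"
```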

Configuring service accounts

A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.

For example, a Compute Engine VM may run as a service account, and that account can be given permissions to access the resources it needs. This way the service account is the identity of the service, and the service account's permissions control which resources the service can access.

When using Migrate for Anthos, you create two service accounts: one for installing Migrate for Anthos components (with access to Container Registry and Cloud Storage), and one for using Compute Engine as a migration source. Both are described in the following sections.

Best practices when using service accounts

As a best practice, create a separate service account in the same project that you are using for Migrate for Anthos. Then assign the service account only the permissions necessary to perform the required operation. In that way, you limit the permissions associated with the service account.

Creating a service account for accessing Container Registry and Cloud Storage

Create a service account with the storage.admin role and pass its key file to the installer when you install Migrate for Anthos components:

  1. Create the m4a-install service account:

    gcloud iam service-accounts create m4a-install \
     --project=PROJECT_ID
  2. Grant the storage.admin role to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID  \
     --member="serviceAccount:m4a-install@PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/storage.admin"
  3. Download the key file for the service account:

    gcloud iam service-accounts keys create m4a-install.json \
     --iam-account=m4a-install@PROJECT_ID.iam.gserviceaccount.com \
     --project=PROJECT_ID

After downloading the service account key as a JSON file, you can install Migrate for Anthos on the destination Google Kubernetes Engine cluster using the procedure described in Installing Migrate for Anthos.

Creating a service account for using Compute Engine as a migration source

To use Compute Engine as a migration source, create a service account with the compute.viewer and compute.storageAdmin roles:

  1. Create the m4a-ce-src service account:

    gcloud iam service-accounts create m4a-ce-src \
     --project=PROJECT_ID
  2. Grant the compute.viewer role to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID  \
     --member="serviceAccount:m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/compute.viewer"
  3. Grant the compute.storageAdmin role to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID  \
     --member="serviceAccount:m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/compute.storageAdmin"
  4. Download the key file for the service account:

    gcloud iam service-accounts keys create m4a-ce-src.json \
     --iam-account=m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com \
     --project=PROJECT_ID

After downloading the service account key as a JSON file, you can create a source for migrating Compute Engine workloads. See Adding a migration source.
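An added audit for both service accounts above (m4a-install and m4a-ce-src), not code from the Migrate for Anthos documentation: it checks that each account holds exactly the roles the procedures grant, flagging any extra role (privilege creep) or any missing one (the install or migration would fail). It assumes the policy input is the flattened "role<TAB>member" lines printed by `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"`; the function names are hypothetical and the sample policy is constructed.

```shell
# Print every role bound to member $1 in the policy lines $2.
m4a_sa_roles() {
  printf '%s\n' "$2" | awk -F '\t' -v m="$1" '$2 == m { print $1 }'
}

# Roles that member $1 holds beyond the expected set $2 (space-separated),
# looked up in policy lines $3. Each printed role is a finding.
m4a_sa_extra_roles() {
  for role in $(m4a_sa_roles "$1" "$3"); do
    case " $2 " in
      *" $role "*) ;;                    # expected, nothing to report
      *) printf '%s\n' "$role" ;;        # not in the expected set
    esac
  done
}

# Expected roles (set $2) that member $1 does not actually hold.
m4a_sa_missing_roles() {
  have="$(m4a_sa_roles "$1" "$3")"
  for role in $2; do
    printf '%s\n' "$have" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# Exit 0 only when the bound roles are exactly the expected set.
m4a_sa_least_privilege_ok() {
  [ -z "$(m4a_sa_extra_roles "$@")" ] && [ -z "$(m4a_sa_missing_roles "$@")" ]
}

# Constructed sample policy (PROJECT_ID is a placeholder, as on the page).
# Here m4a-install has picked up roles/editor, which the procedure never grants.
SA_INSTALL="serviceAccount:m4a-install@PROJECT_ID.iam.gserviceaccount.com"
SA_SRC="serviceAccount:m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com"
SAMPLE_POLICY="$(printf '%s\t%s\n' \
  roles/storage.admin        "$SA_INSTALL" \
  roles/owner                user:alice@example.com \
  roles/editor               "$SA_INSTALL" \
  roles/compute.viewer       "$SA_SRC" \
  roles/compute.storageAdmin "$SA_SRC")"

echo "Unexpected roles on m4a-install:"
m4a_sa_extra_roles "$SA_INSTALL" "roles/storage.admin" "$SAMPLE_POLICY"
```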

What's next