Before you can begin a migration, you must perform the steps in the first section to enable the Cloud SDK and required services.
The second section describes how to configure a service account for use with Migrate for Anthos. You only have to configure a service account when:
- Performing an on-prem migration
- Using Compute Engine as a migration source and using a non-default scope on the destination Google Kubernetes Engine cluster
Enabling the Cloud SDK and required services
All Migrate for Anthos users must configure the Cloud SDK and enable the required Google services.
Preparing the Cloud SDK
To prepare gcloud:
- Install and initialize the Cloud SDK.
- Update Cloud SDK:
gcloud components update
- Make sure that Cloud SDK is authorized to access your data and services:
gcloud auth login
A new browser tab opens and you are prompted to choose an account.
For an on-prem installation, or if you are running
migctloutside of Cloud Shell, set the credentials required to access a Cloud Storage bucket.For an individual user, use the following gcloud command:
gcloud auth application-default login
A new browser tab opens and you are prompted to choose an account.
Alternatively, if you are using a service account, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON file that contains your service account key:
export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"
Enabling required services
Migrate for Anthos requires that you enable the following Google services:
| Name | Title |
|---|---|
servicemanagement.googleapis.com |
Service Management API |
servicecontrol.googleapis.com |
Service Control API |
cloudresourcemanager.googleapis.com |
Cloud Resource Manager API |
compute.googleapis.com |
Compute Engine API |
container.googleapis.com |
Kubernetes Engine API |
containerregistry.googleapis.com |
Google Container Registry API |
cloudbuild.googleapis.com |
Cloud Build API |
To confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable servicemanagement.googleapis.com servicecontrol.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com container.googleapis.com containerregistry.googleapis.com cloudbuild.googleapis.com
For more information about the gcloud services, see
gcloud services.
Configuring a service account
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
For example, a Compute Engine VM may run as a service account, and that account can be given permissions to access the resources it needs. This way the service account is the identity of the service, and the service account's permissions control which resources the service can access.
When using Migrate for Anthos, you only have to create a service account:
- When performing an on-prem migration
- When using Compute Engine as a migration source and using a non-default cluster scope
See Cloud Identity and Access Management documentation for more.
Best practices when using service accounts
As a best practice, create a separate service account in the same project as you are using for Migrate for Anthos. Then assign the service account only the permissions necessary to perform the required operation. In that way, you limit the permissions associated with the service account.
Steps for creating and configuring a service account
To create and configure a service account:
Create the new service account as described in Creating and managing service accounts.
Create a custom role for the permissions required to be assigned to your service account as described in Understanding IAM custom roles.
Add the custom role to the service account as described in Granting, changing, and revoking access to resources.
Download the service account key as a JSON file as described in Creating service account keys.
You must download the service account key as a JSON file in order to pass it to a Migrate for Anthos command.
Creating a service account for an on-prem migration
When performing an on-prem migration, you must create and download a service account with the following permissions:
storage.buckets.createstorage.buckets.getstorage.buckets.liststorage.buckets.updatestorage.objects.createstorage.objects.getstorage.objects.liststorage.objects.update
After downloading the service account, you can install Migrate for Anthos on the destination Google Kubernetes Engine cluster using the procedure described in Installing Migrate for Anthos.
Optionally creating a service account when using Compute Engine as a migration source
Scopes set the
access level of your cluster nodes for specific GCP services.
When you create a Google Kubernetes Engine cluster in the Cloud, Migrate for Anthos recommends
that you set scopes to cloud-platform.
If you set scopes to cloud-platform, you then create a migration source for Compute Engine
by using a command in the form:
migctl source create ce my-ce-src --project my-project
However, if you set scopes to a value other than cloud-platform, you must define
a service account with the correct permissions, then pass the service account to the command:
migctl source create ce my-ce-src --project my-project --json-key sa.json
You must create and download service account with the following permissions:
compute.disks.createSnapshotcompute.disks.deletecompute.disks.getcompute.instances.getcompute.snapshots.createcompute.snapshots.deletecompute.snapshots.getcompute.zoneOperations.get
After downloading the service account, you can install Migrate for Anthos on
the destination Google Kubernetes Engine cluster with scopes set to a value other than cloud-platform.
See the procedure described in Installing Migrate for Anthos.