You may want more fine-grained control over the permissions granted for the migration process and migrated workloads. To enable this, Velostrata allows you to create roles and service accounts manually.
This page describes the role creation process for two types of manual setup:
- For a single project
- For multiple projects
Prerequisites
You must install the Google Cloud SDK.
Instructions for a single project
Velostrata requires a number of roles and service accounts on Google Cloud. Roles are a set of permissions. Service accounts are assigned these roles.
This section describes how to create the three service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.
The three service accounts are:
- The Velostrata Management Service Account (velos-gcp-mgmt-sa), which creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).
- The Velostrata Cloud Extension Service Account (velos-gcp-ce-sa), which has permissions to manage Cloud Storage for migrations.
- The Velostrata Project Worker Service Account (velos-gcp-worker-sa), which is used for the Prepare to Detach operation: it ensures that data from a VM to be detached is fully synchronized with the cloud, and then writes the data from that bucket to a native Compute Engine disk.
More information on each of these service accounts, and their associated roles, is on the Configuring Google Cloud page.
Creating roles
Create the three Velostrata roles at the Project level within Google Cloud:
- Open a command prompt as an administrative user and use the
Google Cloud SDK to run the following command. Replace the login
parameter with your Google Cloud account login information.
gcloud auth login login@google.com --no-launch-browser --brief
- Download the Cloud Deployment Manager zip file, which contains YAML configuration files.
- Unzip the file and save it to a directory you can access when creating the role account.
- Execute the following commands:
gcloud iam roles create "velos_mgmt_role" --project [PROJECT_ID] \
  --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_ce_role" --project [PROJECT_ID] \
  --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_worker_role" --project [PROJECT_ID] \
  --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet
Creating service accounts and assigning roles to them
- Create the velos-gcp-mgmt-sa service account in Google Cloud:
gcloud config set project [PROJECT_ID]
gcloud iam service-accounts create "velos-gcp-mgmt-sa" --display-name "Velos-gcp-mgmt-sa"
- Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account. Note: The [PROJECT_ID] is the same one used in the previous step.
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:"velos-gcp-mgmt-sa@[PROJECT_ID].iam.gserviceaccount.com" \
  --role "projects/[PROJECT_ID]/roles/velos_mgmt_role" \
  --no-user-output-enabled --quiet
- Create the velos-gcp-ce-sa service account in Google Cloud. Create this account in the project where you plan to deploy the Velostrata Cloud Extension (CE).
gcloud iam service-accounts create "velos-gcp-ce-sa" \
  --display-name "velos-gcp-ce-sa"
- Assign the velos_ce_role, created above, to the velos-gcp-ce-sa service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:"velos-gcp-ce-sa@[PROJECT_ID].iam.gserviceaccount.com" \
  --role "projects/[PROJECT_ID]/roles/velos_ce_role" \
  --no-user-output-enabled --quiet
- Create the velos-gcp-worker-sa service account:
gcloud iam service-accounts create "velos-gcp-worker-sa" \
  --display-name="velos-worker-sa"
- Assign the velos_worker_role, created above, to the velos-gcp-worker-sa service account within the CE project:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:"velos-gcp-worker-sa@[PROJECT_ID].iam.gserviceaccount.com" \
  --role "projects/[PROJECT_ID]/roles/velos_worker_role" \
  --no-user-output-enabled --quiet
Instructions for multiple projects
The example used in this section refers to the following resources that you use when creating and assigning roles and service accounts for multiple projects:
- Organization: the Google Cloud organization containing all account roles and service account objects.
- Host Project: the Google Cloud project that contains management service accounts.
- Cloud Extension (CE) Project: the Google Cloud project that hosts the Cloud Extension service accounts and VMs.
- Destination Project: A Google Cloud project that VMs are being migrated into.
The table below lists the commands and command parameters used in the instructions to create roles and assign service accounts to roles for multiple projects.
You can view a list of existing values for each command parameter at the gcloud
command line by executing the command in the third column of the table.
Command parameter | Description | gcloud CLI list command |
---|---|---|
orgadmin@google.com | The organization-level administrator | N/A |
organizationID | The numerical ID of the organization containing the projects, roles, and service accounts | gcloud organizations list |
projectID | The alphanumeric ID of the project where the velos-mgmt-sa and velos-ce-sa service accounts are created. | gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)" |
projectName | The alphanumeric name of the project associated with the above projectID. These names may or may not be the same. | gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)" |
serviceProjectID | The numerical ID of the Google Cloud project into which the VMs will be migrated. | gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)" |
For more information about the following gcloud commands and their parameters, see the gcloud CLI documentation.
Creating roles
The following steps will create roles for Velostrata on Google Cloud.
- Create the Velostrata roles within Google Cloud at the Organization level:
gcloud auth login orgadmin@google.com --no-launch-browser --brief
- Download the Velostrata_Manager zip file, which contains the YAML files needed to create these roles.
- Unzip the file and save it to a directory you can access when creating roles.
- Execute the following commands:
gcloud iam roles create "velos_mgmt_role" --organization [organizationId] \
  --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_ce_role" --organization [organizationId] \
  --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_worker_role" --organization [organizationId] \
  --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_listnetwork_role" --organization [organizationId] \
  --file ./velos_gcp_org_listnetworks_role.yaml --no-user-output-enabled --quiet
Creating service accounts and assigning roles to them
- Create the velos-gcp-mgmt-sa service account in Google Cloud. Although you can create the velos-gcp-mgmt-sa service account in any of your projects, Velostrata 4.0 by Google recommends creating this service account in the host project to simplify configuration.
gcloud config set project [ProjectID]
gcloud iam service-accounts create "velos-gcp-mgmt-sa" \
  --display-name "Velos-gcp-mgmt-sa"
- Assign the velos_mgmt_role, created above, to the velos-gcp-mgmt-sa service account.
gcloud projects add-iam-policy-binding [ProjectID] \
  --member serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
  --role "organizations/[organizationId]/roles/velos_mgmt_role" \
  --no-user-output-enabled --quiet
Pick one of two options for assigning security privileges:
- Option A assigns permissions at the organization level. This has fewer steps but offers less granularity over permissions.
- Option B assigns permissions on a per-project basis, which requires more steps but provides more granularity over permissions and access control.
Once you have completed either option, continue to Finishing the configuration.
Option A – Assigning security privileges in the IAM console
For Option A, you assign the role to the velos-gcp-mgmt-sa service account at the organization level in the IAM console. This gives the velos-gcp-mgmt-sa service account access to all projects in the organization, so the Google Cloud administrator does not have to create a service account in every project.
- Log in to the IAM console with your Google Cloud account as an organization-level administrator.
- Click the project selection at the top and pick your organization.
- From the Google Cloud menu, select IAM and click the ADD button.
- In the New Members field, enter the full name of your velos-gcp-mgmt-sa service account.
- In the Select a role drop-down box, select Custom in the left-hand column, then **Velos Mgmt Role** in the right-hand column.
- Click Save.
- Continue to Finishing the configuration.
Option B – Assigning security privileges to the Velostrata service account
- Assign the velos_listnetwork_role (created above from velos_gcp_org_listnetworks_role.yaml) to the velos-gcp-mgmt-sa service account. Use the ID of the host project for the [ProjectID]:
gcloud projects add-iam-policy-binding [ProjectID] \
  --member serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
  --role "organizations/[organizationId]/roles/velos_listnetwork_role" \
  --no-user-output-enabled --quiet
- Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account for each Cloud Extension (CE) destination project. Replace [DestinationProjectID] with the ID of each destination project, and [HostProjectID] with the ID of the project that contains the velos-gcp-mgmt-sa service account:
gcloud projects add-iam-policy-binding [DestinationProjectID] \
  --member serviceAccount:"velos-gcp-mgmt-sa@[HostProjectID].iam.gserviceaccount.com" \
  --role "organizations/[organizationId]/roles/velos_mgmt_role" \
  --no-user-output-enabled --quiet
- Continue to Finishing the configuration.
Finishing the configuration
- After you've completed either Option A or Option B, create the velos-gcp-ce-sa service account in Google Cloud. Create this account in the destination project where you plan to deploy the Velostrata Cloud Extension (CE).
gcloud config set project [CEProjectId]
gcloud iam service-accounts create "velos-gcp-ce-sa" --display-name "velos-gcp-ce-sa"
- Assign the velos_ce_role to the velos-gcp-ce-sa service account:
gcloud projects add-iam-policy-binding [CEProjectId] \
  --member serviceAccount:"velos-gcp-ce-sa@[CEProjectId].iam.gserviceaccount.com" \
  --role "organizations/[organizationId]/roles/velos_ce_role" \
  --no-user-output-enabled --quiet
- Assign a policy that maps the velos-gcp-ce-sa service account to the velos-gcp-mgmt-sa service account. This step is required in order for the velos-gcp-mgmt-sa service account to create Cloud Extension instances.
- To do this, navigate to the folder with the YAML files you downloaded previously.
- Open the YAML file named "sa_mapping.yaml" in your preferred text editor. Note that YAML files are case- and space-sensitive.
- Go to Line 5 of the file, which looks similar to the following example:
serviceAccount:velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com
- Replace [ProjectID] with the ID of the project that contains the velos-gcp-mgmt-sa service account.
- Save the file and exit your text editor.
- Execute the following command at the command line:
gcloud iam service-accounts set-iam-policy "velos-gcp-ce-sa@[CEProjectId].iam.gserviceaccount.com" \
  ./sa_mapping.yaml --no-user-output-enabled --quiet
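Because sa_mapping.yaml is case- and space-sensitive and the placeholder appears on this page in two casings, it is worth rendering the file with a small helper that refuses to emit a policy with a leftover placeholder, an invalid project ID, or a malformed service-account member. The following Python is an added example, not code from this page or from Velostrata: the template text is a constructed stand-in for sa_mapping.yaml (only the member line follows the page; the role shown is an assumption, so use the role from the downloaded file), and the project-ID and service-account-ID rules are Google Cloud's published naming constraints.

```python
import re

# Google Cloud project IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Service-account e-mail: 6-30 character account ID, then the project's SA domain.
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")
# The page writes the placeholder as both [ProjectID] and [projectID]; accept either.
PLACEHOLDER_RE = re.compile(r"\[projectid\]", re.IGNORECASE)

# Constructed stand-in for the downloaded sa_mapping.yaml. Only the member line follows
# the page; the role is an ASSUMPTION for illustration, use the one in the real file.
SA_MAPPING_TEMPLATE = """\
bindings:
- members:
  - serviceAccount:velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com
  role: roles/iam.serviceAccountUser
"""


def service_account_members(policy_text):
    """Return the service-account e-mails listed as members in a rendered policy."""
    return re.findall(r"serviceAccount:(\S+)", policy_text)


def render_sa_mapping(template, project_id):
    """Substitute the management project's ID into the mapping template.

    Raises ValueError instead of returning a policy that gcloud would reject or,
    worse, apply with an unintended member.
    """
    if not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"not a valid Google Cloud project ID: {project_id!r}")
    rendered, count = PLACEHOLDER_RE.subn(project_id, template)
    if count == 0:
        raise ValueError("template contains no [ProjectID] placeholder")
    leftover = re.findall(r"\[[A-Za-z]+\]", rendered)
    if leftover:
        raise ValueError(f"unreplaced placeholders remain: {leftover}")
    for email in service_account_members(rendered):
        if not SA_EMAIL_RE.match(email):
            raise ValueError(f"malformed service-account member: {email!r}")
    return rendered


if __name__ == "__main__":
    # "my-host-project" is a constructed project ID.
    print(render_sa_mapping(SA_MAPPING_TEMPLATE, "my-host-project"), end="")
```

Write the returned text to sa_mapping.yaml before running the gcloud iam service-accounts set-iam-policy command above; the validation is deliberately strict so that a typo in the project ID fails here rather than in the service-account policy.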
- Create the velos-gcp-worker-sa service account. At the command line, execute the following commands:
gcloud config set project [destinationProjectId]
gcloud iam service-accounts create "velos-gcp-worker-sa" \
  --display-name="velos-gcp-worker-sa"
- Assign the velos_worker_role to the velos-gcp-worker-sa service account:
gcloud projects add-iam-policy-binding [CEProjectId] \
  --member serviceAccount:"velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
  --role "organizations/[organizationId]/roles/velos_worker_role" \
  --no-user-output-enabled --quiet
- Assign a policy that maps the velos-gcp-worker-sa service account to the velos-gcp-mgmt-sa service account. This is required for the velos-gcp-mgmt-sa service account to create instances. Execute the following command:
gcloud iam service-accounts set-iam-policy "velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
  ./sa_mapping.yaml --no-user-output-enabled --quiet