Creating Google Cloud roles and service accounts manually

You may want more fine-grained control over the permissions granted for the migration process and for migrated workloads. To enable this, Velostrata allows you to create the required roles and service accounts manually instead of having them generated for you.

This page describes the role creation process for two types of manual setup: a single, standalone project, and multiple projects under one organization.

Prerequisites

You must install the Google Cloud SDK.

Instructions for a single project

Velostrata requires a number of roles and service accounts on Google Cloud. A role is a set of permissions; service accounts are granted these roles.

This section describes how to create the three service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.

The three service accounts are:

  • The Velostrata Management Service Account (velos-gcp-mgmt-sa), which creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).
  • The Velostrata Cloud Extension Service Account (velos-gcp-ce-sa), which has permissions to manage Cloud Storage for migrations.
  • The Velostrata Project Worker Service Account (velos-gcp-worker-sa), which is used for the Prepare to Detach operation: it ensures that data from a VM to be detached is fully synchronized to a Cloud Storage bucket, then writes from that bucket to a native Compute Engine disk.

More information on each of these service accounts, and their associated roles, is on the Configuring Google Cloud page.

Creating roles

  1. Create the three Velostrata roles at the Project level within Google Cloud:

    1. Open a command prompt as an administrative user and use the Google Cloud SDK to run the following command. Replace the login parameter with your Google Cloud account login information.
      gcloud auth login login@google.com --no-launch-browser --brief
    2. Download the Cloud Deployment Manager zip file, which contains YAML configuration files.
    3. Unzip the file and save it to a directory you can access when creating the roles.
    4. Execute the following commands:
      gcloud iam roles create "velos_mgmt_role" --project [PROJECT_ID] \
       --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
      gcloud iam roles create "velos_ce_role" --project [PROJECT_ID] \
       --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
      gcloud iam roles create "velos_worker_role" --project [PROJECT_ID] \
       --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet

Creating service accounts and assigning roles to them

  1. Create the velos-gcp-mgmt-sa service account in Google Cloud:

    gcloud config set project [PROJECT_ID]
    gcloud iam service-accounts create "velos-gcp-mgmt-sa" --display-name "Velos-gcp-mgmt-sa"

  2. Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account. Note: [PROJECT_ID] is the same project ID used in the previous step.

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
     --member serviceAccount:"velos-gcp-mgmt-sa@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "projects/[PROJECT_ID]/roles/velos_mgmt_role" \
     --no-user-output-enabled --quiet
  3. Create the velos-gcp-ce-sa service account in Google Cloud. Create this account in the project where you plan to deploy the Velostrata Cloud Extension (CE).

    gcloud iam service-accounts create "velos-gcp-ce-sa" \
     --display-name "velos-gcp-ce-sa"
  4. Assign the velos_ce_role, created above, to the velos-gcp-ce-sa service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
     --member serviceAccount:"velos-gcp-ce-sa@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "projects/[PROJECT_ID]/roles/velos_ce_role" \
     --no-user-output-enabled --quiet
  5. Create the velos-gcp-worker-sa service account:

    gcloud iam service-accounts create "velos-gcp-worker-sa" \
     --display-name="velos-worker-sa"
  6. Assign the velos_worker_role, created above, to the velos-gcp-worker-sa service account within the CE project:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
     --member serviceAccount:"velos-gcp-worker-sa@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "projects/[PROJECT_ID]/roles/velos_worker_role" --no-user-output-enabled --quiet

Instructions for multiple projects

The example used in this section refers to the following resources, which you use when creating and assigning roles and service accounts for multiple projects:

  • Organization: the Google Cloud organization containing all account roles and service account objects.
  • Host Project: the Google Cloud project that contains management service accounts.
  • Cloud Extension (CE) Project: the Google Cloud project that hosts the Cloud Extension service accounts and VMs.
  • Destination Project: A Google Cloud project that VMs are being migrated into.

The list below gives the command parameters used in the instructions to create roles and assign them to service accounts for multiple projects, with a description of each parameter and the gcloud command that lists its existing values (where one applies).

  • orgadmin@google.com: the organization-level administrator. List command: N/A.
  • organizationID: the numerical ID of the organization containing the projects, roles, and service accounts. List command:
    gcloud organizations list
  • projectID: the alphanumeric ID of the project where the velos-gcp-mgmt-sa and velos-gcp-ce-sa service accounts are created. List command:
    gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"
  • projectName: the alphanumeric name of the project associated with the above projectID. The name and the ID may or may not be the same. List command:
    gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"
  • serviceProjectID: the ID of the Google Cloud project to which the VMs will be migrated. List command:
    gcloud projects list --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"

For more information about the following gcloud commands and their parameters, see the gcloud CLI documentation.

Creating roles

The following steps will create roles for Velostrata on Google Cloud.

  1. Create the Velostrata roles within Google Cloud at the Organization level. Log in as the organization-level administrator:
    gcloud auth login orgadmin@google.com --no-launch-browser --brief
  2. Download the Velostrata_Manager zip file, which contains the YAML files needed to create these roles.
  3. Unzip the file and save it to a directory you can access when creating the roles.
  4. Execute the following commands:
    gcloud iam roles create "velos_mgmt_role" --organization [organizationId] \
     --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_ce_role" --organization [organizationId] \
     --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_worker_role" --organization [organizationId] \
     --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_listnetwork_role" --organization [organizationId] \
     --file ./velos_gcp_org_listnetworks_role.yaml --no-user-output-enabled --quiet

Creating service accounts and assigning roles to them

  1. Create the velos-gcp-mgmt-sa service account in Google Cloud. Although you can create the velos-gcp-mgmt-sa service account in any of your projects, Velostrata 4.0 by Google recommends creating this service account in the host project to simplify configuration.

    gcloud config set project [projectId]
    gcloud iam service-accounts create "velos-gcp-mgmt-sa" \
     --display-name "Velos-gcp-mgmt-sa"
  2. Assign the velos_mgmt_role, created above, to the velos-gcp-mgmt-sa service account.

    gcloud projects add-iam-policy-binding [ProjectID] \
     --member serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
     --role organizations/[organizationId]/roles/"velos_mgmt_role" \
     --no-user-output-enabled --quiet
  3. Pick one of two options for assigning security privileges.

    • Option A assigns permissions at the organization-level. This has fewer steps but offers less granularity over permissions.
    • Option B assigns permissions on a per-project basis, which requires more steps but provides more granularity over permissions and access control.

    Once you have completed either option, continue to Finishing the configuration.

Option A – Assigning security privileges in the IAM console

  1. For Option A, you grant the velos-gcp-mgmt-sa service account its role at the organization level in the IAM console. This gives the velos-gcp-mgmt-sa service account access to all projects in the organization, so the Google Cloud administrator does not have to create a service account in every project.
  2. Log in to the IAM console with your Google Cloud account as an organization-level administrator.
  3. Click the project selection at the top and pick your organization.
  4. From the Google Cloud menu, select IAM and click the ADD button.
  5. In the New Members field, enter the full name of your velos-gcp-mgmt-sa service account, as shown below.
  6. In the Select a role drop-down box, select Custom in the left-hand column, then Velos Mgmt Role in the right-hand column.
  7. Click Save.
  8. Continue to Finishing the configuration.

Option B – Assigning security privileges to the Velostrata service account

  1. Assign the velos_listnetwork_role (created above from velos_gcp_org_listnetworks_role.yaml) to the velos-gcp-mgmt-sa service account. Use the ID of the host project for [ProjectID]:

    gcloud projects add-iam-policy-binding [ProjectID] \
     --member serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
     --role organizations/[organizationId]/roles/"velos_listnetwork_role" \
     --no-user-output-enabled --quiet

  2. Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account for each Cloud Extension (CE) destination project:

    gcloud projects add-iam-policy-binding [ProjectID] \
     --member serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
     --role organizations/[organizationId]/roles/"velos_mgmt_role" \
     --no-user-output-enabled --quiet

  3. Continue to Finishing the configuration.

Finishing the configuration

  1. After you've completed either Option A or Option B, create the velos-gcp-ce-sa service account in Google Cloud. Create this account in the destination project where you plan to deploy the Velostrata Cloud Extension (CE).

    gcloud config set project [CEProjectId]
    gcloud iam service-accounts create "velos-gcp-ce-sa" \
     --display-name "velos-gcp-ce-sa"
  2. Assign velos_ce_role to the velos-gcp-ce-sa service account:

    gcloud projects add-iam-policy-binding [CEProjectId] \
     --member serviceAccount:"velos-gcp-ce-sa@[CEProjectId].iam.gserviceaccount.com" \
     --role organizations/[organizationId]/roles/"velos_ce_role" \
     --no-user-output-enabled --quiet
  3. Assign a policy that maps the velos-gcp-ce-sa service account to the velos-gcp-mgmt-sa service account. This step is required in order for the velos-gcp-mgmt-sa service account to create Cloud Extension instances.

    1. To do this, navigate to the folder with the YAML files you downloaded previously.
    2. Open the YAML file named "sa_mapping.yaml" in your preferred text editor. Note that YAML files are case- and space-sensitive.
    3. Go to line 5 of the file, which looks similar to the following example:
      serviceAccount:velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com

    4. Replace [ProjectID] with the ID of the project that contains the velos-gcp-mgmt-sa service account.
    5. Save the file and exit your text editor.
    6. Execute the following command at the command line:

      gcloud iam service-accounts set-iam-policy "velos-gcp-ce-sa@[CEProjectId].iam.gserviceaccount.com" \
       ./sa_mapping.yaml --no-user-output-enabled --quiet

  4. Create the velos-gcp-worker-sa service account. At the command line, execute the following commands:

    gcloud config set project [destinationProjectId]
    gcloud iam service-accounts create "velos-gcp-worker-sa" \
     --display-name="velos-gcp-worker-sa"
  5. Assign the velos_worker_role to the velos-gcp-worker-sa service account:

    gcloud projects add-iam-policy-binding [CEProjectId] \
     --member serviceAccount:"velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
     --role organizations/[organizationId]/roles/"velos_worker_role"
  6. Assign a policy that maps the velos-gcp-worker-sa service account to the velos-gcp-mgmt-sa service account. This is required for the velos-gcp-mgmt-sa service account to create instances. Execute the following command:

    gcloud iam service-accounts set-iam-policy "velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
     ./sa_mapping.yaml --no-user-output-enabled --quiet
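Both the single-project procedure and the multi-project procedure above end with each Velostrata service account bound to exactly one custom role (plus velos_listnetwork_role for velos-gcp-mgmt-sa under Option B), so a quick audit of the resulting IAM policy confirms nothing broader was granted along the way. The script below is an added example, not part of the Velostrata documentation or the Google Cloud SDK; it assumes a project ID of my-proj, uses constructed sample bindings, and assumes that the gcloud invocation named in its header prints one member,role pair per line. Pass projects/[PROJECT_ID] as the role parent for the single-project setup, or organizations/[organizationId] for the multi-project setup, and pipe in the policy of each project (or of the organization, for Option A) that you want checked.

```shell
#!/bin/sh
# Added audit helper (not part of the Velostrata documentation). It reads the
# flattened binding list that, by assumption, this gcloud invocation prints:
#   gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.members,bindings.role)"
# and reports any Velostrata service account that is missing its custom role or
# holds a role other than the ones this page assigns to it.

# Constructed sample for project "my-proj" (not real gcloud output); the
# roles/editor line is a deliberate over-grant that the audit must catch.
SAMPLE_BINDINGS='serviceAccount:velos-gcp-mgmt-sa@my-proj.iam.gserviceaccount.com,projects/my-proj/roles/velos_mgmt_role
serviceAccount:velos-gcp-ce-sa@my-proj.iam.gserviceaccount.com,projects/my-proj/roles/velos_ce_role
serviceAccount:velos-gcp-worker-sa@my-proj.iam.gserviceaccount.com,projects/my-proj/roles/velos_worker_role
serviceAccount:velos-gcp-ce-sa@my-proj.iam.gserviceaccount.com,roles/editor
user:admin@example.com,roles/owner'

# audit_velos_bindings ROLE_PARENT   (bindings on stdin)
# ROLE_PARENT is projects/PROJECT_ID (single-project setup) or
# organizations/ORG_ID (multi-project setup). Prints one MISSING/UNEXPECTED
# line per finding; returns 0 only when every Velostrata service account holds
# exactly the custom role(s) expected for it.
audit_velos_bindings() {
  awk -F, -v parent="$1" '
    BEGIN {
      want["velos-gcp-mgmt-sa"]   = parent "/roles/velos_mgmt_role " parent "/roles/velos_listnetwork_role"
      want["velos-gcp-ce-sa"]     = parent "/roles/velos_ce_role"
      want["velos-gcp-worker-sa"] = parent "/roles/velos_worker_role"
      bad = 0
    }
    $1 ~ /^serviceAccount:velos-gcp-/ {
      sa = $1
      sub(/^serviceAccount:/, "", sa)   # drop the member type prefix
      sub(/@.*$/, "", sa)               # keep only the account name
      if (sa in want) {
        if (index(" " want[sa] " ", " " $2 " ") > 0) seen[sa] = 1
        else { print "UNEXPECTED " sa " -> " $2; bad = 1 }
      }
    }
    END {
      for (sa in want)
        if (!(sa in seen)) { print "MISSING " sa " -> one of: " want[sa]; bad = 1 }
      exit bad
    }'
}

# Stand-alone run against the constructed sample; the over-grant is reported.
printf '%s\n' "$SAMPLE_BINDINGS" | audit_velos_bindings projects/my-proj \
  || echo "audit failed: see findings above"
```

Service accounts in the policy that are not one of the three Velostrata accounts are ignored, so the audit only speaks to the bindings this page creates.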