IAM permissions for Migrate for Compute Engine

This topic lists Identity and Access Management (IAM) roles required for users setting up and using Migrate for Compute Engine on Google Cloud, as well as for Migrate for Compute Engine components performing migration actions at runtime.

You assign roles and permissions to two kinds of principals: the users who set up and use Migrate for Compute Engine, and the service accounts that Migrate for Compute Engine components run as at migration time.

For a list of permissions granted with each role, see Understanding roles.

For general information on granting roles, see Granting, changing, and revoking access to resources.

Roles required for creating service accounts

In order to create service accounts, the user you are logged in with needs to have the following roles:

Role: roles/resourcemanager.organizationAdmin
Permissions: Administer all resources belonging to the organization.
Description: Allows users to create a service account in a project within an organization.

Role: roles/iam.serviceAccountAdmin
Permissions: Create and manage service accounts.
Description: Allows users to create a service account for the Migrate for Compute Engine Manager or the Migrate for Compute Engine Cloud Extension, in a project within an organization or in a standalone project.

Role: roles/resourcemanager.projectIamAdmin
Permissions: Administer IAM policies on projects.
Description: Allows users to bind roles to the service accounts they create on the project (granting a role on a project requires permission to set the project's IAM policy).

Assign these roles on the infrastructure project you created when you set up Migrate for Compute Engine on Google Cloud.

Note that roles/resourcemanager.organizationAdmin is an organization-wide role that grants far more than service account creation. Grant it for the setup work itself and remove it afterwards rather than leaving it on an everyday account.

Roles required when deploying the Migrate for Compute Engine Manager

Through these roles, a user can deploy or use the Migrate for Compute Engine Manager.

Roles required to deploy the Migrate for Compute Engine Manager

Role: roles/compute.instanceAdmin
Permissions: Create, modify, and delete virtual machine instances.
Description: Allows users to deploy the Migrate for Compute Engine Manager, as well as to perform migrations.

Role: roles/iam.serviceAccountUser
Permissions: Run operations as the service account.
Description: Together with roles/compute.instanceAdmin, allows users to deploy the Migrate for Compute Engine Manager (attaching the Migration Manager service account to the Manager instance) and to perform migrations.

Assign these roles when you set up the Migrate for Compute Engine Manager. Because roles/iam.serviceAccountUser lets the holder act as any service account it covers, prefer granting it on the Migration Manager service account itself rather than on the whole project.

Role: roles/vmmigration.admin
Permissions: Deploy new instances of Migrate for Compute Engine Manager and get information about them.
Description: Allows users to deploy the Migrate for Compute Engine Manager, as well as to perform migrations.

Roles required to use the Migrate for Compute Engine Manager to migrate VMs

Role: roles/vmmigration.viewer
Permissions: List Migrate for Compute Engine Manager deployments and get information about them.
Description: Allows users to retrieve information about deployed Migrate for Compute Engine Manager instances, or to view it in the Google Cloud console. Intended for users who will be performing migrations, but not setting up the system.

Roles required when migrating VMs

Through these roles, Migrate for Compute Engine components get the access they need to perform migration actions at runtime. These actions include creating and accessing Google Cloud resources and managing VM storage.

When you configure the Migrate for Compute Engine Manager, these roles are automatically assigned to the service accounts you create in that process. You can also create these service accounts manually, then specify the service accounts you create when configuring the Migrate for Compute Engine Manager.

You assign these roles by adding them to service accounts you then assign to the Migrate for Compute Engine components when setting them up on Google Cloud.

Role: roles/cloudmigration.inframanager
Permissions: Create and manage VMs to run Migrate for Compute Engine infrastructure.
Description: Allows Migrate for Compute Engine to create and configure the resources needed to set up the system and perform migrations.

Role: roles/cloudmigration.storageaccess
Permissions: Access migration storage.
Description: Allows the Migrate for Compute Engine Cloud Extension to manage the storage needed during migration.

Service accounts assigned to Migrate for Compute Engine instances

Through these service accounts, which you create, Migrate for Compute Engine components get the access they need at runtime to create and use Google Cloud resources.

When you set up Google Cloud as a destination, you select or create these service accounts.

The following table describes the service accounts and lists the roles assigned to them. For specifics about the roles assigned to these service accounts, see VM migration roles.

Service account (suggested name): Migration Manager
Required roles:
  roles/cloudmigration.inframanager
  roles/iam.serviceAccountUser
  roles/logging.logWriter
  roles/monitoring.metricWriter
  roles/monitoring.viewer
  roles/iam.serviceAccountTokenCreator
Description: Used by the Migrate for Compute Engine Manager to orchestrate migrations, deploy Cloud Extensions, and create instances in your environment for migrated VMs.

Service account (suggested name): Cloud Extension
Required roles:
  roles/cloudmigration.storageaccess
  roles/logging.logWriter
  roles/monitoring.metricWriter
Description: Used by Cloud Extension nodes to access storage resources.

roles/iam.serviceAccountTokenCreator lets its holder mint access tokens for the service accounts it is granted on. Granted at project level it covers every service account in the project, so where your setup allows, grant it on the specific service accounts the Manager must act as rather than project-wide.
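As an added example, not code from this page or from the Migrate for Compute Engine product, the following Python script audits a project's IAM policy against the role sets in the tables above: the two service accounts from this section and a user holding the "deploy the Manager" roles from earlier on the page. It reports roles that are missing (the migration will fail) and roles held beyond the documented set (over-privilege on a runtime identity), and prints the gcloud bindings that close any gap. The project ID, service account e-mail addresses, operator user and the embedded policy are all constructed for the example; the policy shape is the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Audit a project IAM policy for the Migrate for Compute Engine principals.

Added example; not part of Migrate for Compute Engine or its documentation.
Project ID, service account addresses and the operator user are placeholders.
"""
import json
import sys

PROJECT_ID = "example-infra-project"  # assumption: the infrastructure project
SA_DOMAIN = f"{PROJECT_ID}.iam.gserviceaccount.com"

MANAGER_SA = f"serviceAccount:migration-manager@{SA_DOMAIN}"   # assumed name
EXTENSION_SA = f"serviceAccount:cloud-extension@{SA_DOMAIN}"   # assumed name
OPERATOR = "user:migration-operator@example.com"               # assumed user

# Required roles, taken from the tables on this page.
REQUIRED_ROLES = {
    MANAGER_SA: {
        "roles/cloudmigration.inframanager",
        "roles/iam.serviceAccountUser",
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/monitoring.viewer",
        "roles/iam.serviceAccountTokenCreator",
    },
    EXTENSION_SA: {
        "roles/cloudmigration.storageaccess",
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
    },
    OPERATOR: {  # "Roles required to deploy the Migrate for Compute Engine Manager"
        "roles/compute.instanceAdmin",
        "roles/iam.serviceAccountUser",
        "roles/vmmigration.admin",
    },
}


def granted_roles(policy):
    """Map each member to the roles it holds unconditionally in the policy.

    Bindings carrying an IAM condition are skipped: a conditional grant does
    not satisfy a requirement the component needs at all times.
    """
    held = {}
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def audit(policy, required=REQUIRED_ROLES):
    """Return {member: {"missing": set, "extra": set}} for every required member."""
    held = granted_roles(policy)
    return {
        member: {
            "missing": wanted - held.get(member, set()),
            "extra": held.get(member, set()) - wanted,
        }
        for member, wanted in required.items()
    }


def fix_commands(report, project_id=PROJECT_ID):
    """gcloud commands that add each missing binding; extra roles are only reported."""
    cmds = []
    for member in sorted(report):
        for role in sorted(report[member]["missing"]):
            cmds.append(
                f"gcloud projects add-iam-policy-binding {project_id} "
                f"--member={member} --role={role}"
            )
    return cmds


# Constructed sample policy (not real output). The Manager SA lacks
# roles/iam.serviceAccountTokenCreator, the Cloud Extension SA was handed
# project-wide Editor, and the operator's instanceAdmin is conditional only.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/cloudmigration.inframanager", "members": [MANAGER_SA]},
        {"role": "roles/iam.serviceAccountUser", "members": [MANAGER_SA, OPERATOR]},
        {"role": "roles/logging.logWriter", "members": [MANAGER_SA, EXTENSION_SA]},
        {"role": "roles/monitoring.metricWriter", "members": [MANAGER_SA, EXTENSION_SA]},
        {"role": "roles/monitoring.viewer", "members": [MANAGER_SA]},
        {"role": "roles/cloudmigration.storageaccess", "members": [EXTENSION_SA]},
        {"role": "roles/editor", "members": [EXTENSION_SA]},
        {"role": "roles/vmmigration.admin", "members": [OPERATOR]},
        {"role": "roles/compute.instanceAdmin", "members": [OPERATOR],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('UTC') < 18"}},
    ],
}

if __name__ == "__main__":
    # Pass a saved policy file to audit a real project; otherwise use the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    report = audit(policy)
    for member, gap in report.items():
        print(member)
        print("  missing:", sorted(gap["missing"]))
        print("  extra:  ", sorted(gap["extra"]))
    print("\n".join(fix_commands(report)))
```

To audit a real project, save its policy with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and pass that file as the first argument. Conditional bindings are deliberately not counted as satisfying a requirement, since the Manager and Cloud Extension need their roles for the whole life of a migration. Extra roles such as roles/editor on the Cloud Extension account are flagged rather than removed: taking a binding out of a live policy is a change to make deliberately, after checking what else depends on it.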

What's next