This topic describes how to manually set up permissions required for migrating VMs. The guidance here aims to help those who want to understand or control the permissions granted for the migration process and migrated workloads.
This page describes the role creation process for migrating to:
- A single Google Cloud project
- Multiple Google Cloud projects
Before you begin
Two service accounts are required for Migrate for Compute Engine migrations. For more information on each of these service accounts and their associated roles, see Configuring Google Cloud. For more information about gcloud commands and their parameters, see the gcloud CLI documentation.
- You must install the Google Cloud SDK.
- Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. We'll call this project the infrastructure project. Use this project wherever you see project-ID.
- Enable the following APIs on your infrastructure project.

    gcloud services enable iam.googleapis.com --project project-ID
    gcloud services enable cloudresourcemanager.googleapis.com --project project-ID
    gcloud services enable compute.googleapis.com --project project-ID
    gcloud services enable storage-component.googleapis.com --project project-ID
    gcloud services enable logging.googleapis.com --project project-ID
    gcloud services enable monitoring.googleapis.com --project project-ID
To continue, select if you are migrating to a single project or multiple projects.
Single Project
This section describes how to create the service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.
Creating service accounts
Create the migration-manager service account in Google Cloud.

    gcloud config set project project-ID
    gcloud iam service-accounts create "migration-manager" --display-name "migration-manager"

Assign roles to the migration-manager service account.

    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.inframanager" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.storageaccess" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/iam.serviceAccountUser" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/logging.logWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.metricWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.viewer" \
        --no-user-output-enabled --quiet
    gcloud iam service-accounts add-iam-policy-binding \
        "migration-manager@project-ID.iam.gserviceaccount.com" \
        --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role=roles/iam.serviceAccountTokenCreator --project project-ID

Create the migration-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "migration-cloud-extension" \
        --display-name "migration-cloud-extension"

Assign roles to the migration-cloud-extension service account.

    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.storageaccess" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/logging.logWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.metricWriter" \
        --no-user-output-enabled --quiet
Multiple Projects
This section describes how to create the roles required for migrations into multiple projects, and assign those roles to service accounts.
Creating service accounts and assigning roles to them
Create the migration-manager service account in Google Cloud. Although you can create the migration-manager service account in any of your projects, creating this service account in the host project will simplify configuration.

    gcloud config set project project-ID
    gcloud iam service-accounts create "migration-manager" \
        --display-name "migration-manager"

Assign roles to the migration-manager service account. Note that the inframanager and serviceAccountUser roles are bound at the organization level here, while the remaining roles stay at the project level.

    gcloud organizations add-iam-policy-binding organization-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.inframanager" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.storageaccess" \
        --no-user-output-enabled --quiet
    gcloud organizations add-iam-policy-binding organization-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/iam.serviceAccountUser" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/logging.logWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.metricWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID --member \
        serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.viewer" \
        --no-user-output-enabled --quiet
    gcloud iam service-accounts add-iam-policy-binding \
        "migration-manager@project-ID.iam.gserviceaccount.com" \
        --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
        --role=roles/iam.serviceAccountTokenCreator --project project-ID

Create the migration-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "migration-cloud-extension" \
        --display-name "migration-cloud-extension"

Assign roles to the migration-cloud-extension service account.

    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/cloudmigration.storageaccess" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/logging.logWriter" \
        --no-user-output-enabled --quiet
    gcloud projects add-iam-policy-binding project-ID \
        --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
        --role "roles/monitoring.metricWriter" \
        --no-user-output-enabled --quiet
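As an added example that is not part of this page or of Migrate for Compute Engine: a Python check that compares the project-level roles the two service accounts actually hold (the parsed JSON of `gcloud projects get-iam-policy project-ID --format=json`) against the roles granted in the single-project and multiple-project steps above, reporting anything missing or over-granted. The project id `my-project` and the sample policy are constructed; for the multiple-project setup, the two organization-level bindings would be checked the same way against the organization's policy.

```python
import json

# Project-level roles each service account must hold, taken from the steps above.
# The serviceAccountTokenCreator self-binding lives on the service account's own
# policy rather than the project policy, so it is out of scope for this check.
EXPECTED_ROLES = {
    "migration-manager": {
        "roles/cloudmigration.inframanager", "roles/cloudmigration.storageaccess",
        "roles/iam.serviceAccountUser", "roles/logging.logWriter",
        "roles/monitoring.metricWriter", "roles/monitoring.viewer",
    },
    "migration-cloud-extension": {
        "roles/cloudmigration.storageaccess", "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
    },
}


def member_for(sa_name, project_id):
    """IAM member string for a service account living in the given project."""
    return f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"


def roles_of(policy, member):
    """Roles bound to `member` in a policy dict shaped like get-iam-policy JSON output."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_policy(policy, project_id, expected=EXPECTED_ROLES):
    """Return {sa_name: {"missing": set, "excess": set}} for each expected account."""
    report = {}
    for sa_name, want in expected.items():
        have = roles_of(policy, member_for(sa_name, project_id))
        report[sa_name] = {"missing": want - have, "excess": have - want}
    return report


def audit_policy_json(text, project_id):
    """Same check, starting from the raw JSON text gcloud prints."""
    return audit_policy(json.loads(text), project_id)


# Constructed sample policy (not real gcloud output): migration-manager lacks
# monitoring.viewer and has been over-granted roles/owner; the CE account is correct.
MM = "serviceAccount:migration-manager@my-project.iam.gserviceaccount.com"
CE = "serviceAccount:migration-cloud-extension@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"etag": "constructed", "version": 1, "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com", MM]},
    {"role": "roles/cloudmigration.inframanager", "members": [MM]},
    {"role": "roles/cloudmigration.storageaccess", "members": [MM, CE]},
    {"role": "roles/iam.serviceAccountUser", "members": [MM]},
    {"role": "roles/logging.logWriter", "members": [MM, CE]},
    {"role": "roles/monitoring.metricWriter", "members": [MM, CE]},
]}
```

Running `audit_policy(SAMPLE_POLICY, "my-project")` flags `roles/monitoring.viewer` as missing and `roles/owner` as excess for migration-manager, and reports the CE account as clean.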