This topic describes how to set up the permissions for a manual Migrate for Compute Engine migration. The guidance here aims to help those who want to understand or control the permissions granted for the migration process and migrated workloads.
This page describes the role creation process for migrating to:
- A single Google Cloud project
- Multiple Google Cloud projects
Prerequisites
Two service accounts are required for Migrate for Compute Engine migrations. For more information on each of these service accounts and their associated roles, see Configuring Google Cloud.
For more information about gcloud commands and their parameters, see the gcloud CLI documentation.
- You must install the Google Cloud SDK.
- Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. We'll call this project the infrastructure project. Use this project wherever you see [PROJECT_ID].
- Enable the following APIs on your infrastructure project.
  gcloud services enable iam.googleapis.com --project [PROJECT_ID]
  gcloud services enable cloudresourcemanager.googleapis.com --project [PROJECT_ID]
  gcloud services enable compute.googleapis.com --project [PROJECT_ID]
  gcloud services enable storage-component.googleapis.com --project [PROJECT_ID]
  gcloud services enable logging.googleapis.com --project [PROJECT_ID]
  gcloud services enable monitoring.googleapis.com --project [PROJECT_ID]
To continue, select if you are migrating to a single project or multiple projects.
Single Project
Instructions for a single project
This section describes how to create the service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.
Creating roles
Create the roles at the project level:
- Open a command prompt and run the following command. Replace the login parameter with your Google Cloud account login information.
  gcloud auth login login@google.com --no-launch-browser --brief
- Download the Cloud Deployment Manager zip file.
- Unzip the file to a directory you can access when creating the roles.
- Open the manual directory within that zipfile (include quotes because the path contains a space).
  cd "GcpDeploymentManager 2/manual"
Assign permissions to the roles:
  gcloud iam roles create "velos_manager" --project [PROJECT_ID] \
    --file velos_gcp_mgmt_role.yaml --no-user-output-enabled --quiet
  gcloud iam roles create "velos_ce" --project [PROJECT_ID] \
    --file velos_gcp_ce_role.yaml --no-user-output-enabled --quiet
Creating service accounts
Create the velos-manager service account in Google Cloud. Note: [PROJECT_ID] is your infrastructure project.
  gcloud config set project [PROJECT_ID]
  gcloud iam service-accounts create "velos-manager" --display-name "velos-manager"
Assign the velos_manager role to the velos-manager service account.
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "projects/[PROJECT_ID]/roles/velos_manager" \
    --no-user-output-enabled --quiet
Grant the additional required roles to the velos-manager service account. The last command binds roles/iam.serviceAccountTokenCreator on the service account's own IAM policy, which lets velos-manager mint tokens for itself:
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountUser" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.viewer" --no-user-output-enabled --quiet
  gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
Create the velos-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).
  gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
Assign the velos_ce role to the velos-cloud-extension service account:
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "projects/[PROJECT_ID]/roles/velos_ce" \
    --no-user-output-enabled --quiet
Assign additional required roles to the velos-cloud-extension service account:
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet
Multiple Projects
Instructions for multiple projects
This section describes how to create the roles required for migrations into multiple projects, and assign those roles to service accounts.
Creating roles
The following steps create roles for Migrate for Compute Engine on Google Cloud.
- Create the Migrate for Compute Engine roles within Google Cloud at the Organization level:
  gcloud auth login orgadmin@google.com --no-launch-browser --brief
- Download the Migrate for Compute Engine Manager zip file, which contains the YAML files needed to create these roles.
- Unzip the file and save it to a directory you can access when creating roles.
- Open the manual directory within that zipfile.
  cd GcpDeploymentManager/manual
Assign permissions to the roles:
  gcloud iam roles create "velos_manager" --organization [ORGANIZATION_ID] \
    --file velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
  gcloud iam roles create "velos_ce" --project [PROJECT_ID] \
    --file velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
Creating service accounts and assigning roles to them
Create the velos-manager service account in Google Cloud. Although you can create the velos-manager service account in any of your projects, Migrate for Compute Engine 4.2 by Google recommends creating this service account in the host project to simplify configuration.
  gcloud config set project [PROJECT_ID]
  gcloud iam service-accounts create "velos-manager" \
    --display-name "velos-manager"
Assign the velos_manager role to the velos-manager service account.
  gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role organizations/[ORGANIZATION_ID]/roles/"velos_manager" \
    --no-user-output-enabled --quiet
  gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
Grant the additional required roles to the velos-manager service account. Note that roles/iam.serviceAccountUser is bound at the organization level, while the logging and monitoring roles are bound in the project:
  gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountUser" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.viewer" --no-user-output-enabled --quiet
  gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
Create the velos-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).
  gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
Assign the velos_ce role to the velos-cloud-extension service account:
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "projects/[PROJECT_ID]/roles/velos_ce" \
    --no-user-output-enabled --quiet
Assign additional required roles to the velos-cloud-extension service account:
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet
  gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet
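The single-project and multi-project procedures above each grant a fixed set of roles to two service accounts, but neither shows how to confirm afterwards that the accounts hold exactly that set and nothing broader (a stray roles/editor on velos-manager, for instance, would make the carefully scoped velos_manager custom role meaningless). The following Python script is an added example, not part of this page or of Migrate for Compute Engine: it parses the JSON that `gcloud projects get-iam-policy [PROJECT_ID] --format=json` prints (and, for the multi-project setup, the organization policy from `gcloud organizations get-iam-policy [ORGANIZATION_ID] --format=json`, passed in the same list) and reports, per service account, roles from the steps above that are missing, roles held beyond them, and any primitive owner/editor role among the extras. The embedded sample policy, its project id, etag and members are constructed for the demonstration.

```python
"""Audit IAM bindings for the velos-manager and velos-cloud-extension service accounts.
Added example, not the page's or the product's code: reads the JSON from
`gcloud projects get-iam-policy [PROJECT_ID] --format=json` (plus the organization
policy for the multi-project setup) and diffs it against the steps on this page."""
import json

BROAD_ROLES = {"roles/owner", "roles/editor"}  # primitive roles that dwarf the custom velos_* roles


def expected_roles(project_id, organization_id=None):
    """Roles each service account should hold, taken from the setup steps.
    With organization_id set, velos_manager is the organization-level custom role."""
    manager = f"serviceAccount:velos-manager@{project_id}.iam.gserviceaccount.com"
    extension = f"serviceAccount:velos-cloud-extension@{project_id}.iam.gserviceaccount.com"
    scope = f"organizations/{organization_id}" if organization_id else f"projects/{project_id}"
    return {
        manager: {f"{scope}/roles/velos_manager", "roles/iam.serviceAccountUser",
                  "roles/logging.logWriter", "roles/monitoring.metricWriter",
                  "roles/monitoring.viewer"},
        extension: {f"projects/{project_id}/roles/velos_ce", "roles/logging.logWriter",
                    "roles/monitoring.metricWriter"},
    }


def roles_for_member(policies, member):
    """Union of unconditional roles the member holds across the given policy documents.
    Conditional bindings are skipped: they are not the plain grants the steps create."""
    roles = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if "condition" not in binding and member in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def audit(policies, project_id, organization_id=None):
    """Return {member: {"missing": [...], "extra": [...], "broad": [...]}} per service account."""
    report = {}
    for member, wanted in expected_roles(project_id, organization_id).items():
        held = roles_for_member(policies, member)
        report[member] = {"missing": sorted(wanted - held),
                          "extra": sorted(held - wanted),
                          "broad": sorted(held & BROAD_ROLES)}
    return report


def has_findings(report):
    """True if any service account holds more or less than the steps grant."""
    return any(f["missing"] or f["extra"] for f in report.values())


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# (project id, etag and members are made up): velos-manager was additionally given
# roles/editor, and velos-cloud-extension never received roles/monitoring.metricWriter.
SAMPLE_PROJECT_ID = "example-infra-project"
_MGR = f"serviceAccount:velos-manager@{SAMPLE_PROJECT_ID}.iam.gserviceaccount.com"
_CE = f"serviceAccount:velos-cloud-extension@{SAMPLE_PROJECT_ID}.iam.gserviceaccount.com"
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/editor", "members": ["user:admin@example.com", _MGR]},
        {"role": f"projects/{SAMPLE_PROJECT_ID}/roles/velos_manager", "members": [_MGR]},
        {"role": "roles/iam.serviceAccountUser", "members": [_MGR]},
        {"role": "roles/logging.logWriter", "members": [_MGR, _CE]},
        {"role": "roles/monitoring.metricWriter", "members": [_MGR]},
        {"role": "roles/monitoring.viewer", "members": [_MGR]},
        {"role": f"projects/{SAMPLE_PROJECT_ID}/roles/velos_ce", "members": [_CE]},
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
})


def audit_sample():
    """Run the audit over the constructed sample policy."""
    return audit([json.loads(SAMPLE_POLICY_JSON)], SAMPLE_PROJECT_ID)


if __name__ == "__main__":
    import sys
    # Pipe real get-iam-policy JSON on stdin with the project id as argv[1]; otherwise audit the sample.
    if sys.stdin.isatty() or len(sys.argv) < 2:
        report = audit_sample()
    else:
        report = audit([json.load(sys.stdin)], sys.argv[1])
    for member, findings in report.items():
        print(member)
        for kind, roles in findings.items():
            print(f"  {kind}: {', '.join(roles) or '-'}")
    sys.exit(1 if has_findings(report) else 0)
```

Run with no input to see the sample findings, or as `gcloud projects get-iam-policy [PROJECT_ID] --format=json | python3 audit_velos_iam.py [PROJECT_ID]` against a real project; the non-zero exit status on findings makes it usable as a post-migration check in a pipeline. For the multi-project variant, call `audit()` with both the organization and project policies in the list and pass `organization_id`, so that the organization-level velos_manager binding and the project-level logging and monitoring bindings are evaluated together. The serviceAccountTokenCreator self-binding lives on the service account's own policy (`gcloud iam service-accounts get-iam-policy`), not in the project policy, so it is intentionally outside this check.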