IAM permissions for Migrate for Compute Engine

This page describes the specific roles and service accounts used in a Migrate for Compute Engine installation.

Overview

Migrate for Compute Engine uses service accounts to grant access permissions. This topic describes the roles and permissions assigned to these service accounts.

Deploying Velostrata Manager creates two service accounts:

  1. The Manager Service Account is attached to the Manager instance. It allows the Manager to orchestrate migrations, deploy Cloud Extensions and create instances in your environment for migrated VMs.
  2. The Cloud Extension Service Account is attached to the Cloud Extensions nodes. It allows Cloud Extensions nodes access to storage resources.

Additionally, there are Migrate for Compute Engine-specific roles (the cloudmigration roles) that grant permissions on Compute Engine and Cloud Storage.

Migrate for Compute Engine service accounts

Roles assigned to the two service accounts are described below. For more information on these roles, see Understanding roles in the Identity and Access Management documentation.

Service Account: Velostrata Manager Service Account
Assigned Roles:
  roles/iam.serviceAccountUser
  roles/logging.logWriter
  roles/monitoring.metricWriter
  roles/monitoring.viewer
  roles/cloudmigration.inframanager

Service Account: Velostrata Cloud Extension Service Account
Assigned Roles:
  roles/logging.logWriter
  roles/monitoring.metricWriter
  roles/cloudmigration.storageaccess
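As an added check that is not part of this page or of the product's own tooling: the script below compares a project's IAM policy (in the JSON shape returned by gcloud projects get-iam-policy PROJECT --format=json) against the role sets listed above and reports, for each of the two service accounts, any role that is missing from that set or granted beyond it. The service-account names, the project ID and the sample policy are constructed assumptions.

```python
# Roles this page lists for each service account: the expected set.
# The service-account names are assumptions; substitute those in your project.
EXPECTED_ROLES = {
    "velostrata-manager": {
        "roles/iam.serviceAccountUser",
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/monitoring.viewer",
        "roles/cloudmigration.inframanager",
    },
    "velostrata-cloud-extension": {
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/cloudmigration.storageaccess",
    },
}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# The Manager SA here lacks monitoring.viewer and has been over-granted roles/owner.
MANAGER = "serviceAccount:velostrata-manager@example-project.iam.gserviceaccount.com"
CLOUDEXT = "serviceAccount:velostrata-cloud-extension@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com", MANAGER]},
    {"role": "roles/iam.serviceAccountUser", "members": [MANAGER]},
    {"role": "roles/logging.logWriter", "members": [MANAGER, CLOUDEXT]},
    {"role": "roles/monitoring.metricWriter", "members": [MANAGER, CLOUDEXT]},
    {"role": "roles/cloudmigration.inframanager", "members": [MANAGER]},
    {"role": "roles/cloudmigration.storageaccess", "members": [CLOUDEXT]},
]}

def roles_by_service_account(policy):
    """Map each serviceAccount member email to the set of roles bound to it."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                email = member.split(":", 1)[1]
                result.setdefault(email, set()).add(binding["role"])
    return result

def audit(policy, project_id):
    """Return {sa_email: {"missing": roles, "extra": roles}} against EXPECTED_ROLES."""
    actual = roles_by_service_account(policy)
    report = {}
    for name, expected in EXPECTED_ROLES.items():
        email = f"{name}@{project_id}.iam.gserviceaccount.com"
        have = actual.get(email, set())  # empty if the SA has no bindings at all
        report[email] = {"missing": expected - have, "extra": have - expected}
    return report
```

A non-empty "extra" set (here roles/owner on the Manager account) is the finding to act on, since every role beyond the listed set widens what a compromised Manager or Cloud Extension node could do.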

Cloud migration roles and permissions

The cloudmigration roles are a collection of permissions required to create and host Migrate for Compute Engine infrastructure in your environment. These permissions are described below. For more information on these permissions, see Understanding roles in the Identity and Access Management documentation.

Role: roles/cloudmigration.inframanager
Permissions:
  compute.addresses.create
  compute.addresses.createInternal
  compute.addresses.delete
  compute.addresses.deleteInternal
  compute.addresses.get
  compute.addresses.list
  compute.addresses.setLabels
  compute.addresses.use
  compute.addresses.useInternal
  compute.diskTypes.get
  compute.diskTypes.list
  compute.disks.create
  compute.disks.delete
  compute.disks.get
  compute.disks.list
  compute.disks.setLabels
  compute.disks.update
  compute.disks.use
  compute.disks.useReadOnly
  compute.images.get
  compute.images.list
  compute.images.useReadOnly
  compute.instances.attachDisk
  compute.instances.create
  compute.instances.delete
  compute.instances.detachDisk
  compute.instances.get
  compute.instances.getSerialPortOutput
  compute.instances.list
  compute.instances.reset
  compute.instances.setDiskAutoDelete
  compute.instances.setLabels
  compute.instances.setMachineType
  compute.instances.setMetadata
  compute.instances.setMinCpuPlatform
  compute.instances.setScheduling
  compute.instances.setServiceAccount
  compute.instances.setTags
  compute.instances.start
  compute.instances.startWithEncryptionKey
  compute.instances.stop
  compute.instances.update
  compute.instances.updateNetworkInterface
  compute.instances.use
  compute.licenseCodes.get
  compute.licenseCodes.list
  compute.licenseCodes.update
  compute.licenseCodes.use
  compute.licenses.get
  compute.licenses.list
  compute.machineTypes.get
  compute.machineTypes.list
  compute.networks.get
  compute.networks.list
  compute.networks.use
  compute.networks.useExternalIp
  compute.nodeTemplates.list
  compute.projects.get
  compute.regionOperations.get
  compute.regions.get
  compute.regions.list
  compute.subnetworks.get
  compute.subnetworks.list
  compute.subnetworks.use
  compute.subnetworks.useExternalIp
  compute.zoneOperations.get
  compute.zones.get
  compute.zones.list
  iam.serviceAccounts.get
  iam.serviceAccounts.list
  resourcemanager.projects.get
  storage.buckets.create
  storage.buckets.delete
  storage.buckets.get
  storage.buckets.list
  storage.buckets.update
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update

Role: roles/cloudmigration.storageaccess
Permissions:
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update