概览
Migrate for Compute Engine 使用服务账号来授予访问权限。本主题介绍了分配给这些服务账号的角色和权限。
部署 Velostrata Manager 会创建两个服务账号:
- Manager 服务账号附加到 Manager 实例。它允许 Manager 编排迁移、部署 Cloud Extensions 扩展以及在环境中为迁移后的虚拟机创建实例。
- Cloud Extension 服务账号附加到 Cloud Extensions 扩展节点。它允许 Cloud Extensions 扩展节点访问存储资源。
此外,还有一些特定于 Migrate for Compute Engine 的角色,用于启用针对 Compute Engine 和 Cloud Storage 的权限。
Migrate for Compute Engine 服务账号
分配给这两个服务账号的角色如下所述。如需详细了解这些角色,请参阅 Identity and Access Management 文档中的了解角色。
| 服务账号 | 已分配的角色 |
|---|---|
| Velostrata Manager 服务账号 | roles/iam.serviceAccountUser |
| roles/logging.logWriter | |
| roles/monitoring.metricWriter | |
| roles/monitoring.viewer | |
| roles/cloudmigration.inframanager | |
| Velostrata Cloud Extension 服务账号 | roles/logging.logWriter |
| roles/monitoring.metricWriter | |
| roles/cloudmigration.storageaccess |
云迁移角色和权限:
cloudmigration 角色是在您的环境中创建和托管 Migrate for Compute Engine 基础架构所需的一组权限。这些权限如下所述。如需详细了解这些权限,请参阅 Identity and Access Management 文档中的了解角色。
| 角色 | 权限 |
|---|---|
| roles/cloudmigration.inframanager | compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.setLabels compute.addresses.use compute.addresses.useInternal compute.diskTypes.get compute.diskTypes.list compute.disks.create compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.get compute.machineTypes.list compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.get compute.regions.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.get compute.zones.list iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
| roles/cloudmigration.storageaccess | storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |