You are viewing the documentation for the legacy version of Migrate for Compute Engine (formerly Velostrata). You can continue to use this version, or use the current version.

Cloud IAM permissions for Migrate for Compute Engine

This page describes the specific roles and service accounts used by a Migrate for Compute Engine installation.

Overview

Migrate for Compute Engine uses service accounts to grant access. This topic describes the roles and permissions assigned to those service accounts.

Deploying the Velostrata Manager creates two service accounts:

  1. The Manager service account is attached to the Manager instance. It allows the Manager to orchestrate migrations, deploy Cloud Extensions, and create instances for migrated VMs in your environment.
  2. The Cloud Extension service account is attached to the Cloud Extension nodes. It allows the Cloud Extension nodes to access storage resources.

In addition, there are roles specific to Migrate for Compute Engine that grant the permissions it needs on Compute Engine and Cloud Storage.

Migrate for Compute Engine service accounts

The roles assigned to the two service accounts are listed below. For more details about these roles, see Understanding roles in the Cloud Identity and Access Management documentation.

Service account                               Assigned roles
Velostrata Manager service account            roles/iam.serviceAccountUser
                                              roles/logging.logWriter
                                              roles/monitoring.metricWriter
                                              roles/monitoring.viewer
                                              roles/cloudmigration.inframanager
Velostrata Cloud Extension service account    roles/logging.logWriter
                                              roles/monitoring.metricWriter
                                              roles/cloudmigration.storageaccess

Cloud migration roles and permissions

The cloudmigration roles are the sets of permissions required to create and host the Migrate for Compute Engine infrastructure in your environment. These permissions are listed below. For more details about these permissions, see Understanding roles in the Cloud Identity and Access Management documentation.

Role                                  Permissions
roles/cloudmigration.inframanager     compute.addresses.create
                                      compute.addresses.createInternal
                                      compute.addresses.delete
                                      compute.addresses.deleteInternal
                                      compute.addresses.get
                                      compute.addresses.list
                                      compute.addresses.setLabels
                                      compute.addresses.use
                                      compute.addresses.useInternal
                                      compute.diskTypes.get
                                      compute.diskTypes.list
                                      compute.disks.create
                                      compute.disks.delete
                                      compute.disks.get
                                      compute.disks.list
                                      compute.disks.setLabels
                                      compute.disks.update
                                      compute.disks.use
                                      compute.disks.useReadOnly
                                      compute.images.get
                                      compute.images.list
                                      compute.images.useReadOnly
                                      compute.instances.attachDisk
                                      compute.instances.create
                                      compute.instances.delete
                                      compute.instances.detachDisk
                                      compute.instances.get
                                      compute.instances.getSerialPortOutput
                                      compute.instances.list
                                      compute.instances.reset
                                      compute.instances.setDiskAutoDelete
                                      compute.instances.setLabels
                                      compute.instances.setMachineType
                                      compute.instances.setMetadata
                                      compute.instances.setMinCpuPlatform
                                      compute.instances.setScheduling
                                      compute.instances.setServiceAccount
                                      compute.instances.setTags
                                      compute.instances.start
                                      compute.instances.startWithEncryptionKey
                                      compute.instances.stop
                                      compute.instances.update
                                      compute.instances.updateNetworkInterface
                                      compute.instances.use
                                      compute.licenseCodes.get
                                      compute.licenseCodes.list
                                      compute.licenseCodes.update
                                      compute.licenseCodes.use
                                      compute.licenses.get
                                      compute.licenses.list
                                      compute.machineTypes.get
                                      compute.machineTypes.list
                                      compute.networks.get
                                      compute.networks.list
                                      compute.networks.use
                                      compute.networks.useExternalIp
                                      compute.nodeTemplates.list
                                      compute.projects.get
                                      compute.regionOperations.get
                                      compute.regions.get
                                      compute.regions.list
                                      compute.subnetworks.get
                                      compute.subnetworks.list
                                      compute.subnetworks.use
                                      compute.subnetworks.useExternalIp
                                      compute.zoneOperations.get
                                      compute.zones.get
                                      compute.zones.list
                                      iam.serviceAccounts.get
                                      iam.serviceAccounts.list
                                      resourcemanager.projects.get
                                      storage.buckets.create
                                      storage.buckets.delete
                                      storage.buckets.get
                                      storage.buckets.list
                                      storage.buckets.update
                                      storage.objects.create
                                      storage.objects.delete
                                      storage.objects.get
                                      storage.objects.list
                                      storage.objects.update
roles/cloudmigration.storageaccess    storage.objects.create
                                      storage.objects.delete
                                      storage.objects.get
                                      storage.objects.list
                                      storage.objects.update
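The two tables on this page (the roles assigned to each service account, and the permissions carried by each cloudmigration role) are the reference for a least-privilege check of a deployment. The following script is an added example, not part of the Google documentation or the product: it compares a project IAM policy and a role definition against the documented lists and reports any role or permission that is missing or that goes beyond what is documented. It reads JSON in the shape produced by `gcloud projects get-iam-policy PROJECT --format=json` (the `bindings` array) and `gcloud iam roles describe ROLE --format=json` (the `includedPermissions` array); the policy, the role definition and the service-account e-mail addresses embedded below are constructed placeholders so that the script runs offline.

```python
"""Least-privilege audit for Migrate for Compute Engine service accounts.

Added example, not part of the Google documentation. It checks two things
against the role and permission lists documented on this page:
  1. each service account holds exactly the documented roles, using a project
     IAM policy in the JSON shape of `gcloud projects get-iam-policy --format=json`;
  2. a cloudmigration role still carries exactly the documented permissions,
     using the JSON shape of `gcloud iam roles describe --format=json`.
The policy, role definition and e-mail addresses below are constructed.
"""
import json
from typing import Dict, Set

# Roles documented for each service account (from the first table on the page).
EXPECTED_ROLES: Dict[str, Set[str]] = {
    "manager": {
        "roles/iam.serviceAccountUser",
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/monitoring.viewer",
        "roles/cloudmigration.inframanager",
    },
    "cloud_extension": {
        "roles/logging.logWriter",
        "roles/monitoring.metricWriter",
        "roles/cloudmigration.storageaccess",
    },
}

# Permissions documented for roles/cloudmigration.storageaccess (second table).
# The same check applies to the longer roles/cloudmigration.inframanager list.
EXPECTED_STORAGEACCESS_PERMISSIONS: Set[str] = {
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.update",
}

# Constructed member identifiers (placeholder project and account names).
MANAGER_SA = "serviceAccount:velos-manager@example-project.iam.gserviceaccount.com"
CE_SA = "serviceAccount:velos-ce@example-project.iam.gserviceaccount.com"

# Constructed policy: the Cloud Extension account was additionally granted
# roles/editor, and the Manager account lacks roles/monitoring.viewer.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": [MANAGER_SA]},
        {"role": "roles/logging.logWriter", "members": [MANAGER_SA, CE_SA]},
        {"role": "roles/monitoring.metricWriter", "members": [MANAGER_SA, CE_SA]},
        {"role": "roles/cloudmigration.inframanager", "members": [MANAGER_SA]},
        {"role": "roles/cloudmigration.storageaccess", "members": [CE_SA]},
        {"role": "roles/editor", "members": [CE_SA]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
})

# Constructed role definition carrying one permission beyond the documented set.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "roles/cloudmigration.storageaccess",
    "includedPermissions": [
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update", "storage.buckets.delete",
    ],
})


def roles_for_member(policy_json: str, member: str) -> Set[str]:
    """Collect every role bound to `member` in a project IAM policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_bindings(policy_json: str, member: str,
                   expected: Set[str]) -> Dict[str, Set[str]]:
    """Roles the member lacks ("missing") and roles beyond the documented set ("extra")."""
    granted = roles_for_member(policy_json, member)
    return {"missing": expected - granted, "extra": granted - expected}


def audit_role_permissions(role_json: str,
                           expected: Set[str]) -> Dict[str, Set[str]]:
    """Compare a role's includedPermissions with the documented permission list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"missing": expected - granted, "extra": granted - expected}


if __name__ == "__main__":
    for label, member in (("manager", MANAGER_SA), ("cloud_extension", CE_SA)):
        print(label, audit_bindings(SAMPLE_POLICY_JSON, member, EXPECTED_ROLES[label]))
    print("storageaccess", audit_role_permissions(SAMPLE_ROLE_JSON,
                                                  EXPECTED_STORAGEACCESS_PERMISSIONS))
```

An "extra" entry is the finding that matters most for a review: a broad primitive role such as roles/editor on the Cloud Extension account, or a permission added to a custom role after deployment, silently widens what a compromised node could do beyond the storage access it needs. A "missing" entry explains a failing migration rather than a security exposure. To run the check against a real project, replace the two constructed JSON strings with the output of the gcloud commands named in the lead-in.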