Creating Google Cloud roles and service accounts manually

This topic describes how to set up the permissions for a manual Google Cloud Migrate for Compute Engine (formerly Velostrata) migration. The guidance here aims to help those who want to understand or control the permissions granted for the migration process and migrated workloads.

This page describes the role creation process for migrating to:

  • A single Google Cloud project
  • Multiple Google Cloud projects

Prerequisites

Two service accounts are required for Migrate for Compute Engine migrations. For more information on each of these service accounts and their associated roles, see Configuring Google Cloud. For more information about gcloud commands and their parameters, see the gcloud CLI documentation.

  1. You must install the Google Cloud SDK.
  2. Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. We'll call this project the infrastructure project. Use this project wherever you see project-ID.
  3. Enable the following APIs on your infrastructure project.
    gcloud services enable iam.googleapis.com --project project-ID
    gcloud services enable cloudresourcemanager.googleapis.com --project project-ID
    gcloud services enable compute.googleapis.com --project project-ID
    gcloud services enable storage-component.googleapis.com --project project-ID
    gcloud services enable logging.googleapis.com --project project-ID
    gcloud services enable monitoring.googleapis.com --project project-ID
    

To continue, select if you are migrating to a single project or multiple projects.

Single Project

This section describes how to create the service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.

Creating roles

Create the roles at the project level:

  1. Open a command prompt and run the following command. Replace the login parameter with your Google Cloud account login information.
    gcloud auth login login@google.com --no-launch-browser --brief
    
  2. Download the Cloud Deployment Manager file from the Downloads page.
  3. Expand the downloaded file and save to a directory you can access when creating roles.
  4. In the expanded directories, open the manual directory.
    cd google/migrate/gce/manual
    
  5. Using YAML files in that directory, assign permissions to the roles:

    gcloud iam roles create "velos_manager" --project project-ID \
    --file velos_gcp_mgmt_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_ce" --project project-ID \
    --file velos_gcp_ce_role.yaml.yaml --no-user-output-enabled --quiet
    

Creating service accounts

  1. Create the velos-manager service account in Google Cloud. Note: The project-ID is your infrastructure project.

    gcloud config set project project-ID
    gcloud iam service-accounts create "velos-manager" --display-name "velos-manager"

  2. Assign the velos_manager role to the velos-manager service account.

    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "projects/project-ID/roles/velos_manager" \
     --no-user-output-enabled --quiet
    
  3. Grant the additional predefined roles that the velos-manager service account requires:

    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountUser" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/logging.logWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/monitoring.metricWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/monitoring.viewer" \
     --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@project-ID.iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project project-ID
    
  4. Create the velos-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
  5. Assign the velos_ce role to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "projects/project-ID/roles/velos_ce" \
    --no-user-output-enabled --quiet
    
  6. Assign additional required roles to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet
    

Multiple Projects

This section describes how to create the roles required for migrations into multiple projects, and assign those roles to service accounts.

Creating roles

The following steps create roles for Migrate for Compute Engine on Google Cloud.

  1. Create the Migrate for Compute Engine roles at the Organization level. First, log in with an account that has permission to manage roles for the organization, replacing orgadmin@google.com with that account:
    gcloud auth login orgadmin@google.com --no-launch-browser --brief
  2. Download the Cloud Deployment Manager file from the Downloads page.
  3. Expand the downloaded file and save to a directory you can access when creating roles.
  4. In the expanded directories, open the manual directory.
    cd google/migrate/gce/manual
    
  5. Using YAML files in that directory, assign permissions to the roles:

    gcloud iam roles create "velos_manager" --organization organization-ID \
    --file velos_gcp_mgmt_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_ce" --project project-ID \
    --file velos_gcp_ce_role.yaml.yaml --no-user-output-enabled --quiet
    

Creating service accounts and assigning roles to them

  1. Create the velos-manager service account in Google Cloud. Although you can create the velos-manager service account in any of your projects, Migrate for Compute Engine 4.8 recommends creating this service account in the host project to simplify configuration.

    gcloud config set project project-ID
    gcloud iam service-accounts create "velos-manager" \
    --display-name "velos-manager"
  2. Assign the velos_manager role to the velos-manager service account.

    gcloud organizations add-iam-policy-binding organization-ID \
    --member serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
    --role "organizations/organization-ID/roles/velos_manager" \
    --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@project-ID.iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project project-ID
    
  3. Grant the additional predefined roles that the velos-manager service account requires:

    gcloud organizations add-iam-policy-binding organization-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountUser" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/logging.logWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/monitoring.metricWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
     serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
     --role "roles/monitoring.viewer" \
     --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@project-ID.iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@project-ID.iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project project-ID
    
    
  4. Create the velos-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
  5. Assign the velos_ce role to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "projects/project-ID/roles/velos_ce" \
    --no-user-output-enabled --quiet
    
  6. Assign additional required roles to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
    --member serviceAccount:"velos-cloud-extension@project-ID.iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet
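After running either the single-project or the multiple-projects steps, it is worth confirming that the two service accounts hold exactly the roles granted above and nothing broader (a leftover roles/owner or roles/editor on a migration service account would defeat the point of the custom velos_manager and velos_ce roles). The following script is an added example, not part of the Migrate for Compute Engine documentation or its Deployment Manager package. It reads the roles bound to a member from a project, organization, or service-account IAM policy with gcloud's --flatten/--filter/--format flags, and compares them against the expected lists, which mirror the bindings created in the steps above. project-ID and organization-ID are the same placeholders this page uses; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Migrate for Compute Engine documentation.
# Audits the roles actually bound to the velos-manager and
# velos-cloud-extension service accounts and reports anything missing or
# unexpected, so the grants stay at the minimum the setup steps require.
# project-ID / organization-ID are placeholders; replace before running.

# Project-level roles granted to velos-manager in the steps above.
expected_manager_roles() {
  cat <<'EOF'
projects/project-ID/roles/velos_manager
roles/iam.serviceAccountUser
roles/logging.logWriter
roles/monitoring.metricWriter
roles/monitoring.viewer
EOF
}

# Project-level roles granted to velos-cloud-extension in the steps above.
expected_ce_roles() {
  cat <<'EOF'
projects/project-ID/roles/velos_ce
roles/logging.logWriter
roles/monitoring.metricWriter
EOF
}

# Print the roles bound to one member in a project's IAM policy, one per line.
# $1 = project ID
# $2 = member, e.g. serviceAccount:velos-manager@project-ID.iam.gserviceaccount.com
project_member_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Same for an organization-level policy (multiple-projects setup).
# $1 = organization ID, $2 = member
org_member_roles() {
  gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# The serviceAccountTokenCreator grant in the steps above is on the
# velos-manager service account resource itself, so it appears in that
# resource's policy rather than in the project's.
# $1 = service account email, $2 = project ID, $3 = member
sa_member_roles() {
  gcloud iam service-accounts get-iam-policy "$1" --project "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$3" \
    --format="value(bindings.role)"
}

# Compare the roles read from stdin (one per line) with the expected list
# passed as $1 (newline-separated). Prints one MISSING or EXTRA line per
# difference; returns 1 if the sets differ and 0 if they match exactly.
diff_roles() {
  expected=$1
  actual=$(cat)
  status=0
  for role in $expected; do
    printf '%s\n' "$actual" | grep -qxF "$role" \
      || { echo "MISSING $role"; status=1; }
  done
  for role in $actual; do
    printf '%s\n' "$expected" | grep -qxF "$role" \
      || { echo "EXTRA   $role"; status=1; }
  done
  return $status
}

# Usage against a real project (needs gcloud and an authenticated session):
#   project_member_roles project-ID \
#     serviceAccount:velos-manager@project-ID.iam.gserviceaccount.com \
#     | diff_roles "$(expected_manager_roles)"
#   project_member_roles project-ID \
#     serviceAccount:velos-cloud-extension@project-ID.iam.gserviceaccount.com \
#     | diff_roles "$(expected_ce_roles)"
```

For the multiple-projects layout, feed org_member_roles into diff_roles with organizations/organization-ID/roles/velos_manager in place of the project-scoped role name, and run the project-level check once per project that hosts a Cloud Extension. A non-zero exit from diff_roles is a convenient gate in a post-deployment check: MISSING lines mean the migration will fail on a permission error, EXTRA lines mean the service account holds more than the steps intended.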