Creating Google Cloud roles and service accounts manually

This topic describes how to manually set up permissions required for migrating VMs. This is a manual alternative to The guidance here aims to help those who want to understand or control the permissions granted for the migration process and migrated workloads.

This page describes the role creation process for migrating to:

  • A single Google Cloud project
  • Multiple Google Cloud projects

Before you begin

Two service accounts are required for Migrate for Compute Engine migrations. For more information on each of these service accounts and their associated roles, see Configuring Google Cloud. For more information about gcloud commands and their parameters, see the gcloud CLI documentation.

  1. You must install the Google Cloud SDK.
  2. Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. We'll call this project the infrastructure project. Use this project wherever you see project-ID.
  3. Enable the following APIs on your infrastructure project.
    gcloud services enable iam.googleapis.com --project project-ID
    gcloud services enable cloudresourcemanager.googleapis.com --project project-ID
    gcloud services enable compute.googleapis.com --project project-ID
    gcloud services enable storage-component.googleapis.com --project project-ID
    gcloud services enable logging.googleapis.com --project project-ID
    gcloud services enable monitoring.googleapis.com --project project-ID
    

To continue, select if you are migrating to a single project or multiple projects.

Single Project

This section describes how to create the service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.

Creating service accounts

  1. Create the migration-manager service account in Google Cloud.

    gcloud config set project project-ID
    gcloud iam service-accounts create "migration-manager" --display-name "migration-manager"
  2. Assign roles to the migration-manager service account.

    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.inframanager" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.storageaccess" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/iam.serviceAccountUser" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/logging.logWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.viewer" \
      --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
      "migration-manager@project-ID.iam.gserviceaccount.com" \
      --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role=roles/iam.serviceAccountTokenCreator --project project-ID
    
  3. Create the migration-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "migration-cloud-extension" \
    --display-name "migration-cloud-extension"
  4. Assign roles to the migration-cloud-extension service account.

    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.storageaccess" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/logging.logWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter" \
      --no-user-output-enabled --quiet
    

Multiple Projects

This section describes how to create the roles required for migrations into multiple projects, and assign those roles to service accounts.

Creating service accounts and assigning roles to them

  1. Create the migration-manager service account in Google Cloud. Although you can create the migration-manager service account in any of your projects, creating this service in the host project will simplify configuration.

    gcloud config set project project-ID
    gcloud iam service-accounts create "migration-manager" \
    --display-name "migration-manager"
  2. Assign roles to themigration-manager service account.

    gcloud organizations add-iam-policy-binding organization-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.inframanager" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.storageaccess" \
      --no-user-output-enabled --quiet
    
    gcloud organizations add-iam-policy-binding organization-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/iam.serviceAccountUser" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/logging.logWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID --member \
      serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.viewer" \
      --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
      "migration-manager@project-ID.iam.gserviceaccount.com" \
      --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \
      --role=roles/iam.serviceAccountTokenCreator --project project-ID
    
  3. Create the migration-cloud-extension service account in Google Cloud. Create this account in the project where you plan to deploy the Migrate for Compute Engine Cloud Extension (CE).

    gcloud iam service-accounts create "migration-cloud-extension" \
      --display-name "migration-cloud-extension"
  4. Assign roles to the migration-cloud-extension service account.

    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/cloudmigration.storageaccess" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/logging.logWriter" \
      --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding project-ID \
      --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter" \
      --no-user-output-enabled --quiet