本主题介绍如何手动设置迁移虚拟机所需的权限。这是人工备选方法。此处提供的指导旨在帮助用户了解或控制为迁移过程和迁移后的工作负载授予的权限。
本页面介绍了迁移至以下各项时的角色创建流程:
- 单个 Google Cloud 项目
- 多个 Google Cloud 项目
准备工作
执行 Migrate for Compute Engine 迁移需要两个服务账号。如需详细了解这些服务账号及其关联角色,请参阅配置 Google Cloud。如需详细了解 gcloud 命令及其参数,请参阅 gcloud CLI 文档。
- 您必须安装 Google Cloud SDK。
- 创建 Google Cloud 项目,以在 Google Cloud 上托管 Migrate for Compute Engine 基础架构。我们将此项目称为“基础架构项目”。只要看到
project-ID,就可以使用此项目。 - 对您的基础架构项目启用以下 API。
gcloud services enable iam.googleapis.com --project project-ID gcloud services enable cloudresourcemanager.googleapis.com --project project-ID gcloud services enable compute.googleapis.com --project project-ID gcloud services enable storage-component.googleapis.com --project project-ID gcloud services enable logging.googleapis.com --project project-ID gcloud services enable monitoring.googleapis.com --project project-ID
如需继续,请选择是要迁移到单个项目还是多个项目。
单个项目
本部分介绍了如何创建迁移到单个独立项目所需的服务账号,并为这些服务账号分配相应的角色。
创建服务账号
在 Google Cloud 中创建
migration-manager服务账号。gcloud config set project project-ID gcloud iam service-accounts create "migration-manager" --display-name "migration-manager"
为
migration-manager服务账号分配角色。gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.inframanager" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.storageaccess" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/iam.serviceAccountUser" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/logging.logWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.metricWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.viewer" \ --no-user-output-enabled --quiet gcloud iam service-accounts add-iam-policy-binding \ "migration-manager@project-ID.iam.gserviceaccount.com" \ --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role=roles/iam.serviceAccountTokenCreator --project project-ID
在 Google Cloud 中创建
migration-cloud-extension服务账号。在计划部署 Migrate for Compute Engine Cloud Extensions (CE) 的项目中创建此账号。gcloud iam service-accounts create "migration-cloud-extension" \ --display-name "migration-cloud-extension"
为
migration-cloud-extension服务账号分配角色。gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.storageaccess" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/logging.logWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.metricWriter" \ --no-user-output-enabled --quiet
多个项目
本部分介绍了如何创建迁移到多个项目所需的角色,并将这些角色分配给服务账号。
创建服务账号并为其分配角色
在 Google Cloud 中创建
migration-manager服务账号。您可以在任何项目中创建migration-manager服务账号,但在宿主项目中创建此服务账号可简化配置。gcloud config set project project-ID gcloud iam service-accounts create "migration-manager" \ --display-name "migration-manager"
为
migration-manager服务账号分配角色。gcloud organizations add-iam-policy-binding organization-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.inframanager" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.storageaccess" \ --no-user-output-enabled --quiet gcloud organizations add-iam-policy-binding organization-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/iam.serviceAccountUser" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/logging.logWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.metricWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID --member \ serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.viewer" \ --no-user-output-enabled --quiet gcloud iam service-accounts add-iam-policy-binding \ "migration-manager@project-ID.iam.gserviceaccount.com" \ --member=serviceAccount:"migration-manager@project-ID.iam.gserviceaccount.com" \ --role=roles/iam.serviceAccountTokenCreator --project project-ID
在 Google Cloud 中创建
migration-cloud-extension服务账号。在计划部署 Migrate for Compute Engine Cloud Extensions (CE) 的项目中创建此账号。gcloud iam service-accounts create "migration-cloud-extension" \ --display-name "migration-cloud-extension"
为
migration-cloud-extension服务账号分配角色。gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/cloudmigration.storageaccess" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/logging.logWriter" \ --no-user-output-enabled --quiet gcloud projects add-iam-policy-binding project-ID \ --member serviceAccount:"migration-cloud-extension@project-ID.iam.gserviceaccount.com" \ --role "roles/monitoring.metricWriter" \ --no-user-output-enabled --quiet