Version 5.0

Configuring permissions for a Shared VPC

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network so that they can communicate with each other securely and efficiently using internal IPs from that network.

When you use Shared VPC, you designate a project as a Shared VPC host project and attach one or more service projects to it. The VPC networks in the Shared VPC host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

Using Shared VPC with Migrate for Compute Engine

When your Migrate for Compute Engine environment uses a Shared VPC, you must ensure that you have configured permissions correctly so that you can deploy a migrated VM to the Compute Engine target project.

For example, you have the following environment:

  • Project A - Migrate for Compute Engine host project
  • Project B - Shared VPC host project and subnet definitions
  • Project C - Migrate for Compute Engine target project and Shared VPC service project

In this example, you define a Shared VPC in Project B. Project B is referred to as the Shared VPC host project.

You then migrate a VM to a Compute Engine instance in Project C, the Migrate for Compute Engine target project, where Project C accesses the Shared VPC. In this example, Project C is referred to as the Shared VPC service project. You must have already configured Project C to function as a service project of Project B, as described in Provisioning Shared VPC, before you deploy the Compute Engine instance.

However, before you can deploy the Compute Engine instance, you must also ensure that the Migrate for Compute Engine default service account on Project A has the required permissions. Specifically, Migrate for Compute Engine requires the compute.networkUser role on the subnetworks in the Shared VPC host project.

The following section describes how to configure the Migrate for Compute Engine default service account.

Configuring the Migrate for Compute Engine default service account

When you enable the Migrate for Compute Engine API on the host project, Migrate for Compute Engine automatically creates a default service account on the host project.

To deploy a Compute Engine instance to a target project that accesses a Shared VPC, you must add the compute.networkUser role on the subnetworks in the Shared VPC host project to the Migrate for Compute Engine default service account. You have two options for how you add this role:

  • Assign the Migrate for Compute Engine default service account to be a Service Project Admin with access to only some of the subnets in the Shared VPC host project. This option provides a granular means to define Service Project Admins by granting them the compute.networkUser role for only some subnets in the Shared VPC host project.

    See Service Project Admins for some subnets for the steps to this procedure.

  • Allow the Migrate for Compute Engine default service account to be a Service Project Admin with access to all subnets in the Shared VPC host project. In this case, you grant the role of compute.networkUser for the Shared VPC host project to the Migrate for Compute Engine default service account. The default service account then has access to all of the currently defined and future subnets in the Shared VPC host project.

    The procedure below shows the steps to this method.

To configure the Migrate for Compute Engine default service account for access to all subnets in the Shared VPC host project:

  1. Open the Migrate for Compute Engine page in the Google Cloud Console:

    Go to the Migrate for Compute Engine page

  2. Select the Targets tab.

    At the top of the page is an information box showing the email address of the Migrate for Compute Engine default service account in the form:

    service-M4CE_HOST_PROJECT_NUMBER@gcp-sa-vmmigration.iam.gserviceaccount.com

  3. Copy the email address.

  4. Use that email address to grant the compute.networkUser role on the Shared VPC host project to the Migrate for Compute Engine default service account:

    gcloud projects add-iam-policy-binding VPC_HOST_PROJECT_ID \
       --member=serviceAccount:service-M4CE_HOST_PROJECT_NUMBER@gcp-sa-vmmigration.iam.gserviceaccount.com \
       --role=roles/compute.networkUser

For more on assigning roles and permissions to a user account, see Granting, changing, and revoking access to resources.