Version 5.0

Configuring permissions for a Shared VPC

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network so that they can communicate with each other securely and efficiently using internal IPs from that network.

When you use Shared VPC, you designate a project as a host project and attach one or more service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

Using Shared VPC with Migrate for Compute Engine

When your Migrate for Compute Engine environment uses a Shared VPC, you must ensure that you have configured permissions correctly so that you can deploy a migrated VM to the Compute Engine target project.

For example, you have the following environment:

  • Project A - Migrate for Compute Engine host project
  • Project B - Shared VPC host project and subnet definitions
  • Project C - Compute Engine target project and Shared VPC service project

In this example, you define a Shared VPC in Project B. Project B is referred to as the Shared VPC host project.

You then migrate a VM to a Compute Engine instance in Project C, where Project C accesses the Shared VPC. In this example, Project C is referred to as the Shared VPC service project. You must have already configured Project C to function as a service project of Project B, as described in Provisioning Shared VPC, before you deploy the Compute Engine instance.

However, before you can deploy the Compute Engine instance, you must also ensure that the Migrate for Compute Engine default service account on Project A has the required permissions. See the following section for more details on configuring this service account.

Configuring the Migrate for Compute Engine default service account

When you enable the Migrate for Compute Engine API on the host project, Migrate for Compute Engine automatically creates a default service account on the host project.

To deploy a Compute Engine instance to a target project that accesses a Shared VPC, you must grant the Migrate for Compute Engine default service account the compute.subnetworks.use permission on the Shared VPC host project. That permission is carried by the predefined Compute Network User role (roles/compute.networkUser).

To configure the Migrate for Compute Engine default service account:

  1. Open the Migrate for Compute Engine page in the Google Cloud Console.

  2. Select the Targets tab.

  3. Select Add Project.

    A panel opens listing the available projects. At the top of the panel is an information box showing the email address of the Migrate for Compute Engine default service account in the form:

    service_account_id@PROJECT_ID.iam.gserviceaccount.com

  4. Copy the email address.

  5. Use that email address to grant the Compute Network User role (roles/compute.networkUser, which includes compute.subnetworks.use) on the Shared VPC host project (Project B in the example above) to the Migrate for Compute Engine default service account. The binding is applied to the Shared VPC host project, while the service account itself belongs to the Migrate for Compute Engine host project (Project A), so the two project IDs in the command differ; because the principal is a service account, its member string uses the serviceAccount: prefix, not user:

    gcloud projects add-iam-policy-binding SHARED_VPC_HOST_PROJECT_ID \
       --member=serviceAccount:service_account_id@MIGRATE_HOST_PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/compute.networkUser
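The following Python is an added example (not part of this page and not Google's tooling) that verifies the outcome of the procedure above: given the IAM policy of the Shared VPC host project as returned by `gcloud projects get-iam-policy --format=json`, it checks whether the Migrate for Compute Engine default service account holds roles/compute.networkUser, adds the binding idempotently if it is missing, and flags members whose prefix does not match a service-account email (the `user:` form produced by a mistyped command). The project IDs, the service account ID and the policy document are constructed for the example.

```python
"""Check and repair the Shared VPC host-project binding needed by Migrate for
Compute Engine. Added example, not Google's code. The policy below is a
constructed stand-in for `gcloud projects get-iam-policy --format=json` output;
project IDs and the service account ID are hypothetical."""
import copy
import re

# Predefined role that carries the compute.subnetworks.use permission.
NETWORK_USER_ROLE = "roles/compute.networkUser"

# Approximate shape of a user-managed service account email:
# 6-30 char account ID, 6-30 char project ID, fixed domain.
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$"
)


def sa_member(email: str) -> str:
    """Build the IAM member string for a service account; reject anything else."""
    if not SA_EMAIL_RE.match(email):
        raise ValueError(f"not a service account email: {email}")
    return f"serviceAccount:{email}"


def required_binding(sa_email: str, shared_vpc_host_project: str) -> dict:
    """The single binding the page asks for: role on the Shared VPC host
    project (Project B), granted to the SA that lives in Project A."""
    return {
        "project": shared_vpc_host_project,
        "member": sa_member(sa_email),
        "role": NETWORK_USER_ROLE,
    }


def gcloud_command(binding: dict) -> str:
    """Render the equivalent gcloud invocation for review before running it."""
    return (
        f"gcloud projects add-iam-policy-binding {binding['project']} "
        f"--member={binding['member']} --role={binding['role']}"
    )


def members_with_role(policy: dict, role: str):
    """Yield members of unconditional bindings for the given role."""
    for b in policy.get("bindings", []):
        if b.get("role") == role and "condition" not in b:
            yield from b.get("members", [])


def has_binding(policy: dict, sa_email: str, role: str = NETWORK_USER_ROLE) -> bool:
    return sa_member(sa_email) in set(members_with_role(policy, role))


def misprefixed_service_accounts(policy: dict) -> list:
    """Return (role, member) pairs where a *.iam.gserviceaccount.com identity
    was bound with a prefix other than serviceAccount:."""
    bad = []
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            prefix, _, ident = m.partition(":")
            if prefix != "serviceAccount" and ident.endswith(".iam.gserviceaccount.com"):
                bad.append((b["role"], m))
    return bad


def grant(policy: dict, sa_email: str, role: str = NETWORK_USER_ROLE) -> dict:
    """Return a copy of the policy with the binding present (idempotent).
    The etag is kept so the result can be fed to `set-iam-policy`."""
    new = copy.deepcopy(policy)
    member = sa_member(sa_email)
    for b in new.setdefault("bindings", []):
        if b.get("role") == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


# Constructed sample: the Migrate for Compute Engine default SA from
# hypothetical Project A, and a policy on hypothetical Project B that
# contains a mistyped user: binding but no serviceAccount: binding.
SA_EMAIL = "vm-migration@project-a.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "etag": "BwXEXAMPLE=",
    "version": 1,
    "bindings": [
        {"role": NETWORK_USER_ROLE, "members": ["user:" + SA_EMAIL]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    print("before:", has_binding(SAMPLE_POLICY, SA_EMAIL))
    print("mistyped:", misprefixed_service_accounts(SAMPLE_POLICY))
    print(gcloud_command(required_binding(SA_EMAIL, "project-b")))
    print("after:", has_binding(grant(SAMPLE_POLICY, SA_EMAIL), SA_EMAIL))
```

Run it against a real policy with `gcloud projects get-iam-policy SHARED_VPC_HOST_PROJECT_ID --format=json` piped into `json.load`. The page grants the role on the whole host project; if the migrated VMs only need one subnet, the tighter option is a subnet-level binding with `gcloud compute networks subnets add-iam-policy-binding`, which scopes compute.subnetworks.use to that subnet alone.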

For more on assigning roles and permissions to a user or service account, see Granting, changing, and revoking access to resources.