Version 5.0

Configuring permissions on target project service account

Migrate for Compute Engine creates a default service account when you enable the Migrate for Compute Engine API on the host project.

To be able to assign the service account used to run a Compute Engine instance on a target project, you must add the necessary permissions to the Migrate for Compute Engine default service account.

About the service account used to run a Compute Engine instance

Before you can test-clone or cut-over a VM, you must configure the target details of the Compute Engine instance used to host the migrated VM. For both a test and a production environment, configure the target details for the Compute Engine instance to specify:

  • Google project
  • Number of CPUs
  • Amount of memory
  • Disk size

For example, you have the following environment:

  • Project A - Migrate for Compute Engine host project
  • Project B - Compute Engine target project

By default, the Compute Engine instance running on target Project B does not have a service account assigned to it.

If the target Compute Engine instance requires access to Google Cloud services and APIs, create a service account in the target project with the necessary permissions to access those services and APIs. Then, assign that service account to the Compute Engine instance when you configure its target details.

You perform all configuration of Compute Engine instances from the Migrate for Compute Engine host project. Before you can assign a service account in the target project to a Compute Engine instance, you must ensure that the Migrate for Compute Engine default service account has the necessary permissions on the target service account.

Configuring the default service account

To assign a service account to a Compute Engine instance running on a target project, the default Migrate for Compute Engine service account on the host project must be added to the Service Account User role on the target service account.

To add the default service account to the Service Account User role:

  1. Determine the email address of the Migrate for Compute Engine default service account:

    1. Open the Migrate for Compute Engine page in the Google Cloud Console:

      Go to the Migrate for Compute Engine page

    2. Select the Targets tab.

      At the top of the page is an information box showing the email address of the Migrate for Compute Engine default service account in the form:

      service-HOST_PROJECT_NUMBER@gcp-sa-vmmigration.iam.gserviceaccount.com

    3. Save that email address for use below.

  2. In the Google Cloud Console, go to the Service Accounts page.

    Go to the Service Accounts page

  3. Select the target project.

  4. Select the checkbox next to the desired target service account.

  5. Click Manage Access. A list of roles that have been granted on the service account is displayed.

  6. Expand the Service Account User role to view the principals that have been granted that role on the service account.

  7. If the email address of the Migrate for Compute Engine default service account is not listed, select Add Principal.

  8. Enter the email address of the Migrate for Compute Engine default service account as the New principal.

  9. Select the Service Accounts > Service Account User role.

  10. Select Save.

    You should now be able to assign the service account to a Compute Engine instance running on a target project.
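
The same grant can be made with the gcloud CLI. The script below is an added example, not part of the original documentation: it checks who already holds the Service Account User role (roles/iam.serviceAccountUser) on the target service account and adds the Migrate for Compute Engine default service account only if it is missing. The function names are hypothetical, and the project number and service account email in the usage comment are constructed placeholders.

```sh
#!/bin/sh
# Added example: CLI equivalent of console steps 1-10 above.
ROLE="roles/iam.serviceAccountUser"   # role ID of "Service Account User"

# Build the IAM member string for the Migrate for Compute Engine default
# service account from the HOST project number (the form shown in step 1).
migrate_member() {
  case "$1" in
    ''|*[!0-9]*) echo "host project number must be numeric: $1" >&2; return 1 ;;
  esac
  printf 'serviceAccount:service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com\n' "$1"
}

# Print every principal that holds $ROLE on the given service account,
# one per line (what step 6 shows in the console).
role_members() {
  gcloud iam service-accounts get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.role:$ROLE" \
    --format='value(bindings.members)'
}

# Grant $ROLE on the target service account only if the binding is missing
# (steps 7-10). Arguments: TARGET_SA_EMAIL HOST_PROJECT_NUMBER
ensure_sa_user() {
  esu_sa="$1"
  esu_member="$(migrate_member "$2")" || return 1
  # Stop if the policy cannot be read instead of granting blindly.
  esu_current="$(role_members "$esu_sa")" || return 1
  if printf '%s\n' "$esu_current" | grep -Fxq -- "$esu_member"; then
    echo "already granted"
  else
    gcloud iam service-accounts add-iam-policy-binding "$esu_sa" \
      --member="$esu_member" --role="$ROLE" >/dev/null && echo "granted"
  fi
}

# Usage (constructed placeholder values; replace with your own):
#   ensure_sa_user migrated-vm@project-b.iam.gserviceaccount.com 123456789012
#   role_members   migrated-vm@project-b.iam.gserviceaccount.com
```

The binding is set on the target service account itself, not on the target project, so the default service account can act as that one account only. Running role_members afterwards shows every principal that holds the role on it.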