Migrate for Compute Engine creates a default service account when you enable the Migrate for Compute Engine API on the host project. You typically do not have to make any changes to this service account.
However, to control the service account used to run a Compute Engine instance on a target project, you must add a permission to the Migrate for Compute Engine default service account on the host project.
About the service account used to run a Compute Engine instance
Before you can test-clone or cut-over a VM, you must configure the target details of the Compute Engine instance used to host the migrated VM. For both a test and a production environment, configure the target details for the Compute Engine instance to specify:
- Google project
- Number of CPUs
- Amount of memory
- Disk size
For example, you have the following environment:
- Project A - Migrate for Compute Engine host project
- Project B - Compute Engine target project
By default, the Compute Engine instance running on target Project B does not have a service account assigned to it.
If the target Compute Engine instance requires access to Google Cloud services and APIs, create a service account in the target project with the necessary permissions to access those services and APIs. Then, assign that service account to the Compute Engine instance when you configure its target details.
You perform all configuration of Compute Engine instances from the Migrate for Compute Engine host project. Before you can assign a service account in the target project to a Compute Engine instance, you must ensure that the host project has the necessary permissions on the target service account.
Configuring the host project to assign a service account on a target project
To assign a service account to a Compute Engine instance running on a target project, the default Migrate for Compute Engine service account on the host project must be added to the Service Account User role on the target service account.
To add the default service account to the Service Account User role:
1. Determine the email address of the Migrate for Compute Engine default service account:
   - Open the Migrate for Compute Engine page in the Google Cloud Console:
   - Select the Targets tab.
   - Select Add Project.
     A panel opens listing the available projects. At the top of the panel is an information box showing the email address of the Migrate for Compute Engine default service account in the form:
   - Save that email address for use below.
2. In the Google Cloud Console, go to the Service Accounts page.
3. Select the target project.
4. Select the checkbox next to the desired target service account.
5. Click Manage Access. A list of roles that have been granted on the service account is displayed.
6. Expand the Service Account User role to view the members that have been granted that role on the service account.
7. If the email address of the Migrate for Compute Engine default service account is not listed, select Add Member.
8. Enter the email address of the Migrate for Compute Engine default service account as the New member.
9. Select the Service Accounts > Service Account User role.
You should now be able to assign the service account to a Compute Engine instance running on a target project.
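The following added example, which is not part of the original documentation, performs the check from the steps above against the target service account's IAM policy in the JSON form that `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` returns. It reports whether the Migrate for Compute Engine default service account already holds the Service Account User role (`roles/iam.serviceAccountUser`), lists who else holds it so the grant can be reviewed, and builds the updated policy. The function name, the sample policy and the email address are constructed placeholders.

```python
import copy

ROLE = "roles/iam.serviceAccountUser"  # role ID of "Service Account User"

# Placeholder: use the address shown in the Add Project panel instead.
MIGRATE_SA = "migrate-default-sa@host-project.example"

# Constructed sample of a target service account's IAM policy.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXXXXXXXXX=",
    "bindings": [
        {"role": ROLE, "members": ["user:admin@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:ops@example.com"]},
    ],
}


def audit_binding(policy, migrate_sa_email):
    """Return (granted, other_members, updated_policy) for the target SA policy."""
    member = f"serviceAccount:{migrate_sa_email}"
    granted = False
    others = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE:
            continue
        members = binding.get("members", [])
        # A conditional binding applies only while its condition holds,
        # so it is not counted as the plain grant the procedure adds.
        if member in members and "condition" not in binding:
            granted = True
        others.update(m for m in members if m != member)

    # Work on a copy; the etag is preserved so a later write can detect
    # concurrent changes to the policy.
    updated = copy.deepcopy(policy)
    if not granted:
        for binding in updated.setdefault("bindings", []):
            if binding.get("role") == ROLE and "condition" not in binding:
                binding.setdefault("members", []).append(member)
                break
        else:
            updated["bindings"].append({"role": ROLE, "members": [member]})
    return granted, sorted(others), updated


if __name__ == "__main__":
    print(audit_binding(SAMPLE_POLICY, MIGRATE_SA))
```

Every member returned in the second value can also attach this service account to resources, so review that list whenever you add the Migrate for Compute Engine account.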