Enabling Google services and configuring service accounts
Before you can begin a migration, you must perform the steps in the sections below.
Enabling the Google Cloud CLI and required services
All Migrate to Containers users must configure the Google Cloud CLI and enable the required Google services.
Preparing the Google Cloud CLI
To prepare gcloud:
- Install and initialize the gcloud CLI.
- Update the gcloud CLI:
gcloud components update
- Make sure that the gcloud CLI is authorized to access your data and services:
gcloud auth login
A new browser tab opens and you are prompted to choose an account.
Set the credentials required to access a Cloud Storage bucket.
For an individual user, use the following gcloud command:
gcloud auth application-default login
A new browser tab opens and you are prompted to choose an account.
Alternatively, if you are using a service account, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON file that contains your service account key:
export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"
Enabling required services
Migrate to Containers requires that you enable the following Google services:
Name | Title |
---|---|
servicemanagement.googleapis.com | Service Management API |
servicecontrol.googleapis.com | Service Control API |
cloudresourcemanager.googleapis.com | Cloud Resource Manager API |
compute.googleapis.com | Compute Engine API |
container.googleapis.com | Kubernetes Engine API |
containerregistry.googleapis.com | Container Registry API |
cloudbuild.googleapis.com | Cloud Build API |
To confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable servicemanagement.googleapis.com servicecontrol.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com container.googleapis.com containerregistry.googleapis.com cloudbuild.googleapis.com
For more information about the gcloud services, see gcloud services.
Configuring service accounts
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
For example, a Compute Engine VM may run as a service account, and that account can be given permissions to access the resources it needs. This way the service account is the identity of the service, and the service account's permissions control which resources the service can access.
When using Migrate to Containers, you create two service accounts:
- A service account used by Migrate to Containers to access Container Registry and Cloud Storage. This service account is required for Migrate to Containers components to be able to access the Container Registry and to access a Cloud Storage bucket. If you are not using these data repositories, you do not have to define this service account. See Defining data repositories for more.
- A service account for using Compute Engine as a migration source. This service account is used to access Compute Engine resources when migrating Compute Engine VMs. If you are not using Compute Engine as a migration source then you can omit this service account.
Best practices when using service accounts
As a best practice, create a separate service account in the same project as you are using for Migrate to Containers. Then assign the service account only the permissions necessary to perform the required operation. In that way, you limit the permissions associated with the service account.
Creating a service account for accessing Container Registry and Cloud Storage
Create a service account with the storage.admin role and pass it when you install Migrate to Containers components:
- Create the m4a-install service account:
gcloud iam service-accounts create m4a-install \
  --project=PROJECT_ID
- Grant the storage.admin role to the service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:m4a-install@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.admin"
- Download the key file for the service account:
gcloud iam service-accounts keys create m4a-install.json \
  --iam-account=m4a-install@PROJECT_ID.iam.gserviceaccount.com \
  --project=PROJECT_ID
After downloading the service account key as a JSON file, you can install Migrate to Containers on the destination Google Kubernetes Engine cluster using the procedure described in Installing Migrate to Containers.
Creating a service account using Compute Engine as a migration source
To use Compute Engine as a migration source, create a service account with the compute.viewer and compute.storageAdmin roles:
- Create the m4a-ce-src service account:
gcloud iam service-accounts create m4a-ce-src \
  --project=PROJECT_ID
- Grant the compute.viewer role to the service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.viewer"
- Grant the compute.storageAdmin role to the service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.storageAdmin"
- Download the key file for the service account:
gcloud iam service-accounts keys create m4a-ce-src.json \
  --iam-account=m4a-ce-src@PROJECT_ID.iam.gserviceaccount.com \
  --project=PROJECT_ID
After downloading the service account key as a JSON file, you can create a source for migrating Compute Engine workloads. See Adding a migration source.
Use Migrate to Virtual Machines as a migration source
Prepare Migrate to Virtual Machines as a migration source
To use Migrate to Virtual Machines 5.0 as a migration source, you must first enable the Migrate to Virtual Machines services and install the connector, as described in the following steps:
Specify the Migrate to Virtual Machines service account
To use Migrate to Virtual Machines as a migration source, create a service account with the vmmigration.admin role bound on the service project:
- Create the m2c-m2vm-src-service service account:
gcloud iam service-accounts create m2c-m2vm-src-service --project=PROJECT_ID
- Grant the vmmigration.admin role to the service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:m2c-m2vm-src-service@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/vmmigration.admin"
- Download the key file for the service account:
gcloud iam service-accounts keys create m2c-m2vm-src-service.json \
  --iam-account=m2c-m2vm-src-service@PROJECT_ID.iam.gserviceaccount.com \
  --project=PROJECT_ID
Specify the Migrate to Virtual Machines target project service account
To use Migrate to Virtual Machines as a migration source, create a service account with the compute.instanceAdmin.v1 and compute.storageAdmin roles bound on the target project:
- Create the m2c-m2vm-src-gce service account:
gcloud iam service-accounts create m2c-m2vm-src-gce --project=PROJECT_ID
- Grant the compute.instanceAdmin.v1 role to the service account:
gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
  --member="serviceAccount:m2c-m2vm-src-gce@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.instanceAdmin.v1"
- Grant the compute.storageAdmin role to the service account:
gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
  --member="serviceAccount:m2c-m2vm-src-gce@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.storageAdmin"
- Download the key file for the service account:
gcloud iam service-accounts keys create m2c-m2vm-src-gce.json \
  --iam-account=m2c-m2vm-src-gce@PROJECT_ID.iam.gserviceaccount.com \
  --project=PROJECT_ID
After downloading the service account key as a JSON file, you can create a source for migrating Migrate to Virtual Machines workloads. See Adding a migration source.
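To check the best practice of granting only the necessary permissions against a real project, the following added script (an example written for this page, not part of Migrate to Containers or the gcloud CLI) compares the roles bound to each service account with the roles this page grants. The function names, the sample policy, and the my-proj project ID are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Input on stdin is one
# "ROLE<TAB>MEMBER" line per binding, assumed to be the output of:
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"

# Roles this page grants to each service account.
expected_roles() {
  case "$1" in
    m4a-install)          echo "roles/storage.admin" ;;
    m4a-ce-src)           echo "roles/compute.viewer roles/compute.storageAdmin" ;;
    m2c-m2vm-src-service) echo "roles/vmmigration.admin" ;;
    m2c-m2vm-src-gce)     echo "roles/compute.instanceAdmin.v1 roles/compute.storageAdmin" ;;
    *) return 1 ;;
  esac
}

# audit_sa NAME PROJECT_ID  (PROJECT_ID = project that owns the account)
# Prints "EXTRA <role>" or "MISSING <role>" lines; returns 0 only on an exact match.
audit_sa() {
  name=$1; project=$2
  want=$(expected_roles "$name") || { echo "UNKNOWN $name"; return 2; }
  member="serviceAccount:${name}@${project}.iam.gserviceaccount.com"
  have=$(awk -F '\t' -v m="$member" '$2 == m { print $1 }' | sort -u)
  report=""
  for r in $have; do   # roles held but not listed on this page
    case " $want " in *" $r "*) ;; *) report="${report}EXTRA $r
" ;; esac
  done
  for r in $want; do   # roles listed on this page but not bound
    printf '%s\n' "$have" | grep -qxF "$r" || report="${report}MISSING $r
"
  done
  printf '%s' "$report"
  [ -z "$report" ]
}

# Constructed sample policy (project "my-proj" is a placeholder).
SAMPLE_POLICY=$(printf '%s\t%s\n' \
  roles/storage.admin "serviceAccount:m4a-install@my-proj.iam.gserviceaccount.com" \
  roles/editor "serviceAccount:m4a-install@my-proj.iam.gserviceaccount.com" \
  roles/compute.viewer "serviceAccount:m4a-ce-src@my-proj.iam.gserviceaccount.com" \
  roles/vmmigration.admin "serviceAccount:m2c-m2vm-src-service@my-proj.iam.gserviceaccount.com" \
  roles/storage.admin "user:alice@example.com")

printf '%s\n' "$SAMPLE_POLICY" | audit_sa m4a-install my-proj || echo "drift found"
```

For m2c-m2vm-src-gce, pipe in the policy of TARGET_PROJECT_ID while still passing PROJECT_ID as the second argument, because its roles are bound on the target project.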
What's next
- Configure a Google Kubernetes Engine (GKE) or Anthos cluster on Google Cloud as a processing cluster for Linux or Windows.
- Configure an Anthos on bare metal cluster for Linux.
- Learn how you can access Google Cloud services with your workforce or other cloud identities.