Migrate to Virtual Machines creates a default service account when you enable the Migrate to Virtual Machines API on the host project.
To be able to assign the service account used to run a Compute Engine instance on a target project, you must add the necessary permissions to the Migrate to Virtual Machines default service account.
About the service account used to run a Compute Engine instance
Before you can test-clone or cut-over a VM, you must configure the target details of the Compute Engine instance used to host the migrated VM. For both a test and a production environment, configure the target details for the Compute Engine instance to specify:
- Google project
- Number of CPUs
- Amount of memory
- Disk size
For example, you have the following environment:
- Project A - Migrate to Virtual Machines host project
- Project B - Compute Engine target project
By default, the Compute Engine instance running on target Project B does not have a service account assigned to it.
If the target Compute Engine instance requires access to Google Cloud services and APIs, create a service account in the target project with the necessary permissions to access those services and APIs. Then, assign that service account to the Compute Engine instance when you configure its target details.
You perform all configuration of Compute Engine instances from the Migrate to Virtual Machines host project. Before you can assign a service account in the target project to aCompute Engine instance, you must ensure that the Migrate to Virtual Machines default service account has the necessary permissions on the target service account.
Configuring the default service account
To assign a service account to a Compute Engine
instance running on a target project, the default Migrate to Virtual Machines
service account on the host project must be added to the Service Account User
role on the target service account.
To add the default service account to the Service Account User role:
Determine the email address of the Migrate to Virtual Machines default service account:
Open the Migrate to Virtual Machines page in the Google Cloud console:
Select the Targets tab.
At the top of the page is an information box showing the email address of the Migrate to Virtual Machines default service account in the form:
service-HOST_PROJECT_NUMBER@gcp-sa-vmmigration.iam.gserviceaccount.com
Save that email address for use below.
In the Google Cloud console, go to the Service Accounts page.
Select the target project.
Select the checkbox next to the chosen target service account.
Click Manage Access. A list of roles that have been granted on the service account are displayed.
Expand the Service Account User role to view the principals that have been granted that role on the service account.
If the email address of the Migrate to Virtual Machines default service account is not listed, select Add Principal.
Enter the email address of the Migrate to Virtual Machines default service account as the New principal.
Select the Service Accounts > Service Account User role.
Select Save.
You should now be able to assign the service account to a Compute Engine instance running on a target project.