Migration Center IAM roles and permissions


If you create the Google Cloud project where you want to use Migration Center, you already have all the permissions required to activate Migration Center and manage resources in the product.

When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles to control the actions that the member can perform in Migration Center.

This page describes the typical roles you might want to assign to your project members and the permissions required to perform various actions.

Before you begin

Roles and actions

There are three main categories of actions that you can perform in Migration Center:

  • Activate Migration Center
  • Manage Migration Center resources
  • View Migration Center resources

As a best practice, assign each member of your project only the roles with the least privileges required for the actions that member needs to perform.

Activate Migration Center

Before you can use Migration Center, you need to activate it from the Google Cloud console. This one-time action includes activating the APIs and selecting a region to store your resources.

To get the permissions that you need to activate Migration Center, ask your administrator to grant you the following IAM roles on the project:

  • Migration Center Admin (migrationcenter.admin)
  • Editor (editor)

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to activate Migration Center. The exact permissions that are required are listed under Required permissions:

Required permissions

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • resourcemanager.projects.update
  • serviceusage.services.list
  • serviceusage.services.enable

You might also be able to get these permissions with custom roles or other predefined roles.

Manage Migration Center resources

Managing Migration Center resources includes actions such as generating a cost estimate, creating a Migration Center Collector, and removing assets.

To get the permissions that you need to manage Migration Center resources, ask your administrator to grant you the following IAM roles on the project:

  • Migration Center Admin (migrationcenter.admin)
  • Viewer (viewer)

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to manage Migration Center resources. The exact permissions that are required are listed under Required permissions:

Required permissions

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • serviceusage.services.list
  • iam.serviceAccounts.list
  • iam.serviceAccountKeys.list

You might also be able to get these permissions with custom roles or other predefined roles.

View Migration Center resources

To get the permissions that you need to view Migration Center resources, ask your administrator to grant you the following IAM roles on the project:

  • Migration Center Viewer (migrationcenter.viewer)
  • Viewer (viewer)
  • Rapid Migration Assessment Viewer (rma.viewer)

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to view Migration Center resources. The exact permissions that are required are listed under Required permissions:

Required permissions

  • migrationcenter.assets.get
  • migrationcenter.assets.list
  • migrationcenter.groups.get
  • migrationcenter.groups.list
  • migrationcenter.importJobs.get
  • migrationcenter.importJobs.list
  • migrationcenter.locations.*
  • migrationcenter.operations.get
  • migrationcenter.operations.list
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • rma.annotations.get
  • rma.collectors.get
  • rma.collectors.list
  • rma.locations.*
  • rma.operations.get
  • rma.operations.list

You might also be able to get these permissions with custom roles or other predefined roles.
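The least-privilege practice above can be checked against a project's IAM policy by comparing each member's grants with the role set this page lists for the action that member is meant to perform. The following is an added example, not Google's code: the policy, the member names, and the member-to-action mapping are constructed, and the role names are this page's role IDs with the `roles/` prefix that IAM policies use.

```python
# Role sets per action category, from this page (role IDs prefixed with "roles/").
REQUIRED_ROLES = {
    "activate": {"roles/migrationcenter.admin", "roles/editor"},
    "manage": {"roles/migrationcenter.admin", "roles/viewer"},
    "view": {"roles/migrationcenter.viewer", "roles/viewer", "roles/rma.viewer"},
}
PAGE_ROLES = set().union(*REQUIRED_ROLES.values())


def roles_by_member(policy):
    """Map each member to its unconditional and conditional role grants."""
    granted = {}
    for binding in policy.get("bindings", []):
        kind = "conditional" if binding.get("condition") else "unconditional"
        for member in binding.get("members", []):
            entry = granted.setdefault(member, {"unconditional": set(), "conditional": set()})
            entry[kind].add(binding["role"])
    return granted


def audit(policy, intended):
    """Report roles missing for, or beyond, each member's intended action (hypothetical map)."""
    # Roles are matched by name only; permissions inside roles are not expanded.
    granted = roles_by_member(policy)
    report = {}
    for member, action in intended.items():
        have = granted.get(member, {"unconditional": set(), "conditional": set()})
        needed = REQUIRED_ROLES[action]
        report[member] = {
            "missing": sorted(needed - have["unconditional"]),
            "excess": sorted((have["unconditional"] & PAGE_ROLES) - needed),
            # Conditional grants may not apply at request time; review them by hand.
            "conditional": sorted(have["conditional"] & needed),
        }
    return report

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/migrationcenter.viewer", "members": ["user:ana@example.com"]},
    {"role": "roles/viewer", "members": ["user:ana@example.com", "user:raj@example.com"]},
    {"role": "roles/rma.viewer", "members": ["user:ana@example.com"]},
    {"role": "roles/editor", "members": ["user:ana@example.com"]},
    {"role": "roles/migrationcenter.admin", "members": ["user:raj@example.com"],
     "condition": {"title": "temp", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
SAMPLE_INTENT = {"user:ana@example.com": "view", "user:raj@example.com": "manage"}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_INTENT))
```

In the sample, the member intended for viewing also holds Editor, which is reported as excess, and the member intended for managing holds Migration Center Admin only through a conditional binding, which is reported separately rather than counted as granted.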