Migration Center IAM roles and permissions

If you create the Google Cloud project where you want to use Migration Center, you already have all the permissions required to activate Migration Center and manage resources in the product.

When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles to control the actions that the member can perform in Migration Center.

This page describes the typical roles you might want to assign to your project members and the permissions required to perform various actions.

Before you begin

• Read the IAM documentation.

Roles and actions

There are three main categories of actions that you can perform in Migration Center:

• Activate Migration Center.
• Manage Migration Center resources.
• View Migration Center resources.

As a best practice, assign members of your project the roles with the least amount of privileges required to perform the actions they need to perform.

Create the Migration Center Additional Role

As a preliminary step before you assign roles to the members of your organization, create a custom role to simplify how you manage permissions. Follow these steps:

1. In the Google Cloud console, go to IAM & Admin > Roles.

   Go to Roles

2. Click add Create role

3. In the Create role page, fill in the following fields:

   • Title: "Migration Center Additional Role"

   • Description: "Additional roles needed for Migration Center scenarios"

4. Click add Add permissions.

5. From the list of permissions, search for the following permissions and select them:

   • iam.serviceAccountKeys.list
   • iam.serviceAccounts.list
   • resourcemanager.projects.update
   • serviceusage.services.enable

   Then, to add your permissions, click Add.

6. To finish, click Create.

Activate Migration Center

Before you can use Migration Center, you need to activate it from the Google Cloud console. This one-time action includes activating the APIs and selecting a region to store your resources.

To get the permissions that you need to activate Migration Center, ask your administrator to grant you the following IAM roles on the project:

• Migration Center Admin (migrationcenter.admin)
• Migration Center Additional Role

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to activate Migration Center. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to activate Migration Center:

• migrationcenter.*
• resourcemanager.projects.get
• resourcemanager.projects.list
• rma.*
• resourcemanager.projects.update
• serviceusage.services.list
• serviceusage.services.enable
• iam.serviceAccountKeys.list
• iam.serviceAccounts.list
• resourcemanager.projects.update

You might also be able to get these permissions with custom roles or other predefined roles.

Manage Migration Center resources

Managing Migration Center resources includes actions such as generating a cost estimate, creating a discovery client, and removing assets.

To get the permissions that you need to manage Migration Center resources, ask your administrator to grant you the following IAM roles on the project:

• Migration Center Admin (migrationcenter.admin)
• Migration Center Additional Role
• Viewer (viewer)
• Service Account Key Admin (iam.serviceAccountKeyAdmin)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to manage Migration Center resources. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to manage Migration Center resources:

• migrationcenter.*
• resourcemanager.projects.get
• resourcemanager.projects.list
• rma.*
• serviceusage.services.list
• iam.serviceAccounts.list
• iam.serviceAccountKeys.list

You might also be able to get these permissions with custom roles or other predefined roles.

View Migration Center resources

To get the permissions that you need to view Migration Center resources, ask your administrator to grant you the following IAM roles on the project:

• Migration Center Viewer (migrationcenter.viewer)
• Viewer (viewer)
• Rapid Migration Assessment Viewer (rma.viewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to view Migration Center resources. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to view Migration Center resources:

• migrationcenter.assets.get
• migrationcenter.assets.list
• migrationcenter.groups.get
• migrationcenter.groups.list
• migrationcenter.importJobs.get
• migrationcenter.importJobs.list
• migrationcenter.locations.*
• migrationcenter.operations.get
• migrationcenter.operations.list
• migrationcenter.sources.get
• migrationcenter.sources.list
• resourcemanager.projects.get
• resourcemanager.projects.list
• serviceusage.services.list
• resourcemanager.projects.get
• resourcemanager.projects.list
• rma.annotations.get
• rma.collectors.get
• rma.collectors.list
• rma.locations.*
• rma.operations.get
• rma.operations.list

You might also be able to get these permissions with custom roles or other predefined roles.

Roles and permissions

The following tables show the roles and permissions available in Migration Center.

Migration Center roles and permissions

Rapid Migration Assessment roles and permissions