Configuring GCP for Velostrata

This document describes how to configure Velostrata to work with GCP. Velostrata requires that you set up the following GCP resources:

  • User account
  • Organization
  • Project
  • Virtual Private Cloud network (Google recommends using a custom network)
  • Subnet
  • Cloud VPN connectivity to your on-premises data center

You also need to export your private key from your GCP account using a GCP Credential File.

Setting up a GCP account, organization, and project

  1. Go to the Google Cloud Platform Console and sign in or, if you don't already have an account, sign-up to create one.
  2. To set up an organization, see Creating and managing organizations and read Best practices for enterprise organizations.
  3. Assign the following permissions for people who will administer the organization and run the account and role creation script:
    1. Organization Administrator
    2. Compute Admin
    3. (Project) Owner

To understand IAM concepts such as GCP accounts, service accounts, etc., see the IAM Overview.

Setting up networks on GCP

Velostrata uses GCP Virtual Private Cloud (VPC) networks and VPN connectivity to your on-premises data center or other clouds from which you are planning to migrate.

Inside the VPC network, Velostrata uses subnets for Cloud Edge components. Outbound internet access is enabled by default for VPC subnets. This enables the Velostrata Cloud Edge nodes to send data to the Velostrata Telemetry Service and the Google Cloud Storage service.

For detailed information on firewall, routing, and network tagging considerations for your Velostrata deployment, see Velostrata network access requirements.

Creating GCP roles and service accounts via Cloud Shell

Permissions overview

Velostrata requires a number of roles and service accounts on GCP. Roles are a set of permissions. Service accounts are assigned these roles. Brief explanations of the roles are provided below. They are also available in Jinja templates accessible in Cloud Shell under the /google/velostrata directory.

The Velostrata Management service account (velos-gcp-mgmt-sa) creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).

The Velostrata Cloud Extension service account (velos-gcp-ce-sa) has permissions to manage GCP Cloud Storage for migrations.

The Velostrata Project Worker service account (velos-gcp-worker-sa) uses the same subset of GCP storage permissions as the Cloud Extension account, but is only used for the Prepare to Detach operation. During this, a Velostrata Worker VM prepares a Cloud Storage bucket, ensures that data from a VM to be detached is fully synchronized with the cloud, and writes from that bucket to a native Compute Engine disk.

The total number and placement of service accounts depends on the number of GCP projects your organization uses for a migration. If you are using multiple projects, all roles are created uniquely within the organization. Service accounts, however, are created under different projects.

This document describes the easiest and fastest way to create the appropriate service accounts, using the Velostrata service account and roles utility available in Cloud Shell.

Though we don't recommended it, you can also configure GCP following the guidance in Configuring GCP manually.


The script enables the following GCP APIs:

  • Cloud Resource Manager API
  • Identity and Access Management (IAM) API
  • Compute Engine API
  • Google Cloud Storage API
  • Google Cloud Deployment Manager API

The user running Cloud Shell needs the following IAM roles:

  • Owner
  • Compute Admin
  • Organization Administrator

From GCP, you need the following information:

  • Numeric Organization ID
  • Project IDs

The script requires elevated permissions, so commands must be run with sudo.

Running the configuration script

To run the configuration script:

  1. Launch Cloud Shell.
  2. Change to the directory containing the Velostrata script:
    cd /google/velostrata

Run the script with the following command:

sudo ./ COMMAND

Where COMMAND is either:

  • list-projects, which lists all the projects the user has the permissions to access.
  • deploy, which creates and assigns the service accounts for your migration.


Here's an example with the script using list-projects.

sudo ./ list-projects [--org-id organization_id] [--projects-file filename]


--org-id takes a numeric GCP organization ID. Returns only projects from that organization.

--projects-file Saves output to a file.


Here's an example with the script using deploy.

sudo ./ deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt [--audit]


--host-proj-id, the ID of the GCP project that contains the Velostrata Manager,

--ce-proj-id, the project that will contain your Cloud Extensions.


--org-id takes a numeric GCP organization ID. Returns only projects from that organization.

--audit generates a shell script (named deployment_[RANDOM].sh, where random is a random string generated by the script) that allows you to verify the commands to be executed.

--projects-file a text file that contains GCP project IDs, one per line.


To configure Velostrata to use a single project for all migrated VMs:

sudo ./ deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt

To configure Velostrata to use multiple projects, using all available projects in the GCP organization as target projects for workloads:

sudo ./ deploy --host-proj-id host_proj_id --ce-proj-id ce_proj_id --org-id org_id

Saving the scripts

The role creation script generates a series of files that you must copy in order to keep. From Cloud Shell, you can save copies to your local machine or copy them to a Cloud Storage bucket.

Make a local copy

To copy the deployment and rollback scripts to your local machine from the Cloud Shell environment:

  1. Find the fully qualified file names that you want to copy, for example /google/velostrata/
  2. Click the expanded menu button more_vert above the Cloud Shell terminal.
  3. Click Download file.
  4. Enter the Fully qualified file path of the file you want to download.
  5. Repeat for any other files you would like a copy of.

Copy to Cloud

Files can be copied from Cloud Shell to a Cloud Storage bucket using the gsutil cp command.

gsutil cp deployment_rollback_*.sh gs://my-bucket

Rolling back the script

If you need to roll back your service account setup, run the following command:

sudo ./deployment_rollback_[RANDOM].sh

Creating the GCP Credential File

Before you can add a Cloud Extension using the Velostrata Manager, you need to export your private key from the GCP console.


  1. Open IAM & Admin > Service Accounts.
  2. If necessary, select your project from the Select a project menu.
  3. Find the Velostrata service account you created that ends in "mgmt-sa".
  4. Click the action more_vert menu to the right of that line and select the Create Key option.
  5. Select JSON as your Key Type and click Create.
  6. Download the file.
Was this page helpful? Let us know how we did:

Send feedback about...

Velostrata - Cloud Migration Software for GCP