Configuring GCP for Velostrata

This topic describes how to configure GCP so that you can use Velostrata.

Setting up a GCP account, organization, and project

  1. Go to the Google Cloud Platform Console and sign in. Or, if you don't already have an account, sign up to create one.
  2. To set up an organization, see Creating and managing organizations. For more information, see Best practices for enterprise organizations.
  3. Assign the following permissions to the people who will administer the organization and run the account and role creation script:
    1. Organization Role Administrator
    2. Organization Administrator
    3. Compute Admin
    4. (Project) Owner

For more information on IAM concepts such as GCP accounts, service accounts, and roles, see the IAM Overview.

  4. Create a GCP project to host Velostrata infrastructure on GCP. In the rest of this document, we'll call this the infrastructure project.

Setting up networks on GCP

Velostrata uses GCP Virtual Private Cloud networks and VPN connectivity to your source environment, and requires specific networking rules set up before migrations can be completed. For detailed information on firewall, routing, and network tagging for your deployment, see network access requirements.

Creating GCP roles and service accounts via Cloud Shell

Permissions overview

Velostrata requires a number of roles and service accounts on GCP. A role is a set of permissions, and service accounts are assigned these roles. Brief explanations of the roles and service accounts are provided below.

The Velostrata Manager role (velos_manager_[deployment_name]) and service account (velos-manager-[deployment_name]) have permissions to create all the resources for your migration (VMs, Cloud Storage buckets, etc.).

The Velostrata Cloud Extension role (velos_ce_[deployment_name]) and service account (velos-cloud-extension-[deployment_name]) have permissions to manage the Cloud Storage API for migrations.

If you are using multiple projects, the Velostrata Manager role is created at the organization level, and the Cloud Extension role is created in the infrastructure project. Service accounts, however, are created only under the infrastructure project.

This document describes the easiest way to create the appropriate service accounts, using a script available in Cloud Shell.

The script enables the following GCP APIs:

  • Cloud Resource Manager API
  • Identity and Access Management (IAM) API
  • Compute Engine API
  • Google Cloud Storage API
  • Stackdriver Logging API
  • Stackdriver Monitoring API

Though we don't recommend it, you can configure GCP manually.

Prerequisites

If you want to migrate to multiple projects within your organization, you need your numeric Organization ID.

Running the configuration script

To run the configuration script:

  1. Open Cloud Shell.
  2. Change to the directory containing the Velostrata script:
    cd /google/velostrata
  3. Choose a deployment name that will be appended to your service account and role IDs, for example main.
  4. Run the script as in one of the examples below.

Example single-project configuration

In this example, you will configure GCP with roles and service accounts in the velostrata infrastructure project and with the deployment name main.

./velostrata_sa_roles.py -p velostrata -d main

This command creates:

  • The velos_manager_main and velos_ce_main roles in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Example multiple-project configuration

In this example, you will configure GCP with roles and service accounts to handle migrations into multiple projects. The script will use the velostrata infrastructure project.

Running the script with the -o flag will create the manager role at the organization level, allowing you to migrate VMs to multiple projects.

./velostrata_sa_roles.py -p velostrata -d main \
  -o 12345678

This command creates:

  • The velos_manager_main role in the organization with ID 12345678.
  • The velos_ce_main role in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Appendix: Configuration script parameters

The velostrata_sa_roles.py script handles Cloud IAM configuration for Velostrata.

python3 velostrata_sa_roles.py -p PROJECT_ID -d DEPLOYMENT_NAME \
  [-o ORGANIZATION_ID]

REQUIRED FLAGS

-d or --deployment-name, the deployment's suffix that will be appended to Service Account and Role names. Must be less than 8 characters and can only contain lowercase letters and numbers.

-p or --project-id, the ID of the GCP project that will host your migration.

OPTIONAL FLAGS

-o or --org-id takes a numeric GCP organization ID.
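
The following is an added example, not part of the Velostrata script or this page's original code: it derives the role and service account names described above from the script's parameters and builds read-only gcloud commands for confirming what exists after the run. It assumes the deployment name must be non-empty, and the function names are hypothetical.

```python
import re
import shlex

# Appendix rule: fewer than 8 characters, lowercase letters and digits only.
# Assumption: the name must also be non-empty.
DEPLOYMENT_RE = re.compile(r"[a-z0-9]{1,7}")


def expected_resources(project_id, deployment, org_id=None):
    """Return (roles, service_accounts) the page says the script creates."""
    if not DEPLOYMENT_RE.fullmatch(deployment):
        raise ValueError(f"invalid deployment name: {deployment!r}")
    if org_id is not None and not re.fullmatch(r"[0-9]+", str(org_id)):
        raise ValueError("organization ID must be numeric")
    project_scope = ("project", project_id)
    # With -o the manager role is created at the organization level; the
    # Cloud Extension role and both service accounts stay in the project.
    manager_scope = ("organization", str(org_id)) if org_id is not None else project_scope
    roles = [
        (f"velos_manager_{deployment}", manager_scope),
        (f"velos_ce_{deployment}", project_scope),
    ]
    domain = f"{project_id}.iam.gserviceaccount.com"
    service_accounts = [
        f"velos-manager-{deployment}@{domain}",
        f"velos-cloud-extension-{deployment}@{domain}",
    ]
    return roles, service_accounts


def audit_commands(project_id, deployment, org_id=None):
    """Build read-only gcloud commands to confirm what exists after the run."""
    roles, service_accounts = expected_resources(project_id, deployment, org_id)
    cmds = []
    for role_id, (kind, ident) in roles:
        cmds.append(f"gcloud iam roles describe {shlex.quote(role_id)} "
                    f"--{kind}={shlex.quote(ident)}")
    for email in service_accounts:
        cmds.append(f"gcloud iam service-accounts describe {shlex.quote(email)} "
                    f"--project={shlex.quote(project_id)}")
    return cmds


if __name__ == "__main__":
    # Values taken from the page's multiple-project example.
    print("\n".join(audit_commands("velostrata", "main", "12345678")))
```

The output of `gcloud iam roles describe` lists the permissions each custom role includes, which lets you review what the two service accounts can do before starting a migration.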
