Creating GCP roles and service accounts manually

You may want more fine-grained control over the permissions granted for the migration process and migrated workloads. To enable this, Velostrata allows you to create roles and service accounts manually.

This page describes the role and service account creation process for two types of manual setup: a single, standalone project, and multiple projects under one organization.

Prerequisites

You must install the GCP SDK.

Instructions for a single project

Velostrata requires a number of roles and service accounts on GCP. Roles are a set of permissions. Service accounts are assigned these roles.

This section describes how to create the three service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.

The three service accounts are:

  • The Velostrata Management Service Account (velos-gcp-mgmt-sa), which creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).
  • The Velostrata Cloud Extension Service Account (velos-gcp-ce-sa), which has permissions to manage GCP Cloud Storage for migrations.
  • The Velostrata Project Worker Service Account (velos-gcp-worker-sa), which is used for the Prepare to Detach operation. It ensures that the data of a VM to be detached is fully synchronized to Cloud Storage, and writes that data from the bucket to a native Compute Engine disk.

More information on each of these service accounts, and their associated roles, is on the Configuring GCP page.

Creating roles

  1. Create the three Velostrata roles at the Project level within GCP:

    1. Open a command prompt as an administrative user and use the GCP SDK to run the following command. Replace the login parameter with your GCP account login information. This account needs permission to create custom roles and to set the IAM policy of the project.
      gcloud auth login login@google.com --no-launch-browser --brief
    2. Download the Cloud Deployment Manager zip file, which contains YAML configuration files.
    3. Unzip the file and save it to a directory you can access when creating the role account.
    4. Execute the following commands:
    gcloud iam roles create "velos_mgmt_role" --project [PROJECT_ID] \
    --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_ce_role" --project [PROJECT_ID] \
    --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_worker_role" --project [PROJECT_ID] \
    --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet

Creating service accounts and assigning roles to them

  1. Create the velos-gcp-mgmt-sa service account in GCP:

    gcloud config set project [PROJECT_ID]
    gcloud iam service-accounts create "velos-gcp-mgmt-sa" --display-name "Velos-gcp-mgmt-sa"

  2. Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account. A project-level custom role must be referenced by its full name, projects/[PROJECT_ID]/roles/velos_mgmt_role; gcloud rejects the bare role name.
    Note: The [PROJECT_ID] is the same one used in the previous step.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
    serviceAccount:"velos-gcp-mgmt-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role projects/[PROJECT_ID]/roles/velos_mgmt_role --no-user-output-enabled --quiet
  3. Create the velos-gcp-ce-sa service account in GCP. Create this account in the project where you plan to deploy the Velostrata Cloud Extension (CE).

    gcloud iam \
    service-accounts create "velos-gcp-ce-sa" --display-name \
    "velos-gcp-ce-sa"
  4. Assign the velos_ce_role, created above, to the velos-gcp-ce-sa service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
    serviceAccount:"velos-gcp-ce-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role projects/[PROJECT_ID]/roles/velos_ce_role --no-user-output-enabled --quiet
  5. Create the velos-gcp-worker-sa service account:

    gcloud iam service-accounts create "velos-gcp-worker-sa" \
    --display-name="velos-gcp-worker-sa"
  6. Assign the velos_worker_role, created above, to the velos-gcp-worker-sa service account within the CE project:

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
    serviceAccount:"velos-gcp-worker-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role projects/[PROJECT_ID]/roles/velos_worker_role --no-user-output-enabled --quiet

Instructions for multiple projects

The example used in this section refers to the following resources, which you use when creating and assigning roles and service accounts for multiple projects:

  • Organization: the GCP organization containing all account roles and service account objects.
  • Host Project: the GCP project that contains management service accounts.
  • Cloud Extension (CE) Project: the GCP project that hosts the Cloud Extension service accounts and VMs.
  • Destination Project: A GCP project that VMs are being migrated into.

The list below describes the command parameters used in the instructions to create roles and assign service accounts to roles for multiple projects. Where a gcloud list command is given, you can run it to view the existing values for that parameter.

  • orgadmin@google.com: the organization-level administrator account. List command: N/A.
  • organizationID: the numerical ID of the organization containing the projects, roles, and service accounts. List command:
      gcloud organizations list
  • projectID: the alphanumeric ID of the project where the velos-gcp-mgmt-sa and velos-gcp-ce-sa service accounts are created. List command:
      gcloud projects list \
      --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"
  • projectName: the name of the project associated with the above projectID. The name and the ID may or may not be the same. List command:
      gcloud projects list \
      --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"
  • serviceProjectID: the alphanumeric ID of the GCP project into which the VMs will be migrated (the destination project). List command:
      gcloud projects list \
      --format="table[box,title='ProjectsIDs'](name,projectId:label=ProjectID)"

For more information about the following gcloud commands and their parameters, see the Cloud SDK documentation.

Creating roles

The following steps will create roles for Velostrata on GCP.

  1. Create the Velostrata roles within GCP at the Organization level. Authenticate as the organization-level administrator:
    gcloud auth login orgadmin@google.com --no-launch-browser --brief
  2. Download the Velostrata_Manager zip file, which contains the YAML files needed to create these roles.
  3. Unzip the file and save to a directory you can access when creating roles.
  4. Execute the following commands:
gcloud iam roles create "velos_mgmt_role" --organization [organizationId] --file ./velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_ce_role" --organization [organizationId] --file ./velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_worker_role" --organization [organizationId] --file ./velos_gcp_org_worker_role.yaml --no-user-output-enabled --quiet
gcloud iam roles create "velos_listnetwork_role" --organization [organizationId] --file ./velos_gcp_org_listnetworks_role.yaml --no-user-output-enabled --quiet 
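Before creating either the project-level roles in the single-project instructions or the organization-level roles in this step, it is worth reviewing what the downloaded role files actually grant. The following Python script is an added example for this page, not part of Velostrata or the Cloud SDK: it parses the flat subset of the gcloud role-file format (title, description, stage, includedPermissions) and flags duplicate, wildcard and escalation-capable permissions. The embedded role definition is constructed for illustration and is not the real velos_gcp_org_*_role.yaml; the list of escalation-capable permissions is this example's own selection.

```python
"""Review a custom-role definition before running `gcloud iam roles create --file`.

Added example for this page; not Velostrata or Cloud SDK code. Only the flat
role-file subset (scalar keys plus the includedPermissions list) is parsed,
not full YAML. SAMPLE_ROLE_YAML is constructed and is NOT the real role file.
"""
from __future__ import annotations

# Permissions that let a holder reach beyond the role itself: changing IAM
# policy, acting as another service account, minting keys or tokens, or
# editing roles. Not automatically wrong, but they must be deliberate.
ESCALATION_PERMISSIONS = {
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.setIamPolicy",
    "iam.serviceAccountKeys.create",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
    "compute.instances.setServiceAccount",
}
VALID_STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}


def parse_role_file(text: str) -> dict:
    """Parse `key: value` scalars and the `includedPermissions:` list of a role file."""
    role: dict = {"includedPermissions": []}
    in_perms = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if in_perms and line.lstrip().startswith("- "):
            role["includedPermissions"].append(line.strip()[2:].strip())
            continue
        in_perms = False
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key = key.strip()
        if key == "includedPermissions":
            in_perms = True
        else:
            role[key] = value.strip().strip('"').strip("'")
    return role


def review_role(role: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: list[str] = []
    perms = role["includedPermissions"]
    if not perms:
        findings.append("role grants no permissions")
    for p in sorted({p for p in perms if perms.count(p) > 1}):
        findings.append(f"duplicate permission: {p}")
    for p in sorted(set(perms) & ESCALATION_PERMISSIONS):
        findings.append(f"escalation-capable permission: {p}")
    for p in perms:
        if "*" in p:  # custom roles must list permissions explicitly
            findings.append(f"wildcard permission is not allowed in custom roles: {p}")
    if role.get("stage", "GA").upper() not in VALID_STAGES:
        findings.append(f"unexpected stage: {role.get('stage')!r}")
    return findings


def review_role_text(text: str) -> list[str]:
    return review_role(parse_role_file(text))


# Constructed sample shaped like a gcloud role file; not the Velostrata file.
SAMPLE_ROLE_YAML = """\
title: "Velos Worker Role (sample)"
description: "Constructed sample for review"
stage: "GA"
includedPermissions:
- compute.disks.create
- compute.disks.get
- compute.instances.get
- storage.objects.get
- storage.objects.list
- iam.serviceAccounts.actAs   # would let the worker attach SAs to new VMs
- storage.objects.get
"""

if __name__ == "__main__":
    for finding in review_role_text(SAMPLE_ROLE_YAML):
        print(finding)
```

Run it against each of the four downloaded YAML files in turn (`review_role_text(open(path).read())`); a finding is a prompt to confirm the permission is needed for the migration, not an automatic rejection.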

Creating service accounts and assigning roles to them

  1. Create the velos-gcp-mgmt-sa service account in GCP. Although you can create the velos-gcp-mgmt-sa service account in any of your projects, Velostrata 4.0 by Google recommends creating this service account in the host project to simplify configuration.

    gcloud config set project [projectId]
    gcloud iam service-accounts create "velos-gcp-mgmt-sa" --display-name "Velos-gcp-mgmt-sa"
  2. Assign the velos_mgmt_role, created above, to the velos-gcp-mgmt-sa service account. Because the role was created at the organization level, it is referenced as organizations/[organizationId]/roles/velos_mgmt_role:

    gcloud projects add-iam-policy-binding [ProjectID] --member \
    serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
    --role organizations/[organizationId]/roles/velos_mgmt_role \
    --no-user-output-enabled --quiet
  3. Pick one of two options for assigning security privileges.

    • Option A assigns permissions at the organization-level. This has fewer steps but offers less granularity over permissions.
    • Option B assigns permissions on a per-project basis, which requires more steps but provides more granularity over permissions and access control.

    Once you have completed either option, continue to Finishing the configuration.

Option A – Assigning security privileges in the GCP Cloud IAM console

  1. For Option A, you'll assign the service account velos-gcp-mgmt-sa at the organization-level in the GCP IAM console. This gives the velos-gcp-mgmt-sa service account access to all projects in the organization so the GCP administrator does not have to create a service account in every project.
  2. Log in to the GCP console with your GCP account as an organization-level administrator.
  3. Click the project selection at the top and pick your organization.
  4. From the GCP menu, select IAM and click the ADD button.
  5. In the New Members field, enter the full email address of your velos-gcp-mgmt-sa service account (velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com).
  6. In the Select a role drop-down box, select Custom in the left-hand column, then Velos Mgmt Role in the right-hand column.
  7. Click Save.
  8. Continue to Finishing configuration

Option B – Assigning security privileges to the Velostrata service account

  1. Assign the velos_listnetwork_role (created above from velos_gcp_org_listnetworks_role.yaml) to the velos-gcp-mgmt-sa service account. Use the ID of the host project for the [ProjectID]:

    gcloud projects add-iam-policy-binding [ProjectID] --member \
    serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
    --role organizations/[organizationId]/roles/velos_listnetwork_role \
    --no-user-output-enabled --quiet

  2. Assign the velos_mgmt_role to the velos-gcp-mgmt-sa service account in each Cloud Extension (CE) destination project. [CEProjectID] is the CE project receiving the binding; [ProjectID] remains the host project in which velos-gcp-mgmt-sa was created:

    gcloud projects add-iam-policy-binding [CEProjectID] --member \
    serviceAccount:"velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com" \
    --role organizations/[organizationId]/roles/velos_mgmt_role \
    --no-user-output-enabled --quiet

  3. Continue to Finishing the configuration.

Finishing the configuration

  1. After you've completed either Option A or Option B, create the velos-gcp-ce-sa service account in GCP. Create this account in the destination project where you plan to deploy the Velostrata Cloud Extension (CE):

    gcloud config set project [CEProjectID]
    gcloud iam service-accounts create "velos-gcp-ce-sa" --display-name \
    "velos-gcp-ce-sa"
  2. Assign velos_ce_role to the velos-gcp-ce-sa service account. The service account address uses the CE project, because that is where it was created:

    gcloud projects add-iam-policy-binding [CEProjectID] --member \
    serviceAccount:"velos-gcp-ce-sa@[CEProjectID].iam.gserviceaccount.com" \
    --role organizations/[organizationId]/roles/velos_ce_role \
    --no-user-output-enabled --quiet
  3. Assign a policy that maps the velos-gcp-ce-sa service account to the velos-gcp-mgmt-sa service account. This step is required so that velos-gcp-mgmt-sa can attach velos-gcp-ce-sa to the Cloud Extension instances it creates. Note that set-iam-policy replaces the service account's entire IAM policy with the contents of the file, so any bindings already present on velos-gcp-ce-sa are removed.

    1. To do this, navigate to the folder with the YAML files you downloaded previously.
    2. Open the YAML file named "sa_mapping.yaml" in your preferred text editor. Note that YAML files are case- and space-sensitive.
    3. Go to Line 5 of the file, which looks similar to the following example:
      serviceAccount:velos-gcp-mgmt-sa@[ProjectID].iam.gserviceaccount.com
    4. Replace [ProjectID] with the ID of the project that contains the velos-gcp-mgmt-sa service account.
    5. Save the file and exit your text editor.
    6. Execute the following command at the command line:

      gcloud iam service-accounts set-iam-policy \
      "velos-gcp-ce-sa@[CEProjectID].iam.gserviceaccount.com" \
      ./sa_mapping.yaml --no-user-output-enabled --quiet
  4. Create the velos-gcp-worker-sa service account in the destination project. At the command line, execute the following commands:

    gcloud config set project [destinationProjectId]
    gcloud iam service-accounts create "velos-gcp-worker-sa" \
    --display-name="velos-gcp-worker-sa"
  5. Assign the velos_worker_role to the velos-gcp-worker-sa service account. The service account address uses the destination project, because that is where it was created:

    gcloud projects add-iam-policy-binding [CEProjectID] --member \
    serviceAccount:"velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
    --role organizations/[organizationId]/roles/velos_worker_role \
    --no-user-output-enabled --quiet
  6. Assign a policy that maps the velos-gcp-worker-sa service account to the velos-gcp-mgmt-sa service account. This is required so that velos-gcp-mgmt-sa can attach velos-gcp-worker-sa to the instances it creates. As in step 3, the existing IAM policy of the service account is replaced. Execute the following command:

    gcloud iam service-accounts set-iam-policy \
    "velos-gcp-worker-sa@[destinationProjectId].iam.gserviceaccount.com" \
    ./sa_mapping.yaml --no-user-output-enabled --quiet
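After the bindings are in place, in either the single-project or the multi-project setup, the resulting policy can be checked against the intended one-custom-role-per-service-account layout. The following Python script is an added example for this page, not Velostrata or Google code: it reads the JSON that `gcloud projects get-iam-policy [PROJECT_ID] --format=json` (or `gcloud organizations get-iam-policy` for Option A) prints and reports any Velostrata service account that holds a basic role, a role other than its own custom role, or no custom role at all. SAMPLE_POLICY_JSON is a constructed policy with deliberate mistakes; the project ID and organization number in it are placeholders, not a real export.

```python
"""Least-privilege audit of a project or organization IAM policy for the
Velostrata service accounts.

Added example for this page; not Velostrata or Google code. Input is the JSON
printed by `gcloud projects get-iam-policy [PROJECT_ID] --format=json` (or
`gcloud organizations get-iam-policy`). SAMPLE_POLICY_JSON is constructed.
"""
from __future__ import annotations

import json
import re

# The one custom role each service account is supposed to hold (from this page).
EXPECTED_ROLE = {
    "velos-gcp-mgmt-sa": "velos_mgmt_role",
    "velos-gcp-ce-sa": "velos_ce_role",
    "velos-gcp-worker-sa": "velos_worker_role",
}
# Basic roles are never acceptable on an automation service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Custom roles appear as projects/PROJECT_ID/roles/ID or organizations/NUMBER/roles/ID.
CUSTOM_ROLE_RE = re.compile(
    r"^(?:projects/[a-z][a-z0-9-]{4,28}[a-z0-9]|organizations/\d+)/roles/([A-Za-z0-9_.]{3,64})$"
)


def velos_sa(member: str) -> str | None:
    """Return the short name if `member` is one of the Velostrata SAs, else None."""
    m = re.match(r"^serviceAccount:([^@]+)@[^.]+\.iam\.gserviceaccount\.com$", member)
    name = m.group(1) if m else None
    return name if name in EXPECTED_ROLE else None


def audit_policy(policy: dict) -> list[str]:
    """Return findings for the Velostrata SAs; an empty list means the layout matches."""
    findings: list[str] = []
    satisfied = {name: False for name in EXPECTED_ROLE}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        custom = CUSTOM_ROLE_RE.match(role)
        for member in binding.get("members", []):
            name = velos_sa(member)
            if name is None:
                continue  # users, groups and other SAs are out of scope here
            if role in BASIC_ROLES:
                findings.append(f"{name}: basic role {role} granted")
            elif custom is None:
                findings.append(f"{name}: unexpected role {role}")
            elif custom.group(1) != EXPECTED_ROLE[name]:
                findings.append(f"{name}: unexpected custom role {role}")
            else:
                satisfied[name] = True
    for name, ok in satisfied.items():
        if not ok:
            findings.append(f"{name}: expected custom role {EXPECTED_ROLE[name]} is not bound")
    return findings


def audit_policy_json(text: str) -> list[str]:
    return audit_policy(json.loads(text))


# Constructed sample in the shape of a get-iam-policy export; IDs are placeholders.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "projects/example-host-proj/roles/velos_mgmt_role",
     "members": ["serviceAccount:velos-gcp-mgmt-sa@example-host-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:velos-gcp-ce-sa@example-host-proj.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "organizations/123456789012/roles/velos_worker_role",
     "members": ["serviceAccount:velos-gcp-worker-sa@example-host-proj.iam.gserviceaccount.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:velos-gcp-worker-sa@example-host-proj.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ=",
  "version": 1
}
"""

if __name__ == "__main__":
    for finding in audit_policy_json(SAMPLE_POLICY_JSON):
        print(finding)
```

In the multi-project layout, run the audit once per project that received a binding (host, CE and destination); a service account that legitimately has no role in a given project will show up as "not bound" there and can be ignored for that project.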