Creating GCP roles and service accounts manually

This topic describes how to set up the permissions for a manual Velostrata migration. The guidance here aims to help those who want to understand or control the permissions granted for the migration process and migrated workloads.

This page describes the role creation process for migrating to:

  • A single GCP project
  • Multiple GCP projects

Prerequisites

Two service accounts are required for Velostrata migrations. For more information on each of these service accounts and their associated roles, see Configuring GCP. For more information about gcloud commands and their parameters, see the Cloud SDK documentation.

  1. You must install the GCP SDK.
  2. Create a GCP project to host Velostrata infrastructure on GCP. We'll call this project the infrastructure project. Use this project wherever you see [PROJECT_ID].
  3. Enable the following APIs on your infrastructure project.
    gcloud services enable iam.googleapis.com --project [PROJECT_ID]
    gcloud services enable cloudresourcemanager.googleapis.com --project [PROJECT_ID]
    gcloud services enable compute.googleapis.com --project [PROJECT_ID]
    gcloud services enable storage-component.googleapis.com --project [PROJECT_ID]
    gcloud services enable logging.googleapis.com --project [PROJECT_ID]
    gcloud services enable monitoring.googleapis.com --project [PROJECT_ID]
    

To continue, select if you are migrating to a single project or multiple projects.

Single Project

Instructions for a single project

This section describes how to create the service accounts required for a single, standalone project, and assign the appropriate roles to those service accounts.

Creating roles

  1. Create the roles at the project level:

    1. Open a command prompt and run the following command. Replace the login parameter with your GCP account login information.
      gcloud auth login login@google.com --no-launch-browser --brief
      
    2. Download the Cloud Deployment Manager zip file.
    3. Unzip the file to a directory you can access when creating the roles.
    4. Open the manual directory within that zipfile.
      cd GcpDeploymentManager/manual
      
    5. Assign permissions to the roles:

      gcloud iam roles create "velos_manager" --project [PROJECT_ID] \
      --file velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
      gcloud iam roles create "velos_ce" --project [PROJECT_ID] \
      --file velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
      

Creating service accounts

  1. Create the velos-manager service account in GCP. Note: The [PROJECT_ID] is your infrastructure project.

    gcloud config set project [PROJECT_ID]
    gcloud iam service-accounts create "velos-manager" --display-name "velos-manager"

  2. Assign the velos_manager role to the velos-manager service account.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "projects/[PROJECT_ID]/roles/velos_manager" \
     --no-user-output-enabled --quiet
    
  3. Add additional required roles to the velos_manager role:

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountUser" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/logging.logWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/monitoring.metricWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/monitoring.viewer" \
     --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
    
    
  4. Create the velos-cloud-extension service account in GCP. Create this account in the project where you plan to deploy the Velostrata Cloud Extension (CE).

    gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
  5. Assign the velos_ce role to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "projects/[PROJECT_ID]/roles/velos_ce" \
    --no-user-output-enabled --quiet
    
  6. Assign additional required roles to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet

Multiple Projects

Instructions for multiple projects

This section describes how to create the roles required for migrations into multiple projects, and assign those roles to service accounts.

Creating roles

The following steps create roles for Velostrata on GCP.

  1. Create the Velostrata roles within GCP at the Organization level. Open a command prompt and run the following command, replacing the login parameter with an account that has organization-level administrator rights:
    gcloud auth login orgadmin@google.com --no-launch-browser --brief
    
  2. Download the Velostrata_Manager zip file, which contains the YAML files needed to create these roles.
  3. Unzip the file and save to a directory you can access when creating roles.
  4. Open the manual directory within that zipfile.
    cd GcpDeploymentManager/manual
    
  5. Assign permissions to the roles:

    gcloud iam roles create "velos_manager" --organization [ORGANIZATION_ID] \
     --file velos_gcp_org_mgmt_role.yaml --no-user-output-enabled --quiet
    gcloud iam roles create "velos_ce" --project [PROJECT_ID] \
     --file velos_gcp_org_ce_role.yaml --no-user-output-enabled --quiet
     

Creating service accounts and assigning roles to them

  1. Create the velos-manager service account in GCP. Although you can create the velos-manager service account in any of your projects, Velostrata 4.2 by Google recommends creating this service account in the host project to simplify configuration.

    gcloud config set project [PROJECT_ID]
    gcloud iam service-accounts create "velos-manager" \
    --display-name "velos-manager"
  2. Assign the velos_manager role to the velos-manager service account.

    gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
    --member serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "organizations/[ORGANIZATION_ID]/roles/velos_manager" \
    --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
    
  3. Add additional required roles to the velos_manager role:

    gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountUser" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/logging.logWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/monitoring.metricWriter" \
     --no-user-output-enabled --quiet
    
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
     serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
     --role "roles/monitoring.viewer" \
     --no-user-output-enabled --quiet
    
    gcloud iam service-accounts add-iam-policy-binding \
    "velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --member=serviceAccount:"velos-manager@[PROJECT_ID].iam.gserviceaccount.com" \
    --role=roles/iam.serviceAccountTokenCreator --project [PROJECT_ID]
    
    
  4. Create the velos-cloud-extension service account in GCP. Create this account in the project where you plan to deploy the Velostrata Cloud Extension (CE).

    gcloud iam service-accounts create "velos-cloud-extension" \
    --display-name "velos-cloud-extension"
  5. Assign the velos_ce role to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "projects/[PROJECT_ID]/roles/velos_ce" \
    --no-user-output-enabled --quiet
    
  6. Assign additional required roles to the velos-cloud-extension service account:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/logging.logWriter" \
    --no-user-output-enabled --quiet

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:"velos-cloud-extension@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/monitoring.metricWriter" \
    --no-user-output-enabled --quiet
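Once the bindings above are in place (for either the single-project or the multiple-project procedure), a practitioner will want to confirm that each service account ended up with exactly the documented role set and nothing more, since a stray roles/owner or roles/editor binding on a migration service account is a common over-privilege finding. The script below is an added example and is not part of the Velostrata documentation or tooling. It reads the flattened, tab-separated output of "gcloud projects get-iam-policy [PROJECT_ID] --flatten=bindings[].members --format=value(bindings.role,bindings.members)", compares the roles bound to each service account against the project-level roles this page grants, and reports missing and unexpected roles. The project ID "my-infra-project", the sample policy lines, and the roles/owner binding planted in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Velostrata documentation): audit the IAM bindings
# of the velos-manager and velos-cloud-extension service accounts against the
# project-level role set the manual procedure grants.
#
# Input is one "<role><TAB><member>" line per binding, as printed by
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#       --flatten="bindings[].members" \
#       --format="value(bindings.role,bindings.members)"
# The project ID below is an assumption made for the example.

PROJECT_ID="my-infra-project"

# Constructed sample of that gcloud output. It deliberately lacks
# roles/monitoring.viewer on velos-manager and carries an unexpected
# roles/owner binding, so the audit has something to report.
sample_policy() {
    m="serviceAccount:velos-manager@$PROJECT_ID.iam.gserviceaccount.com"
    c="serviceAccount:velos-cloud-extension@$PROJECT_ID.iam.gserviceaccount.com"
    printf '%s\t%s\n' \
        "projects/$PROJECT_ID/roles/velos_manager" "$m" \
        "roles/iam.serviceAccountUser"             "$m" \
        "roles/logging.logWriter"                  "$m" \
        "roles/monitoring.metricWriter"            "$m" \
        "roles/owner"                              "$m" \
        "projects/$PROJECT_ID/roles/velos_ce"      "$c" \
        "roles/logging.logWriter"                  "$c" \
        "roles/monitoring.metricWriter"            "$c" \
        "roles/owner"                              "user:admin@example.com"
}

# roles_of_member MEMBER < policy_lines
# Prints the roles bound to MEMBER (exact match on the member string), sorted.
roles_of_member() {
    awk -F '\t' -v m="$1" '$2 == m { print $1 }' | sort
}

# expected_roles NAME
# The project-level roles this page assigns to each service account.
expected_roles() {
    case "$1" in
        velos-manager)
            printf '%s\n' \
                "projects/$PROJECT_ID/roles/velos_manager" \
                "roles/iam.serviceAccountUser" \
                "roles/logging.logWriter" \
                "roles/monitoring.metricWriter" \
                "roles/monitoring.viewer" ;;
        velos-cloud-extension)
            printf '%s\n' \
                "projects/$PROJECT_ID/roles/velos_ce" \
                "roles/logging.logWriter" \
                "roles/monitoring.metricWriter" ;;
        *)
            echo "unknown service account: $1" >&2
            return 1 ;;
    esac
}

# audit_sa NAME < policy_lines
# Prints "MISSING <role>" for each expected role that is not bound and
# "UNEXPECTED <role>" for each bound role outside the documented set.
# Returns 0 only when the binding set matches exactly.
audit_sa() {
    sa="$1"
    member="serviceAccount:${sa}@${PROJECT_ID}.iam.gserviceaccount.com"
    actual=$(roles_of_member "$member")
    expected=$(expected_roles "$sa" | sort)
    status=0
    for r in $expected; do
        if ! printf '%s\n' "$actual" | grep -qxF "$r"; then
            echo "MISSING $r"; status=1
        fi
    done
    for r in $actual; do
        if ! printf '%s\n' "$expected" | grep -qxF "$r"; then
            echo "UNEXPECTED $r"; status=1
        fi
    done
    return $status
}

# Stand-alone run over the constructed sample. Against a live project, pipe
# the gcloud command from the header comment into audit_sa instead.
for sa in velos-manager velos-cloud-extension; do
    echo "== $sa"
    if sample_policy | audit_sa "$sa"; then
        echo "OK: bindings match the documented role set"
    else
        echo "FAIL: bindings differ from the documented role set"
    fi
done
```

The check is deliberately two-sided: a missing role explains why a migration step fails, while an unexpected role is the finding that matters for least privilege. The self-binding of roles/iam.serviceAccountTokenCreator on the velos-manager account lives in the service account's own policy (gcloud iam service-accounts get-iam-policy), not the project policy, so it is outside what this script reads.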
