迁移中心 IAM 角色和权限

如果您创建了要使用 Migration Center 的 Google Cloud 项目,则您已拥有激活 Migration Center 和管理产品中资源所需的所有权限。

当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色,以控制该成员可以在 Migration Center 中执行的操作。

本页介绍了您可能需要分配给项目成员的典型角色,以及执行各种操作所需的权限。

准备工作

角色和操作

您可以在 Migration Center 执行的操作主要分为三类:

按照最佳实践,请为项目的成员分配执行所需操作所需的最低权限的角色。

创建 Migration Center 其他角色

在为组织成员分配角色之前,请先创建一个自定义角色,以简化权限管理方式。请按照以下步骤操作:

  1. 在 Google Cloud 控制台中,前往 IAM 和管理 > 角色

    打开“角色”

  2. 点击  Create role

  3. 创建角色页面中,填写以下字段:

    • 标题:“Migration Center 附加角色”

    • 说明:“Migration Center 场景所需的其他角色”

  4. 点击  添加权限

  5. 在权限列表中,搜索并选择以下权限:

    • iam.serviceAccountKeys.list
    • iam.serviceAccounts.list
    • resourcemanager.projects.update
    • serviceusage.services.enable

    然后,如需添加权限,请点击添加

  6. 点击创建即可完成操作。

激活 Migration Center

您需要先在 Google Cloud 控制台中激活 Migration Center,然后才能使用它。此一次性操作包括启用 API 和选择用于存储资源的区域。

如需获得激活 Migration Center 所需的权限,请让您的管理员为您授予项目的以下 IAM 角色:

如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限

这些预定义角色包含激活 Migration Center 所需的权限。如需查看所需的确切权限,请展开所需权限部分:

所需权限

如需激活 Migration Center,您需要具备以下权限:

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • resourcemanager.projects.update
  • serviceusage.services.list
  • serviceusage.services.enable
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.list
  • resourcemanager.projects.update

您也可以使用自定义角色或其他预定义角色来获取这些权限。

管理 Migration Center 资源

管理 Migration Center 资源包括生成费用估算、创建资产识别客户端和移除资产等操作。

如需获得管理 Migration Center 资源所需的权限,请让管理员向您授予项目的以下 IAM 角色:

  • Migration Center Admin (migrationcenter.admin)
  • Migration Center 附加角色
  • Viewer (viewer)
  • Service Account Key Admin (iam.serviceAccountKeyAdmin)

如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限

这些预定义角色包含管理 Migration Center 资源所需的权限。如需查看所需的确切权限,请展开所需权限部分:

所需权限

如需管理 Migration Center 资源,您需要具备以下权限:

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • serviceusage.services.list
  • iam.serviceAccounts.list
  • iam.serviceAccountKeys.list

您也可以使用自定义角色或其他预定义角色来获取这些权限。

查看 Migration Center 资源

如需获得查看 Migration Center 资源所需的权限,请让管理员向您授予项目的以下 IAM 角色:

  • Migration Center Viewer (migrationcenter.viewer)
  • Viewer (viewer)
  • Rapid Migration Assessment Viewer (rma.viewer)

如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限

这些预定义角色包含查看 Migration Center 资源所需的权限。如需查看所需的确切权限,请展开所需权限部分:

所需权限

如需查看 Migration Center 资源,您需要具备以下权限:

  • migrationcenter.assets.get
  • migrationcenter.assets.list
  • migrationcenter.groups.get
  • migrationcenter.groups.list
  • migrationcenter.importJobs.get
  • migrationcenter.importJobs.list
  • migrationcenter.locations.*
  • migrationcenter.operations.get
  • migrationcenter.operations.list
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.annotations.get
  • rma.collectors.get
  • rma.collectors.list
  • rma.locations.*
  • rma.operations.get
  • rma.operations.list

您也可以使用自定义角色或其他预定义角色来获取这些权限。

角色与权限

下表列出了 Migration Center 中提供的角色和权限。

Migration Center 角色和权限

Role Permissions

(roles/migrationcenter.admin)

Full access to Migration Center all resources.

migrationcenter.*

  • migrationcenter.assets.delete
  • migrationcenter.assets.get
  • migrationcenter.assets.list
  • migrationcenter.assets.reportFrames
  • migrationcenter.assets.update
  • migrationcenter.assetsExportJobs.create
  • migrationcenter.assetsExportJobs.delete
  • migrationcenter.assetsExportJobs.get
  • migrationcenter.assetsExportJobs.list
  • migrationcenter.assetsExportJobs.run
  • migrationcenter.discoveryClients.create
  • migrationcenter.discoveryClients.delete
  • migrationcenter.discoveryClients.get
  • migrationcenter.discoveryClients.list
  • migrationcenter.discoveryClients.sendHeartbeat
  • migrationcenter.discoveryClients.update
  • migrationcenter.errorFrames.get
  • migrationcenter.errorFrames.list
  • migrationcenter.groups.create
  • migrationcenter.groups.delete
  • migrationcenter.groups.get
  • migrationcenter.groups.list
  • migrationcenter.groups.update
  • migrationcenter.importDataFiles.create
  • migrationcenter.importDataFiles.delete
  • migrationcenter.importDataFiles.get
  • migrationcenter.importDataFiles.list
  • migrationcenter.importJobs.create
  • migrationcenter.importJobs.delete
  • migrationcenter.importJobs.get
  • migrationcenter.importJobs.list
  • migrationcenter.importJobs.update
  • migrationcenter.locations.get
  • migrationcenter.locations.list
  • migrationcenter.operations.cancel
  • migrationcenter.operations.delete
  • migrationcenter.operations.get
  • migrationcenter.operations.list
  • migrationcenter.preferenceSets.create
  • migrationcenter.preferenceSets.delete
  • migrationcenter.preferenceSets.get
  • migrationcenter.preferenceSets.list
  • migrationcenter.preferenceSets.update
  • migrationcenter.relations.get
  • migrationcenter.relations.list
  • migrationcenter.reportConfigs.create
  • migrationcenter.reportConfigs.delete
  • migrationcenter.reportConfigs.get
  • migrationcenter.reportConfigs.list
  • migrationcenter.reports.create
  • migrationcenter.reports.delete
  • migrationcenter.reports.get
  • migrationcenter.reports.list
  • migrationcenter.settings.get
  • migrationcenter.settings.update
  • migrationcenter.sources.create
  • migrationcenter.sources.delete
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • migrationcenter.sources.update

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

  • rma.annotations.create
  • rma.annotations.get
  • rma.collectors.create
  • rma.collectors.delete
  • rma.collectors.get
  • rma.collectors.list
  • rma.collectors.update
  • rma.locations.get
  • rma.locations.list
  • rma.operations.cancel
  • rma.operations.delete
  • rma.operations.get
  • rma.operations.list

serviceusage.quotas.get

(roles/migrationcenter.viewer)

Read-only access to Migration Center all resources.

migrationcenter.assets.get

migrationcenter.assets.list

migrationcenter.assetsExportJobs.get

migrationcenter.assetsExportJobs.list

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.*

  • migrationcenter.errorFrames.get
  • migrationcenter.errorFrames.list

migrationcenter.groups.get

migrationcenter.groups.list

migrationcenter.importDataFiles.get

migrationcenter.importDataFiles.list

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.locations.*

  • migrationcenter.locations.get
  • migrationcenter.locations.list

migrationcenter.operations.get

migrationcenter.operations.list

migrationcenter.preferenceSets.get

migrationcenter.preferenceSets.list

migrationcenter.relations.*

  • migrationcenter.relations.get
  • migrationcenter.relations.list

migrationcenter.reportConfigs.get

migrationcenter.reportConfigs.list

migrationcenter.reports.get

migrationcenter.reports.list

migrationcenter.settings.get

migrationcenter.sources.get

migrationcenter.sources.list

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

serviceusage.quotas.get

(roles/migrationcenter.discoveryClient)

Migration Center Discover Client role

migrationcenter.assets.reportFrames

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.sendHeartbeat

(roles/migrationcenter.discoveryClientRegistrator)

Registrator of Migration Center Discover Clients

migrationcenter.discoveryClients.create

migrationcenter.discoveryClients.delete

migrationcenter.discoveryClients.update

migrationcenter.operations.get

migrationcenter.sources.create

migrationcenter.sources.delete

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/migrationcenter.serviceAgent)

Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.

storage.objects.get

vmmigration.migratingVms.create

Rapid Migration Assessment 角色和权限

Role Permissions

(roles/rma.admin)

Full access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

  • rma.annotations.create
  • rma.annotations.get
  • rma.collectors.create
  • rma.collectors.delete
  • rma.collectors.get
  • rma.collectors.list
  • rma.collectors.update
  • rma.locations.get
  • rma.locations.list
  • rma.operations.cancel
  • rma.operations.delete
  • rma.operations.get
  • rma.operations.list

(roles/rma.viewer)

Read-only access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

(roles/rma.runner)

Update and Read access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.collectors.update

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/rapidmigrationassessment.serviceAgent)

Gives RMA service account access to MC resources.

autoscaling.sites.writeMetrics

cloudasset.assets.exportResource

cloudasset.feeds.create

logging.logEntries.create

migrationcenter.assets.list

migrationcenter.assets.reportFrames

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.sources.*

  • migrationcenter.sources.create
  • migrationcenter.sources.delete
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • migrationcenter.sources.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.list

monitoring.timeSeries.create

resourcemanager.projects.get