To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Database Migration Service and your relevant destination database product. This lets you control access to Database Migration Service-related resources specifically, instead of granting users the Viewer, Editor, or Owner role on the entire Google Cloud project.
This page details all of the roles that user and service accounts need during a heterogeneous Cloud SQL migration with Database Migration Service. For more information about when you use these permissions during the migration process, see Migrate your Oracle databases to Cloud SQL for PostgreSQL.
Accounts involved in performing migration jobs
There are two accounts involved in data migrations performed with Database Migration Service:
- User account that performs the migration
  This is the Google Account that you sign in with to create the connection profiles, upload the backup files to Cloud Storage, and create and run the migration job.
- Database Migration Service service account
  This is the service account that is created for you when you enable the Database Migration Service API. The email address associated with this account is generated automatically and can't be changed. This email address uses the following format:
  service-PROJECT_NUMBER@datamigration.iam.gserviceaccount.com
Each account involved in the data migration process requires a different set of roles and permissions.
Permissions and roles
To get the permissions that you need to perform heterogeneous Oracle migrations with Database Migration Service, ask your administrator to grant you the required IAM roles on your project:
- Database Migration Admin (roles/datamigration.admin)
- Cloud SQL Admin (roles/cloudsql.admin)
For more information about granting roles, see Manage access in the Identity and Access Management documentation.
These predefined roles contain the permissions required to perform heterogeneous Oracle migrations with Database Migration Service. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to perform heterogeneous Oracle migrations with Database Migration Service:
datamigration.*
cloudsql.instances.create
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.update
cloudsql.instances.delete
cloudsql.operations.get
cloudsql.users.list
cloudsql.users.get
cloudsql.users.create
cloudsql.users.update
cloudsql.users.delete
You might also be able to get these permissions with custom roles or other predefined roles.
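To check an existing project against the roles listed on this page, the following added example (not part of the original documentation) audits an IAM policy exported as JSON. It reports which of the two required roles a principal is missing, which are held only through a conditional binding, and who holds a project-wide basic role. The policy and the principal names are constructed sample data.

```python
import json

# Roles this page asks an administrator to grant to the migrating user.
REQUIRED_ROLES = {"roles/datamigration.admin", "roles/cloudsql.admin"}
# Project-wide basic roles (Viewer, Editor, Owner) that the page contrasts these with.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/datamigration.admin",
     "members": ["user:migrator@example.com"]},
    {"role": "roles/cloudsql.admin",
     "members": ["user:migrator@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor",
     "members": ["user:migrator@example.com", "user:dev@example.com"]}
  ]
}
""")

def audit_member(policy, member):
    """Return (missing, conditional, basic) role sets for one principal."""
    granted, conditional, basic = set(), set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role in BASIC_ROLES:
            basic.add(role)
        elif role in REQUIRED_ROLES:
            # A conditional binding grants the role only while its condition holds.
            (conditional if binding.get("condition") else granted).add(role)
    conditional -= granted  # an unconditional grant of the same role wins
    return REQUIRED_ROLES - granted - conditional, conditional, basic

def basic_role_holders(policy):
    """Map each basic role in the policy to the set of principals holding it."""
    holders = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            holders.setdefault(binding["role"], set()).update(binding.get("members", []))
    return holders

print(audit_member(SAMPLE_POLICY, "user:migrator@example.com"))
```

A principal that shows up with both the required roles and a basic role is a candidate for having the basic role removed, and a required role that appears only in the conditional set stops applying once its condition no longer holds.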