Access control with IAM

To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Database Migration Service and your relevant destination database product. You can control access to Database Migration Service-related resources, as opposed to granting users the Viewer, Editor, or Owner role to the entire Google Cloud project.

This page details all of the roles that user and service accounts need during a heterogeneous Cloud SQL migration with Database Migration Service. For more information about when you use these permissions during the migration process, see Migrate your Oracle databases to Cloud SQL for PostgreSQL.

Accounts involved in performing migration jobs

There are two accounts involved in data migrations performed with Database Migration Service:

User account that performs the migration
This is the Google Account that you sign in with to create the connection profiles, upload the backup files to Cloud Storage, and create and run the migration job.
Database Migration Service service account
This is the service account that is created for you when you enable the Database Migration Service API. The email address associated with this account is generated automatically and can't be changed. This email address uses the following format:
service-PROJECT_NUMBER@datamigration.iam.gserviceaccount.com

Each account involved in the data migration process requires a different set of roles and permissions.

Permissions and roles

To get the permissions that you need to perform heterogeneous Oracle migrations with Database Migration Service, ask your administrator to grant you the required IAM roles on your project:

For more information about granting roles, see Manage access in the Identity and Access Management documentation.

These predefined roles contain the permissions required to perform heterogeneous Oracle migrations with Database Migration Service. The exact permissions that are required are listed in the Required permissions section:

Required permissions

The following permissions are required to perform heterogeneous Oracle migrations with Database Migration Service:

  • datamigration.*
  • cloudsql.instances.create
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.update
  • cloudsql.instances.delete
  • cloudsql.operations.get
  • cloudsql.users.list
  • cloudsql.users.get
  • cloudsql.users.create
  • cloudsql.users.update
  • cloudsql.users.delete

You might also be able to get these permissions with custom roles or other predefined roles.
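Added example, not code from the Database Migration Service documentation: a small Python audit that expands the datamigration.* wildcard against a permission catalogue and reports which of the permissions listed above a principal still lacks, and which it holds beyond that list (candidates for trimming when building a custom role). The catalogue and the granted set are constructed samples; in practice the catalogue would come from `gcloud iam list-testable-permissions` and the granted set from the projects.testIamPermissions API or the custom role definition.

```python
from fnmatch import fnmatchcase

# Permissions this page lists as required for a heterogeneous Oracle migration.
REQUIRED = [
    "datamigration.*",
    "cloudsql.instances.create",
    "cloudsql.instances.get",
    "cloudsql.instances.list",
    "cloudsql.instances.update",
    "cloudsql.instances.delete",
    "cloudsql.operations.get",
    "cloudsql.users.list",
    "cloudsql.users.get",
    "cloudsql.users.create",
    "cloudsql.users.update",
    "cloudsql.users.delete",
]

# CONSTRUCTED sample catalogue standing in for the testable-permissions list
# of the project; the datamigration entries are illustrative names only.
SAMPLE_CATALOG = [
    "datamigration.connectionProfiles.create",
    "datamigration.migrationJobs.create",
    "datamigration.migrationJobs.get",
    "cloudsql.instances.export",  # exists in the catalogue, not required here
]


def expand(required, catalog):
    """Expand wildcard entries such as datamigration.* against the catalogue.

    A wildcard that matches nothing is an error: the audit would otherwise
    silently report the whole service as satisfied.
    """
    out = set()
    for perm in required:
        if "*" in perm:
            matches = {c for c in catalog if fnmatchcase(c, perm)}
            if not matches:
                raise ValueError(f"wildcard {perm} matches nothing in catalogue")
            out |= matches
        else:
            out.add(perm)
    return out


def audit(granted, required=REQUIRED, catalog=SAMPLE_CATALOG):
    """Return (missing, excess): required permissions the principal lacks,
    and granted permissions outside the required set."""
    need = expand(required, catalog)
    have = set(granted)
    return sorted(need - have), sorted(have - need)
```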