Database Migration Service roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Database Migration Service. To search through all roles and permissions, see the role and permission index.

Database Migration Service roles

Role Permissions

Role	Permissions
Database Migration Admin (`roles/datamigration.admin`) Full access to all resources of Database Migration.	`cloudaicompanion.entitlements.get` `datamigration.*` `datamigration.connectionprofiles.create` `datamigration.connectionprofiles.delete` `datamigration.connectionprofiles.get` `datamigration.connectionprofiles.getIamPolicy` `datamigration.connectionprofiles.list` `datamigration.connectionprofiles.setIamPolicy` `datamigration.connectionprofiles.update` `datamigration.conversionworkspaces.apply` `datamigration.conversionworkspaces.commit` `datamigration.conversionworkspaces.convert` `datamigration.conversionworkspaces.create` `datamigration.conversionworkspaces.delete` `datamigration.conversionworkspaces.get` `datamigration.conversionworkspaces.getIamPolicy` `datamigration.conversionworkspaces.list` `datamigration.conversionworkspaces.rollback` `datamigration.conversionworkspaces.seed` `datamigration.conversionworkspaces.setIamPolicy` `datamigration.conversionworkspaces.update` `datamigration.locations.fetchStaticIps` `datamigration.locations.get` `datamigration.locations.list` `datamigration.mappingrules.getIamPolicy` `datamigration.mappingrules.import` `datamigration.mappingrules.setIamPolicy` `datamigration.migrationjobs.create` `datamigration.migrationjobs.delete` `datamigration.migrationjobs.demoteDestination` `datamigration.migrationjobs.fetchSourceObjects` `datamigration.migrationjobs.generateSshScript` `datamigration.migrationjobs.generateTcpProxyScript` `datamigration.migrationjobs.get` `datamigration.migrationjobs.getIamPolicy` `datamigration.migrationjobs.list` `datamigration.migrationjobs.promote` `datamigration.migrationjobs.restart` `datamigration.migrationjobs.resume` `datamigration.migrationjobs.setIamPolicy` `datamigration.migrationjobs.start` `datamigration.migrationjobs.stop` `datamigration.migrationjobs.update` `datamigration.migrationjobs.verify` `datamigration.objects.get` `datamigration.objects.list` `datamigration.operations.cancel` `datamigration.operations.delete` `datamigration.operations.get` `datamigration.operations.list` `datamigration.privateconnections.create` `datamigration.privateconnections.delete` `datamigration.privateconnections.get` `datamigration.privateconnections.getIamPolicy` `datamigration.privateconnections.list` `datamigration.privateconnections.setIamPolicy` `resourcemanager.projects.get` `resourcemanager.projects.list`
Database Migration Service Agent (`roles/datamigration.serviceAgent`) Gives Cloud Database Migration service account access to Cloud SQL resources. Warning: Do not grant service agent roles to any principals except service agents.	`alloydb.clusters.create` `alloydb.clusters.delete` `alloydb.clusters.generateClientCertificate` `alloydb.clusters.get` `alloydb.clusters.list` `alloydb.clusters.update` `alloydb.instances.connect` `alloydb.instances.create` `alloydb.instances.delete` `alloydb.instances.get` `alloydb.instances.list` `alloydb.instances.update` `alloydb.operations.get` `alloydb.operations.list` `cloudsql.databases.delete` `cloudsql.databases.get` `cloudsql.databases.list` `cloudsql.instances.connect` `cloudsql.instances.create` `cloudsql.instances.delete` `cloudsql.instances.demoteMaster` `cloudsql.instances.executeSql` `cloudsql.instances.export` `cloudsql.instances.get` `cloudsql.instances.import` `cloudsql.instances.list` `cloudsql.instances.migrate` `cloudsql.instances.promoteReplica` `cloudsql.instances.restart` `cloudsql.instances.startReplica` `cloudsql.instances.stopReplica` `cloudsql.instances.update` `compute.forwardingRules.use` `compute.globalAddresses.create` `compute.globalAddresses.createInternal` `compute.globalAddresses.delete` `compute.globalAddresses.deleteInternal` `compute.globalAddresses.get` `compute.globalOperations.get` `compute.networkAttachments.get` `compute.networkAttachments.list` `compute.networks.addPeering` `compute.networks.get` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.networks.removePeering` `compute.networks.use` `compute.regionOperations.get` `compute.regionOperations.list` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.serviceAttachments.get` `compute.serviceAttachments.list` `compute.serviceAttachments.update` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `networkmanagement.connectivitytests.list` `serviceusage.services.use` `storage.folders.delete` `storage.objects.get` `storage.objects.list`

Database Migration Admin

(roles/datamigration.admin)

Full access to all resources of Database Migration.

cloudaicompanion.entitlements.get

datamigration.*

datamigration.connectionprofiles.create
datamigration.connectionprofiles.delete
datamigration.connectionprofiles.get
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.connectionprofiles.update
datamigration.conversionworkspaces.apply
datamigration.conversionworkspaces.commit
datamigration.conversionworkspaces.convert
datamigration.conversionworkspaces.create
datamigration.conversionworkspaces.delete
datamigration.conversionworkspaces.get
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.conversionworkspaces.rollback
datamigration.conversionworkspaces.seed
datamigration.conversionworkspaces.setIamPolicy
datamigration.conversionworkspaces.update
datamigration.locations.fetchStaticIps
datamigration.locations.get
datamigration.locations.list
datamigration.mappingrules.getIamPolicy
datamigration.mappingrules.import
datamigration.mappingrules.setIamPolicy
datamigration.migrationjobs.create
datamigration.migrationjobs.delete
datamigration.migrationjobs.demoteDestination
datamigration.migrationjobs.fetchSourceObjects
datamigration.migrationjobs.generateSshScript
datamigration.migrationjobs.generateTcpProxyScript
datamigration.migrationjobs.get
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.promote
datamigration.migrationjobs.restart
datamigration.migrationjobs.resume
datamigration.migrationjobs.setIamPolicy
datamigration.migrationjobs.start
datamigration.migrationjobs.stop
datamigration.migrationjobs.update
datamigration.migrationjobs.verify
datamigration.objects.get
datamigration.objects.list
datamigration.operations.cancel
datamigration.operations.delete
datamigration.operations.get
datamigration.operations.list
datamigration.privateconnections.create
datamigration.privateconnections.delete
datamigration.privateconnections.get
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

Database Migration Service Agent

(roles/datamigration.serviceAgent)

Gives Cloud Database Migration service account access to Cloud SQL resources.

alloydb.clusters.create

alloydb.clusters.delete

alloydb.clusters.generateClientCertificate

alloydb.clusters.get

alloydb.clusters.list

alloydb.clusters.update

alloydb.instances.connect

alloydb.instances.create

alloydb.instances.delete

alloydb.instances.get

alloydb.instances.list

alloydb.instances.update

alloydb.operations.get

alloydb.operations.list

cloudsql.databases.delete

cloudsql.databases.get

cloudsql.databases.list

cloudsql.instances.connect

cloudsql.instances.create

cloudsql.instances.delete

cloudsql.instances.demoteMaster

cloudsql.instances.executeSql

cloudsql.instances.export

cloudsql.instances.get

cloudsql.instances.import

cloudsql.instances.list

cloudsql.instances.migrate

cloudsql.instances.promoteReplica

cloudsql.instances.restart

cloudsql.instances.startReplica

cloudsql.instances.stopReplica

cloudsql.instances.update

compute.forwardingRules.use

compute.globalAddresses.create

compute.globalAddresses.createInternal

compute.globalAddresses.delete

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalOperations.get

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.use

compute.regionOperations.get

compute.regionOperations.list

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.serviceAttachments.update

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

networkmanagement.connectivitytests.list

serviceusage.services.use

storage.folders.delete

storage.objects.get

storage.objects.list

Database Migration Service permissions

Permission	Included in roles
`datamigration.connectionprofiles.create`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.connectionprofiles.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.connectionprofiles.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.connectionprofiles.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.connectionprofiles.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.connectionprofiles.setIamPolicy`	Owner (`roles/owner`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`)
`datamigration.connectionprofiles.update`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.apply`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.commit`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.convert`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.create`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.conversionworkspaces.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.conversionworkspaces.rollback`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.seed`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.conversionworkspaces.setIamPolicy`	Owner (`roles/owner`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`)
`datamigration.conversionworkspaces.update`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.locations.fetchStaticIps`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.mappingrules.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.mappingrules.import`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.mappingrules.setIamPolicy`	Owner (`roles/owner`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`)
`datamigration.migrationjobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.demoteDestination`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.fetchSourceObjects`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.generateSshScript`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.generateTcpProxyScript`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.migrationjobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.migrationjobs.promote`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.restart`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.resume`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.setIamPolicy`	Owner (`roles/owner`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`)
`datamigration.migrationjobs.start`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.stop`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.migrationjobs.verify`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.objects.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.objects.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.privateconnections.create`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.privateconnections.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.privateconnections.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`)
`datamigration.privateconnections.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.privateconnections.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`datamigration.privateconnections.setIamPolicy`	Owner (`roles/owner`) Database Migration Admin (`roles/datamigration.admin`) Security Admin (`roles/iam.securityAdmin`)

Database Migration Service roles and permissions Stay organized with collections Save and categorize content based on your preferences.