迁移中心 IAM 角色和权限
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
如果您创建了要使用迁移中心的 Google Cloud 项目,则已经拥有启用迁移中心和管理该产品中资源所需的所有权限。
向项目添加新成员时,您可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色,以控制该成员可以在迁移中心执行的操作。
本页介绍了您可能希望为项目成员分配的典型角色,以及执行各种操作所需的权限。
准备工作
角色和操作
您可以在迁移中心执行三类主要操作:
最佳实践是,为项目成员分配的角色应具有执行所需操作所需的最低权限。
创建 Migration Center 附加角色
在向组织成员分配角色之前,请先创建一个自定义角色,以简化权限管理方式。请按照以下步骤操作:
在 Google Cloud 控制台中,依次前往 IAM 和管理 > 角色。
打开“角色”
点击add 创建角色
在创建角色页面中,填写以下字段:
标题:“迁移中心附加角色”
说明:“迁移中心场景所需的其他角色”
点击 add 添加权限。
在权限列表中,搜索并选择以下权限:
iam.serviceAccountKeys.listiam.serviceAccounts.listresourcemanager.projects.updateserviceusage.services.enable
然后,点击添加以添加权限。
点击创建以完成操作。
激活迁移中心
您需要先在控制台中启用迁移中心 Google Cloud ,然后才能使用该工具。此一次性操作包括启用 API 和选择存储资源的区域。
如需获得启用迁移中心所需的权限,请让您的管理员向您授予项目的以下 IAM 角色:
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
这些预定义角色包含启用迁移中心所需的权限。如需查看所需的确切权限,请展开所需权限部分:
所需权限
如需启用迁移中心,您需要具备以下权限:
-
migrationcenter.*
-
resourcemanager.projects.get
-
resourcemanager.projects.list
-
rma.*
-
resourcemanager.projects.update
-
serviceusage.services.list
-
serviceusage.services.enable
-
iam.serviceAccountKeys.list
-
iam.serviceAccounts.list
-
resourcemanager.projects.update
您也可以使用自定义角色或其他预定义角色来获取这些权限。
管理迁移中心资源
管理 Migration Center 资源包括生成预估费用、创建发现客户端和移除资产等操作。
如需获得管理 Migration Center 资源所需的权限,请让管理员向您授予项目的以下 IAM 角色:
-
Migration Center Admin (
migrationcenter.admin)
-
Migration Center 附加角色
-
Viewer (
viewer)
-
Service Account Key Admin (
iam.serviceAccountKeyAdmin)
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
这些预定义角色包含管理 Migration Center 资源所需的权限。如需查看所需的确切权限,请展开所需权限部分:
所需权限
管理迁移中心资源需要以下权限:
-
migrationcenter.*
-
resourcemanager.projects.get
-
resourcemanager.projects.list
-
rma.*
-
serviceusage.services.list
-
iam.serviceAccounts.list
-
iam.serviceAccountKeys.list
您也可以使用自定义角色或其他预定义角色来获取这些权限。
查看 Migration Center 资源
如需获得查看迁移中心资源所需的权限,请让管理员向您授予项目的以下 IAM 角色:
-
Migration Center Viewer (
migrationcenter.viewer)
-
Viewer (
viewer)
-
Rapid Migration Assessment Viewer (
rma.viewer)
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
这些预定义角色包含查看迁移中心资源所需的权限。如需查看所需的确切权限,请展开所需权限部分:
所需权限
如需查看迁移中心资源,您需要具备以下权限:
-
migrationcenter.assets.get
-
migrationcenter.assets.list
-
migrationcenter.groups.get
-
migrationcenter.groups.list
-
migrationcenter.importJobs.get
-
migrationcenter.importJobs.list
-
migrationcenter.locations.*
-
migrationcenter.operations.get
-
migrationcenter.operations.list
-
migrationcenter.sources.get
-
migrationcenter.sources.list
-
resourcemanager.projects.get
-
resourcemanager.projects.list
-
serviceusage.services.list
-
resourcemanager.projects.get
-
resourcemanager.projects.list
-
rma.annotations.get
-
rma.collectors.get
-
rma.collectors.list
-
rma.locations.*
-
rma.operations.get
-
rma.operations.list
您也可以使用自定义角色或其他预定义角色来获取这些权限。
角色与权限
下表显示了迁移中心中提供的角色和权限。
迁移中心角色和权限
| Role |
Permissions |
Migration Center Admin
Beta
(roles/migrationcenter.admin)
Full access to Migration Center all resources.
|
migrationcenter.*
migrationcenter.assets.createmigrationcenter.assets.deletemigrationcenter.assets.getmigrationcenter.assets.listmigrationcenter.assets.reportFramesmigrationcenter.assets.updatemigrationcenter.assetsExportJobs.createmigrationcenter.assetsExportJobs.deletemigrationcenter.assetsExportJobs.getmigrationcenter.assetsExportJobs.listmigrationcenter.assetsExportJobs.runmigrationcenter.discoveryClients.createmigrationcenter.discoveryClients.deletemigrationcenter.discoveryClients.getmigrationcenter.discoveryClients.listmigrationcenter.discoveryClients.sendHeartbeatmigrationcenter.discoveryClients.updatemigrationcenter.errorFrames.getmigrationcenter.errorFrames.listmigrationcenter.groups.createmigrationcenter.groups.deletemigrationcenter.groups.getmigrationcenter.groups.listmigrationcenter.groups.updatemigrationcenter.importDataFiles.createmigrationcenter.importDataFiles.deletemigrationcenter.importDataFiles.getmigrationcenter.importDataFiles.listmigrationcenter.importJobs.createmigrationcenter.importJobs.deletemigrationcenter.importJobs.getmigrationcenter.importJobs.listmigrationcenter.importJobs.updatemigrationcenter.locations.getmigrationcenter.locations.listmigrationcenter.operations.cancelmigrationcenter.operations.deletemigrationcenter.operations.getmigrationcenter.operations.listmigrationcenter.preferenceSets.createmigrationcenter.preferenceSets.deletemigrationcenter.preferenceSets.getmigrationcenter.preferenceSets.listmigrationcenter.preferenceSets.updatemigrationcenter.relations.getmigrationcenter.relations.listmigrationcenter.reportConfigs.createmigrationcenter.reportConfigs.deletemigrationcenter.reportConfigs.getmigrationcenter.reportConfigs.listmigrationcenter.reports.createmigrationcenter.reports.deletemigrationcenter.reports.getmigrationcenter.reports.listmigrationcenter.settings.getmigrationcenter.settings.updatemigrationcenter.sources.createmigrationcenter.sources.deletemigrationcenter.sources.getmigrationcenter.sources.listmigrationcenter.sources.update
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
rma.annotations.createrma.annotations.getrma.collectors.createrma.collectors.deleterma.collectors.getrma.collectors.listrma.collectors.updaterma.locations.getrma.locations.listrma.operations.cancelrma.operations.deleterma.operations.getrma.operations.list
serviceusage.quotas.get
|
Migration Center Discovery Client
Beta
(roles/migrationcenter.discoveryClient)
Migration Center Discover Client role
|
migrationcenter.assets.reportFrames
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.sendHeartbeat
|
Migration Center Discovery Client Registrator
Beta
(roles/migrationcenter.discoveryClientRegistrator)
Registrator of Migration Center Discover Clients
|
migrationcenter.discoveryClients.create
migrationcenter.discoveryClients.delete
migrationcenter.discoveryClients.update
migrationcenter.operations.get
migrationcenter.sources.create
migrationcenter.sources.delete
resourcemanager.projects.get
resourcemanager.projects.list
|
Migration Center Service Agent
(roles/migrationcenter.serviceAgent)
Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.
|
storage.objects.get
vmmigration.migratingVms.create
|
Migration Center Viewer
Beta
(roles/migrationcenter.viewer)
Read-only access to Migration Center all resources.
|
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.assetsExportJobs.get
migrationcenter.assetsExportJobs.list
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.list
migrationcenter.errorFrames.*
migrationcenter.errorFrames.getmigrationcenter.errorFrames.list
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.locations.*
migrationcenter.locations.getmigrationcenter.locations.list
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.relations.*
migrationcenter.relations.getmigrationcenter.relations.list
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.sources.get
migrationcenter.sources.list
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.locations.getrma.locations.list
rma.operations.get
rma.operations.list
serviceusage.quotas.get
|
Rapid Migration Assessment 角色和权限
| Role |
Permissions |
RMA Service Agent
(roles/rapidmigrationassessment.serviceAgent)
Gives RMA service account access to MC resources.
|
autoscaling.sites.writeMetrics
cloudasset.assets.exportResource
cloudasset.feeds.create
logging.logEntries.create
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.sources.*
migrationcenter.sources.createmigrationcenter.sources.deletemigrationcenter.sources.getmigrationcenter.sources.listmigrationcenter.sources.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.list
monitoring.timeSeries.create
resourcemanager.projects.get
|
Rapid Migration Assessment Admin
(roles/rma.admin)
Full access to Rapid Migration Assessment all resources.
|
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
rma.annotations.createrma.annotations.getrma.collectors.createrma.collectors.deleterma.collectors.getrma.collectors.listrma.collectors.updaterma.locations.getrma.locations.listrma.operations.cancelrma.operations.deleterma.operations.getrma.operations.list
|
Rapid Migration Assessment Runner
(roles/rma.runner)
Update and Read access to Rapid Migration Assessment all resources.
|
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.*
rma.locations.getrma.locations.list
rma.operations.get
rma.operations.list
|
Rapid Migration Assessment Viewer
(roles/rma.viewer)
Read-only access to Rapid Migration Assessment all resources.
|
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.locations.getrma.locations.list
rma.operations.get
rma.operations.list
|
