To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Database Migration Service and your relevant destination database product. This lets you control access to Database Migration Service-related resources, as opposed to granting users the Viewer, Editor, or Owner role on the entire Google Cloud project.
This page details all of the roles that user and service accounts need during a homogeneous Cloud SQL migration with Database Migration Service. For more information about when you use these permissions during the migration process, see Migrate your SQL Server databases to Cloud SQL for SQL Server.
Accounts involved in performing migration jobs
There are three accounts involved in data migrations performed with Database Migration Service:
- User account that performs the migration
- This is the Google Account that you sign in with to create the connection profiles, upload the backup files to the Cloud Storage bucket, and create and run the migration job.
- Database Migration Service service account
- This is the service account that is created for you when you enable the Database Migration Service API. The email address associated with this account is generated automatically and can't be changed. This email address uses the following format: service-PROJECT_NUMBER@datamigration.iam.gserviceaccount.com
- Cloud SQL instance service account
- This is a service account assigned specifically to your destination Cloud SQL for SQL Server instance. It is created after you create the destination instance. You can view the email address associated with this service account on the Cloud SQL instance detail page. See View instance information in the Cloud SQL for SQL Server documentation.
Each account involved in the data migration process requires a different set of roles and permissions.
Permissions and roles
To get the permissions that you need to perform homogeneous SQL Server migrations with Database Migration Service, ask your administrator to grant the required IAM roles on your project for the following accounts:
- User account that performs the migration:
  - Database Migration Admin (roles/datamigration.admin)
  - Storage Admin (roles/storage.admin)
  - Cloud SQL Editor (roles/cloudsql.editor)
- Database Migration Service service account:
  - Database Migration Admin (roles/datamigration.admin)
  - Storage Admin (roles/storage.admin)
  - Cloud SQL Editor (roles/cloudsql.editor)
  - Cloud SQL Studio User (roles/cloudsql.studioUser)
- Cloud SQL instance service account:
  - Storage Object Viewer (roles/storage.objectViewer)
For more information about granting roles, see Manage access.
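The following script is an added example and is not part of the Google Cloud documentation. It grants the roles listed above to the three accounts with the gcloud CLI: it derives the Database Migration Service service account from the project number using the address format this page documents, reads the Cloud SQL instance service account from the instance's serviceAccountEmailAddress field, and binds each role at project level. It assumes an authenticated gcloud CLI; PROJECT_ID, USER_EMAIL and INSTANCE_NAME are placeholders you supply, and the function names and the DRY_RUN switch are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: grant the roles
# this page lists to the three accounts involved in a homogeneous Cloud SQL for
# SQL Server migration. Assumes an authenticated gcloud CLI; PROJECT_ID,
# USER_EMAIL and INSTANCE_NAME are placeholders supplied on the command line.
set -eu

# Derive the Database Migration Service service account from the project
# number, using the address format documented on this page.
dms_service_account() {
  project_number=$(gcloud projects describe "$1" --format='value(projectNumber)')
  printf 'service-%s@datamigration.iam.gserviceaccount.com\n' "$project_number"
}

# The Cloud SQL instance service account is created with the destination
# instance; read it from the instance resource rather than copying it by hand.
cloudsql_service_account() {
  gcloud sql instances describe "$2" --project="$1" \
    --format='value(serviceAccountEmailAddress)'
}

# Add one project-level binding. With DRY_RUN=1 the command is only printed,
# which lets you review every grant before any policy is changed.
bind_role() {
  project_id=$1 member=$2 role=$3
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$project_id" "$member" "$role"
  else
    gcloud projects add-iam-policy-binding "$project_id" \
      --member="$member" --role="$role" >/dev/null
    printf 'granted %s to %s\n' "$role" "$member"
  fi
}

grant_migration_roles() {
  project_id=$1 user_email=$2 instance=$3
  user="user:$user_email"
  dms_sa="serviceAccount:$(dms_service_account "$project_id")"
  sql_sa="serviceAccount:$(cloudsql_service_account "$project_id" "$instance")"

  # User account that performs the migration
  for role in roles/datamigration.admin roles/storage.admin roles/cloudsql.editor; do
    bind_role "$project_id" "$user" "$role"
  done
  # Database Migration Service service account
  for role in roles/datamigration.admin roles/storage.admin \
              roles/cloudsql.editor roles/cloudsql.studioUser; do
    bind_role "$project_id" "$dms_sa" "$role"
  done
  # Cloud SQL instance service account: read-only access to the backup objects
  bind_role "$project_id" "$sql_sa" roles/storage.objectViewer
}

# Usage: sh grant-dms-roles.sh PROJECT_ID USER_EMAIL INSTANCE_NAME
if [ "$#" -eq 3 ]; then
  grant_migration_roles "$@"
fi
```

Run it once with DRY_RUN=1 to print the nine bindings for review, then without it to apply them. The Storage roles are bound at project level here because that is how this page describes the grant; if the backup bucket is the only Cloud Storage resource involved in the migration, binding Storage Object Viewer on that bucket instead (gcloud storage buckets add-iam-policy-binding) keeps the Cloud SQL instance service account from reading every bucket in the project.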
These predefined roles contain the permissions required to perform homogeneous SQL Server migrations with Database Migration Service. To see the exact permissions that are required, see the Required permissions section that follows.
Required permissions
The following permissions are required to perform homogeneous SQL Server migrations with Database Migration Service:
- User account that performs the migration:
  - datamigration.*
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - cloudsql.operations.get
  - cloudsql.instances.create
  - cloudsql.instances.get
  - cloudsql.instances.list
  - cloudsql.instances.import
  - cloudsql.databases.get
  - cloudsql.databases.list
  - cloudsql.databases.delete
  - compute.machineTypes.list
  - compute.machineTypes.get
  - compute.projects.get
  - storage.buckets.create
  - storage.buckets.list
- Database Migration Service service account:
  - datamigration.*
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - cloudsql.instances.create
  - cloudsql.instances.get
  - cloudsql.instances.list
  - cloudsql.instances.executeSql
  - storage.objects.create
  - storage.objects.list
- Cloud SQL instance service account:
  - storage.objects.list
  - storage.objects.get
You might also be able to get these permissions with custom roles or other predefined roles.
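Whichever roles you end up using, the useful check after granting is to audit what the project policy actually contains. The script below is an added example, not part of the Google Cloud documentation: it compares an exported project IAM policy against the roles this page lists for the three accounts, reports required roles that are missing, and flags the basic roles (Owner, Editor, Viewer) that this page recommends against because they apply to the entire project. The input is assumed to be one role and member per line, tab or space separated, as produced by gcloud projects get-iam-policy PROJECT_ID --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'. The sample policy, user email, project number and Cloud SQL instance service account address are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: audit a project IAM
# policy export against the roles required for a homogeneous Cloud SQL for SQL
# Server migration. Expected input (assumed): one "ROLE MEMBER" pair per line,
# as produced by
#   gcloud projects get-iam-policy PROJECT_ID --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
set -eu

# Constructed sample export. The project number, user email and the Cloud SQL
# instance service account address are placeholders, not real principals.
SAMPLE_POLICY='roles/datamigration.admin user:alice@example.com
roles/storage.admin user:alice@example.com
roles/editor user:alice@example.com
roles/datamigration.admin serviceAccount:service-123456789012@datamigration.iam.gserviceaccount.com
roles/storage.admin serviceAccount:service-123456789012@datamigration.iam.gserviceaccount.com
roles/cloudsql.editor serviceAccount:service-123456789012@datamigration.iam.gserviceaccount.com
roles/storage.objectViewer serviceAccount:CLOUDSQL_INSTANCE_SA@example.com'

# Roles this page lists for each account.
USER_ROLES='roles/datamigration.admin roles/storage.admin roles/cloudsql.editor'
DMS_SA_ROLES="$USER_ROLES roles/cloudsql.studioUser"
SQL_SA_ROLES='roles/storage.objectViewer'

# Exit 0 if MEMBER holds ROLE in the policy text; fields split on tab or space.
has_role() {
  printf '%s\n' "$1" | awk -v m="$2" -v r="$3" '$1 == r && $2 == m { found = 1 } END { exit !found }'
}

# Print each role in the space-separated list ROLES that MEMBER does not hold.
missing_roles() {
  policy=$1 member=$2 roles=$3
  for role in $roles; do
    has_role "$policy" "$member" "$role" || printf '%s\n' "$role"
  done
}

# Print any basic role held by MEMBER. Owner, Editor and Viewer apply to every
# resource in the project, which is exactly what the predefined roles avoid.
basic_roles() {
  printf '%s\n' "$1" | awk -v m="$2" \
    '$2 == m && ($1 == "roles/owner" || $1 == "roles/editor" || $1 == "roles/viewer") { print $1 }'
}

# Report on one member: missing required roles and over-broad basic roles.
report_member() {
  policy=$1 member=$2 roles=$3
  printf '%s\n' "$member"
  missing=$(missing_roles "$policy" "$member" "$roles")
  if [ -n "$missing" ]; then
    printf '  missing required role: %s\n' $missing
  else
    printf '  all required roles present\n'
  fi
  broad=$(basic_roles "$policy" "$member")
  if [ -n "$broad" ]; then
    printf '  over-broad basic role, consider removing: %s\n' $broad
  fi
}

# Usage: audit_migration_roles "$(gcloud projects get-iam-policy ...)" USER DMS_SA SQL_SA
audit_migration_roles() {
  report_member "$1" "$2" "$USER_ROLES"
  report_member "$1" "$3" "$DMS_SA_ROLES"
  report_member "$1" "$4" "$SQL_SA_ROLES"
}

# Run against the constructed sample: the user lacks Cloud SQL Editor and holds
# Editor, and the DMS service account lacks Cloud SQL Studio User.
audit_migration_roles "$SAMPLE_POLICY" user:alice@example.com \
  serviceAccount:service-123456789012@datamigration.iam.gserviceaccount.com \
  serviceAccount:CLOUDSQL_INSTANCE_SA@example.com
```

To audit a real project, replace SAMPLE_POLICY with the output of the gcloud command in the comment and pass the three real principals. A custom role will not show up as one of the listed predefined roles, so if you use custom roles, add their names to the USER_ROLES, DMS_SA_ROLES and SQL_SA_ROLES lists and confirm their permission sets against the Required permissions section separately.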