Access control with IAM

To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Database Migration Service and your relevant destination database product. You can control access to Database Migration Service-related resources, as opposed to granting users the Viewer, Editor, or Owner role to the entire Google Cloud project.

This page focuses details all of the roles that user and service accounts need during a homogeneous Cloud SQL migration with Database Migration Service. For more information about when you use these permissions during the migration process, see Migrate your SQL Server databases to Cloud SQL for SQL Server.

Accounts involved in performing migration jobs

There are three accounts involved in data migrations performed with Database Migration Service:

User account that performs the migration
This is the Google Account that you sign in with to create the connection profiles, upload the backup files to the Cloud Storage storage, create and run the migration job.
Database Migration Service service account
This is the service account that is created for you when you enable the Database Migration Service API. The email address associated with this account is generated automatically and can't be changed. This email address uses the following format:
service-PROJECT_NUMBER@datamigration.iam.gserviceaccount.com
Cloud SQL instance service account
This is a service account assigned specifically to your destination Cloud SQL for SQL Server instance. It is created after you create the destination instance. You can view the email address associated with this service account on the Cloud SQL instance detail page. See View instance information in the Cloud SQL for SQL Server documentation.

Each account involved in the data migration process requires a different set of roles and permissions.

Permissions and roles

To get the permissions that you need to perform homogeneous SQL Server migrations with Database Migration Service, ask your administrator to grant the required IAM roles on your project for the following accounts:

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to perform homogeneous SQL Server migrations with Database Migration Service. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to perform homogeneous SQL Server migrations with Database Migration Service:

  • User account that performs the migration:
    • datamigration.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • cloudsql.operations.get
    • cloudsql.instances.create
    • cloudsql.instances.get
    • cloudsql.instances.list
    • cloudsql.instances.import
    • cloudsql.databases.get
    • cloudsql.databases.list
    • cloudsql.databases.delete
    • compute.machineTypes.list
    • compute.machineTypes.get
    • compute.projects.get
    • storage.buckets.create
    • storage.buckets.list
  • Database Migration Service service account:
    • datamigration.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • cloudsql.instances.create
    • cloudsql.instances.get
    • cloudsql.instances.list
    • cloudsql.instances.executeSql
    • storage.objects.create
    • storage.objects.list
  • Cloud SQL instance service account:
    • storage.objects.list
    • storage.objects.get

You might also be able to get these permissions with custom roles or other predefined roles.