
Configuring Google Cloud Storage as a Source

Overview

 

To migrate data from an existing Google Cloud Storage (GCS) bucket, you must grant the CloudM Migrate service account the necessary permissions to read the data.

This guide covers the two sets of permissions you may need to configure:

  1. Bucket Permissions: Granting the CloudM Migrate service account read access to the objects in your bucket.
  2. KMS Key Permissions: An optional step required only if your bucket's data is encrypted with a customer-managed encryption key (CMEK).

 

Prerequisites

 

Before you begin, ensure you have the following:

  • The name of your existing Google Cloud Storage bucket.
  • The email address of the Service Account you created specifically for CloudM Migrate.
  • Knowledge of whether the objects in your bucket are encrypted with a customer-managed KMS key.

 

Step 1: Grant Read Permissions to the Service Account

 

This step gives CloudM Migrate the ability to see and copy data from your bucket.

  1. Navigate to the Google Cloud Console.
  2. Using the navigation menu (☰), go to Cloud Storage > Buckets.
  3. Locate your existing bucket in the list.
  4. Click the vertical three-dots menu (⋮) on the right-hand side of your bucket's row and select Edit access.
  5. Click the Add Principal button.
  6. In the New members field, paste the email address of your CloudM Migrate Service Account.
  7. In the Select a role dropdown menu, search for and select the Storage Object Viewer role. This role provides the necessary read-only access.
  8. Click Save.

 


 

Step 2: Configure KMS Key Permissions for Decryption (Optional)

 

Complete this step only if the data in your source bucket is encrypted with a customer-managed KMS key. This allows the underlying Google Storage service to decrypt the data so CloudM Migrate can read it.

  1. First, identify your project's Cloud Storage Service Account.
    • In the Google Cloud Console, navigate to Cloud Storage > Settings.
    • Under the Cloud Storage Service Account section, copy the Service Account email address.
  2. Next, navigate to the KMS key settings.
    • Using the navigation menu (☰), go to Security > Key Management Service.
  3. Select the Key Ring and then the specific Key that is used to encrypt your bucket's data.
  4. In the right-hand panel, select the Permissions tab. If the panel is not visible, click Show Info Panel.
  5. Click the Add Member button.
  6. In the New members field, paste the Cloud Storage Service Account email address you copied in step 1.
  7. In the Select a role dropdown menu, search for and select the Cloud KMS CryptoKey Encrypter/Decrypter role.
  8. Click Save.

Your Google Cloud Storage bucket is now correctly configured as a migration source. If your bucket uses a KMS key, you can set this up in the source settings in the batch configuration.
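To confirm that Steps 1 and 2 left exactly the intended grants in place, the following added example (not part of the CloudM documentation) audits exported IAM policy JSON for the bucket and the key. The service account emails, the sample policies and the function names are constructed for illustration; the role IDs are the identifiers behind the Storage Object Viewer and Cloud KMS CryptoKey Encrypter/Decrypter roles.

```python
import json

VIEWER = "roles/storage.objectViewer"                  # Storage Object Viewer (Step 1)
CRYPTO = "roles/cloudkms.cryptoKeyEncrypterDecrypter"  # CryptoKey Encrypter/Decrypter (Step 2)

def grants(policy, member):
    """(role, has_condition) pairs bound to member in an IAM policy dict."""
    return [(b["role"], "condition" in b)
            for b in policy.get("bindings", []) if member in b.get("members", [])]

def audit_source(bucket_policy, migrate_sa, key_policy=None, gcs_agent=None):
    """Return findings for the Step 1 grant and, if key_policy is given, Step 2."""
    findings = []
    sa = "serviceAccount:" + migrate_sa
    held = grants(bucket_policy, sa)
    if (VIEWER, False) not in held:
        # A conditional binding may cover only some objects, so flag it separately.
        why = "only conditionally" if (VIEWER, True) in held else "not"
        findings.append(f"bucket: {VIEWER} is {why} granted to {migrate_sa}")
    for role in sorted({r for r, _ in held} - {VIEWER}):
        findings.append(f"bucket: {migrate_sa} also holds {role}, "
                        "which this guide does not require")
    if key_policy is not None:
        agent = "serviceAccount:" + gcs_agent
        if (CRYPTO, False) not in grants(key_policy, agent):
            findings.append(f"key: {CRYPTO} is not granted to {gcs_agent}")
        for role, _ in grants(key_policy, sa):
            findings.append(f"key: {migrate_sa} holds {role}; this guide grants key "
                            "access only to the Cloud Storage service account")
    return findings

# Constructed sample input, shaped like the output of
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
#   gcloud kms keys get-iam-policy KEY --keyring=RING --location=LOC --format=json
MIGRATE_SA = "cloudm-migrate@example-project.iam.gserviceaccount.com"
GCS_AGENT = "service-123456789012@gs-project-accounts.iam.gserviceaccount.com"
BUCKET_POLICY = json.loads("""{"bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:cloudm-migrate@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:cloudm-migrate@example-project.iam.gserviceaccount.com"]}]}""")
KEY_POLICY = json.loads('{"bindings": []}')  # Step 2 not yet performed

if __name__ == "__main__":
    for line in audit_source(BUCKET_POLICY, MIGRATE_SA, KEY_POLICY, GCS_AGENT):
        print(line)
```

An empty result means the bucket and key carry only the grants this guide describes; pass `key_policy` only when the bucket uses a customer-managed key.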
