Permissions & Connectivity
- Connectivity: Since both Spanner migration tool and the underlying GCP services talk to the source database for schema and data migration, certain prerequisite connectivity configurations are required before using the tool.
- Permissions: Spanner migration tool (SMT) runs in the customer's GCP account. In order to orchestrate migrations, SMT needs access to certain permissions.
Connectivity
API enablement
- Make sure that billing is enabled for your Google Cloud project.
- Google Cloud Storage APIs are generally enabled by default. If they have been disabled, you will need to enable them:
gcloud services enable storage.googleapis.com
Configuring connectivity for spanner-migration-tool
In order for SMT to read the information schema from the source database, ensure that the machine where you run spanner-migration-tool is allowlisted to connect to the source database. In generic terms (your specific network settings may differ), do the following:
- Open your source database machine’s network firewall rules.
- Create an inbound rule.
- Set the source IP address to the IP address of the machine where you run the spanner-migration-tool.
- Set the protocol to TCP.
- Set the port associated with the TCP protocol of your database.
- Save the firewall rule, and then exit.
Permissions
The Spanner migration tool interacts with many GCP services. Please refer to this list for permissions required to perform migrations.
Spanner
The recommended role to perform migrations is Cloud Spanner Database Admin.
The full list of required Spanner permissions for migration is:
spanner.instances.list
spanner.instances.get
spanner.databases.create
spanner.databases.list
spanner.databases.get
spanner.databases.getDdl
spanner.databases.updateDdl
spanner.databases.read
spanner.databases.write
spanner.databases.select
Refer to the grant permissions page for custom roles.
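The following is an added example, not part of the SMT documentation or code base: it checks a role description (the JSON printed by `gcloud iam roles describe ... --format=json`) against the permission list above, and renders a role definition file usable with `gcloud iam roles create ROLE_ID --file=...`. The project name, role name, and role title are hypothetical, and the sample role is constructed.

```python
import json

# Permissions copied from the page's list of required Spanner permissions.
REQUIRED = frozenset({
    "spanner.instances.list",
    "spanner.instances.get",
    "spanner.databases.create",
    "spanner.databases.list",
    "spanner.databases.get",
    "spanner.databases.getDdl",
    "spanner.databases.updateDdl",
    "spanner.databases.read",
    "spanner.databases.write",
    "spanner.databases.select",
})


def audit_role(role_json: str) -> dict:
    """Compare a role's includedPermissions with the migration list."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    return {
        "role": role.get("name", "<unnamed>"),
        "missing": sorted(REQUIRED - granted),  # SMT would lack these
        "extra": sorted(granted - REQUIRED),    # review for least privilege
    }


def custom_role_definition(title: str) -> str:
    """Render a YAML role definition containing only the required permissions."""
    lines = [f"title: {json.dumps(title)}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(REQUIRED)]
    return "\n".join(lines) + "\n"


# Constructed sample: a hypothetical custom role that lacks DDL update rights
# and carries one permission that is not on the migration list.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/smtMigrator",
    "includedPermissions": sorted(REQUIRED - {"spanner.databases.updateDdl"})
    + ["spanner.databases.drop"],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
    print(custom_role_definition("SMT migration (hypothetical title)"))
```

An empty `missing` list means the role covers the migration; anything under `extra` is a permission the list above does not call for.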
GCS
Grant the user the Editor role to create buckets in the project.
GCE
Enable access to Spanner using service accounts.