[GCP] Cluster provisioning fails in orgs with restricted firewall and IAM permissions #9968

Description

@ikding

Summary

SkyPilot fails to provision GCP clusters in organizations that enforce least-privilege IAM org policies — specifically where end users cannot create firewall rules or IAM service accounts. These are standard enterprise security controls and the restriction is common in corporate GCP deployments.

Failure modes

  1. Firewall rule creation during OS Login setup

    When OS Login is enabled for a GCP project, setup_gcp_authentication in sky/authentication.py runs:

    gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
        --direction=INGRESS --action=allow --rules=tcp:22 --source-ranges=0.0.0.0/0

    In orgs where compute.firewalls.create is denied by org policy, this command fails and blocks cluster launch. The firewall rule itself is typically already in place — created by a platform team at the VPC or org level — but SkyPilot has no way to skip this step.

  2. IAM service account creation

    In _configure_iam_role (sky/provision/gcp/config.py), when SkyPilot cannot find its own managed service account, it attempts to create one via iam.serviceAccounts.create. In orgs where service account creation is restricted to admins, this fails even though every GCP project already has a usable default compute service account ({project_number}-compute@developer.gserviceaccount.com).

Expected behavior

SkyPilot should be usable in GCP environments where:

  • Firewall rules are pre-provisioned by a platform team and individual users cannot modify them
  • IAM service account creation is an elevated privilege not available to end users
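One way both steps could be made policy-aware, written here as an added example rather than SkyPilot's own code: describe before create, treat a read denial on the firewall rule as "rely on the platform team's pre-provisioned rule", and fall back to the project's default compute service account when the managed one can be neither read nor created. The service account name `skypilot-sa`, the project id, and the fake `gcloud` responses are constructed; matching denials on `PERMISSION_DENIED`/`403` in gcloud's output is an assumption about its error text.

```python
import subprocess
from typing import Callable, Dict, Sequence, Tuple
# A runner executes a gcloud argv and returns (exit_code, combined stdout+stderr).
# Injecting it lets the decision logic be exercised offline against constructed responses.
Runner = Callable[[Sequence[str]], Tuple[int, str]]

def gcloud_runner(argv: Sequence[str]) -> Tuple[int, str]:
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr

def make_fake_runner(responses: Dict[str, Tuple[int, str]]) -> Runner:
    """Constructed stand-in for gcloud: the first key that prefixes the command line wins."""
    def run(argv: Sequence[str]) -> Tuple[int, str]:
        cmd = " ".join(argv)
        return next((r for p, r in responses.items() if cmd.startswith(p)), (1, "ERROR: unknown"))
    return run

def _denied(out: str) -> bool:
    # Assumption: gcloud surfaces IAM and org-policy denials as PERMISSION_DENIED / HTTP 403.
    return "PERMISSION_DENIED" in out or "403" in out

def ensure_iap_ssh_rule(run: Runner, rule: str = "allow-ssh-ingress-from-iap") -> str:
    """Return 'exists', 'created', or 'unverified' (read denied: rely on the platform team)."""
    code, out = run(["gcloud", "compute", "firewall-rules", "describe", rule])
    if code == 0:
        return "exists"
    if _denied(out):
        return "unverified"  # compute.firewalls.get denied; a create attempt would fail too
    code, out = run(["gcloud", "compute", "firewall-rules", "create", rule, "--direction=INGRESS",
                     "--action=allow", "--rules=tcp:22", "--source-ranges=0.0.0.0/0"])
    if code != 0:
        raise RuntimeError(f"{rule} is missing and cannot be created: {out}")
    return "created"

def resolve_service_account(run: Runner, project: str, sa_name: str) -> str:
    """Email of the SA to attach: the managed one if readable or creatable, else the default compute SA."""
    email = f"{sa_name}@{project}.iam.gserviceaccount.com"
    code, out = run(["gcloud", "iam", "service-accounts", "describe", email])
    if code == 0:
        return email
    if not _denied(out):  # NOT_FOUND: try to create it, as SkyPilot does today
        code, out = run(["gcloud", "iam", "service-accounts", "create", sa_name, f"--project={project}"])
        if code == 0:
            return email
    # iam.serviceAccounts.create (or .get) denied by org policy: use the default compute SA
    code, out = run(["gcloud", "projects", "describe", project, "--format=value(projectNumber)"])
    if code != 0:
        raise RuntimeError(f"cannot resolve project number for {project}: {out}")
    return f"{out.strip()}-compute@developer.gserviceaccount.com"
```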

Environment

  • Cloud: GCP with OS Login enabled
  • GCP org policy: constraints/compute.restrictCloudStorageAccess, custom deny policies on iam.serviceAccounts.create and compute.firewalls.*
  • SkyPilot version: v0.12.3
