Summary
SkyPilot fails to provision GCP clusters in organizations that enforce least-privilege IAM org policies — specifically where end users cannot create firewall rules or IAM service accounts. These are standard enterprise security controls and the restriction is common in corporate GCP deployments.
Failure modes
- Firewall rule creation during OS Login setup
When OS Login is enabled for a GCP project, setup_gcp_authentication in sky/authentication.py runs:
gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
    --direction=INGRESS --action=allow --rules=tcp:22 --source-ranges=0.0.0.0/0
In orgs where compute.firewalls.create is denied by org policy, this command fails and blocks cluster launch. The firewall rule itself is typically already in place — created by a platform team at the VPC or org level — but SkyPilot has no way to skip this step.
- IAM service account creation
In _configure_iam_role (sky/provision/gcp/config.py), when SkyPilot cannot find its own managed service account, it attempts to create one via iam.serviceAccounts.create. In orgs where service account creation is restricted to admins, this fails even though every GCP project already has a usable default compute service account ({project_number}-compute@developer.gserviceaccount.com).
Expected behavior
SkyPilot should be usable in GCP environments where:
- Firewall rules are pre-provisioned by a platform team and individual users cannot modify them
- IAM service account creation is an elevated privilege not available to end users
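As an added illustration of the expected behavior (this is example code, not SkyPilot's own), a pre-flight planner that only schedules the two privileged steps when they are both needed and permitted: it skips the firewall rule when an ingress rule for tcp:22 already exists, and falls back to the default compute service account when iam.serviceAccounts.create is denied. The GCP lookups (`granted`, `list_firewall_rules`) are assumed to be supplied by the caller, e.g. wrapping projects.testIamPermissions and the firewall list API, so the logic itself runs offline.

```python
# Added example, not SkyPilot's code: plan the two privileged steps from the issue.
# `granted` and `list_firewall_rules` are injected callables (assumed wiring to
# testIamPermissions / firewall-rules list) so the decision logic runs offline.
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set

FIREWALL_CREATE = "compute.firewalls.create"
SA_CREATE = "iam.serviceAccounts.create"
DEFAULT_COMPUTE_SA = "{project_number}-compute@developer.gserviceaccount.com"

@dataclass
class Plan:
    create_firewall_rule: bool = False
    create_service_account: bool = False
    service_account: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def _opens_tcp_port(rule: dict, port: int) -> bool:
    """True if an enabled INGRESS rule allows `port` over TCP ("22" or "20-30")."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") != "tcp":
            continue
        if not allowed.get("ports"):  # tcp with no port list means every port
            return True
        for spec in allowed["ports"]:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def plan_gcp_setup(project_number: str,
                   granted: Callable[[Iterable[str]], Set[str]],
                   list_firewall_rules: Callable[[], List[dict]],
                   managed_sa: Optional[str]) -> Plan:
    perms = granted([FIREWALL_CREATE, SA_CREATE])  # permissions the org actually grants
    plan = Plan(service_account=managed_sa)
    if any(_opens_tcp_port(r, 22) for r in list_firewall_rules()):
        plan.notes.append("tcp:22 ingress already allowed; skip firewall-rules create")
    elif FIREWALL_CREATE in perms:
        plan.create_firewall_rule = True
    else:
        plan.notes.append(f"{FIREWALL_CREATE} denied and no tcp:22 ingress rule found")
    if managed_sa is None and SA_CREATE in perms:
        plan.create_service_account = True
    elif managed_sa is None:  # fall back to the SA every project already has
        plan.service_account = DEFAULT_COMPUTE_SA.format(project_number=project_number)
        plan.notes.append(f"{SA_CREATE} denied; using default compute service account")
    return plan
```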
Environment
- Cloud: GCP with OS Login enabled
- GCP org policy: constraints/compute.restrictCloudStorageAccess, custom deny policies on iam.serviceAccounts.create and compute.firewalls.*
- SkyPilot version: v0.12.3