Contents

GCP

GCP

Generally, the administrator can choose among three “levels” of permissions, from the most permissive and least setup effort, to the least permissive and more setup effort:

  • Default: no setup, give users Owner-level permissions (i.e., you do not need to follow the instructions in this section)

  • Medium: easy setup, with a medium set of permissions

  • Minimal: more setup, with the minimal set of permissions

Medium Permissions

The easiest way to grant permissions to a user access your GCP project without the Owner role is to add the following roles to the user principals:

roles/browser
roles/compute.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/serviceusage.serviceUsageConsumer
roles/storage.admin
roles/iam.securityAdmin

Note

If the roles/iam.securityAdmin role is undesirable, you can do the following. First, include the role and have any user (e.g., the admin) run sky launch --cloud gcp successfully once. This is to create the necessary service account. Then, remove the role from the list above.

Optionally, to use TPUs, add the following role:

roles/tpu.admin

You can grant those accesses via GCP’s IAM & Admin console.

Minimal Permissions

The Medium Permissions assigns admin permissions for some GCP services to the user. If you would like to grant finer-grained and more minimal permissions to your users in your organization / project, you can create a custom role by following the steps below:

User

  1. Go to GCP’s IAM & Admin console and click on Create Role.

GCP Create Role

  1. Give the role a descriptive name, such as minimal-skypilot-role.

  2. Click Add Permissions and search for the following permissions and add them to the role:

compute.disks.create
compute.disks.list
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.start
compute.instances.stop
compute.networks.get
compute.networks.list
compute.networks.getEffectiveFirewalls
compute.globalOperations.get
compute.reservations.list
compute.subnetworks.use
compute.subnetworks.list
compute.subnetworks.useExternalIp
compute.projects.get
compute.zoneOperations.get
iam.roles.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
serviceusage.services.enable
serviceusage.services.list
serviceusage.services.use
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy

  1. Optional: If the user needs to access GCS buckets, you can additionally add the following permissions:

storage.buckets.create
storage.buckets.get
storage.buckets.delete
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

  1. Optional: If the user needs to access TPU VMs, you can additionally add the following permissions (the following may not be exhaustive, please file an issue if you find any missing permissions):

tpu.nodes.create
tpu.nodes.delete
tpu.nodes.list
tpu.nodes.get
tpu.nodes.update
tpu.operations.get

  1. Optional: To enable sky launch --clone-disk-from, you need to have the following permissions for the role as well:

compute.disks.useReadOnly
compute.images.create
compute.images.get
compute.images.delete

  1. Optional: To enable opening ports on GCP cluster, you need to have the following permissions for the role as well:

compute.instances.setTags
compute.firewalls.list
compute.firewalls.update

  1. Click Create to create the role.

  2. Go back to the “IAM” tab and click on GRANT ACCESS.

  3. Fill in the email address of the user in the “Add principals” section, and select minimal-skypilot-role in the “Assign roles” section. Click Save.

GCP Grant Access

  1. The user should receive an invitation to the project and should be able to setup SkyPilot by following the instructions in Installation.

Note

The user created with the above minimal permissions will not be able to create service accounts to be assigned to SkyPilot instances.

The admin needs to follow the instruction below to create a service account to be shared by all users in the project.

Service Account

Note

If you already have an service account under “Service Accounts” tab with the email starting with skypilot-v1@, it is likely created by SkyPilot automatically, and you can skip this section.

  1. Click the “Service Accounts” tab in the “IAM & Admin” console, and click on the CREATE SERVICE ACCOUNT.

GCP Create Service Account

  1. Set the service account id to skypilot-v1 and click CREATE AND CONTINUE.

Set Service Account Name

  1. Select the minimal-skypilot-role (or the name you set) created in the last section and click on DONE.

Set Service Account Role

previous

AWS

next

Cloud Authentication