Skip to main content
Configure your firewall rules, IAM permissions, and network security to allow the required connections for your GCP Runner to function properly.

IAM Permissions Required

Your GCP service account needs the following permissions to deploy and manage the runner infrastructure:

Required Roles

  • Compute Admin (roles/compute.admin) - Manage VMs, networks, and load balancers
  • Storage Admin (roles/storage.admin) - Manage Cloud Storage buckets and objects
  • Artifact Registry Administrator (roles/artifactregistry.admin) - Manage container images
  • Secret Manager Admin (roles/secretmanager.admin) - Store and retrieve secrets
  • Service Account Admin (roles/iam.serviceAccountAdmin) - Create service accounts for runner components
  • Project IAM Admin (roles/resourcemanager.projectIamAdmin) - Manage project-level IAM bindings

Custom Role (Alternative)

Instead of broad roles, you can create a custom role with specific permissions. GCP custom roles do not support wildcards, so you must list each permission explicitly. The example below covers the most common permissions needed:
This list covers the most common deployment permissions. Depending on your configuration (CMEK, internal LB, etc.), additional permissions may be required. Refer to the IAM configuration guide in the Terraform module for the complete list.

Network Connectivity Requirements

Configure your firewall and network security groups to allow outbound connections to these endpoints.

Ona Services

Management Plane

Controls Runner and Environment orchestration by communicating with Ona’s control plane.
  • https://app.gitpod.io
  • https://app.ona.com

VS Code

Required for VS Code IDE functionality including server downloads and extension marketplace access.
  • https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-web
  • https://update.code.visualstudio.com/api/commits/stable/server-linux-arm64-web
  • https://update.code.visualstudio.com/commit:*/server-linux-x64/stable
  • https://update.code.visualstudio.com/commit:*/server-linux-arm64/stable
  • https://*.vscode-unpkg.net
  • https://marketplace.visualstudio.com
  • https://*.gallerycdn.vsassets.io
  • https://*.prss.microsoft.com
  • https://*.vscode-gitpod-cdn.com (required for VS Code Web functionality)
  • https://vscode.gitpod.io (required for VS Code Web functionality)

JetBrains

Required for JetBrains IDE functionality including IDE downloads and services.
  • https://www.jetbrains.com
  • https://download.jetbrains.com
  • https://download-cf.jetbrains.com
  • https://download-cdn.jetbrains.com
  • https://data.services.jetbrains.com
  • https://plugins.jetbrains.com
  • https://downloads.marketplace.jetbrains.com
  • https://account.jetbrains.com
See the JetBrains network access requirements for more details.

Release Artifacts

Downloads Ona updates, CLI binaries, and agent components necessary for Runner and Environment operation. These are served from app.gitpod.io/releases/* (same domain as the control plane). This access is required from the user laptops.
  • https://app.gitpod.io/releases/cli/stable/manifest.json
  • https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64
  • https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.exe
  • https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.sha256
  • https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64
  • https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64.sha256
  • https://app.gitpod.io/releases/vscode/releases/*/vscode-remote.vsix
  • https://app.gitpod.io/releases/vscode/releases/*/vscode-agent-amd64
  • https://app.gitpod.io/releases/vscode/releases/*/vscode-agent-arm64
  • https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-amd64
  • https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-arm64

Container Registries

Downloads container images used by development environments and runner infrastructure. Ona runner images (Google Artifact Registry):
  • https://us-docker.pkg.dev/gitpod-artifacts/docker-public (project ID: 760152953637)
Ona default Dev Container image:
  • https://mcr.microsoft.com/devcontainers/base:2.0.4-noble

Your Infrastructure

Runner Proxy Domain

The runner must be able to reach its own configured domain over HTTPS. It periodically verifies DNS resolution and TLS connectivity by requesting https://<your-runner-domain>/_health. Blocking this egress causes the runner to report degraded status.
  • https://<your-runner-domain> (the domain you configured during setup)

SCM and SSO Providers

Access to your source code repositories and authentication providers for user login and code access. Configure access to your specific providers (complete HTTPS URLs):
  • GitHub, GitLab, Bitbucket URLs
  • SSO provider URLs (Okta, Azure AD, etc.)

Optional Services

Prometheus Remote Write

Optional metrics collection endpoint for monitoring Runner and Environment performance.
  • Your metrics endpoint URL (HTTPS 443)

Additional Container Registries

Optional access to custom container registries for pulling private or organization-specific images. Common registries (allow those you use):
  • https://index.docker.io
  • https://registry-1.docker.io
  • https://auth.docker.io
  • https://ghcr.io
  • Your private registry URLs (HTTPS 443)

GCP Services and APIs Required

Core GCP Services

Supporting GCP Services

Required APIs

Metadata Service Access

Image Access Requirements

GCP Runners require access to specific VM images. If your GCP Organization restricts image access through organizational policies, ensure your GCP project can launch Compute Engine instances from these images.

Required Images

Organizational Policy Configuration

If your organization uses image access restrictions, configure your organizational policy to allow:

Allowlisting Recommendations

Use Project-Level Access: Allow access by project ID rather than specific image names to automatically receive security updates and new features. Regular Updates: Ona updates images regularly for security patches and feature improvements. Project-level access ensures automatic access to updated images. Testing Access: Verify image access before deployment:

Quota Requirements

Ensure your GCP project has sufficient quotas for the runner deployment:

Compute Engine Quotas

Regional Quotas

Quotas are region-specific. Ensure adequate quotas in your deployment region:

Requesting Quota Increases

For production deployments, request quota increases through the GCP Console:
  1. Navigate to IAM & AdminQuotas
  2. Filter by service: Compute Engine API
  3. Select your deployment region
  4. Request increases for the resources listed above

Troubleshooting

Insufficient IAM Permissions: Verify your service account has the required roles listed above.API Not Enabled: Enable all required APIs in your GCP project:
Image Access Denied: Check organizational policies and image project access.Quota Exceeded: Monitor quota usage and request increases before deployment.
Test your access before deployment: