IAM Permissions Required
Your GCP service account needs the following permissions to deploy and manage the runner infrastructure:Required Roles
- Compute Admin (
roles/compute.admin) - Manage VMs, networks, and load balancers - Storage Admin (
roles/storage.admin) - Manage Cloud Storage buckets and objects - Artifact Registry Administrator (
roles/artifactregistry.admin) - Manage container images - Secret Manager Admin (
roles/secretmanager.admin) - Store and retrieve secrets - Service Account Admin (
roles/iam.serviceAccountAdmin) - Create service accounts for runner components - Project IAM Admin (
roles/resourcemanager.projectIamAdmin) - Manage project-level IAM bindings
Custom Role (Alternative)
Instead of broad roles, you can create a custom role with specific permissions. GCP custom roles do not support wildcards, so you must list each permission explicitly. The example below covers the most common permissions needed:This list covers the most common deployment permissions. Depending on your configuration (CMEK, internal LB, etc.), additional permissions may be required. Refer to the IAM configuration guide in the Terraform module for the complete list.
Network Connectivity Requirements
Configure your firewall and network security groups to allow outbound connections to these endpoints.Ona Services
Management Plane
Controls Runner and Environment orchestration by communicating with Ona’s control plane.https://app.gitpod.iohttps://app.ona.com
VS Code
Required for VS Code IDE functionality including server downloads and extension marketplace access.https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-webhttps://update.code.visualstudio.com/api/commits/stable/server-linux-arm64-webhttps://update.code.visualstudio.com/commit:*/server-linux-x64/stablehttps://update.code.visualstudio.com/commit:*/server-linux-arm64/stablehttps://*.vscode-unpkg.nethttps://marketplace.visualstudio.comhttps://*.gallerycdn.vsassets.iohttps://*.prss.microsoft.comhttps://*.vscode-gitpod-cdn.com(required for VS Code Web functionality)https://vscode.gitpod.io(required for VS Code Web functionality)
JetBrains
Required for JetBrains IDE functionality including IDE downloads and services.https://www.jetbrains.comhttps://download.jetbrains.comhttps://download-cf.jetbrains.comhttps://download-cdn.jetbrains.comhttps://data.services.jetbrains.comhttps://plugins.jetbrains.comhttps://downloads.marketplace.jetbrains.comhttps://account.jetbrains.com
Release Artifacts
Downloads Ona updates, CLI binaries, and agent components necessary for Runner and Environment operation. These are served fromapp.gitpod.io/releases/* (same domain as the control plane). This access is required from the user laptops.
https://app.gitpod.io/releases/cli/stable/manifest.jsonhttps://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.exehttps://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.sha256https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64.sha256https://app.gitpod.io/releases/vscode/releases/*/vscode-remote.vsixhttps://app.gitpod.io/releases/vscode/releases/*/vscode-agent-amd64https://app.gitpod.io/releases/vscode/releases/*/vscode-agent-arm64https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-amd64https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-arm64
Container Registries
Downloads container images used by development environments and runner infrastructure. Ona runner images (Google Artifact Registry):https://us-docker.pkg.dev/gitpod-artifacts/docker-public(project ID:760152953637)
https://mcr.microsoft.com/devcontainers/base:2.0.4-noble
Your Infrastructure
Runner Proxy Domain
The runner must be able to reach its own configured domain over HTTPS. It periodically verifies DNS resolution and TLS connectivity by requestinghttps://<your-runner-domain>/_health. Blocking this egress causes the runner to report degraded status.
https://<your-runner-domain>(the domain you configured during setup)
SCM and SSO Providers
Access to your source code repositories and authentication providers for user login and code access. Configure access to your specific providers (complete HTTPS URLs):- GitHub, GitLab, Bitbucket URLs
- SSO provider URLs (Okta, Azure AD, etc.)
Optional Services
Prometheus Remote Write
Optional metrics collection endpoint for monitoring Runner and Environment performance.- Your metrics endpoint URL (HTTPS 443)
Additional Container Registries
Optional access to custom container registries for pulling private or organization-specific images. Common registries (allow those you use):https://index.docker.iohttps://registry-1.docker.iohttps://auth.docker.iohttps://ghcr.io- Your private registry URLs (HTTPS 443)
GCP Services and APIs Required
Core GCP Services
Supporting GCP Services
Required APIs
Metadata Service Access
Image Access Requirements
GCP Runners require access to specific VM images. If your GCP Organization restricts image access through organizational policies, ensure your GCP project can launch Compute Engine instances from these images.Required Images
Organizational Policy Configuration
If your organization uses image access restrictions, configure your organizational policy to allow:Allowlisting Recommendations
Use Project-Level Access: Allow access by project ID rather than specific image names to automatically receive security updates and new features. Regular Updates: Ona updates images regularly for security patches and feature improvements. Project-level access ensures automatic access to updated images. Testing Access: Verify image access before deployment:Quota Requirements
Ensure your GCP project has sufficient quotas for the runner deployment:Compute Engine Quotas
Regional Quotas
Quotas are region-specific. Ensure adequate quotas in your deployment region:Requesting Quota Increases
For production deployments, request quota increases through the GCP Console:- Navigate to IAM & Admin → Quotas
- Filter by service: Compute Engine API
- Select your deployment region
- Request increases for the resources listed above
Troubleshooting
Common Permission Issues
Common Permission Issues
Insufficient IAM Permissions: Verify your service account has the required roles listed above.API Not Enabled: Enable all required APIs in your GCP project:Image Access Denied: Check organizational policies and image project access.Quota Exceeded: Monitor quota usage and request increases before deployment.
Validation Commands
Validation Commands
Test your access before deployment: