Cloud Authentication#

Tip

More topics will be added to this page gradually as they surface.

Contributions are especially welcome on administration as cloud accounts differ case-by-case.

AWS#

AWS SSO#

AWS IAM Identity Center (Successor to AWS Single Sign-On, or SSO) is supported.

To use it, ensure that your machine has AWS CLI V2 installed (by default, pip install skypilot[aws] installs V1; V2 cannot be installed via pip).

You can use the following to check version:

$ aws --version

Then, after the usual aws configure sso and aws sso login --profile <profile_name> commands, SkyPilot will work as usual.

Using several profiles or accounts#

You can use different AWS profiles or accounts to launch different clusters. SkyPilot will remember the owner identity of each cluster and properly protects any “write” operations. All clusters are shown in sky status.

Example of mixing a default profile and an SSO profile:

$ # A cluster launched under the default AWS identity.
$ sky launch --cloud aws -c default

$ # A cluster launched under a different profile.
$ AWS_PROFILE=AdministratorAccess-12345 sky launch --cloud aws -c my-sso-cluster

GCP#

GCP Service Account#

GCP Service Accounts are supported.

Tip

A service account on your local machine can avoid the periodic google.auth.exceptions.RefreshError: Reauthentication is needed. Please run `gcloud auth application-default login` to reauthenticate. error. A service account is long-lived as it does not have an expiry time.

Set up a service account as follows:

  1. Follow the instructions to create a service account with the appropriate roles/permissions.

  2. In the “Service Accounts” tab in the IAM & Admin console, click on the service account to go to its detailed page. Click on the KEYS tab, then click on ADD KEY to add a JSON key. The key will be downloaded automatically.

  3. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the key file, and configure the gcloud CLI tool:

    $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
    $ gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
    $ gcloud config set project your-project-id
    

    You may want to add the export statement in your profile (e.g. ~/.bashrc, ~/.zshrc) so that it is set automatically in all new terminal sessions.