Required Permissions#

Skyplane runs in your own cloud accounts and does interact with an external service to run transfers. However the cloud account you are running Skyplane in must have permissions to interact with object storage and create VMs to execute transfers.


Your AWS account must have the following permissions:

  • ec2:*

  • s3:*

  • kms:Decrypt

  • kms:GenerateDataKey

  • iam:GetRole

  • iam:CreateInstanceProfile,

  • iam:AddRoleToInstanceProfile


For GCP, Skyplane create a service account which has permissions to read and write from GCP object stores. Your GCP account must have the following roles:

  • roles/iam.serviceAccountCreator

  • roles/storage.objectAdmin

  • roles/compute.instanceAdmin.v1

In addition, the Compute Engine default service account principal must have the roles/storage.objectAdmin role, since instances created by the principal will inherit its permissions.


Your Azure account must have the following roles:

  • Storage Blob Data Contributor

  • Storage Account Contributor


Within Azure, it is not sufficient to have just the Owner role to be able to access and write to containers in storage. The VMs that Skyplane provisions are assigned the sufficient storage permissions, but to be able to interact with Azure storage locally, check to make sure your personal Azure account has the roles listed above.