Cirun Cloud Credential Errors: Runner Fails to Launch
Cirun authenticates to your cloud with credentials you provide and launches runners in your account. If those credentials are missing, expired, or under-privileged, no runner starts and your job waits. This page covers how to diagnose credential and permission failures. See docs.cirun.io for the authoritative, current steps.
Symptoms
Jobs stay in "Waiting for a runner," no instance appears in your cloud console, or the Cirun dashboard shows a launch failure. This usually points at the connected cloud identity rather than your workflow.
Check the connected cloud access
On the Cirun dashboard, confirm cloud access is still connected for the provider your .cirun.yml targets. Credentials can be rotated or revoked out from under Cirun; re-add cloud access if the connection is stale.
Check IAM permissions
The identity Cirun uses must be able to create and terminate the instance types you request, and manage related resources (networking, images, and for spot/preemptible, the relevant permissions). On AWS this is typically an IAM user or role with EC2 run/terminate permissions; on GCP a service account; on Azure a service principal. Grant the minimum permissions Cirun's docs list for your provider.
Check region and account scope
Make sure the credential has access in the region your runner targets and that the account is not blocked by an organization policy or SCP that denies instance creation.
The fully-managed alternative
Because Latchkey is fully managed, there are no cloud credentials to connect, rotate, or debug - and no IAM to scope. If credential upkeep is a recurring drain, that removes the whole category of problem. You trade direct control of the cloud account for not having to operate it.