Embodiments provide for the management of resources for an isolated sub-network without use of gateways or other such access mechanisms. A common executor sub-network logically sits between the isolated sub-network and resource provisioning infrastructure, enabling provisioning commands to be executed on behalf of a client in the isolated sub-network. A virtual endpoint enables request objects to be passed to an operations object store of the common executor sub-network. The request object can include information such as a command to be executed and a credential for authorizing the command. An executor service performs the necessary validations and authorizations, and causes the command to be executed on behalf of the client. Upon completion, a response object is provided that includes a result of the execution. The response object includes a limited amount of information, with a full response object being stored by the executor sub-network for auditing or other such purposes.