User authentication and authorization
This page describes user authentication and authorization on Anyscale platform.
Users need to get authenticated to interact with the interfaces that Anyscale supports:
- a Web UI, accessible at
console.anyscale.com
, - a CLI, which can be installed with
pip install anyscale
, - a Python SDK, which is also installed with
pip install anyscale
, and - a HTTP API, which can be used for programmatic access in any language.
- an Anyscale Endpoints API, which can be used for Endpoints features such as text generation, fine-tuning, or embedding.
Single sign-on
Anyscale supports Single Sign On (SSO) with SAML 2.0 providers. A guide for setting up SSO with common providers can be found here. Integration with SSO identity providers allows Anyscale customers to set more restrictive policies on authentication to the console by implementing password rotation, group policies, and MFA.
Platform API keys
Platform API keys allow users to programmatically interact with Anyscale Web UI, CLI, Python SDK, and HTTP API. You can fetch a user-specific, persistent key from the Anyscale Web UI and store it for use in development. The default location for the CLI and SDK to reference this key is at
~/.anyscale/credentials.json
and you can set it using the anyscale login
CLI command. You can also set the key with the ANYSCALE_CLI_TOKEN
environment variable. Ray and Anyscale clients send this key in HTTPS request headers to access Anyscale API calls.
Rotating platform API keys
Platform API keys can be rotated in order to revoke all existing keys. Rotating a token will invalidate all existing keys and cause subsequent API requests to fail authentication.
-
Collaborators can rotate their own Platform API keys. To rotate and retrieve a new credential, there are two methods:
- Within the UI, you can rotate your own Platform API keys by navigating to the API Keys page within the console, going to the AI Platform tab, and selecting “Revoke all keys”.
- Using the API, you can rotate your own Platform API key by using the Rotate User key API.
-
Owners (users with administrator privileges) can rotate existing user API keys using the Rotate API key for User API by providing a user’s user ID. Note: Users can retrieve a user ID by leveraging this get collaborator API.
Revoke platform API keys
Account owners can revoke a user's Platform API keys by removing users from their accounts.