Skip to main content

Policy API Reference (0.26.81)

View Markdown

Policy API Reference (0.26.81)

note

This is archived documentation for version 0.26.81. For the current documentation, see current documentation.

Customer-hosted cloud features

note

Some features are only available on customer-hosted clouds. Reach out to support@anyscale.com for info.

Policy CLI

anyscale policy set Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy set [OPTIONS]

Set user group permission policy for a resource.

The config file should be in YAML format with bindings list.

For organization policies, --resource-id cannot be specified, the policy will be set for your current organization automatically.

Example policy.yaml:

 bindings:

  • role_name: collaborator principals:
    • ug_abc123
  • role_name: readonly principals:
    • ug_def456
    • ug_ghi789

Valid role_name values:

 Cloud: collaborator, readonly Project: collaborator, readonly Organization: owner, collaborator

Options

  • --resource-type: Resource type ('cloud', 'project', or 'organization').
  • --resource-id: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.
  • -f/--config-file: Path to a YAML config file with policy bindings.

Examples

# Set policy for a cloud
$ anyscale policy set --resource-type cloud --resource-id cld_abc123 -f policy.yaml
(anyscale +0.5s) Setting policy for cloud cld_abc123...
(anyscale +1.2s) Policy for cloud cld_abc123 has been updated.

# Set policy for your organization (--resource-id is not allowed)
$ anyscale policy set --resource-type organization -f org_policy.yaml
(anyscale +0.5s) Setting policy for organization your organization...
(anyscale +1.2s) Policy for organization your organization has been updated.

$ cat policy.yaml
bindings:
  - role_name: collaborator
    principals:
      - ug_abc123
  - role_name: readonly
    principals:
      - ug_def456
      - ug_ghi789

anyscale policy get Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy get [OPTIONS]

Get user group permission policy for a resource.

For organization policies, --resource-id cannot be specified, the policy for your current organization will be returned automatically.

Options

  • --resource-type: Resource type ('cloud', 'project', or 'organization').
  • --resource-id: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.

Examples

# Get policy for a cloud
$ anyscale policy get --resource-type cloud --resource-id cld_abc123
(anyscale +0.5s) Policy for cloud cld_abc123:
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_abc123              success
readonly  ug_def456                  success
readonly  ug_ghi789                  success

# Get policy for your organization (--resource-id is not allowed)
$ anyscale policy get --resource-type organization
(anyscale +0.5s) Policy for organization your organization:
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
owner     ug_admins                  success
collaborator  ug_developers          success

anyscale policy list Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy list [OPTIONS]

List permission policies for all resources of a specific type.

Only shows resources that have bindings configured.

Options

  • --resource-type: Resource type to list policies for ('cloud' or 'project').

Examples

$ anyscale policy list --resource-type cloud
(anyscale +0.6s) cloud: cld_abc123
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_abc123              success
readonly  ug_def456                  success

(anyscale +0.6s) cloud: cld_xyz789
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_ghi789              pending

Policy SDK

anyscale.policy.set

Set user group permission policy for a resource.

For organization policies, resource_id cannot be specified, the policy will be set for your current organization automatically.

Valid role_name values by resource type:

Cloud:

  • collaborator: Read/write access (create, read, update, delete)
  • readonly: Read-only access

Project:

  • collaborator: Read/write access (create, read, update)
  • readonly: Read-only access

Organization:

  • owner: Full control (write + collaborator management)
  • collaborator: Read/write access to organization resources

Arguments

  • resource_type (str): Resource type ('cloud', 'project', or 'organization').
  • config (PolicyConfig): Policy configuration with role bindings.
  • resource_id (str | None) = None: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.

Examples

import anyscale
from anyscale.policy.models import PolicyConfig, PolicyBinding

# Set policy for a cloud
policy_config = PolicyConfig(
    bindings=[
        PolicyBinding(role_name="collaborator", principals=["ug_abc123"]),
        PolicyBinding(role_name="readonly", principals=["ug_def456", "ug_ghi789"]),
    ]
)
anyscale.policy.set(
    resource_type="cloud",
    resource_id="cld_abc123",
    config=policy_config,
)

# Set policy for your organization (no resource_id needed)
org_policy = PolicyConfig(
    bindings=[
        PolicyBinding(role_name="owner", principals=["ug_admins"]),
        PolicyBinding(role_name="collaborator", principals=["ug_developers"]),
    ]
)
anyscale.policy.set(
    resource_type="organization",
    config=org_policy,
)

anyscale.policy.get

Get user group permission policy for a resource.

For organization policies, resource_id cannot be specified, the policy for your current organization will be returned automatically.

Returns a Policy object with role bindings.

Arguments

  • resource_type (str): Resource type ('cloud', 'project', or 'organization').
  • resource_id (str | None) = None: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.

Returns: Policy

Examples

import anyscale
from anyscale.policy.models import Policy

# Get policy for a cloud
policy = anyscale.policy.get(resource_type="cloud", resource_id="cld_abc123")
for binding in policy.bindings:
    print(f"{binding.role_name}: {binding.principals}")

# Get policy for your organization (no resource_id needed)
org_policy = anyscale.policy.get(resource_type="organization")
for binding in org_policy.bindings:
    print(f"{binding.role_name}: {binding.principals}")

anyscale.policy.list

List permission policies for all resources of a specific type.

Returns a list of ResourcePolicy objects.

Arguments

  • resource_type (str): Resource type to list policies for ('cloud' or 'project').

Returns: List[ResourcePolicy]

Examples

import anyscale
from anyscale.policy.models import ResourcePolicy

policies = anyscale.policy.list(resource_type="cloud")
for policy in policies:
    print(f"{policy.resource_id}: {policy.bindings}")

Policy Models

Policy

Policy model representing the policy for a single resource.

Fields

  • bindings (List[PolicyBinding]): List of role bindings for the policy.
  • sync_status (PolicySyncStatus): Sync status of the policy (pending, success, or failed).

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

import anyscale
from anyscale.policy.models import Policy

policy = anyscale.policy.get(resource_type="cloud", resource_id="cld_abc123")
print(f"Sync status: {policy.sync_status}")
for binding in policy.bindings:
    print(f"{binding.role_name}: {binding.principals}")

PolicyBinding

A binding of a role to a list of principals (user group IDs).

Fields

  • role_name (str): The role name. For cloud/project policies use 'collaborator' or 'readonly'. For organization policies use 'owner' or 'collaborator'.
  • principals (List[str]): List of user group IDs that have this role.

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

from anyscale.policy.models import PolicyBinding

binding = PolicyBinding(role_name="collaborator", principals=["ug_abc123"])

PolicyConfig

Policy configuration with role bindings.

Fields

  • bindings (List[PolicyBinding]): List of role bindings for the policy.

Python Methods

def __init__(self, **fields) -> PolicyConfig
    """Construct a model with the provided field values set."""

def options(self, **fields) -> PolicyConfig
    """Return a copy of the model with the provided field values overwritten."""

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

bindings:
  - role_name: collaborator
    principals:
      - ug_abc123
  - role_name: readonly
    principals:
      - ug_def456
      - ug_ghi789

PolicySyncStatus

Sync status for resource permission policies.

Values

  • pending: Policy is pending synchronization.
  • success: Policy has been successfully synchronized.
  • failed: Policy synchronization has failed.

ResourcePolicy

Resource policy model representing permissions for a resource.

Fields

  • resource_id (str): The ID of the resource.
  • resource_type (str): The type of the resource (e.g., 'cloud', 'project').
  • bindings (List[PolicyBinding]): List of role bindings for the policy.
  • sync_status (PolicySyncStatus): Sync status of the policy (pending, success, or failed).

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

import anyscale
from anyscale.policy.models import ResourcePolicy

policies = anyscale.policy.list(resource_type="cloud")
for policy in policies:
    print(f"{policy.resource_id}: {policy.bindings} (sync_status: {policy.sync_status})")