Policy CLI reference

View Markdown

Policy CLI reference

Customer-hosted cloud features

note

Some features are only available on customer-hosted clouds. Reach out to support@anyscale.com for info.

Policy CLI

anyscale policy set Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy set [OPTIONS]

Set user group permission policy for a resource.

The config file should be in YAML format with bindings list.

For organization policies, --resource-id cannot be specified, the policy will be set for your current organization automatically.

Example policy.yaml:

 bindings:

• role_name: collaborator principals:
  • ug_abc123
• role_name: readonly principals:
  • ug_def456
  • ug_ghi789

Valid role_name values:

 Cloud: collaborator, readonly Project: owner, collaborator, readonly Organization: owner, collaborator

Options

• --resource-type: Resource type ('cloud', 'project', or 'organization').
• --resource-id: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.
• -f/--config-file: Path to a YAML config file with policy bindings.

Examples

CLI

# Set policy for a cloud
$ anyscale policy set --resource-type cloud --resource-id cld_abc123 -f policy.yaml
(anyscale +0.5s) Setting policy for cloud cld_abc123...
(anyscale +1.2s) Policy for cloud cld_abc123 has been updated.

# Set policy for your organization (--resource-id is not allowed)
$ anyscale policy set --resource-type organization -f org_policy.yaml
(anyscale +0.5s) Setting policy for organization your organization...
(anyscale +1.2s) Policy for organization your organization has been updated.

$ cat policy.yaml
bindings:
  - role_name: collaborator
    principals:
      - ug_abc123
  - role_name: readonly
    principals:
      - ug_def456
      - ug_ghi789

anyscale policy get Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy get [OPTIONS]

Get user group permission policy for a resource.

For organization policies, --resource-id cannot be specified, the policy for your current organization will be returned automatically.

Options

• --resource-type: Resource type ('cloud', 'project', or 'organization').
• --resource-id: Resource ID (e.g., cld_abc123, prj_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'.

Examples

CLI

# Get policy for a cloud
$ anyscale policy get --resource-type cloud --resource-id cld_abc123
(anyscale +0.5s) Policy for cloud cld_abc123:
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_abc123              success
readonly  ug_def456                  success
readonly  ug_ghi789                  success

# Get policy for your organization (--resource-id is not allowed)
$ anyscale policy get --resource-type organization
(anyscale +0.5s) Policy for organization your organization:
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
owner     ug_admins                  success
collaborator  ug_developers          success

anyscale policy list Beta

warning

This command undergoes rapid iteration. Users must be tolerant of change.

Usage

anyscale policy list [OPTIONS]

List permission policies for all resources of a specific type.

Only shows resources that have bindings configured.

Options

• --resource-type: Resource type to list policies for ('cloud' or 'project').

Examples

CLI

$ anyscale policy list --resource-type cloud
(anyscale +0.6s) cloud: cld_abc123
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_abc123              success
readonly  ug_def456                  success

(anyscale +0.6s) cloud: cld_xyz789
Role      Principal (User Group ID)  Process Status
--------  -------------------------  --------------
collaborator  ug_ghi789              pending

Policy models

Policy

Policy model representing the policy for a single resource.

Fields

• bindings (List[PolicyBinding]): List of role bindings for the policy.
• sync_status (PolicySyncStatus): Sync status of the policy (pending, success, or failed).

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

Python

import anyscale
from anyscale.policy.models import Policy

policy = anyscale.policy.get(resource_type="cloud", resource_id="cld_abc123")
print(f"Sync status: {policy.sync_status}")
for binding in policy.bindings:
    print(f"{binding.role_name}: {binding.principals}")

PolicyBinding

A binding of a role to a list of principals (user group IDs).

Fields

• role_name (str): The role name. For cloud/project policies use 'collaborator' or 'readonly'. For organization policies use 'owner' or 'collaborator'.
• principals (List[str]): List of user group IDs that have this role.

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

Python

from anyscale.policy.models import PolicyBinding

binding = PolicyBinding(role_name="collaborator", principals=["ug_abc123"])

PolicyConfig

Policy configuration with role bindings.

Fields

• bindings (List[PolicyBinding]): List of role bindings for the policy.

Python Methods

def __init__(self, **fields) -> PolicyConfig
    """Construct a model with the provided field values set."""

def options(self, **fields) -> PolicyConfig
    """Return a copy of the model with the provided field values overwritten."""

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

YAML

bindings:
  - role_name: collaborator
    principals:
      - ug_abc123
  - role_name: readonly
    principals:
      - ug_def456
      - ug_ghi789

Python

from anyscale.policy.models import PolicyBinding, PolicyConfig

config = PolicyConfig(
    bindings=[
        PolicyBinding(role_name="collaborator", principals=["ug_abc123"]),
        PolicyBinding(role_name="readonly", principals=["ug_def456", "ug_ghi789"]),
    ]
)

PolicySyncStatus

Sync status for resource permission policies.

Values

• pending: Policy is pending synchronization.
• success: Policy has been successfully synchronized.
• failed: Policy synchronization has failed.

ResourcePolicy

Resource policy model representing permissions for a resource.

Fields

• resource_id (str): The ID of the resource.
• resource_type (str): The type of the resource (e.g., 'cloud', 'project').
• bindings (List[PolicyBinding]): List of role bindings for the policy.
• sync_status (PolicySyncStatus): Sync status of the policy (pending, success, or failed).

Python Methods

def to_dict(self) -> Dict[str, Any]
    """Return a dictionary representation of the model."""

Examples

Python

import anyscale
from anyscale.policy.models import ResourcePolicy

policies = anyscale.policy.list(resource_type="cloud")
for policy in policies:
    print(f"{policy.resource_id}: {policy.bindings} (sync_status: {policy.sync_status})")