--- title: "Policy CLI reference" description: "Customer-hosted cloud features" --- # Policy CLI reference #### Customer-hosted cloud features :::note Some features are only available on customer-hosted clouds. Reach out to [support@anyscale.com](mailto:support@anyscale.com) for info. ::: ## Policy CLI ### `anyscale policy set` Beta :::warning This command undergoes rapid iteration. Users must be tolerant of change. ::: **Usage** `anyscale policy set [OPTIONS]` Set user group permission policy for a resource. The config file should be in YAML format with bindings list. For organization policies, --resource-id cannot be specified, the policy will be set for your current organization automatically. Example policy.yaml:  bindings: - role\_name: collaborator principals: - ug\_abc123 - role\_name: readonly principals: - ug\_def456 - ug\_ghi789 Valid role\_name values:  Cloud: collaborator, readonly Project: owner, collaborator, readonly Organization: owner, collaborator **Options** - **`--resource-type`**: Resource type ('cloud', 'project', or 'organization'). - **`--resource-id`**: Resource ID (e.g., cld\_abc123, prj\_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'. - **`-f/--config-file`**: Path to a YAML config file with policy bindings. #### Examples ::::tabs :::tab[CLI] ```bash # Set policy for a cloud $ anyscale policy set --resource-type cloud --resource-id cld_abc123 -f policy.yaml (anyscale +0.5s) Setting policy for cloud cld_abc123... (anyscale +1.2s) Policy for cloud cld_abc123 has been updated. # Set policy for your organization (--resource-id is not allowed) $ anyscale policy set --resource-type organization -f org_policy.yaml (anyscale +0.5s) Setting policy for organization your organization... (anyscale +1.2s) Policy for organization your organization has been updated. $ cat policy.yaml bindings: - role_name: collaborator principals: - ug_abc123 - role_name: readonly principals: - ug_def456 - ug_ghi789 ``` ::: :::: ### `anyscale policy get` Beta :::warning This command undergoes rapid iteration. Users must be tolerant of change. ::: **Usage** `anyscale policy get [OPTIONS]` Get user group permission policy for a resource. For organization policies, --resource-id cannot be specified, the policy for your current organization will be returned automatically. **Options** - **`--resource-type`**: Resource type ('cloud', 'project', or 'organization'). - **`--resource-id`**: Resource ID (e.g., cld\_abc123, prj\_xyz789). Required for 'cloud' and 'project' types, not allowed for 'organization'. #### Examples ::::tabs :::tab[CLI] ```bash # Get policy for a cloud $ anyscale policy get --resource-type cloud --resource-id cld_abc123 (anyscale +0.5s) Policy for cloud cld_abc123: Role Principal (User Group ID) Process Status -------- ------------------------- -------------- collaborator ug_abc123 success readonly ug_def456 success readonly ug_ghi789 success # Get policy for your organization (--resource-id is not allowed) $ anyscale policy get --resource-type organization (anyscale +0.5s) Policy for organization your organization: Role Principal (User Group ID) Process Status -------- ------------------------- -------------- owner ug_admins success collaborator ug_developers success ``` ::: :::: ### `anyscale policy list` Beta :::warning This command undergoes rapid iteration. Users must be tolerant of change. ::: **Usage** `anyscale policy list [OPTIONS]` List permission policies for all resources of a specific type. Only shows resources that have bindings configured. **Options** - **`--resource-type`**: Resource type to list policies for ('cloud' or 'project'). #### Examples ::::tabs :::tab[CLI] ```bash $ anyscale policy list --resource-type cloud (anyscale +0.6s) cloud: cld_abc123 Role Principal (User Group ID) Process Status -------- ------------------------- -------------- collaborator ug_abc123 success readonly ug_def456 success (anyscale +0.6s) cloud: cld_xyz789 Role Principal (User Group ID) Process Status -------- ------------------------- -------------- collaborator ug_ghi789 pending ``` ::: :::: ## Policy models ### `Policy` Policy model representing the policy for a single resource. #### Fields - **`bindings` (List\[[PolicyBinding](#policybinding)\])**: List of role bindings for the policy. - **`sync_status` ([PolicySyncStatus](#policysyncstatus))**: Sync status of the policy (pending, success, or failed). #### Python Methods ```python def to_dict(self) -> Dict[str, Any] """Return a dictionary representation of the model.""" ``` #### Examples ::::tabs :::tab[Python] ```python import anyscale from anyscale.policy.models import Policy policy = anyscale.policy.get(resource_type="cloud", resource_id="cld_abc123") print(f"Sync status: {policy.sync_status}") for binding in policy.bindings: print(f"{binding.role_name}: {binding.principals}") ``` ::: :::: ### `PolicyBinding` A binding of a role to a list of principals (user group IDs). #### Fields - **`role_name` (str)**: The role name. For cloud/project policies use 'collaborator' or 'readonly'. For organization policies use 'owner' or 'collaborator'. - **`principals` (List\[str\])**: List of user group IDs that have this role. #### Python Methods ```python def to_dict(self) -> Dict[str, Any] """Return a dictionary representation of the model.""" ``` #### Examples ::::tabs :::tab[Python] ```python from anyscale.policy.models import PolicyBinding binding = PolicyBinding(role_name="collaborator", principals=["ug_abc123"]) ``` ::: :::: ### `PolicyConfig` Policy configuration with role bindings. #### Fields - **`bindings` (List\[[PolicyBinding](#policybinding)\])**: List of role bindings for the policy. #### Python Methods ```python def __init__(self, **fields) -> PolicyConfig """Construct a model with the provided field values set.""" def options(self, **fields) -> PolicyConfig """Return a copy of the model with the provided field values overwritten.""" def to_dict(self) -> Dict[str, Any] """Return a dictionary representation of the model.""" ``` #### Examples ::::tabs :::tab[YAML] ```yaml bindings: - role_name: collaborator principals: - ug_abc123 - role_name: readonly principals: - ug_def456 - ug_ghi789 ``` ::: :::tab[Python] ```python from anyscale.policy.models import PolicyBinding, PolicyConfig config = PolicyConfig( bindings=[ PolicyBinding(role_name="collaborator", principals=["ug_abc123"]), PolicyBinding(role_name="readonly", principals=["ug_def456", "ug_ghi789"]), ] ) ``` ::: :::: ### `PolicySyncStatus` Sync status for resource permission policies. #### Values - **`pending`**: Policy is pending synchronization. - **`success`**: Policy has been successfully synchronized. - **`failed`**: Policy synchronization has failed. ### `ResourcePolicy` Resource policy model representing permissions for a resource. #### Fields - **`resource_id` (str)**: The ID of the resource. - **`resource_type` (str)**: The type of the resource (e.g., 'cloud', 'project'). - **`bindings` (List\[[PolicyBinding](#policybinding)\])**: List of role bindings for the policy. - **`sync_status` ([PolicySyncStatus](#policysyncstatus))**: Sync status of the policy (pending, success, or failed). #### Python Methods ```python def to_dict(self) -> Dict[str, Any] """Return a dictionary representation of the model.""" ``` #### Examples ::::tabs :::tab[Python] ```python import anyscale from anyscale.policy.models import ResourcePolicy policies = anyscale.policy.list(resource_type="cloud") for policy in policies: print(f"{policy.resource_id}: {policy.bindings} (sync_status: {policy.sync_status})") ``` ::: :::: --- Previous: [Other](/reference/cli/other.md) | Next: [Project](/reference/cli/project.md)