User authentication and authorization
This page describes user authentication and authorization on the Anyscale platform.
Users must authenticate to interact with the four interfaces that Anyscale supports:
- a Web UI, accessible at
- a CLI, which can be installed via pip install anyscale,
- a Python SDK, which is also installed with pip install anyscale, and
- an HTTP API, which can be used for programmatic access in any language.
Anyscale supports Single Sign On (SSO) with SAML 2.0 providers. A guide for setting up SSO with common providers can be found here. Integration with SSO identity providers allows Anyscale customers to set more restrictive policies on authentication to the console by implementing password rotation, group policies, and MFA.
CLI tokens allow users to interact with Anyscale programmatically. You can fetch a user-specific, persistent token from the Anyscale Web UI and store it for use in development. The default location where clients look for this token is ~/.anyscale/credentials.json, which is set using the anyscale auth set CLI command. The token can also be set via the ANYSCALE_CLI_TOKEN environment variable. Ray and Anyscale clients send this token in HTTPS request headers to authenticate Anyscale API calls.
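An added example, not part of the Anyscale documentation or tooling: a local check of how the token described above is stored on a workstation. It assumes a POSIX system; the function name audit_token_storage and the individual checks (owner, no group/other access, parent directory not writable by others) are choices made for this example, not Anyscale requirements.

```python
import os
import stat
import tempfile
from pathlib import Path

# Path and variable name are the ones given on this page.
DEFAULT_CREDENTIALS = Path.home() / ".anyscale" / "credentials.json"
TOKEN_ENV_VAR = "ANYSCALE_CLI_TOKEN"


def audit_token_storage(path=DEFAULT_CREDENTIALS, environ=os.environ):
    """Return findings about local CLI token storage (empty list = none)."""
    findings = []
    path = Path(path)
    if environ.get(TOKEN_ENV_VAR):
        findings.append(f"{TOKEN_ENV_VAR} is set: child processes inherit the token")
    try:
        st = path.lstat()  # lstat: report a symlink instead of following it
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path} is a symlink; inspect its target by hand")
        return findings
    if st.st_uid != os.getuid():
        findings.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path} has mode {mode:04o}; group/other can access it")
    if path.parent.stat().st_mode & 0o022:
        findings.append(f"{path.parent} is writable by group/other")
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway credentials file with an over-broad mode.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "credentials.json"
        sample.write_text('{"note": "constructed placeholder, not a real token"}')
        os.chmod(sample, 0o644)
        print(audit_token_storage(sample, environ={}))
        os.chmod(sample, 0o600)
        print(audit_token_storage(sample, environ={}))
    # The real default location:
    print(audit_token_storage())
```

A token found in an over-exposed file or a shared environment is a candidate for rotation.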
Rotating CLI Tokens
CLI tokens can be rotated in order to revoke all existing tokens. Rotating a token invalidates all existing tokens, so subsequent API requests that use them fail authentication.
- Collaborators can rotate their own CLI tokens. There are two methods to rotate and retrieve a new credential:
  - Within the UI, you can rotate your own CLI tokens by navigating to the Credentials page within the console and selecting “Rotate API Credential”.
  - Using the API, you can rotate your own credential by using the Rotate User key API.
- Owners (users with administrator privileges) can rotate existing user credentials using the Rotate API key for User API by providing a user’s user ID. Note: Users can retrieve a user ID by using the get collaborator API.
Revoke CLI Tokens
Account owners can revoke a user's CLI tokens by removing that user from their account.