How to use Nebius AI securely
This section provides recommendations for using IAM features to ensure the secure operation of Nebius AI services.
Don't grant unnecessary access rights
For critical resources:
- Assign the minimum required roles.
- Assign only the roles you need at the moment. Don't assign roles that might only be needed in the future.
Protect your Google account
To better safeguard your resources from unauthorized access, we recommend enabling two-factor authentication
Use service accounts
Use service accounts to automate work with Nebius AI and follow these recommendations:
-
Control access to your service accounts. The
editor
role for a service account lets the user perform operations permitted under the service account. If the service account has the administrator role for the cloud, the user can use it to make themselves an administrator. -
Create separate service accounts for different tasks. This way you can only assign them the roles you actually need. You can revoke roles from a service account or delete it without affecting other service accounts.
-
Name your service accounts according to their intended purposes and permissions.
-
Keep your service account keys a secret — they can be used to perform operations on behalf of your service accounts. Don't keep the service account keys in the source code.
Periodically revoke old keys and issue new ones. Be sure to do this if you think someone discovered your secret key.
-
Don't use your keys for authentication if you can use IAM tokens. Keys have an unlimited lifetime, while IAM tokens are valid for 12 hours.