Identity, access, and resource management in Nebius AI
In Nebius AI, you work with virtual machines, Kubernetes clusters, and other entities, which are called resources. You can set up your Nebius AI workspace to grant other users permissions to work with your resources. You can also create special service accounts that can be used in programming interfaces, such as the Nebius AI CLI, to manage resources on your behalf.
Organizations
An organization is your workspace in Nebius AI. It contains your resources, as well as identity and access settings.
For more details, see Organizations and resource hierarchy in Nebius AI.
Resource access
To grant a user access to resources in an organization, you assign them a role in the organization by adding them to a corresponding group. Each role consists of a set of permissions that describe operations that can be performed with resources.
Before performing an operation with a certain resource (such as creating a VM), Nebius AI sends a request to the IAM service to check whether this operation is allowed. IAM compares the list of required permissions to the list of permissions granted to the user who is performing this operation. If any of the permissions are missing, the operation is not allowed and Nebius AI returns an error.
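The check described above can be sketched as follows. This is an added example, not Nebius AI code: the group, role, permission, and account names are hypothetical, and the sketch assumes an account's granted permissions are the union of the roles it receives through its groups.

```python
# Added illustration; every group, role, permission and account name below
# is hypothetical and constructed for this example, not a Nebius AI identifier.
ROLE_PERMISSIONS = {
    "viewer": {"compute.instance.get", "compute.instance.list"},
    "editor": {"compute.instance.get", "compute.instance.list",
               "compute.instance.create", "compute.disk.create"},
}
GROUP_ROLE = {"viewers": "viewer", "editors": "editor"}
MEMBERSHIP = {
    "alice@example.com": {"editors"},
    "bob@example.com": {"viewers"},
    "sa-ci-pipeline": {"viewers", "retired-group"},  # second group has no role
}
# Permissions each operation requires (constructed).
REQUIRED = {
    "create_vm": {"compute.instance.create", "compute.disk.create"},
    "list_vms": {"compute.instance.list"},
}


class AccessDenied(Exception):
    """Raised when at least one required permission is not granted."""
    def __init__(self, account, operation, missing):
        self.missing = frozenset(missing)
        super().__init__(f"{account}: {operation} denied, missing {sorted(missing)}")


def granted_permissions(account):
    """Union of permissions from every role the account holds via its groups."""
    perms = set()
    for group in MEMBERSHIP.get(account, ()):   # unknown account: no groups
        role = GROUP_ROLE.get(group)            # group without a role grants nothing
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(account, operation):
    """Allow only if every required permission is granted; otherwise raise."""
    if operation not in REQUIRED:
        # Deny by default: an operation with no known requirements is refused.
        raise AccessDenied(account, operation, {"<unknown operation>"})
    missing = REQUIRED[operation] - granted_permissions(account)
    if missing:
        raise AccessDenied(account, operation, missing)
    return True
```

Reporting the missing permissions in the error, rather than a bare denial, is what lets an administrator add the user to the one group that closes the gap instead of over-granting.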
Accounts in Nebius AI
To identify users performing operations with resources, use Google accounts, service accounts, or federated accounts.
Google account
Google account: Your Google
Note
To better safeguard your resources from unauthorized access, we recommend enabling two-factor authentication.
Service accounts
A service account is an account that can be used by a program to manage resources in Nebius AI.
By using service accounts, you can flexibly configure access rights to resources for programs you wrote. For more information, see Service accounts.
Federated accounts
A federated account is a user account from an identity federation, such as Active Directory.
By using identity federations, a company can set up Single Sign-On, that is, authentication in Nebius AI through the company's own server. This lets company employees use their corporate accounts to access Nebius AI.
For more information, see SAML-compatible identity federations.
Authentication keys
To authenticate in Nebius AI, service accounts use keys of the following types:
- Authorized keys: Used to obtain IAM tokens for service accounts.
- Static access keys: Used in services with AWS-compatible APIs.
Authentication
The user must pass authentication so that IAM can authorize them (i.e., check whether the user has rights). Authentication is performed in different ways, depending on the type of account and the interface used. For more information, see Authenticating in Nebius AI.