Skip to navigationSkip to main contentSkip to footerScaleway DocsAsk our AI
Ask our AI
Log inSign up

How to manage access to your Managed Inference deployments

Important

The Allowed IPs feature via ACLs is no longer available for Managed Inference deployments. We recommended using one of the alternative methods detailed in this document to restrict access to your Managed Inference deployments.

You can manage and restrict access to your Managed Inference deployments via the following methods:

  • Enable or disable authentication by API key
  • Use IAM features to control which API keys are accepted and under what conditions (including IP-based restrictions)
  • Remove your deployment's public endpoint, and allow controlled access only via Private Networks

Read on for full details.

Before you start

To complete the actions presented below, you must have:

How to enable or disable authentication by API key

By default, when you create your Managed Inference deployment, authentication by API key is automatically enabled. This means that when the deployment is accessed via either its public or private endpoint, a valid Scaleway API key must accompany all requests.

You can disable API key authentication at any time, for either the public endpoint, the private endpoint, or both.

  1. Click Managed Inference in the AI section of the Scaleway console side menu. A list of your deployments displays.
  2. From the drop-down menu, select the geographical region containing your deployment.
  3. Click the deployment whose authentication you want to manage. The deployment's dashboard displays.
  4. Click the Security tab.
  5. In the Authentication panel, use the toggles toggle icon to enable or disable authentication by API key for the public and/or private endpoint.
A screenshot of the Scaleway console shows the toggles for API key authentication first for public endpoints, then for private endpoints

How to manage access to a deployment with IAM

When authentication by API key is enabled, a valid Scaleway API key must accompany all requests sent to your deployment's endpoint.

An API key is considered valid to access a deployment when:

  • It belongs to the Owner of the Organization which owns the deployment, or
  • It belongs to a Member or Application of the Organization which owns the deployment, and the Member/Application has appropriate IAM permissions.

There are two IAM permission sets specific to Managed Inference deployments: InferenceFullAccess (allowing access to create, read, update, and delete a deployment) and InferenceReadOnly (allowing read-only access). Alternatively, wide-scoped permission sets such as AllProductsFullAccess will also allow access.

Permissions are attributed via policies, which are then attached to a Member or Application.

You can further restrict access by imposing conditions when defining a policy. This enables you to allow access only to authorized API keys when presented by specific user agents (e.g., Terraform), from certain IP addresses, or during defined dates and times.

How to manage deployment access as an Organization Owner or Administrator

Note

If you only want to access the deployment yourself, and you are the Owner of the Organization that created the deployment, simply generate an API key for yourself, and it will automatically have full rights to access and manage the deployment.

Read on if you want to manage access to your deployment for others.

  1. Invite Members (other humans) to your Organization, or create Applications (non-human users).
  2. Create and attach a policy to the Member or Application, defining the permissions they should have in your Organization by selecting permission sets (e.g. InferenceFullAccess). If desired, define conditions as part of the policy, to further restrict access based on user agent type, date/time or IP address.

All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's endpoint depending on those permissions.

You can revoke access to a deployment at any time by modifying or deleting the policy attached to the Member or Application in question.

How to access a deployment as an Organization Member

Your access to Managed Inference deployments owned by an Organization in which you are a Member depends on the IAM permissions attributed to you by the Organization's Owner or administrators.

Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organization Owner if you are unsure that you have the right permissions to access a Managed Inference deployment.

  1. Log into the Scaleway console and generate an API key for yourself.
  2. Use this API key for authentication when sending requests to a Managed Inference deployment.

How to restrict access over Private Networks

For enhanced security, you can remove your deployment's public endpoint, attach it to a Private Network, and allow access only via its private endpoint. Only resources within the Private Network's VPC will be able to access the deployment, and they must have downloaded the resource's TLS certificate.

You can still require API key authentication via the private endpoint, and use the methods described above to fine-tune API key restrictions and access. In addition, you can also use VPC features such as Network ACLs for enhanced control and security.

  1. Create your deployment without checking the Allow public connections box, or remove the public endpoint via its Overview screen in the console if you already created it with a public endpoint.
  2. Ensure the deployment is attached to a Private Network.
  3. Transfer the deployment's TLS certificate to the resources in the VPC that need to access the deployment.
  4. (Optional) Ensure that API key authentication is enabled, and use policies to define IAM-based rules and conditions for access.
  5. (Optional) Use VPC features such as Network ACLs to place IP-based restrictions on which resources in the VPC can access the deployment.
  6. Follow the instructions in the dedicated documentation for sending requests to your deployment in a Private Network.
Tip

If your VPC has a Public Gateway advertising a default route, external resources can still access the deployment via the Public Gateway (with correct authentication). Read more about Public Gateways.

See Also
How to configure autoscalingHow to use your Managed Inference deployment with a Private Network
Still need help?

Create a support ticket
No Results