From 7ca05b10c8f6ddebbb4b586279077dbcfd78c38e Mon Sep 17 00:00:00 2001 From: Rowena Date: Thu, 31 Jul 2025 17:52:32 +0200 Subject: [PATCH 1/4] fix(ai): fix access doc --- menu/navigation.json | 2 +- pages/managed-inference/concepts.mdx | 4 +- .../how-to/manage-allowed-ips.mdx | 75 ++++++++++++------- 3 files changed, 51 insertions(+), 30 deletions(-) diff --git a/menu/navigation.json b/menu/navigation.json index 18d3b13025..47c5dd3f9b 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -917,7 +917,7 @@ "slug": "configure-autoscaling" }, { - "label": "Manage allowed IP addresses", + "label": "Manage access", "slug": "manage-allowed-ips" }, { diff --git a/pages/managed-inference/concepts.mdx b/pages/managed-inference/concepts.mdx index 12a5386de2..f22cca9fd0 100644 --- a/pages/managed-inference/concepts.mdx +++ b/pages/managed-inference/concepts.mdx @@ -7,9 +7,7 @@ dates: --- ## Allowed IPs -Allowed IPs are single IPs or IP blocks that have the [required permissions to remotely access a deployment](/managed-inference/how-to/manage-allowed-ips/). They allow you to define which host and networks can connect to your Managed Inference endpoints. You can add, edit, or delete allowed IPs. In the absence of allowed IPs, all IP addresses are allowed by default. - -Access control is handled directly at the network level by Load Balancers, making the filtering more efficient and universal and relieving the Managed Inference server from this task. +The **Allowed IPs** feature is no longer available for Managed Inference deployments. Use one of the alternative methods detailed in our [dedicated documentation](/managed-inference/how-to/manage-allowed-ips/) to restrict access to your Managed Inference deployments. ## Context size diff --git a/pages/managed-inference/how-to/manage-allowed-ips.mdx b/pages/managed-inference/how-to/manage-allowed-ips.mdx index 232f4c715e..c1c235d4f7 100644 --- a/pages/managed-inference/how-to/manage-allowed-ips.mdx 
+++ b/pages/managed-inference/how-to/manage-allowed-ips.mdx @@ -1,15 +1,23 @@ --- -title: How to manage allowed IP addresses for Managed Inference deployments -description: This page explains how to configure allowed IP addresses for Managed Inference deployments +title: How to manage access to your Managed Inference deployments +description: This page explains how to manage and restrict access to your Managed Inference deployments tags: managed-inference ai-data ip-address dates: - validation: 2025-03-19 + validation: 2025-07-31 posted: 2024-03-06 --- import Requirements from '@macros/iam/requirements.mdx' + +The **Allowed IPs** feature via ACLs is no longer available for Managed Inference deployments. We recommended using one of the alternative methods detailed in this document to restrict access to your Managed Inference deployments. + + +You can manage and restrict access to your Managed Inference deployments via the following methods: + +- Use [IAM](/iam/) features to place conditions on the API keys that are accepted when accessing your deployment's public endpoint +- Remove your deployment's public endpoint, and allow controlled access only via Private Networks. -Allowed IPs restrict the IPs allowed to access your Managed Inference endpoints. In the absence of allowed IPs, all IP addresses are allowed by default. +Read on for full details of these two methods. 
@@ -17,28 +25,43 @@ Allowed IPs restrict the IPs allowed to access your Managed Inference endpoints. - A [Managed Inference deployment](/managed-inference/quickstart/) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +## How to manage public access to a deployment with IAM + +When you enable a public endpoint for your Managed Inference deployment, access to this endpoint is restricted by default: a valid [Scaleway API key](/iam/concepts/#api-key) must accompany all access requests. + +An API key is considered valid to access a deployment when: + +- It belongs to the [Owner](TODO) of the Organization which owns the deployment, or +- It belongs to a [Member](TODO) or [Application](TODO) of the Organization which owns the deployment, and the Member/Application has appropriate [IAM permissions](/iam/reference-content/permission-sets/). + +There are two IAM permission sets specific to Managed Inference deployments: `InferenceFullAccess` (allowing access to create, read, update and delete a deployment) and `InferenceReadOnly` (allowing read-only access). Alternatively, wide-scoped permission sets such as `AllProductsFullAccess` will also allow access. + +Permissions are attributed via [policies](TODO), which are then attached to a Member or Application. + +You can further restrict access by imposing **conditions** when defining a policy. This enables you to allow access only to authorized API keys when presented by specific user agents (e.g., Terraform), from certain IP addresses, or during defined dates and times. + +### How to manage deployment access as an Organization Owner or Administrator + - Allowed IP configuration is only available for public endpoints. 
+If you only want to access the deployment yourself, and you are Owner of the Organization that created the deployment, all you need to do is [generate an API key]() for yourself, and it will automatically have full rights to access and manage the deployment. + +Read on if you want to manage access to your deployment for others. -## How to allow an IP address to connect to a deployment - -1. Click **Managed Inference** in the **AI** section of the [Scaleway console](https://console.scaleway.com) side menu. A list of your deployments displays. -2. From the drop-down menu, select the geographical region you want to manage. -3. Click a deployment name or > **More info** to access the deployment dashboard. -4. Click the **Security** tab and navigate to the **Allowed IPs** section. A list of your allowed IP addresses displays. -5. Click **Add allowed IP**. The IP can be a single IP or an IP block. - - The IP must be specified in CIDR format, i.e. `198.51.100.135/32` for a single IP or `198.51.100.0/24` for an IP block. - -6. Enter a single IP address or a subnetwork. - - To restore initial settings and allow connections from all IPs, delete all allowed IPs from the list. - - -## How to delete an IP address from the allowed list - -1. Go to your allowed IP address list. -2. Click and select **Delete**. -3. A pop-up displays. Type **DELETE** to confirm. -4. Click **Delete allowed IP**. \ No newline at end of file +1. [Invite Members]() (humans) to your Organization, or [create Applications]() (non-human users). +2. Create and attach a [policy]() to the Member or Application, defining the permissions they should have in your Organization by selelcting permission sets e.g. `InferenceFullAccess`. If desired, define [conditions]() as part of the policy, to further restrict access based on user agent type, date/time or IP address. 
+ +All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's public endpoint depending on those permissions. + +You can revoke access to a deployment at any time by [modifying the policy]() attached to the Member or Application in question. + +### How to access a deployment as an Organization Member + +Access to Managed Inference deployments owned by an Organization in which you are a Member, is dependant on the IAM permissions attributed to you by the Organization's Owner or administrators. + +Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organiaztion Owner if you are unsure that you have the right permissions to access a Managed Inference deployment. + +1. [Log into the Scaleway console]() and [generate an API key for yourself]() +2. Use this API key for authentication when sending requests to a Managed Inference deployment. + +## How to \ No newline at end of file From 8ac474a025a3c0093f05eb8fa4a4a158644ed880 Mon Sep 17 00:00:00 2001 From: Rowena Date: Fri, 1 Aug 2025 15:57:49 +0200 Subject: [PATCH 2/4] fix(ai): managed inf network access docs --- menu/navigation.json | 2 +- .../assets/scaleway-api-authentication.webp | Bin 0 -> 14098 bytes .../how-to/manage-allowed-ips.mdx | 68 +++++++++++++----- ...managed-inference-with-private-network.mdx | 8 ++- ...-privacy-security-scaleway-ai-services.mdx | 1 - 5 files changed, 57 insertions(+), 22 deletions(-) create mode 100644 pages/managed-inference/how-to/assets/scaleway-api-authentication.webp diff --git a/menu/navigation.json b/menu/navigation.json index 47c5dd3f9b..9f466323a6 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -917,7 +917,7 @@ "slug": "configure-autoscaling" }, { - "label": "Manage access", + "label": "Manage access to a deployment", "slug": "manage-allowed-ips" }, { 
diff --git a/pages/managed-inference/how-to/assets/scaleway-api-authentication.webp b/pages/managed-inference/how-to/assets/scaleway-api-authentication.webp new file mode 100644 index 0000000000000000000000000000000000000000..4ac5ed2eb9805d641ba3674707d12ad9dea51aa5 GIT binary patch literal 14098
 The **Allowed IPs** feature via ACLs is no longer available for Managed Inference deployments. We recommended using one of the alternative methods detailed in this document to restrict access to your Managed Inference deployments. You can manage and restrict access to your Managed Inference deployments via the following methods: -- Use [IAM](/iam/) features to place conditions on the API keys that are accepted when accessing your deployment's public endpoint -- Remove your deployment's public endpoint, and allow controlled access only via Private Networks. 
+- Enable or disable authentication by API key +- Use [IAM](/iam/) features to control which API keys are accepted and under what conditions (including IP-based restrictions) +- Remove your deployment's public endpoint, and allow controlled access only via Private Networks -Read on for full details of these two methods. +Read on for full details. 
@@ -25,43 +28,72 @@ Read on for full details of these two methods. - A [Managed Inference deployment](/managed-inference/quickstart/) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -## How to manage public access to a deployment with IAM +## How to enable or disable authentication by API key + +By default, when you create your Managed Inference deployment, authentication by API key is automatically enabled. This means that when the deployment is accessed via either its public or private endpoint, a valid Scaleway API key must accompany all requests. + +You can disable API key authentication at any time, for either the public endpoint, the private endpoint, or both. + +1. Click **Managed Inference** in the **AI** section of the [Scaleway console](https://console.scaleway.com) side menu. A list of your deployments displays. +2. From the drop-down menu, select the geographical region containing your deployment. +3. Click the deployment whose authentication you want to manage. The deployment's dashboard displays. +4. Click the **Security** tab. +5. In the **Authentication** panel, use the toggles to enable or disable authentication by API key for the public and/or private endpoint. + + -When you enable a public endpoint for your Managed Inference deployment, access to this endpoint is restricted by default: a valid [Scaleway API key](/iam/concepts/#api-key) must accompany all access requests. +## How to manage access to a deployment with IAM + +When [authentication by API key](#enable-or-disable-authentication-by-api-key) is enabled, a valid [Scaleway API key](/iam/concepts/#api-key) must accompany all requests sent to your deployment's endpoint. 
An API key is considered valid to access a deployment when: -- It belongs to the [Owner](TODO) of the Organization which owns the deployment, or -- It belongs to a [Member](TODO) or [Application](TODO) of the Organization which owns the deployment, and the Member/Application has appropriate [IAM permissions](/iam/reference-content/permission-sets/). +- It belongs to the [Owner](/iam/concepts/#owner) of the Organization which owns the deployment, or +- It belongs to a [Member](/iam/concepts/#member) or [Application](/iam/concepts/#application) of the Organization which owns the deployment, and the Member/Application has appropriate [IAM permissions](/iam/reference-content/permission-sets/). There are two IAM permission sets specific to Managed Inference deployments: `InferenceFullAccess` (allowing access to create, read, update and delete a deployment) and `InferenceReadOnly` (allowing read-only access). Alternatively, wide-scoped permission sets such as `AllProductsFullAccess` will also allow access. -Permissions are attributed via [policies](TODO), which are then attached to a Member or Application. +Permissions are attributed via [policies](/iam/concepts/#policy), which are then attached to a Member or Application. You can further restrict access by imposing **conditions** when defining a policy. This enables you to allow access only to authorized API keys when presented by specific user agents (e.g., Terraform), from certain IP addresses, or during defined dates and times. ### How to manage deployment access as an Organization Owner or Administrator -If you only want to access the deployment yourself, and you are Owner of the Organization that created the deployment, all you need to do is [generate an API key]() for yourself, and it will automatically have full rights to access and manage the deployment. 
+If you only want to access the deployment yourself, and you are Owner of the Organization that created the deployment, simply [generate an API key](/iam/how-to/create-api-keys/) for yourself, and it will automatically have full rights to access and manage the deployment. Read on if you want to manage access to your deployment for others. -1. [Invite Members]() (humans) to your Organization, or [create Applications]() (non-human users). -2. Create and attach a [policy]() to the Member or Application, defining the permissions they should have in your Organization by selelcting permission sets e.g. `InferenceFullAccess`. If desired, define [conditions]() as part of the policy, to further restrict access based on user agent type, date/time or IP address. +1. [Invite Members](/iam/how-to/manage-members/) (other humans) to your Organization, or [create Applications](/iam/how-to/create-application/) (non-human users). +2. Create and attach a [policy](/iam/how-to/create-policy/) to the Member or Application, defining the permissions they should have in your Organization by selecting permission sets e.g. `InferenceFullAccess`. If desired, define [conditions](/iam/concepts/#conditions) as part of the policy, to further restrict access based on user agent type, date/time or IP address. -All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's public endpoint depending on those permissions. +All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's endpoint depending on those permissions. -You can revoke access to a deployment at any time by [modifying the policy]() attached to the Member or Application in question. 
+You can revoke access to a deployment at any time by [modifying or deleting the policy](/iam/how-to/manage-policies/) attached to the Member or Application in question. ### How to access a deployment as an Organization Member -Access to Managed Inference deployments owned by an Organization in which you are a Member, is dependant on the IAM permissions attributed to you by the Organization's Owner or administrators. +Your access to Managed Inference deployments owned by an Organization in which you are a Member, is dependant on the IAM permissions attributed to you by the Organization's Owner or administrators. -Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organiaztion Owner if you are unsure that you have the right permissions to access a Managed Inference deployment. +Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organization Owner if you are unsure that you have the right permissions to access a Managed Inference deployment. -1. [Log into the Scaleway console]() and [generate an API key for yourself]() +1. Log into the [Scaleway console](https://console.scaleway.com) and [generate an API key for yourself](/iam/how-to/create-api-keys/) 2. Use this API key for authentication when sending requests to a Managed Inference deployment. -## How to \ No newline at end of file +## How to restrict access over Private Networks + +For enhanced security, you can remove your deployment's public endpoint, attach it to a Private Network, and allow access only via its private endpoint. Only resources within the Private Network's VPC will be able to access the deployment, and they must have downloaded the resource's TLS certificate. + +You can still require API key authentication via the private endpoint, and use the methods described above to fine-tune API key restrictions and access. 
In addition, you can also use VPC features such as Network ACLs for enhanced control and security. + +1. [Create your deployment](/managed-inference/how-to/create-deployment/) without checking the **Allow public connections** box, or remove the public endpoint via its **Overview** screen in the console if you already created it with a public endpoint. +2. Ensure the deployment is [attached to a Private Network](/managed-inference/how-to/managed-inference-with-private-network/#how-to-attach-a-private-network-to-a-managed-inference-deployment). +3. Transfer the deployment's [TLS certificate](/managed-inference/how-to/managed-inference-with-private-network/#how-to-send-inference-requests-in-a-private-network) to the resources in the VPC that need to access the deployment. +4. (Optional) Ensure that API key authentication is enabled, and use [policies](/iam/how-to/create-policy/) to define IAM-based rules and conditions for access. +5. (Optional) Use VPC features such as [Network ACLs](/vpc/reference-content/understanding-nacls/) to place IP-based restrictions on which resources in the VPC can access the deployment. +6. Follow the instructions in the [dedicated documentation](/managed-inference/how-to/managed-inference-with-private-network/#how-to-send-inference-requests-in-a-private-network) for sending requests to your deployment in a Private Network. + + +If your VPC has a Public Gateway advertising a default route, external resources can still access the deployment via the Public Gateway (with correct authentication). [Read more about Public Gateways](/public-gateways/). + \ No newline at end of file diff --git a/pages/managed-inference/how-to/managed-inference-with-private-network.mdx b/pages/managed-inference/how-to/managed-inference-with-private-network.mdx index a106b3a949..fc23be455c 100644 --- a/pages/managed-inference/how-to/managed-inference-with-private-network.mdx +++ b/pages/managed-inference/how-to/managed-inference-with-private-network.mdx 
@@ -61,9 +61,13 @@ Your Managed Inference model will be deployed, and it will be attached to the se ## How to send inference requests in a Private Network + +For more information on managing access to deployments in a Private Network, see [How to manage access to deployments](/managed-inference/how-to/manage-allowed-ips/). + + 1. [Create an Instance](/instances/how-to/create-an-instance/) which will host the inference application. - Ensure the Instance [is attached to the same Private Network](/instances/how-to/use-private-networks/) as your Managed Inference deployment. + Ensure the Instance is attached a Private Network in the same VPC as your Managed Inference deployment. 2. Download the TLS certificate from your Managed Inference deployment, available from the **Overview** tab in the **Endpoints** section. @@ -106,7 +110,7 @@ Your Managed Inference model will be deployed, and it will be attached to the se "stream": False } - headers = {"Authorization": "Bearer " + ""} # ADD IAM KEY IF NECESSARY + headers = {"Authorization": "Bearer " + ""} # ADD API KEY, IF API KEY AUTHENTICATION IS ENABLED FOR THE PRIVATE ENDPOINT response = requests.post("/v1/chat/completions", headers=headers, json=PAYLOAD, stream=False, verify='.pem') diff --git a/pages/managed-inference/reference-content/data-privacy-security-scaleway-ai-services.mdx b/pages/managed-inference/reference-content/data-privacy-security-scaleway-ai-services.mdx index 8dda2496ca..69f1ddef73 100644 --- a/pages/managed-inference/reference-content/data-privacy-security-scaleway-ai-services.mdx +++ b/pages/managed-inference/reference-content/data-privacy-security-scaleway-ai-services.mdx 
@@ -37,7 +37,6 @@ Scaleway's Managed Inference services adhere to the following data usage policie - **Hosting:** Models deployed or consumed for inference are hosted in Europe within the data center region specified by the customer. - **Encryption**: All traffic between the customer and the inference service is encrypted using in-transit TLS encryption to ensure data protection during transmission. - **Endpoint Security**: Public-facing endpoints are secured with API key tokens. -- **Allowed IPs**: Public endpoints can be configured to restrict access to specific IP addresses or IP blocks. - **Virtual Private Cloud (VPC)**: The service can be hosted in a Virtual Private Cloud within private subnets. Access to the service can be restricted based on allowed IP ranges. ### Legal and compliance From 35fc3504a6dc657da7706b600f3d11548b609916 Mon Sep 17 00:00:00 2001 From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Mon, 4 Aug 2025 16:59:01 +0200 Subject: [PATCH 3/4] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Néda <87707325+nerda-codes@users.noreply.github.com> --- pages/managed-inference/how-to/manage-allowed-ips.mdx | 4 ++-- .../how-to/managed-inference-with-private-network.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/managed-inference/how-to/manage-allowed-ips.mdx b/pages/managed-inference/how-to/manage-allowed-ips.mdx index bf095b1160..b7f45f4b15 100644 --- a/pages/managed-inference/how-to/manage-allowed-ips.mdx +++ b/pages/managed-inference/how-to/manage-allowed-ips.mdx 
@@ -66,7 +66,7 @@ Read on if you want to manage access to your deployment for others. 1. [Invite Members](/iam/how-to/manage-members/) (other humans) to your Organization, or [create Applications](/iam/how-to/create-application/) (non-human users). -2. Create and attach a [policy](/iam/how-to/create-policy/) to the Member or Application, defining the permissions they should have in your Organization by selecting permission sets e.g. `InferenceFullAccess`. If desired, define [conditions](/iam/concepts/#conditions) as part of the policy, to further restrict access based on user agent type, date/time or IP address. +2. Create and attach a [policy](/iam/how-to/create-policy/) to the Member or Application, defining the permissions they should have in your Organization by selecting permission sets (e.g. `InferenceFullAccess`). If desired, define [conditions](/iam/concepts/#conditions) as part of the policy, to further restrict access based on user agent type, date/time or IP address. All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's endpoint depending on those permissions. @@ -78,7 +78,7 @@ Your access to Managed Inference deployments owned by an Organization in which y Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organization Owner if you are unsure that you have the right permissions to access a Managed Inference deployment. -1. Log into the [Scaleway console](https://console.scaleway.com) and [generate an API key for yourself](/iam/how-to/create-api-keys/) +1. Log into the [Scaleway console](https://console.scaleway.com) and [generate an API key for yourself](/iam/how-to/create-api-keys/). 2. Use this API key for authentication when sending requests to a Managed Inference deployment. ## How to restrict access over Private Networks 
diff --git a/pages/managed-inference/how-to/managed-inference-with-private-network.mdx b/pages/managed-inference/how-to/managed-inference-with-private-network.mdx index fc23be455c..f03f16d7b4 100644 --- a/pages/managed-inference/how-to/managed-inference-with-private-network.mdx +++ b/pages/managed-inference/how-to/managed-inference-with-private-network.mdx @@ -67,7 +67,7 @@ For more information on managing access to deployments in a Private Network, see 1. [Create an Instance](/instances/how-to/create-an-instance/) which will host the inference application. - Ensure the Instance is attached a Private Network in the same VPC as your Managed Inference deployment. + Ensure the Instance is attached to a Private Network in the same VPC as your Managed Inference deployment. 2. Download the TLS certificate from your Managed Inference deployment, available from the **Overview** tab in the **Endpoints** section. From 226358405497827114e61c42f6e913108aaa0a5d Mon Sep 17 00:00:00 2001 From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Tue, 5 Aug 2025 15:33:43 +0200 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Jessica <113192637+jcirinosclwy@users.noreply.github.com> --- pages/managed-inference/how-to/manage-allowed-ips.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/managed-inference/how-to/manage-allowed-ips.mdx b/pages/managed-inference/how-to/manage-allowed-ips.mdx index b7f45f4b15..62ab8dc832 100644 --- a/pages/managed-inference/how-to/manage-allowed-ips.mdx +++ b/pages/managed-inference/how-to/manage-allowed-ips.mdx 
@@ -51,7 +51,7 @@ An API key is considered valid to access a deployment when: - It belongs to the [Owner](/iam/concepts/#owner) of the Organization which owns the deployment, or - It belongs to a [Member](/iam/concepts/#member) or [Application](/iam/concepts/#application) of the Organization which owns the deployment, and the Member/Application has appropriate [IAM permissions](/iam/reference-content/permission-sets/). -There are two IAM permission sets specific to Managed Inference deployments: `InferenceFullAccess` (allowing access to create, read, update and delete a deployment) and `InferenceReadOnly` (allowing read-only access). Alternatively, wide-scoped permission sets such as `AllProductsFullAccess` will also allow access. +There are two IAM permission sets specific to Managed Inference deployments: `InferenceFullAccess` (allowing access to create, read, update, and delete a deployment) and `InferenceReadOnly` (allowing read-only access). Alternatively, wide-scoped permission sets such as `AllProductsFullAccess` will also allow access. Permissions are attributed via [policies](/iam/concepts/#policy), which are then attached to a Member or Application. @@ -60,7 +60,7 @@ You can further restrict access by imposing **conditions** when defining a polic ### How to manage deployment access as an Organization Owner or Administrator -If you only want to access the deployment yourself, and you are Owner of the Organization that created the deployment, simply [generate an API key](/iam/how-to/create-api-keys/) for yourself, and it will automatically have full rights to access and manage the deployment. +If you only want to access the deployment yourself, and you are the Owner of the Organization that created the deployment, simply [generate an API key](/iam/how-to/create-api-keys/) for yourself, and it will automatically have full rights to access and manage the deployment. Read on if you want to manage access to your deployment for others. 
@@ -74,7 +74,7 @@ You can revoke access to a deployment at any time by [modifying or deleting the ### How to access a deployment as an Organization Member -Your access to Managed Inference deployments owned by an Organization in which you are a Member, is dependant on the IAM permissions attributed to you by the Organization's Owner or administrators. +Your access to Managed Inference deployments owned by an Organization in which you are a Member depends on the IAM permissions attributed to you by the Organization's Owner or administrators. Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organization Owner if you are unsure that you have the right permissions to access a Managed Inference deployment.
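Review bot: In `manage-allowed-ips.mdx`, step 4 of the Private Networks procedure marks API key authentication as "(Optional)", yet the closing note says external resources can still reach the deployment through a Public Gateway advertising a default route "(with correct authentication)". The text does not say what protects a deployment that skipped step 4 in that situation. Suggest stating in the note that API key authentication (step 4) or Network ACLs (step 5) should be in place whenever the VPC has a Public Gateway, rather than leaving both as optional. The file also ends with `\ No newline at end of file`; add the trailing newline.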
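Review bot: In the `@@ -61,9 +61,13 @@` hunk of `managed-inference-with-private-network.mdx`, the rewritten step 1 drops the link to `/instances/how-to/use-private-networks/` while widening the requirement from "the same Private Network" to "a Private Network in the same VPC". Readers lose the pointer on how to attach the Instance at the moment the requirement becomes less obvious. Suggest keeping the link on "attached to a Private Network". The added line also reads "is attached a Private Network", which is missing "to".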
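Review bot: In the `@@ -106,7 +110,7 @@` hunk of `managed-inference-with-private-network.mdx`, the sample line `headers = {"Authorization": "Bearer " + ""}` concatenates an empty string, so a reader who copies it unchanged sends `Bearer ` with no token, and the only hint is an all-caps trailing comment. Suggest a named placeholder for the key (ideally read from an environment variable rather than pasted into the script) and a sentence-case comment saying the header is needed only when API key authentication is enabled for the private endpoint.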
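Review bot: In the `@@ -37,7 +37,6 @@` hunk of `data-privacy-security-scaleway-ai-services.mdx`, the **Allowed IPs** bullet is removed but the unchanged **Virtual Private Cloud (VPC)** bullet still ends with "Access to the service can be restricted based on allowed IP ranges." With the feature retired, that wording can be read as the old Allowed IPs mechanism. Suggest rewording it to name the mechanism the updated how-to page points to, for example Network ACLs in the VPC, and linking to `/managed-inference/how-to/manage-allowed-ips/`.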
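Review bot: In the `@@ -51,7 +51,7 @@` hunk of `manage-allowed-ips.mdx` (PATCH 4/4), the permission-set paragraph describes `InferenceFullAccess` as create, read, update, and delete and `InferenceReadOnly` as read-only, but never says which of the two is sufficient to send inference requests to a deployment's endpoint. On a page about restricting access, that is the detail a reader needs in order to grant the narrowest set. Suggest adding one sentence stating the minimum permission set required for inference requests, and noting that wide-scoped sets such as `AllProductsFullAccess` grant more than that.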