Skip to content

[Docs] Clarify Nebius credential setup #5298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 30, 2025
Merged

[Docs] Clarify Nebius credential setup #5298

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7a7a99c
clarify nebius credential setup
Michaelvll Apr 19, 2025
f698bd1
Add automatic build for rtd
Michaelvll Apr 21, 2025
7f7ebb2
fix
Michaelvll Apr 21, 2025
d23085e
docs format
Michaelvll Apr 21, 2025
2a0033e
Add link
Michaelvll Apr 26, 2025
63a9258
remove readthedocs config
Michaelvll Apr 26, 2025
fcddd81
Merge branch 'master' of github.com:skypilot-org/skypilot into clarif…
Michaelvll Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/source/cloud-setup/cloud-permissions/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,5 +28,6 @@ Table of contents

aws
gcp
nebius
vsphere
kubernetes
40 changes: 40 additions & 0 deletions docs/source/cloud-setup/cloud-permissions/nebius.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
Nebius
======

.. _nebius-service-account:

Service account
----------------

To use *Service Account* authentication, follow these steps:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is a service account and why would you want to use it?


1. **Create a Service Account** using the Nebius web console.
2. **Generate PEM Keys**:

.. code-block:: shell

openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

3. **Generate and Save the Credentials File**:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: It is possible to use Nebius CLI

nebius iam auth-public-key generate \
  --parent-id "$NEBIUS_PROJECT_ID" \
  --service-account-id "$SA_ID" \
  --output ~/.nebius/credentials.json

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @SalikovAlex! I am going to merge this PR first to keep it only for refactoring of organization of the page. Could you help submit another one to use the new key generation command?


* Save the file as `~/.nebius/credentials.json`.
* Ensure the file matches the expected format below:

.. code-block:: json

{
"subject-credentials": {
"alg": "RS256",
"private-key": "PKCS#8 PEM with new lines escaped as \n",
"kid": "public-key-id",
"iss": "service-account-id",
"sub": "service-account-id"
}
}


**Important Notes:**

* The `NEBIUS_IAM_TOKEN` file, if present, will take priority for authentication.
* Service Accounts are restricted to a single region. Ensure you configure the Service Account for the appropriate region during creation.
41 changes: 3 additions & 38 deletions docs/source/getting-started/installation.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -542,52 +542,17 @@ Nebius

mkdir -p ~/.nebius
nebius iam get-access-token > ~/.nebius/NEBIUS_IAM_TOKEN.txt

If you have one tenant you can run:

.. code-block:: shell

nebius --format json iam whoami|jq -r '.user_profile.tenants[0].tenant_id' > ~/.nebius/NEBIUS_TENANT_ID.txt

You can specify a preferable project ID, which will be used if a project ID is required in the designated region.
**Optional**: You can specify a preferable project ID, which will be used if a project ID is required in the designated region.

.. code-block:: shell

echo $NEBIUS_PROJECT_ID > ~/.nebius/NEBIUS_PROJECT_ID.txt

To use *Service Account* authentication, follow these steps:

1. **Create a Service Account** using the Nebius web console.
2. **Generate PEM Keys**:

.. code-block:: shell

openssl genrsa -out private.pem 4096 && openssl rsa -in private.pem -outform PEM -pubout -out public.pem

3. **Generate and Save the Credentials File**:

* Save the file as `~/.nebius/credentials.json`.
* Ensure the file matches the expected format below:

.. code-block:: json

{
"subject-credentials": {
"alg": "RS256",
"private-key": "PKCS#8 PEM with new lines escaped as \n",
"kid": "public-key-id",
"iss": "service-account-id",
"sub": "service-account-id"
}
}


**Important Notes:**

* The `NEBIUS_IAM_TOKEN` file, if present, will take priority for authentication.
* Service Accounts are restricted to a single region. Ensure you configure the Service Account for the appropriate region during creation.
Alternatively, you can also use a service account to access Nebius, see :ref:`Using Service Account for Nebius <nebius-service-account>`.

Nebius offers `Object Storage <https://nebius.com/services/storage>`_, an S3-compatible object storage without any egress charges.
Nebius also offers `Object Storage <https://nebius.com/services/storage>`_, an S3-compatible object storage without any egress charges.
SkyPilot can download/upload data to Nebius buckets and mount them as local filesystem on clusters launched by SkyPilot. To set up Nebius support, run:

.. code-block:: shell
Expand Down