API Key-Based Access Control for AI Model Deployment on OCI

Question

Pulumi · Accepted Answer

API key-based access control involves setting up a mechanism where API keys are used to authenticate and authorize individuals or services that need to interact with your application or API. In the context of AI model deployment on Oracle Cloud Infrastructure (OCI), you want to ensure that only authorized entities can access your AI services and models.

To implement API key-based access control in OCI using Pulumi, you will typically need to follow these steps:

Create an API key for the user who needs to access the AI model.
Deploy an AI model using OCI's AI services.
Optionally, set up a private endpoint for secure and private access within your virtual cloud network (VCN).

In this example, we will focus on creating an API key for a user and deploying an AI Anomaly Detection model in OCI using Pulumi. To maintain the scope, we won't include setting up a private endpoint in this example but you can extend the setup accordingly.

Below is a Pulumi program that demonstrates these steps:

We'll first create a user for which we'll generate an API key.
The API key will be associated with this user, which provides them secure access.
Next, we'll create an AI anomaly detection project and model as part of the deployment.

import pulumi
import pulumi_oci as oci

# Replace the following values with your specific details
compartment_id = 'ocid1.compartment.oc1..exampleuniqueID'
user_description = "API Key User for AI Model Deployment"

# Create a new user in OCI for API key-based access control.
api_user = oci.identity.User("apiUser",
    compartment_id=compartment_id,
    description=user_description,
)

# Generate an API Key for the user
api_key = oci.identity.UserApiKey("apiUserKey",
    user_id=api_user.id,
    # Key value should be the base64 encoded PEM key. Consider using the OCI CLI to generate one or provide your encoded key here.
    key="<Your_Public_PEM_Key_Base64_Encoded>",
)

# The following steps are to deploy an AI Anomaly Detection Model, replace the placeholder values with real ones

# Create an AI Anomaly Detection project
ai_project = oci.aianomalydetection.Project("aiProject",
    compartment_id=compartment_id,
    description="AI Anomaly Detection Project",
    display_name="AIDemoProject",
)

# Deploy an AI Anomaly Detection model
ai_model = oci.aianomalydetection.Model("aiModel",
    project_id=ai_project.id,
    compartment_id=compartment_id,
    display_name="AIDemoModel",
    description="AI Anomaly Detection Model Deployment",
    # The following arguments should be adjusted to point to your data and meet your model's specifics like algorithm, window size etc.
    model_training_details=oci.aianomalydetection.ModelModelTrainingDetailsArgs(
        data_asset_ids=["<Your_Data_Asset_IDs>"],
        target_fap=0.05,
        window_size=12,
    ),
)

# Export the user OCID and the API key fingerprint to be used for API interactions
pulumi.export("api_user_id", api_user.id)
pulumi.export("api_key_fingerprint", api_key.fingerprint)
pulumi.export("ai_model_id", ai_model.id)

In the Blockly program above:

oci.identity.User: Creates a new user in OCI.
oci.identity.UserApiKey: Generates a new API key for the user, which allows for authentication when interacting with OCI services.
oci.aianomalydetection.Project: Sets up an AI anomaly detection project which is required to host models.
oci.aianomalydetection.Model: Deploys an AI Anomaly Detection model inside the project.

We export the user ID and API key fingerprint at the end, which can be used to interact with the OCI APIs. Note that you must provide your base64 encoded public PEM key for the API key.

Important Considerations:

Ensure your API keys are securely stored and transmitted. Do not commit them in version control systems.
Set up your compartment in OCI and replace the placeholder compartment_id and other identifiers with the actual values from your OCI setup.
You should look for the data_asset_ids and other model-specific parameters according to the data you want to use for anomaly detection.
The OCI CLI can be used to generate the required public/private key pair. The public key needs to be registered as the API key on OCI as shown in the api_key resource. Keep your private key secure and use it to sign requests to OCI services.

This program will provision the necessary resources on OCI to deploy a simple AI anomaly detection model and set up API key-based access control for a user. We strongly recommend reviewing the OCI documentation for each service to ensure you understand and properly configure all required settings according to the security guidelines and best practices.