Support Questions

waelfatah · ‎03-24-2025

Hello Cloudera Community,

I'm working on a project where I need to provide users with temporary access to call specific Cloudera Machine Learning (CML) API endpoints, particularly for interacting with deployed models.

My goal is to avoid granting users long-lived API V2 keys and instead generate short-lived, scoped access credentials that expire after a set time (e.g., 2 hours).

After exploring the CML API v2 and the cmlapi library, I'm finding it challenging to identify a direct method for generating these temporary, scoped access keys.

My questions are:

Is there a supported mechanism within the CML API v2 or cmlapi to generate temporary access keys with a specified expiration time?
If not, are there recommended alternative approaches for providing users with limited, time-bound access to CML API endpoints?
Are there plans to introduce temporary access key generation functionality in future CML releases?
Is there a best practice to follow for this kind of implementation?

I'm aiming for a solution that prioritizes security and minimizes the risk of exposing long-term credentials.

Any guidance or insights from the community would be greatly appreciated.

Thank you.

Gopinath · ‎03-24-2025

Is there a supported mechanism within the CML API v2 or cmlapi to generate temporary access keys with a specified expiration time?

Yes. You may consider using cmlv2 api createV2Key [1]. I am able to get a apikey created for myself with ttl as 5 days ie 30 Mar 2025.

api request:

curl -X POST "https://trimmed.cloudera.site/api/v2/users/ngopinath/v2_keys" -H "accept: application/json" -H "Authorization: Bearer trimmed.trimmed" -H "Content-Type: application/json" -d "{ \"comments\": \"test\", \"expiry_date\": \"2025-03-30\", \"username\": \"ngopinath\"}"

api response:

{
  "api_key": "trimmed.trimmed",
  "key_id": "trimmed",
  "created_at": "2025-03-25",
  "expiry_date": "2025-03-30",
  "comments": "test",
  "audiences": [
    "API"
  ]
}

Since we have solution for Q#1, I presume following queries are invalidated. Let me know if you are able to proceed with api createV2Key.

[1] https://docs.cloudera.com/machine-learning/cloud/rest-api-reference-ai-workbench/index.html#api-CMLS...

View solution in original post

DianaTorres · ‎03-24-2025

@waelfatah Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our CML experts @smdas @Mike @Gopinath who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Regards,

Diana Torres,
Senior Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
Community Guidelines
How to use the forum

Gopinath · ‎03-24-2025

Is there a supported mechanism within the CML API v2 or cmlapi to generate temporary access keys with a specified expiration time?

Yes. You may consider using cmlv2 api createV2Key [1]. I am able to get a apikey created for myself with ttl as 5 days ie 30 Mar 2025.

api request:

curl -X POST "https://trimmed.cloudera.site/api/v2/users/ngopinath/v2_keys" -H "accept: application/json" -H "Authorization: Bearer trimmed.trimmed" -H "Content-Type: application/json" -d "{ \"comments\": \"test\", \"expiry_date\": \"2025-03-30\", \"username\": \"ngopinath\"}"

api response:

{
  "api_key": "trimmed.trimmed",
  "key_id": "trimmed",
  "created_at": "2025-03-25",
  "expiry_date": "2025-03-30",
  "comments": "test",
  "audiences": [
    "API"
  ]
}

Since we have solution for Q#1, I presume following queries are invalidated. Let me know if you are able to proceed with api createV2Key.

[1] https://docs.cloudera.com/machine-learning/cloud/rest-api-reference-ai-workbench/index.html#api-CMLS...

Gopinath · ‎03-26-2025

@waelfatah is createV2Key working for you?

waelfatah · ‎03-26-2025

Thank you for answering !

curl -X POST "https://trimmed.cloudera.site/api/v2/users/ngopinath/v2_keys" -H "accept: application/json" -H "Authorization: Bearer trimmed.trimmed" -H "Content-Type: application/json" -d "{ \"comments\": \"test\", \"expiry_date\": \"2025-03-30\", \"username\": \"ngopinath\"}"

Is it possible to provide a username and a password instead of the bearer in the authorization header?

Gopinath · ‎03-27-2025

@waelfatah Based on the way, CAI handles the v2 API call, I don't think cmlv2api support simple authentication.

DianaTorres · ‎04-01-2025

@waelfatah Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Senior Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
Community Guidelines
How to use the forum

Support Questions

Generating Temporary Access Keys for CML API Endpoints