AI Deploy - Accessing your app with tokens
Discover how to create a scoped token and query your AI Deploy app
Last updated 3rd November, 2022.
AI Deploy is in beta. During the beta-testing phase, the infrastructure’s availability and data longevity are not guaranteed. Please do not use this service for applications that are in production, as this phase is not complete.
AI Deploy is covered by OVHcloud Public Cloud Special Conditions.
Objective
This guide covers the creation of application tokens for AI Deploy.
Requirements
- a Public cloud project
- access to the OVHcloud Control Panel
- a Running AI Deploy app (the deployed app in this guide uses the Docker image infrastructureascode/hello-world)
Instructions
Adding labels to an App
Tokens are scoped based on labels added to your AI Deploy app. To scope a token you need to add a label to your AI Deploy app upon submission.
In this instance we add the label group=A to the AI Deploy app. A set of defaults labels are added to all AI Deploy apps:
ovh/idwhich value is the ID of the AI Deploy appovh/typewith valueapp, the type of AI resource
Labels prefixed by ovh/ are reserved by the platform, those labels are overriden upon submission if any are provided.
All the labels of an AI Deploy app are listed on the AI Deploy app details under Tags:
Generating tokens
From the AI Deploy page, you access the tokens management page by clicking the Tokens tab.
Once on the token management tab, simply click on New Token.
Read token
There are two types of roles that can be assigned to a token:
- AI Platform - Read-only
- AI Platform - Operator
A Read-only token will only grant you the right to query the deployed app while an Operator token would also allow you to manage the AI Deploy app itself.
Let us create a token for the AI Deploy apps matching the label group=A with read-only access in the GRA cluster.
To create an AI Deploy app token we need to specify 3 parameters:
- The token scope specified through label selectors, a token will be scoped over any app matching the set of label selectors. In this case
group=A - The token role: AI Training - Read-only
- The region (cluster in which are deployed the AI Deploy apps): GRA.
Fill out the form:
Click Generate. Upon success, you are redirected to the token list with the new generated token displayed at the top:
Save the token string for later use.
The token is only displayed once, make sure to save it before leaving the page or you will need to regenerate the token.
This newly generated token provides read access over all resources tagged with the label group=A including the ones submitted after the creation of the token.
Operator token
An operator token grants read access along with management access for the matching apps. This means that you can manage the AI Deploy app lifecycle (start/stop/delete) using either the CLI (more info here) or the AI Training API by providing this token.
This Operator token will be scoped on a specific AI Deploy app and we will use the default ovh/id label to do so (since it is reserved, there is only one AI Deploy app that can match this label selector).
- Token scope:
ovh/id=4c4f6253-a059-424a-92da-5e06a12ddffd - The token role: AI Training - Operator
- The region: GRA.
Additional information about the use of a token to manage an AI Training resource can be found here.
Using a token to query an AI Deploy app
With the token we generated in the previous step we will now query the app. For this demonstration, we deployed a simple Hello World app that always responds Hello, World!.
You can get the access URL of your app in the details of the AI Deploy app, above the Tags.
Browser
When accessing the AI Deploy app via its URL in your browser, you will reach a Login page:
To use the token to access this app, you can click on Login with token. Fill in your token in the dedicated field and click Connect.
You now land on the exposed AI Deploy app service:
Code integration
You can also directly CURL the AI Deploy app using the token as an Authorization header:
export TOKEN=<your-token>
curl "https://<your-app-id>.app.<your-app-region>.training.ai.cloud.ovh.net" -H "Authorization: Bearer $TOKEN"
> Hello, World!
Token lifecycle
Once a token is created, you can either regenerate the token or delete it.
Regenerating a token
When creating a token, the actual token string is only displayed once upon creation. It is not possible to retrieve the actual token afterwards, so make sure to save it when creating a new one.
If you lost the token or if it leaked and you need to invalidate the token, you can generate it again. This causes the existing token to expire.
From the list of tokens, click on the action menu and select Regenerate:
Then click on Regenerate to confirm.
Deleting a token
If you simply need to invalidate the token, you can delete it using the same action menu to regenerate a token. This will invalidate the existing token.
Feedback
Please feel free to send us your questions, feedback and suggestions to help our team improve the service on the OVHcloud Discord server
Czy ten przewodnik był pomocny?
Zachęcamy do przesyłania sugestii, które pomogą nam ulepszyć naszą dokumentację.
Obrazy, zawartość, struktura - podziel się swoim pomysłem, my dołożymy wszelkich starań, aby wprowadzić ulepszenia.
Zgłoszenie przesłane za pomocą tego formularza nie zostanie obsłużone. Skorzystaj z formularza "Utwórz zgłoszenie" .
Dziękujemy. Twoja opinia jest dla nas bardzo cenna.