Skip to main content

Provision users in SUNK

Set up SUNK User Provisioning (SUP) with CoreWeave IAM

Overview

SUNK access management refers to the provisioning of users in your SUNK cluster, allowing them to SSH into Login Nodes and Individual Login Pods, manage Slurm settings, and use Slurm commands to run experiments. At CoreWeave, this encompasses the flow of user identities from its source of truth to the creation of POSIX and Slurm identities in your SUNK cluster. This end-to-end flow is implemented by Automated User Provisioning (AUP) and SUNK User Provisioning (SUP). SUP can be used alongside or independently of AUP.

AUP connects your organization's identity provider (IdP) to CoreWeave Identity and Access Management (IAM) through SCIM, the modern standard for secure identity synchronization. AUP continuously syncs users and groups from an upstream IdP, such as Okta or Microsoft Entra, so that any changes made upstream from new users, role updates, or deletions, propagate automatically to CoreWeave IAM.

SUP provisions CoreWeave IAM data into SUNK, whether that data was federated from an IdP through AUP or manually created directly in the CoreWeave console. SUP automatically creates POSIX users and groups, SSH keys, and Slurm users and accounts in your SUNK clusters as soon as a user is added directly to CoreWeave IAM or to an upstream IdP.

Provision users in CoreWeave IAM

Users can be provisioned into CoreWeave IAM in one of two ways: through AUP, or by creating users manually in the Cloud Console.

Follow the instructions for either method below before configuring SUP.

Prerequisites

Before provisioning users in CoreWeave IAM, you must first enable the following settings on the SCIM Configuration page.

  • Enable SCIM API
  • Enable SUNK User Provisioning

Provision users from an IdP into CoreWeave IAM

This section assumes you are federating users from an IdP with Automated User Provisioning (AUP). Follow the instructions to configure AUP with Okta or configure AUP with Microsoft Entra before continuing.

  1. In the Cloud Console, navigate to the SCIM Configuration page.

  2. Click the toggle buttons to enable Automated User Provisioning, if it is not already enabled. All three toggles must be enabled if you are federating from an IdP.

  3. In your IdP, create a SUNK public SSH key for the user. The SUNK public key must fulfill the following requirements, regardless of the IdP in use:

    • SUNK Public Keys must be formatted as a list of strings, of the type string array or string list, to avoid errors.
    • The external value of the SUNK public key must be exactly sunkSshKeys to be recognized in SUP.
    • The SUNK public key must be mapped to the following external namespace: urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser

  4. In your IdP, navigate to the target user's profile. Add the SUNK public key to the user's profile in the appropriate field.

  5. In the Provisioning section of your IdP, ensure that the SUNK public key attribute is mapped to the user so that it can be synced with CoreWeave IAM. This is IdP-specific, and will vary depending on the IdP in use.

  6. In the Cloud Console, navigate to the Users page to view a list of all users in your cluster. Click the three-dot menu icon to the right of the target user's name, and then click View Details.

  7. Verify that the SSH Keys field under Slurm Attributes contains the SUNK public SSH key that you added in your IdP. When using CoreWeave AUP, this field automatically synchronizes with CoreWeave IAM whenever changes are made in your IdP. Although users can manually edit this field in the CoreWeave console and temporarily use the updated key to SSH into the cluster, the next synchronization will overwrite this value. Therefore, manual updates should not be relied upon as a persistent configuration for the SSH Keys field when using AUP.

  8. Continue on to nsscache configuration.

    Learn more about AUP and how to integrate it with other CoreWeave services in the Automated User Provisioning guide.

Provision users directly in CoreWeave IAM

  1. In the Cloud Console, navigate to the SCIM Configuration page.

  2. Click the toggle buttons to enable the following settings, if they are not already enabled:

    • Enable SCIM API
    • Enable SUNK User Provisioning

    In the SCIM Configuration page, it is not necessary to toggle Enable Automated User Provisioning if you are not federating from an IdP.

  3. Each user seeking access to the cluster must add one or more public SSH keys to the SSH Keys field of the Slurm Attributes section in their Settings page, accessible via the profile icon at the top right of the CoreWeave Cloud Console.

    When adding multiple keys, enter one per line (newline-separated), not comma-separated. If users don't see the Slurm Attributes section in their Settings page, verify that SUNK User Provisioning is enabled on the SCIM Configuration page.

  4. Continue on to nsscache configuration.

Slurm user attributes

SUP automatically creates a POSIX User ID (UID), POSIX Group ID (GID), and POSIX username when they are provisioned in CoreWeave IAM either via AUP or manual creation.

Users can view these details in the Slurm Attributes section of their Settings page, accessible via the profile icon at the top right of the Cloud Console.

Admins can view this information in the Users page of the Cloud Console. Click the vertical dot menu icon to the right of a user's name, and then click View Details.

Create SUNK user groups

If federating users from an IdP, you can create your user groups there. Groups will be synced automatically by AUP into CoreWeave IAM.

If you are not federating users from an IdP, you can create your user groups in the CoreWeave Cloud Console with the following steps:

  1. In the CoreWeave Cloud Console, navigate to the Groups tab on the left-hand sidebar.

  2. Click the Create Group button at the top-right of the page.

  3. Enter the group name, and click Create. The names of these groups must match the names of the groups specified in the nsscache configuration. A POSIX Group ID (GID) will be created automatically for each new group.

Last updated on