Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

This page explains how to provision users in CoreWeave Identity and Access Management (IAM) for SUNK so they receive POSIX identities, SSH keys, and Slurm accounts in your cluster. After you complete the steps here, you can continue to nsscache configuration so those identities are available on the cluster. SUNK access management refers to the provisioning of users in your SUNK cluster, allowing them to SSH into Login Nodes and Individual Login Pods, manage Slurm settings, and use Slurm commands to run experiments. At CoreWeave, this encompasses the flow of user identities from its source of truth to the creation of POSIX and Slurm identities in your SUNK cluster. This end-to-end flow is implemented by Automated User Provisioning (AUP) and SUNK User Provisioning (SUP). SUP can be used alongside or independently of AUP. AUP connects your organization’s to CoreWeave Identity and Access Management (IAM) through SCIM, the modern standard for secure identity synchronization. AUP continuously syncs users and groups from an upstream IdP, such as Okta or Microsoft Entra, so that any changes made upstream from new users, role updates, or deletions, propagate automatically to CoreWeave IAM. SUP provisions CoreWeave IAM data into SUNK, whether that data was federated from an IdP through AUP or manually created directly in the CoreWeave console. SUP automatically creates POSIX users and groups, SSH keys, and Slurm users and accounts in your SUNK clusters as soon as a user is added directly to CoreWeave IAM or to an upstream IdP.

Provision users in CoreWeave IAM

The following sections describe how to get users into CoreWeave IAM, either by federating from an identity provider (IdP) with Automated User Provisioning (AUP) or by creating users manually in the Cloud Console. Follow the instructions for either method below before configuring SUP so that SUP has IAM data to sync into the cluster.

Prerequisites

Before provisioning users in CoreWeave IAM, enable the following settings on the SCIM Configuration page:
  • Enable SCIM API
  • Enable SUNK User Provisioning
Screenshot of the SCIM Configuration page with the prerequisite toggles enabled

Provision users from an IdP into CoreWeave IAM

This section assumes you are federating users from an IdP with Automated User Provisioning (AUP). Complete configure AUP with Okta or configure AUP with Microsoft Entra first so users and groups exist in CoreWeave IAM before you continue with the steps in this section.
  1. In the Cloud Console, navigate to the SCIM Configuration page. Screenshot of the SCIM option in the IAM sidebar
  2. Click the toggle buttons to enable Automated User Provisioning, if it is not already enabled. All three toggles must be enabled if you are federating from an IdP. Screenshot of the SCIM Configuration page with the toggles enabled
  3. In your IdP, create a custom attribute for SSH public keys and map it to CoreWeave’s SCIM endpoint. CoreWeave IAM needs this mapping so SUP can install the correct keys on the cluster. The attribute mapping must meet these requirements:
    RequirementValue
    Attribute namesunkSshKeys (must be exact)
    SCIM namespaceurn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser
    Data typeString (the SCIM endpoint accepts a single key or a list of keys)
    For IdP-specific setup instructions, see:
  4. In your IdP, navigate to the target user’s profile and add their SSH public key to the custom attribute you created.
  5. In the Provisioning section of your IdP, verify that the SSH key attribute is included in the attribute mappings for the CoreWeave application.
  6. In the Cloud Console, navigate to the Users page to view a list of all users in your cluster. Click the three-dot menu icon to the right of the target user’s name, and then click View Details. Screenshot of the View Details option for a user
  7. Verify that the SSH Keys field under Slurm Attributes contains the SUNK public SSH key that you added in your IdP. When using CoreWeave AUP, this field automatically synchronizes with CoreWeave IAM whenever changes are made in your IdP. Although users can manually edit this field in the CoreWeave console and temporarily use the updated key to SSH into the cluster, the next synchronization will overwrite this value. Therefore, manual updates should not be relied upon as a persistent configuration for the SSH Keys field when using AUP.
  8. Continue on to nsscache configuration. At this point, federated users should appear in CoreWeave IAM with SSH keys that SUP can propagate to SUNK. Learn more about AUP and how to integrate it with other CoreWeave services in the Automated User Provisioning guide.

Provision users directly in CoreWeave IAM

  1. In the Cloud Console, navigate to the SCIM Configuration page. Screenshot of the SCIM option in the IAM sidebar
  2. Click the toggle buttons to enable the following settings, if they are not already enabled:
    • Enable SCIM API
    • Enable SUNK User Provisioning
    In the SCIM Configuration page, it is not necessary to toggle Enable Automated User Provisioning if you are not federating from an IdP. Screenshot of the SCIM Configuration page with the toggles enabled
  3. Each user seeking access to the cluster must add one or more public SSH keys to the SSH Keys field of the Slurm Attributes section in their Settings page, accessible via the profile icon at the top right of the CoreWeave Cloud Console. When adding multiple keys, enter one per line (newline-separated), not comma-separated. If users don’t see the Slurm Attributes section in their Settings page, verify that SUNK User Provisioning is enabled on the SCIM Configuration page. Screenshot of the SSH Keys field in the Slurm Attributes section
  4. Continue on to nsscache configuration. Users who added SSH keys in their settings are ready for SUP to create matching POSIX and Slurm identities on the cluster.

Slurm user attributes

SUP automatically creates a POSIX User ID (UID), POSIX Group ID (GID), and POSIX username when a user is provisioned in CoreWeave IAM either through AUP or manual creation. Users can view these details in the Slurm Attributes section of their Settings page, accessible via the profile icon at the top right of the Cloud Console. Admins can view this information in the Users page of the Cloud Console. Click the vertical dot menu icon to the right of a user’s name, and then click View Details.

Create SUNK user groups

Group names in CoreWeave IAM must match the names you reference in the nsscache configuration. If federating users from an IdP, you can create your user groups there. Groups will be synced automatically by AUP into CoreWeave IAM. If you are not federating users from an IdP, create your user groups in the CoreWeave Cloud Console using the following steps:
  1. In the CoreWeave Cloud Console, navigate to the Groups tab on the left-hand sidebar. Screenshot of the Groups option in the IAM sidebar
  2. Click the Create Group button at the top-right of the page. Screenshot of the Create Group button
  3. Enter the group name, and click Create. The names of these groups must match the names of the groups specified in the nsscache configuration. A POSIX Group ID (GID) will be created automatically for each new group.
Last modified on April 13, 2026