AI Workbench Integrations#

Screenshot of the Workbench integrations page in the application settings page. From left to right shows NGC, GitHub, GitLab, and an example of self-hosted GitLab.

Overview of Integrations#

Streamlining access to platforms and services like GitHub container registries requires under-the-hood implementation of different APIs and authentication methods.

Manually configuring this on a project by project basis would be very painful, so Workbench handles this through Integrations.

Integrations programmatically handle access to platforms and services to provide a uniform experience across projects and locations.

Default vs custom integrations#

  • Default Integrations are pre-configured in the Settings page and just require an authentication flow.

  • Custom Integrations require manual configuration to setup an authentication flow.

Authentication Methods#

Supported authentication methods#

  • OAuth: Streamlined access to resources or services through token exchange.

  • Personal Access Token (PAT): Customized access based on privileges you assign to the token.

  • API Key: Similar to a PAT.

Table of integrations#

Integration

OAuth

API Key / PAT

Configuration

GitHub.com, default

Yes

Yes

Open Settings

GitLab.com, default

Yes

Yes

Open Settings

Self-Hosted GitLab, custom

Yes

Yes

Open Settings

NVIDIA NGC, default

No

Yes

Open Settings

NVIDIA Brev, experimental

Yes

Yes

Configure Brev

Connecting Default Integrations#

Basic Steps#

  1. Have an active account on the platform and be logged in.

  2. Open AI Workbench Settings (Integration Settings).

  3. Select the Integrations page.

  4. Click Connect on the card for the integration you want to connect.

  5. Select an authentication method and follow the flow.

GitHub.com Details#

OAuth Flow: Easiest way to connect to GitHub.

  • Click Connect on the GitHub card in Settings, and select OAuth.

  • Click through whatever is required to connect to your GitHub account

  • Copy the code displayed in the Workbench popup and paste it into the GitHub authentication page

  • Authorize the NVIDIA GitHub App and wait for the connection to complete

Learn about OAuth apps in GitHub here.

PAT Flow: More granular control over access to your GitHub resources.

  • Create a PAT on GitHub with the following scopes:

    • repo — Full control of private repositories

    • read:org — Read access to organization membership and teams

    • user — Read access to user profile information

    • read:packages — Read access to GitHub packages

  • Click Connect to start the authentication flow and select Personal Access Token.

  • Enter your PAT and click Connect.

GitLab.com Details#

OAuth Flow: Easiest way to connect to GitLab.

  • Click Connect on the GitLab integration card in Settings, and select OAuth.

  • Click through whatever is required to connect to your GitLab account

  • Wait for the connection to complete

PAT Flow: Grants the same access as the OAuth flow.

  • Create a PAT on GitLab with the api scope

  • Click Connect on the GitLab integration card in Settings, and select Personal Access Token.

  • Enter your PAT and click Connect.

Learn about Personal Access Tokens on GitLab here.

NVIDIA Brev Details#

The NVIDIA Brev integration is experimental and has a different authentication flow than the other default integrations.

For more information on setting up and using Brev with AI Workbench, see NVIDIA Brev Integration.

NVIDIA NGC Details#

NGC only provides API Keys for authentication. They are called Personal Keys.

  • Create a Personal Key on NGC

    • Log in to NGC and navigate to Setup > Keys/Secrets > Generate API Key.

    • Click Generate Personal Key, name it, set the expiration, and select the following services:

      • Catalog - Access to the NGC Catalog

      • Registry - Access to the NGC Container Registry

      • Build - Access to the NGC Build service

    • Click Generate Personal Key

  • Click Connect on the NGC integration card in the Workbench Settings page.

  • Enter your Personal API Key and click Connect.

Creating and Connecting Custom Integrations#

Self-Hosted GitLab#

You can use an OAuth flow or a PAT to connect your Workbench to a self-hosted GitLab instance.

The OAuth flow requires setup for the GitLab and is deferred to Self-Hosted Gitlab.

The PAT flow is straightforward and is described here.

High-Level Steps for PAT:

  • Add a new integration of type “Self-Hosted GitLab”

  • Connect the integration using the card that appears in Settings

Detailed Steps for PAT:

  • Create a PAT on the GitLab instance (see here for how to create a PAT)

  • Click Add Integration in the Integration page in Settings.

  • Select “Self-Hosted GitLab” as the Integration Type

  • Enter a distinct Display Name and select PAT as the Authentication Method.

  • Enter the URL for your self-hosted GitLab instance and click Add.

  • Click Connect on the new integration card in Settings and enter your PAT.

FAQs#

Does Configuring an Integration Give NVIDIA Access to My Credentials or Accounts?#

No. NVIDIA does not get any access to your credentials or accounts.

Configuring an integration just provides the Desktop App installed on your laptop with the necessary permissions to authenticate to the given platform or service.

In addition, the Desktop App does not have any telemetry of any kind, so there is no way that any of your information would be passed back to NVIDIA.

You can revoke this access at anytime by disconnecting the integration.

What Kind of Access Workbench Actually Need to my GitHub or GitLab Resources in Order to Manage Projects?#

Workbench needs full API access to manage repositories on your behalf, including creating, modifying, and pushing changes to both public and private repositories.

If I use a PAT or API Key as the Authentication Mechanism, How Does AI Workbench Store It?#

AI Workbench stores and uses credentials for integrations when connected. By default, all credentials are stored and encrypted at rest using the host system’s secret storage that is tied to your login.

On macOS, credentials are stored in the Keychain. On Windows, they are stored using the Windows Credentials API. On Linux, credentials are stored using the dbus secret service, which is gnome-keyring by default with Ubuntu.

This ensures that your credentials are secure and protected, while still being easily accessible when needed.

How Does Workbench Pass Credentials to a Location?#

When you start a location using the desktop app or CLI, the associated Workbench service is started and your credentials are pushed into memory for use by the service.

Depending on your container runtime, AI Workbench may write a temporary file or act as a credential helper to provide credentials to the runtime. If written to a file, the file is removed at service stop.

When using Git with AI Workbench, your credentials are provided to Git via a custom credential helper. This keeps your credentials safe and secure, without the need to store them on the file system.

Can I Use the CLI to Connect an Integration?#

Yes. This has two steps. First you create the integration, and then you connect it to trigger the authentication flow.

  1. Run the following command to start the interactive integration setup:

    nvwb create integration

  2. Select the particular integration you want to connect and hit Enter.

  3. Enter the required details as prompted.

  4. Once setup is complete, AI Workbench lists all configured integrations. Verify that your new integration appears.

  5. To connect to the integration, run:

    nvwb connect integration <integration name>

How Do I Disconnect an Integration?#

  1. Open AI Workbench Settings (:ref:settings-integrations).

  2. Select the Integrations page.

  3. Click Disconnect on the integration card you want to remove

Do I Need an NGC API Key to Use Workbench?#

No. The default containers used for project creation are public, so you don’t need an API key to use them.

However, you do need an NGC API Key if you want to use the following from build.nvidia.com:

What’s the difference between using an NGC API Key to access private container on NGC and using it to access endpoints on build.nvidia.com?#

Configuring the NGC API key in the Workbench Settings page makes it available to use with any location or project that pulls the base image from a private registry on NGC.

It does not configure acess to any API endpoints on build.nvidia.com.

However, the personal key does also grant access to the endpoints on build.nvidia.com, but you must configure this on a project-by-project basis as a sensitive environment variable.

See here for more information on how to configure environment variables.