Function Permissions#
This page describes function invocation permissions and public and shared function access within your Cloud Functions account.
Function permissions within Cloud Functions fall into three categories:
Account-owned functions
These are functions that are scoped to just your Cloud Functions account, within your NGC organization, listed as “My Functions”. Any user within your NGC organization can invoke account-owned functions by generating a Personal API Key. See Generate an NGC Personal API Key.
Note
Metrics and logs in the Cloud Functions UI are currently only available for account-owned functions.
Shared functions
These are functions that are shared to your Cloud Functions account, from a different Cloud Functions account, listed as “Shared Functions”. Functions shared to your account are invoke-able by any user within your NGC organization, via generating a Personal API Key.
Public functions
These are NVIDIA NIM functions that are maintained by NVIDIA and shared to all NGC organizations for public access, listed as “Created by NVIDIA”. The functions listed here are also available to invoke via NVIDIA’s AI API Catalog. Refer to the samples within the catalog for instructions on how to invoke the function.
All function categories are visible in the UI under the Functions List page tabs and are also visible in the API when listing functions.
Listing Functions via API#
All functions available to your Cloud Functions account are listable via API with the following curl.
1 curl --location 'https://api.ngc.nvidia.com/v2/nvcf/functions?visibility=authorized&visibility=private&visibility=public' \
2 --header 'Accept: application/json' \
3 --header "Authorization: Bearer $API_KEY"
Available parameters for filtering include:
visibility=private- Account-owned functionsvisibility=authorized- Functions shared to your accountvisibility=public- Functions created by NVIDIA available to all accounts
Sharing a Function to Another NCA ID#
Functions can be shared so that another organization can invoke them. This can be done by sharing a function ID (shares all versions of the function) or a version ID (recommended approach, shares a single version of a function). The below guide walks through the steps to share a function by version ID. The same steps can be applied using the APIs for sharing by function ID, refer to the OpenAPI Spec for all API calls managing authorized parties. A full postman collection for this example can be downloaded here. This functionality is also available via the NGC CLI.
Prerequisites
A function deployed and active in organization A.
Generate and save an NGC Personal API key for organization A - $API_KEY
Generate and save an NGC Personal API key for organization B - $API_KEY_B
Steps
Identify the NCA ID of the organization B by navigating to the NGC Organization Profile Page as a user of the organization. Store this as $NCA_ID_B
Make an API call to share the function to organization B by adding the organization to the authorized parties for the function version. Ensure you set functionId, functionVersionId, $API_KEY and $NCA_ID_B variables in the call.
1curl -X 'POST' \
2 'https://api.ngc.nvidia.com/v2/nvcf/authorizations/functions/{functionId}/versions/{functionVersionId}' \
3 -H "Authorization: Bearer $API_KEY" \
4 -H 'accept: application/json' \
5 -H 'Content-Type: application/json' \
6 -d '
7 {
8 "authorizedParties": [
9 {
10 "ncaId": "$NCA_ID_B"
11 }
12 ]
13 }'
Verify the function is now authorized to the other organization by listing the authorizations.
1curl -X 'GET' \
2 'https://api.ngc.nvidia.com/v2/nvcf/authorizations/functions/{functionId}/versions/{functionVersionId}' \
3 -H "Authorization: Bearer $API_KEY" \
4 -H 'accept: application/json'
Verify the function is now authorized by invoking the function using organization B’s $API_KEY_B. Ensure to replace the message body with a payload that the function expects. Note that the API domain for invocation is https://api.nvcf.nvidia.com.
1 curl --location "https://api.nvcf.nvidia.com/v2/nvcf/pexec/functions/{functionId}/versions/{functionVersionId}/" \
2 --header 'Content-Type: application/json' \
3 --header "Authorization: Bearer $API_KEY_B" \
4 --data '{
5 "message": "hello world"
6 }'