This document is for users and administrators of NVIDIA NGC Private Registry.

With the power of the cloud, the content stored in the NGC Private Registry is always available with redundant storage that can be accessed from anywhere, making it extremely easy to get to your content.

When sharing content across a large organization, it is essential to ensure that you can manage the users. The comprehensive user and team management in an NGC Private Registry allows administrators to control access to content stored in the registry.

We are all used to working collaboratively using tools such as Slack or Microsoft Teams to share our content and ensure that our colleagues are all aligned. The primary goal of NGC Private Registry is to enable sharing of artificial intelligence (AI) content such as containers, models, and Helm charts within your organization. This feature empowers key stakeholders in your organization to collaborate without reinventing the wheel, increasing productivity, saving valuable resources, and bringing your products to market faster.

As data scientists build custom content, storing, sharing, and versioning this valuable intellectual property is critical to meeting their company’s business needs. To address these needs, NVIDIA has developed the NGC Private Registry to provide a secure space to store and share custom containers, models, Jupyter notebooks, and Helm charts within your enterprise. The NGC Private Registry is available to DGX and NVIDIA AI Enterprise customers.

This document describes how to use the NVIDIA® NGC Private Registry. This guide assumes the user is familiar with Linux and Docker and has access to an NVIDIA GPU-based computing solution, such as an NVIDIA DGX system or NVIDIA-Certified system configured for internet access and prepared for running NVIDIA GPU-accelerated Docker containers.

3. Getting Started

3.1. Obtaining a Private Registry

This chapter provides instructions for DGX customers on obtaining a private registry.

After purchasing a support entitlement with NVIDIA, the end-customer will receive an NVIDIA Entitlement Certificate via email. The email will include all the pertinent instructions to register for technical support.

The following is an example of the NVIDIA Entitlement Certificate email. The Entitlement Certificate itself is provided as a PDF attachment.

The following is an example of an NVIDIA Entitlement Certificate. The PDF also includes instructions for using the certificate.

If you already have an account, you can immediately log into the NVIDIA Enterprise Support portal.

If you are a new user without an NGC Support account, click the NVIDIA Enterprise Support Registration Form link. This link will have embedded information regarding your account. It is essential not to share this entitlement link outside of your organization. Registration will provide an NGC private registry and NVIDIA Enterprise Support accounts. You’ll receive a welcome email, at which time you can activate your NGC private registry account.

3.3. NGC API Keys

NVIDIA NGC API keys are required to authenticate with NGC services using NGC CLI, Docker CLI, or direct API requests. NGC provides two types of API keys:

Personal Keys

Any NGC org user can generate a personal key.

An NGC org user can grant a personal key up to the permissions assigned to them in the NGC org.

A personal key is linked to the user’s NGC org lifecycle. If the user’s permissions change, the available permissions that can be or are assigned to the personal key also change. If the user is removed from the NGC org, the key’s validity is revoked.

Supports updating permissions, rotation, and deletion (immediate revocation). Org owners and user_admins can revoke any member’s key on demand.

Each user can generate up to eight personal keys.

Use personal keys to begin using NGC services within your sandbox. Personal keys are best suited for individuals working on early development and testing code before moving to pre-production and production releases. To learn how to authorize the services you have access to in the org and generate a personal key, go to Generating a Personal API Key.

Important: Use the legacy NGC API Key to authenticate with Base Command Platform, Fleet Command, or other NGC services that don’t support “Personal key” authentication. For cross-org authorization, continue using the legacy NGC API Key. NVIDIA plans to deprecate the legacy NGC API key after 2025. NVIDIA encourages you to use the Personal Key, but if you need to continue using the legacy API key, go to Generating a Legacy NGC API Key to find out where to create a new one. Also, your current NGC API key will continue to work.

Service Keys

The lifecycle of service keys is linked to the NGC org account, not associated with an individual user.

Only NGC org owners and user_admins can manage service keys.

A service key can be scoped to access only the permissions and services required, or full access to the services enabled in the org.

Supports scoped permissions, updating permissions, on-demand revocation, rotation, and deletion.

An NGC org can have up to 50 service keys.

Use service keys when you require automated communication between machines and deploying to pre-production and production environments where you do not want to depend on a user’s membership status in the NGC org.

Note: Service keys currently do not support listing artifacts in NGC CLI or Docker CLI. This functionality will be added in the future. In the meantime, use a Personal API key to list artifacts.

Examples using NGC API Keys

Here are some examples of using NGC API keys to authenticate with NGC CLI and Docker CLI:

NGC CLI

    $ ngc config set

Paste your key value at the API_KEY prompt:

    [Enter API key [****API-Key]. Choices: [<VALID_APIKEY>]

Important: Always use the latest NGC CLI version to access the newest features, bug fixes, performance improvements, and security updates. Check for the latest versions at NGC CLI Installers or run ngc version list to view the latest releases, then upgrade using ngc version upgrade.

Docker CLI

    docker login nvcr.io --username '$oauthtoken'

For the username, enter '$oauthtoken' exactly as shown. It is a special name that indicates that you will authenticate with an API key. Paste your key value at the Password prompt.

3.3.1. Supported NGC Applications and API Key Types

The NVIDIA NGC applications/services that support Personal and Service Keys are listed below:

NGC Applications and Services

| NGC Application/Services | Service Description |
|---|---|
| NVIDIA NGC Catalog | Grants your key permission to access or download containers and artifacts from the NGC Catalog. The permission level matches your account’s permissions for the catalog. |
| NVIDIA NGC Private Registry | The key is authorized to perform actions on your organization’s private registry service, such as pulling, retrieving, creating, or deleting containers and artifacts. The permission level assigned to the key matches the permission level of your user account. Therefore, your user account must have permissions for the Private Registry. |
| NVIDIA Cloud Functions | This authorization allows your key to perform actions on your organization’s cloud functions service. If your organization has private functions published by NVIDIA, or if your cloud functions service enables you to create, deploy, and run your own functions, your personal key will have the same permissions as your user account for the cloud functions service. Therefore, it’s important that your user account has the necessary permissions for Cloud Functions. |
| NVIDIA Public API Endpoints | Grants permission for your key to access NVIDIA NIM inference endpoints listed in the NVIDIA API Catalog. Therefore, your user account must have Public API Endpoints permissions. |
| NVIDIA Secrets Manager | Authorizes your key to perform actions on the NVIDIA Secrets Manager service, which is used to store and manage secrets. Your key will have the same permission level as your user account, so your user account must possess Secrets Manager permissions. |

3.3.2. Generating NGC API Keys

Generating API keys is essential for authenticating with NGC services using the NGC CLI, Docker CLI, or direct API requests.

3.3.2.1. Generating a Personal API Key

Sign in to the NGC website. From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.

Click your user account icon in the top-right corner and select Setup.

Click Generate API Key from the available options.

On the Setup > API Keys page, click + Generate Personal Key on the menu or the pane.

In the Generate Personal Key dialog, fill in the required information for your key.

Key Name: Enter a unique name for your key.

Expiration: Choose the expiration date for the key.

Services Included: Choose from the available services the key is permitted to access. Refer to Assigning Services to Your Personal API Key to learn more about each service and when to assign service access to your Personal Key.

Click Generate Personal Key when finished.

Your API key appears in the following dialog. NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by selecting Copy Personal Key or using the copy icon to the right of the API key.

You can generate up to eight personal keys and manage them from the Setup > Personal Keys dashboard. To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a personal key.

3.3.2.1.1. Assigning Services to Your Personal API Key

The services you can assign to a personal API key depend on two factors:

The services enabled for the NGC org where you generate the API key.

The service roles assigned to you by your NGC org owner or administrator.

For example, consider an NGC org with the following services enabled:

An NGC user account might have the following access roles assigned:

In this scenario, the NGC org has enabled NVIDIA Microservices, Private Registry, NVIDIA AI Enterprise, and Cloud Functions (NVCF). The user account has been granted access roles for all these services. Therefore, a personal API key can be generated with permissions to access one or all of them.

If a service is unavailable for assignment to the API key, it indicates that the org owner or administrator has not granted the user the necessary role for that service.

For details about each service listed above and its function, see the table Supported NGC Applications and API Key Types.

3.3.2.1.2. Generating a Legacy NGC API Key

To generate a legacy API key, go to Setup > API Keys and click + Generate Legacy Key in the Legacy Keys drop-down.

In the Generate Legacy Key dialog, click + Generate Legacy Key.

3.3.2.2. Generating a Service API Key

Sign in to the NGC website. From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.

Select Organization from the user account menu on the upper right.

Select Service Keys on the organization dashboard.

On the Organization > Service Keys page, click the + Create Service Key button to create a key.

In the Create Service Key dialog, fill in the required configuration. Service keys currently support services such as NVIDIA NIM, NGC Catalog, and Private Registry.

Assign scopes and resource permissions to the key. In the Entity Type field, select from the available options to grant to the API key. In the Scope field, choose from the available options.

Click Next Step to review your key configuration.

Once you have verified the configuration, click Confirm to generate your service key.

Your service key appears in the next dialog. NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by clicking the copy icon to the right of the API key or the Copy Service Key button.

Make sure to copy the key value before leaving this page. Once you navigate away, the key value cannot be retrieved, and replacing it will require generating a new key.

NGC supports multiple Service API keys, which are managed from the Organization > Service Keys dashboard. To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a service key.

Note: When managing containers, ensure the scopes Get Container and Get Container list are assigned to your service key. For other types of artifacts, add the Get Artifact and Get Artifact list scopes. These scopes are the minimum required to discover the artifacts that need to be managed. Refer to the NGC Catalog User Guide and Private Registry User Guide for more information.
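
For automation that uses a service key, the Docker CLI login shown under Examples using NGC API Keys can be run without the interactive Password prompt. The following is an added example, not NVIDIA's code: it assumes a POSIX system and a key file at a path you choose (hypothetical), and hands the key to docker login through --password-stdin so it never appears in the process arguments or shell history.

```python
import os
import stat
import subprocess

REGISTRY = "nvcr.io"
USERNAME = "$oauthtoken"  # literal user name from the page, not a shell variable


def read_key(path):
    """Return the key stored in `path`, refusing files other users can access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: open to group/others; restrict it to mode 600")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise ValueError(f"{path}: key file is empty")
    return key


def docker_login(key_path, run=subprocess.run):
    """Log in to nvcr.io with the key supplied on stdin; return the argv used.

    `run` is injectable (an assumption of this example) so the call can be
    exercised without a Docker installation.
    """
    key = read_key(key_path)
    argv = ["docker", "login", REGISTRY, "--username", USERNAME, "--password-stdin"]
    # argv is a list and no shell is involved, so '$oauthtoken' is passed
    # literally and the key is not part of the command line.
    result = run(argv, input=key.encode(), capture_output=True, check=False)
    if result.returncode != 0:
        # Report only the exit code; captured output is deliberately not echoed.
        raise RuntimeError(f"docker login failed with exit code {result.returncode}")
    return argv
```
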

3.4. Managing Users and Teams in NGC

This chapter applies to organization and team administrators, and explains the tasks that an organization or team administrator can perform from the NGC website.

When the Organization was created, an Organization owner was created from the primary technical contact information provided during the sales process. This organization owner will receive an email from NGC.

As the NGC Org owner for your organization, you can invite other users to join your organization’s NGC account. Users can then be assigned as members of teams within your organization. Teams are useful for keeping custom work private within the organization. You can also create other administrators in the organization to share that responsibility.

The general workflow for building teams of users is as follows:

The organization admin invites users to the organization’s NGC account.

The organization admin creates teams within the organization.

The organization admin adds users to appropriate teams, and typically assigns at least one user to be the team admin.

The organization or team admin can then add other users to the team.

3.4.1. NGC Registry User Roles

Prior to adding users and teams, familiarize yourself with the following definitions of each role. The NGC container registry supports the following user roles.

Organizational and Team Level Roles

The following roles can be assigned to a user.

Org Owner: This user is created at the time of Org creation. Up to two users can be assigned the Org Owner role at a given moment. This user can download/upload, push/pull or delete, add/remove users and create teams within an organization.

Registry Admin: This user can download/upload, push/pull or delete artifacts within an organization or team.

Registry User: This user can download, upload, push/pull artifacts within an organization or team.

Registry Read: This user can download and pull artifacts within an organization or team.

User Admin: This user can view and invite other users and user admins within an organization. At the team level, the User Admin can view and invite other users and user admins to that team. A User Admin can only grant roles that they possess.

User Read: This user can view details of an organization or team.

Note: A user must have the “Registry Read”, “Registry User”, and/or “User Admin” role to be a member of the organization or any team.

User Role Capabilities

| Capability | Registry Admin | Registry User | User Admin | Registry Read | User Read |
|---|---|---|---|---|---|
| Add teams | X | X | ✔ | X | X |
| Add new users to orgs or teams | X | X | ✔ | X | X |
| View users | ✔ | X | ✔ | X | X |
| Delete images | ✔ | X | X | X | X |
| View/Edit all image information via UI and CLI | ✔ | ✔ | X | X | X |
| View all artifacts, namely containers, models, and resources | ✔ | ✔ | ✔ | ✔ | X |
| Download all artifacts, namely containers, models, and resources | ✔ | ✔ | X | ✔ | X |
| Create and push/upload all artifacts, namely containers, models, and resources | ✔ | ✔ | X | X | X |

3.4.2. Creating Teams

Creating teams is useful for allowing users to share images within a team while keeping them invisible to other teams in the same organization. Only organization administrators can create teams.

To create a team:

Log on to the NGC application.

Select Organization from the user account menu.

From the dashboard or left navigation, select Teams. Then, click Create Team at the top of the screen.

Enter a team name and description, then click Create Team. Team names must be all lowercase.

3.4.3. Creating Users

As the organization owner or user administrator, you must create user accounts to allow others to use the NGC container registry within the organization.

Log on to the NGC application.

Click Organization from the user account menu.

From the dashboard or left navigation, select Users. Then, click Invite User at the top right of the screen.

Fill out the Invite New User form for the new user as follows:

Enter the display name and email where indicated.

Select the organization or team to be assigned.

Select the roles to assign to the user.

Click Add Role and then click Invite User when done.

An invitation email is automatically sent to the user.

3.4.4. Adding a New User to a Team

Org owners or org level user administrators can add users to any team in the organization. Team user administrators can add users to their teams.

Log on to the NGC application.

Click Organization from the user account menu.

Select Teams from the left navigation, and then select the team to which you want to add a user.

On the Users page, click Invite New User.

In the Invite New User dialog, follow the steps in section Creating Users to fill out the add user form and invite the new user to the team. Make sure the user is invited at the desired team context.

Users can be members of more than one team. To add a user to another team, repeat these steps for any additional teams.

3.4.5. Adding an Existing User to a Team

Org owners or org level user administrators can add users to any team in the organization. Team user administrators can add users to their teams.

Log on to the NGC application.

Click Organization from the user account menu.

From the dashboard or the left navigation, select Teams. Then, select the team to which you want to add a user.

On the Users page, click Add Existing User.

In the Find Existing User dialog, enter the name of the user you want to add. Select the user and click Edit User.

On the user information page, assign the user to the desired team and roles. Click Add Role to save your changes.

Users can be members of more than one team. To add a user to another team, repeat these steps for any additional teams.

3.4.6. Changing User Roles

You can change user assignments and roles for any users you create.

Log on to the NGC application.

Select the org and team for which you want to change the user role. Click your user icon to select from the list of orgs, select an org, and if applicable, select a team.

Click Organization from the user account menu.

Select Users from the left navigation. A list of all the users in the current registry space appears.

Select the user whose role you want to change. The User Information form appears.

Click Edit Membership. A prompt appears for editing membership roles.

You can assign new roles, update and delete user roles, and click Add Role when done.
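
A least-privilege review of role assignments against the User Role Capabilities table in section 3.4.1, as an added example that is not part of the NVIDIA documentation. The role-to-capability mapping is transcribed from that table; the capability identifiers, function names, and sample assignments are constructed for illustration.

```python
from itertools import combinations

# Role -> capabilities marked with a check in the User Role Capabilities table.
# The snake_case capability identifiers are assumptions made for this example.
ROLE_CAPS = {
    "Registry Admin": {"view_users", "delete_images", "edit_image_info",
                       "view_artifacts", "download_artifacts", "push_artifacts"},
    "Registry User": {"edit_image_info", "view_artifacts",
                      "download_artifacts", "push_artifacts"},
    "User Admin": {"add_teams", "add_users", "view_users", "view_artifacts"},
    "Registry Read": {"view_artifacts", "download_artifacts"},
    "User Read": set(),  # the table marks none of the listed capabilities
}

# Constructed sample: user -> (roles currently assigned, capabilities needed).
SAMPLE = {
    "ci-publisher": ({"Registry Admin"}, {"push_artifacts"}),
    "analyst": ({"Registry Read"}, {"download_artifacts"}),
    "team-lead": ({"User Admin", "Registry User"}, {"add_users", "download_artifacts"}),
}


def granted(roles):
    """Union of the capabilities of every role in `roles`."""
    return set().union(*(ROLE_CAPS[r] for r in roles))


def minimal_roles(needed):
    """Role set covering `needed` with the fewest extra capabilities, then fewest roles."""
    needed = set(needed)
    best = None
    for size in range(1, len(ROLE_CAPS) + 1):
        for combo in combinations(sorted(ROLE_CAPS), size):
            caps = granted(combo)
            if needed <= caps:
                score = (len(caps - needed), size)
                if best is None or score < best[0]:
                    best = (score, set(combo))
    if best is None:
        raise ValueError(f"no role combination grants {sorted(needed)}")
    return best[1]


def audit(assignments):
    """Return {user: finding} for users whose roles exceed the minimal set."""
    findings = {}
    for user, (roles, needed) in assignments.items():
        suggest = minimal_roles(needed)
        excess = granted(roles) - granted(suggest)
        if excess:
            findings[user] = {"excess": excess, "suggest": suggest}
    return findings
```

Running audit(SAMPLE) flags the two constructed accounts that hold more than their stated needs and names the smaller role set that would still cover them.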