NGC User Guide
This document is a comprehensive guide to NVIDIA GPU Cloud (NGC), providing detailed instructions on setting up, managing, and optimizing your cloud environment, including creating accounts, managing users, accessing pre-trained models, and leveraging NGC's suite of AI and HPC tools.
NVIDIA NGC™ is a cloud platform providing fully managed services, including NVIDIA AI Enterprise, DGX Cloud, and Riva Studio for Natural Language Understanding (NLU) and speech AI solutions. AI practitioners can leverage NVIDIA DGX Cloud for model training, NVIDIA AI Enterprise to obtain the latest NVIDIA NIM™ models, and the NGC Private Registry for securely sharing proprietary AI software. NGC also hosts a catalog of GPU-optimized AI software, SDKs, and Jupyter Notebooks to accelerate AI workflows and offers support through NVIDIA AI Enterprise.
Enterprises access their AI cloud services via a dedicated virtual NVIDIA Cloud Account (NCA) linked to the NGC organization where their services are enabled.
NGC provides software to meet the needs of data scientists, developers, and researchers across various levels of AI expertise.
All software hosted on NGC undergoes thorough scans for common vulnerabilities and exposures (CVEs), crypto, and private keys.
In addition to security scanning, NGC software is tested against a wide range of GPU-enabled platforms, including public cloud instances, workstations, and OEM servers designed for data center or edge deployments. Supported GPUs include H100, V100, A100, T4, Jetson, and the RTX Quadro.
NGC software is tested and assured to scale across multiple GPUs and, in some cases, across multiple nodes, ensuring users can fully utilize their GPU-powered servers out of the box.
For select containers, NVIDIA offers NGC Support Services to run software on DGX platforms or certified OEM servers. The service gives enterprise IT direct access to NVIDIA subject matter experts to quickly address software issues and minimize system downtime.
An NGC organization (org) is linked to an NVIDIA Cloud Account and shares the same account number. The dedicated account instance is used to enable and manage NVIDIA cloud services.
Users can access an NGC org in the following ways:
1) A user can sign up for a free NGC org through the NGC sign-in portal and create a new NVIDIA cloud account that grants access to an NGC org enabled with NVIDIA Catalog access (public artifacts only).
2) NVIDIA sends a message to the company or person granted entitlement for a service delivered in NGC. This can happen through a purchase order, early trial program, or other commercially related offers. The message's recipient then follows the entitlement steps to be granted an NVIDIA Cloud Account and gain access to their NGC service.
3) The account owner adds a user to an NCA account, then grants the required permissions to access the NGC org. The account owner will invite the user through an NCA invitation email or add the user using a corporate AD group membership rule mapped to the NGC org. Note that only 'enterprise' type orgs support the ability for account owners to manage additional users.
Users who sign up for an NGC org through the NGC sign-in portal get assigned an NCA account linked to an individual org that is automatically enabled with the NGC Catalog service and grants authenticated access to the catalog. An individual org is only accessible by a single user, the org owner. The NCA account linked to the org supports additional users, but these users cannot be assigned NGC access permissions.
An NVIDIA premium cloud service subscription, such as NVAIE or DGX Cloud, will be granted through purchase, an early access program, or the NGC Activate Subscription portal. Subscriptions get enabled on enterprise NGC orgs. Alternatively, an individual org is converted to an enterprise org when a user activates their subscription through the NGC activate subscription portal. An NGC enterprise org is linked to an NCA account and supports additional users, subdividing NGC resources into NGC teams, and role-based access rules.
3.1. NVIDIA Cloud Accounts and NGC
NVIDIA Cloud Accounts (NCA) is required to manage user access within NGC. It is fully integrated with NGC, allowing user management to be handled within the NGC environment. This integration automates the process of adding users to the NCA account directly from the NGC Add User pane, eliminating the need for the NGC owner or administrator to navigate to the NCA UI separately.
![ngc-add-user-step-1.png](https://docscontent.nvidia.com/dims4/default/dfc5bd2/2147483647/strip/true/crop/1404x544+0+0/resize/1404x544!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-add-user-step-1.png)
After the user is added, the next step (Step 2) requires the NGC owner or administrator to assign access permissions to the service entitlements hosted in the NGC org (for example, NVAIE or DGX Cloud).
As a follow-up step, the owner or administrator can navigate to the NCA UI console to set up essential services, such as:
- Set up an account recovery email (Highly recommended)
- Add additional NCA administrators (Highly recommended)
- Enter company information
- Manage user tenancy status
Removing a user from NGC doesn't remove their associated NCA account. The user's access permissions within the NGC organization are revoked, but the NCA account itself remains active. To completely remove a user from all NVIDIA cloud services, the user must be removed at the NCA account level.
While users can be added and assigned permissions within the NGC UI console, administrators should be aware of additional steps necessary to manage the NCA account.
To learn more about NCA, visit NVIDIA Cloud Accounts.
NCA provides a convenient and scalable way to set up and manage access to NVIDIA cloud services for various users within your company.
![ngc-orgs-and-teams.png](https://docscontent.nvidia.com/dims4/default/fae50c6/2147483647/strip/true/crop/1305x379+0+0/resize/1305x379!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-orgs-and-teams.png)
3.2. NGC Teams
An NGC team is a virtual sub-unit within an org, each with its own registry space. Only members of the same NGC team have access to that team's registry space. Creating NGC teams allows users to share images within their team while keeping them hidden from other NGC teams in the same organization. Only the org owner or a user with the user admin role can create NGC teams. A user admin assigned at the org level (without specifying teams) can manage users across all NGC teams within the organization. If assigned to a specific NGC team, the user admin can access and manage users only within that team.
To create an NGC team, follow these steps:
- Log in to your NGC org.
- Select Organization from the user account menu.
- On the dashboard or in the left navigation, select Teams.
- On the Teams page, click Create Team in the upper-right corner.
- Enter a team name and description. Note that names must be all lowercase.
- Click Create Team to finish.
3.3. NGC Org Owner and Other Org Users
When an NGC org is created, an NVIDIA Cloud Account (NCA) is required to access the NGC org. The NCA account is automatically generated, and the user needs to name it. The user is assigned the owner role in NCA and NGC as the initial user.
As mentioned previously, an individual org is only accessible by the org owner; additional users are not supported. To verify the type of org you manage, sign in to NGC to access your org. Under the user account menu, select Organization, and then select Organization Profile in the left navigation pane.
![org-type-enterprise.png](https://docscontent.nvidia.com/dims4/default/7d7f01a/2147483647/strip/true/crop/920x505+0+0/resize/920x505!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Forg-type-enterprise.png)
The org owner possesses the highest admin privileges in an NGC org. The org owner of an enterprise org can add and remove NGC teams and users, and assign NGC permissions to each added user by managing the assignment of teams and roles. When a new user gets added, the org owner invites the user to join the NVIDIA Cloud Account, then assigns access to the entire org or limits the user's access to a team or a set of teams created within the org. Then, the org owner controls the user's access by assigning the permissions (roles) necessary to perform their functions within the org or team.
An org supports up to three org owners, and only an org owner can add or invite additional org owners to share in the NGC org management responsibilities. NCA supports only one owner, so to support additional NGC org owners, the account owner must assign the NCA "Admin" role when creating the add user invitation. For details, see the steps to add additional org owners. To prevent accidentally adding an outside user as an org owner, the email address domains of all org owners must match.
For example, if the users' email addresses are [email protected], [email protected], and [email protected], then all three can be added as org owners because their email address domains match. In contrast, if Peter’s email address was [email protected], then Peter cannot be added as an org owner.
Follow the steps in the next section to add a new org owner or additional users with different access permissions.
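The org owner rules in this section (at most three owners, matching email domains, the NCA "Admin" role for additional owners) and the earlier point that removing a user from NGC leaves the NCA account active can be checked in a periodic access review. The script below is an added example, not NVIDIA code: the inventory format, the Account fields, the finding codes and the sample users are all constructed for illustration, and exact domain matching is an assumption.

```python
from dataclasses import dataclass, field

MAX_ORG_OWNERS = 3                      # "An org supports up to three org owners"
NCA_MANAGER_ROLES = {"owner", "admin"}  # NCA roles an NGC org owner is expected to hold


@dataclass
class Account:
    # Hypothetical inventory record, built by hand from the NGC Users page and
    # the NCA console; this is not an NGC or NCA export format.
    email: str
    nca_role: str                                   # "owner", "admin" or "member" in NCA
    ngc_roles: list = field(default_factory=list)   # roles held in the NGC org or its teams


def email_domain(email):
    """Return the lowercased domain part; raise on anything that is not local@domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def review(accounts):
    """Return a list of (code, subject, detail) findings for one org's users."""
    findings = []
    owners = [a for a in accounts if "Owner" in a.ngc_roles]

    if len(owners) > MAX_ORG_OWNERS:
        findings.append(("OWNER_LIMIT", "org",
                         f"{len(owners)} org owners, limit is {MAX_ORG_OWNERS}"))

    # Reference domain: the single NCA account owner (assumption). If the
    # inventory has no NCA owner, fall back to the first NGC org owner.
    nca_owner = next((a for a in accounts if a.nca_role == "owner"), None)
    reference = nca_owner or (owners[0] if owners else None)
    ref_domain = email_domain(reference.email) if reference else None

    for a in owners:
        dom = email_domain(a.email)
        # Exact match only: a subdomain such as corp.example.com is reported too.
        if dom != ref_domain:
            findings.append(("OWNER_DOMAIN", a.email,
                             f"owner domain {dom} differs from {ref_domain}"))
        if a.nca_role not in NCA_MANAGER_ROLES:
            findings.append(("OWNER_NOT_NCA_ADMIN", a.email,
                             f"NGC org owner holds NCA role {a.nca_role!r}"))

    # Removing a user from NGC revokes NGC permissions but leaves the NCA
    # account active, so accounts without any NGC role need a second look.
    for a in accounts:
        if not a.ngc_roles:
            findings.append(("NCA_ONLY", a.email,
                             "NCA account active with no NGC roles"))
    return findings


# Constructed sample inventory (example.com / example.net are placeholder domains).
SAMPLE = [
    Account("alice@example.com", "owner", ["Owner"]),
    Account("bob@example.com", "admin", ["Owner"]),
    Account("carol@Example.com", "member", ["Owner"]),
    Account("peter@example.net", "admin", ["Owner"]),
    Account("dave@example.com", "member", ["Viewer", "User"]),
    Account("erin@example.com", "member", []),
]

if __name__ == "__main__":
    for code, subject, detail in review(SAMPLE):
        print(f"{code:20} {subject:22} {detail}")
```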
3.3.1. Adding NGC Users to an Org
The following section guides you through the steps to add a new org owner or additional users with different access permissions.
- Sign in to NGC. Select the correct NCA account linked to the NGC org you want to manage, and click Continue.
- Select Organization from the user account menu. On the dashboard or in the left navigation, select Users.
- Click Add User at the top-right corner.
Important: If your org is linked to an external IdP/SSO service, managing user membership using NGC IdP Membership Rules is recommended. If your IdP doesn't support groups, you can use the NGC add user service.
- In Step 1, invite the user to be an "admin" if they require the ability to manage users in the NCA account, or assign the "member" role in NCA if they do not manage users.
- Enter the user email address, making sure the domain matches your email domain.
- Assign the NVIDIA Cloud Account Role "Administrator" or "Member."
- Customize the invitation email to inform the user what this is for (optional).
- Set an expiry for the invitation link (default: 6 hours).
- Click Add User and Send Invitation to proceed to Step 2.
- After completing Step 1, you will see a successful invitation dialog, and the Step 2 configuration buttons become active.
User Role
To assign a role to the user:
- Select Organization for role assignment.
- Under the Organization roles, select Owner.
- Click Add Role to finish.
Note: If the user being added will not manage users or NGC teams, assign the "member" role in NCA and don’t assign the Owner or User Admin role in NGC.
Controlled Permissions
To assign controlled permissions to a user:
- Click the Organization or Team radio button.
- Assign a "role" under each NGC application, depending on the level of access to grant the user.
In this example, the user added is assigned the Viewer role under NVIDIA AI Enterprise and the User role under Private Registry. These permissions limit the user to viewing and pulling artifacts from the NVIDIA Catalog and pushing and pulling artifacts to the org's private registry.
To learn more about NGC cloud services user roles, refer to the links below.
Note: NVIDIA NGC is introducing a new user role, "Public API Endpoints User," to control access to NVIDIA inferencing credits used for calling NVIDIA API Catalog NIM endpoints. This role must be assigned to NGC organization users who need to generate an NGC Personal Key to use API Catalog credits. For more information, go to Assigning Services to Your Personal API Key. To update user roles, go to Updating User Roles.
Team Role Assignment
Assigning the user permissions at a Team level grants them access only to resources (such as containers, models) shared with that specific team. To grant a user access to resources across the entire org, assign the user roles at the Organization level.
- The user added will receive an NCA invitation email message that includes the NCA URL to accept the invite and access the NGC org.
In the case of org owners, after all three org owners are added, any org owner can replace another org owner when needed. An org owner can remove another org owner by going to the 'users' list and selecting Remove User.
![ngc-remove-user.png](https://docscontent.nvidia.com/dims4/default/34f6c19/2147483647/strip/true/crop/1332x139+0+0/resize/1332x139!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-remove-user.png)
When an org owner is deleted, an email notification is sent to the remaining active owners about the deletion event. Using the same steps above, a replacement owner can be invited.
3.3.2. Updating User Roles
The following section guides you through the steps to update user roles.
- After signing in and selecting the NGC org to update, navigate to the Organization > Users page.
- To locate the user, you can search by either email address or name using the filtering bar.
- Click on the user you want to modify, then click Edit Membership at the top of the page.
- Select the desired roles to add to the user and click Add Role. A confirmation message will appear.
- To remove roles, find the assigned roles in the table at the bottom of the page. Click the X to remove that role from the user.
Afterwards, you'll see a confirmation dialog.
3.3.3. Securing the Owner Account with Multi-Factor Authentication
When you create your owner account, you receive an NVIDIA identity account that is protected by a password you set at the time of owner account creation. You can further secure access to your owner account by setting up multi-factor authentication using the directions below:
- Go to NVIDIA and click the sign-in icon.
- Sign in with the credentials you set up during the org owner account setup.
- From your NVIDIA user profile page, navigate to the bottom, click on Security settings, and click Update.
- You will be prompted to enter your password again to access security settings.
- Navigate to the Multi-factor Security settings.
- You can now configure your identity account for two-factor authentication.
Go to the NVIDIA N-factor help page for details on how to set it up.
3.3.4. Contacting your Org Owner
As a user within an NGC organization, you may need to contact the organization owner to request a new service subscription or add a new user. NGC simplifies this communication with the Contact Admin option in your user account menu.
- First, sign into the NGC application with your organization. Then click on your user ID in the top right corner to access the user account menu.
- Select Contact Admin to open the email editor dialog.
Within this editor, you can choose from the following email templates:
- Product Request: Use this template when requesting a specific product for your <org-name> organization. For example, "I'd like to request the [product name] product for the <org-name> organization."
- Team Access Request: Select this template if you need to request access to the org or a particular team, such as "[team-name]," within your <org-name> organization.
Both templates come with pre-populated message content, but you can edit or delete portions of the message to create a customized message to send to your organization owner.
- Once you are ready to send the message, click Send.
The organization owner will receive the email from [email protected], and it will include your email address. The following is a sample email message:
By following these steps and using the Contact Admin option, you can easily initiate communication with your organization owner.
3.4. User Accepting an NGC Org Invitation
A user added will receive an NCA invite email requesting the user to join the NCA account to access NGC.
![welcome-email-new-user-ann.png](https://docscontent.nvidia.com/dims4/default/94eadf0/2147483647/strip/true/crop/573x407+0+0/resize/573x407!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fwelcome-email-new-user-ann.png)
After clicking the Login link in the email message, the user is automatically redirected to their appropriate sign-in method. If this is the user's first time signing in to NVIDIA Cloud Accounts, they are automatically prompted to create a new NVIDIA identity account using their email address, or they can select More Signup Options in the NVIDIA identity account creation portal to sign in using an existing social platform user account (e.g., Google, Facebook, Apple, or Discord).
Users who have an existing NVIDIA identity account are automatically prompted for their password to sign in and access NVIDIA NCA. Users ready to accept an invitation to access their NGC org go here. Users whose company has federated their NGC org to an external SSO identity provider are automatically redirected to their SSO portal to provide authentication credentials to sign in. To learn more about bringing your own SSO/IdP provider, see Using an External SSO for NGC Org Authentication.
For a successful user onboarding experience, customers should add the following NVIDIA email addresses to their allow-list in their firewall rules: '[email protected]', '[email protected]', '[email protected]', and '[email protected]'.
The following are ways to access an NGC org.
- NCA/NGC owner
- A user must create a new NVIDIA identity account, an NVIDIA cloud account, and register a new NGC individual org against it. Alternatively, the user receives an NCA welcome email and is invited to accept and sign in as the org owner of a new enterprise org.
- Org user
- The org owner, or an org user admin, adds a new user to the org (or team) and sends an NGC welcome email inviting the user to sign in.
- Subscription
- To access subscription-based software, users must provide Business Address details and a token (serial number, activation code, and so on). Note that this category also requires Authenticated Access.
4.1. Signing Up for an NVIDIA Cloud Account and Activating an Individual NGC Org
This section describes the steps to sign up for an NCA account and activate an individual NGC org.
- Go to the NGC sign-in page from your browser, enter your email address, and then click Continue.
- In this step you will create your NVIDIA sign-in identity using NVIDIA's default IdP. At the Create your Account screen, create a password, make sure to review the NVIDIA Account Terms of Use and Privacy Policy, and click Create Account to accept and proceed with account creation. You will receive an email to verify your email address.
A verification email is sent to your email address.
- Open the NVIDIA account creation email and click Verify Email Address.
You are automatically directed to nvidia.com and see an email verified successfully page. This window will close automatically.
- At the Almost done! dialog, set your communications preferences, and then click Submit.
- Enter the password you just created to continue setting up your NVIDIA Cloud Account. (This is a required security measure).
- Give your NVIDIA Cloud Account (NCA) a name that will help you identify it easily the next time you sign in.
- Complete your user profile at the Set Your Profile screen, agree to the NVIDIA GPU Cloud Terms of Use, and then click Submit.
Your NVIDIA account is created, and you are automatically redirected to your individual NGC org.
Your access to NVIDIA NGC org is now complete. You can choose to complete the setup of your NVIDIA Cloud Account now, or at a later time.
4.1.1. Setting up your NCA Account
To finish setting up your NVIDIA Cloud Account, find your NCA invitation email message in your inbox and click Log In Now.
- Your NVIDIA Cloud Account (NCA) provides the services to set up a recovery email address in case your existing one becomes unavailable, manage access for additional users (subscription required), and set up billing information to purchase consumption-based NVIDIA cloud products.
- Enter your email address to Login and click Continue.
- Enter the credentials you created for your NVIDIA identity account.
- On the NCA landing page you can find the details of your account. Here you can set up a recovery email address that can be used to regain access if the email address you used to create your account becomes unavailable. Go to Setting Up NCA Recovery Email for steps on how to set up your recovery email.
4.1.2. Setting Up NCA Recovery Email
To set up your NVIDIA Cloud Account (NCA) recovery email, follow these steps.
- Click Edit on the Account Details pane under the Account Management > Details page.
- On the Edit - Details dialog, enter the email address that you want to use for account recovery. This email address must be different from the address used to create the account. You can optionally set a description of this account. Click Save.
- Check to see that the recovery email status on the Account Details pane changed to Pending.
- Go to your recovery email inbox, search for the NVIDIA message with the title "NVIDIA Cloud Account, Verify Your Recovery Email", and click Verify.
You should see that your email has been verified.
- Go back to your NCA console and check the recovery email status has updated with the address you assigned.
4.2. Accessing an NGC Subscription from an NGC Welcome Email
When you are approved for an "early access" program for NVIDIA AI software delivered on NGC, you will receive a welcome email where you start your onboarding journey to access the software. To access NGC, you will need an ‘NVIDIA Cloud Account’ to manage access to NGC for you and additional users. Below are the steps to use your welcome email.
Go to the email inbox you used to apply for the early access program and find the email "Welcome to NVIDIA NGC". Click the Accept invitation and sign-in button.
![ngc-welcome-email-early-access.png](https://docscontent.nvidia.com/dims4/default/77a1e74/2147483647/strip/true/crop/789x615+0+0/resize/789x615!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-welcome-email-early-access.png)
If you are an existing NVIDIA user, go directly to NGC Subscription - Existing NGC User.
4.2.1. NGC Subscription - New User
This section describes signing in if you are new to NVIDIA.
New users are automatically prompted to create a new NVIDIA account.
- If you are new to NVIDIA, follow the steps below to create your NVIDIA sign-in identity account. Make sure to review the NVIDIA account Terms of Use and Privacy Policy, and click Create Account to accept and proceed with your identity account creation.
A verification email is sent to your email address.
- Open the email and click Verify Email Address.
You are automatically directed to nvidia.com and see an Email verified successfully page.
- In the Almost done! dialog, select your communication preferences, and then click Submit.
4.2.2. NGC Subscription - Existing NGC User
This section describes signing in if you already have an NVIDIA account.
After successfully signing into your NVIDIA identity account, you will need to choose between the following:
- An existing NCA account you own, or
- Creating a new NCA account to generate a separate NGC org to claim the subscription.
![ngc-select-or-create-nca.png](https://docscontent.nvidia.com/dims4/default/99a5d6b/2147483647/strip/true/crop/617x554+0+0/resize/617x554!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-select-or-create-nca.png)
You must be an 'owner' of an existing account to activate a new subscription against it.
If this is your first NCA account or you chose to create a new account for your subscription, you are prompted to give your account a meaningful name that will help you identify it easily the next time you sign in.
![create-nvidia-cloud-account-sub.png](https://docscontent.nvidia.com/dims4/default/b23c9af/2147483647/strip/true/crop/604x404+0+0/resize/604x404!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fcreate-nvidia-cloud-account-sub.png)
Accept the "Terms of Use" and "Privacy Policy."
![ngc-tos.png](https://docscontent.nvidia.com/dims4/default/381c46c/2147483647/strip/true/crop/477x306+0+0/resize/477x306!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-tos.png)
Your NVIDIA Cloud Account is created, and you are automatically redirected to your enterprise NGC org.
![ngc-landing-ai-enterprise.png](https://docscontent.nvidia.com/dims4/default/01ca909/2147483647/strip/true/crop/1999x570+0+0/resize/1440x411!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-landing-ai-enterprise.png)
Your access to NVIDIA NGC org is now complete. You can choose to complete the setup of your NVIDIA Cloud Account now, or at a later time.
Follow the steps in Setting up your NCA Account to finish setting up your NCA account. You will need to access your NCA account to add users to your enterprise NGC org.
4.3. Accessing NGC from an NCA Invitation Email
Follow these steps to accept an invitation to join an NVIDIA Cloud Account and access NGC.
- Check your email inbox for a message titled "You've been invited to an NVIDIA Cloud Account." Open the email and click Login to proceed.
- If you are new to NVIDIA, you are prompted to create an NVIDIA identity account. Create a password that is at least 9 characters long and uses a mix of uppercase and lowercase letters, numbers, and special characters. If you already have an NVIDIA identity account, enter your password to continue. You can skip to Step 6 below.
You will be asked to verify your email address in a confirmation email.
- Check your email inbox for a message titled "NVIDIA Accounts". Open the email and click Verify Email Address.
The email confirmation message will display in your browser.
- NVIDIA would like permission to send you the latest news related to our software and products, as well as learn more about how you use our websites to make sure we send you information relevant to you. Select your options and click Submit.
- You are prompted by NVIDIA Cloud Accounts to accept the invitation to join your company's account. Click Accept Invitation to continue joining.
- Enter your password (required for security).
- Accept the terms of use and privacy policy to access your software subscription.
You can now access the NGC org.
When you procure a software subscription delivered on NVIDIA NGC Cloud, you'll receive an entitlement certificate in an email with instructions on how to claim your entitlement. The following steps guide you through the entitlement registration process.
- Find the Entitlement Certificate Email
Open your email inbox and locate the email titled "NVIDIA Entitlement Certificate - Ref." containing your entitlement certificate attachment.
- Login or Register
- If you're an existing NVIDIA customer, click Already have an entitlement? Please Login.
- If you're a new NVIDIA customer, click the "registration page" link to begin claiming your entitlement.
- Sign In
Enter your NVIDIA username and click Sign In.
- Existing NVIDIA customers: Enter your password, and then click Login.
- New customers: Create a new identity user account by setting a password.
- Select or Create an NVIDIA Cloud Account (NCA)
- Returning customers: After logging in, choose an existing NCA or create a new NCA to claim your subscription entitlement. Select an existing account if you want the new subscription activated in the existing NGC org linked to the NCA account or create a new NCA to activate the subscription in a new NGC org.
- To use an existing account, select the desired account and click Continue.
Note: You must select an account you "own"; otherwise, the entitlement claim will fail.
Important: An NCA account (NGC org) entitled with a commercial type license cannot support adding an evaluation or Not-For-Resale type license. Mixing license types into one NCA account is not allowed. If you know the license type installed in your existing account does not match the license type you are claiming, or you don’t know the existing license type, please choose to Create a New NVIDIA Cloud Account.
- To create a new account, click Create New NVIDIA Cloud Account.
- New customers: You will be prompted to create a new NCA. Choose a meaningful account name for easy identification.
- Complete Entitlement Registration
After selecting or creating an NCA, you will be directed to the entitlement registration page. Fill out the required fields and click Register.
Required Information:
- Primary Contact Information
- First Name
- Last Name
- Email Address
- Claiming Entitlement as
- Company
- Company Name
- Location (Country)
- Address
- Industry
- Primary Contact Details*
- Location (Country)
- Address
- Phone
- Job Role
* Click the checkbox above if the Primary Contact address is the same as the company address.
- Email Confirmation and Access
After submitting the registration form, you'll receive two emails from NVIDIA:
- NVIDIA Application Hub Email: Click Log In to access your software subscription in NGC.
- NVIDIA Cloud Accounts Email: In the "You've been invited to an NVIDIA Cloud Account" email, click Log In Now and log in.
Click the NVIDIA NGC card to access your software subscription in NGC.
NVIDIA Cloud Accounts allow you to view and manage additional users within your account, granting them access to NVIDIA cloud services.
Your registration is now complete!
An enterprise org can federate its external SSO/IdP identity service to centralize user authentication and manage access to NVIDIA cloud services. This section covers how to configure NGC org authentication through an external SSO provider such as Azure AD or Okta.
The setup process to federate an NGC org to an external SSO identity provider is now guided by an NVIDIA IdP onboarding wizard app and the steps are performed by the customer. To gain access to the IdP onboarding app, contact your NVIDIA sales representative or submit a support case with NVIDIA Enterprise Support. If you don’t have an NVIDIA sales rep or an active support contract, please email [email protected] and submit the following information in your request message:
- Your company name
- A list of email domains that must be associated with the partner (e.g. acme.com, acme.net). The list can only include domains owned by the customer.
Note: If the request is submitted by email, an identity verification process will be required before the IdP onboarding can be started.
- The email addresses of the customer representatives who are expected to perform the IdP federation configuration steps.
6.1. Federating IdP with NVIDIA Cloud Services
When your request to federate your IdP is approved, you will receive an email with the NVIDIA URL to access the IdP onboarding configuration tool. Follow the steps below.
- Access the Tool
Locate the NVIDIA email, then either create an NVIDIA identity account with your work email or sign in with an existing account.
- Initial Setup
After you log in, you will see the initial screen of the IdP onboarding tool. Complete the required fields and click Next.
- Your company name: NVIDIA will verify your employment.
- Your identity management system: Select your IdP (e.g., Azure AD, Okta) from the dropdown.
- Your email domains: Enter the domains managed by your IdP.
- Onboarding Wizard
You will be guided through a configuration wizard based on the IdP system you selected (Azure AD, OpenID Connect, or SAML).
- Entra ID (Azure AD)
- OpenID Connect Provider
- SAML
- Perform a Login Test
After completing the IdP onboarding configuration, follow the instructions to test the login process.
Read the Login test instructions and click Next.
Review your login test results. If successful across all login services, click Confirm. If not, troubleshoot your IdP system and retest.
- (Optional) Seek Support or Reassign Task
Use the "Help" button to access support options.
You can also reassign the task to complete the IdP configuration to a colleague.
- Complete the IdP onboarding
Once your login test is successful, you will see a success message.
The NVIDIA team will finalize the onboarding generally within one business day, and you will receive a confirmation email.
Once your IdP is federated, NVIDIA cloud platforms are not automatically enabled to authenticate users through your external IdP. Since your company may have users accessing NVIDIA cloud platforms with NVIDIA-based identity user accounts, we would like to assist in identifying these users, communicating upcoming changes, and planning the migration of enterprise entitlements to their new external IdP-based identity user accounts. Please contact [email protected] to conduct this audit and coordinate the transition.
6.2. Authenticating and Managing User Access
This chapter covers the steps required to authenticate users through an enterprise SSO/IdP identity service, add new users, manage user permissions and roles, and ensure secure access to organizational resources.
After an NGC org is federated against an enterprise SSO/IdP identity service, the users signing into NGC will automatically be prompted to authenticate against their enterprise SSO/IdP service and redirected back to NGC after a successful sign-in. To add new users to an org federated to an external SSO/IdP provider, the org owner follows the steps described in Adding NGC Users to an Org. Alternatively, suppose the external IdP provider supports OIDC claims to identify the user's membership to a group or set of groups. In that case, NGC can be configured to map these OIDC claims to NGC org, teams, and role assignments. See the NGC IdP Membership Rules section for more details.
Note that NGC orgs no longer manage user tenancy; users and/or groups are assigned "permissions" to access NGC org resources and are tenants of the NVIDIA Cloud Account (NCA) linked to the NGC org. Users and groups are now added to the NVIDIA Cloud Account.
If you are managing user memberships using IdP-based group tags (claims), you need to add these groups both in the NCA account under "Add Groups" and in the NGC org under "External IdP > IdP rules." (In the future, we will deliver a feature where groups are added in NCA and discovered automatically in NGC to assign access permissions.)
To ensure access to the NCA account and NGC org is never lost, even if the IdP service is rendered inaccessible, configure a "Recovery email address" under the NCA account. This email address will be used to authenticate you outside of your IdP. For more information about email recovery, refer to Setting Up NCA Recovery Email.
For NVIDIA to automatically detect the deletion or deactivation of a user managed by the external IdP, the customer must also integrate their IdP user management service with the NVIDIA identity federation system using "SCIM" or "Security Event Tokens" and allow user update events to flow to NVIDIA. NVIDIA will use these events to ensure that user accounts deleted on the enterprise side are reflected across all NVIDIA services. Any credential assets (e.g., API keys) owned by the removed user are immediately revoked upon receiving the deletion or deactivation event.
During the federation process, NVIDIA will share our IdP federation "Synchronization of users and group changes" document, and we will need to record a written acknowledgment (email is okay) of receipt of this information and a decision on whether or not you (customer) will implement the security event integration.
Some NVIDIA products (like NGC) provide a UI option for customers to manually disable/deactivate/dis-enroll users within the NVIDIA application and trigger the revocation of credential assets by deleting the user. For example, NGC supports removing a user from an NGC org, and this event automatically triggers the revocation of user-owned NGC API keys. However, such application-specific admin functions do not remove users from other NVIDIA applications unless the removal is performed at the NCA account level. The risk with this process is that if the user were part of other NVIDIA services that grant credential assets, these assets would remain as active dangling assets against those services because the user account remains "active" in our central identity service and NCA. The user's API keys are thus not revoked. The only way to guarantee NVIDIA-wide user account removal is to integrate user event sharing with the NVIDIA IdP federation service, and the customer must be guided to execute the NVIDIA recommended de-provisioning operations in the NVIDIA IdP federation service.
6.3. NGC IdP Membership Rules
An enterprise org can be federated to an external SSO/IdP identity service to centrally manage a company's rules for user authentication to cloud services.
When the NGC org is linked to an external IdP, the org owner will see the ability to start creating membership rules under the Organization > External IdP configuration page.
Only the org owner or the user_admin roles can manage IdP rules.
If you are an org owner, even if you are a member of a group configured in an IdP rule, the rule will not update your roles. By default, the org owner inherits admin privileges across all enablements and services in the owned org, and these role assignments are immutable.
![ngc-idp-create-rule.png](https://docscontent.nvidia.com/dims4/default/947db72/2147483647/strip/true/crop/1111x157+0+0/resize/1111x157!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-create-rule.png)
If the NGC org is not linked to an enterprise-owned SSO IdP provider, the 'External IdP' web prompt is disabled with a message stating the org is not linked to an IdP. You can request to link your org to an enterprise-owned SSO IdP by emailing [email protected].
![ngc-idp-org-external.png](https://docscontent.nvidia.com/dims4/default/42f06f8/2147483647/strip/true/crop/1000x492+0+0/resize/1000x492!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-org-external.png)
The membership rules feature uses OpenID Connect (OIDC) claims containing the user's membership attributes. However, if your integration is based on SAML, our IdP federation service will translate your SAML-based identities and group labels to the appropriate OIDC ID-token and group labels our Cloud Platforms expect.
Sample ID-token expected by NGC
![ngc-idp-oidc-claim.png](https://docscontent.nvidia.com/dims4/default/db8e85d/2147483647/strip/true/crop/694x575+0+0/resize/694x575!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-oidc-claim.png)
The ID-token contains several claims that carry attributes associated with the user. Specifically, we are interested in the "groups" claims values that map users to specific membership groups in their Active Directory (AD) service.
It's important to note that the external IdP uses the name "groups" to carry membership attribute values in the example above. However, other IdP providers may use a different name for their membership attribute claim. If your IdP provider uses a different claim name, check that NGC supports it by emailing [email protected].
An org owner or user_admin will create membership rules by mapping the name (alias) value of the IdP 'groups' claim to NGC org roles and permissions. Within the enterprise AD service, users assigned to these groups will receive the roles and permissions assigned to the group name in the NGC IdP rules.
Example
In this example, we are using Okta as the enterprise-owned SSO IdP provider. It is assumed the same person managing Okta also has NGC org owner permissions.
Okta Settings
First, the NGC org gets linked as a client application to the Okta IdP service.
![ngc-idp-okta-1.png](https://docscontent.nvidia.com/dims4/default/d4d1ad4/2147483647/strip/true/crop/1301x716+0+0/resize/1301x716!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-okta-1.png)
On Okta, managed users get assigned to the NGC client application, enabling them to sign in to NGC using their Okta SSO account.
At this point, users have not been assigned to a 'group'.
![ngc-idp-okta-2.png](https://docscontent.nvidia.com/dims4/default/0b8f7a3/2147483647/strip/true/crop/1291x936+0+0/resize/1291x936!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-okta-2.png)
On Okta, secure AD groups are created, and users can be assigned to a group or a set of groups.
![ngc-idp-okta-3.png](https://docscontent.nvidia.com/dims4/default/dc0f6ae/2147483647/strip/true/crop/1304x797+0+0/resize/1304x797!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-okta-3.png)
In this example, Adam and Amy are assigned to the NGC_AIE_PR_Admin group. Note that this is being done manually using the Okta user management feature, but this is typically managed automatically by using an enterprise active directory integrated into the IdP provider.
![ngc-idp-okta-4.png](https://docscontent.nvidia.com/dims4/default/8617d45/2147483647/strip/true/crop/1290x732+0+0/resize/1290x732!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-okta-4.png)
At this point, Adam and Amy can sign into NGC, but there isn't an IdP rule that assigns them NGC org roles and permissions. The next section covers creating the NGC IdP membership rules that will grant Adam and Amy their roles.
Configuring NGC
After the IdP groups are created and users are assigned to secure AD groups on the Okta IdP side, the administrator (org owner) is ready to configure NGC IdP membership rules.
NGC
In the NGC web application, go to NGC External IdP settings and click Create Rule.
Type in a Rule Name that describes the purpose of the rule.
Then, under the If group equals field, enter the name of the IdP 'group' claim that will map to this rule. Note that the name must match exactly and is case-sensitive.
Finally, assign the NGC team or org-level access, and assign cloud service roles to grant to users that are assigned to the group. Click Save.
![ngc-idp-rule-details.png](https://docscontent.nvidia.com/dims4/default/6ca3ba5/2147483647/strip/true/crop/640x700+0+0/resize/640x700!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-rule-details.png)
Once the rule is saved, the org owner must activate the rules to apply the membership roles to Adam and Amy when they sign in.
![ngc-idp-active-confirm.png](https://docscontent.nvidia.com/dims4/default/cd943ba/2147483647/strip/true/crop/920x613+0+0/resize/920x613!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-active-confirm.png)
This completes the creation of an NGC IdP membership rule.
The org owner or user_admin can create multiple rules to support multiple group claim values from the IdP. An example of multiple IdP membership rules created can be seen below.
![ngc-idp-external-rules.png](https://docscontent.nvidia.com/dims4/default/38c37a9/2147483647/strip/true/crop/920x603+0+0/resize/920x603!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-idp-external-rules.png)
The NGC IdP membership rules do not go into effect until they are "activated". Users' accounts that were added using the manual method will continue to use NGC role permissions assigned through 'Users' invite user membership configurations.
When the Activate Rules button is clicked, the org owner or user_admin is prompted to confirm activation of the IdP rules. When the rules are activated, the NGC IdP rule system reviews user memberships previously added to the org using the "user invitation" method. The NGC IdP rule system will check if the user account maps to a new IdP membership rule. If one does, the previous account membership is deleted, and a new user account membership using the same email address and IdP association will be created. The permissions and roles that get assigned to the new account membership are based on the IdP 'groups' claim attribute.
Previous user accounts that are determined not to have an associated IdP rule remain as active user accounts under "Users" account memberships. An org owner or user admin can remove these users if the org should only be accessible by members mapped to IdP rules.
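The following pre-activation check is an added example, not NVIDIA code: it models the exact, case-sensitive group matching and the activation behaviour described above so an administrator can review the outcome before clicking Activate Rules. The rule table layout, the second group name, the role placeholders, the email addresses and the sample token are all constructed assumptions; only the `groups` claim name and `NGC_AIE_PR_Admin` come from this guide.

```python
import base64
import json


def decode_id_token_claims(token: str) -> dict:
    """Return the payload claims of a JWT-format ID token WITHOUT verifying it.

    For offline inspection only; signature validation is the relying party's job.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_claims(claims: dict, claim_name: str = "groups") -> list:
    """Read the membership claim; some IdPs emit a single string, not a list."""
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        return [value]
    return [g for g in value if isinstance(g, str)]


def evaluate(groups: list, rules: dict) -> tuple:
    """Match groups to rules exactly (case-sensitive) and report near misses.

    A near miss is a group that equals a rule name only after trimming
    whitespace and ignoring case, i.e. a likely typo in the rule or the IdP.
    """
    matched = sorted(g for g in set(groups) if g in rules)
    folded = {name.strip().casefold(): name for name in rules}
    near = sorted(
        (g, folded[g.strip().casefold()])
        for g in set(groups)
        if g not in rules and g.strip().casefold() in folded
    )
    return matched, near


def plan_activation(invited: dict, rules: dict) -> dict:
    """Partition invited users the way the guide describes rule activation:
    users whose groups map to a rule get their membership replaced, the rest
    stay as manually managed members."""
    plan = {"replaced_by_rule": [], "stays_manual": [], "check_spelling": []}
    for email, groups in sorted(invited.items()):
        matched, near = evaluate(groups, rules)
        if matched:
            plan["replaced_by_rule"].append(email)
        else:
            plan["stays_manual"].append(email)
            if near:
                plan["check_spelling"].append(email)
    return plan


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed rule table: IdP group name -> placeholder role labels.
RULES = {
    "NGC_AIE_PR_Admin": ["PLACEHOLDER_ROLE_A"],
    "NGC_Viewers": ["PLACEHOLDER_ROLE_B"],  # hypothetical second group
}

# Constructed sample ID token carrying a "groups" claim.
SAMPLE_TOKEN = make_unsigned_token(
    {"email": "adam@example.com", "groups": ["NGC_AIE_PR_Admin", "Everyone"]}
)

# Constructed list of users previously added by invitation, with IdP groups.
INVITED = {
    "adam@example.com": ["NGC_AIE_PR_Admin"],
    "amy@example.com": ["NGC_AIE_PR_Admin", "Everyone"],
    "carol@example.com": ["ngc_aie_pr_admin "],  # wrong case, trailing space
    "dave@example.com": ["Everyone"],
}

if __name__ == "__main__":
    groups = groups_from_claims(decode_id_token_claims(SAMPLE_TOKEN))
    print("groups in token:", groups)
    print("rule evaluation:", evaluate(groups, RULES))
    print("activation plan:", plan_activation(INVITED, RULES))
```

Users listed under `stays_manual` keep their invited membership after activation, so review that list when the org should be reachable only through IdP rules.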
This section describes activating a subscription and linking it to your NGC Account.
These steps are only required for customers who have been given an activation code as part of the purchase of a GPU or DPU.
- Access the activation page directly via Activate Subscription.
- Sign in to NGC with your email address and password if prompted. If you have not created an NGC account, create one now.
- On the Activate Subscription page, enter your Business Information using your company's headquarters address and the serial number or activation code described by the specific offer. If entering multiple serial numbers or activation codes, use a comma to separate each.
- Click Activate Subscription.
- Once the system validates the serial numbers, review the information displayed and click Request Activation.
- The Subscriptions page will display for your organization with the active NVIDIA AI Enterprise subscription.
- Use the left navigation and click Enterprise Catalog to access the NVIDIA AI Enterprise software suite.
This section describes switching to a different org or team after logging in.
In the top menu bar, click your user account icon. Then, select your org menu to expand the view to other available orgs. If you manage many orgs, you can use the search field to find the specific org you want to select. Select the desired org by clicking it once.
![ngc-switching-org-team.png](https://docscontent.nvidia.com/dims4/default/12e6afe/2147483647/strip/true/crop/1111x357+0+0/resize/1111x357!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-switching-org-team.png)
Depending on the org or team you select, your current page may also refresh.
NVIDIA NGC API keys are required to authenticate to NGC services using NGC CLI, Docker CLI, or API communication. NVIDIA NGC supports three types of API keys.
- API Key (Original)
- This is the original type of API key available in NGC since its inception. This type allows you to create only one "API key" at a time. Generating a new key automatically revokes the previous one, as they cannot be rotated. The active key immediately becomes invalid when you create a new key.
Note:
NVIDIA will continue to support this key type for services that have not transitioned to the next-generation API keys. However, we encourage customers to migrate to our next-generation API keys when possible.
NVIDIA NGC introduces two new types of API keys supporting Role-Based Access Control (RBAC) configuration and the ability to manage the state of each key.
- Personal API Key
- Any user who is a member of an NGC org can generate Personal API Keys. These keys are tied to the user's lifecycle within the NGC org and can access up to the permissions and services assigned to the user. During the key generation steps, users can configure which NGC services are accessible by the API key and the time-to-live from one hour to 'never expires'.
- Service API Key
- Service API keys are not associated with individual user accounts; instead, they are linked to an NVIDIA cloud account and manage their lifecycle within the NGC org where they are created. The org owner and members assigned the user_admin role can create and manage Service API keys. The user_admin role must be assigned along with the specific application role for which the user will generate and manage service keys.
Note:
Service keys do not currently support listing artifacts in NGC CLI or Docker CLI. This functionality will be added in the future. In the meantime, use a Personal API key to list artifacts.
As NVIDIA rolls out support for "Personal" and "Service" API keys, the original NGC API keys will continue to be supported. We highly recommend generating new API keys using the latest "Personal" or "Service" type API keys. These key types deliver the ability to configure an expiration date, revoke or delete the key using an action button, and rotate the key as needed.
The NVIDIA NGC applications/services that support Personal and Service Keys are listed below:
NGC Application/Services | Service API Keys | Personal API Keys | NGC API Keys (Original) |
---|---|---|---|
NVIDIA NGC Catalog | Yes | Yes | Yes |
NVIDIA NGC Private Registry (Helm charts are not yet supported). | Yes | Yes | Yes |
NVIDIA NIM™ | Yes | Yes | No |
NVIDIA Fleet Command | No | Yes | Yes |
NVIDIA Base Command Platform | No | No | Yes |
If your NGC service isn't listed under Personal or Service Keys, continue using the original NGC API key. We'll update this list by adding support for other NGC services into our next-generation key types.
9.1. Generating a Personal API Key
- Sign in to the NGC website.
From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.
- Click your user account icon in the top right corner and select Setup.
- Click Generate Personal Key from the available options.
Personal Keys allow access to a set of NGC service APIs.
- On the Setup > Personal Keys page, click + Generate Personal Key, on the menu or the pane.
- In the Generate Personal Key dialog, fill in the required information for your key.
- Key Name: Enter a unique name for your key.
- Expiration: Choose the expiration date for the key.
- Services Included: Choose from the available services the key is permitted to access. Refer to Assigning Services to Your Personal API Key to learn more about each service and when to assign service access to your Personal Key.
- Click Generate Personal Key when finished.
Your API key appears in the following dialog.
- NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by selecting Copy Personal Key or using the copy icon to the right of the API key.
You can generate up to eight personal keys and manage them from the Setup > Personal Keys dashboard. To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a personal key.
9.1.1. Assigning Services to Your Personal API Key
The services you can assign to a personal API key depend on two factors:
- The services enabled for the NGC org where you generate the API key.
- The service roles assigned to you by your NGC org owner or administrator.
For example, consider an NGC org with the following services enabled:
![ngc-org-subscriptions.png](https://docscontent.nvidia.com/dims4/default/2232d3b/2147483647/strip/true/crop/1600x892+0+0/resize/1440x803!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-org-subscriptions.png)
An NGC user account might have the following access roles assigned:
![ngc-user-account-example.png](https://docscontent.nvidia.com/dims4/default/14af520/2147483647/strip/true/crop/562x808+0+0/resize/562x808!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-user-account-example.png)
In this scenario, the NGC org has enabled NVIDIA Microservices, Private Registry, NVIDIA AI Enterprise, and Cloud Functions (NVCF). The user account has been granted access roles for all these services. Therefore, a personal API key can be generated with permissions to access one or all of them.
![ngc-generate-personal-key-dialog.png](https://docscontent.nvidia.com/dims4/default/f98b859/2147483647/strip/true/crop/908x882+0+0/resize/908x882!/quality/90/?url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fk3-prod-nvidia-docs.s3.us-west-2.amazonaws.com%2Fbrightspot%2Fdita%2F00000194-da22-d33b-a1bc-dbea5bf80000%2Fngc%2Fgpu-cloud%2Fcommon%2Fgraphics%2Fgraphics-ngc%2Fngc-generate-personal-key-dialog.png)
If a service is unavailable for assignment to the API key, it indicates that the org owner or administrator has not granted the user the necessary role for that service.
For details about each service listed above and its function, see below.
Secrets Manager: The NGC Secrets Manager service enables the NGC user to store secret key pairs required to access NVIDIA or external services that require programmatic authentication.
If you need to use a personal API key to retrieve these secret keys from the Secrets Manager vault, you must assign the Secrets Manager service permission to your API key.
NGC Catalog: The NGC Catalog service provides access to NVIDIA AI artifacts available for download. Users can browse available artifacts and access information about each one. Access to gated catalog artifacts is controlled by the NVIDIA AI Enterprise subscription.
Grant your personal API key NGC Catalog service permission if you need to use it to access NGC Catalog API endpoints, such as downloading NIM artifacts.
Public API Endpoints: The Public API Endpoints service is required to call NVIDIA NIM inference endpoints. Although NIM inference endpoints are enabled on all NGC orgs and do not appear as a service in the NGC subscription portal, calling them consumes org credits. Therefore, users must have the appropriate role assigned to them to add this service to their personal API key and use org credits.
Cloud Functions (NVCF): The Cloud Functions service is required to access functions that are private or shared with a specific NGC org. If enabled, the NVCF service allows the creation and management of functions. Permissions for these functions (create, read, update, delete, list) can be assigned to a user and are then inherited by their personal API key.
Grant your personal API key access to the Cloud Functions service if you need to use it to invoke, manage, or list private or shared org functions.
Private Registry: The Private Registry service provides a private repository for NGC org users with appropriate role access to manage and store private artifacts. NGC users with Private Registry access can upload, download, create, delete, share, and list artifacts.
Assign Private Registry access to your personal API key if you need to use it to programmatically manage private artifacts in the org's registry via Private Registry API endpoints.
9.2. Generating a Service API Key
- Sign in to the NGC website.
From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.
- Select Organization from the user account menu on the upper right.
Select Service Keys on the organization dashboard.
- On the Organization > Service Keys page, click the + Create Service Key button to create a key.
- In the Create Service Key dialog, fill in the required configuration. Service keys currently support services such as NVIDIA NIM, NGC Catalog, and Private Registry. Assign scopes and resource permissions to the key.
In the Entity Type field, select from the available options to grant to the API key.
In the Scope field, choose from the available options.
- Click Next Step to review your key configuration.
- Once you have verified the configuration, click Confirm to generate your service key. Your service key appears in the next dialog.
- NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by clicking the copy icon to the right of the API key or the Copy Service Key button.
Make sure to copy the key value before leaving this page. Once you navigate away, the key value cannot be retrieved, and replacing it will require generating a new key.
NGC supports multiple Service API keys, which are managed from the Organization > Service Keys dashboard.
To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a service key.
Note: When managing containers, ensure the scopes Get Container and Get Container list are assigned to your service key. For other types of artifacts, add the Get Artifact and Get Artifact list scopes. These scopes are the minimum required to discover the artifacts that need to be managed. Refer to the NGC Catalog User Guide and Private Registry User Guide for more information.
9.3. Generating NGC API Keys
This section describes obtaining an API key to access locked container images from the NGC Registry.
- Sign in to the NGC website.
From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.
- Click your user account icon in the top right corner and select Setup.
- Click Generate API Key to open the API Key page.
The API Key is the mechanism that authenticates your access to the NGC container registry.
- On the API Key page, click + Generate API Key to generate your API key.
A warning message shows that your old API key will become invalid if you create a new one.
- Click Confirm to generate the key.
Your API key appears.
You only need to generate an API Key once. NGC does not save your key, so store it securely.
Tip: You can copy your API Key to the clipboard by clicking the copy icon to the right of the API key.
You can generate a new one from the NGC website if you lose your API Key. When you generate a new API Key, the old one is invalidated.
The NGC Notification Services feature enables NGC users to subscribe to email notifications to receive service change events. By subscribing to notifications, users can stay updated with the latest changes and developments in the NGC cloud platform and its services.
NGC customers can be informed of the following types of changes:
- Customer-impacting service enhancements (release notes)
- Security vulnerabilities (CVEs) and scanning reports
- Software end-of-life announcements
- Scheduled web portal maintenance to an NGC property
NGC customers can subscribe to notifications in the following ways:
- During their first sign-in, the NGC portal will pop up a modal allowing users to set their notifications preferences.
The following sample toast notification confirms the user’s email preference settings:
- After their initial sign-in, users can edit their notification preferences under their NGC user account settings page.
Notification preferences are organized based on the subscriptions enabled within the organization. Access to these preferences will be gated by the service roles assigned to each user.
Notice
THE INFORMATION IN THIS GUIDE AND ALL OTHER INFORMATION CONTAINED IN NVIDIA DOCUMENTATION REFERENCED IN THIS GUIDE IS PROVIDED "AS IS." NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE INFORMATION FOR THE PRODUCT, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA's aggregate and cumulative liability towards customer for the product described in this guide shall be limited in accordance with the NVIDIA terms and conditions of sale for the product.
THE NVIDIA PRODUCT DESCRIBED IN THIS GUIDE IS NOT FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED OR INTENDED FOR USE IN CONNECTION WITH THE DESIGN, CONSTRUCTION, MAINTENANCE, AND/OR OPERATION OF ANY SYSTEM WHERE THE USE OR A FAILURE OF SUCH SYSTEM COULD RESULT IN A SITUATION THAT THREATENS THE SAFETY OF HUMAN LIFE OR SEVERE PHYSICAL HARM OR PROPERTY DAMAGE (INCLUDING, FOR EXAMPLE, USE IN CONNECTION WITH ANY NUCLEAR, AVIONICS, LIFE SUPPORT OR OTHER LIFE CRITICAL APPLICATION). NVIDIA EXPRESSLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR SUCH HIGH RISK USES. NVIDIA SHALL NOT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY, IN WHOLE OR IN PART, FOR ANY CLAIMS OR DAMAGES ARISING FROM SUCH HIGH RISK USES.
NVIDIA makes no representation or warranty that the product described in this guide will be suitable for any specified use without further testing or modification. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer's sole responsibility to ensure the product is suitable and fit for the application planned by customer and to do the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer's product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this guide. NVIDIA does not accept any liability related to any default, damage, costs or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this guide, or (ii) customer product designs.
Other than the right for customer to use the information in this guide with the product, no other license, either expressed or implied, is hereby granted by NVIDIA under this guide. Reproduction of information in this guide is permissible only if reproduction is approved by NVIDIA in writing, is reproduced without alteration, and is accompanied by all associated conditions, limitations, and notices.
Trademarks
NVIDIA and the NVIDIA logo are trademarks and/or registered trademarks of NVIDIA Corporation in the United States and other countries. Other company and product names may be trademarks of the respective companies with which they are associated.