Nebius Cloud

Firefly integrates with Nebius Cloud to pull in information about your cloud resources—such as compute instances, GPU clusters, Kubernetes node groups, PostgreSQL clusters, container registries, and more—directly into your Firefly Inventory. This enables you to view, manage, and govern Nebius assets. You can use Firefly to enforce infrastructure-as-code (IaC) practices and apply policies across your Nebius environment, helping ensure compliance, visibility, and best practices at scale.

Best Practices

For governance, mark your production integrations using the "Mark as Production" option during setup (or edit this setting later in the Integrations window).
Use a dedicated Nebius service account for Firefly's access rather than sharing with other applications.
Store Firefly API credentials securely using environment variables or a secrets manager.

Integration Method

Nebius integration is performed using a Terraform module that creates the necessary IAM resources and registers the integration with Firefly.

Terraform Module Creates a service account with read access to your Nebius resources and optionally configures audit log permissions for event-driven integration.

Using Terraform Module

The Terraform module is the recommended method for Nebius integration as it provides automated, repeatable deployment that fits into your existing IaC workflows.

Prerequisites

Terraform >= 1.5.0 installed
Nebius CLI installed and configured (Installation Guide)
Firefly Credentials (access key and secret key from Firefly console)
IAM admin permissions in your Nebius tenant (to create service accounts and access permits)

Setup Procedure

Log in to your Nebius tenant with permissions to create IAM resources.
In Firefly, go to Settings > Integrations.
Select Add New > Nebius.
Enter your Tenant ID and Project ID (see Getting Your IDs below).
(Optional) Enter an Integration Name to customize how this integration appears in Firefly.
(Optional) Select Mark as Production to flag this account as production in Firefly.
(Optional) Select Enable Event-Driven to enable audit log permissions for real-time event-driven scanning.
Click Generate Terraform Snippet to create the module configuration.
Copy the generated Terraform snippet to a new file (e.g., main.tf).
Configure Nebius authentication (see Authentication Methods below).
Run terraform init && terraform plan && terraform apply.
Once the Terraform apply completes, Firefly will automatically detect the integration and begin scanning your resources.

Getting Your IDs

Use the Nebius CLI to retrieve your Tenant ID and Project ID:

# Get tenant ID
nebius iam tenant list

# Get project ID (replace <tenant-id> with your tenant ID)
nebius iam project list --parent-id <tenant-id>

Nebius Authentication Methods

The Terraform module supports three authentication methods for running the onboarding:

Option 1: Environment Variables (Recommended for CI/CD)

Set the following environment variables before running Terraform:

export NB_SA_ID="serviceaccount-xxxxxxxxxxxx"
export NB_SA_PUBLIC_KEY_ID="publickey-xxxxxxxxxxxx"
export NB_SA_PRIVATE_KEY_FILE="/path/to/private.pem"

In your Terraform configuration:

nebius_auth_method = "env"

Option 2: Direct Credentials

Specify credentials directly in the Terraform module:

nebius_auth_method        = "service_account"
nebius_service_account_id = "serviceaccount-xxxxxxxxxxxx"
nebius_public_key_id      = "publickey-xxxxxxxxxxxx"
nebius_private_key_file   = "/path/to/private.pem"

Option 3: CLI Profile (Local Development)

Use an existing Nebius CLI profile:

nebius_auth_method = "profile"
nebius_profile     = "myprofile"

Creating Nebius Admin Credentials

If you need to create new admin credentials for running the Terraform module:

# Create service account with admin permissions
nebius iam service-account create --name firefly-admin-sa --parent-id <project-id>

# Get service account ID
export SA_ID=$(nebius iam service-account get-by-name \
  --name firefly-admin-sa --format json | jq -r ".metadata.id")

# Add to admin group (replace <admin-group-id> with your admin group)
nebius iam group-membership create --parent-id <admin-group-id> --member-id $SA_ID

# Generate authorized key
nebius iam auth-public-key generate --service-account-id $SA_ID \
  --output ~/nebius-admin-key.json

# Extract credentials for environment variables
export NB_SA_ID=$(cat ~/nebius-admin-key.json | jq -r '.["subject-credentials"].iss')
export NB_SA_PUBLIC_KEY_ID=$(cat ~/nebius-admin-key.json | jq -r '.["subject-credentials"].kid')
cat ~/nebius-admin-key.json | jq -r '.["subject-credentials"]["private-key"]' > ~/nebius-admin.pem
export NB_SA_PRIVATE_KEY_FILE=~/nebius-admin.pem

Terraform Module Example

module "firefly_nebius_onboarding" {
  source = "github.com/gofireflyio/firefly-nebius-onboarding?ref=main"

  # Required
  tenant_id          = "tenant-xxxxxxxxxxxx"
  project_id         = "project-xxxxxxxxxxxx"
  firefly_access_key = var.firefly_access_key
  firefly_secret_key = var.firefly_secret_key

  # Nebius Authentication - choose one method:

  # Option 1: Environment variables (default, recommended for CI/CD)
  # Set: NB_SA_ID, NB_SA_PUBLIC_KEY_ID, NB_SA_PRIVATE_KEY_FILE
  nebius_auth_method = "env"

  # Option 2: Direct credentials
  # nebius_auth_method        = "service_account"
  # nebius_service_account_id = "serviceaccount-xxxxxxxxxxxx"
  # nebius_public_key_id      = "publickey-xxxxxxxxxxxx"
  # nebius_private_key_file   = "/path/to/private.pem"

  # Option 3: CLI profile (local development)
  # nebius_auth_method = "profile"
  # nebius_profile     = "myprofile"

  # Optional
  # integration_name  = "My Nebius Integration"
  # is_prod           = true
  # enable_audit_logs = true
}

Module Variables

Required Variables

Variable

Description

tenant_id

Nebius Tenant ID

project_id

Nebius Project ID where service account will be created

firefly_access_key

Firefly access key (from Settings > Access Keys)

firefly_secret_key

Firefly secret key

Optional Variables

Variable

Default

Description

integration_name

Tenant name

Custom integration name in Firefly

prefix

""

Prefix for created resource names

suffix

""

Suffix for created resource names

existing_service_account_id

null

Use existing service account instead of creating new

existing_group_id

null

Use existing group instead of creating new

is_prod

true

Mark integration as production environment

enable_audit_logs

true

Enable audit log permissions for event-driven

skip_integration_request

false

Skip Firefly API registration (for testing)

Created Resources

The Terraform module creates the following resources in your Nebius tenant:

Resource

Name

Description

Service Account

firefly-integration

Used by Firefly to access your environment

Group

firefly-group

Contains the service account

Group Membership

—

Links service account to group

Access Permit

viewer

Read-only access on tenant for inventory discovery

Access Permit

auditlogs.audit-event-viewer

View audit logs (if event-driven enabled)

Access Permit

auditlogs.audit-event-exporter

Export audit logs (if event-driven enabled)

Auth Public Key

—

RSA key pair for service account authentication

IAM Permissions

The integration creates the following access permits:

Viewer Role — Allows Firefly to discover and inventory all Nebius resources in your tenant, including compute instances, GPU clusters, Kubernetes resources, databases, and storage.

When event-driven integration is enabled:

Audit Log Viewer — Allows reading audit log events for real-time change detection.
Audit Log Exporter — Allows exporting audit log events to Firefly for processing and analysis.

Event-Driven Integration

When enable_audit_logs is set to true (default), the integration configures audit log permissions for real-time event-driven scanning. This enables Firefly to detect changes in your Nebius environment as they happen, providing faster drift detection and inventory updates.

Nebius Discovery Status

To scan your integration for changes and discover new assets on-demand:

Procedure

Go to Settings > Integrations > Nebius.
Find the integration you want to scan.
For asset changes, on the integration menu, select Scan Assets.
For IaC stacks changes, on the integration menu, select Scan Stacks.
View changes in the Inventory and/or IaC Explorer after several minutes.

Policy Evolution

The Terraform module uses versioned policies (policy_version output) to track permission changes over time. When Firefly requires additional permissions in the future, you can update the module version and re-apply to get the new policy.

Additional Resources

Firefly Nebius Onboarding Module — GitHub repository with full documentation
Nebius Cloud Documentation — Official Nebius documentation
Nebius CLI Installation — Guide to installing the Nebius CLI

PreviousOracle Cloud Infrastructure NextKubernetes

Last updated 23 days ago

Was this helpful?

hashtagBest Practices

hashtagIntegration Method

hashtagUsing Terraform Module

hashtagPrerequisites

hashtagSetup Procedure

hashtagGetting Your IDs

hashtagNebius Authentication Methods

hashtagCreating Nebius Admin Credentials

hashtagTerraform Module Example

hashtagModule Variables

hashtagCreated Resources

hashtagIAM Permissions

hashtagEvent-Driven Integration

hashtagNebius Discovery Status

hashtagProcedure

hashtagPolicy Evolution

hashtagAdditional Resources

Best Practices

Integration Method

Using Terraform Module

Prerequisites

Setup Procedure

Getting Your IDs

Nebius Authentication Methods

Creating Nebius Admin Credentials

Terraform Module Example

Module Variables

Created Resources

IAM Permissions

Event-Driven Integration

Nebius Discovery Status

Procedure

Policy Evolution

Additional Resources