> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Nebius

> How DSALTA integrates with Nebius — data collected, setup guide, and automated compliance checks.

## Overview

DSALTA connects to Nebius AI Cloud using read-only IAM access to collect compliance evidence automatically. Data syncs every 24 hours and feeds into your Data Library modules.

<Info>
  **Read-only access.** DSALTA never modifies, creates, or deletes resources in your Nebius tenant. The connection uses a Nebius **service account** to read tenant user accounts and inventory for identity, access, and asset monitoring.
</Info>

## How to Connect

Nebius connects with a **service account** and an authorized key — DSALTA generates the key for you, so no CLI is required. You'll need **tenant admin** rights in the Nebius Console to set it up.

<Steps>
  <Step title="Check prerequisites">
    You need **tenant admin** rights in the Nebius Console to create a service account and upload an authorized key. The service account must be in the tenant **admins** or **editors** group — a `viewer` or `auditor` cannot read tenant user accounts.
  </Step>

  <Step title="Create the service account and upload the key">
    In the [Nebius Console](https://console.nebius.com), create a service account and add it to the **admins** (or **editors**) group so DSALTA can read users. Then upload the public key that DSALTA provides as an **authorized key** on that service account — no CLI needed.
  </Step>

  <Step title="Enter your Nebius IDs">
    In the DSALTA sidebar, go to **Integrations**, find **Nebius**, and click **Connect**. In the secure window, paste your **Tenant ID** (starts with `tenant-e00…`), **Service account ID** (starts with `serviceaccount-e00…`), and the **Public key ID** shown in the Console after uploading the key (starts with `publickey-e00…`), then click **Connect**.
  </Step>

  <Step title="Validate and finish">
    DSALTA verifies the service account against Nebius IAM and completes the connection. It then runs an initial sync, after which the compliance checks below activate. The connection is durable — it never expires.
  </Step>
</Steps>

## Automated Compliance Checks

Each check below runs automatically every 24 hours. Click any check for step-by-step remediation guidance.

| Check                                                                                                      | Description                                                                                            |
| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| [At least one identity source should be connected](/integrations/nebius/identity-source-connected)         | Checks that Nebius IAM is connected and a tenant identity source is reachable.                         |
| [Inactive user accounts should be disabled](/integrations/nebius/inactive-accounts-disabled)               | Checks that Nebius tenant user accounts in a non-active state are disabled or removed.                 |
| [Service accounts should be inventoried and owned](/integrations/nebius/service-accounts-inventoried)      | Checks that Nebius service accounts are enumerated and attributable to an owner.                       |
| [Service account keys should be rotated within 90 days](/integrations/nebius/service-account-keys-rotated) | Checks that Nebius service account keys/tokens are rotated within the configured window.               |
| [Human access should use federated SSO](/integrations/nebius/federated-sso-enforced)                       | Checks that human users access Nebius through a federated identity provider (e.g. Microsoft Entra ID). |

## Troubleshooting

<AccordionGroup>
  <Accordion title="Integration shows Disconnected">
    Reconnect from **Integrations → Nebius → Reconnect**. This usually happens if the authorized key was removed from the service account in the Nebius Console, or the service account was deleted or dropped from the admins/editors group. Re-upload the key or restore the group membership, then reconnect.
  </Accordion>

  <Accordion title="Data is not syncing">
    Confirm the service account is still in the tenant **admins** or **editors** group — a `viewer` or `auditor` cannot read tenant user accounts. Verify the Tenant ID, Service account ID, and Public key ID are correct and that the public key is still present as an authorized key, then trigger a manual sync from the integration settings.
  </Accordion>
</AccordionGroup>
