Authenticating Cloudera AI Inference service

Cloudera AI Inference service uses a CDP_TOKEN obtained from the User Management Service (UMS) to authenticate users and clients that interact with all HTTP endpoints exposed by the service workload.

UMS tokens expire after one hour by default.
If a token is expired, the service returns an HTTP 401 Unauthorized response.
To extend the token lifetime, use the following command:
```
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec [***EXPIRATION TIME IN SECONDS***]
```
note
This setting applies to the entire Cloudera account and is not limited to Cloudera AI Inference service. Increasing the token expiration time may introduce security risks, as JWT tokens, unlike API keys, cannot be revoked. Additionally, note that the above command requires the AUTHENTICATION_POLICY Cloudera entitlement.
note
Extending the lifetime of the token is available only from Cloudera AI on premises 1.5.5 SP1 and higher releases.

Cloudera AI Inference service supports tokens issued by the following identity providers:

User Management Service (UMS) (part of the Cloudera Control Plane)

Obtain the CDP_TOKEN from the User Management Service (UMS) using either the CDP CLI or Cloudera AI Inference service UI.

Optional: Use the CDP CLI:
```
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name DE | jq -r '.token')
```
note
The same workload name (for example, DE in the above command) can be used to authenticate with Cloudera AI Inference service.
Optional: Use the Cloudera AI Inference service UI, navigate to Model Endpoints:
1. In the Cloudera console, click the Cloudera AI tile.
  The Cloudera AI Workbenches page displays.
2. Select Model Endpoints under Deployments on the left navigation menu.
3. Click your model endpoint.
4. Click on Code Sample.
5. Click on Copy CDP Token.