Adding Private Model Connectors

Describes creating model connectors for Azure OpenAI, Google Gemini, and AWS Bedrock. Covers prerequisites (API keys, CloudFormation), creation, and group policy assignment.

Updated over 2 weeks ago

Model connectors link SurePath AI to a private AI provider so that the underlying model can be used in two ways. The first is powering the SurePath AI Private Portal, which gives users a governed interface for interacting with privately hosted AI models. The second is enabling the SurePath AI Gateway and Model Router, which intercepts inference requests from AI tools and developer environments and redirects them to privately hosted models. For more on the Gateway and Model Router, see Using the SurePath AI Gateway and Model Router with Claude Code.

Each section below covers the requirements and steps for creating a connector for a specific provider. Once a connector is active, proceed to the Add and enable your Private Model section to make the model available to users.

Azure OpenAI

Note: Azure AI is migrating to Microsoft Foundry. All new models are available in Foundry only. The Azure OpenAI connector continues to work for existing deployments, but Microsoft Foundry is recommended for new setups. See the Microsoft Foundry section below.

Requirements

  • Azure OpenAI API key (Azure OpenAI Service)

  • Admin access or higher to the SurePath AI admin interface

Create an Azure OpenAI connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector. This name will be used when selecting a connector while adding a private model.

  • Select Azure OpenAI from the Type field.

  • Enter the API Key obtained from Azure.

  • Enter the Account Name.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

Microsoft Foundry

Requirements

  • An Azure AI Foundry resource and project, with the Resource Name, Project Name, and API key (Create an Azure AI Foundry project)

  • Admin access or higher to the SurePath AI admin interface

Locate Microsoft Foundry credentials

  • Sign in to the Microsoft Foundry portal.

  • Create or open an existing project. The Project Name is displayed in the upper-left of the portal.

  • The Resource Name is the name of the Azure AI Services resource associated with the project, visible in the Azure Portal under the relevant resource group.

  • On the project Home page, the API Key is displayed alongside the project endpoint. Alternatively, navigate to the resource in the Azure Portal, select Keys and Endpoint under Resource Management, and copy Key 1 or Key 2.

Create a Microsoft Foundry connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select Microsoft Foundry from the Type field.

  • Enter the Resource Name.

  • Enter the Project Name.

  • Enter the API Key.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

Google Gemini

Requirements

  • Google Gemini API key (Google AI Studio)

  • Admin access or higher to the SurePath AI admin interface

Create a Google Gemini connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector. This name will be used when selecting a connector while adding a private model.

  • Select Google Gemini from the Type field.

  • Enter the API Key obtained from Google.

  • Enter the Account Name.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

AWS

Note: Specific foundation models must be enabled in the AWS account before they can be used with SurePath AI. Complete the model enablement steps below before creating a connector.

SurePath AI supports two authentication methods for AWS connectors: role assumption via a CloudFormation stack, and access keys using an IAM user's credentials. Choose the method that aligns with your organization's security policies.

Requirements

  • Permissions to enable Amazon Bedrock and configure IAM in AWS

  • AWS account number (12-digit)

  • Admin access or higher to the SurePath AI admin interface

Enable GenAI models in AWS

Before creating a connector, ensure the required foundation models are enabled in your AWS account. See Enable AWS Bedrock foundation models for instructions.

Create an AWS connector — role assumption

A SurePath AI connector created via role assumption uses a CloudFormation stack to grant SurePath AI read-only access to the Bedrock models enabled above.

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select AWS from the Type field.

  • Enter the 12-digit AWS Account ID.

  • The SurePath Role ARN will be auto-populated. Contact your SurePath AI team if a custom ARN is required.

  • Click Launch a CloudFormation Stack. This opens the AWS console.

    • Review the permissions being granted. This provides SurePath AI with read-only access to the Bedrock environment.

    • Follow the on-screen instructions and accept the changes.

    • Do not modify the ARN during this process unless directed by the SurePath AI team.

  • After saving the connector, it will take a few minutes to transition from PENDING to ACTIVE.

Create an AWS connector — access keys

This method uses an AWS IAM user's long-term access keys to authenticate with Bedrock. AWS recommends using temporary credentials where possible; review AWS IAM best practices before proceeding.

Create an IAM user for Bedrock access

  • Sign in to the AWS IAM console.

  • Navigate to Users, then click Create user.

  • Enter a username (for example, surepath-bedrock-user).

  • On the permissions step, select Attach policies directly.

  • Attach the AmazonBedrockFullAccess managed policy. Refer to AWS managed policies for Amazon Bedrock for information on scoping permissions to least privilege.

  • Complete the user creation process.

  • On the user's page, select the Security credentials tab.

  • Under Access keys, click Create access key.

  • Select Application running outside AWS as the use case.

  • Copy or download the Access Key ID and Secret Access Key. The secret access key is displayed only once and cannot be retrieved again.
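Both AWS methods ask the admin to review what is being granted: the permissions in the CloudFormation stack, and the policy attached to the IAM user. The following check is an added example, not SurePath AI or AWS code. It flags IAM policy statements that go beyond a narrow set of Bedrock actions. The EXPECTED action set, the sample policies, and the EXAMPLE-MODEL-ID ARN are assumptions made for illustration.

```python
import json

# Assumption: the Bedrock actions an inference connector needs. The page does
# not list what SurePath AI calls, so confirm this set before relying on it.
EXPECTED = {"bedrock:invokemodel", "bedrock:invokemodelwithresponsestream",
            "bedrock:listfoundationmodels", "bedrock:getfoundationmodel"}

# Constructed sample policies (not taken from AWS or SurePath AI).
BROAD = json.loads("""{"Version": "2012-10-17", "Statement":
  {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
   "Resource": "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"}
]}""")

def _as_list(value):
    """IAM accepts one item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement index, finding) pairs for grants wider than EXPECTED."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "Allow with NotAction/NotResource"))
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in actions:
            if "*" in action or "?" in action:
                findings.append((i, f"wildcard action: {action}"))
            elif action not in EXPECTED:
                findings.append((i, f"action outside expected set: {action}"))
        # Listing models is not scoped to a model ARN; invocation can be.
        can_invoke = any("*" in a or a.startswith("bedrock:invoke") for a in actions)
        if can_invoke and "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "model invocation allowed on every resource"))
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(policy) or "no findings")
```

The same function can be run against the policy document of the IAM role defined in the CloudFormation template before accepting the stack.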

Add the connector in SurePath AI

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select AWS from the Type field.

  • Select Access Keys from the Authentication Type field.

  • Select the appropriate AWS Region from the dropdown (for example, us-east-1).

  • Enter the Access Key ID.

  • Enter the Secret Access Key.

  • Click SAVE.

  • After saving, the connector will take a few minutes to transition from PENDING to ACTIVE.

Cloudflare AI

Requirements

  • Cloudflare Account ID and API token with Workers AI Read access (Create API token)

  • Admin access or higher to the SurePath AI admin interface

Obtain Cloudflare credentials

  • Log in to the Cloudflare dashboard and navigate to Workers & Pages > Workers AI.

  • Click the { } REST API card.

  • Your Account ID is displayed on this page — click the copy icon to copy it.

  • Click Create a Workers AI API Token. This creates a token with the correct permissions automatically.

  • Copy the token and store it securely. The token value is shown only once.

Create a Cloudflare AI connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select Cloudflare AI from the Type field.

  • Enter the Account ID.

  • Enter the API Key.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

Google Vertex AI

Requirements

Create a service account and download the JSON key

  • In the Google Cloud Console, navigate to IAM & Admin > Service Accounts.

  • Select the appropriate Google Cloud project.

  • Click Create Service Account, enter a name, then click Create and continue.

  • Assign the Vertex AI User role (roles/aiplatform.user) or Vertex AI Administrator role (roles/aiplatform.admin) to grant model access.

  • Click Continue, then Done.

  • On the Service Accounts page, click the email address of the service account just created.

  • Select the Keys tab, then click Add key > Create new key.

  • Select JSON as the key type and click Create. The JSON key file downloads automatically.

    • This file can only be downloaded at the time of creation. Store it securely.

Create a Google Vertex AI connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select Google Vertex AI from the Type field.

  • Paste the full contents of the downloaded JSON key file into the Service Account JSON field.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

NVIDIA NIM

Requirements

  • An NVIDIA Developer Program account and an API key (NVIDIA NIM API quickstart)

  • Admin access or higher to the SurePath AI admin interface

Obtain an NVIDIA NIM API key

NVIDIA Developer Program membership is required and available at no cost. API keys can be generated through the build.nvidia.com platform or the NGC portal.

Via build.nvidia.com:

  • Visit a model page at build.nvidia.com.

  • Click Get API Key in the right-hand pane and sign in or create an NVIDIA Developer account.

  • After authentication, the API key is displayed. Click Copy Key and store it securely.

Via the NGC portal:

  • Click Generate Personal Key, enter a key name, and set an expiration.

  • Under Services Included, select NGC Catalog and Public API Endpoints.

  • Click Generate Personal Key and copy the key.

Create an NVIDIA NIM connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select NVIDIA NIM from the Type field.

  • Enter the API Key.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

OpenAI

Requirements

  • An OpenAI API key (OpenAI API keys)

  • Admin access or higher to the SurePath AI admin interface

Obtain an OpenAI API key

  • Sign in or create an account at platform.openai.com.

  • Navigate to Settings > API Keys, or go directly to the API keys page.

  • Click Create new secret key, enter a descriptive name, and click Create secret key.

  • Copy the key immediately. The full key value is shown only once.

Note: An OpenAI account with active billing is required for sustained API access.

Create an OpenAI connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select OpenAI from the Type field.

  • Enter the API Key.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

Perplexity

Requirements

Obtain a Perplexity API key

An API Group must be created before an API key can be generated. This is a Perplexity platform requirement.

  • Sign in at perplexity.ai.

  • Navigate to the API Groups page and create a group with a descriptive name (for example, Production).

  • After the group is created, navigate to the API Keys tab.

  • Click Create Key. The key is shown only once — copy and store it immediately.

Create a Perplexity connector

  • Log in to the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section, then click ADD CONNECTOR.

  • Enter a recognizable Name for the connector.

  • Select Perplexity from the Type field.

  • Enter the API Key.

  • Click SAVE.

Once saved, proceed to the Add and enable your Private Model section below.

Add and enable your Private Model

Once a connector turns green and shows as Active on the Connectors page, admins can add and activate a private model.

  • Click Private Models in the GOVERN section.

  • Select the Add Private Model tile.

  • Enter a recognizable Name for the model. The official LLM name is displayed on the tile once the model is created, so the name does not need to include it.

  • Select the Connector created in the previous steps from the dropdown.

  • Select one of the Supported Models from the dropdown list.

  • Click SAVE.

To activate the model for portal users:

  • Click Default Policy in the GOVERN section.

  • Select the private model just created from the Portal Private Model dropdown.

  • Toggle Portal Enabled to the active (green) state.

  • Scroll to the bottom of the page and click SAVE CHANGES.

Access the new private model

The new private model is accessible at portal.surepath.ai. Users can also reach it by attempting to access a GenAI application they are not currently authorized for.

Upgrading to a new or different private model

To change the active private model, admins can add a new private model using an existing connector, or add a new connector and private model combination. The new model is then selected as the Portal Private Model in the Default Policy settings.
