[Yandex Cloud documentation](../../index.md) > [Yandex Container Registry](../index.md) > [Tutorials](index.md) > Deploying a service in DataSphere from a Docker image with FastAPI

# Deploying a service in Yandex DataSphere from a Docker image with FastAPI

# Deploying a service based on a Docker image with FastAPI

In this tutorial, you will deploy a FastAPI service based on a [Docker image](../../datasphere/concepts/deploy/index.md#docker-node). The service provides metrics in [Prometheus](https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format) text format. The service will run at the `0.0.0.0` IP address and on port `9875`.

To deploy a service based on a Docker image with FastAPI:

1. [Set up your infrastructure](#infra).
1. [Prepare a Docker image for the service deployment](#docker).
1. [Deploy the service in DataSphere](#deploy).
1. [Run a health check for the service you deployed](#check-node).

If you no longer need the resources you created, [delete them](#clear-out).

## Getting started {#before-you-begin}

Before getting started, register in Yandex Cloud, set up a [community](../../datasphere/concepts/community.md), and link your [billing account](../../billing/concepts/billing-account.md) to it.
1. [On the DataSphere home page](https://datasphere.yandex.cloud), click **Try for free** and select an account to log in with: Yandex ID or your working account with the identity federation (SSO).
1. Select the [Yandex Identity Hub organization](../../organization/index.md) you are going to use in Yandex Cloud.
1. [Create a community](../../datasphere/operations/community/create.md).
1. [Link your billing account](../../datasphere/operations/community/link-ba.md) to the DataSphere community you are going to work in. Make sure you have a linked billing account and its [status](../../billing/concepts/billing-account-statuses.md) is `ACTIVE` or `TRIAL_ACTIVE`. If you do not have a billing account yet, create one in the DataSphere interface.

### Required paid resources {#paid-resources}

The cost of deploying a service based on a Docker image includes:

* Fee for continuously running node instances (see [DataSphere pricing](../../datasphere/pricing.md)).
* Fee for running code cells for health checks of the deployed service.
* Amount of storage used by Yandex Container Registry data (see [Container Registry pricing](../pricing.md)).

## Set up your infrastructure {#infra}

Log in to the Yandex Cloud [management console](https://console.yandex.cloud) and select the organization you use to access DataSphere. On the [**Yandex Cloud Billing**](https://center.yandex.cloud/billing/accounts) page, make sure you have a billing account linked.

If you have an active billing account, you can go to the [cloud page](https://console.yandex.cloud/cloud) to create or select a folder to run your infrastructure.

{% note info %}

If you are using an [identity federation](../../organization/concepts/add-federation.md) to work with Yandex Cloud, you might not have access to billing details. In this case, contact your Yandex Cloud organization administrator.

{% endnote %}

### Create a folder {#create-folder}

{% note info %}

In our example, both the Yandex Cloud infrastructure and the deployed service operate from the same Yandex Cloud folder; however, this is not a requirement.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

   1. In the [management console](https://console.yandex.cloud), select a cloud and click ![create](../../_assets/console-icons/plus.svg)**Create folder**.
   1. Name your folder, e.g., `data-folder`.
   1. Click **Create**.

{% endlist %}

### Create a registry in Container Registry {#create-registry}

DataSphere can create a node from a Docker image hosted in [Yandex Container Registry](../index.md). To push an image, create a registry.

{% list tabs group=instructions %}

- Management console {#console}

  1. Navigate to `data-folder`.
  1. [Go](../../console/operations/select-service.md#select-service) to **Container Registry**.
  1. Click **Create registry**.
  1. Specify a name for the registry, e.g., `datasphere-registry`, and click **Create registry**.

{% endlist %}

### Create a service account for the DataSphere project {#create-sa}

{% list tabs group=instructions %}

- Management console {#console}

   1. Navigate to `data-folder`.
   1. [Go](../../console/operations/select-service.md#select-service) to **Identity and Access Management**.
   1. Click **Create service account**.
   1. Name the [service account](../../iam/concepts/users/service-accounts.md), e.g., `sa-for-datasphere`.
   1. Click **Add role** and assign the following [roles](../../iam/concepts/access-control/roles.md) to the service account:
      * `container-registry.images.puller` to allow DataSphere to pull your Docker image to create a node.
      * `vpc.user` to use the DataSphere network.
      * `datasphere.user` to send requests to the node.

   1. Click **Create**.

{% endlist %}

### Create an authorized key for a service account {#create-key}

To allow your service account to [get authenticated in Yandex Container Registry](../operations/authentication.md), create an authorized key.

{% note info %}

Authorized keys do not expire, but you can always get new authorized keys and get authenticated again if something goes wrong.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. Navigate to `data-folder`.
  1. [Go](../../console/operations/select-service.md#select-service) to **Identity and Access Management**.
  1. In the left-hand panel, select ![FaceRobot](../../_assets/console-icons/face-robot.svg) **Service accounts**.
  1. In the list that opens, select the `sa-for-datasphere` service account.
  1. Click **Create new key** in the top panel.
  1. Select **Create authorized key**.
  1. Select the encryption algorithm.
  1. Save both the public and private keys. The private key is not saved in Yandex Cloud, and you will not be able to view the public key in the management console.

     {% note tip %}

     You can save the file with the key on your computer. You will need its contents later when creating a secret to access DataSphere in Container Registry.

     {% endnote %}

{% endlist %}

## Prepare your Docker image for the service deployment {#docker}

If you do not have Docker yet, [install](https://docs.docker.com/install/) it.

### Create a Docker image for your service {#create-docker}

1. Create a folder to store the Docker image configuration and all the required files, e.g., `/home/docker-images`.
1. Clone the [repository on GitHub](https://github.com/yandex-cloud-examples/yc-datasphere-fastapi-service-deploy) and place the files in the folder you created.
1. Run [Docker Desktop](https://docs.docker.com/desktop/).
1. In the command shell, navigate to the folder the cloned repository is stored in:

   ```bash
   cd docker-images
   ```

1. Build the Docker image:

   ```bash
   docker build --platform linux/amd64 -t fastapi-docker .
   ```

### Push the Docker image to Container Registry {#push-docker}

If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

{% list tabs group=instructions %}

- CLI {#cli}

   1. [Set](../../cli/operations/profile/manage-properties.md) `data-folder` as your default folder:

      ```bash
      yc config set folder-id <folder_ID>
      ```

   1. [Get authenticated in Container Registry](../index.md).

      1. Issue an [IAM token](../../iam/concepts/authorization/iam-token.md) for your service account:

      ```bash
      yc iam create-token
      ```
      
      The response will contain the IAM token. If you are authenticating using a federated account, the CLI will redirect you to the management console to authenticate and then send you an IAM token.

      {% note info %}

      The IAM token has a short [lifetime](../../iam/concepts/authorization/iam-token.md#lifetime) of up to 12 hours. This makes it a good method for applications that automatically request an IAM token.

      {% endnote %}

      1. Run the command with the token value you got in the previous step in place of `<IAM_token>`:

      ```bash
      docker login \
        --username iam \
        --password <IAM_token> \
        cr.yandex
      ```

   1. Get a list of registries in `data-folder`:

      ```bash
      yc container registry list
      ```

      You will need the registry ID at the next step. Here is an example of the command output:

      ```text
      +----------------------+---------------------+----------------------+
      |          ID          |        NAME         |      FOLDER ID       |
      +----------------------+---------------------+----------------------+
      | crp86bmgl1da******** | datasphere-registry | b1g4bh24c406******** |
      +----------------------+---------------------+----------------------+
      ```

   1. Push the Docker image to Container Registry by substituting your `datasphere-registry` ID:

      ```bash
      docker tag fastapi-docker cr.yandex/<registry_ID>/fastapi:v1
      docker push cr.yandex/<registry_ID>/fastapi:v1
      ```

{% endlist %}

## Deploy the service in DataSphere {#deploy}

1. Open the DataSphere [home page](https://datasphere.yandex.cloud). In the left-hand panel, select ![community-panel](../../_assets/console-icons/circles-concentric.svg) **Communities**.
1. Select a community with a billing account linked.
1. [Create a project](../../datasphere/operations/projects/create.md) named `Node from Docker`.
1. [In the project settings](../../datasphere/operations/projects/update.md), specify:
   * **Default folder**: `data-folder`
   * **Service account**: `sa-for-datasphere`
1. [Create a secret](../../datasphere/operations/data/secrets.md) named `key-for-sa` by adding the contents of the authorized key file for the `sa-for-datasphere` service account without any changes whatsoever. 
1. Create a node. To do this, click **Create resource** in the top-right corner of the project page. In the pop-up window, select **Node**. Specify the node settings:
   1. Enter `fastapi` as the node name in the **Name** field.
   1. Under **Docker image**:
      * **Type**: Select **Docker**.
      * **Docker image storage**: Select **Yandex Container Registry**.
      * **Image path**: Specify the path to the Container Registry image in the `cr.yandex/<registry_ID>/<image_name>:<tag>` format. You can get it in the management console by copying the full value on the repository page. You can also fill out this field manually. You can get the registry ID in the CLI by running the `yc container registry list` command.      
      * **Password secret**: Select `key-for-sa`.
   1. Under **Endpoint**:
      * **Type**: Select **HTTP**.
      * **Port**: 9875.
   1. Enable **Telemetry** and specify:
      * **Type**: Select **Prometheus**.
      * **HTTP path**: `/metrics`.
      * **Port**: 9875.
   1. Enable **Healthcheck** and specify:
      * **Type**: Select **HTTP**.
      * **Path**: `/`.
      * **Port**: 9875.
      * **Timeout**: 1.
      * **Interval**: 15.
      * **Fails threshold**: 3.
      * **Passes threshold**: 3.
   1. Under **Folder**, select `data-folder`.
   1. Under **Provisioning**, select the `g1.1` [configuration](../../datasphere/concepts/configurations.md).
   1. Click **Create**.

## Run a health check for the service you deployed {#check-node}

1. Select the project in your community or on the DataSphere [home page](https://datasphere.yandex.cloud) in the **Recent projects** tab.
1. In the list of services, select **Node**.
1. Click the `Node from Docker` node you created.
1. Navigate to the **Request** tab.
1. In the **Create test request** form, select the `GET` method.
1. In the **Path** field, enter `/urls`.
1. Click **Execute** to get a complete list of URIs to test performance and metrics.

   Result:

   ```json
   [
   {
      "path": "/openapi.json",
      "name": "openapi"
   },
   {
      "path": "/docs",
      "name": "swagger_ui_html"
   },
   {
      "path": "/docs/oauth2-redirect",
      "name": "swagger_ui_redirect"
   },
   {
      "path": "/redoc",
      "name": "redoc_html"
   },
   {
      "path": "/metrics",
      "name": "metrics"
   },
   {
      "path": "/",
      "name": "root"
   },
   {
      "path": "/urls",
      "name": "get_all_urls"
   },
   {
      "path": "/health-check",
      "name": "healthcheck"
   }
   ]
   ```

## How to delete the resources you created {#clear-out}

When deploying and using models, you pay for the uptime of each node instance: from its start to deletion.

If you no longer need the service you deployed, delete the node.

1. [Delete the node](../../datasphere/operations/deploy/node-delete.md).
1. [Delete the secret](../../datasphere/operations/data/secrets.md#delete).
1. [Delete the authorized key](../../iam/operations/authentication/manage-authorized-keys.md#delete-authorized-key) of the service account.
1. [Delete the Docker image](../operations/docker-image/docker-image-delete.md).
1. [Delete the registry](../operations/registry/registry-delete.md) in Container Registry.