
Mistral Enterprise RBAC

v20260311
mistral-enterprise-rbac
Guide for configuring Mistral AI enterprise role-based access controls, including scoped API keys, RBAC gateways, budget caps, key audits, and rotation to secure organization-level usage.

Mistral AI Enterprise RBAC

Overview

Control access to Mistral AI models and API resources at the organization level. Mistral uses API key scoping and La Plateforme workspace management to separate environments.

Prerequisites

  • Mistral La Plateforme organization account
  • Organization admin or owner role
  • At least one active API key with admin scope

Instructions

Step 1: Create Scoped API Keys per Team

set -euo pipefail
# Create a key restricted to small models only (cost-safe for junior devs)
curl -X POST https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "dev-team-small-only",
    "allowed_models": ["mistral-small-latest", "codestral-latest"],
    "rate_limit_rpm": 100
  }'

# Create a broader-scope key for the ML team (still limited to the listed models)
curl -X POST https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ml-team-full-access",
    "allowed_models": ["mistral-small-latest", "mistral-large-latest", "mistral-embed"],
    "rate_limit_rpm": 500
  }'

Step 2: Implement a Gateway That Enforces Roles

// mistral-gateway.ts - Proxy that checks roles before forwarding
const ROLE_MODEL_MAP: Record<string, string[]> = {
  analyst:   ['mistral-small-latest'],
  developer: ['mistral-small-latest', 'codestral-latest', 'mistral-embed'],
  senior:    ['mistral-small-latest', 'mistral-large-latest', 'mistral-embed'],
  admin:     ['*'],
};

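function canUseModel(role: string, model: string): boolean {
  // Own-property check: a role name such as "constructor" must not resolve to
  // a member inherited from Object.prototype. Unknown roles are denied.
  if (!Object.prototype.hasOwnProperty.call(ROLE_MODEL_MAP, role)) return false;
  const allowed = ROLE_MODEL_MAP[role];
  return allowed.includes('*') || allowed.includes(model);
}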
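
An added example, not part of the original skill or of Mistral's code: a fail-closed version of the gateway's authorization decision that reuses the role table above and also validates the request body. The names authorize, Decision and ROLE_MODELS are hypothetical, and it assumes the role comes from the gateway's own authenticated session, not from the client request.

```typescript
// Added example: fail-closed model authorization for the gateway.
// Role table copied from the guide; all other names are hypothetical.
type Decision = { allowed: boolean; status: number; reason: string };

// A Map has no inherited keys, so a role named "constructor" or "__proto__"
// is simply unknown instead of resolving to an Object.prototype member.
const ROLE_MODELS = new Map<string, readonly string[]>([
  ['analyst',   ['mistral-small-latest']],
  ['developer', ['mistral-small-latest', 'codestral-latest', 'mistral-embed']],
  ['senior',    ['mistral-small-latest', 'mistral-large-latest', 'mistral-embed']],
  ['admin',     ['*']],
]);

const deny = (status: number, reason: string): Decision =>
  ({ allowed: false, status, reason });

// role: set by the gateway after authenticating the caller (assumption),
//       never read from a client-supplied header or body field.
// body: the parsed JSON body of the request to be forwarded.
function authorize(role: unknown, body: unknown): Decision {
  if (typeof role !== 'string') return deny(403, 'no role on session');
  const models = ROLE_MODELS.get(role);
  if (models === undefined) return deny(403, 'unknown role');

  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return deny(400, 'body must be a JSON object');
  }
  const model = (body as Record<string, unknown>).model;
  // Reject missing or non-string values before comparing; exact match only.
  if (typeof model !== 'string' || model.length === 0) {
    return deny(400, 'model must be a non-empty string');
  }
  // "*" is a grant in the role table, not a model name a client may request.
  if (model === '*') return deny(400, 'invalid model name');

  if (models.includes('*') || models.includes(model)) {
    return { allowed: true, status: 200, reason: 'ok' };
  }
  return deny(403, `role ${role} may not use ${model}`);
}
```

Only forward the request upstream when allowed is true, and log the reason for every denial so the key audit in Step 4 can be correlated with gateway decisions.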

Step 3: Set Workspace Spending Limits

Navigate to La Plateforme > Organization > Billing and set monthly budget caps. Configure alerts at 50%, 80%, and 95% thresholds. Each API key can also have independent rate limits to prevent a single integration from consuming the entire budget.

Step 4: Audit API Key Usage

set -euo pipefail
# List all API keys and their last-used timestamps
curl https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
  jq '.data[] | {name, created_at, last_used_at, allowed_models}'

# Revoke a compromised key
curl -X DELETE https://api.mistral.ai/v1/api-keys/key_abc123 \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY"

Step 5: Rotate Keys on Schedule

Automate 90-day key rotation. Create the new key, update consuming services, then delete the old key after a 24-hour overlap window.

Error Handling

| Issue | Cause | Solution |
|---|---|---|
| 401 Unauthorized | API key revoked or invalid | Generate new key on La Plateforme |
| 403 model not allowed | Key restricted from that model | Use a key with broader model scope |
| 429 rate limit | Key RPM cap exceeded | Increase rate limit or distribute load across keys |
| Spending alert triggered | Monthly budget near cap | Review usage by key; restrict heavy consumers |

Examples

Basic usage: Apply Mistral enterprise RBAC to a standard project setup with default configuration options.

Advanced scenario: Customize Mistral enterprise RBAC for production environments with multiple constraints and team-specific requirements.

Output

  • Configuration files or code changes applied to the project
  • Validation report confirming correct implementation
  • Summary of changes made and their rationale

Resources

  • Official Mistral documentation
  • Community best practices and patterns
  • Related skills in this plugin pack
Info
Category Development
Size 4.07KB
Updated At 2026-03-12