chore: api keys document updates (#407)

Author: sr-remsha

docs/tutorials/2.devops/2.auth-and-access-control/0.api-keys.md

@@ -2,15 +2,20 @@
 
 ## Introduction
 
-API Keys can be used by external applications to access DIAL Core resources such as models, applications, toolsets and routes. DIAL Core uses them for server-to-server authentication and access control. In this document, you can learn how to define API keys, give access to resources in DIAL and define access limits.
+API Keys can be used by external applications to access DIAL Core resources such as models, applications, toolsets and routes. DIAL Core uses them for server-to-server authentication and access control. 
+
+You can define API key in DIAL Admin and via a direct configuration of DIAL Core. This document describes how to add and configure API keys in DIAL Core.
+
+> * Refer to [DIAL Admin](/docs/tutorials/3.admin/access-management-keys.md) to learn how to add and manage API keys via the administrator UI.
+> * Refer to [DIAL Core](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/keys.md) to see the complete configuration example.
 
 ## Step 1: Define API Keys
 
 To use API keys, you need to define them. API keys can be defined in DIAL Core dynamic settings and by DIAL administrators in [DIAL Admin](/docs/tutorials/3.admin/access-management-keys.md).
 
 ##### DIAL Core configuration
 
-API keys can be defined in the `keys.<core_key>` section in the [DIAL Core configuration file](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/keys.md).
+API keys can be defined in the `keys.<core_key>` section in the [aidial.config.json](https://github.com/epam/ai-dial-core/blob/development/sample/aidial.config.json) configuration file.
 
 > Refer to [DIAL Core documentation](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/keys.md) to get familiar with the description of the configuration parameters of API keys.
 
@@ -39,16 +44,14 @@ Access control in DIAL rests upon the concept of Objects of access (what we prot
 
 API Keys are Subjects used by external applications to access DIAL Core resources. DIAL Core uses them for server-to-server authentication and access control.
 
+The configuration in the previous step gives access to a private space of API key and resources in the public space that are not limited by roles or available for a role `"myRole"`.
+
 > * Refer to [Authentication](/docs/platform/3.core/1.auth-intro.md) to learn more about authentication in DIAL.
 > * Refer to [Access Control](/docs/platform/3.core/2.access-control-intro.md) to learn more about access control in DIAL.
 
-The configuration in the previous step gives access to for a private space of API key and resources in the public space that are not limited by roles or available for a role `"myRole"`.
-
-> Refer to [Access Control](/docs/platform/3.core/2.access-control-intro.md) to learn more about access control in DIAL.
-
 ##### DIAL Core configuration
 
-To provide access to additional resources in DIAL Core, you need to associate the role assigned to the API key with specific resources. You can do this by adding the API key role to the `userRoles` parameter of a corresponding deployment in DIAL Core configuration.
+To provide access to additional resources in DIAL Core, you need to associate the role assigned to the API key with specific resources. You can do this by adding the API key role to the `userRoles` parameter of a corresponding deployment (e.g. application or AI model) in DIAL Core configuration.
 
 In the following example, the `"myRole"` role is granted access to the `chat-gpt-35-turbo` language model. Using the same pattern, you can define user access to [applications](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/applications.md), [toolset](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/toolsets.md) and [routes](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/routes.md).
 
@@ -284,6 +287,40 @@ Sharing limits can be defined in the `roles.<role_name>.share` section of the DI
         }
     }
 ```
+### IP Address Range
+
+For security purposes, you can restrict the usage of API keys to certain networks by defining `allowedIpAddressRanges` with a list of allowed IP addresses in the `keys.<key_name>` section of the DIAL Core dynamic settings.
+
+
+##### DIAL Core configuration
+
+> Refer to [DIAL Core documentation](https://github.com/epam/ai-dial-core/blob/development/docs/dynamic-settings/keys.md) to see configuration guidelines. 
+
+A list of allowed IP addresses can be defined in the `keys.<key_name>.allowedIpAddressRanges` section of the DIAL Core dynamic settings.
+
+Any provided IP address (IPv4 or IPv6) must follow a CIDR notation in form of: `ip_address/prefix`, where
+
+* `ip_address`: string representation of IP address.
+* `prefix`: number of consecutive leading 1 bits in the network mask.
+
+```json
+"keys": {
+    "myApiKey": {
+        "project": "MyProject",
+        "role": "myRole",
+        "allowedIpAddressRanges": ["198.51.100.14/24", "2001:db8:1234::/48"]
+    }
+},
+```
+
+##### How it works
+
+* **undefined**: Client from any IP address can use the API key.
+* `null ` (default): Client from any IP address can use the API key.
+* **empty list**: API key is not usable from any IP address.
+* **a list is defined**: Client from the specified IP addresses can use the API key.
+
+If a client tries to access DIAL Core using the API key from an IP address which is out of the range, DIAL Core returns HTTP error code: `403(Forbidden) Access is forbidden from IP address {}`
 
 ## Full Configuration Example
 
@@ -292,7 +329,8 @@ Sharing limits can be defined in the `roles.<role_name>.share` section of the DI
 "keys": {
     "myApiKey": { //API key
         "project": "MyProject",
-        "role": "myRole" // the name of the role
+        "role": "myRole", // the name of the role
+        "allowedIpAddressRanges": ["198.51.100.14/24", "2001:db8:1234::/48"],
     }
 },
 "models": {