All Products
Search
Document Center

Platform For AI:Grant the permissions that are required to use DSW

Last Updated:Feb 18, 2024

The first time you use Data Science Workshop (DSW) of Platform for AI (PAI), you must assign a service-linked role to DSW to allow DSW to access the required resources. If you use Object Storage Service (OSS) to store data, make sure that the service-linked role for DSW is granted the permissions to access OSS. This topic describes how to grant permissions to a DSW service-linked role.

Background information

If you want to use a Resource Access Management (RAM) user to manage DSW, you must grant permissions to the RAM user before you use DSW. In addition, PAI allows you to grant fine-grained permissions to RAM users to manage DSW instances by using workspaces. Before you use DSW, you must grant PAI the permissions to access storage services, such as OSS or Apsara File Storage NAS. For more information, see the following sections:

Authorize the operation account

DSW is an integrated development environment (IDE) in the cloud that provides interactive development environments for different levels of developers. You may need to activate and authorize the following cloud services when you use DSW for interactive modeling.

  • PAI module: DSW

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on DSW. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, go to the Roles and Permissions page.

    image..png

    Manage members of the workspace

  • Dependent cloud service: Apsara File Storage NAS

    PAI provides cloud disks with a specific capacity to store data persistently for DSW instances that are created by using the public resource group. If the DSW instance is stopped and not launched for over 15 days, the disk is cleared. Non-persistent on-premises storage is provided for DSW instances that are created by using dedicated resource groups. If you want to persist data, we recommend that you mount a NAS file system. In this case, you need to activate and authorize NAS for persistence data storage.

    Scenario

    Description

    Reference

    Activate NAS

    We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.

    Use NAS

    Use NAS after activation:

    • Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a NAS file system and mount it to an instance of PAI.

  • Dependent cloud service: OSS

    You need to activate and authorize OSS for data storage.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

Authorize the service-linked role

Grant DSW permissions to an Alibaba Cloud account

Before you use DSW, make sure that the Alibaba Cloud account that you use has the permissions to manage DSW. In most cases, you are prompted to authorize the service-linked role when you activate PAI. For more information, see Activate PAI and create the default workspace. You can check whether the Alibaba Cloud account has the operation permissions on DSW. For more information, see the "Check whether the AliyunPAIDSWDefaultRole role is assigned to DSW" section of this topic. If the Alibaba Cloud account does not have the required permissions, perform the following steps to grant the required permissions to the account.

  1. Go to the Interactive Modeling (DSW) page.

    1. Log on to the PAI console.

    2. On the Overview page, select a region in the top navigation bar.

    3. In the left-side navigation pane, click Workspaces. On the Workspaces page, click the name of the workspace that you want to manage.

    4. In the left-side navigation pane, choose Model Development and Training > Interactive Modeling (DSW).

  2. Assign the AliyunPAIDSWDefaultRole role to the Alibaba Cloud account.

    1. Click Create Instance.

    2. In the Role Authorization dialog box, click OK.

    3. On the Cloud Resource Access Authorization page, click Agree to Authorization.

      Service-linked roles are automatically assigned to DSW and displayed on the Cloud Resource Access Authorization page.

Grant PAI the permissions to access OSS and NAS

Perform the following steps to grant PAI the permissions to access OSS and NAS.

  1. Log on to the PAI console.

  2. In the left-side navigation pane, choose Activation and Authorization > Dependent Services. On the page that appears, find the OSS and NAS in the DSW section.

  3. View the authorization details of OSS in the Actions column.

    • If PAI is not granted the permissions to access OSS, click Authorize Now in the Actions column and grant the permissions to PAI by following the on-screen instructions.

    • If PAI is granted the permissions to access OSS, click View Authorization in the Actions column to view the authorization details.

If you do not grant OSS access permissions (AliyunPAIDLCAccessingOSSRole) to PAI, the following error may occur when you mount an OSS dataset:

image

Check whether the AliyunPAIDSWDefaultRole role is assigned to DSW

To use DSW as expected, use your Alibaba Cloud account to assign the AliyunPAIDSWDefaultRole role to DSW. Perform the following steps:

Note

Only Alibaba Cloud accounts can assign the role. RAM users cannot assign the role.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the AliyunPAIDSWDefaultRole role.

    • If the role is displayed in the search result, the role is assigned to DSW.

    • Otherwise, you must assign the role to DSW. For more information, see the "Authorize the service-linked role" section of this topic.

References

After you authorize DSW, you can create a DSW instance and use the development environment provided by DSW to develop and train AI models. For more information, see Create and manage DSW instances.