This topic shows you how to authorize RAM users to manage Data Science Workshop (DSW) instances and assign service-linked roles to DSW.

Background information

For more information about the structure and syntax of permission policies, see Policy structure and syntax.

Assign a service-linked role to DSW by using the Alibaba Cloud account

To ensure that the DSW can provide services normally, you must use your Alibaba Cloud account to assign the AliyunPAIDSWDefaultRole role to DSW.

  1. Log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, click Roles.
  3. On the Roles page, search for the AliyunPAIDSWDefaultRole role.
    • If the role is displayed in the search result, the role is assigned to DSW.
    • If the role is not displayed, you must assign the role to DSW. For more information, see Assign service-linked roles.

Authorize RAM users

You can use your Alibaba Cloud account to authorize RAM users to manage DSW instances. Then, the RAM users can create, start, stop, and delete DSW instances.

  1. Log on to the RAM console.
  2. Create a custom policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters.
      Parameter Description
      Policy Name Enter DSW_Notebook_Access.
      Note Enter DSW access policy.
      Configuration Mode Select Script.
      Policy Document Add the following content to Policy Document:
      {
        "Statement": [
          {
            "Action": [
              "notebook:CreateInstance",
              "notebook:StartInstance",
              "notebook:StopInstance",
              "notebook:EditInstance",
              "notebook:ListInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "1"
      }
      Action indicates the granted permissions, including:
      • notebook:CreateInstance: creates DSW instances.
      • notebook:StartInstance: starts DSW instances.
      • notebook:StopInstance: stops DSW instances.
      • notebook:EditInstance: modifies DSW instances.
      • notebook:ListInstance: views all DSW instances.
      Resource indicates resources that a RAM user is authorized to manage. You can set this parameter in one of the following ways:
      • Authorize the RAM user to manage all DSW instances in a specified region.
        "Resource": "acs:notebook:cn-beijing:*:notebook/*"
      • Authorize the RAM user to manage a specified instance, such as the DSW instance hhdemo in the following example:
        "Resource": "acs:notebook:*:*:notebook/hhdemo"
      • Authorize the RAM user to manage all DSW instances.
        "Resource": "*"
      For more information about other permissions, see Policy elements.
    4. Click OK.
  3. Attach the custom policy to a RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, click Add Permissions in the Actions column.
    3. Optional:In the Add Permissions panel, click Custom Policy.
    4. In the Select Policy section, enter DSW_Notebook_Access.
    5. Click DSW_Notebook_Access in the Authorization Policy Name column. Then, the policy is displayed in the Selected section.
    6. Click OK.

Assign service-linked roles

If you are a first-time user of DSW, you must first assign service-linked roles to DSW so that DSW can access the required resources.

  1. Go to the Notebook Modeling page.
    1. Log on to the Machine Learning Platform for AI (PAI) console.
    2. In the left-side navigation pane, choose Model Training > DSW-Notebook Service.
  2. Click Create Instance.
  3. In the Role Authorization dialog box, click OK.
  4. On the Cloud Resource Access Authorization page, click Agree to Authorize.
    Service-linked roles are automatically assigned to DSW and displayed on the Cloud Resource Access Authorization page.