Platform for AI: Grant the permissions that are required to use EAS

Last Updated: Apr 18, 2024

Before you can access Elastic Algorithm Service (EAS) of Platform for AI (PAI) as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user by using your Alibaba Cloud account. This topic describes how to grant permissions to a RAM user to access EAS.

Background information

You can grant permissions to a RAM user to access EAS by using one of the following methods:

  • Grant a RAM user full permissions on EAS

    Use the AliyunPAIEASFullAccess system policy that provides full permissions on EAS. After you attach the policy to the RAM user, the RAM user can use all features of EAS.

  • Grant a RAM user read-only permissions on EAS

    Use the AliyunPAIEASReadOnlyAccess system policy that provides read-only permissions on EAS. After you attach the policy to the RAM user, the RAM user can query and view model services that are deployed in EAS.

  • Create a custom policy

    If the preceding methods do not meet your requirements, you can create a custom policy to grant permissions to the RAM user in a fine-grained manner. For example, you can create a custom policy to grant permissions to the RAM user to query and modify model services or dedicated resource groups in EAS.

Grant a RAM user full permissions on EAS

This section describes how to grant permissions to a RAM user to use all features of EAS.

  1. Log on to the RAM console.

  2. Grant a RAM user full permissions on EAS. For more information, see Grant permissions to a RAM user.

    Take note of the following parameters:

    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.

    • In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASFullAccess policy.

      Note

      Object Storage Service (OSS) permissions are related to data security. The AliyunPAIEASFullAccess policy does not provide OSS permissions. You must separately grant the RAM user OSS permissions. For more information, see RAM Policy Editor.

Grant a RAM user read-only permissions on EAS

This section describes how to grant permissions to a RAM user to query and view model services that are deployed in EAS.

  1. Log on to the RAM console.

  2. Grant a RAM user read-only permissions on EAS. For more information, see Grant permissions to a RAM user.

    Take note of the following parameters:

    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.

    • In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASReadOnlyAccess policy.

Create a custom policy

This section describes how to grant permissions to a RAM user to query and modify model services or dedicated resource groups in EAS by creating a custom policy.

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create a custom policy on the JSON tab.

    Important

    When you specify the policy content, we recommend that you follow the principle of least privilege.

    The following section provides a sample policy script:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "eas:CreateInstance",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eas:DescribeService",
                    "eas:DeleteService",
                    "eas:UpdateService",
                    "eas:UpdateServiceVersion"
                ],
                "Resource": [
                    "acs:eas:<region>:<uid>:service/eas-m-xxx1",
                    "acs:eas:<region>:<uid>:service/eas-m-xxx2"
                ]
            }
        ]
    }

    Modify the Resource values based on your business requirements. For information about the Action and Resource parameters, see the Policy description section of this topic.

  3. Attach the policy to a RAM user. For more information, see Grant permissions to a RAM user.

    Take note of the following items:

    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.

    • In the Add Permissions panel, set the Select Policy parameter to Custom Policy and then select the custom policy that you created in Step 2.

Policy description

Each policy contains the Action and Resource parameters. The Action parameter specifies the action to be performed, and the Resource parameter specifies the resource on which the action is performed. The following tables describe the valid values of the Action and Resource parameters.

  • Action

    | Category | Action | Description |
    | --- | --- | --- |
    | Service-related | eas:CreateService | Create model services. |
    | Service-related | eas:ListServices | View model services. |
    | Service-related | eas:DescribeService | View the details of model services. |
    | Service-related | eas:DeleteService | Delete model services. |
    | Service-related | eas:DeleteServiceLabel | Delete tags of model services. |
    | Service-related | eas:ListServiceInstances | View information about EAS instances. |
    | Service-related | eas:DeleteServiceInstances | Restart EAS instances. |
    | Service-related | eas:UpdateService | Update model services or add versions. |
    | Service-related | eas:UpdateServiceVersion | Switch between versions of model services. |
    | Service-related | eas:StartService | Start model services. |
    | Service-related | eas:StopService | Stop model services. |
    | Service-related | eas:UpdateService | Update model services. |
    | Service-related | eas:UpdateServiceLabel | Update tags of model services. |
    | Service-related | eas:RestartService | Restart EAS instances. |
    | Service-related | eas:CreateServiceAutoScaler | Enable auto scaling for model services. |
    | Service-related | eas:CreateServiceCronScaler | Enable scheduled auto scaling for model services. |
    | Service-related | eas:DeleteServiceAutoScaler | Disable auto scaling for model services. |
    | Service-related | eas:DeleteServiceCronScaler | Disable scheduled auto scaling for model services. |
    | Service-related | eas:DescribeServiceAutoScaler | View the auto scaling status of model services. |
    | Service-related | eas:DescribeServiceCronScaler | View information about scheduled auto scaling for model services. |
    | Service-related | eas:UpdateServiceAutoScaler | Update auto scaling configurations of model services. |
    | Service-related | eas:UpdateServiceCronScaler | Update scheduled auto scaling configurations of model services. |
    | Service-related | eas:CreateAppService | Create an application service. |
    | Service-related | eas:UpdateServiceSafetyLock | Update the service security lock. |
    | Service-related | eas:UpdateServiceInstance | Update the attributes of service instances. |
    | Service-related | eas:UpdateAppService | Updates an application service. |
    | Service-related | eas:DescribeServiceDiagnosis | View diagnostic details of services. |
    | Service-related | eas:DescribeServiceInstanceDiagnosis | View diagnostic details of service instances. |
    | Service-related | eas:DescribeServiceEvent | View model service deployment events. |
    | Service-related | eas:DescribeGroup | View service group details. |
    | Service-related | eas:ListServiceVersions | View the historical versions of a service. |
    | Service-related | eas:ListServiceContainers | View the container list of a service. |
    | Service-related | eas:ListGroups | View the list of service groups. |
    | Service-related | eas:CreateServiceMirror | Create traffic mirror sessions. |
    | Service-related | eas:DescribeServiceMirror | View the status of traffic mirror sessions. |
    | Service-related | eas:UpdateServiceMirror | Update the configuration of traffic mirror sessions. |
    | Service-related | eas:DeleteServiceMirror | Close traffic mirror sessions. |
    | Service-related | eas:ReleaseService | Specify the traffic ratio for blue-green deployment. |
    | Service-related | eas:DescribeServiceLog | View logs of model services. |
    | Resource group-related | eas:CreateResource | Create dedicated resource groups. |
    | Resource group-related | eas:DescribeResource | View basic information about dedicated resource groups. |
    | Resource group-related | eas:ListResources | View dedicated resource groups. |
    | Resource group-related | eas:DeleteResource | Delete dedicated resource groups. |
    | Resource group-related | eas:UpdateResource | Update basic information about dedicated resource groups. |
    | Resource group-related | eas:ListResourceInstances | View nodes of dedicated resource groups. |
    | Resource group-related | eas:ListResourceInstanceWorker | View containers hosted on instances of dedicated resource groups. |
    | Resource group-related | eas:ListResourceServices | View model services deployed in dedicated resource groups. |
    | Resource group-related | eas:CreateResourceInstances | Add instances to dedicated resource groups. |
    | Resource group-related | eas:UpdateResourceInstance | Update instances in a dedicated resource group. |
    | Resource group-related | eas:DeleteResourceInstances | Remove instances from dedicated resource groups. |
    | Resource group-related | eas:UpdateResourceDLink | Update the status of Virtual Private Cloud (VPC) direct connection for dedicated resource groups. |
    | Resource group-related | eas:DescribeResourceDLink | View the status of VPC direct connection of dedicated resource groups. |
    | Resource group-related | eas:DeleteResourceDLink | Delete VPC direct connection configurations of dedicated resource groups. |
    | Resource group-related | eas:CreateResourceLog | Enable log shipper for dedicated resource groups. |
    | Resource group-related | eas:DescribeResourceLog | View the status of log shipper for dedicated resource groups. |
    | Resource group-related | eas:DeleteResourceLog | Disable log shipper for dedicated resource groups. |
    | Stress testing-related | eas:CreateBenchmarkTask | Create a stress testing task. |
    | Stress testing-related | eas:DeleteBenchmarkTask | Delete a stress testing task. |
    | Stress testing-related | eas:DescribeBenchmarkTask | View the details of a stress testing task. |
    | Stress testing-related | eas:DescribeBenchmarkTaskReport | View the report of a stress testing task. |
    | Stress testing-related | eas:ListBenchmarkTask | View the list of stress testing tasks. |
    | Stress testing-related | eas:StartBenchmarkTask | Start a stress testing task. |
    | Stress testing-related | eas:StopBenchmarkTask | Stop a stress testing task. |
    | Stress testing-related | eas:UpdateBenchmarkTask | Update a stress testing task. |
    | Private gateway-related | eas:CreateGateway | Create a private gateway. |
    | Private gateway-related | eas:DescribeGateway | View the details of a private gateway. |
    | Private gateway-related | eas:UpdateGateway | Update a private gateway. |
    | Private gateway-related | eas:CreateGatewayIntranetLinkedVpc | Create an internal endpoint of a private gateway. |
    | Private gateway-related | eas:ListGatewayIntranetLinkedVpc | View internal endpoints of a private gateway. |
    | Private gateway-related | eas:DeleteGatewayIntranetLinkedVpc | Delete an internal endpoint of a private gateway. |
    | Private gateway-related | eas:DeleteGateway | Delete a private gateway. |

  • Resource

    The Resource parameter in EAS is in the following format:

    acs:eas:<region>:<uid>:<resource_type>/<id>

    Replace the following parameters with actual values:

    • <region>: the region in which the model service or dedicated resource group is deployed.

    • <uid>: the UID of the account to which the resource belongs.

    • <resource_type>: the resource type. For example, if you want to manage resources related to model services, set the value to service. If you want to manage resources related to resource groups, set the value to resource.

    • <id>: the ID of the model service or dedicated resource group.

    The following examples show the values of the Resource parameter in the following scenarios: managing model services deployed in public resource groups, managing model services deployed in dedicated resource groups, and managing dedicated resource groups.

    • Manage model services that are deployed in EAS

      • Manage a model service that is deployed in a public resource group

        acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****

        The value of Resource specifies the model service eas-m-u12fxt9ml1syoj**** that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.

        acs:eas:cn-hangzhou:123456789012****:service/your_service_name

        The value of Resource specifies the model service your_service_name that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.

      • Manage a model service that is deployed in a dedicated resource group

        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai81****/service/eas-m-iaskn1skn1us****

        The value of Resource specifies the model service eas-m-iaskn1skn1us**** that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.

        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service

        The value of Resource specifies the model service your_private_service that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.

    • Manage a dedicated resource group

      acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****

      The value of Resource specifies the dedicated resource group eas-r-jksauxqjsai8****. The dedicated resource group is deployed in the China (Beijing) region and belongs to the account named 123456789012****.

    • Use a wildcard character

      You can use the asterisk (*) wildcard character in Resource to specify more than one resource.

      The following examples show the values of Resource when wildcard characters are used:

      • acs:eas:*:123456789012****:service/*

        The value of Resource specifies model services that belong to the account named 123456789012**** and are deployed in public resource groups across all regions.

      • acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*

        The value of Resource specifies all model services that belong to the account named 123456789012**** and are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region.

      • acs:eas:*:123456789012****:*

        The value of Resource specifies all resource groups and model services that belong to the account named 123456789012**** in all regions.

      • acs:eas:*:123456789012****:service/prefix*

        The value of Resource specifies the model services that belong to the account named 123456789012****, are deployed in any region, and whose names start with prefix.
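
The least-privilege recommendation for custom policies and the Resource format and wildcards described above can be checked before a policy is attached. The following Python script is an added example, not part of the original topic or Alibaba Cloud code: it flags Allow statements whose Resource is malformed or pairs a wildcard with state-changing actions, and lists which inventory entries a flagged pattern reaches. It assumes that `*` matches any run of characters (including `/`), treats only `eas:Describe*` and `eas:List*` actions as read-only, and uses a constructed UID, service names and inventory.

```python
import json
import re

# Resource layout from this topic: acs:eas:<region>:<uid>:<resource_type>/<id>
ARN_RE = re.compile(r"acs:eas:[^:]+:[^:]+:(\*|[^/:]+/.+)")
READ_PREFIXES = ("eas:Describe", "eas:List")  # assumption: every other action changes state

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def covers(pattern, resource):
    """Assumed matching rule: '*' stands for any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None

def audit(policy):
    """Return (statement index, resource, reason) for each risky Allow grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        writes = [a for a in as_list(stmt["Action"]) if not a.startswith(READ_PREFIXES)]
        for res in as_list(stmt["Resource"]):
            if res != "*" and not ARN_RE.fullmatch(res):
                findings.append((i, res, "not in acs:eas:<region>:<uid>:<type>/<id> form"))
            elif writes and "*" in res:
                findings.append((i, res, "wildcard with write actions: " + ", ".join(writes)))
    return findings

# Constructed sample policy and inventory; the UID and names are placeholders.
UID = "1234567890120000"
SAMPLE = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["eas:ListServices", "eas:DescribeService"],
   "Resource": "acs:eas:*:%(u)s:service/*"},
  {"Effect": "Allow", "Action": ["eas:UpdateService", "eas:DeleteService"],
   "Resource": ["acs:eas:cn-hangzhou:%(u)s:service/eas-m-example1",
                "acs:eas:cn-hangzhou:%(u)s:service/prod-*"]},
  {"Effect": "Allow", "Action": "eas:StopService", "Resource": "eas-m-example1"}
]}""" % {"u": UID})
INVENTORY = [f"acs:eas:cn-hangzhou:{UID}:service/{name}"
             for name in ("prod-ranker", "prod-search", "dev-ranker")]

if __name__ == "__main__":
    for idx, res, reason in audit(SAMPLE):
        reached = [r.rsplit("/", 1)[1] for r in INVENTORY if covers(res, r)]
        print(f"statement {idx}: {res}: {reason}; reaches {reached}")
```

The read-only wildcard statement passes, while the `prod-*` write grant and the bare service ID are reported.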