Before you can access Elastic Algorithm Service (EAS) of Platform for AI (PAI) as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user by using your Alibaba Cloud account. This topic describes how to grant permissions to a RAM user to access EAS.
Background information
You can grant permissions to a RAM user to access EAS by using one of the following methods:
Grant a RAM user full permissions on EAS
Use the AliyunPAIEASFullAccess system policy that provides full permissions on EAS. After you attach the policy to the RAM user, the RAM user can use all features of EAS.
Grant a RAM user read-only permissions on EAS
Use the AliyunPAIEASReadOnlyAccess system policy that provides read-only permissions on EAS. After you attach the policy to the RAM user, the RAM user can query and view model services that are deployed in EAS.
If the preceding methods do not meet your requirements, you can create a custom policy to grant permissions to the RAM user in a fine-grained manner. For example, you can create a custom policy to grant permissions to the RAM user to query and modify model services or dedicated resource groups in EAS.
Grant a RAM user full permissions on EAS
This section describes how to grant permissions to a RAM user to use all features of EAS.
1. Log on to the RAM console.
2. Grant a RAM user full permissions on EAS. For more information, see Grant permissions to a RAM user.
   Take note of the following parameters:
   - In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
   - In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASFullAccess policy.
   Note: Object Storage Service (OSS) permissions are related to data security. The AliyunPAIEASFullAccess policy does not provide OSS permissions. You must separately grant the RAM user OSS permissions. For more information, see RAM Policy Editor.
Grant a RAM user read-only permissions on EAS
This section describes how to grant permissions to a RAM user to query and view model services that are deployed in EAS.
1. Log on to the RAM console.
2. Grant a RAM user read-only permissions on EAS. For more information, see Grant permissions to a RAM user.
   Take note of the following parameters:
   - In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
   - In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASReadOnlyAccess policy.
Create a custom policy
This section describes how to grant permissions to a RAM user to query and modify model services or dedicated resource groups in EAS by creating a custom policy.
1. Log on to the RAM console.
2. Create a custom policy. For more information, see Create a custom policy on the JSON tab.
   Important: When you specify the policy content, we recommend that you follow the principle of least privilege.
   The following section provides a sample policy script:
   {
     "Version": "1",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "eas:CreateInstance",
         "Resource": "*"
       },
       {
         "Effect": "Allow",
         "Action": [
           "eas:DescribeService",
           "eas:DeleteService",
           "eas:UpdateService",
           "eas:UpdateServiceVersion"
         ],
         "Resource": [
           "acs:eas:<region>:<uid>:service/eas-m-xxx1",
           "acs:eas:<region>:<uid>:service/eas-m-xxx2"
         ]
       }
     ]
   }
   Modify the Resource values based on your business requirements. For information about the Action and Resource parameters, see the Policy description section of this topic.
3. Attach the policy to a RAM user. For more information, see Grant permissions to a RAM user.
   Take note of the following items:
   - In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
   - In the Add Permissions panel, set the Select Policy parameter to Custom Policy and then select the custom policy that you created in Step 2.
Policy description
Each policy contains the Action and Resource parameters. The Action parameter specifies the action to be performed, and the Resource parameter specifies the resource on which the action is performed. The following tables describe the valid values of the Action and Resource parameters.
Action
| Category | Action | Description |
| --- | --- | --- |
| Service-related | eas:CreateService | Create model services. |
| Service-related | eas:ListServices | View model services. |
| Service-related | eas:DescribeService | View the details of model services. |
| Service-related | eas:DeleteService | Delete model services. |
| Service-related | eas:DeleteServiceLabel | Delete tags of model services. |
| Service-related | eas:ListServiceInstances | View information about EAS instances. |
| Service-related | eas:DeleteServiceInstances | Restart EAS instances. |
| Service-related | eas:UpdateService | Update model services or add versions. |
| Service-related | eas:UpdateServiceVersion | Switch between versions of model services. |
| Service-related | eas:StartService | Start model services. |
| Service-related | eas:StopService | Stop model services. |
| Service-related | eas:UpdateService | Update model services. |
| Service-related | eas:UpdateServiceLabel | Update tags of model services. |
| Service-related | eas:RestartService | Restart EAS instances. |
| Service-related | eas:CreateServiceAutoScaler | Enable auto scaling for model services. |
| Service-related | eas:CreateServiceCronScaler | Enable scheduled auto scaling for model services. |
| Service-related | eas:DeleteServiceAutoScaler | Disable auto scaling for model services. |
| Service-related | eas:DeleteServiceCronScaler | Disable scheduled auto scaling for model services. |
| Service-related | eas:DescribeServiceAutoScaler | View the auto scaling status of model services. |
| Service-related | eas:DescribeServiceCronScaler | View information about scheduled auto scaling for model services. |
| Service-related | eas:UpdateServiceAutoScaler | Update auto scaling configurations of model services. |
| Service-related | eas:UpdateServiceCronScaler | Update scheduled auto scaling configurations of model services. |
| Service-related | eas:CreateAppService | Create an application service. |
| Service-related | eas:UpdateServiceSafetyLock | Update the service security lock. |
| Service-related | eas:UpdateServiceInstance | Update the attributes of service instances. |
| Service-related | eas:UpdateAppService | Update an application service. |
| Service-related | eas:DescribeServiceDiagnosis | View diagnostic details of services. |
| Service-related | eas:DescribeServiceInstanceDiagnosis | View diagnostic details of service instances. |
| Service-related | eas:DescribeServiceEvent | View model service deployment events. |
| Service-related | eas:DescribeGroup | View service group details. |
| Service-related | eas:ListServiceVersions | View the historical versions of a service. |
| Service-related | eas:ListServiceContainers | View the container list of a service. |
| Service-related | eas:ListGroups | View the list of service groups. |
| Service-related | eas:CreateServiceMirror | Create traffic mirror sessions. |
| Service-related | eas:DescribeServiceMirror | View the status of traffic mirror sessions. |
| Service-related | eas:UpdateServiceMirror | Update the configuration of traffic mirror sessions. |
| Service-related | eas:DeleteServiceMirror | Close traffic mirror sessions. |
| Service-related | eas:ReleaseService | Specify the traffic ratio for blue-green deployment. |
| Service-related | eas:DescribeServiceLog | View logs of model services. |
| Resource group-related | eas:CreateResource | Create dedicated resource groups. |
| Resource group-related | eas:DescribeResource | View basic information about dedicated resource groups. |
| Resource group-related | eas:ListResources | View dedicated resource groups. |
| Resource group-related | eas:DeleteResource | Delete dedicated resource groups. |
| Resource group-related | eas:UpdateResource | Update basic information about dedicated resource groups. |
| Resource group-related | eas:ListResourceInstances | View nodes of dedicated resource groups. |
| Resource group-related | eas:ListResourceInstanceWorker | View containers hosted on instances of dedicated resource groups. |
| Resource group-related | eas:ListResourceServices | View model services deployed in dedicated resource groups. |
| Resource group-related | eas:CreateResourceInstances | Add instances to dedicated resource groups. |
| Resource group-related | eas:UpdateResourceInstance | Update instances in a dedicated resource group. |
| Resource group-related | eas:DeleteResourceInstances | Remove instances from dedicated resource groups. |
| Resource group-related | eas:UpdateResourceDLink | Update the status of Virtual Private Cloud (VPC) direct connection for dedicated resource groups. |
| Resource group-related | eas:DescribeResourceDLink | View the status of VPC direct connection of dedicated resource groups. |
| Resource group-related | eas:DeleteResourceDLink | Delete VPC direct connection configurations of dedicated resource groups. |
| Resource group-related | eas:CreateResourceLog | Enable log shipper for dedicated resource groups. |
| Resource group-related | eas:DescribeResourceLog | View the status of log shipper for dedicated resource groups. |
| Resource group-related | eas:DeleteResourceLog | Disable log shipper for dedicated resource groups. |
| Stress testing-related | eas:CreateBenchmarkTask | Create a stress testing task. |
| Stress testing-related | eas:DeleteBenchmarkTask | Delete a stress testing task. |
| Stress testing-related | eas:DescribeBenchmarkTask | View the details of a stress testing task. |
| Stress testing-related | eas:DescribeBenchmarkTaskReport | View the report of a stress testing task. |
| Stress testing-related | eas:ListBenchmarkTask | View the list of stress testing tasks. |
| Stress testing-related | eas:StartBenchmarkTask | Start a stress testing task. |
| Stress testing-related | eas:StopBenchmarkTask | Stop a stress testing task. |
| Stress testing-related | eas:UpdateBenchmarkTask | Update a stress testing task. |
| Private gateway-related | eas:CreateGateway | Create a private gateway. |
| Private gateway-related | eas:DescribeGateway | View the details of a private gateway. |
| Private gateway-related | eas:UpdateGateway | Update a private gateway. |
| Private gateway-related | eas:CreateGatewayIntranetLinkedVpc | Create an internal endpoint of a private gateway. |
| Private gateway-related | eas:ListGatewayIntranetLinkedVpc | View internal endpoints of a private gateway. |
| Private gateway-related | eas:DeleteGatewayIntranetLinkedVpc | Delete an internal endpoint of a private gateway. |
| Private gateway-related | eas:DeleteGateway | Delete a private gateway. |
Resource
The Resource parameter in EAS is in the following format:
acs:eas:<region>:<uid>:<resource_type>/<id>
Replace the following parameters with actual values:
<region>: the region in which the model service or dedicated resource group is deployed.
<uid>: the UID of the account to which the resource belongs.
<resource_type>: the resource type. For example, if you want to manage resources related to model services, set the value to service. If you want to manage resources related to resource groups, set the value to resource.
<id>: the ID of the model service or dedicated resource group.
The following examples show the values of the Resource parameter in the following scenarios: managing model services deployed in public resource groups, managing model services deployed in dedicated resource groups, and managing dedicated resource groups.
Manage model services that are deployed in EAS
Manage a model service that is deployed in a public resource group
acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****
The value of Resource specifies the model service eas-m-u12fxt9ml1syoj**** that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.
acs:eas:cn-hangzhou:123456789012****:service/your_service_name
The value of Resource specifies the model service your_service_name that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.
Manage a model service that is deployed in a dedicated resource group
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/eas-m-iaskn1skn1us****
The value of Resource specifies the model service eas-m-iaskn1skn1us**** that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service
The value of Resource specifies the model service your_private_service that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.
Manage a dedicated resource group
acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****
The value of Resource specifies the dedicated resource group eas-r-jksauxqjsai8****. The dedicated resource group is deployed in the China (Beijing) region and belongs to the account named 123456789012****.
Use a wildcard character
You can use the asterisk (*) wildcard character in Resource to specify more than one resource.
The following examples show the values of Resource when wildcard characters are used:
acs:eas:*:123456789012****:service/*
The value of Resource specifies model services that belong to the account named 123456789012**** and are deployed in public resource groups across all regions.
acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*
The value of Resource specifies all model services that belong to the account named 123456789012**** and are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region.
acs:eas:*:123456789012****:*
The value of Resource specifies all resource groups and model services that belong to the account named 123456789012**** in all regions.
acs:eas:*:123456789012****:service/prefix*
The value of Resource specifies the model services that belong to the account named 123456789012****, are deployed in public resource groups in all regions, and have names that start with prefix.
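The least-privilege recommendation and the Resource wildcard rules described in this topic can be checked before a custom policy is attached. The following Python code is an added example, not part of the original topic or of any Alibaba Cloud tool. It assumes that eas:Describe* and eas:List* actions are read-only and that * matches any run of characters; the UID and IDs in the sample policy are constructed.

```python
import json
import re

# Resource format from this page: acs:eas:<region>:<uid>:<resource_type>/<id>
RESOURCE_RE = re.compile(r"^acs:eas:[^:]+:[^:]+:(\*|(service|resource)/.+)$")

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def is_read_only(action):
    # Assumption: eas:Describe* and eas:List* actions only view data,
    # as their descriptions in the Action table indicate.
    return action.startswith(("eas:Describe", "eas:List"))

def covers(pattern, resource):
    """True if a Resource pattern covers one concrete resource string."""
    # Assumption: '*' matches any run of characters, including ':' and '/'.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None

def audit(policy):
    """Flag Allow statements with malformed or over-broad Resource values."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        writes = [a for a in as_list(stmt["Action"]) if not is_read_only(a)]
        for res in as_list(stmt["Resource"]):
            if res != "*" and not RESOURCE_RE.match(res):
                findings.append((index, res, "malformed Resource"))
            elif "*" in res and writes:
                findings.append((index, res, "wildcard grants: " + ", ".join(writes)))
    return findings

# Constructed sample policy; the UID and service ID are made up.
SAMPLE = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "eas:CreateService", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["eas:DescribeService", "eas:UpdateService"],
     "Resource": ["acs:eas:cn-hangzhou:1234567890120000:service/eas-m-example1"]},
    {"Effect": "Allow", "Action": "eas:ListServices",
     "Resource": "acs:eas:*:1234567890120000:service/*"}
  ]
}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the first statement is reported: it pairs a write action with an unrestricted Resource, while the wildcard in the third statement is limited to a view action.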