If you want to use a RAM user to manage model services or dedicated resource groups, you must first use your Alibaba Cloud account to grant permissions to the RAM user. This topic describes how to grant RAM users the permissions to perform operations on Elastic Algorithm Service (EAS) of Machine Learning Platform for AI (PAI), purchase dedicated resource groups, deploy models as services, and access Object Storage Service (OSS).

Background information

The following table describes the permissions on EAS.
Object | Permission name | Permission description
Model services | eas:EditInstance | The write permissions that allow you to create, update, and delete model services.
Model services | eas:ListInstance | The list query permissions that allow you to view the list of model services on the Elastic Algorithm Service page.
Model services | eas:ReadInstance | The read permissions that allow you to view the monitoring results, logs, endpoints, and online debugging data of model services.
Model services | eas:OperateInstance | The operation permissions that allow you to start and stop model services and configure traffic distribution.
Resource groups | eas:ListResourceGroup | The list query permissions that allow you to view the list of resource groups on the Elastic Algorithm Service page. When you deploy a service, you can query and use resource groups.
Resource groups | eas:ReadResourceGroup | The read permissions that allow you to go to the details page of a resource group and view the number, models, and status of the servers in the resource group.
Resource groups | eas:OperateResourceGroup | The operation permissions that allow you to purchase and create or delete a resource group, renew a pay-as-you-go resource group, scale out or in a pay-as-you-go resource group, and enable or disable direct connection to your virtual private cloud (VPC).
The following content shows definitions of a policy:
  • A policy is the basic unit for the Alibaba Cloud account to grant permissions to RAM users.
  • A policy can contain one or more permissions.
  • An Alibaba Cloud account identifies policies based on policy names and grants permissions to RAM users by attaching policies.
  • Alibaba Cloud supports system policies and custom policies. You can define custom policies to meet specific needs of using Alibaba Cloud services. In EAS, all policies are custom policies.
EAS uses OSS as a data store. Therefore, to use EAS, RAM users must have access permissions on OSS. For more information, see the "Use custom policies to grant access permissions on OSS to a RAM user" section. In addition, you can grant other permissions to RAM users as required in the following scenarios:

Grant a RAM user the permissions to perform operations on EAS

In EAS, all policies are service-specific. Therefore, you must create a custom policy before you grant permissions to a RAM user.

  1. Log on to the Resource Access Management (RAM) console.
  2. Create a custom policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters.
      Parameter | Description
      Policy Name | We recommend that you name a policy based on the required permissions and business needs.
      Note | The description of the policy. The description helps differentiate this policy from other policies.
      Configuration Mode | Select Script.
      Policy Document | In the code editor below Policy Document, define the policy based on the permissions on EAS. A policy can contain one or more permissions.
      Notice: We recommend that you define the policy based on the minimum permissions required by the RAM user.
      For example, if you want to grant the permissions on model services and resource groups to the RAM user, you can set the Policy Name parameter to Model&ResourceGroup and set the Policy Document parameter by entering the following code. After you attach the Model&ResourceGroup policy to the RAM user by using the Alibaba Cloud account, the RAM user has all the permissions on model services and resource groups.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "eas:ReadInstance",
                      "eas:ListInstance",
                      "eas:EditInstance",
                      "eas:OperateInstance",
                      "eas:ListResourceGroup",
                      "eas:ReadResourceGroup",
                      "eas:OperateResourceGroup"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    4. Click OK.
  3. Attach the custom policy to a RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to whom you want to grant permissions and click Add Permissions in the Actions column.
    3. Optional: In the Add Permissions panel, set the parameters.
      Parameter | Description
      Authorized Scope | Select Alibaba Cloud Account.
      Principal | The system automatically enters the value. You do not need to change the value.
      Select Policy | 1. Click Custom Policy. 2. In the Authorization Policy Name column on the left side, click the name of the policy that you defined, such as Model_R&W. The policy name appears in the Selected section on the right side.
    4. Click OK.

Grant a RAM user the permissions to purchase dedicated resource groups

If a RAM user needs to purchase and create dedicated resource groups, you must grant the eas:OperateResourceGroup and AliyunFinanceConsoleFullAccess permissions to the RAM user. Otherwise, the RAM user cannot place orders and complete payment. The AliyunFinanceConsoleFullAccess permission is a system policy. Therefore, you can grant this permission to the RAM user without the need to create a custom policy.

  1. Log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to whom you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, set the parameters.
    Parameter | Description
    Authorized Scope | Select Alibaba Cloud Account.
    Principal | The system automatically enters the value. You do not need to change the value.
    Select Policy | 1. Click System Policy. 2. In the Authorization Policy Name column on the left side, click AliyunFinanceConsoleFullAccess. The policy appears in the Selected section on the right side.
  5. Click OK.

Grant a RAM user the permissions to deploy models as services

If a RAM user needs to deploy models as services, you must attach a custom policy to the RAM user and bind the AccessKey pair of the RAM user to the tenant system of DTplus. You can use your Alibaba Cloud account to view the AccessKey ID of the RAM user on the details page of the RAM user. Then, obtain the AccessKey secret based on the AccessKey ID and inform the RAM user of the AccessKey pair.

  1. Use your Alibaba Cloud account to obtain the AccessKey pair of the RAM user.
    1. Log on to the RAM console by using an Alibaba Cloud account.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, click the logon name of the RAM user in the User Logon Name/Display Name column.
    4. On the details page of the RAM user, view the AccessKey ID of the RAM user in the User AccessKeys section. Then, obtain the AccessKey secret based on the AccessKey ID.
      If the RAM user does not have an AccessKey pair, click Create AccessKey Pair to create one for the RAM user.
  2. Go to the DTplus console. On the Personal Information page, bind the AccessKey pair of the RAM user. For more information, see Update personal information.

Use custom policies to grant access permissions on OSS to a RAM user

After a security upgrade, PAI supports more secure access to OSS data. You can configure custom policies to grant RAM users the permissions to access OSS data in the PAI console.

  1. On the Create Custom Policy page, set the parameters.
    Parameter | Description
    Policy Name | We recommend that you name a policy based on the required permissions and business needs.
    Note | The description of the policy. The description helps differentiate this policy from other policies.
    Configuration Mode | Select Script.
    Policy Document | OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see Overview.
    Notice: We recommend that you define the policy based on the minimum permissions required by the RAM user.
    To use OSS data in the PAI console, you may need the permissions on common operations such as the permissions to access, read data from, and write data to an OSS bucket. We recommend that you grant permissions to the RAM user based on the following sample custom policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:PutObject",
            "oss:AbortMultipartUpload",
            "oss:GetBucketCors",
            "oss:DeleteBucketCors"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    Replace <yourBucketName> in the preceding sample custom policy with the name of the OSS bucket for which you want to grant permissions.
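The following Python is an added example, not code from this topic or from Alibaba Cloud tooling. It assembles least-privilege EAS and OSS policy documents from the actions listed on this page (the EAS custom policy above and the OSS sample policy here) and lints a document for the mistakes the notices warn about: duplicate or wildcard actions, unknown eas: actions, OSS object actions granted on every bucket, and an unreplaced <yourBucketName> placeholder. The role grouping and finding texts are this example's own assumptions.

```python
# EAS actions listed on this page, grouped by the least-privilege role they support
# (the role names are this example's own grouping, not RAM system roles).
EAS_ACTIONS = {
    "viewer": ["eas:ListInstance", "eas:ReadInstance",
               "eas:ListResourceGroup", "eas:ReadResourceGroup"],
    "operator": ["eas:OperateInstance"],
    "editor": ["eas:EditInstance"],
    "rg_admin": ["eas:OperateResourceGroup"],
}
# OSS actions from the sample policy on this page; these are bucket-scoped.
OSS_OBJECT_ACTIONS = ["oss:GetObject", "oss:ListObjects", "oss:DeleteObject", "oss:ListParts",
                      "oss:PutObject", "oss:AbortMultipartUpload", "oss:GetBucketCors",
                      "oss:DeleteBucketCors"]

def build_eas_policy(roles):
    """Grant only the EAS actions the requested roles need, without duplicates."""
    actions = []
    for role in roles:
        actions += [a for a in EAS_ACTIONS[role] if a not in actions]
    return {"Version": "1", "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def build_oss_policy(bucket):
    """Fill in the page's OSS template for one named bucket; only ListBuckets stays global."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(OSS_OBJECT_ACTIONS),
         "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]},
        {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"}]}

def lint_policy(policy):
    """Return the findings a reviewer would raise before attaching the policy to a RAM user."""
    findings, known = [], {a for acts in EAS_ACTIONS.values() for a in acts}
    for i, stmt in enumerate(policy.get("Statement", [])):
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if len(set(acts)) != len(acts):
            findings.append(f"statement {i}: duplicate actions")
        for a in acts:
            if a.startswith("eas:") and a not in known:
                findings.append(f"statement {i}: unknown EAS action {a}")
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
        # Object-level OSS actions on Resource "*" expose every bucket in the account.
        if "*" in res and any(a.startswith("oss:") and a != "oss:ListBuckets" for a in acts):
            findings.append(f"statement {i}: OSS object actions granted on every bucket")
        if any("<yourBucketName>" in r for r in res):
            findings.append(f"statement {i}: placeholder bucket name not replaced")
    return findings
```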
  2. Click OK.