
Platform For AI: Grant the permissions that are required to use DLC

Last Updated: Feb 20, 2024

The first time you use Deep Learning Containers (DLC) of Platform for AI (PAI), you need to assign a service-linked role to DLC to allow DLC to access the required resources. If you use Object Storage Service (OSS) for storage, you need to grant the service-linked role of DLC the permissions to access OSS. This topic describes how to grant permissions to a DLC service-linked role.

Background information

Before you use DLC, you must grant the account that you use the permissions to manage DLC and OSS. PAI allows you to grant fine-grained permissions to Resource Access Management (RAM) users to manage DLC jobs by using workspaces. Before you use DLC, you must authorize PAI to manage OSS and Apsara File Storage NAS (NAS). For more information, see the following sections:

Grant permissions to the operation account

DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.

  • PAI module: DLC

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required.

    N/A

    RAM user (Recommended)

    PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, go to the Roles and Permissions page.

    Manage members of the workspace

  • Dependent cloud service: NAS

    You need to activate and authorize NAS for data storage.

    Scenario

    Description

    Reference

    Activate NAS

    We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.

    Use NAS

    Use NAS after activation:

    • Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a NAS file system and mount it to an instance of PAI.

  • Dependent cloud service: OSS

    You need to activate and authorize OSS for data storage.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

Grant permissions to the service-linked role

Grant DLC permissions to an Alibaba Cloud account

Before you start to use DLC, make sure that the Alibaba Cloud account that you use has the permissions to manage DLC. In most cases, you are prompted to perform authorization when you activate PAI. For more information, see Activate PAI and create the default workspace. You can check whether your Alibaba Cloud account has the operation permissions on DLC. For more information, see the "Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC" section in this topic. If the account does not have the required permissions, refer to the following section to grant the required permissions to the Alibaba Cloud account.

  1. Go to the General Computing Resources tab.

    1. Log on to the PAI console.

    2. In the left-side navigation pane, choose AI Computing Resources > Resource Pool.

    3. On the Resource Pool page, click General Computing Resources.

  2. Assign the AliyunPAIDLCDefaultRole role to the RAM user.

    1. Click Authorize Now to go to the Cloud Resource Access Authorization page.

    2. Click Confirm Authorization Policy. A message indicating that the role is assigned to the RAM user appears.

  3. Grant the AliyunOSSFullAccess permission to the AliyunPAIDLCDefaultRole role.

    After you complete the preceding steps, the account that you use has the permissions of the DLC default role. You also need to grant the account the permissions to manage OSS to ensure that DLC can work as expected. Perform the following steps.

    1. Log on to the RAM console and choose Identities > Roles. On the Roles page, find the AliyunPAIDLCDefaultRole role. For more information, see View the information about a RAM role.

    2. In the Actions column, click Add Permissions.

    3. In the Add Permissions panel, configure the following parameters.

      Parameter

      Description

      Authorized Scope

      Select Alibaba Cloud Account. The following authorization scopes are supported:

      • Alibaba Cloud Account: The authorization takes effect for all resources in the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect in a specific resource group.

      Principal

      The RAM role to which you want to grant permissions. The system automatically specifies AliyunPAIDLCDefaultRole. You do not need to change the value.

      Select Policy

      Click System Policy and enter OSS in the field below System Policy. Select one or more policies from the search result based on your requirements. The policies that you select are displayed in the Selected section.

      Note

      In this example, the AliyunOSSFullAccess policy is attached to the role. In actual scenarios, you need to grant permissions based on the principle of least privilege.

    4. Click OK.

  4. Add the PaiDlcOAuthPolicy policy to the AliyunPAIDLCDefaultRole role to ensure that DLC can work as expected. Perform the following steps.

    1. Create a custom policy named PaiDlcOAuthPolicy and configure the key parameters. The following table describes the parameters. For more information, see the "Create a custom policy on the JSON tab" section in the Create a custom policy topic.

      Parameter

      Description

      JSON

      Click the JSON tab and enter the following content:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ram:GetDefaultDomain",
              "ram:ListApplications",
              "ram:CreateApplication",
              "ram:ListAppSecretIds",
              "ram:GetAppSecret",
              "ram:CreateAppSecret",
              "ram:DeleteApplication",
              "ram:DeleteAppSecret"
            ],
            "Resource": [
              "*"
            ],
            "Effect": "Allow"
          }
        ]
      }

      Name

      Set the name to PaiDlcOAuthPolicy.

    2. Find the AliyunPAIDLCDefaultRole role and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, follow the instructions that are shown in the following figure to add the PaiDlcOAuthPolicy policy.

      image.png

  5. View the authorization result.

    After you complete the preceding operations, click AliyunPAIDLCDefaultRole to check whether the policy that is attached to the role is accurate.
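
The note in step 3 asks for least privilege instead of AliyunOSSFullAccess, and the PaiDlcOAuthPolicy document in step 4 uses "Resource": "*". The following added example (not part of the original documentation or of any Alibaba Cloud tooling) audits RAM policy documents for over-broad Allow statements before they are attached to AliyunPAIDLCDefaultRole. The bucket name example-dlc-bucket, the chosen OSS actions and the full-access stand-in are assumptions constructed for illustration.

```python
# Constructed stand-in for a full-access grant (every OSS action, every resource).
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

# Constructed bucket-scoped alternative; "example-dlc-bucket" is a placeholder.
SCOPED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-dlc-bucket"]},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:example-dlc-bucket/*"]}]}

# PaiDlcOAuthPolicy as given on this page: named actions, Resource "*".
PAI_DLC_OAUTH = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": ["*"],
    "Action": ["ram:GetDefaultDomain", "ram:ListApplications",
               "ram:CreateApplication", "ram:ListAppSecretIds",
               "ram:GetAppSecret", "ram:CreateAppSecret",
               "ram:DeleteApplication", "ram:DeleteAppSecret"]}]}

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    """Return (risk, findings); risk is 'high', 'medium' or 'ok'."""
    findings, risk = [], "ok"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        wild_actions = [a for a in as_list(stmt.get("Action", [])) if "*" in a]
        # A bare "*" or an ARN whose resource part is "*" matches everything.
        all_resources = any(r.split(":", 4)[-1] == "*"
                            for r in as_list(stmt.get("Resource", [])))
        if wild_actions:
            findings.append(f"statement {i}: wildcard action {wild_actions}")
        if all_resources:
            findings.append(f"statement {i}: applies to all resources")
        if wild_actions and all_resources:
            risk = "high"
        elif (wild_actions or all_resources) and risk == "ok":
            risk = "medium"
    return risk, findings

if __name__ == "__main__":
    for name, doc in [("full access", FULL_ACCESS), ("scoped", SCOPED),
                      ("PaiDlcOAuthPolicy", PAI_DLC_OAUTH)]:
        print(name, *audit(doc), sep=" | ")
```

The audit does not interpret NotAction, NotResource or Condition elements, so a policy that uses them still needs manual review.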

Grant PAI the permissions to access OSS and NAS

You can authorize PAI to access OSS and NAS with a few clicks. Perform the following steps.

Note

You cannot access DLC by using a RAM role. You can authorize DLC to access OSS only by using the following method.

  1. Log on to the PAI console.

  2. In the left-side navigation pane, choose Activation & Authorization > Dependent Services. In the DLC section, find OSS and NAS.

  3. View the authorization details of OSS in the Actions column.

    • If PAI is not authorized to access OSS, click Authorize Now in the Actions column and authorize PAI by following the on-screen instructions.

    • Otherwise, click View Authorization in the Actions column to view the authorization details.

Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC

To use DLC as expected, you need to use your Alibaba Cloud account to assign the AliyunPAIDLCDefaultRole role to DLC. Perform the following steps:

Note

Only Alibaba Cloud accounts can assign the role. RAM users cannot assign the role.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. In the search box on the Roles page, search for AliyunPAIDLCDefaultRole.

References

After you complete the authorization, you can create a DLC job to train the model. For more information, see Submit training jobs.