If you are a first-time user of Deep Learning Containers (DLC), you must first assign a service-linked role to DLC so that DLC can access the required resources. In addition, if you use Object Storage Service (OSS) for storage, you must grant the service-linked role of DLC the permissions to access OSS. This topic describes how to grant permissions to a service-linked role of DLC.

Background information

Before you use DLC, you must grant the account that you use the permissions to manage DLC and OSS. In addition, Machine Learning Platform for AI allows you to grant Resource Access Management (RAM) users fine-grained permissions to manage DLC jobs by using workspaces. Before you use DLC, you must grant Machine Learning Platform for AI the permissions to manage OSS and Apsara File Storage NAS (NAS) that are used for storage. For more information, see the following sections:

Grant your RAM user the permissions to manage DLC

Make sure that the RAM user that you use has the permissions to manage DLC. This ensures that DLC can provide service as normal. You need to grant the RAM user the permissions when you activate PAI and create the default workspace. To check whether the RAM user has the permissions to manage DLC, see the section "Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC". If the RAM user does not have the required permissions, perform the following steps to grant them.

  1. Go to the DLC tab.
    1. Log on to the Machine Learning Platform for AI console.
    2. In the left-side navigation pane, choose Resource Management > Resource Platforms to go to the DLC tab.
  2. Assign the AliyunPAIDLCDefaultRole role to the RAM user.
    1. Click Authorize Now to go to the Cloud Resource Access Authorization page.
    2. Click Confirm Authorization Policy. A message that indicates the role is assigned to the RAM user appears.
  3. Grant the AliyunOSSFullAccess permission to the AliyunPAIDLCDefaultRole role.
    After you complete the preceding steps, the RAM user that you use has the permissions of the DLC default role. You must also grant the RAM user the permissions to manage OSS so that DLC can work as normal. This section describes the procedure.
    1. Log on to the RAM console and choose Identities > Roles. On the Roles page, find the AliyunPAIDLCDefaultRole role. For more information, see View the information about a RAM role.
    2. Click Add Permissions in the Actions column corresponding to the AliyunPAIDLCDefaultRole role.
    3. In the Add Permissions panel, configure the following parameters.
      Parameter: Description
      Authorized Scope: Select Alibaba Cloud Account. The following authorization scopes are supported:
      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
      Principal: The RAM role to which you want to grant permissions. The system automatically specifies AliyunPAIDLCDefaultRole. You do not need to modify the parameter.
      Select Policy: Click System Policy and enter OSS in the field below System Policy. Click one or more policies as needed in the search result. The policies that you click are displayed in the Selected section.
      Note: In this example, the AliyunOSSFullAccess policy is attached to the role. In actual scenarios, you must grant permissions based on the principle of least privilege.
    4. Click OK.
  4. Add the PaiDlcOAuthPolicy permission to the AliyunPAIDLCDefaultRole role so that DLC can work as normal. Perform the following steps:
    1. Find the AliyunPAIDLCDefaultRole role and click Add Permissions in the Actions column.
    2. In the Add Permissions panel, add the PaiDlcOAuthPolicy permission by following the instructions in the figure.
      [Figure: DLC permissions]
  5. View the authorization result.
    After you complete the preceding steps, click AliyunPAIDLCDefaultRole to check whether the policies that are attached to the role are correct.
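
The note in step 3 asks for least privilege in place of AliyunOSSFullAccess. The following added example (not part of the original documentation) checks a RAM policy document for OSS grants that are wider than a single bucket; both sample policies, the bucket name example-dlc-bucket and the three listed actions are constructed assumptions, not the set of permissions that DLC requires.

```python
import json

# Constructed sample documents in RAM policy syntax (not exported from an account).
# BROAD has the allow-everything shape; SCOPED is a hypothetical custom policy.
BROAD = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
""")
SCOPED = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow",
   "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
   "Resource": ["acs:oss:*:*:example-dlc-bucket",
                "acs:oss:*:*:example-dlc-bucket/*"]}]}
""")


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def broad_oss_findings(policy):
    """Return (statement index, problem, values) for over-broad OSS grants."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if not any(a == "*" or a.lower().startswith("oss:") for a in actions):
            continue  # statement does not grant anything on OSS
        wild_actions = [a for a in actions if a.lower() in ("*", "oss:*")]
        # Unscoped: bare "*" or an ARN whose bucket segment is a wildcard.
        wild_resources = [r for r in resources
                          if r == "*" or r.split(":")[-1].startswith("*")]
        if wild_actions:
            findings.append((index, "all OSS actions allowed", wild_actions))
        if wild_resources:
            findings.append((index, "not limited to a bucket", wild_resources))
    return findings


if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, broad_oss_findings(doc) or "no broad OSS grants")
```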

Grant a RAM user specific permissions to manage DLC jobs

The Alibaba Cloud account can grant RAM users the permissions to manage DLC jobs, such as creating jobs, viewing job details, cloning jobs, stopping jobs, sharing jobs, and deleting jobs. Use the following information to grant the permissions to a RAM user:
  • To grant a RAM user the permissions to manage self-created DLC jobs, you must assign the Administrator, Algorithm Developer, and Algorithm Operator roles to the RAM user in the corresponding workspace. For more information, see Manage the members of a workspace.
  • To grant a RAM user the permissions to manage DLC jobs that are created by other accounts, you must assign the Administrator and Algorithm Operator roles to the RAM user in the corresponding workspace. For more information, see Manage the members of a workspace.

Grant Machine Learning Platform for AI the permissions to access OSS and NAS

You can grant Machine Learning Platform for AI the permissions to access OSS and NAS with a few clicks. To grant Machine Learning Platform for AI the permissions to access OSS, perform the following steps:
Note: You cannot access DLC by using a RAM role. You can grant DLC the permissions to access OSS only by using the following method.
  1. Log on to the Machine Learning Platform for AI console.
  2. In the left-side navigation pane, choose Resource Management > Dependent Services. In the DSW section, find OSS and NAS.
  3. View the authorization details of OSS in the Actions column.
    • If Machine Learning Platform for AI is not granted the permissions to access OSS, click Authorize Now in the Actions column and grant the permissions to Machine Learning Platform for AI by following the on-screen instructions.
    • If Machine Learning Platform for AI is granted the permissions to access OSS, click View Authorization in the Actions column to view the authorization details.

Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC

To ensure that DLC can provide services as normal, you must use your Alibaba Cloud account to assign the AliyunPAIDLCDefaultRole role to DLC. Perform the following steps:
Note: Only Alibaba Cloud accounts can assign the role. RAM users cannot assign the role.
  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the search box of the Roles page, search for AliyunPAIDLCDefaultRole.
    • If the role is displayed in the search result, the role is assigned to DLC.
    • If the role is not displayed in the search result, you must grant the role to DLC.