Before you can access Elastic Algorithm Service (EAS) of Machine Learning Platform for AI as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user with your Alibaba Cloud account. This topic describes how to authorize a RAM user to access EAS.

Background information

You can authorize a RAM user to access EAS by using one of the following methods:
  • Grant a RAM user full permissions on EAS

    Use the system permission policy AliyunPAIEASFullAccess. The policy contains full permissions on EAS. After you attach the policy to the RAM user, the RAM user can use all features of EAS.

  • Grant a RAM user read-only permissions on EAS

    Use the system permission policy AliyunPAIEASReadOnlyAccess. The policy contains read-only permissions on EAS. After you attach the policy to the RAM user, the RAM user can query and view model services that are deployed in EAS.

  • Create a custom permission policy

    If the preceding methods do not meet your requirements, you can create a custom permission policy. For example, you can create a custom permission policy to authorize the RAM user to query and modify model services or dedicated resource groups that are deployed in EAS.

Grant a RAM user full permissions on EAS

This section describes how to authorize a RAM user to use all features of EAS.

  1. Navigate to the Add Permissions page.
  2. In the Add Permissions panel, set the following parameters:
    • Authorized Scope: Select Alibaba Cloud Account.
    • Principal: The system automatically enters the value. In most cases, you do not need to change the value.
    • Select Policy:
      1. Click System Policy.
      2. In the Authorization Policy Name column on the left side, click AliyunPAIEASFullAccess. The policy appears in the Selected list on the right side.
      Note: Object Storage Service (OSS) permissions are related to data security. Therefore, the AliyunPAIEASFullAccess permission policy does not contain OSS permissions. You must grant OSS permissions to the RAM user separately. For more information, see RAM Policy Editor.
  3. Click OK.

Grant a RAM user read-only permissions on EAS

This section describes how to authorize a RAM user to query and view model services that are deployed in EAS.

  1. Navigate to the Add Permissions page.
  2. In the Add Permissions panel, set the following parameters:
    • Authorized Scope: Select Alibaba Cloud Account.
    • Principal: The system automatically enters the value. In most cases, you do not need to change the value.
    • Select Policy:
      1. Click System Policy.
      2. In the Authorization Policy Name column on the left side, click AliyunPAIEASReadOnlyAccess. The policy appears in the Selected list on the right side.
  3. Click OK.

Navigate to the Add Permissions page

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

Create a custom permission policy

This section describes how to authorize a RAM user to query and modify model services or dedicated resource groups that are deployed in EAS by creating a custom permission policy.

  1. Log on to the RAM console.
  2. Create a custom permission policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Policy page, set the following parameters:
      • Policy Name: We recommend that you enter a policy name that reflects the permissions it grants and your business requirements.
      • Note: A description that helps you identify the policy.
      • Configuration Mode: Select Script.
      • Policy Document: Specify the policy content. Each permission policy can contain one or more permissions.
        Notice: We recommend that you follow the principle of least privilege when you specify the policy content.
        The following code block is an example of the policy content. Replace the <region>, <uid>, and service ID values in the Resource element with the actual values, as described in Policy descriptions.
        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "eas:CreateInstance",
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "eas:DescribeService",
                        "eas:DeleteService",
                        "eas:UpdateService",
                        "eas:UpdateServiceVersion"
                    ],
                    "Resource": [
                        "acs:eas:<region>:<uid>:service/eas-m-xxx1",
                        "acs:eas:<region>:<uid>:service/eas-m-xxx2"
                    ]
                }
            ]
        }
        For more information about the Action and Resource elements, see Policy descriptions.
    4. Click OK.
  3. Attach the custom permission policy to the RAM user.
    1. In the left-side navigation pane of the RAM console, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, set the following parameters:
      • Authorized Scope: Select Alibaba Cloud Account.
      • Principal: The system automatically enters the value. In most cases, you do not need to change the value.
      • Select Policy:
        1. Click Custom Policy.
        2. In the Authorization Policy Name column on the left side, click the custom permission policy that you created. The policy appears in the Selected list on the right side.
    4. Click OK.

Policy descriptions

Each permission policy contains the Action and Resource elements. The Action element specifies the operation that is allowed, and the Resource element specifies the resource on which the operation can be performed. The following sections describe the valid values of the Action and Resource elements.
  • Action
    Service-related actions
      eas:CreateService: Create model services.
      eas:ListServices: View model services.
      eas:DescribeService: View detailed information about model services.
      eas:DeleteService: Delete model services.
      eas:ListServiceInstances: View information about EAS instances.
      eas:DeleteServiceInstances: Restart EAS instances.
      eas:UpdateService: Update model services or add versions.
      eas:UpdateServiceVersion: Switch the versions of model services.
      eas:StartService: Start model services.
      eas:StopService: Stop model services.
      eas:CreateServiceAutoScaler: Enable auto scaling for model services.
      eas:DeleteServiceAutoScaler: Disable auto scaling for model services.
      eas:DescribeServiceAutoScaler: View the status of auto scaling.
      eas:UpdateServiceAutoScaler: Modify the configuration of auto scaling.
      eas:CreateServiceMirror: Create traffic mirror sessions.
      eas:DescribeServiceMirror: View the status of traffic mirror sessions.
      eas:UpdateServiceMirror: Modify the configurations of traffic mirror sessions.
      eas:DeleteServiceMirror: Close traffic mirror sessions.
      eas:ReleaseService: Set the traffic ratio for blue-green deployment.
      eas:DescribeServiceLog: View logs of model services.
    Resource group-related actions
      eas:CreateResource: Create dedicated resource groups.
      eas:DescribeResource: View basic information about dedicated resource groups.
      eas:ListResources: View dedicated resource groups.
      eas:DeleteResource: Delete dedicated resource groups.
      eas:UpdateResource: Update basic information about dedicated resource groups.
      eas:ListResourceInstances: View nodes of dedicated resource groups.
      eas:ListResourceInstanceWorker: View containers that are hosted on nodes of dedicated resource groups.
      eas:ListResourceServices: View model services that are deployed in dedicated resource groups.
      eas:CreateResourceInstances: Add nodes to dedicated resource groups.
      eas:DeleteResourceInstances: Remove nodes from dedicated resource groups.
      eas:UpdateResourceDLink: Update the status of Virtual Private Cloud (VPC) direct connections.
      eas:DescribeResourceDLink: View VPC direct connections of dedicated resource groups.
      eas:DeleteResourceDLink: Delete VPC direct connections of dedicated resource groups.
      eas:CreateResourceLog: Enable log shipper for dedicated resource groups.
      eas:DescribeResourceLog: View the status of log shipper for dedicated resource groups.
      eas:DeleteResourceLog: Disable log shipper for dedicated resource groups.
  • Resource
    In EAS, the Resource element is defined in the following format:
    acs:eas:<region>:<uid>:<resource_type>/<id>
    Replace the following parameters with actual values:
    • <region>: the region where the model service or dedicated resource group is deployed.
    • <uid>: the UID of the account to which the resource belongs.
    • <resource_type>: the resource type. For example, if you want to manage resources related to model services, set the value to service. If you want to manage resources related to resource groups, set the value to resource.
    • <id>: the ID of the model service or dedicated resource group.
    The following examples show the values of the Resource element in different scenarios: managing model services deployed in public resource groups, managing model services deployed in dedicated resource groups, and managing dedicated resource groups.
    • Manage model services that are deployed in EAS
      • Manage a model service that is deployed in a public resource group
        acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****
        The value of Resource specifies the model service eas-m-u12fxt9ml1syoj**** that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account 123456789012****.
      • Manage a model service that is deployed in a dedicated resource group
        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/eas-m-iaskn1skn1us****
        The value of Resource specifies the model service eas-m-iaskn1skn1us**** that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account 123456789012****.
    • Manage a dedicated resource group
      acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****
      The value of Resource specifies the dedicated resource group eas-r-jksauxqjsai8****. The dedicated resource group is deployed in the China (Beijing) region and belongs to the account 123456789012****.
    • Use a wildcard character

      You can use wildcard characters (*) in Resource to specify more than one resource.

      The following examples show the values of Resource that use wildcard characters:
      • acs:eas:*:123456789012****:service/*
        The value of Resource specifies model services that belong to the account 123456789012**** and are deployed in public resource groups across all regions.
      • acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*
        The value of Resource specifies all model services that belong to the account 123456789012**** and are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region.
      • acs:eas:*:123456789012****:*
        The value of Resource specifies all resource groups and model services that belong to the account 123456789012**** in all regions.
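The custom policy from the earlier section and the Resource formats described here can be checked offline before a policy is attached. The following Python is an added example, not Alibaba Cloud's own evaluation engine: it splits an EAS resource ARN into the fields listed above and evaluates a constructed least-privilege policy against sample requests, treating `*` as matching any run of characters and assuming RAM's rule that an explicit Deny overrides an Allow. The account UID and the resource and service IDs are made-up placeholders.

```python
import json
import re
from typing import Dict, List

ARN_RE = re.compile(r"^acs:eas:(?P<region>[^:]*):(?P<uid>[^:]*):(?P<path>.+)$")

def parse_eas_arn(arn: str) -> Dict[str, str]:
    """Split acs:eas:<region>:<uid>:<resource_type>/<id>[/service/<service_id>]."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an EAS resource ARN: {arn}")
    parts = m.group("path").split("/")
    info = {"region": m.group("region"), "uid": m.group("uid"),
            "resource_type": parts[0], "id": parts[1] if len(parts) > 1 else ""}
    if parts[0] == "resource" and len(parts) == 4 and parts[2] == "service":
        info["service_id"] = parts[3]  # service deployed in a dedicated group
    return info

def glob_match(pattern: str, value: str) -> bool:
    """RAM-style matching: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]

def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request. Assumed RAM semantics: an explicit Deny wins over
    any Allow, and a request with no matching Allow statement is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(glob_match(a, action) for a in _as_list(stmt["Action"]))
               and any(glob_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

# Constructed least-privilege policy (UID and IDs are made-up placeholders):
# list every service, but describe/update only services inside one dedicated group.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "eas:ListServices", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["eas:DescribeService", "eas:UpdateService", "eas:UpdateServiceVersion"],
     "Resource": "acs:eas:cn-hangzhou:1234567890123456:resource/eas-r-demo01/*"}
  ]
}""")
```

Because `json.loads` is strict, it also rejects `//` comments and trailing commas that a hand-edited policy document may contain.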