If a RAM user does not have the required permissions to use or manage Alibaba Cloud Model Studio, you can assign a RAM role with the necessary permissions to the user. The user can then assume this role to use or manage Model Studio.
If you are unfamiliar with concepts such as RAM users, workspaces, and permissions, first read Configure permissions for team collaboration.
You can use an Alibaba Cloud account to perform the following operations. If you use a RAM user, you must grant the AliyunRAMFullAccess system policy to the RAM user. For more information, see Grant permissions to a RAM user.
Background information
Model Studio supports the following logon methods:
Log on with an Alibaba Cloud account or a RAM user
You can log on to and use Model Studio with an Alibaba Cloud account or a RAM user. After an account is added as a member of a Model Studio workspace, you can log on to the Model Studio console with your account and password. You can then use Model Studio with the permissions of the logged-on account.
Log on with a RAM role
Some enterprise users prefer to log on using role-based single sign-on (SSO) to use Model Studio. After a RAM role becomes a member of a Model Studio workspace, a user who assumes the role has the same Model Studio permissions as an account member.
Procedure
The following figure shows the complete process, which includes creating a RAM user, granting permission to assume a role, and using Model Studio.
Step 1: Create a RAM user
For more information, see Create a RAM user. If the RAM user already exists, you can skip this step.
Step 2: Create a RAM role
You can create a RAM role in either of the following ways:
To assume the role by switching identities in the Alibaba Cloud console, see Create a RAM role for a trusted Alibaba Cloud account.
To implement role-based SSO between your enterprise identity provider (IdP) and Alibaba Cloud, see Create a RAM role for a trusted identity provider and Overview of SSO.
Step 3: Grant a RAM user the permission to assume a role
If you chose to assume the RAM role using an enterprise IdP account in the previous step, you can skip this step.
After you create the RAM user and RAM role, you must grant the RAM user permission to assume the RAM role. You can choose one of the following methods:
Method 1: Allow the RAM user to assume all RAM roles.
Method 2: Allow the RAM user to assume only a specific RAM role.
Method 2 provides more fine-grained access control. Method 1 is simpler to configure.
Allow the RAM user to assume all RAM roles
In the RAM console, select from the left navigation pane.
In the Actions column for the RAM user, click Add Permissions.

On the Grant Permission page, set Resource Scope to Account. In the Policy section, search for and select the AliyunSTSAssumeRoleAccess system policy. Click Grant permissions. Learn how to revoke permissions.
Allow the RAM user to assume a specific RAM role
In the left navigation pane of the RAM console, select .
Click Create Policy.

On the JSON tab, enter the following content. Replace acs:ram:*:<account-id>:role/<role-name> with the Alibaba Cloud Resource Name (ARN) of the role that you created in Step 2. For more information about how to view the role ARN, see FAQ about RAM roles and STS tokens.
An ARN is the Global Resource Descriptor of a RAM role and is used to specify the role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram:*:<account-id>:role/<role-name>"
    }
  ],
  "Version": "1"
}
Click OK. Enter a name and description for the policy, and then complete the creation.
Grant the custom policy to the RAM user. The user can then assume the permissions of this RAM role. For more information, see Grant permissions to a RAM user.
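The following check is an added example, not part of the original documentation: it reads a RAM policy document and reports whether its sts:AssumeRole grant is scoped to one role (Method 2) or covers every role (Method 1). The account ID, role name, function names, and both sample policies are constructed for illustration.

```python
import json
import re

# Role ARN shape from the policy above: acs:ram:*:<account-id>:role/<role-name>
ROLE_ARN = re.compile(r"^acs:ram:\*:(?P<account>[^:*]+):role/(?P<role>.+)$")


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def _covers_assume_role(action):
    """True if an action pattern (with * wildcards) matches sts:AssumeRole."""
    # Assumption: compare case-insensitively so odd casing is still flagged.
    pattern = re.escape(action.lower()).replace(r"\*", ".*")
    return re.fullmatch(pattern, "sts:assumerole") is not None


def audit_assume_role(policy_json):
    """Return (resource, finding) pairs for every Allow on sts:AssumeRole."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers_assume_role(a) for a in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            m = ROLE_ARN.match(resource)
            if m is None:
                findings.append((resource, "broad: not a role ARN"))
            elif "*" in m["role"]:
                findings.append((resource, "broad: wildcard role name"))
            else:
                findings.append((resource, "scoped: single role"))
    return findings


# Constructed samples: an allow-all grant and a grant scoped to one role.
ALLOW_ALL = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}'
SCOPED = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "acs:ram:*:1234567890123456:role/model-studio-operator"}]})

if __name__ == "__main__":
    for name, doc in (("allow-all", ALLOW_ALL), ("scoped", SCOPED)):
        print(name, audit_assume_role(doc))
```

Running it over the custom policies attached to a RAM user shows which grants still allow assuming any role in the account.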
Step 4: Grant workspace permissions to the RAM role
You must perform this operation as an Alibaba Cloud account or a RAM user with management permissions (global management).
You can specify which workspaces the RAM role can access and use.
Go to the Accounts (Singapore or Beijing) page, click Add User, and then configure the following parameters.
If the RAM role already exists in Accounts, click Permissions in the Actions column to grant permissions.
Type: Select RAM Role.
RAM Role: Select the RAM role that you just created.
Display Name: Enter a name for the RAM role to be used in Model Studio.
Click OK. The added RAM role appears in the list.
Click Permissions to the right of the role, and then click + next to Permission. Follow the wizard to select the workspace and the console pages that the role can access.
Administrator: This role allows users to access all features in the assigned workspace, except for the features accessible from the button in the top-right corner of the page (which opens the System (Singapore or Beijing) page).
Click Complete. The authorization takes effect immediately.
See Assume a RAM role in the console to switch your RAM user identity. After you switch your identity, log on to the Model Studio console (Singapore or Beijing) by assuming the role. You can then access and use the corresponding workspace. You can also switch workspaces in the console.
Step 5 (Optional): Grant API permissions to the RAM role
If the RAM user needs to call the APIs for features such as knowledge base and prompt engineering, you must also configure data permissions for the RAM role.
In the left navigation pane of the RAM console, select .
In the Actions column for the role, click Grant Permission.

Set Resource Scope to Account. In the Policy section, search for and select AliyunBailianDataFullAccess or AliyunBailianDataReadOnlyAccess. Click Grant permissions. Learn how to revoke permissions.
To avoid unnecessary security risks, grant only the least privilege required for the role to perform its tasks.
System policy name | Permission description
AliyunBailianDataFullAccess | Can call all APIs in the API catalog.
AliyunBailianDataReadOnlyAccess | Can call read-only APIs in the API catalog, such as DescribeFile and GetIndexJobStatus. Cannot call create, delete, or modify APIs in the API reference, such as Retrieve, AddFile, and CreateIndex.
Step 6 (Optional): Grant Model Studio management permissions to the RAM role
If the RAM user needs to manage all Model Studio workspaces, accounts, and API keys under the Alibaba Cloud account, you must also configure team collaboration permissions for the RAM role.
In the left navigation pane of the RAM console, select .
In the Actions column for the role, click Grant Permission.

Set Resource Scope to Account. In the Policy section, search for and select AliyunBailianFullAccess. Click Grant permissions to grant the permission. Learn how to revoke permissions.