RAM authorization - Platform For AI - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Platform for AI for RAM permission policies. The RAM code (RamCode) for Platform for AI is paiplugin,eas,pai,datasetacc,featurestore,paidlc,paiitag,paidesigner,paitraining,paiartlab,paicomponentmanagement , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Platform for AI. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
eas:StartBenchmarkTask	StartBenchmarkTask		*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:CreateGatewayIntranetLinkedVpcPeer	CreateGatewayIntranetLinkedVpcPeer	create	All Resource ``	None	None
eas:ListServiceInstances	ListServiceInstances	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeService	DescribeService	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CreateVirtualResource	CreateVirtualResource	create	VirtualResource `acs:eas:{#regionId}:{#accountId}:virtualresource/`	None	None
eas:ListVirtualResources	ListVirtualResource	list	VirtualResource `acs:eas:{#regionId}:{#accountId}:virtualresource/`	None	None
eas:DetachGatewayDomain	DetachGatewayDomain	delete	All Resource ``	None	None
eas:DeleteResource	DeleteResource	delete	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:DeleteGatewayIntranetLinkedVpcPeer	DeleteGatewayIntranetLinkedVpcPeer	delete	All Resource ``	None	None
eas:CreateResourceLog	CreateResourceLog	create	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:DeleteServiceInstances	DeleteServiceInstances	delete	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:StopService	StopService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeVirtualResource	DescribeVirtualResource	get	*VirtualResource `acs:eas:{#regionId}:{#accountId}:virtualresource/{#VirtualResourceId}`	None	None
eas:CreateServiceMirror	CreateServiceMirror	create	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListGatewayIntranetLinkedVpcPeer	ListGatewayIntranetLinkedVpcPeer	list	All Resource ``	None	None
eas:UpdateVirtualResource	UpdateVirtualResource	update	*VirtualResource `acs:eas:{#regionId}:{#accountId}:virtualresource/{#VirtualResourceId}`	None	None
eas:DeleteServiceMirror	DeleteServiceMirror	delete	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListGatewayIntranetLinkedVpc	ListGatewayIntranetLinkedVpc	list	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:ListServiceContainers	ListServiceContainers	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CreateServiceAutoScaler	CreateServiceAutoScaler	create	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:UpdateService	UpdateService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteGateway	DeleteGateway	delete	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:UpdateGroup	UpdateGroup	update	All Resource ``	None	None
eas:CreateResourceInstances	CreateResourceInstances	create	*ResourceInstance `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:DescribeResourceLog	DescribeResourceLog	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:CreateGatewayIntranetLinkedVpc	CreateGatewayIntranetLinkedVpc	create	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:DescribeServiceInstanceDiagnosis	DescribeServiceInstanceDiagnosis	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:StartService	StartService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteGatewayIntranetLinkedVpc	DeleteGatewayIntranetLinkedVpc	delete	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:DescribeResource	DescribeResource	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:ListAclPolicy	ListAclPolicy	list	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:DeleteServiceAutoScaler	DeleteServiceAutoScaler	delete	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeServiceLog	DescribeServiceLog	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListGroups	ListGroups	get	All Resource ``	None	None
eas:DescribeServiceMirror	DescribeServiceMirror	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListServices	ListServices	get	Service `acs:eas:{#regionId}:{#accountId}:service/`	None	None
eas:ListGatewayIntranetSupportedZone	ListGatewayIntranetSupportedZone	get	All Resource ``	None	None
eas:DescribeGateway	DescribeGateway	get	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:CreateResource	CreateResource	create	Resource `acs:eas:{#regionId}:{#accountId}:resource/`	None	None
eas:UpdateResource	UpdateResource	update	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#resourceId}`	None	None
eas:DescribeGroup	DescribeGroup	get	All Resource ``	None	None
eas:DescribeServiceDiagnosis	DescribeServiceDiagnosis	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListResources	ListResources	get	Resource `acs:eas:{#regionId}:{#accountId}:resource/`	None	None
eas:ListGateway	ListGateway	list	All Resource ``	None	None
eas:AttachGatewayDomain	AttachGatewayDomain	update	All Resource ``	None	None
eas:DevelopService	DevelopService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:ListTenantAddons	ListTenantAddons	get	All Resource ``	None	None
eas:CreateAclPolicy	CreateAclPolicy	create	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:UpdateServiceLabel	UpdateServiceLabel	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeServiceAutoScaler	DescribeServiceAutoScaler	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeGroupEndpoints	DescribeGroupEndpoints	get	All Resource ``	None	None
eas:DescribeServiceEndpoints	DescribeServiceEndpoints	get	All Resource ``	None	None
eas:UpdateResourceInstance	UpdateResourceInstance	update	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:ListResourceInstances	ListResourceInstances	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:ReleaseService	ReleaseService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteVirtualResource	DeleteVirtualResource	delete	*VirtualResource `acs:eas:{#regionId}:{#accountId}:virtualresource/{#VirtualResourceId}`	None	None
eas:ListResourceInstanceWorker	ListResourceInstanceWorker	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:DeleteService	DeleteService	delete	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DescribeBenchmarkTask	DescribeBenchmarkTask	get	*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:CreateGateway	CreateGateway	create	Gateway `acs:eas:{#regionId}:{#accountId}:gateway/`	None	None
eas:DeleteResourceInstances	DeleteResourceInstances	delete	*ResourceInstance `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:UpdateResourceInstanceLabel	UpdateResourceInstanceLabel	update	All Resource ``	None	None
eas:ListGatewayDomains	ListGatewayDomains	list	All Resource ``	None	None
eas:MigrateResourceInstance	MigrateResourceInstance	none	All Resource ``	None	None
eas:UpdateServiceCronScaler	UpdateServiceCronScaler	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:UpdateServiceSafetyLock	UpdateServiceSafetyLock	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:UpdateResourceDLink	UpdateResourceDLink	update	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:DeleteResourceLog	DeleteResourceLog	delete	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:UpdateGateway	UpdateGateway	update	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None
eas:DescribeBenchmarkTaskReport	DescribeBenchmarkTaskReport	get	*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:UpdateServiceAutoScaler	UpdateServiceAutoScaler	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CloneService	CloneService	create	All Resource ``	None	None
eas:ListResourceServices	ListResourceServices	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:UpdateBenchmarkTask	UpdateBenchmarkTask		*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:ReinstallTenantAddon	ReinstallTenantAddon	update	All Resource ``	None	None
eas:CreateService	CreateService	create	All Resource ``	None	None
eas:DescribeResourceDLink	DescribeResourceDLink	get	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:ListBenchmarkTask	ListBenchmarkTask	list	BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/`	None	None
eas:DeleteResourceDLink	DeleteResourceDLink	delete	*Resource `acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}`	None	None
eas:UpdateAppService	UpdateAppService	update	All Resource ``	None	None
eas:DeleteServiceCronScaler	DeleteServiceCronScaler	delete	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:UpdateServiceMirror	UpdateServiceMirror	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CommitService	CommitService	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CreateAppService	CreateAppService	create	All Resource ``	None	None
eas:RestartService	RestartService	update	All Resource ``	None	None
eas:DescribeServiceEvent	DescribeServiceEvent	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:UpdateServiceVersion	UpdateServiceVersion	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteBenchmarkTask	DeleteBenchmarkTask		*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:CreateBenchmarkTask	CreateBenchmarkTask		BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/`	None	None
eas:UpdateServiceInstance	UpdateServiceInstance	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:StopBenchmarkTask	StopBenchmarkTask		*BenchmarkTask `acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId}`	None	None
eas:DescribeServiceSignedUrl	DescribeServiceSignedUrl	none	All Resource ``	None	None
eas:ListServiceVersions	ListServiceVersions	list	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:CreateServiceCronScaler	CreateServiceCronScaler	create	All Resource ``	None	None
eas:DescribeServiceCronScaler	DescribeServiceCronScaler	get	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteServiceLabel	DeleteServiceLabel	update	*Service `acs:eas:{#regionId}:{#accountId}:service/{#ServiceName}`	None	None
eas:DeleteAclPolicy	DeleteAclPolicy	delete	*Gateway `acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId}`	None	None

Resource

The following table lists the resources defined by Platform for AI. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
BenchmarkTask	acs:eas:{#regionId}:{#accountId}:benchmarktask/{#BenchmarkTaskId} acs:eas:{#regionId}:{#accountId}:benchmarktask/*
Service	acs:eas:{#regionId}:{#accountId}:service/{#ServiceName} acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId} acs:eas:{#regionId}:{#accountId}:service/* acs:paiplugin:{#regionId}:{#accountId}:service/{#ServiceName}
VirtualResource	acs:eas:{#regionId}:{#accountId}:virtualresource/* acs:eas:{#regionId}:{#accountId}:virtualresource/{#VirtualResourceId}
Resource	acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId} acs:eas:{#regionId}:{#accountId}:resource/*
Gateway	acs:eas:{#regionId}:{#accountId}:gateway/{#GatewayId} acs:eas:{#regionId}:{#accountId}:gateway/*
ResourceInstance	acs:eas:{#regionId}:{#accountId}:resource/{#ResourceId}
Group	acs:eas:{#regionId}:{#accountId}:group/*

Condition

Platform for AI does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: