Platform For AI: Grant permissions for DLC

Last Updated: Apr 01, 2026

Before you use Deep Learning Containers (DLC) for the first time, grant the DLC service-linked role access to your cloud resources. If you use Object Storage Service (OSS) as a storage backend, also grant the service-linked role access to OSS.

Who needs to read this

This topic covers two types of authorization. Read the section that applies to you:

| Your role | What to do |
| --- | --- |
| Alibaba Cloud account (root account) — first-time DLC setup | Complete both Operating account authorization and PAI service account authorization |
| RAM user — first-time DLC setup | Ask your account administrator to complete PAI service account authorization, then ask to be added as a workspace member with the appropriate role |
| Account administrator — verifying existing permissions | Go directly to Check whether AliyunPAIDLCDefaultRole is attached |

Operating account authorization

DLC depends on the following cloud services. Activate and authorize them before creating training jobs.

PAI workspace member roles

| Account type | What's required |
| --- | --- |
| Alibaba Cloud account | No additional authorization required |
| RAM user (recommended for teams) | Assign a PAI workspace member role to the RAM user. For the permissions each role grants, see Roles and permissions. For setup steps, see Manage members of a workspace. |

Missing workspace roles may prevent certain DLC features from appearing in the console or cause access denied errors when creating training jobs.

NAS (Network Attached Storage)

NAS is used for data storage in DLC training environments.

| Scenario | What's required |
| --- | --- |
| Activate NAS with an Alibaba Cloud account | No additional authorization required |
| Activate NAS with a RAM user | Grant the AliyunNASFullAccess policy to the RAM user. See Perform access control based on RAM policies. |
| Use NAS after activation | Create a NAS file system and mount it to a PAI instance. NAS provides fine-grained RAM control policies — grant only the permissions your RAM users need. See Create a file system. |

OSS

OSS is used for storing training data and model outputs.

| Scenario | What's required |
| --- | --- |
| Activate OSS with an Alibaba Cloud account | No additional authorization required |
| Activate OSS with a RAM user | Grant the AliyunOSSFullAccess policy to the RAM user. See Activate OSS and Overview of RAM policy. |
| Use OSS after activation | Create a bucket to store training data and model outputs. OSS provides fine-grained RAM control policies — grant only the permissions your RAM users need. See Create buckets. |

PAI service account authorization

PAI uses the AliyunPAIDLCDefaultRole service-linked role to access cloud resources such as OSS and NAS on your behalf. Complete the following steps to attach this role and add the required policies.

Only a root account can complete service account authorization. RAM users cannot grant these permissions.

These permissions are typically granted automatically when you activate PAI and create a default workspace. Before following the steps below, verify whether the role already exists — see Check whether AliyunPAIDLCDefaultRole is attached.

Grant general DLC permissions to an Alibaba Cloud account

  1. Log on to the PAI console. In the top navigation bar, select the target region. On the right side of the page, select the target workspace and click Enter DLC.

  2. Grant the AliyunPAIDLCDefaultRole role.

    1. Click Go to Authorization.

    2. On the Cloud Resource Access Authorization page, click Agree to Authorization and wait for the success message.

  3. Add the AliyunOSSFullAccess permission to the AliyunPAIDLCDefaultRole role.

    1. In the RAM console, go to Identity Management > Roles and find the AliyunPAIDLCDefaultRole role.

    2. In the Actions column, click Add Permissions.

    3. In the Add Permissions panel, configure the following parameters:

      | Parameter | Description |
      | --- | --- |
      | Resource Scope | Select Account Level. Permissions take effect across all resources in the current Alibaba Cloud account. To restrict permissions to a specific resource group, select Resource Group Level. |
      | Principal | The system pre-fills the current RAM role. No changes needed. |
      | Access Policy | In the search box, enter OSS and select the required policy from the results. The selected policy appears in the Selected list on the right. |

      Important

      AliyunOSSFullAccess grants access to all OSS buckets in the account. If DLC only needs access to specific buckets, create a custom policy that restricts access to those buckets only, following the principle of least privilege.

    4. Click Confirm new authorization.

  4. Add the PaiDlcOAuthPolicy permission to the AliyunPAIDLCDefaultRole role.

    1. In the RAM console, go to Permission Management > Policies and click Create Policy.

    2. On the Script Editor tab, paste the following policy document. For details on creating custom policies, see Create a custom policy on the Script tab.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ram:GetDefaultDomain",
              "ram:ListApplications",
              "ram:CreateApplication",
              "ram:ListAppSecretIds",
              "ram:GetAppSecret",
              "ram:CreateAppSecret",
              "ram:DeleteApplication",
              "ram:DeleteAppSecret"
            ],
            "Resource": [
              "*"
            ],
            "Effect": "Allow"
          }
        ]
      }
    3. Set Name to PaiDlcOAuthPolicy and complete the policy creation.

    4. Go to Identity Management > Roles, find AliyunPAIDLCDefaultRole, and click Add Permissions in the Actions column.

    5. In the Add Permissions panel, search for and select the PaiDlcOAuthPolicy policy.

  5. Verify the authorization result. Click AliyunPAIDLCDefaultRole and confirm that all three policies are correctly attached to the role.
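
Added example, not part of the original documentation or Alibaba Cloud's own code: a Python sketch of the bucket-scoped custom policy that the Important note in step 3 recommends in place of AliyunOSSFullAccess, with a small check that reports account-wide grants in any policy document, including the PaiDlcOAuthPolicy from step 4. The bucket names are constructed placeholders, the function names are hypothetical, and the OSS action list is an assumption, since this page does not state which OSS actions DLC jobs require.

```python
import json

# Policy document from step 4 on this page (PaiDlcOAuthPolicy).
PAI_DLC_OAUTH_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:GetDefaultDomain", "ram:ListApplications",
                   "ram:CreateApplication", "ram:ListAppSecretIds",
                   "ram:GetAppSecret", "ram:CreateAppSecret",
                   "ram:DeleteApplication", "ram:DeleteAppSecret"],
        "Resource": ["*"], "Effect": "Allow",
    }],
}
# Assumption: jobs only list and read inputs and write outputs; adjust as needed.
ASSUMED_OSS_ACTIONS = ("oss:ListObjects", "oss:GetObject", "oss:PutObject")

def as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def scoped_oss_policy(buckets, actions=ASSUMED_OSS_ACTIONS):
    """Build a custom policy limited to the named buckets and their objects."""
    if not buckets or any("*" in b for b in buckets):
        raise ValueError("name each bucket explicitly; wildcards undo the scoping")
    resources = [arn for b in buckets
                 for arn in (f"acs:oss:*:*:{b}", f"acs:oss:*:*:{b}/*")]
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": resources}]}

def audit(policy):
    """List Allow statements with wildcard actions or account-wide resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        broad = [r for r in as_list(stmt.get("Resource", []))
                 if r == "*" or r.endswith(":*")]
        if broad:
            findings.append(f"statement {i}: all resources in scope {broad}")
    return findings

if __name__ == "__main__":
    # Bucket names are constructed placeholders.
    policy = scoped_oss_policy(["example-training-data", "example-model-output"])
    print(json.dumps(policy, indent=2))  # paste into the RAM Script Editor
    print(audit(policy), audit(PAI_DLC_OAUTH_POLICY))
```

The generated document can be pasted into the Script Editor tab in the same way as the policy in step 4, then attached to AliyunPAIDLCDefaultRole instead of AliyunOSSFullAccess.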

Grant PAI access to OSS and NAS using one-click authorization

PAI provides a one-click authorization method as an alternative to the manual steps above.

  1. Log on to the PAI console.

  2. In the left navigation pane, go to Activation and Authorization > All Cloud Product Dependencies. Locate the DLC section and find OSS and NAS.

  3. In the Actions column, check the authorization status:

    • If not authorized: click One-click Authorization and follow the on-screen instructions.

    • If already authorized: click View Authorization Information to review the details.

Check whether AliyunPAIDLCDefaultRole is attached to the account

Only a root account can perform this check and grant permissions. RAM users cannot complete this step.
  1. Log on to the RAM console.

  2. In the left navigation pane, go to Identity Management > Role.

  3. On the Roles page, search for AliyunPAIDLCDefaultRole.

Tip: If DLC features are unavailable or you see access denied errors after completing authorization, verify that all three policies (AliyunOSSFullAccess, PaiDlcOAuthPolicy, and the default DLC role policy) are attached to the AliyunPAIDLCDefaultRole role.

What's next

After granting the required permissions, create your first DLC training job. See Create a training task.