When you use DSW for the first time, you must grant the DSW service-linked role permissions to access cloud resources. If you use OSS as your storage system, you must also grant the DSW service-linked role permissions to access OSS as needed. This topic describes the authorization operations required to use DSW.
Background information
Before using DSW, you must grant your account the general permissions to use its features. PAI also lets you use workspaces to configure fine-grained permissions for RAM users to perform operations on DSW instances. Additionally, when you use DSW, PAI performs background storage operations on dependent services such as OSS and NAS. Therefore, you must also grant PAI permission to access OSS and NAS. For detailed instructions, see the procedures in this topic.
Describes the services that DSW depends on and the required authorization operations.
Authorize the PAI service account
Grants an Alibaba Cloud account general permissions to operate DSW and access OSS or NAS.
Authorize an account
DSW is a cloud-based IDE for machine learning that provides an interactive programming environment for developers of all skill levels. When you use DSW for interactive modeling, you may need to use the following cloud services, which you must activate and authorize in advance.
PAI sub-product: DSW
Account type | Scenario | Guidance |
Alibaba Cloud account | An Alibaba Cloud account can perform all DSW operations without requiring additional authorization. | Not applicable |
RAM user (Recommended) | PAI provides different member roles. You can add a RAM user as a workspace member and assign a role with the required permissions for the sub-product. For details about the permissions of each role, see Appendix: Roles and permissions list. | |
Common operation permissions
Some DSW operations require specific API-level permissions that are not automatically granted by workspace role assignments. These permissions are bound to individual resource IDs and must be explicitly included in a RAM policy.
Operation | Required permission | Permission scope | Notes |
Delete a pay-as-you-go instance | PaiDSW:DeletePostPaidInstance | Specific instance ID | Not included in the workspace administrator role. |
The PaiDSW:DeletePostPaidInstance permission is bound to the resource ID (ARN) of a specific DSW instance. Workspace-level roles and resource group permissions do not grant this permission. A RAM user with the workspace administrator role cannot delete pay-as-you-go instances without an explicit policy granting PaiDSW:DeletePostPaidInstance.
Dependent cloud services: OSS
DSW depends on OSS for data storage. Therefore, you must activate OSS and grant the required permissions.
Scenario
Description
Guidance
Activate OSS
We recommend using an Alibaba Cloud account to activate OSS, as no additional authorization is required. If you want to use a RAM user to activate OSS, you must grant the RAM user the AliyunOSSFullAccess permission.
Activation: Quick start
Grant permissions to a RAM user: RAM Policy
Common operations: Quick start
Use OSS
When you use OSS:
Authorization: OSS provides detailed RAM control policies. You can grant specific operation permissions to RAM users as needed.
Common operations: You typically need to create a bucket before you can upload files to OSS.
Authorize the PAI service account
Grant DSW permissions to an Alibaba Cloud account
To ensure DSW works correctly, confirm that your Alibaba Cloud account has general DSW permissions. These permissions are typically granted when you activate PAI and create a default workspace. You can follow the instructions in Reference: Check if the AliyunPAIDSWDefaultRole role is attached to your account to verify whether your account has the required permissions. If not, follow the steps in this section to grant them.
Go to the DSW page.
Log on to the PAI console.
On the Overview page, select the target region.
In the left navigation bar, click Workspaces, and on the Workspace List page, click the name of the target workspace to enter it.
In the left-side navigation pane of the workspace, choose to open the DSW page.
Authorize the AliyunPAIDSWDefaultRole role.
Click Create Instance.
In the Grant Permissions dialog box, click Authorize Now.
On the cloud resource access authorization page, click Agree to Authorization.
On the cloud resource access authorization page, the system automatically configures the required service-linked role for DSW. No manual configuration is necessary.
Authorize PAI to access OSS and NAS
PAI provides a one-click authorization method to grant PAI access to related cloud products such as OSS and NAS. Follow these steps:
Log on to the PAI console.
In the left navigation bar, click , and in the DSW section, find OSS and NAS.
In the Actions column, check the authorization status for OSS.
If it is not authorized, click Authorize Now in the Actions column and follow the on-screen instructions.
If it is already authorized, click View Authorization in the Actions column.
If you do not grant the AliyunPAIDLCAccessingOSSRole permission to access OSS, you might encounter the following error when mounting an OSS dataset:
root@dsw-xxx:/mnt/workspace# cd /mnt
root@dsw-xxx:/mnt# ls -ll
total 9
drw-rw-r-- 0 99 99 512 Jan 1 1970 data
drwxr-xr-x 5 root root 4096 Dec 13 02:42 systemDisk
drwxr-xr-x 5 root root 4096 Dec 13 02:42 workspace
root@dsw-xxx:/mnt# cd data
root@dsw-xxx:/mnt/data# ls -ll
ls: reading directory '.': Input/output error
total 0
root@dsw-xxx:/mnt/data#
Grant VPC permissions for DSW internet access
When you enable internet access for a DSW instance, PAI requires permissions to access VPC resources including NAT gateways. The following VPC permission must remain permanently granted — do not revoke it after granting.
Required permission | Purpose |
vpc:ListEnhanhcedNatGatewayAvailableZones | Lists available zones when configuring internet access via NAT gateway |
Do not revoke the vpc:ListEnhanhcedNatGatewayAvailableZones permission after granting it. Revoking this permission causes internet access features to fail.
Granting the permission to a sub-account: If a RAM user (sub-account) receives a "no permission" error when enabling internet access for a DSW instance, the primary Alibaba Cloud account must create a custom permission policy in the RAM console and grant vpc:ListEnhanhcedNatGatewayAvailableZones to the RAM user.
Avoiding availability zone errors: When configuring internet access, confirm the availability zone (AZ) where your DSW resources reside and select that same AZ in the console to prevent availability zone mismatch errors.
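The two permissions discussed above (PaiDSW:DeletePostPaidInstance bound to specific instance IDs, and vpc:ListEnhanhcedNatGatewayAvailableZones) can be combined in one custom RAM policy and checked for scope before it is attached. The following Python sketch is an added example, not code from PAI or from this documentation. The instance ARN layout, the wildcard resource on the VPC action, and the region, account ID and instance IDs are assumptions, and policy Condition blocks are not evaluated.

```python
import fnmatch
import json

# Actions named on this page that workspace roles do not cover.
DELETE_ACTION = "PaiDSW:DeletePostPaidInstance"
NAT_ZONES_ACTION = "vpc:ListEnhanhcedNatGatewayAvailableZones"  # spelled as on the page

def instance_arn(region, account_id, instance_id):
    # ASSUMPTION: ARN layout is not given on the page; confirm it in the RAM console.
    return f"acs:paidsw:{region}:{account_id}:instances/{instance_id}"

def build_policy(region, account_id, instance_ids):
    """Custom policy: delete only the listed instances, plus the VPC zone listing."""
    arns = [instance_arn(region, account_id, i) for i in instance_ids]
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": [DELETE_ACTION], "Resource": arns},
        # ASSUMPTION: the list-type VPC action is granted on all resources.
        {"Effect": "Allow", "Action": [NAT_ZONES_ACTION], "Resource": ["*"]},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def is_allowed(policies, action, resource):
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny.
    Condition blocks are ignored."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def overbroad_delete(policy):
    """Return Allow statements that grant the delete action on a wildcard resource."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(DELETE_ACTION, a) for a in _as_list(s.get("Action", [])))
            and any("*" in r for r in _as_list(s.get("Resource", [])))]

if __name__ == "__main__":
    # Constructed region, account ID and instance ID, for illustration only.
    print(json.dumps(build_policy("cn-hangzhou", "1234567890123456", ["dsw-example-1"]), indent=2))
```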
Reference: Check for the AliyunPAIDSWDefaultRole role
To ensure that DSW can function correctly, you need to confirm that your current Alibaba Cloud account has the AliyunPAIDSWDefaultRole service role. The specific steps are as follows.
Only an Alibaba Cloud account can grant these permissions. A RAM user cannot perform this authorization.
Log on to the RAM console.
In the left-side navigation pane, choose Identity Management > Roles.
On the Roles page, enter AliyunPAIDSWDefaultRole in the search box and press Enter.
If the role is found, the DSW service-linked role is already authorized.
If the role is not found, you must authorize it. For instructions, see Grant general DSW permissions to an Alibaba Cloud account.
FAQ
Q: What should I do if one-click authorization shows that a role does not exist or the authorization is incomplete?
When using the one-click authorization feature in the PAI console, you may see a prompt indicating that a RAM role does not exist or that authorization is incomplete. Use the steps below based on your scenario.
Scenario 1: A specified RAM role (such as AliyunODPSPAIDefaultRole) does not exist or authorization is incomplete
Go to the RAM console.
Delete the specified role (for example, AliyunODPSPAIDefaultRole).
Return to the PAI console and click One-click Authorization again to complete the authorization.
Scenario 2: You are prompted to delete AliyunPAIDSWDefaultRole, but cannot find the role in the RAM console
In the PAI console dialog, confirm the authorization.
Refresh the page.
If the warning persists, perform One-click Authorization again.
Related documentation
After completing the authorization, you can create a DSW instance and use the DSW development environment to develop and train AI models. For instructions, see Create a DSW instance.