To access Elastic Algorithm Service (EAS) of Platform for AI (PAI) as a Resource Access Management (RAM) user, the Alibaba Cloud account owner must grant the RAM user the required permissions. This topic describes how to grant a RAM user permissions to use EAS.
Prerequisites
Before you begin, ensure that you have:
- An Alibaba Cloud account with administrator access
- A RAM user to grant permissions to
Choose a permission method
EAS supports three permission methods. Select the one that matches your access requirements.
| Method | System policy | What the RAM user can do | Includes OSS permissions |
|---|---|---|---|
| Full access | AliyunPAIEASFullAccess | Use all EAS features | No; grant OSS permissions separately |
| Read-only access | AliyunPAIEASReadOnlyAccess | Query and view model services deployed in EAS | No |
| Custom policy | Created by you | Perform specific actions on specific resources (fine-grained control) | As defined in your policy |
Grant full access
1. Log on to the RAM console.
2. Grant the RAM user permissions. For details, see Grant permissions to a RAM user. Set the following parameters:

   | Parameter | Value |
   |---|---|
   | Resource Scope | Account |
   | Policy | Select System Policy AliyunPAIEASFullAccess |
Grant OSS permissions (required for data access)
AliyunPAIEASFullAccess does not include Object Storage Service (OSS) permissions. OSS permissions are managed separately for data security. If your workload requires OSS access, grant OSS permissions independently.
Use the RAM Policy Editor to create and attach an OSS policy to the RAM user.
Grant read-only access
1. Log on to the RAM console.
2. Grant the RAM user permissions. For details, see Grant permissions to a RAM user. Set the following parameters:

   | Parameter | Value |
   |---|---|
   | Resource Scope | Account |
   | Policy | Select System Policy AliyunPAIEASReadOnlyAccess |
Create a custom policy
Use a custom policy to grant fine-grained permissions — for example, allowing a RAM user to query and modify specific model services or dedicated resource groups.
1. Log on to the RAM console.
2. Create a custom policy. For details, see Create a custom policy on the JSON tab. Follow the principle of least privilege when specifying the policy document. The following is a sample policy document:

   ```json
   {
     "Version": "1",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "eas:CreateInstance",
         "Resource": "*"
       },
       {
         "Effect": "Allow",
         "Action": [
           "eas:DescribeService",
           "eas:DeleteService",
           "eas:UpdateService",
           "eas:UpdateServiceVersion"
         ],
         "Resource": [
           "acs:eas:<region>:<uid>:service/eas-m-xxx1",
           "acs:eas:<region>:<uid>:service/eas-m-xxx2"
         ]
       }
     ]
   }
   ```

   For valid Action and Resource values, see Policy reference below.
3. Attach the policy to the RAM user. For details, see Grant permissions to a RAM user. Set the following parameters:

   | Parameter | Value |
   |---|---|
   | Resource Scope | Account |
   | Policy | Select the custom policy created in step 2 |
Policy reference
Each policy contains Action and Resource elements. Action specifies the operation to perform. Resource specifies the resource on which the operation is performed.
Action
Service-related actions
| Action | Description |
|---|---|
| eas:CreateService | Creates model services |
| eas:ListServices | Views model services |
| eas:DescribeService | Views the details of model services |
| eas:DeleteService | Deletes model services |
| eas:DeleteServiceLabel | Deletes tags of model services |
| eas:ListServiceInstances | Views information about EAS instances |
| eas:DeleteServiceInstances | Restarts EAS instances |
| eas:UpdateService | Updates model services or adds versions |
| eas:UpdateServiceVersion | Switches between versions of model services |
| eas:StartService | Starts model services |
| eas:StopService | Stops model services |
| eas:UpdateServiceLabel | Updates tags of model services |
| eas:RestartService | Restarts model services |
| eas:CreateServiceAutoScaler | Enables auto scaling for model services |
| eas:CreateServiceCronScaler | Enables scheduled auto scaling for model services |
| eas:DeleteServiceAutoScaler | Disables auto scaling for model services |
| eas:DeleteServiceCronScaler | Disables scheduled auto scaling for model services |
| eas:DescribeServiceAutoScaler | Views the auto scaling status of model services |
| eas:DescribeServiceCronScaler | Views information about scheduled auto scaling for model services |
| eas:UpdateServiceAutoScaler | Updates auto scaling configurations of model services |
| eas:UpdateServiceCronScaler | Updates scheduled auto scaling configurations of model services |
| eas:CreateAppService | Creates an application service |
| eas:UpdateServiceSafetyLock | Updates the service safety lock |
| eas:UpdateServiceInstance | Updates the attributes of service instances |
| eas:UpdateAppService | Updates an application service |
| eas:DescribeServiceDiagnosis | Views diagnostic details of services |
| eas:DescribeServiceInstanceDiagnosis | Views diagnostic details of service instances |
| eas:DescribeServiceEvent | Views model service deployment events |
| eas:DescribeGroup | Views service group details |
| eas:ListServiceVersions | Views the historical versions of a service |
| eas:ListServiceContainers | Views the container list of a service |
| eas:ListGroups | Views the list of service groups |
| eas:CreateServiceMirror | Creates traffic mirror sessions |
| eas:DescribeServiceMirror | Views the status of traffic mirror sessions |
| eas:UpdateServiceMirror | Updates the configuration of traffic mirror sessions |
| eas:DeleteServiceMirror | Closes traffic mirror sessions |
| eas:ReleaseService | Specifies the traffic ratio for blue-green deployment |
| eas:DescribeServiceLog | Views logs of model services |
Resource group-related actions
| Action | Description |
|---|---|
| eas:CreateResource | Creates dedicated resource groups |
| eas:DescribeResource | Views basic information about dedicated resource groups |
| eas:ListResources | Views dedicated resource groups |
| eas:DeleteResource | Deletes dedicated resource groups |
| eas:UpdateResource | Updates basic information about dedicated resource groups |
| eas:ListResourceInstances | Views instances of dedicated resource groups |
| eas:ListResourceInstanceWorker | Views containers hosted on instances of dedicated resource groups |
| eas:ListResourceServices | Views model services deployed in dedicated resource groups |
| eas:CreateResourceInstances | Adds instances to dedicated resource groups |
| eas:UpdateResourceInstance | Updates instances in a dedicated resource group |
| eas:DeleteResourceInstances | Removes instances from dedicated resource groups |
| eas:UpdateResourceDLink | Updates the Virtual Private Cloud (VPC) direct connection status of dedicated resource groups |
| eas:DescribeResourceDLink | Views the VPC direct connection status of dedicated resource groups |
| eas:DeleteResourceDLink | Deletes VPC direct connection configurations of dedicated resource groups |
| eas:CreateResourceLog | Enables log shipper for dedicated resource groups |
| eas:DescribeResourceLog | Views the log shipper status of dedicated resource groups |
| eas:DeleteResourceLog | Disables log shipper for dedicated resource groups |
Stress testing-related actions
| Action | Description |
|---|---|
| eas:CreateBenchmarkTask | Creates a stress testing task |
| eas:DeleteBenchmarkTask | Deletes a stress testing task |
| eas:DescribeBenchmarkTask | Views the details of a stress testing task |
| eas:DescribeBenchmarkTaskReport | Views the report of a stress testing task |
| eas:ListBenchmarkTask | Views the list of stress testing tasks |
| eas:StartBenchmarkTask | Starts a stress testing task |
| eas:StopBenchmarkTask | Stops a stress testing task |
| eas:UpdateBenchmarkTask | Updates a stress testing task |
Private gateway-related actions
| Action | Description |
|---|---|
| eas:CreateGateway | Creates a private gateway |
| eas:DescribeGateway | Views the details of a private gateway |
| eas:UpdateGateway | Updates a private gateway |
| eas:CreateGatewayIntranetLinkedVpc | Creates an internal endpoint of a private gateway |
| eas:ListGatewayIntranetLinkedVpc | Views internal endpoints of a private gateway |
| eas:DeleteGatewayIntranetLinkedVpc | Deletes an internal endpoint of a private gateway |
| eas:DeleteGateway | Deletes a private gateway |
| eas:ListPrivileges | Views the user's whitelist configuration |
Resource
The Resource element uses the following format:
acs:eas:<region>:<uid>:<resource_type>/<id>
Replace the placeholders with actual values:
| Placeholder | Description |
|---|---|
| <region> | Region where the model service or dedicated resource group is deployed |
| <uid> | UID of the account that owns the resource |
| <resource_type> | service for model services; resource for dedicated resource groups |
| <id> | ID of the model service or dedicated resource group |
Examples
The following examples show Resource values for common scenarios.
Model service in a public resource group:
acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****
acs:eas:cn-hangzhou:123456789012****:service/your_service_name
Model service in a dedicated resource group:
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai81****/service/eas-m-iaskn1skn1us****
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service
Dedicated resource group:
acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****
Wildcard characters
Use the asterisk (*) wildcard to match multiple resources:
| Resource value | Matches |
|---|---|
| acs:eas:*:123456789012****:service/* | All model services in public resource groups across all regions |
| acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/* | All model services in the dedicated resource group eas-r-jksauxqjsai8**** in China (Hangzhou) |
| acs:eas:*:123456789012****:* | All resource groups and model services in all regions |
| acs:eas:*:123456789012****:service/prefix* | All model services whose names start with prefix |
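
The following is an added example, not code from this page or from Alibaba Cloud. It models the wildcard rules above so you can review a custom policy before attaching it: which requests it reaches, and which Resource values are wider than a single ID. It assumes `*` matches any run of characters, ignores Condition elements, and uses a constructed UID and constructed service IDs.

```python
import re

def _glob(pattern):
    # Assumption: "*" matches any run of characters, "/" and ":" included,
    # which is what the wildcard table on this page implies.
    return re.compile(".*".join(map(re.escape, pattern.split("*"))))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _hits(stmt, action, resource):
    return (any(_glob(a).fullmatch(action) for a in _as_list(stmt["Action"])) and
            any(_glob(r).fullmatch(resource) for r in _as_list(stmt["Resource"])))

def allows(policy, action, resource):
    """Simplified model: an explicit Deny wins, otherwise any Allow grants."""
    effects = [s["Effect"] for s in policy["Statement"] if _hits(s, action, resource)]
    return "Deny" not in effects and "Allow" in effects

def broad_resources(policy):
    """List (statement index, Resource) for Allow entries that use a wildcard
    or are not in the acs:eas:<region>:<uid>:<resource_type>/<id> form."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for res in _as_list(stmt["Resource"]):
            parts = res.split(":", 4)
            if len(parts) != 5 or any("*" in p for p in parts[2:]):
                findings.append((i, res))
    return findings

UID = "1234567890120000"  # constructed placeholder UID
POLICY = {  # constructed policy in the page's document format
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["eas:DescribeService", "eas:UpdateService"],
         "Resource": f"acs:eas:cn-hangzhou:{UID}:service/eas-m-example1"},
        {"Effect": "Allow", "Action": "eas:DeleteService",
         "Resource": f"acs:eas:*:{UID}:service/*"},
    ],
}
PUBLIC = f"acs:eas:cn-beijing:{UID}:service/eas-m-example2"
DEDICATED = f"acs:eas:cn-beijing:{UID}:resource/eas-r-example/service/eas-m-example3"

if __name__ == "__main__":
    print(allows(POLICY, "eas:DeleteService", PUBLIC))     # public-group service
    print(allows(POLICY, "eas:DeleteService", DEDICATED))  # dedicated-group service
    print(broad_resources(POLICY))
```

In this model the second statement lets the user delete every model service in a public resource group in any region, while services in dedicated resource groups stay out of reach because their Resource value starts with `resource/`, not `service/`.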