When accessing other cloud resources from an EAS service, you need to configure access keys for authentication. By associating a RAM role, you can access other cloud resources from within the EAS service instance based on STS temporary credentials instead of configuring long-term AccessKeys, which reduces the risk of key leakage. This topic describes how to create a RAM role, grant it to an EAS service, and obtain STS temporary access credentials based on the role.
Benefits
A RAM role is a trusted entity role that cloud services can assume, used to solve "cross-service access" issues. Obtaining temporary access credentials based on RAM roles for identity verification and access control has the following benefits:
Security and confidentiality: No need to manage credentials within the service. STS temporary access credentials replace long-term AccessKeys, reducing the risk of key leakage.
Convenient and controllable: By modifying RAM role permission policies, you can more conveniently and precisely control the permissions for developers to access cloud resources within the service.
Limits
Currently, an EAS service can only be associated with one RAM role.
Configuration methods
Configure a RAM role for the EAS service when creating it, and obtain STS temporary access credentials.
Configure a RAM role for EAS
The following configuration methods are supported:
Configuration method | Scenarios
Method 1: Authorize the PAI default role for the EAS service. Note: The PAI default role operates based on the service role AliyunServiceRoleForPaiEas and only has permissions to access MaxCompute and OSS. | No need to create additional RAM roles; suitable for accessing basic development resources in MaxCompute and OSS. After authorizing the PAI default role for the EAS service, you do not need to configure AccessKeys in the following scenarios:
Method 2: Authorize a custom role for the EAS service | When the PAI default role permissions are insufficient, you can create a RAM role and customize its permission policy to control the range of cloud resources that developers can access within the EAS service. After authorizing a custom role for the EAS service, access to cloud products through STS temporary credentials carries exactly the permissions of the custom role. During service deployment, the system accesses mounted data sources and pulls custom images based on the custom role's permissions.
The specific configuration methods are as follows:
Method 1: Authorize the PAI default role for the EAS service
When deploying an EAS service, add the following configuration to the JSON in the Service Configuration section:
"options": {
    "enable_ram_role": true
}
If you use JSON for direct deployment and want to call the OSS SDK through the PAI default role, you need to ensure that the service configuration includes the metadata.workspace_id field.
Method 2: Authorize a custom role for the EAS service
Log on to the RAM console and create a RAM role.
Take note of the following key parameters:
Principal Type: Select Cloud Service.
Principal Name: Select Platform for AI/PAI (eas.pai.aliyuncs.com).

Grant permissions to the RAM role.
Grant system policies or custom policies to the RAM role to give it relevant resource access or operation permissions. For example, grant the AliyunOSSReadOnlyAccess permission to the RAM role for accessing OSS.
Important: If you mount data sources or use custom images when deploying services, the system accesses the data sources and pulls images based on the RAM role's permissions. Therefore, you need to grant the RAM role permissions to access the data sources (NAS or OSS) and Container Registry.
Associate the RAM role when deploying the EAS service.
Configure the following content in the JSON of the service configuration section, where role_arn needs to be replaced with the ARN of the RAM role created in the previous steps. For information about how to obtain the ARN, see View the RAM role.
"options": {
    "enable_ram_role": true
},
"role_arn": "acs:ram::111*************:role/${RoleName}"
(Optional) If you use a Resource Access Management (RAM) user (Alibaba Cloud sub-account) to deploy EAS services, contact the Alibaba Cloud account (primary account) to grant you the following policy, which gives you permission to pass the RAM role to the EAS instance. For more information, see Create a custom permission policy and Grant permissions to a RAM user.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram::*:role/${RoleName}"
        }
    ]
}
Replace ${RoleName} with the name of the RAM role associated with the EAS service.
Obtain temporary access credentials based on the RAM role associated with the EAS service
After assigning the PAI default role or a custom role to the EAS service, you can obtain temporary access credentials through the following methods:
Method 1: Obtain through the Credentials tool
The Credentials tool calls the local service within the EAS service instance (automatically injected when the EAS service is created) to obtain STS temporary access credentials, which are periodically updated.
When deploying the EAS service, complete the following key configurations:
Install the Alibaba Cloud Credentials tool.
In the Third-party Library Configuration parameter, select Third-party Library List, and configure alibabacloud_credentials in the edit box to install the Alibaba Cloud Credentials tool.
Note: If the third-party library is pre-installed in the image, you can skip this configuration.
Configure a script file.
For Python, the script content example is as follows. For more language SDK examples, see Best practices for accessing Alibaba Cloud OpenAPI using access credentials.
from alibabacloud_credentials.client import Client as CredClient
from alibabacloud_credentials.models import Config as CredConfig

# The 'credentials_uri' type makes the client fetch STS credentials from the
# local credential service that EAS injects into the instance, and refresh
# them periodically, so no AccessKey is written into the code or image.
credentialsConfig = CredConfig(
    type='credentials_uri'
)
credentialsClient = CredClient(credentialsConfig)
Method 2: Directly access the local service within the EAS service instance
Within the EAS service instance, execute the following command to access the automatically injected local server to obtain temporary access credentials.
# Obtain temporary authorization access credentials for the instance RAM role
curl $ALIBABA_CLOUD_CREDENTIALS_URI
Sample response:
{
"Code": "Success",
"AccessKeyId": "STS.N*********7",
"AccessKeySecret": "3***************d",
"SecurityToken": "DFE32G*******",
"Expiration": "2024-05-21T10:39:29Z"
}
Where:
SecurityToken: Indicates the temporary token of the RAM role.
Expiration: Indicates the validity period of the temporary authorization access credentials of the RAM role.
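As an added example that is not part of the original topic, the following Python consumes the credential document in the format shown above, whether it was fetched from $ALIBABA_CLOUD_CREDENTIALS_URI (Method 2) or read from the /etc/ram/credentials file described in Method 3 below: it rejects anything but Code "Success", decides when to re-read the document before Expiration, and masks the secret fields before logging. The sample JSON and all function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the document returned by the credentials URI and
# stored in /etc/ram/credentials; all values are placeholders, not real keys.
SAMPLE_CREDENTIALS = (
    '{"Code": "Success", "AccessKeyId": "STS.EXAMPLEKEYID", '
    '"AccessKeySecret": "EXAMPLESECRET", "SecurityToken": "EXAMPLETOKEN", '
    '"Expiration": "2024-05-21T10:39:29Z"}'
)
REQUIRED_FIELDS = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def parse_sts_credentials(raw):
    """Validate a credential document; raise ValueError rather than return a half-populated set."""
    doc = json.loads(raw)
    if doc.get("Code") != "Success":
        raise ValueError("credential Code is %r, expected Success" % doc.get("Code"))
    missing = [f for f in REQUIRED_FIELDS if not doc.get(f)]
    if missing:
        raise ValueError("credential document lacks: " + ", ".join(missing))
    return doc


def load_credentials_file(path="/etc/ram/credentials"):
    """Read and validate the credential file that PAI-EAS injects and refreshes."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_sts_credentials(fh.read())


def expiration_of(doc):
    """Parse the UTC 'Expiration' timestamp into an aware datetime."""
    return datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(doc, now, margin=timedelta(minutes=5)):
    """True when the credentials expire within `margin` of `now`; re-read the
    URI or file then, before the old token lapses and requests start failing."""
    return expiration_of(doc) - now <= margin


def redact(doc):
    """Copy of the document that is safe to log: key id truncated, secret and token masked."""
    safe = dict(doc)
    safe["AccessKeyId"] = doc["AccessKeyId"][:5] + "..."
    for key in ("AccessKeySecret", "SecurityToken"):
        safe[key] = "***"
    return safe
```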
Method 3: Directly access the local file in the EAS service instance
Access the file at the specified path in the EAS service instance (automatically injected and periodically refreshed by PAI-EAS) to obtain temporary access credentials for the RAM role. The path to this file is /etc/ram/credentials, and the file content example is as follows:
{
"Code": "Success",
"AccessKeyId": "STS.N*********7",
"AccessKeySecret": "3***************d",
"SecurityToken": "DFE32G*******",
"Expiration": "2024-05-21T10:39:29Z"
}
Examples
This section describes how to access PyODPS or OSS based on the EAS RAM role. You can integrate the code into the service image or mount it to the service instance through model configuration. This example demonstrates the mounting method. The procedure is as follows:
Go to the Custom Deployment page. For more information, see Service deployment.
On the Custom Deployment page, configure the following key parameters. For more parameter configuration information, see Console custom deployment parameter description.
Environment Information
Run Command
Add a command to execute the code, such as python /mnt/data/xx.py.
Model Configuration
Mount the code file xx.py to the EAS service instance through Model Configuration. Select the directory where the code file is located and configure the mount path /mnt/data/. The code file content example is as follows:
Example 1: Access OSS data based on the RAM role
import oss2
from alibabacloud_credentials import providers
from itertools import islice

if __name__ == '__main__':
    # Sign OSS requests with the STS credentials of the RAM role associated
    # with the EAS service; no AccessKey is placed in the code.
    auth = oss2.ProviderAuth(providers.DefaultCredentialsProvider())
    # <oss_endpoint>: Endpoint of the region where your OSS Bucket is located.
    # <oss_bucket>: the name of your OSS Bucket.
    bucket = oss2.Bucket(auth, '<oss_endpoint>', '<oss_bucket>')
    # List the first 10 objects in the bucket.
    for b in islice(oss2.ObjectIterator(bucket), 10):
        print(b.key)
Where:
<oss_bucket> needs to be replaced with your OSS Bucket name, and ensure it is the default OSS bucket preset in the current workspace.
<oss_endpoint> needs to be replaced with the Endpoint of the region where your OSS Bucket is located. Because EAS does not connect to the public network by default, you should configure the internal network Endpoint address (such as oss-cn-hangzhou-internal.aliyuncs.com). If you need to use a public network Endpoint (such as oss-cn-hangzhou.aliyuncs.com), you need to configure a virtual private cloud (VPC) with public network access capability for EAS. For more information, see Network configuration.
Example 2: Access PyODPS data based on the RAM role
from alibabacloud_credentials import providers
from odps.accounts import CredentialProviderAccount
from odps import ODPS

if __name__ == '__main__':
    # Authenticate to MaxCompute with the STS credentials of the RAM role
    # associated with the EAS service.
    account = CredentialProviderAccount(providers.DefaultCredentialsProvider())
    # <odps_project>: the name of your Project.
    # <odps_endpoint>: Endpoint of the region where your Project is located.
    o = ODPS(
        account=account,
        project="<odps_project>",
        endpoint="<odps_endpoint>"
    )
    for t in o.list_tables():
        print(t)
Where:
<odps_project> needs to be replaced with your Project name. You can log on to the MaxCompute console and view the specific Project name in the specified region.
Note: If you use a RAM user, ensure that the user has operation permissions for the project. For more information, see Authorize other users.
<odps_endpoint> needs to be replaced with the Endpoint of the region where your Project is located. Because EAS does not connect to the public network by default, you should configure the internal network Endpoint address (such as https://service.cn-hangzhou-vpc.maxcompute.aliyun-inc.com/api). If you need to use a public network Endpoint (such as https://service.cn-hangzhou.maxcompute.aliyun.com/api), you need to configure a virtual private cloud (VPC) with public network access capability for EAS. For more information, see Network configuration.
Third-party Library Configuration
Configure the following Third-party Library List to install the Alibaba Cloud Credentials tool, PyODPS SDK, and OSS SDK.
alibabacloud_credentials
pyodps
oss2
Note: If the third-party libraries are pre-installed in the image, you can skip this configuration.
Service Configuration
Taking the PAI default role as an example, add the following configuration to the JSON in the Service Configuration section:
"options": {
    "enable_ram_role": true
}
Note: If you use JSON for direct deployment and want to call the OSS SDK through the PAI default role, you need to ensure that the service configuration includes the metadata.workspace_id field.
After the parameter configuration is complete, click Deploy.
After the service is successfully deployed, you can view the running results in the service logs.
FAQ
How do I resolve errors when configuring a custom RAM role when deploying an EAS service?
Error message:

Log on to the RAM console and check if the role exists.
If the role does not exist, modify the instance custom RAM role to an existing role.
If the role exists, contact the primary account to grant the sub-account the following custom permission policy (replace ${RoleName} with the RAM role name) to obtain the permission to pass the RAM role to the EAS instance. For more information, see Grant permissions to a RAM user.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram::*:role/${RoleName}"
        }
    ]
}
The Deployment Event error message is: unable to render, error: failed to assume role for user, reason: You are not authorized to do this action. You should be authorized by RAM. You can view this on the Elastic Algorithm Service page by clicking the service name and then switching to the Deployment Events tab, as shown in the following figure:

In most cases, this error occurs because no trust policy is configured for the RAM role. To configure a trust policy for the RAM role, perform the following steps:
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Roles page, click the name of the target RAM role.
On the Trust Policy tab, click Edit Trust Policy to add trust for "eas.pai.aliyuncs.com".
In the code editor, modify the content of the trust policy and click OK.
The following sample code shows the original policy document of the RAM role:
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [
                    "acs:ram::aaa:root"
                ],
                "Service": [
                    "xxx.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
The new policy content is as follows:
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [
                    "acs:ram::aaa:root"
                ],
                "Service": [
                    "xxx.aliyuncs.com",
                    "eas.pai.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
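As an added example that is not part of the original topic, the following Python checks whether a RAM role's trust policy document already lets eas.pai.aliyuncs.com assume the role and, if not, appends that service principal to the existing sts:AssumeRole statement instead of overwriting the principals that are already trusted, which is the mistake that the manual edit above makes easy. The sample policy and the function names are constructed for illustration; the policy shape follows the documents shown above.

```python
from copy import deepcopy

EAS_SERVICE_PRINCIPAL = "eas.pai.aliyuncs.com"

# Constructed sample with the same shape as the "original policy document"
# above: the role trusts a RAM account and one service, but not EAS yet.
ORIGINAL_TRUST_POLICY = {
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": ["acs:ram::aaa:root"], "Service": ["xxx.aliyuncs.com"]},
    }],
    "Version": "1",
}

def _as_list(value):
    """RAM accepts a principal or action as a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _assume_role_statements(policy):
    """Yield the Allow statements that grant sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            yield stmt

def trusts_eas(policy):
    """True if the role can be assumed by the EAS service principal."""
    return any(EAS_SERVICE_PRINCIPAL in _as_list(stmt.get("Principal", {}).get("Service"))
               for stmt in _assume_role_statements(policy))

def add_eas_trust(policy):
    """Return a copy of `policy` that also trusts EAS, keeping existing principals.

    The principal is appended to the first matching statement, or a new statement
    is added when there is none; a policy that already trusts EAS is returned as-is.
    """
    patched = deepcopy(policy)
    if trusts_eas(patched):
        return patched
    for stmt in _assume_role_statements(patched):
        principal = stmt.setdefault("Principal", {})
        principal["Service"] = _as_list(principal.get("Service")) + [EAS_SERVICE_PRINCIPAL]
        return patched
    patched.setdefault("Statement", []).append({"Action": "sts:AssumeRole", "Effect": "Allow",
                                                "Principal": {"Service": [EAS_SERVICE_PRINCIPAL]}})
    return patched
```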