The first time you use DLC, you must authorize the DLC service-linked role to access cloud resources. In addition, if you use OSS as a storage system, you must also grant the DLC service-linked role permissions to access OSS based on your business needs. This topic describes the authorization operations required to use DLC.
Background information
Before using DLC, you must grant the necessary permissions to use DLC features and perform operations on OSS. PAI workspaces allow you to apply fine-grained permission control to model training tasks for RAM users. Because DLC accesses dependent cloud products like OSS and NAS, you must also authorize PAI to access them. See the following sections for detailed instructions.
- Operating account authorization
  Describes DLC's product dependencies and the required authorizations.
- PAI service account authorization
  Grants an Alibaba Cloud account general permissions to use DLC and access OSS or NAS.
Operating account authorization
DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.
PAI module: DLC
Operation account
Service
Reference
Alibaba Cloud account
You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required.
N/A
RAM user (Recommended)
PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, see Roles and permissions.
Dependent cloud product: NAS
DLC uses NAS for data storage, so you need to activate NAS and grant the appropriate permissions.
Scenario
Description
Reference
Activate NAS
We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.
Authorization: Control NAS access with RAM policies
Common operations: Create a file system
Use NAS
Use NAS after activation:
Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.
Common operations: You need to create a NAS file system and mount it to an instance of PAI.
Dependent cloud service: OSS
You need to activate and authorize OSS for data storage.
Scenario
Description
Reference
Activate OSS
We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.
Activation: Activate OSS
Authorization: Overview of RAM policy
Common operations: Create buckets
Use OSS
Use OSS after activation:
Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.
Common operations: You need to create a bucket to upload objects to OSS.
PAI service account authorization
Grant general DLC permissions
To ensure DLC functions properly, confirm that your Alibaba Cloud account has the required DLC permissions. Typically, these permissions are granted when you activate PAI and create a default workspace. You can verify that your account has these permissions by following the instructions in Reference: Verify the AliyunPAIDLCDefaultRole association.
- Log on to the PAI console. At the top of the page, select the target region. On the right side of the page, select the target workspace, and then click Go to DLC.
- Authorize the AliyunPAIDLCDefaultRole.
  - Click Authorize. On the next page, which states You are not authorized to access the DLC console, click Go to Authorize.
  - On the Cloud Resource Access Authorization page, click Agree to Authorization. A success message appears.
- Add the AliyunOSSFullAccess policy to the AliyunPAIDLCDefaultRole.
  After completing the authorization above, your account has the default role permissions for DLC. You also need to add OSS operational permissions to ensure DLC functions correctly. The following steps describe how to do this.
  - In the RAM console, navigate to the page and find AliyunPAIDLCDefaultRole.
  - In the row for AliyunPAIDLCDefaultRole, click Grant Permission in the Actions column.
  - In the Grant Permission panel, configure the parameters.
    Authorization Scope: Select Alibaba Cloud Account. The differences between the two supported scopes are as follows:
      - Alibaba Cloud Account: The permissions take effect within the current Alibaba Cloud account.
      - Specific Resource Group: The permissions take effect within the specified resource group.
    Principal: This is the RAM role to be authorized. The system automatically populates this with the current RAM role. You do not need to change it.
    Permission Policy: In the search box, enter OSS. From the search results, select the appropriate policy to grant. The selected policy appears in the Selected list on the right.
      Note: Although AliyunOSSFullAccess is used in this example, you should always follow the principle of least privilege when selecting a policy.
  - Click OK.
- To ensure DLC functions correctly, add the PaiDlcOAuthPolicy policy to the AliyunPAIDLCDefaultRole. Follow these steps:
  - In the RAM console, go to the page and click Create Policy to create a custom policy named PaiDlcOAuthPolicy. Configure the key parameters as follows. For detailed steps, see Create a custom policy by using the script editor.
    Policy Document: On the JSON tab, enter the following policy content.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ram:GetDefaultDomain",
            "ram:ListApplications",
            "ram:CreateApplication",
            "ram:ListAppSecretIds",
            "ram:GetAppSecret",
            "ram:CreateAppSecret",
            "ram:DeleteApplication",
            "ram:DeleteAppSecret"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        }
      ]
    }
    Name: Set the name to PaiDlcOAuthPolicy.
  - On the page, in the row for the AliyunPAIDLCDefaultRole, click Grant Permission in the Actions column.
  - In the Grant Permission panel, add the PaiDlcOAuthPolicy policy as follows:
    Set Authorization Scope to Alibaba Cloud Account. In the policy search box, enter DlcO, select the PaiDlcOAuthPolicy custom policy from the search results, and then click OK.
- Verify the authorization.
  After completing these steps, click AliyunPAIDLCDefaultRole to view its attached policies. After a successful authorization, the Permissions tab for the role must contain the following three policies: AliyunPAIDLCDefaultRolePolicy (a system policy for the PAI DLC service role), PaiDlcOAuthPolicy (a custom policy that allows PAI DLC to access application and domain resources in the RAM console), and AliyunOSSFullAccess (a system policy for managing OSS permissions).
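The least-privilege note above can be checked mechanically when reviewing what is attached to AliyunPAIDLCDefaultRole. The following is an added example, not part of the original documentation or any Alibaba Cloud tooling: it audits RAM policy documents for wildcard actions and all-resources grants. The PaiDlcOAuthPolicy text is taken from this page; the full-access stand-in, the scoped OSS policy, and the bucket name example-dlc-bucket are constructed assumptions.

```python
import json

def _as_list(value):
    # RAM policy fields may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(name, document):
    """Flag Allow statements with wildcard actions or an all-resources grant."""
    findings = []
    for idx, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((name, idx, "wildcard-action", wild))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((name, idx, "all-resources", actions))
    return findings

# PaiDlcOAuthPolicy, copied from the policy document on this page.
PAI_DLC_OAUTH = """{"Version": "1", "Statement": [{"Action": [
  "ram:GetDefaultDomain", "ram:ListApplications", "ram:CreateApplication",
  "ram:ListAppSecretIds", "ram:GetAppSecret", "ram:CreateAppSecret",
  "ram:DeleteApplication", "ram:DeleteAppSecret"],
  "Resource": ["*"], "Effect": "Allow"}]}"""

# Constructed stand-in for a full-access OSS grant (assumed shape).
OSS_FULL = """{"Version": "1", "Statement": [
  {"Action": "oss:*", "Resource": "*", "Effect": "Allow"}]}"""

# Constructed scoped alternative; example-dlc-bucket is a placeholder name.
OSS_SCOPED = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
  "Resource": ["acs:oss:*:*:example-dlc-bucket",
               "acs:oss:*:*:example-dlc-bucket/*"]}]}"""

POLICIES = {"PaiDlcOAuthPolicy": PAI_DLC_OAUTH,
            "oss-full-access (constructed)": OSS_FULL,
            "oss-scoped (constructed)": OSS_SCOPED}

def audit_all(policies=POLICIES):
    return [f for n, d in policies.items() for f in audit_policy(n, d)]

if __name__ == "__main__":
    for name, idx, kind, detail in audit_all():
        print(f"{name} statement[{idx}]: {kind}: {', '.join(detail)}")
```

The scoped policy produces no findings, while the full-access stand-in is flagged twice and PaiDlcOAuthPolicy once for its "*" resource.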
Authorize PAI to access OSS and NAS
PAI provides a one-click authorization method to grant PAI access to related cloud products such as OSS and NAS. Follow these steps:
- Log on to the PAI console.
- In the left-side navigation pane, click . Under the DLC section, find OSS and NAS.
- In the Actions column, check the authorization status for OSS.
  - If it is not authorized, click Authorize Now in the Actions column and follow the on-screen instructions.
  - If it is already authorized, click View Authorization in the Actions column.
Verify the AliyunPAIDLCDefaultRole association
To ensure that DLC can function properly, you need to confirm that your Alibaba Cloud account has the AliyunPAIDLCDefaultRole service-linked role. The procedure is as follows.
Only a primary account can grant permissions; RAM users cannot.
- Log on to the RAM console.
- In the left-side navigation pane, choose Identity Management > Roles.
- On the Role page, enter AliyunPAIDLCDefaultRole in the search box.
  - If this role is found, it means the DLC service-linked role has already been granted.
  - If this role is not found, you must grant the required permissions. For instructions, see Grant general DLC permissions.
Related documents
After completing the authorization, you can create a DLC model training job. For instructions, see Create a training job.