Before you can access Elastic Algorithm Service (EAS) of Machine Learning Platform for AI (PAI) as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user with your Alibaba Cloud account. This topic describes how to authorize a RAM user to access EAS.

Background information

You can authorize a RAM user to access EAS by using one of the following methods:
  • Grant a RAM user full permissions on EAS

    Use the system policy AliyunPAIEASFullAccess. The policy provides full permissions on EAS. After you attach the policy to the RAM user, the RAM user can use all features of EAS.

  • Grant a RAM user read-only permissions on EAS

    Use the system policy AliyunPAIEASReadOnlyAccess. This policy provides read-only permissions on EAS. After you attach the policy to the RAM user, the RAM user can query and view model services that are deployed in EAS.

  • Create a custom policy

    If the preceding methods do not meet your requirements, you can create a custom policy. For example, you can create a custom policy to authorize the RAM user to query and modify model services or dedicated resource groups in EAS.

Grant a RAM user full permissions on EAS

This section describes how to authorize a RAM user to use all features of EAS.

  1. Log on to the RAM console.
  2. Grant a RAM user full permissions on EAS. For more information, see Grant permissions to a RAM user.
    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
    • In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASFullAccess policy.
      Note: Object Storage Service (OSS) permissions are related to data security. Therefore, the AliyunPAIEASFullAccess policy does not provide OSS permissions. You must grant the RAM user OSS permissions separately. For more information, see RAM Policy Editor.

Grant a RAM user read-only permissions on EAS

This section describes how to authorize a RAM user to query and view model services that are deployed in EAS.

  1. Log on to the RAM console.
  2. Grant a RAM user read-only permissions on EAS. For more information, see Grant permissions to a RAM user.
    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
    • In the Add Permissions panel, set the Select Policy parameter to System Policy and then select the AliyunPAIEASReadOnlyAccess policy.

Create a custom policy

This section describes how to authorize a RAM user to query and modify model services or dedicated resource groups in EAS by creating a custom policy.

  1. Log on to the RAM console.
  2. Create a custom policy. For more information, see Create a custom policy on the JSON tab.
    Important: We recommend that you follow the principle of least privilege when you specify the policy content.
    The following content provides a sample policy script. Replace <region>, <uid>, and the service IDs in the Resource values as described in the "Policy description" section of this topic:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "eas:CreateInstance",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eas:DescribeService",
                    "eas:DeleteService",
                    "eas:UpdateService",
                    "eas:UpdateServiceVersion"
                ],
                "Resource": [
                    "acs:eas:<region>:<uid>:service/eas-m-xxx1",
                    "acs:eas:<region>:<uid>:service/eas-m-xxx2"
                ]
            }
        ]
    }

    For more information about the Action and Resource elements, see the "Policy description" section of this topic.

  3. Attach the policy to a RAM user. For more information, see Grant permissions to a RAM user.
    • In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
    • In the Add Permissions panel, set the Select Policy parameter to Custom Policy and then select the custom policy that is created in Step 2.

Policy description

Each policy contains the Action and Resource elements. The Action element specifies the action to be performed, and the Resource element specifies the object on which the action is performed. The following sections describe the valid values of the Action and Resource elements.
  • Action
    | Category | Action | Description |
    |---|---|---|
    | Service-related | eas:CreateService | Create model services. |
    | | eas:ListServices | View model services. |
    | | eas:DescribeService | View the details of model services. |
    | | eas:DeleteService | Delete model services. |
    | | eas:ListServiceInstances | View information about EAS instances. |
    | | eas:DeleteServiceInstances | Restart EAS instances. |
    | | eas:UpdateService | Update model services or add versions. |
    | | eas:UpdateServiceVersion | Switch between versions of model services. |
    | | eas:StartService | Start model services. |
    | | eas:StopService | Stop model services. |
    | | eas:CreateServiceAutoScaler | Enable auto scaling for model services. |
    | | eas:DeleteServiceAutoScaler | Disable auto scaling for model services. |
    | | eas:DescribeServiceAutoScaler | View the state of auto scaling for model services. |
    | | eas:UpdateServiceAutoScaler | Modify the configurations of auto scaling. |
    | | eas:CreateServiceMirror | Create traffic mirror sessions. |
    | | eas:DescribeServiceMirror | View the states of traffic mirror sessions. |
    | | eas:UpdateServiceMirror | Modify the configurations of traffic mirror sessions. |
    | | eas:DeleteServiceMirror | Close traffic mirror sessions. |
    | | eas:ReleaseService | Set the traffic ratio for blue-green deployment. |
    | | eas:DescribeServiceLog | View logs of model services. |
    | Resource group-related | eas:CreateResource | Create dedicated resource groups. |
    | | eas:DescribeResource | View basic information about dedicated resource groups. |
    | | eas:ListResources | View dedicated resource groups. |
    | | eas:DeleteResource | Delete dedicated resource groups. |
    | | eas:UpdateResource | Update basic information about dedicated resource groups. |
    | | eas:ListResourceInstances | View nodes of dedicated resource groups. |
    | | eas:ListResourceInstanceWorker | View containers hosted on nodes of dedicated resource groups. |
    | | eas:ListResourceServices | View model services deployed in dedicated resource groups. |
    | | eas:CreateResourceInstances | Add nodes to dedicated resource groups. |
    | | eas:DeleteResourceInstances | Remove nodes from dedicated resource groups. |
    | | eas:UpdateResourceDLink | Update the state of Virtual Private Cloud (VPC) direct connection for dedicated resource groups. |
    | | eas:DescribeResourceDLink | View the states of VPC direct connection of dedicated resource groups. |
    | | eas:DeleteResourceDLink | Delete VPC direct connection configurations of dedicated resource groups. |
    | | eas:CreateResourceLog | Enable log shipper for dedicated resource groups. |
    | | eas:DescribeResourceLog | View the state of log shipper for dedicated resource groups. |
    | | eas:DeleteResourceLog | Disable log shipper for dedicated resource groups. |
  • Resource
    EAS defines the Resource element in the following format:
    acs:eas:<region>:<uid>:<resource_type>/<id>
    Replace the following parameters with actual values:
    • <region>: the region in which the model service or dedicated resource group is deployed.
    • <uid>: the UID of the account to which the resource belongs.
    • <resource_type>: the resource type. For example, if you want to manage resources related to model services, set the value to service. If you want to manage resources related to resource groups, set the value to resource.
    • <id>: the ID of the model service or dedicated resource group.
    The following examples show the values of the Resource element in different scenarios: managing model services deployed in public resource groups, managing model services deployed in dedicated resource groups, and managing dedicated resource groups.
    • Manage model services that are deployed in EAS
      • Manage a model service that is deployed in a public resource group
        acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****
        The value of Resource specifies the model service eas-m-u12fxt9ml1syoj**** that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account 123456789012****.
        acs:eas:cn-hangzhou:123456789012****:service/your_service_name
        The value of Resource specifies the model service your_service_name that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account 123456789012****.
      • Manage a model service that is deployed in a dedicated resource group
        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/eas-m-iaskn1skn1us****
        The value of Resource specifies the model service eas-m-iaskn1skn1us**** that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account 123456789012****.
        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service
        The value of Resource specifies the model service your_private_service that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account 123456789012****.
    • Manage a dedicated resource group
      acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****
      The value of Resource specifies the dedicated resource group eas-r-jksauxqjsai8****. The dedicated resource group is deployed in the China (Beijing) region and belongs to the account 123456789012****.
    • Use a wildcard character

      You can use wildcard characters (*) in Resource to specify more than one resource.

      The following examples show the values of Resource that use wildcard characters:
      • acs:eas:*:123456789012****:service/*
        The value of Resource specifies model services that belong to the account 123456789012**** and are deployed in public resource groups across all regions.
      • acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*
        The value of Resource specifies all model services that belong to the account 123456789012**** and are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region.
      • acs:eas:*:123456789012****:*
        The value of Resource specifies all resource groups and model services that belong to the account 123456789012**** in all regions.
      • acs:eas:*:123456789012****:service/prefix*
        The value of Resource specifies model services whose names start with the string prefix, that belong to the account 123456789012****, and that are deployed in public resource groups across all regions.
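
The following added example (not part of the original topic or of Alibaba Cloud's tooling) reviews a custom EAS policy against the least-privilege recommendation: it evaluates which action and resource pairs a policy allows and lists destructive actions that are granted on wildcard Resource values. Assumptions: `*` matches any run of characters as in the wildcard examples above, statements carry no Condition element, an explicit Deny takes precedence, and the function names, the `DESTRUCTIVE` selection, the UID and the service names are constructed for illustration.

```python
import re

# Actions from the Action table above that delete, restart or stop resources.
DESTRUCTIVE = {"eas:DeleteService", "eas:DeleteServiceInstances", "eas:StopService",
               "eas:DeleteResource", "eas:DeleteResourceInstances"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value):
    """Assumption: '*' matches any run of characters, '/' and ':' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def statement_matches(stmt, action, resource):
    return (any(wildcard_match(a, action) for a in as_list(stmt["Action"])) and
            any(wildcard_match(r, resource) for r in as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    hits = [s["Effect"] for s in policy["Statement"]
            if statement_matches(s, action, resource)]
    return "Deny" not in hits and "Allow" in hits

def broad_destructive_grants(policy):
    """List (statement index, action, resource) where a destructive action
    is allowed on a Resource value that contains a wildcard."""
    found = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for res in as_list(stmt["Resource"]):
            if "*" not in res:
                continue
            for act in sorted(DESTRUCTIVE):
                if any(wildcard_match(a, act) for a in as_list(stmt["Action"])):
                    found.append((i, act, res))
    return found

# Constructed sample: the UID and the service names are placeholders.
UID = "1234567890120000"
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["eas:DescribeService", "eas:DeleteService"],
     "Resource": f"acs:eas:*:{UID}:service/prefix*"},
    {"Effect": "Allow", "Action": "eas:ListServices", "Resource": "*"},
]}
```

Run `broad_destructive_grants` on a policy before attaching it; each returned entry is a candidate for replacing the wildcard with explicit service or resource group IDs.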