Grant permissions to the operating account and PAI service account to access Designer and dependent services such as MaxCompute, OSS, Flink, and general training resources.
Service dependencies
Designer depends on OSS and may also depend on MaxCompute, Flink, or general training resources. Required permissions vary by scenario.
MaxCompute: Designer includes hundreds of proprietary Alibaba algorithms built on MaxCompute.
Flink: Designer provides algorithm components that run on Flink, such as the PyAlink Script component.
OSS: Intermediate data and models generated during training are stored in OSS. Activate OSS and grant permissions before using Designer.
General training resources: Designer provides deep learning algorithms trained using general training resources. The custom Python Script component also depends on general training resources. Activate this service and grant permissions before using these features.
Log on to the PAI console and click to view cloud product dependencies and authorization details for each feature module.
Grant the operating account required permissions for Designer, MaxCompute, general training resources, Flink, and OSS. Also grant PAI permission to access OSS. To use all Designer features, grant permissions as described in the following sections:
Grant operating account permissions
Designer provides a visual development environment for the machine learning lifecycle and includes built-in algorithms. When using Designer for model development, activate the following cloud products and grant permissions in advance.
PAI sub-product: Designer
Account type
Scenarios
Procedure
Root account
The root account can perform all operations in Designer without additional authorization.
Not applicable
Resource Access Management (RAM) user
(Recommended)
PAI provides different member roles. Add a RAM user as a workspace member and assign a role as needed. For more information about role permissions, see Appendix: Roles and permissions.
Other dependent PAI sub-products: General computing resources
Designer requires computing resources for AI development. Use PAI general computing resources.
Use a root account to purchase general computing resources. If using a RAM user, grant the AliyunPAIFullAccess permission. For more information about permissions, see Permission management.
To authorize a RAM user to submit training tasks to general computing resources associated with a workspace, add the RAM user to the workspace and assign the Developer, Algorithm O&M Engineer, or Administrator role.
Other dependent cloud products: OSS
Deep learning algorithm components depend on OSS data sources. Activate OSS and grant permissions before use.
Sub-scenario
Description
Procedure
Activate OSS
Use a root account to activate OSS. No additional authorization is required for root accounts. To use a RAM user to activate OSS, grant the AliyunOSSFullAccess permission to the RAM user.
Activation: Activate OSS
Grant permissions to a RAM user: RAM Policy
Common operations: Create a bucket in the console
Use OSS
When using OSS:
Authorization: OSS provides detailed RAM control policies. Grant operation permissions to RAM users as needed.
Common operations: Create a bucket to upload files to OSS.
When granting an operating account permissions to access OSS, use a custom policy to define access permissions for a RAM user to OSS data in the PAI console. Perform the following steps:
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Script Editor tab.
Enter the policy document and click OK.
OSS provides a complete permission control system. For more information about OSS authorization policies, see RAM Policy.
Important: Define the access policy carefully based on the permissions required by the RAM user.
Using OSS in the PAI console involves common operations such as listing accessible buckets and reading or writing data. Use the following custom policy to configure permissions for RAM users performing operations in the PAI console.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:ListObjects",
        "oss:DeleteObject",
        "oss:ListParts",
        "oss:PutObject",
        "oss:AbortMultipartUpload",
        "oss:GetBucketCors",
        "oss:DeleteBucketCors"
      ],
      "Resource": [
        "acs:oss:*:*:<yourBucketName>",
        "acs:oss:*:*:<yourBucketName>/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Replace <yourBucketName> in the policy with the name of the bucket for which permissions are granted.
Enter a Name and Note for the access policy and click OK.
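The following added example (not part of the original page or of PAI) fills in <yourBucketName> from the policy above and audits the result before it is pasted into the Script Editor. The function names and the sample bucket name are assumptions; the bucket-name pattern follows the OSS bucket naming rules.

```python
import re

# Hypothetical helper names; not part of PAI, RAM or any Alibaba Cloud SDK.
# Bucket-scoped actions taken from the page's custom policy.
BUCKET_ACTIONS = [
    "oss:GetObject", "oss:ListObjects", "oss:DeleteObject", "oss:ListParts",
    "oss:PutObject", "oss:AbortMultipartUpload", "oss:GetBucketCors",
    "oss:DeleteBucketCors",
]
# OSS bucket names: 3-63 chars, lowercase letters, digits and hyphens,
# starting and ending with a letter or digit.
BUCKET_NAME = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")
GLOBAL_OK = {"oss:ListBuckets"}  # the only action the page grants on "*"


def render_policy(bucket):
    """Fill <yourBucketName>, rejecting names that would widen the grant."""
    if not BUCKET_NAME.fullmatch(bucket):
        raise ValueError(f"not a valid OSS bucket name: {bucket!r}")
    return {
        "Version": "1",
        "Statement": [
            {"Action": list(BUCKET_ACTIONS),
             "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
             "Effect": "Allow"},
            {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"},
        ],
    }


def audit_policy(policy):
    """Return findings for a policy document before it is saved in RAM."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if len(set(actions)) != len(actions):
            findings.append(f"statement {i}: duplicate action")
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action")
        for r in resources:
            name = r.rsplit(":", 1)[-1].split("/", 1)[0]
            if "<" in r:
                findings.append(f"statement {i}: unreplaced placeholder")
            elif name == "*" and not set(actions) <= GLOBAL_OK:
                findings.append(f"statement {i}: all-bucket resource")
    return findings
```

An empty list from audit_policy means the document still has the shape of the page's policy: object actions limited to one named bucket, and only oss:ListBuckets granted on "*".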
Grant PAI service account permissions
Authorization is usually completed when activating PAI. If authorization was not completed during activation, grant permissions by following these steps:
Log on to the PAI console.
In the navigation pane on the left, click . In the Designer section, find OSS.
In the Actions column, check the authorization status of OSS.
If permissions are not granted, click Authorize in the Actions column and follow the on-screen instructions to complete authorization.
After authorization is complete, click View Authorization Information in the Actions column to view details.