When you use Platform for AI (PAI), there may be scenarios where you need to use other Alibaba Cloud services, such as Object Storage Service (OSS) or MaxCompute, to complete development. In these scenarios, you need to use an Alibaba Cloud account to activate the Alibaba Cloud services on which PAI depends and grant permissions to Resource Access Management (RAM) users to ensure smooth development. This topic describes the dependent Alibaba Cloud services and the permission requirements when PAI is used in different scenarios.
Authorization object: service-linked role of PAI and Alibaba Cloud account
Before you activate and authorize other cloud services, you can familiarize yourself with the authorization objects. You need to authorize two objects when you use PAI.
Authorization object | Description | Instruction |
Service-linked role of PAI | When you activate PAI, the system creates a service-linked role of PAI, which you can use to manage PAI modules and access other cloud services. In this case, you need to grant permissions to the service-linked role to use all features provided by PAI. | To complete this step, click Authorize on the activation page when you activate PAI. If you do not complete authorization when you activate PAI, the system prompts you to complete authorization when you start to use PAI. You can click Authorize to complete authorization. |
Alibaba Cloud account | When you use PAI, you log on to the PAI console by using an Alibaba Cloud account to manage PAI modules and access other cloud services. Therefore, you need to grant permissions to the Alibaba Cloud accounts based on your business requirements. | For more information about dependent Alibaba Cloud services in different scenarios and the required permissions, see the following section. |
PAI modules and dependent Alibaba Cloud services
The following section describes the cloud services and the required permissions in different scenarios when you use PAI.
Activate PAI and purchase PAI resources
Recommended operation account
We recommend that you use an Alibaba Cloud account to activate PAI and purchase PAI resources, such as general training resources.
Required permissions
Operation account | Required permissions | Reference |
Alibaba Cloud account (Recommended) | You can use an Alibaba Cloud account to activate and purchase resources. No additional authorization is required. | N/A |
RAM user | If you want to use a RAM user to activate PAI or purchase PAI resources, grant the AliyunPAIFullAccess permissions to the RAM user. Note: AliyunPAIFullAccess contains a wide range of permissions. We recommend that you use an Alibaba Cloud account in this scenario. | |
Manage AI workspaces
AI workspaces provide enterprises and teams with centralized management of computing resources and personnel. AI workspaces also provide development tools and AI asset management capabilities that support team collaboration on full-link AI development. You can use an Alibaba Cloud account or RAM users to perform operations on AI workspaces.
PAI module: AI workspace
Operation account | Required permissions |
Alibaba Cloud account | You can use an Alibaba Cloud account to manage AI workspaces. No additional authorization is required. |
RAM user | If your Alibaba Cloud account has multiple RAM users and the RAM users are used by different user roles, you can assign different roles to the RAM users for convenient management. For example, you can set a RAM user to be Resource Administrator (Alibaba Cloud Account/RAM User), Workspace Administrator or Owner, Algorithm Developer, Algorithm O&M Engineer, Labeling Administrator, or Visitor based on your business requirements. For more information about the permissions of each role on the workspace, see Appendix: Roles and permissions. |
Dependent cloud service: EventBridge
PAI workspaces provide a notification mechanism to help you track and monitor the status of Deep Learning Containers (DLC) jobs or Machine Learning Designer jobs. Workspaces send notifications by using EventBridge. Therefore, you need to activate and authorize EventBridge to receive notifications.
AI development: iTAG
iTAG is an intelligent data labeling platform. In iTAG, you can label data of different modalities, such as images, text, videos, and audio, or multimodal data. You may need to activate and authorize the following cloud services when you use iTAG.
PAI module: iTAG
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on iTAG. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | |
Dependent cloud service: OSS
The input and output of dataset labeling use OSS as a data source. Therefore, you need to activate and authorize OSS before you start labeling.
Scenario | Description | Reference |
Activate OSS | We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user. | Activation: Activate OSS; Authorization: Overview of RAM policy; Common operations: Create buckets |
Use OSS | Use OSS after activation. Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: You need to create a bucket to upload objects to OSS. | |
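The difference between a full-access grant such as AliyunOSSFullAccess and a policy scoped to one labeling dataset can be checked mechanically. The following is an added example, not code from the PAI documentation; the bucket name, prefix, region, account ID, and helper names are hypothetical, and the body of BROAD is a constructed stand-in for a full-access policy.

```python
import fnmatch
import json

# Constructed sample RAM policy documents (not copied from any real account).
# BROAD stands in for a full-access grant; its exact body is an assumption.
BROAD = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}""")

# Hypothetical bucket and prefix holding an iTAG labeling dataset.
SCOPED = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:ListObjects"],
   "Resource": ["acs:oss:*:*:example-labeling-bucket"]},
  {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
   "Resource": ["acs:oss:*:*:example-labeling-bucket/itag/*"]}]}""")

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def find_overbroad(policy):
    """Return (statement index, reason) for every Allow statement that
    grants a whole service or does not name a bucket."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        for res in _as_list(stmt.get("Resource", [])):
            # The last ARN segment is the bucket/object path; "*" means all.
            if res.split(":", 4)[-1] == "*":
                findings.append((i, f"wildcard resource {res}"))
    return findings

def allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Condition blocks are not modelled."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = (any(fnmatch.fnmatchcase(action, a)
                   for a in _as_list(stmt.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt.get("Effect") == "Deny":
            return False
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

# Constructed request targets used to compare the two policies.
ARN = "acs:oss:oss-cn-hangzhou:1234567890123456:example-labeling-bucket"
DATASET_OBJECT = ARN + "/itag/img001.jpg"
OTHER_OBJECT = ARN + "/models/weights.bin"

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, find_overbroad(pol),
              allows(pol, "oss:GetObject", OTHER_OBJECT))
```

Run against exported policy documents, the same two functions show which RAM users hold service-wide grants and whether a scoped replacement still covers the objects a labeling job reads and writes.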
AI development: Machine Learning Designer
Machine Learning Designer provides a visualized environment for full-link machine learning development with rich built-in machine learning algorithms. You may need to activate and authorize the following cloud services when you use Machine Learning Designer.
PAI module: Machine Learning Designer
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on Machine Learning Designer. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | |
PAI module: general computing resources
You can use the general computing resources of PAI for AI development.
We recommend that you use an Alibaba Cloud account to purchase general computing resources. If you want to use a RAM user to purchase resources, the RAM user must be granted AliyunPAIFullAccess permissions. For more information, see the Activate PAI and purchase PAI resources section.
Grant your RAM user or RAM role the permissions to access MaxCompute
Machine Learning Designer provides hundreds of self-developed algorithms based on the MaxCompute framework. Make sure that you activate MaxCompute before you use these algorithms.
Scenario | Description | Reference |
Activate MaxCompute | We recommend that you use an Alibaba Cloud account to activate MaxCompute. No additional authorization is required. If you want to activate MaxCompute by using a RAM user, you need to grant the AliyunBSSOrderAccess and AliyunDataWorksFullAccess permissions to the RAM user. | Activation: Activate MaxCompute and DataWorks; Authorization: Manage the members of a workspace; Common operations: Create a MaxCompute project and Manage the computing resources of a workspace |
Use MaxCompute | You need to add the MaxCompute Developer role to the workspace. For more information, see Add members. | |
Dependent cloud service: OSS
You need to activate and authorize OSS to use OSS as a data source when you use deep learning algorithm components.
Scenario | Description | Reference |
Activate OSS | We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user. | Activation: Activate OSS; Authorization: Overview of RAM policy; Common operations: Create buckets |
Use OSS | Use OSS after activation. Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: You need to create a bucket to upload objects to OSS. | |
Dependent cloud service: Flink
Machine Learning Designer provides dozens of self-developed algorithms based on the Flink framework. Make sure that you activate Flink before you use these algorithms.
Scenario | Description | Reference |
Activate Flink | We recommend that you use an Alibaba Cloud account to activate Flink. No additional authorization is required. If you want to activate Flink by using a RAM user, you must grant the AliyunStreamFullAccess permissions to the RAM user. | Activation: Activate Realtime Compute for Apache Flink; Authorization: Grant permissions to a RAM user |
Use Flink | Use Flink after activation. Authorization: Flink provides detailed RAM control policies. You can grant permissions to RAM users as needed. | |
AI development: Data Science Workshop (DSW)
DSW is an integrated development environment (IDE) in the cloud that provides interactive development environments for different levels of developers. You may need to activate and authorize the following cloud services when you use DSW for interactive modeling.
PAI module: DSW
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on DSW. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | |
Dependent cloud service: File Storage NAS
PAI provides cloud disks with a specific capacity to store data persistently for DSW instances that are created by using the public resource group. If the DSW instance is stopped and not launched for over 15 days, the disk is cleared. Non-persistent on-premises storage is provided for DSW instances that are created by using dedicated resource groups. If you want to persist data, we recommend that you mount a NAS file system. In this case, you need to activate and authorize NAS for persistent data storage.
Scenario | Description | Reference |
Activate NAS | We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user. | Authorization: Perform access control based on RAM policies; Common operations: Create a file system |
Use NAS | Use NAS after activation. Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed. Common operations: You need to create a NAS file system and mount it to an instance of PAI. | |
AI development: DLC
DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.
PAI module: DLC
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | |
Dependent cloud service: File Storage NAS
You need to activate and authorize NAS for persistent data storage.
Scenario | Description | Reference |
Activate NAS | We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user. | Authorization: Perform access control based on RAM policies; Common operations: Create a file system |
Use NAS | Use NAS after activation. Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed. Common operations: You need to create a NAS file system and mount it to an instance of PAI. | |
Dependent cloud service: OSS
You need to activate and authorize OSS for data storage.
Scenario | Description | Reference |
Activate OSS | We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user. | Activation: Activate OSS; Authorization: Overview of RAM policy; Common operations: Create buckets |
Use OSS | Use OSS after activation. Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: You need to create a bucket to upload objects to OSS. | |
AI development: Elastic Algorithm Service (EAS)
You can use EAS to deploy a model as a RESTful API and then call the API by sending HTTP requests. You may need to activate and authorize the following cloud services when you use EAS to deploy models.
PAI module: EAS
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on EAS. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides detailed RAM control policies. You can grant operation permissions to RAM accounts based on your business requirements. Examples: Management permissions for EAS: the AliyunPAIEASFullAccess permission. Read-only permissions on EAS: the AliyunPAIEASReadOnlyAccess permission. | |
Dependent cloud service: API Gateway
You can use API Gateway to debug and access services over the Internet after you deploy the model in EAS.
Scenario | Description | Reference |
Activate API Gateway | We recommend that you use an Alibaba Cloud account to activate API Gateway. No additional authorization is required. If you want to activate API Gateway by using a RAM user, you must grant the AliyunApiGatewayFullAccess permissions to the RAM user. | Authorization: Use RAM to manage the permissions on API resources |
Use API Gateway | Use API Gateway after activation. Authorization: API Gateway provides detailed RAM control policies. You can grant permissions to RAM users as needed. | |
Dependent cloud service: OSS
You need to use OSS to store model files.
Scenario | Description | Reference |
Activate OSS | We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user. | Activation: Activate OSS; Authorization: Overview of RAM policy; Common operations: Create buckets |
Use OSS | Use OSS after activation. Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: You need to create a bucket to upload objects to OSS. | |
Dependent cloud service: Simple Log Service
Logs are delivered to Simple Log Service.
Scenario | Description | Reference |
Activate Simple Log Service | We recommend that you use an Alibaba Cloud account to activate Simple Log Service. No additional authorization is required. If you want to activate Simple Log Service by using a RAM user, you must grant the AliyunLogFullAccess permissions to the RAM user. | Activation: Activate Simple Log Service; Authorization: Authorization rules; Common operations: Create a project and Create a Logstore |
Use Simple Log Service | Use Simple Log Service after activation. Authorization: Simple Log Service provides detailed RAM control policies. You can grant permissions to RAM users as needed. Common operations: You need to create a project and a Logstore for Simple Log Service to collect and store logs. | |
Dependent cloud service: Virtual Private Cloud (VPC)
VPC direct connections are used.
Scenario | Description | Reference |
Activate VPC | We recommend that you use an Alibaba Cloud account to activate VPC. No additional authorization is required. If you want to activate VPC by using a RAM user, you must grant the AliyunVPCFullAccess permissions to the RAM user. | Authorization: Grant permissions to a RAM user; Common operations: Create and manage a VPC and Create and manage a vSwitch |
Use VPC | Use VPC after activation. Authorization: VPC provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: You need to create a VPC and a vSwitch for network connection. | |
Dependent cloud service: CloudMonitor
CloudMonitor is used to monitor services and generate alerts.
Scenario | Description | Reference |
Activate CloudMonitor | We recommend that you use an Alibaba Cloud account to activate CloudMonitor. No additional authorization is required. If you want to activate CloudMonitor by using a RAM user, you must grant the AliyunCloudMonitorFullAccess permissions to the RAM user. | Authorization: RAM authentication; Common operations: Step 1: Configure alert contacts and Step 2: Configure alert rules |
Use CloudMonitor | Use CloudMonitor after activation. Authorization: CloudMonitor provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: In most cases, you need to configure alert contacts and alert rules. | |
AI Computing Asset Management
AI Computing Asset Management provides an all-in-one platform to manage development data as assets during AI development. You may need to activate and authorize the following cloud services when you use AI Computing Asset Management.
PAI module: AI Computing Asset Management
Operation account | Service | Reference |
Alibaba Cloud account | You can use an Alibaba Cloud account to manage AI assets. No additional authorization is required. | N/A |
RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | |
Dependent cloud service: Container Registry
You need to use Container Registry to build a custom image, and then use and manage the custom image as an AI asset.
Scenario | Description | Reference |
Activate Container Registry | We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to activate Container Registry by using a RAM user, you must grant the AliyunContainerRegistryFullAccess permissions to the RAM user. | Authorization: RAM authentication rules; Common operations: Use a Container Registry Enterprise Edition instance to build an image |
Use Container Registry | Use Container Registry after activation. Authorization: Container Registry provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements. Common operations: In most cases, you need to prepare a Dockerfile for building an image, create a custom image, and then use the AI Computing Asset Management platform to manage the image. | |
AI acceleration
You can use AI acceleration to accelerate training and inference.
In most cases, you only need permissions for development, training, and inference in related PAI modules when using AI acceleration. No additional authorization is required.
If you need to use dataset acceleration, you need to purchase a dataset acceleration instance and configure an acceleration slot.
We recommend that you use an Alibaba Cloud account to purchase and configure resources for dataset acceleration instances.
If you want to use a RAM user to purchase and configure resources for dataset acceleration, the RAM user must be granted the AliyunPAIFullAccess and AliyunDatasetAccFullAccess permissions.