All Products
Search
Document Center

Platform For AI:Activate and grant permissions to dependent Alibaba Cloud services

Last Updated:Oct 31, 2024

When you use Platform for AI (PAI), there may be scenarios where you need to use other Alibaba Cloud services, such as Object Storage Service (OSS) or MaxCompute to complete development. In these scenarios, you need to use an Alibaba Cloud account to activate the Alibaba Cloud services on which PAI depends and grant permissions to Resource Access Management (RAM) users to ensure smooth development. This topic describes the dependent Alibaba Cloud services and the permission requirements when PAI is used in different scenarios.

Authorization object: service-linked role of PAI and Alibaba Cloud account

Before you activate and authorize other cloud services, you can familiarize yourself with the authorization objects. You need to authorize two objects when you use PAI.

Authorization object

Description

Instruction

Service-linked role of PAI

When you activate PAI, the system creates a service-linked role of PAI, which you can use to manage PAI modules and access other cloud services. In this case, you need to grant permissions to the service-linked role to use all features provided by PAI.

To complete this step, click Authorize on the activation page when you activate PAI. If you do not complete authorization when you activate PAI, the system prompts you to complete authorization when you start to use PAI. You can click the Authorize to complete authorization.

Alibaba Cloud account

When you use PAI, log on to the PAI console by using an Alibaba Cloud account and manage PAI modules and access other cloud services. Therefore, you need to grant permissions to the Alibaba Cloud accounts based on your business requirements.

Note
  • We recommend that you use an Alibaba Cloud account to activate PAI and purchase cloud resources.

  • You can grant permissions to a RAM user and use the RAM user to perform operations such as development and management.

For more information about dependent Alibaba Cloud services in different scenarios and the required permissions, see the following section.

PAI modules and dependent Alibaba Cloud services

The following section describes the cloud services and the required permissions in different scenarios when you use PAI.

Activate PAI and purchase PAI resources

  • Recommended operation account

    We recommend that you use an Alibaba Cloud account to activate PAI and purchase PAI resources, such as general training resources.

  • Required permissions

    Operation account

    Required permissions

    Reference

    Alibaba Cloud account

    (Recommended)

    You can use an Alibaba Cloud account to activate and purchase resources. No additional authorization is required.

    N/A

    RAM user

    If you want to use a RAM user to activate PAI or purchase PAI resources, grant the AliyunPAIFullAccess permissions to the RAM user.

    Note

    The AliyunPAIFullAccess contains a wide range of permissions. We recommend that you use an Alibaba Cloud account in this scenario.

    Appendix: AliyunPAIFullAccess

Manage AI workspaces

AI workspaces provide enterprises and teams with centralized management of computing resources and personnel. AI workspace also provides development tools and AI asset management capabilities that support team collaboration on full-link AI development. You can use an Alibaba Cloud account or RAM users to perform operations on AI workspaces.

  • PAI module: AI workspace

    Operation account

    Required permissions

    Alibaba Cloud account

    You can use an Alibaba Cloud account to manage AI workspaces. No additional authorization is required.

    RAM user

    If your Alibaba Cloud account has multiple RAM users and each RAM user is used by different user roles, you can assume different roles to the RAM users for convenient management. For example, you can set a RAM user to be Resource Administrator (Alibaba Cloud Account/RAM User), Workspace Administrator or Owner, Algorithm Developer, Algorithm O&M Engineer, Labeling Administrator, or Visitor based on your business requirements. For more information about the permissions of each role on the workspace, see Appendix: Roles and permissions.

  • Dependent cloud service: EventBridge

    PAI workspaces provide a notification mechanism to help you track and monitor the status of Deep Learning Containers (DLC) jobs or Machine Learning Designer jobs. Workspaces send notifications by using EventBridge. Therefore, you need to activate and authorize EventBridge to receive notifications.

AI development: iTAG

iTAG is an intelligent data labeling platform. In iTAG, you can label data of different modals, such as images, text, videos, and audio or multimodal data. You may need to activate and authorize the following cloud services when you use iTAG.

  • PAI module: iTAG

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on iTAG. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.

    Manage members of a workspace

  • Dependent cloud service: OSS

    The input and output of dataset labeling use OSS as a data source. Therefore, you need to activate and authorize OSS before you start labeling.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

AI development: Machine Learning Designer

Machine Learning Designer provides a visualized environment for full-link machine learning development with rich built-in machine learning algorithms. You may need to activate and authorize the following cloud services when you use Machine Learning Designer.

  • PAI module: Machine Learning Designer

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on Machine Learning Designer. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.

    Manage members of a workspace

  • PAI module: general computing resources

    You can use the general computing resources of PAI for AI development.

    We recommend that you use an Alibaba Cloud account to purchase general computing resources. If you want to use a RAM user to purchase resources, the RAM user must be granted AliyunPAIFullAccess permissions. For more information, see the Activate PAI and purchase PAI resources section.

  • Grant your RAM user or RAM role the permissions to access MaxCompute

    Machine Learning Designer provides hundreds of self-developed algorithms based on the MaxCompute framework. Make sure that you activate MaxCompute before you use these algorithms.

    Scenario

    Description

    Reference

    Activate MaxCompute

    We recommend that you use an Alibaba Cloud account to activate MaxCompute. No additional authorization is required. If you want to activate MaxCompute by using a RAM user, you need to grant the AliyunBSSOrderAccess and AliyunDataWorksFullAccess permissions to the RAM user.

    Use MaxCompute

    You need to add the MaxCompute Developer role to the workspace. For more information, see Add members.

  • Dependent cloud service: OSS

    You need to activate and authorize OSS to use OSS as a data source when you use deep learning algorithm components.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

  • Dependent cloud service: Flink

    Machine Learning Designer provides dozens of self-developed algorithms based on the Flink framework. Make sure that you activate Flink before you use these algorithms.

    Scenario

    Description

    Reference

    Activate Flink

    We recommend that you use an Alibaba Cloud account to activate Flink. No additional authorization is required. If you want to activate Flink by using a RAM user, you must grant the AliyunStreamFullAccess permissions to the RAM user.

    Use Flink

    Use Flink after activation:

    • Authorization: Flink provides detailed RAM control policies. You can grant permissions to RAM users as needed.

AI development: Data Science Workshop (DSW)

DSW is an integrated development environment (IDE) in the cloud that provides interactive development environments for different levels of developers. You may need to activate and authorize the following cloud services when you use DSW for interactive modeling.

  • PAI module: DSW

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on DSW. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.

    Manage members of a workspace

  • Dependent cloud service: File Storage NAS

    PAI provides cloud disks with a specific capacity to store data persistently for DSW instances that are created by using the public resource group. If the DSW instance is stopped and not launched for over 15 days, the disk is cleared. Non-persistent on-premises storage is provided for DSW instances that are created by using dedicated resource groups. If you want to persist data, we recommend that you mount a NAS file system. In this case, you need to activate and authorize NAS for persistence data storage.

    Scenario

    Description

    Reference

    Activate NAS

    We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.

    Use NAS

    Use NAS after activation:

    • Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a NAS file system and mount it to an instance of PAI.

AI development: DLC

DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.

  • PAI module: DLC

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.

    Manage members of a workspace

  • Dependent cloud service: File Storage NAS

    You need to activate and authorize NAS for persistence data storage.

    Scenario

    Description

    Reference

    Activate NAS

    We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.

    Use NAS

    Use NAS after activation:

    • Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a NAS file system and mount it to an instance of PAI.

  • Dependent cloud service: OSS

    You need to activate and authorize OSS for data storage.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

AI development: Elastic Algorithm Service (EAS)

You can use EAS to deploy a model as a RESTful API and then call the API by sending HTTP requests. You may need to activate and authorize the following cloud services when you use EAS to deploy models.

  • PAI module: EAS

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to perform operations on EAS. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides detailed RAM control policies. You can grant operation permissions to RAM accounts based on your business requirements. Examples:

    • Management permissions for EAS: the AliyunPAIEASFullAccess permission.

    • Read-only permissions on EAS: the AliyunPAIEASReadOnlyAccess permission.

    Grant the permissions that are required to use EAS

  • Dependent cloud service: API Gateway

    You can use API Gateway to debug and access services over the Internet after you deploy the model in EAS.

    Scenario

    Description

    Reference

    Activate API Gateway

    We recommend that you use an Alibaba Cloud account to activate API Gateway. No additional authorization is required. If you want to activate API Gateway by using a RAM user, you must grant the AliyunApiGatewayFullAccess permissions to the RAM user.

    Use API Gateway

    Use API Gateway after activation:

    • Authorization: API Gateway provides detailed RAM control policies. You can grant permissions to RAM users as needed.

  • Dependent cloud service: OSS

    You need to use OSS to store model files.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

  • Dependent cloud service: Simple Log Service

    Logs are delivered to Simple Log Service.

    Scenario

    Description

    Reference

    Activate Simple Log Service

    We recommend that you use an Alibaba Cloud account to activate Simple Log Service. No additional authorization is required. If you want to activate Simple Log Service by using a RAM user, you must grant the AliyunLogFullAccess permissions to the RAM user.

    Use Simple Log Service

    Use Simple Log Service after activation:

    • Authorization: Simple Log Service provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a project and a Logstore for Simple Log Service to collect and store logs.

  • Dependent cloud service: Virtual Private Cloud (VPC)

    VPC direct connections are used.

    Scenario

    Description

    Reference

    Activate VPC

    We recommend that you use an Alibaba Cloud account to activate VPC. No additional authorization is required. If you want to activate VPC by using a RAM user, you must grant the AliyunVPCFullAccess permissions to the RAM user.

    Use VPC

    Use VPC after activation:

    • Authorization: VPC provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a VPC and a vSwitch for network connection.

  • Dependent cloud service: CloudMonitor

    CloudMonitor is used to monitor services and generate alerts.

    Scenario

    Description

    Reference

    Activate CloudMonitor

    We recommend that you use an Alibaba Cloud account to activate CloudMonitor. No additional authorization is required. If you want to activate CloudMonitor by using a RAM user, you must grant the AliyunCloudMonitorFullAccess permissions to the RAM user.

    Use CloudMonitor

    Use Container Registry after activation

    • Authorization: CloudMonitor Gateway provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: In most cases, you need to configure alert contacts and alert rules.

AI Computing Asset Management

AI Computing Asset Management provides an all-in-one platform to manage development data as assets during AI development. You may need to activate and authorize the following cloud services when you use AI Computing Asset Management.

  • PAI module: AI Computing Asset Management

    Operation account

    Service

    Reference

    Alibaba Cloud account

    You can use an Alibaba Cloud account to manage AI assets. No additional authorization is required.

    N/A

    RAM user

    (Recommended)

    PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.

    Manage members of a workspace

  • Dependent cloud service: Container Registry

    You need to use Container Registry to build a custom image, and then use and manage the custom image as an AI asset.

    Scenario

    Description

    Reference

    Activate Container Registry

    We recommend that you use an Alibaba Cloud account to activate CloudMonitor. No additional authorization is required. If you want to activate Container Registry by using a RAM user, you must grant the AliyunContainerRegistryFullAccess permissions to the RAM user.

    Use Container Registry

    Use Container Registry after activation

    • Authorization: Container Registry provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: In most cases, you need to prepare a Docker file for building an image, create a custom image and then use the AI Computing Asset Management platform to manage the image.

AI acceleration

You can use AI acceleration to accelerate trainings and inference.

  • In most cases, you only need permissions for development, training, and inference in related PAI modules when using AI acceleration. No additional authorization is required.

  • If you need to use dataset acceleration, you need to purchase a dataset acceleration instance and configure an acceleration slot.

    • We recommend that you use an Alibaba Cloud account to purchase and configure resources for dataset acceleration instances.

    • If you want to use a RAM user to purchase and configure resources of dataset acceleration, the RAM user must be granted the AliyunPAIFullAccess and AliyunDatasetAccFullAccess permissions.