Platform For AI: Grant permissions for DLC

Last Updated: Mar 13, 2026

Grant DLC service-linked role access to cloud resources and OSS before first use. Learn required permissions and troubleshoot common authorization errors.

Background information

Before using DLC, grant the operating account the permissions required for DLC features and OSS. PAI also supports workspaces, which provide fine-grained access control over DLC training tasks for RAM users. When you use DLC, PAI performs storage operations on dependent products such as OSS and NAS in the background, so you must also grant PAI access to OSS and NAS. The following sections describe each authorization.

Operating account authorization

DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.

  • PAI module: DLC

    | Operation account | Service | Reference |
    | --- | --- | --- |
    | Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required. | N/A |
    | RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, see Roles and permissions. | Manage members of a workspace |

  • Other dependent cloud products: NAS

    NAS is used for data storage. You must activate NAS and grant the required permissions.

    Scenario

    Description

    Reference

    Activate NAS

    We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.

    Use NAS

    Use NAS after activation:

    • Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.

    • Common operations: You need to create a NAS file system and mount it to an instance of PAI.

  • Dependent cloud service: OSS

    You need to activate and authorize OSS for data storage.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.

PAI service account authorization

Grant general DLC permissions to Alibaba Cloud account (root account)

To ensure that DLC functions as expected, make sure that your Alibaba Cloud account has general permissions for DLC. These permissions are typically granted when you activate PAI and create a default workspace. You can follow the instructions in Check whether the AliyunPAIDLCDefaultRole role is attached to the account to verify whether your account has the required permissions. If not, follow the steps in this section to grant the permissions.

  1. Log on to the PAI console. In the top navigation bar, select the destination region. On the right side of the page, select the target workspace, and then click Enter DLC.

  2. Grant the AliyunPAIDLCDefaultRole role.

    1. Click Go to Authorization.

    2. On the Cloud Resource Access Authorization page, click Agree to Authorization. Wait for a message indicating that the authorization is successful.

  3. Add the AliyunOSSFullAccess permission to the AliyunPAIDLCDefaultRole role.

    After you complete the authorization, the account that you use to perform operations has the default role permissions for DLC. You must also add operational permissions for OSS to ensure that DLC features function as expected. The procedure is as follows.

    1. In the RAM console, navigate to the Identity Management > Roles page and find the AliyunPAIDLCDefaultRole role.

    2. In the Actions column for the AliyunPAIDLCDefaultRole role, click Add Permissions.

    3. In the Add Permissions panel, configure the parameters.

      Parameter

      Description

      Resource Scope

      Select Account Level. The system supports two authorization scopes:

      • Account Level: The permissions take effect within the current Alibaba Cloud account.

      • Resource Group Level: The permissions take effect within the specified resource group.

      Principal

      The RAM role to which you want to grant permissions. The system automatically specifies the current RAM role. You do not need to change it.

      Access Policy

      In the text box, enter OSS to search for policies. In the search results, select the required policy. The selected policy appears in the Selected list on the right.

      Note

      The example in the preceding figure uses AliyunOSSFullAccess. However, you should follow the principle of least privilege when you select a policy.

    4. Click Confirm New Authorization.

  4. Add the PaiDlcOAuthPolicy permission to the AliyunPAIDLCDefaultRole role to ensure that DLC features function as expected. The procedure is as follows.

    1. In the RAM console, navigate to the Permission Management > Policies page. Click Create Policy to create the custom policy PaiDlcOAuthPolicy. The key parameters are described in the following table. For more information, see Create a custom policy on the Script tab.

      Parameter

      Description

      Script Editor

      On the Script Editor tab, enter the following policy document.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ram:GetDefaultDomain",
              "ram:ListApplications",
              "ram:CreateApplication",
              "ram:ListAppSecretIds",
              "ram:GetAppSecret",
              "ram:CreateAppSecret",
              "ram:DeleteApplication",
              "ram:DeleteAppSecret"
            ],
            "Resource": [
              "*"
            ],
            "Effect": "Allow"
          }
        ]
      }

      Name

      Set this parameter to PaiDlcOAuthPolicy.

    2. On the Identity Management > Roles page, click Add Permissions in the Actions column for the AliyunPAIDLCDefaultRole role.

    3. In the Add Permissions panel, follow the instructions in the following figure to add the PaiDlcOAuthPolicy policy.

  5. Check the authorization result.

    After you complete the preceding steps, click AliyunPAIDLCDefaultRole to verify that the policies are correctly attached to the role.
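
The note in step 3 asks for least privilege rather than AliyunOSSFullAccess. The following added example (not part of the PAI documentation) audits RAM policy documents for wildcard grants before they are attached to AliyunPAIDLCDefaultRole. The bucket name example-dlc-bucket, the training/ prefix, the selected OSS actions, and the names audit_policy and _as_list are assumptions made for illustration.

```python
# PaiDlcOAuthPolicy as given in step 4 above.
PAI_DLC_OAUTH_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:GetDefaultDomain", "ram:ListApplications", "ram:CreateApplication",
               "ram:ListAppSecretIds", "ram:GetAppSecret", "ram:CreateAppSecret",
               "ram:DeleteApplication", "ram:DeleteAppSecret"],
    "Resource": ["*"]}]}

# Constructed sample: the shape of a full-access grant (every OSS action, every resource).
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

# Constructed sample: a bucket-scoped alternative. Bucket name, prefix and action
# list are assumptions; derive the real ones from what the job reads and writes.
SCOPED_OSS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-dlc-bucket"]},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:example-dlc-bucket/training/*"]}]}


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, issue) pairs for Allow statements with wildcard scope."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((index, "applies to all resources"))
    return findings


if __name__ == "__main__":
    for name in ("PAI_DLC_OAUTH_POLICY", "BROAD_POLICY", "SCOPED_OSS_POLICY"):
        print(name, audit_policy(globals()[name]))
```

A policy that returns an empty list is limited to named actions on named resources; any finding is a prompt to narrow the statement before attaching it to the role.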

Grant PAI access to cloud products: OSS and NAS

PAI provides a one-click authorization method to grant PAI access to cloud products such as OSS and NAS. The procedure is as follows:

  1. Log on to the PAI console.

  2. In the navigation pane on the left, choose Activation and Authorization > All Cloud Product Dependencies. In the DLC section, find OSS and NAS.

  3. In the Actions column, check the authorization status of OSS.

    • If the service is not authorized, click One-click Authorization in the Actions column and follow the on-screen instructions to complete the authorization.

    • If the service is already authorized, you can click View Authorization Information in the Actions column to view the details.

Reference: Check whether the AliyunPAIDLCDefaultRole role is attached to the account

To ensure that DLC functions as expected, make sure that your Alibaba Cloud account has the AliyunPAIDLCDefaultRole service-linked role. The procedure is as follows.

Note

Only a root account can grant permissions. RAM users cannot grant permissions.

  1. Log on to the RAM console.

  2. In the left navigation pane, click Identity Management > Roles.

  3. On the Roles page, enter AliyunPAIDLCDefaultRole in the search box and search for the role.

Permission checklist

Verify these permissions before using DLC to avoid authorization errors:

For Alibaba Cloud account (root user)

  • Account has sufficient balance

  • PAI service activated in target region

  • VPC and vSwitch created (if needed)

For RAM user

  • Policy AliyunPAIFullAccess attached

  • Policy AliyunOSSReadOnlyAccess attached (minimum for read-only data)

  • Policy AliyunECSReadOnlyAccess attached (to view instances)

  • Added to PAI workspace as member

For AliyunPAIDLCDefaultRole (service role)

  • Role exists (auto-created on first PAI use)

  • Policy AliyunECSFullAccess attached

  • Policy AliyunOSSFullAccess attached

  • Policy AliyunVPCReadOnlyAccess attached

  • Trust relationship allows PAI service

For OSS bucket access

  • Bucket in same region as DLC job

  • Bucket not encrypted (or encryption key accessible by RAM role)

  • Bucket policy allows AliyunPAIDLCDefaultRole access

  • Test access with ossutil before job submission

Troubleshooting

Common permission errors and solutions when using DLC:

Error Code: 100700008 - No permission: not in workspace

Symptoms: RAM user cannot access PAI console or create DLC jobs.

Root cause: RAM user/role missing required PAI workspace permissions.

Solution:

  1. Log in with Alibaba Cloud account (not RAM user).

  2. Grant RAM user AliyunPAIFullAccess policy in RAM console.

  3. Or create custom policy with workspace access:

    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "pai:*"
        ],
        "Resource": "*"
      }]
    }

  4. Add RAM user to workspace in PAI console: Workspace Settings > Members > Add Member.

Prevention: Configure permissions before creating workspace. Use workspace member management to control access.

Error: AccessDenied when accessing OSS data

Symptoms: DLC job fails with "AccessDenied" when reading/writing OSS bucket.

Root cause: RAM role missing OSS permissions or bucket policy too restrictive.

Solution:

  1. Attach AliyunOSSReadOnlyAccess policy (minimum for read-only).

  2. Or attach AliyunOSSFullAccess if writing data.

  3. Verify bucket policy allows access from AliyunPAIDLCDefaultRole.

  4. Check bucket in same region as DLC job. Cross-region access may be blocked.

  5. Test access before job:

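    # Install and configure ossutil
    # Download over HTTPS and verify the binary against a checksum from a trusted source before running it
    wget https://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64
    chmod 755 ossutil64
    # Interactive: prompts for the endpoint and the AccessKey pair to test with
    ./ossutil64 config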
    
    # Test bucket access
    ./ossutil64 ls oss://your-bucket/your-path/

Prevention: Follow permission checklist above. Test OSS access with ossutil before creating production jobs.

Error: Cannot create DLC training job

Symptoms: Job creation fails with "Invalid role" or "Service role not found" error.

Root cause: Missing DLC service role (AliyunPAIDLCDefaultRole).

Solution:

  1. PAI auto-creates AliyunPAIDLCDefaultRole on first use. If auto-creation failed, manually create role.

  2. In RAM console, create service-linked role with these policies:

    • AliyunECSFullAccess

    • AliyunOSSFullAccess

    • AliyunVPCReadOnlyAccess

  3. Set trust relationship to allow PAI service:

    {
      "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "pai.aliyuncs.com"
          ]
        }
      }],
      "Version": "1"
    }

  4. Verify role exists: RAM console > Roles > Search "AliyunPAIDLCDefaultRole".

Prevention: Activate PAI service before first use. Allow auto-creation of service role.
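
The trust relationship in step 3 should let the PAI service assume the role, and the check below also reports any other principal that has been added. This is an added example, not PAI's own tooling; the names trust_issues and _as_list and the second sample document are constructed for illustration.

```python
EXPECTED_SERVICE = "pai.aliyuncs.com"

# Trust policy from step 3 above.
PAGE_TRUST_POLICY = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["pai.aliyuncs.com"]}}]}

# Constructed sample: the PAI service is missing and a RAM principal was added.
# "<other-account-id>" is a placeholder, not a real account.
DRIFTED_TRUST_POLICY = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": "ecs.aliyuncs.com",
                  "RAM": ["acs:ram::<other-account-id>:root"]}}]}


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trust_issues(policy, expected_service=EXPECTED_SERVICE):
    """Return problems that would break DLC or widen who can assume the role."""
    issues, services = [], set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            issues.append(f"unstructured principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service":
                    services.add(value)
                    if value != expected_service:
                        issues.append(f"unexpected service principal: {value}")
                else:
                    issues.append(f"non-service principal {kind}: {value}")
    if expected_service not in services:
        issues.append(f"{expected_service} cannot assume this role")
    return issues
```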

Common permission errors reference

| Error Code | Error Message | Cause | Solution |
| --- | --- | --- | --- |
| 100700008 | No permission: not in workspace | RAM user not workspace member | Add user to workspace |
| 403 | Forbidden - AccessDenied | Missing policy | Attach AliyunPAIFullAccess |
| 403 | OSS AccessDenied | Missing OSS permissions | Attach AliyunOSSReadOnlyAccess |
| 400 | InvalidRole | Service role missing | Create AliyunPAIDLCDefaultRole |
| 409 | RoleAlreadyExists | Role name conflict | Use existing role |

References

After you grant the required permissions, you can create a DLC job for model training. For more information, see Create a training task.