The first time you use Deep Learning Containers (DLC) of Platform for AI (PAI), you need to assign a service-linked role to DLC to allow DLC to access the required resources. If you use Object Storage Service (OSS) for storage, you need to grant the DLC service-linked role the permissions to access OSS. This topic describes how to grant permissions to the DLC service-linked role.
Background information
Before you use DLC, you must make sure that the account you use has the permissions to manage DLC and OSS. PAI allows you to grant fine-grained permissions to Resource Access Management (RAM) users to manage DLC jobs by using workspaces. In addition, you must authorize PAI to manage OSS and File Storage NAS (NAS) before you use DLC. For more information, see the following sections:
Grant permissions to the operation account
This section describes the PAI modules and other cloud services that are used by DLC and the authorization procedures.
Grant permissions to the service-linked role
This section describes how to grant a RAM user the permissions to manage DLC and access OSS and NAS.
Grant permissions to the operation account
DLC provides a platform for creating and submitting model training jobs. You may need to activate and authorize the following cloud services when you use DLC to create and submit training jobs.
PAI module: DLC
Operation account
Service
Reference
Alibaba Cloud account
You can use an Alibaba Cloud account to perform operations on DLC. No additional authorization is required.
N/A
RAM user (Recommended)
PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.
Dependent cloud service: NAS
You need to activate and authorize NAS for data storage.
Scenario
Description
Reference
Activate NAS
We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.
Authorization: Perform access control based on RAM policies
Common operations: Create a file system
Use NAS
Use NAS after activation:
Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.
Common operations: You need to create a NAS file system and mount it to an instance of PAI.
Dependent cloud service: OSS
You need to activate and authorize OSS for data storage.
Scenario
Description
Reference
Activate OSS
We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.
Activation: Activate OSS
Authorization: Overview of RAM policy
Common operations: Create buckets
Use OSS
Use OSS after activation:
Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.
Common operations: You need to create a bucket to upload objects to OSS.
Grant permissions to the service-linked role
Grant DLC permissions to an Alibaba Cloud account
Before you use DLC, make sure that the Alibaba Cloud account that you use has the permissions to manage DLC. In most cases, you are prompted to perform authorization when you activate PAI. For more information, see Activate PAI and create the default workspace. You can check whether your Alibaba Cloud account has operation permissions on DLC. For more information, see the "Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC" section in this topic. If the account does not have the required permissions, perform the following operations to grant the required permissions to the Alibaba Cloud account:
Log on to the PAI console. Select a region and a workspace. Then, click Enter Deep Learning Containers (DLC).
Assign the AliyunPAIDLCDefaultRole role to the RAM user.
Click Authorize to go to the Cloud Resource Access Authorization page.
On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. A message indicating that the role is assigned to the RAM user appears.
Attach the AliyunOSSFullAccess policy to the AliyunPAIDLCDefaultRole role.
After you complete the preceding steps, the account that you use is granted the permissions of the DLC default role. To ensure that DLC can work as expected, you also need to grant the account the permissions to manage OSS. Perform the following steps:
Log on to the RAM console. On the Roles page, find the AliyunPAIDLCDefaultRole role.
In the Actions column of AliyunPAIDLCDefaultRole, click Grant Permission.
In the Grant Permission panel, configure the parameters described in the following table.
Parameter
Description
Resource Scope
Set the value to Account. The following authorization scopes are supported:
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Principal
The RAM role to which you want to grant permissions. The system automatically specifies the current RAM role. You do not need to change the value.
Policy
Enter OSS in the search box and select an appropriate policy from the search results. The policy that you selected is displayed in the Selected Policy section.
Note: In this example, the AliyunOSSFullAccess policy is attached to the role. In actual scenarios, you need to grant permissions based on the principle of least privilege.
Click Grant permissions.
Attach the PaiDlcOAuthPolicy policy to the AliyunPAIDLCDefaultRole role to ensure that DLC can work as expected.
Log on to the RAM console. In the left-side navigation pane, choose and click Create Policy. Create a custom policy named PaiDlcOAuthPolicy and configure the following key parameters. For more information, see Create a custom policy on the JSON tab.
Parameter
Description
JSON
Click the JSON tab and enter the following content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:GetDefaultDomain",
        "ram:ListApplications",
        "ram:CreateApplication",
        "ram:ListAppSecretIds",
        "ram:GetAppSecret",
        "ram:CreateAppSecret",
        "ram:DeleteApplication",
        "ram:DeleteAppSecret"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Name
Set the value to PaiDlcOAuthPolicy.
In the left-side navigation pane of the RAM console, go to the Roles page. On the Roles page, find the AliyunPAIDLCDefaultRole role and click Grant Permission in the Actions column.
In the Grant Permission panel, perform the operations shown in the following figure to add the PaiDlcOAuthPolicy policy.
View the authorization result.
After you complete the preceding operations, click AliyunPAIDLCDefaultRole to check whether the policy that is attached to the role is correct.
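The note above asks for least privilege instead of AliyunOSSFullAccess. The following Python check is an added example, not part of the original documentation or of PAI: it flags Allow statements that use wildcard actions or Resource "*", and runs over the PaiDlcOAuthPolicy from this page, a constructed full-access OSS statement, and a constructed policy scoped to one bucket. The bucket name example-dlc-bucket and the OSS action list in the scoped policy are assumptions; adjust them to what your training jobs read and write.

```python
# Added example: audit RAM policy documents for over-broad Allow statements.

def as_list(value):
    """RAM policies accept a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """Return (statement_index, finding) tuples for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append((i, "wildcard action: " + ", ".join(wild_actions)))
        if "*" in resources:
            findings.append((i, "applies to every resource (Resource '*')"))
    return findings

# PaiDlcOAuthPolicy exactly as given on this page.
PAI_DLC_OAUTH = {"Version": "1", "Statement": [{
    "Action": ["ram:GetDefaultDomain", "ram:ListApplications",
               "ram:CreateApplication", "ram:ListAppSecretIds",
               "ram:GetAppSecret", "ram:CreateAppSecret",
               "ram:DeleteApplication", "ram:DeleteAppSecret"],
    "Resource": ["*"], "Effect": "Allow"}]}

# Constructed sample: a full-access style grant on OSS.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

# Constructed sample: access limited to one bucket (placeholder name,
# assumed action list).
SCOPED = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
    "Resource": ["acs:oss:*:*:example-dlc-bucket",
                 "acs:oss:*:*:example-dlc-bucket/*"]}]}

if __name__ == "__main__":
    for name, doc in [("PaiDlcOAuthPolicy", PAI_DLC_OAUTH),
                      ("full access", FULL_ACCESS), ("scoped", SCOPED)]:
        print(name, audit_policy(doc) or "no broad grants")
```

The PaiDlcOAuthPolicy statement is reported because it names specific actions but applies them to every resource, which is worth knowing when you review what the DLC role can do.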
Grant PAI the permissions to access OSS and NAS
You can authorize PAI to access OSS and NAS with a few clicks by performing the following steps:
You cannot access DLC by using a RAM role. You can authorize DLC to access OSS only by using the following method.
Log on to the PAI console.
In the left-side navigation pane, choose . In the DLC section, find OSS and NAS.
View the authorization details of OSS in the Actions column.
If PAI is not authorized to access OSS, click Authorize Now in the Actions column and follow the on-screen instructions to authorize PAI.
Otherwise, click View Authorization in the Actions column to view the authorization details.
Check whether the AliyunPAIDLCDefaultRole role is assigned to DLC
To use DLC as expected, use your Alibaba Cloud account to assign the AliyunPAIDLCDefaultRole role to DLC. Perform the following steps:
Only Alibaba Cloud accounts can assign the role. RAM users cannot assign the role.
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the search box on the Roles page, search for AliyunPAIDLCDefaultRole.
If the role is displayed in the search result, the role is assigned to DLC.
Otherwise, you must assign the role to DLC. For more information, see Grant DLC permissions to an Alibaba Cloud account.
References
After you complete the authorization, you can create a DLC job to train the model. For more information, see Submit training jobs.