The first time you use Data Science Workshop (DSW) of Platform for AI (PAI), you must assign a service-linked role to DSW to allow DSW to access the required resources. If you use Object Storage Service (OSS) to store data, make sure that the service-linked role for DSW is granted the permissions to access OSS. This topic describes how to grant permissions to a DSW service-linked role.
Background information
If you want to use a Resource Access Management (RAM) user to manage DSW, you must grant permissions to the RAM user before you use DSW. In addition, PAI allows you to grant fine-grained permissions to RAM users to manage DSW instances by using workspaces. Before you use DSW, you must grant PAI the permissions to access storage services, such as OSS or File Storage NAS. For more information, see the following sections:
Authorize the operation account: This section describes the PAI modules and other cloud services on which DSW depends and the authorization operations.
Authorize the service-linked role: This section describes how to grant the RAM user the permissions to manage DSW resources and access OSS or NAS.
Authorize the operation account
DSW is an integrated development environment (IDE) in the cloud that provides interactive development environments for different levels of developers. You may need to activate and authorize the following cloud services when you use DSW for interactive modeling.
PAI module: DSW

Operation account: Alibaba Cloud account
Service: You can use an Alibaba Cloud account to perform operations on DSW. No additional authorization is required.
Reference: N/A

Operation account: RAM user (Recommended)
Service: PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions.
Dependent cloud service: File Storage NAS
PAI provides cloud disks with a specific capacity to store data persistently for DSW instances that are created by using the public resource group. If the DSW instance is stopped and not launched for over 15 days, the disk is cleared. Non-persistent on-premises storage is provided for DSW instances that are created by using dedicated resource groups. If you want to persist data, we recommend that you mount a NAS file system. In this case, you need to activate and authorize NAS for persistent data storage.

Scenario: Activate NAS
Description: We recommend that you use an Alibaba Cloud account to activate NAS. No additional authorization is required. If you want to activate NAS by using a RAM user, you must grant the AliyunNASFullAccess permissions to the RAM user.
Reference:
- Authorization: Perform access control based on RAM policies
- Common operations: Create a file system

Scenario: Use NAS
Description: Use NAS after activation:
- Authorization: NAS provides detailed RAM control policies. You can grant permissions to RAM users as needed.
- Common operations: You need to create a NAS file system and mount it to an instance of PAI.

Dependent cloud service: OSS
You need to activate and authorize OSS for data storage.

Scenario: Activate OSS
Description: We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.
Reference:
- Activation: Activate OSS
- Authorization: Overview of RAM policy
- Common operations: Create buckets

Scenario: Use OSS
Description: Use OSS after activation:
- Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.
- Common operations: You need to create a bucket to upload objects to OSS.

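The OSS section above contrasts the blanket AliyunOSSFullAccess grant with the fine-grained RAM policies OSS supports. As an added example (not part of the original documentation), the Python check below flags RAM policy statements that allow OSS wildcard actions or every bucket; both policy documents and the bucket name examplebucket are constructed samples, and the function names are hypothetical.

```python
# Added example: flag RAM policy statements that grant OSS more broadly
# than named actions on a named bucket. Both policies are constructed samples.

def _as_list(value):
    # RAM policy fields accept either a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _all_buckets(resource):
    # OSS resources look like acs:oss:<region>:<account-id>:<bucket>[/<object>].
    if resource == "*":
        return True
    parts = resource.split(":", 4)
    return len(parts) == 5 and parts[1] == "oss" and parts[4] == "*"

def overbroad_oss_statements(policy):
    """Return (statement index, reason) pairs for over-broad OSS Allow grants."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        oss_actions = [a for a in actions if a == "*" or a.startswith("oss:")]
        if not oss_actions:
            continue  # statement does not touch OSS
        if any(a in ("*", "oss:*") for a in oss_actions):
            findings.append((i, "wildcard action"))
        if any(_all_buckets(r) for r in _as_list(stmt.get("Resource", []))):
            findings.append((i, "all buckets"))
    return findings

# Constructed sample: every OSS action on every resource.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

# Constructed sample: read, write and list limited to the placeholder bucket.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
    }],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, overbroad_oss_statements(policy))
```
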
Authorize the service-linked role
Grant DSW permissions to an Alibaba Cloud account
Before you use DSW, make sure that the Alibaba Cloud account that you use has the permissions to manage DSW. In most cases, you are prompted to authorize the service-linked role when you activate PAI. For more information, see Activate PAI and create a default workspace. You can check whether the Alibaba Cloud account has the operation permissions on DSW. For more information, see the "Check whether the AliyunPAIDSWDefaultRole role is assigned to DSW" section of this topic. If the Alibaba Cloud account does not have the required permissions, perform the following steps to grant the required permissions to the account.
1. Go to the Interactive Modeling (DSW) page.
   a. Log on to the PAI console.
   b. On the Overview page, select a region in the top navigation bar.
   c. In the left-side navigation pane, click Workspaces. On the Workspaces page, click the name of the workspace that you want to manage.
   d. In the left-side navigation pane, choose .
2. Assign the AliyunPAIDSWDefaultRole role to the Alibaba Cloud account.
   a. Click Create Instance.
   b. In the Role Authorization dialog box, click OK.
   c. On the Cloud Resource Access Authorization page, click Agree to Authorization.
Service-linked roles are automatically assigned to DSW and displayed on the Cloud Resource Access Authorization page.
Grant PAI the permissions to access OSS and NAS
You can authorize PAI to access OSS and NAS with a few clicks by performing the following steps:
1. Log on to the PAI console.
2. In the left-side navigation pane, choose . On the page that appears, find OSS and NAS in the DSW section.
3. View the authorization details of OSS in the Actions column.
   - If PAI is not authorized to access OSS, click Authorize Now in the Actions column and follow the on-screen instructions to authorize PAI.
   - Otherwise, click View Authorization in the Actions column to view the authorization details.
If you do not grant OSS access permissions (AliyunPAIDLCAccessingOSSRole) to PAI, the following error may occur when you mount an OSS dataset:
Check whether the AliyunPAIDSWDefaultRole role is assigned to DSW
To use DSW as expected, use your Alibaba Cloud account to assign the AliyunPAIDSWDefaultRole role to DSW. Perform the following steps:
Note: Only Alibaba Cloud accounts can assign the role. RAM users cannot assign the role.
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, search for the AliyunPAIDSWDefaultRole role.
   - If the role is displayed in the search result, the role is assigned to DSW.
   - Otherwise, you must assign the role to DSW. For more information, see the "Authorize the service-linked role" section of this topic.
References
After you authorize DSW, you can create a DSW instance and use the development environment provided by DSW to develop and train AI models. For more information, see Create a DSW instance.