When you use Data Science Workshop (DSW) for the first time, you must grant its service-linked role permissions to access cloud resources. If you use Object Storage Service (OSS) for data storage, you must also grant the DSW service-linked role permissions to access OSS. This topic describes the required authorization operations for using DSW.
Background information
Before you use DSW, you must grant your account the general permissions to use DSW features. PAI also lets you use workspaces to implement fine-grained access control for Resource Access Management (RAM) users over DSW instance operations. When you use DSW, PAI performs storage operations on dependent services, such as OSS and NAS, in the background. Therefore, you must also grant PAI permissions to access OSS and NAS. For details about the authorization operations, see the following sections.
Authorize the operating account
Describes the products that DSW depends on and the required authorization operations.
Authorize the PAI service account
Grant an Alibaba Cloud account general operation permissions for DSW and access permissions for OSS or NAS.
Authorize the operating account
DSW is a cloud-based machine learning Integrated Development Environment (IDE). It provides an interactive programming environment for developers of all skill levels. When you use DSW for interactive modeling, you may need to use the following related cloud products. You must activate these products and grant the required permissions in advance.
PAI sub-product: DSW
Account type
Scenario
Link to guide
Root account
A root account can perform all DSW operations without extra authorization.
Not applicable
RAM user (Recommended)
PAI provides different member roles. You can add RAM users as workspace members with specific roles to grant them permissions on the corresponding sub-products. For more information about the permissions of each role, see Appendix: Roles and permissions.
Other dependent cloud products: OSS
DSW depends on OSS for data storage. Therefore, you must activate OSS and grant the required permissions.
Scenario
Description
Link to guide
Activate OSS
Use a root account to activate OSS. No extra authorization is required when you use a root account. To use a RAM user to activate OSS, grant the
AliyunOSSFullAccesspermission to the RAM user.Activation: Quick Start
Grant permissions to a RAM user: RAM Policy
Common operations: Quick Start
Use OSS
When you use OSS:
Authorization: OSS provides detailed RAM control policies. Grant permissions to RAM users as needed.
Common operations: Create a bucket to upload files to OSS.
Authorize the PAI service account
Grant general DSW permissions to an Alibaba Cloud account (root account)
To ensure that DSW works properly, you must confirm that the current Alibaba Cloud account has general permissions for DSW. This authorization is usually completed when you activate PAI and create a default workspace. You can check whether the current account has general DSW permissions by following the instructions in Reference: Check whether the AliyunPAIDSWDefaultRole role is associated with the account. If not, follow the steps below to grant the permissions.
Go to the DSW page.
Log on to the PAI console.
On the Overview page, select the destination region.
In the navigation pane on the left, click Workspaces. On the Workspaces page, click the name of the workspace that you want to manage to go to the workspace page.
In the navigation pane on the left of the workspace page, choose to go to the DSW page.
Grant the AliyunPAIDSWDefaultRole role.
Click Create Instance.
In the Grant Permissions dialog box, click Authorize Now.
On the Cloud Resource Access Authorization page, click Agree to Authorization.
On the Cloud Resource Access Authorization page, the system automatically configures the service-linked role required by DSW. No manual configuration is required.
Grant PAI permissions to access cloud products: OSS and NAS
PAI provides a one-click authorization method to grant PAI access to cloud products such as OSS and NAS. The procedure is as follows:
Log on to the PAI console.
In the navigation pane on the left, choose . In the DSW section, find OSS and NAS.
In the Actions column, check the authorization status of OSS.
If the service is not authorized, click One-click Authorization in the Actions column and follow the on-screen instructions to complete the authorization.
If the service is already authorized, you can click View Authorization Information in the Actions column to view the details.
If you do not grant the role the permissions to access OSS (AliyunPAIDLCAccessingOSSRole), an error may occur when you try to mount an OSS dataset:
Reference: Check whether the AliyunPAIDSWDefaultRole role is associated with the account
To ensure that DSW works properly, you must confirm that your Alibaba Cloud account has the AliyunPAIDSWDefaultRole service role. Perform the following steps to check.
Only a root account can grant this authorization. RAM users cannot grant the authorization.
Log on to the RAM console.
In the left navigation pane, click Identity Management > Role.
On the Roles page, enter AliyunPAIDSWDefaultRole in the search box and search for the role.
If the role is found, the DSW service role is already authorized.
If the role is not found, you must perform the authorization. For more information, see Grant general DSW permissions to an Alibaba Cloud account (root account).
References
After you complete the authorization process, you can create a DSW instance and use the development environment provided by DSW to develop and train artificial intelligence models. For more information, see Create a DSW instance.