If you want to access Elastic Algorithm Service (EAS) of Platform for AI (PAI) as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user by using your Alibaba Cloud account. This topic describes how to grant permissions to a RAM user to access EAS.
Background information
You can grant permissions to a RAM user to access EAS by using one of the following methods:
Grant a RAM user full permissions on EAS
Use the AliyunPAIEASFullAccess system policy that provides full permissions on EAS. After you attach the policy to the RAM user, the RAM user can use all features of EAS.
Grant a RAM user read-only permissions on EAS
Use the AliyunPAIEASReadOnlyAccess system policy that provides read-only permissions on EAS. After you attach the policy to the RAM user, the RAM user can query and view model services that are deployed in EAS.
If the preceding methods do not meet your requirements, you can create a custom policy to grant permissions to the RAM user in a fine-grained manner. For example, you can create a custom policy to grant permissions to the RAM user to query and modify model services or dedicated resource groups in EAS.
Grant a RAM user full permissions on EAS
This section describes how to grant permissions to a RAM user to use all features of EAS.
Log on to the RAM console.
Grant a RAM user full permissions on EAS. For more information, see Grant permissions to a RAM user.
Take note of the following parameters:
Resource Scope: Set this parameter to Account.
Policy: Select system policy AliyunPAIEASFullAccess.
Note: Object Storage Service (OSS) permissions are related to data security, and the AliyunPAIEASFullAccess policy does not include them. If the RAM user also needs to read or write objects in OSS, grant OSS permissions separately and scope them to the buckets and paths that the user needs. For more information, see RAM Policy Editor.
Grant a RAM user read-only permissions on EAS
This section describes how to grant permissions to a RAM user to query and view model services that are deployed in EAS.
Log on to the RAM console.
Grant the RAM user read-only permissions on EAS. For more information, see Grant permissions to a RAM user.
Take note of the following parameters:
Resource Scope: Set this parameter to Account.
Policy: Select system policy AliyunPAIEASReadOnlyAccess.
Create a custom policy
This section describes how to grant permissions to a RAM user to query and modify model services or dedicated resource groups in EAS by creating a custom policy.
Log on to the RAM console.
Create a custom policy. For more information, see Create a custom policy on the JSON tab.
Important: When you write the policy document, follow the principle of least privilege: allow only the actions that the RAM user needs, on only the resources that the user needs.
The following sample policy document allows the RAM user to create services in the account and restricts the query, delete, update and version-switch actions to two named model services. Replace the two Resource values with the ARNs of your own services, following the format described in the Policy description section of this topic:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eas:CreateInstance",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eas:DescribeService",
        "eas:DeleteService",
        "eas:UpdateService",
        "eas:UpdateServiceVersion"
      ],
      "Resource": [
        "acs:eas:<region>:<uid>:service/eas-m-xxx1",
        "acs:eas:<region>:<uid>:service/eas-m-xxx2"
      ]
    }
  ]
}
A policy document must be valid JSON: it cannot contain comments, and the last element of an object or array must not be followed by a comma. For information about the configurations of the Action and Resource elements, see the Policy description section of this topic.
Attach the policy to the RAM user. For more information, see Grant permissions to a RAM user.
Take note of the following parameters:
Resource Scope: Set this parameter to Account.
Policy: Select the custom policy that you created in the previous step.
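The following script, added here as an illustration and not part of the original page or of any Alibaba Cloud tool, shows how to generate a custom policy like the one above and lint it for least-privilege problems before you paste it into the RAM console. The helper names build_eas_policy and lint_policy, the sample region, UID and service IDs, and the rule that only Create* actions may legitimately use a broad Resource are assumptions made for this example.

```python
import json
import re

# Shape of an EAS resource ARN as documented on this page:
#   acs:eas:<region>:<uid>:<resource_type>/<id>
# "*" is accepted in the region and UID fields and as the whole path, and the
# dedicated-resource-group form resource/<rg-id>/service/<svc-id> is a path.
EAS_ARN = re.compile(
    r"^acs:eas:(?P<region>\*|[a-z0-9-]+):(?P<uid>\*|\d+):(?P<path>\*|(service|resource)/.+)$"
)

# Paths that cover every service or every resource group in the account.
BROAD_PATHS = {"*", "service/*", "resource/*"}
READ_PREFIXES = ("eas:Describe", "eas:List")


def build_eas_policy(region, uid, service_ids, actions):
    """Build a RAM policy document that allows `actions` only on the listed
    model services in public resource groups (hypothetical helper)."""
    resources = [f"acs:eas:{region}:{uid}:service/{sid}" for sid in service_ids]
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resources}
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return least-privilege findings for an EAS policy document.
    An empty list means the policy passed every check implemented here."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for act in actions:
            if not act.startswith("eas:"):
                findings.append(f"statement {i}: action {act} is not an EAS action")
        broad = []
        for res in resources:
            if res == "*":
                broad.append(res)
                continue
            m = EAS_ARN.match(res)
            if m is None:
                findings.append(f"statement {i}: resource {res} is not a valid EAS ARN")
            elif m.group("path") in BROAD_PATHS:
                broad.append(res)
        if stmt.get("Effect") != "Allow" or not broad:
            continue
        for act in actions:
            # Create* actions target an object that does not exist yet, so a
            # broad Resource is expected for them (the page's sample does this).
            # Read actions on a broad Resource widen visibility but cannot modify
            # anything, so only the remaining write actions are reported.
            if act.startswith(READ_PREFIXES) or act.startswith("eas:Create"):
                continue
            findings.append(
                f"statement {i}: write action {act} is allowed on broad resource(s) {broad}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace them with your own region, UID and IDs.
    scoped = build_eas_policy(
        "cn-hangzhou", "123456789012", ["eas-m-demo1", "eas-m-demo2"],
        ["eas:DescribeService", "eas:UpdateService", "eas:UpdateServiceVersion"],
    )
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", lint_policy(scoped))
    too_broad = {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["eas:DeleteService"], "Resource": "acs:eas:*:123456789012:*"}
    ]}
    print("broad findings:", lint_policy(too_broad))
```

Run the script to print the generated document and the findings for it; the second, deliberately broad document is reported because it lets the user delete every service in the account across all regions.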
Policy description
Each policy contains the Action and Resource elements. The Action element specifies the operation that is allowed or denied, and the Resource element specifies the EAS resource (model service or dedicated resource group) on which the operation may be performed. The following tables list the valid values for the Action and Resource elements.
Action
The following list groups the EAS actions by category. Each entry gives the action name followed by what the action permits.

Service-related actions
eas:CreateService: Creates model services.
eas:ListServices: Lists model services.
eas:DescribeService: Views the details of model services.
eas:DeleteService: Deletes model services.
eas:DeleteServiceLabel: Deletes tags of model services.
eas:ListServiceInstances: Views information about EAS instances.
eas:DeleteServiceInstances: Deletes service instances, which causes them to be restarted.
eas:UpdateService: Updates model services or adds versions.
eas:UpdateServiceVersion: Switches between versions of model services.
eas:StartService: Starts model services.
eas:StopService: Stops model services.
eas:UpdateServiceLabel: Updates tags of model services.
eas:RestartService: Restarts model services.
eas:CreateServiceAutoScaler: Enables auto scaling for model services.
eas:CreateServiceCronScaler: Enables scheduled auto scaling for model services.
eas:DeleteServiceAutoScaler: Disables auto scaling for model services.
eas:DeleteServiceCronScaler: Disables scheduled auto scaling for model services.
eas:DescribeServiceAutoScaler: Views the auto scaling status of model services.
eas:DescribeServiceCronScaler: Views information about scheduled auto scaling for model services.
eas:UpdateServiceAutoScaler: Updates auto scaling configurations of model services.
eas:UpdateServiceCronScaler: Updates scheduled auto scaling configurations of model services.
eas:CreateAppService: Creates an application service.
eas:UpdateServiceSafetyLock: Updates the service security lock.
eas:UpdateServiceInstance: Updates the attributes of service instances.
eas:UpdateAppService: Updates an application service.
eas:DescribeServiceDiagnosis: Views diagnostic details of services.
eas:DescribeServiceInstanceDiagnosis: Views diagnostic details of service instances.
eas:DescribeServiceEvent: Views model service deployment events.
eas:DescribeGroup: Views service group details.
eas:ListServiceVersions: Views the historical versions of a service.
eas:ListServiceContainers: Views the container list of a service.
eas:ListGroups: Views the list of service groups.
eas:CreateServiceMirror: Creates traffic mirroring sessions.
eas:DescribeServiceMirror: Views the status of traffic mirroring sessions.
eas:UpdateServiceMirror: Updates the configuration of traffic mirroring sessions.
eas:DeleteServiceMirror: Closes traffic mirroring sessions.
eas:ReleaseService: Specifies the traffic ratio for blue-green deployment.
eas:DescribeServiceLog: Views logs of model services.

Resource group-related actions
eas:CreateResource: Creates dedicated resource groups.
eas:DescribeResource: Views basic information about dedicated resource groups.
eas:ListResources: Lists dedicated resource groups.
eas:DeleteResource: Deletes dedicated resource groups.
eas:UpdateResource: Updates basic information about dedicated resource groups.
eas:ListResourceInstances: Views instances of dedicated resource groups.
eas:ListResourceInstanceWorker: Views containers hosted on instances of dedicated resource groups.
eas:ListResourceServices: Views model services deployed in dedicated resource groups.
eas:CreateResourceInstances: Adds instances to dedicated resource groups.
eas:UpdateResourceInstance: Updates instances in a dedicated resource group.
eas:DeleteResourceInstances: Removes instances from dedicated resource groups.
eas:UpdateResourceDLink: Updates the status of Virtual Private Cloud (VPC) direct connection for dedicated resource groups.
eas:DescribeResourceDLink: Views the status of VPC direct connection of dedicated resource groups.
eas:DeleteResourceDLink: Deletes VPC direct connection configurations of dedicated resource groups.
eas:CreateResourceLog: Enables the log shipper for dedicated resource groups.
eas:DescribeResourceLog: Views the status of the log shipper for dedicated resource groups.
eas:DeleteResourceLog: Disables the log shipper for dedicated resource groups.

Stress testing-related actions
eas:CreateBenchmarkTask: Creates a stress testing task.
eas:DeleteBenchmarkTask: Deletes a stress testing task.
eas:DescribeBenchmarkTask: Views the details of a stress testing task.
eas:DescribeBenchmarkTaskReport: Views the report of a stress testing task.
eas:ListBenchmarkTask: Views the list of stress testing tasks.
eas:StartBenchmarkTask: Starts a stress testing task.
eas:StopBenchmarkTask: Stops a stress testing task.
eas:UpdateBenchmarkTask: Updates a stress testing task.

Private gateway-related actions
eas:CreateGateway: Creates a private gateway.
eas:DescribeGateway: Views the details of a private gateway.
eas:UpdateGateway: Updates a private gateway.
eas:CreateGatewayIntranetLinkedVpc: Creates an internal endpoint of a private gateway.
eas:ListGatewayIntranetLinkedVpc: Views internal endpoints of a private gateway.
eas:DeleteGatewayIntranetLinkedVpc: Deletes an internal endpoint of a private gateway.
eas:DeleteGateway: Deletes a private gateway.
Resource
The Resource element in EAS is in the following format:
acs:eas:<region>:<uid>:<resource_type>/<id>
Replace the following parameters with actual values:
<region>: the region in which the model service or dedicated resource group is deployed.
<uid>: the UID of the Alibaba Cloud account that owns the resource.
<resource_type>: the resource type. Set the value to service for resources related to model services, or to resource for resources related to dedicated resource groups.
<id>: the ID or name of the model service or dedicated resource group.
A model service that is deployed in a dedicated resource group is addressed through that group, in the form acs:eas:<region>:<uid>:resource/<resource_group_id>/service/<service_id>.
The following examples show the values of the Resource element in the following scenarios: managing model services deployed in public resource groups, managing model services deployed in dedicated resource groups, and managing dedicated resource groups.
Manage model services that are deployed in EAS
Manage a model service that is deployed in a public resource group
acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****
The value of Resource specifies the model service eas-m-u12fxt9ml1syoj**** that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.
acs:eas:cn-hangzhou:123456789012****:service/your_service_name
The value of Resource specifies the model service your_service_name that is deployed in a public resource group. The model service is deployed in the China (Hangzhou) region and belongs to the account named 123456789012****.
Manage a model service that is deployed in a dedicated resource group
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/eas-m-iaskn1skn1us****
The value of Resource specifies the model service eas-m-iaskn1skn1us**** that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.
acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service
The value of Resource specifies the model service your_private_service that is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The model service is deployed in the China (Shanghai) region and belongs to the account named 123456789012****.
Manage a dedicated resource group
acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****
The value of Resource specifies the dedicated resource group eas-r-jksauxqjsai8****. The dedicated resource group is deployed in the China (Beijing) region and belongs to the account named 123456789012****.
Use a wildcard character
You can use the asterisk (*) wildcard character in Resource to specify more than one resource.
The following examples show the values of Resource when wildcard characters are used:
acs:eas:*:123456789012****:service/*
The value of Resource specifies model services that belong to the account named 123456789012**** and are deployed in public resource groups across all regions.
acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*
The value of Resource specifies all model services that belong to the account named 123456789012**** and are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region.
acs:eas:*:123456789012****:*
The value of Resource specifies all resource groups and model services that belong to the account named 123456789012**** in all regions.
acs:eas:*:123456789012****:service/prefix*
The value of Resource specifies all model services that belong to the account named 123456789012****, are deployed in public resource groups in any region, and have an ID or name that starts with prefix.
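To see what a wildcard Resource actually covers before you attach the policy, the following script, added here as an example and not part of the original page or of any Alibaba Cloud tool, evaluates the four wildcard patterns above against a constructed inventory of ARNs. The inventory, the UID 123456789012, the helper names arn_matches, covered and blast_radius, and the matching model (only "*" is a wildcard, and it matches any run of characters including ":" and "/") are assumptions of this example, not a statement of how RAM evaluates policies internally.

```python
import re

# Constructed sample inventory: EAS ARNs in one account (UID 123456789012)
# plus one ARN from another account to show that the UID field is a boundary.
UID = "123456789012"
INVENTORY = [
    f"acs:eas:cn-hangzhou:{UID}:service/eas-m-pub1",
    f"acs:eas:cn-hangzhou:{UID}:service/prefix-pub2",
    f"acs:eas:cn-shanghai:{UID}:service/prefix-pub3",
    f"acs:eas:cn-hangzhou:{UID}:resource/eas-r-rg1",
    f"acs:eas:cn-hangzhou:{UID}:resource/eas-r-rg1/service/eas-m-ded1",
    f"acs:eas:cn-shanghai:{UID}:resource/eas-r-rg1/service/eas-m-ded2",
    "acs:eas:cn-hangzhou:999999999999:service/eas-m-other",
]


def arn_matches(pattern, arn):
    """Return True if `arn` is covered by the Resource `pattern`.

    Assumption: only "*" is a wildcard and it matches any run of characters,
    including ":" and "/" (a simplified model of RAM's matching). Every other
    character must match literally, so the pattern pieces are escaped."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def covered(pattern, arns=INVENTORY):
    """ARNs from `arns` that the pattern grants access to, in input order."""
    return [arn for arn in arns if arn_matches(pattern, arn)]


def blast_radius(patterns, arns=INVENTORY):
    """Map each pattern to the number of inventory ARNs it covers, so an
    overly broad Resource stands out during policy review."""
    return {pattern: len(covered(pattern, arns)) for pattern in patterns}


if __name__ == "__main__":
    # The four wildcard forms from the page, with the sample UID substituted.
    page_patterns = [
        f"acs:eas:*:{UID}:service/*",
        f"acs:eas:cn-hangzhou:{UID}:resource/eas-r-rg1/*",
        f"acs:eas:*:{UID}:*",
        f"acs:eas:*:{UID}:service/prefix*",
    ]
    for pattern in page_patterns:
        print(pattern)
        for arn in covered(pattern):
            print("   ", arn)
    print(blast_radius(page_patterns))
```

Running the script shows that service/* reaches only services in public resource groups (the dedicated-group services live under resource/...), that resource/<rg>/* stays inside one group in one region, that :* covers every service and resource group in the account, and that the other account's ARN is never matched because the UID field is spelled out.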