You may have insufficient permissions when you use Function AI. To use all product features, you need to complete the authorization operations described in this topic.
What permissions are required for a RAM user to use the Function AI platform?
Why do I need to add various types of permissions for a RAM user when using Function AI?
How do I grant fine-grained permissions to different RAM users?
What roles need to be configured to deploy services on the Function AI platform?
What roles need to be configured for the Function AI platform to run related services?
What permissions are required for a RAM user to use the Function AI platform?
You can configure permissions for a Resource Access Management (RAM) user to use Function AI based on your requirements. You can select a system policy, create a custom policy, or configure a resource-level access policy. For more information, see Grant permissions to a RAM user to use Function AI.
Why do I need to add various types of permissions for a RAM user when using Function AI?
Function AI integrates and orchestrates multiple Alibaba Cloud services, such as Function Compute (FC), CloudFlow, and ApsaraDB RDS (RDS). Its configurations are associated with other services, such as VPC, Object Storage Service (OSS), and NAS. You must also grant read permissions on RAM to check whether the roles and access policies are complete at each stage.
Therefore, when you create a service in the console, you must configure the required permissions for the RAM user. This ensures that the service is configured and runs correctly.
How do I grant fine-grained permissions to different RAM users?
Function AI provides resource-level authorization policies at the project granularity. This lets you grant a RAM user access to project resources with specific names. For more information, see Resource-level access policy.
What roles need to be configured to deploy services on the Function AI platform?
To deploy services on the Function AI platform, you must create the AliyunDevsCustomRole and AliyunDevsDefaultRole roles. These roles are trusted by Function AI. For more information about these two roles, see the Quickly grant permissions to create RAM roles document.
AliyunDevsCustomRole: This is the default role used for service deployment. Function AI assumes this role to deploy the cloud resources in your project. The access policy for this role varies based on the service type.
AliyunDevsDefaultRole: This role is used for platform features that depend on other Alibaba Cloud services. These features involve managing your FC, OSS, and NAS resources.
When you first access the Function AI console, the platform guides you to automatically create these two roles. When you deploy a service, the platform also checks the access policy of AliyunDevsCustomRole. If any permissions are missing, a dialog box appears and prompts you to grant them to ensure a smooth deployment.
What roles need to be configured for the Function AI platform to run related services?
When you deploy a Function AI service, you must configure specific roles. For more information, see What roles need to be configured to deploy services on the Function AI platform? During service runtime, the corresponding role permissions are also required to ensure proper access to downstream Alibaba Cloud services.
The following examples provide details:
When you create a project from the SpringBoot template, you must specify a service role trusted by FC. The web service uses this role to access other Alibaba Cloud services during runtime.
When you create a flow service and run AI Studio, you must create the AliyunFnFExecutionRole role. This role is trusted by CloudFlow and is used to test and run your workflow. When you create a flow in AI Studio and click Save and Deploy, a dialog box appears and guides you to complete the role authorization.
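Each role above is trusted by exactly one service, so after authorization it is worth confirming that no other principal can assume it. The following check is an added example, not part of the Function AI documentation or tooling; the service principal names (`devs.aliyuncs.com`, `fnf.aliyuncs.com`, `fc.aliyuncs.com`) and the sample trust policies are assumptions to verify against your own account.

```python
import json

# Assumed service principals: the page names the trusting services, not these
# identifiers. Confirm them against the roles in your own account.
EXPECTED_TRUST = {
    "AliyunDevsCustomRole": "devs.aliyuncs.com",    # Function AI (assumed)
    "AliyunDevsDefaultRole": "devs.aliyuncs.com",   # Function AI (assumed)
    "AliyunFnFExecutionRole": "fnf.aliyuncs.com",   # CloudFlow (assumed)
}

def as_list(value):
    """RAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust(role_name, policy_json, expected=EXPECTED_TRUST):
    """Return findings; an empty list means only the expected service is trusted."""
    want = expected.get(role_name)
    if want is None:
        return [f"{role_name}: no expected principal configured"]
    findings, trusted = [], False
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"{role_name}: non-specific principal {principal!r}")
            continue
        for kind, values in principal.items():
            for name in as_list(values):
                if kind == "Service" and name == want:
                    trusted = True
                else:
                    findings.append(f"{role_name}: unexpected {kind} principal {name}")
    if not trusted:
        findings.append(f"{role_name}: {want} is not trusted")
    return findings

# Constructed trust policies (not exported from a real account).
GOOD = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
    "Effect": "Allow", "Principal": {"Service": ["devs.aliyuncs.com"]}}]})
BAD = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
    "Effect": "Allow", "Principal": {"Service": ["fc.aliyuncs.com"],
                                     "RAM": ["acs:ram::1234567890123456:root"]}}]})

if __name__ == "__main__":
    print(audit_trust("AliyunDevsCustomRole", GOOD))
    for finding in audit_trust("AliyunFnFExecutionRole", BAD):
        print(finding)
```

The service role you specify for the SpringBoot template has no fixed name, so pass your own mapping as `expected` to audit it the same way.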
Role configuration
When you create and deploy services using Function AI, the system automatically detects missing roles or access policies. A dialog box appears to guide you through one-click authorization.