This topic describes how to grant a Resource Access Management (RAM) user permissions to use FunModel.
Prerequisites
You have created a RAM user.
Background information
There are two ways to grant a RAM user permissions to use FunModel.
System policy: Provides broad permissions. You cannot modify the content of a system policy, but the configuration is simple.
Custom policy: Allows you to create policies for RAM users to simplify configuration. You can also modify the content of custom policies to implement fine-grained access control. The configuration is more complex than that of a system policy.
System policy
Log on to the Resource Access Management (RAM) console as an Alibaba Cloud account or a RAM administrator.
Grant the RAM user the permissions in the following list. For more information, see Manage RAM user permissions.
Permission policy
Description
Policy required for FunModel to deploy model services.
Permission to manage Function Compute (FC) services.
Permission to manage the FunctionAI developer platform.
Read-only permission to access Object Storage Service (OSS).
Read-only permission to access Simple Log Service.
Read-only permission to access Cloud Monitor.
Read-only permission to access Network Attached Storage (NAS).
Read-only permission to access Virtual Private Cloud (VPC).
Read-only permission to access Resource Access Management (RAM).
Custom policy
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
Create a custom policy to grant the RAM user read and write permissions for FunModel.
On the Script Editor tab, replace the existing content in the configuration box with the following script. For more information, see Create a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "ram:GenerateCredentialReport"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "devs:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "devs.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "fc:*",
      "Resource": "*"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "fc.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Query*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:Get*",
        "oss:List*",
        "oss:PutBucket",
        "oss:PutBucketCors"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cms:Get*",
        "cms:List*",
        "cms:Query*",
        "cms:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "vpc:DescribeVpc*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "nas:Describe*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:DescribeSecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:CreateVpc",
        "vpc:CreateVSwitch",
        "vpc:ModifyVpcAttribute",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:CreateFileSystem",
        "nas:DeleteFileSystem",
        "nas:DescribeFileSystems",
        "nas:ModifyFileSystem",
        "nas:DeleteMountTarget",
        "nas:ModifyMountTarget",
        "nas:DescribeMountTargets"
      ],
      "Resource": "acs:nas:*:*:filesystem/*"
    },
    {
      "Effect": "Allow",
      "Action": "nas:CreateMountTarget",
      "Resource": [
        "acs:nas:*:*:filesystem/*",
        "acs:vpc:*:*:vswitch/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "agentrun:Get*",
        "agentrun:List*"
      ],
      "Resource": "*"
    }
  ]
}
Attach the custom policy that you created in the previous step to the RAM user. For more information, see Manage RAM user permissions.
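To see which statements of the custom policy above are broadest, the following Python script is an added example, not part of the original documentation or of any Alibaba Cloud tool. It flags Allow statements that grant a whole service (such as devs:* and fc:*), reports each ram:PassRole grant together with its acs:Service condition, and flags non-read actions on Resource "*". The embedded policy is an excerpt of four statements from the script above; the review function and the list of read-only verb prefixes are assumptions of this example.

```python
import json

# Excerpt (four statements) of the custom policy above, embedded so the script runs offline.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "devs:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"acs:Service": "fc.aliyuncs.com"}}},
  {"Action": ["log:Get*", "log:List*", "log:Query*"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["nas:CreateFileSystem", "nas:DeleteFileSystem"],
   "Resource": "acs:nas:*:*:filesystem/*", "Effect": "Allow"}
]}
""")

# Assumption of this example: actions starting with these verbs are read-only.
READ_PREFIXES = ("Get", "List", "Describe", "Query")


def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def review(policy):
    """Return (statement index, finding) pairs for Allow statements worth a manual look."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        for action in as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if verb == "*":
                findings.append((i, f"full access to service '{service}'"))
            elif action == "ram:PassRole":
                svc = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
                if not svc:
                    findings.append((i, "ram:PassRole with no acs:Service condition"))
                elif "*" in resources:
                    findings.append((i, f"ram:PassRole on any role, limited to {svc}"))
            elif "*" in resources and not verb.startswith(READ_PREFIXES):
                findings.append((i, f"write action {action} on all resources"))
    return findings


if __name__ == "__main__":
    for index, finding in review(POLICY):
        print(f"Statement {index}: {finding}")
```

To review the full policy, save the script from the Script Editor to a file and pass the parsed JSON to review() in place of the excerpt.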