Grant permissions


Before using LangStudio, assign service roles to access required resources and activate dependent cloud services. This topic describes LangStudio dependencies and required permissions.

Overview

LangStudio depends on multiple Alibaba Cloud services for LLM application development: OSS stores files, Simple Log Service and Managed Service for OpenTelemetry enable debugging, and EAS deploys application flows. Grant permissions to operation accounts and Alibaba Cloud accounts before using LangStudio.

Two authorization paths:

Grant permissions to operation account

Grant operation accounts permissions to access the following dependent cloud services:

  • LangStudio

    | Account type | Description | Procedure |
    | --- | --- | --- |
    | Alibaba Cloud account | No additional authorization required. | N/A |
    | RAM user (Recommended) | Assign member roles to RAM users for workspace management. For role permissions, see List of Roles and Permissions - LangStudio. | Manage workspace members |

  • OSS: Stores code, configuration files, development logs, and service snapshots

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate OSS | Use an Alibaba Cloud account (recommended) or attach the AliyunOSSFullAccess policy to a RAM user. | |
    | Use OSS | Grant fine-grained permissions to RAM users and create buckets for object storage. | |

  • Managed Service for OpenTelemetry: Provides trace analysis for LLM application development and deployment

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate service | Use an Alibaba Cloud account (recommended) or attach the AliyunARMSFullAccess policy to a RAM user. | |
    | Use service | View trace analysis logs in the LangStudio console or Managed Service for OpenTelemetry console. | |

  • Simple Log Service: Stores log data from Managed Service for OpenTelemetry (indirect dependency)

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate service | Use an Alibaba Cloud account (recommended) or attach the AliyunLogFullAccess policy to a RAM user. | |

  • VPC: Provides VPC configuration for EAS service deployment

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate VPC | Use an Alibaba Cloud account (recommended) or attach the AliyunVPCFullAccess policy to a RAM user. | |

  • PAI: Provides access to PAI workspaces and modules

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate PAI | Use an Alibaba Cloud account (recommended) or attach the AliyunPAIFullAccess policy to a RAM user. | |

  • DataWorks: Enables scheduled updates for knowledge bases

    | Task | Description | Procedure |
    | --- | --- | --- |
    | Activate DataWorks | Use an Alibaba Cloud account (recommended) or attach the AliyunDataWorksFullAccess policy to a RAM user. | |

Grant permissions to Alibaba Cloud account

Assign service roles for LangStudio access

Assign service roles to your Alibaba Cloud account when activating LangStudio for the first time:

  1. Log on to the PAI console. In the right pane, select the workspace and click Enter LangStudio.

  2. Grant cloud service access permissions:

    1. Click Authorize.

    2. On the Quick Authorization page, click Confirm Authorization and complete security verification.

      The system assigns required service roles automatically.

  3. Before using LangStudio, click Activate For Free to activate OSS, Simple Log Service, and Managed Service for OpenTelemetry.

Reference 1: Modify authorization policy for LangStudio service role

Important

Make sure you are familiar with RAM policies before modifying the role's policy. Incorrect changes can make LangStudio unavailable.

Customize the permission policy for the AliyunPAILangStudioDefaultRole role in the RAM console for fine-grained access control. The following example modifies the OSS access policy to grant more precise bucket permissions:

  1. View the default policy of AliyunPAILangStudioDefaultRole:

    1. Log on to the RAM console. In the navigation pane, choose Identities > Roles.

    2. On the Roles page, search for AliyunPAILangStudioDefaultRole and click the role name.

    3. On the Permissions tab, click the policy name to view and copy the default policy content:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "eas:CreateService",
              "eas:ListServices",
              "eas:DescribeService",
              "eas:DeleteService",
              "eas:UpdateService",
              "eas:StartService",
              "eas:StopService"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:GetObject",
              "oss:PutObject",
              "oss:DeleteObject",
              "oss:ListObjects"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "paillmtrace:GetXtraceToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "paidlc:CreateJob",
              "paidlc:DeleteJob",
              "paidlc:StopJob",
              "paidlc:GetJob",
              "paidlc:UpdateJob",
              "paidlc:ListJobs"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "paidsw:CreateInstance",
              "paidsw:DeleteInstance",
              "paidsw:UpdateInstance",
              "paidsw:StartInstance",
              "paidsw:StopInstance",
              "paidsw:GetInstance",
              "paidsw:ListInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "pai:AssumeUser",
            "Resource": "acs:pai:*:*:users/*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "eas.pai.aliyuncs.com"
              }
            }
          },
          {
            "Action": [
              "dataworks:CreateWorkflowDefinition",
              "dataworks:UpdateWorkflowDefinition",
              "dataworks:GetWorkflowDefinition",
              "dataworks:ListWorkflowDefinitions",
              "dataworks:DeleteWorkflowDefinition",
              "dataworks:CreateDeployment",
              "dataworks:GetDeployment",
              "dataworks:ExecDeploymentStage",
              "dataworks:GetJobStatus",
              "dataworks:ImportWorkflowDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "paiflow:CreatePipelineRun",
              "paiflow:GetPipelineRun",
              "paiflow:DeletePipelineRun",
              "paidataset:CreateDataset",
              "paidataset:GetDataset",
              "paidataset:UpdateDataset",
              "paidataset:ListDatasets",
              "paidataset:DeleteDataset",
              "paidataset:CreateDatasetVersion",
              "paidataset:GetDatasetVersion",
              "paidataset:UpdateDatasetVersion",
              "paidataset:DeleteDatasetVersion",
              "paidataset:ListDatasetVersions"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

  2. Create a custom policy using the script editor. Follow these instructions:

    • Modify the default policy content. For example, update the OSS authorization policy to specify accessible OSS buckets using the Condition element in RAM. Sample (remove all comments before use; JSON does not allow them):

      {
          "Version": "1",
          "Statement": [
              //Do not modify the permissions on other services.
      
              //Add a tag to configure access permissions on OSS buckets.
              {
                  "Action": [
                      "oss:GetObject",
                      "oss:PutObject",
                      "oss:DeleteObject",
                      "oss:ListObjects"
                  ],
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "oss:BucketTag/Product": "PaiLangStudio"
                      }
                  }
              }
          ]
      }

      Note

      Add tags to buckets that LangStudio can access. Example: Key:Product, Value:PaiLangStudio. For more information, see Manage bucket tags.

    • Set the policy name to CustomAliyunPAILangStudioDefaultRolePolicy.

  3. Attach CustomAliyunPAILangStudioDefaultRolePolicy to AliyunPAILangStudioDefaultRole and detach AliyunPAILangStudioDefaultRolePolicy. For more information, see Grant permissions to a RAM role and Revoke permissions from a RAM role.

    LangStudio accesses your resources based on the modified policy after the update.
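
The policy edit from step 2, as an added example rather than Alibaba Cloud's own tooling: the script adds the page's bucket-tag Condition to the OSS statement, leaves the other services' statements untouched, and lists the statements that still pair Resource "*" with no Condition. DEFAULT_POLICY is a constructed excerpt of the default policy shown in step 1, and the function names are hypothetical.

```python
import copy
import json

# Constructed excerpt of the default policy from step 1 (three of its statements).
DEFAULT_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["eas:CreateService", "eas:ListServices"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["oss:GetObject", "oss:PutObject",
                    "oss:DeleteObject", "oss:ListObjects"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "pai:AssumeUser",
         "Resource": "acs:pai:*:*:users/*", "Effect": "Allow"},
    ],
}

def actions(stmt):
    """Return the statement's actions as a list (Action may be a bare string)."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def scope_oss_to_tagged_buckets(policy, tag_key="Product", tag_value="PaiLangStudio"):
    """Copy the policy and add the bucket-tag Condition to every OSS-only
    Allow statement; statements for other services are left as they are."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        acts = actions(stmt)
        if stmt.get("Effect") == "Allow" and acts and all(a.startswith("oss:") for a in acts):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})[f"oss:BucketTag/{tag_key}"] = tag_value
    return out

def wildcard_without_condition(policy):
    """Service prefixes of Allow statements that still combine Resource "*"
    with no Condition, listed for manual review."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*" and "Condition" not in stmt:
            found.append(sorted({a.split(":", 1)[0] for a in actions(stmt)}))
    return found

if __name__ == "__main__":
    custom = scope_oss_to_tagged_buckets(DEFAULT_POLICY)
    print(json.dumps(custom, indent=2))  # comment-free JSON for the script editor
    print("still unscoped:", wildcard_without_condition(custom))
```
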

Reference 2: Check AliyunPAILangStudioDefaultRole assignment status

Verify whether the AliyunPAILangStudioDefaultRole service role is assigned to your Alibaba Cloud account:

Note

Only Alibaba Cloud accounts can assign this role. RAM users cannot assign the role.

  1. Log on to the RAM console. In the navigation pane, choose Identities > Roles.

  2. On the Roles page, search for AliyunPAILangStudioDefaultRole.