Platform For AI: Grant permissions to use EAS

Last Updated: Aug 09, 2025

If a Resource Access Management (RAM) user needs to use Elastic Algorithm Service (EAS), the parent Alibaba Cloud account must grant the required permissions to the RAM user. This topic describes how to grant these permissions.

Background information

EAS provides the following three authorization methods. You can select a method based on your requirements.

  • Grant a RAM user full permissions on EAS

    EAS provides the AliyunPAIEASFullAccess system policy, which grants full permissions on EAS. After you attach this policy to a RAM user, the RAM user has full permissions to use all features of EAS.

  • Grant a RAM user read-only permissions on EAS

    EAS provides the AliyunPAIEASReadOnlyAccess system policy, which grants read-only permissions. After you attach this policy to a RAM user, the RAM user can query and view services deployed in EAS.

  • Create a custom policy for fine-grained authorization

    If the two system policies do not meet your requirements, you can create a custom policy to grant fine-grained permissions to a RAM user. For example, you can grant permissions to query or modify deployed services or dedicated resource groups.

Grant a RAM user full permissions on EAS

After you grant full permissions on EAS to a RAM user, the RAM user can use all features of EAS.

  1. Log on to the RAM console.

  2. Grant the RAM user full permissions on EAS. For more information, see Grant permissions to a RAM user.

    Note the following parameters:

    • Set Resource Scope to Account Level.

    • For Policy, select the System Policy AliyunPAIEASFullAccess.

      Note

      OSS permissions are security-sensitive and are not included in the AliyunPAIEASFullAccess policy. If the RAM user needs to use OSS, you must grant OSS permissions to the user separately. For more information, see RAM Policy Editor.

Grant a RAM user read-only permissions on EAS

After you grant read-only permissions on EAS to a RAM user, the RAM user can query and view services deployed in EAS.

  1. Log on to the RAM console.

  2. Grant the RAM user read-only permissions on EAS. For more information, see Grant permissions to a RAM user.

    Note the following parameters:

    • Set Resource Scope to Account Level.

    • For Policy, select the System Policy AliyunPAIEASReadOnlyAccess.

Create a custom policy for fine-grained authorization

To grant a RAM user specific permissions to query or modify deployed services or dedicated resource groups, you can create a custom policy for fine-grained authorization.

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create a custom policy using the script editor.

    Important

    Define the policy carefully based on the permissions that the RAM user requires.

    The following code provides an example of a policy script.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "eas:CreateInstance",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "eas:DescribeService",
            "eas:DeleteService",
            "eas:UpdateService",
            "eas:UpdateServiceVersion"
          ],
          "Resource": [
            "acs:eas:<region>:<uid>:service/eas-m-xxx1",
            "acs:eas:<region>:<uid>:service/eas-m-xxx2"
          ]
        }
      ]
    }

    The Resource values are examples. Modify them based on the instructions in the "Policy description" section.

    For more information about the values of Action and Resource in the script, see Policy description.

  3. Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.

    Note the following parameters:

    • Set Resource Scope to Account Level.

    • For Policy, select the custom policy that you created in Step 2.

Policy description

An access policy contains two main elements: Action and Resource. Action specifies the operation to perform, and Resource specifies the resource on which the operation is performed. The following sections describe the valid values for Action and Resource:

  • Action

    Category                     Action                                Description
    ---------------------------  ------------------------------------  -----------
    Service-related              eas:CreateService                     Create a model service
                                 eas:ListServices                      View the list of model services
                                 eas:DescribeService                   View the details of a model service
                                 eas:DeleteService                     Delete a model service
                                 eas:DeleteServiceLabel                Delete a tag from a model service
                                 eas:ListServiceInstances              View information about model service instances
                                 eas:DeleteServiceInstances            Restart model service instances
                                 eas:UpdateService                     Update a model service or add a version
                                 eas:UpdateServiceVersion              Switch the version of a model service
                                 eas:StartService                      Start a model service
                                 eas:StopService                       Stop a model service
                                 eas:UpdateService                     Update a model service
                                 eas:UpdateServiceLabel                Update a tag of a model service
                                 eas:RestartService                    Restart a model service
                                 eas:CreateServiceAutoScaler           Enable auto scaling for a model service
                                 eas:CreateServiceCronScaler           Enable scheduled scaling for a model service
                                 eas:DeleteServiceAutoScaler           Disable auto scaling for a model service
                                 eas:DeleteServiceCronScaler           Disable scheduled scaling for a model service
                                 eas:DescribeServiceAutoScaler         View the auto scaling status of a model service
                                 eas:DescribeServiceCronScaler         View information about scheduled scaling for a model service
                                 eas:UpdateServiceAutoScaler           Update the auto scaling configuration of a model service
                                 eas:UpdateServiceCronScaler           Update the scheduled scaling configuration of a model service
                                 eas:CreateAppService                  Create an application service
                                 eas:UpdateServiceSafetyLock           Update the security lock of a service
                                 eas:UpdateServiceInstance             Update the properties of a service instance
                                 eas:UpdateAppService                  Update an application service
                                 eas:DescribeServiceDiagnosis          View the diagnostic details of a service
                                 eas:DescribeServiceInstanceDiagnosis  View the diagnostic details of a service instance
                                 eas:DescribeServiceEvent              Query the deployment events of a model service
                                 eas:DescribeGroup                     View the details of a service group
                                 eas:ListServiceVersions               Query the historical versions of a service
                                 eas:ListServiceContainers             Query the list of containers for a service
                                 eas:ListGroups                        View the list of service groups
                                 eas:CreateServiceMirror               Create a traffic mirror for a model service
                                 eas:DescribeServiceMirror             View the status of a traffic mirror for a model service
                                 eas:UpdateServiceMirror               Update the configuration of a traffic mirror for a model service
                                 eas:DeleteServiceMirror               Disable a traffic mirror for a model service
                                 eas:ReleaseService                    Configure the traffic splitting ratio for a blue-green deployment
                                 eas:DescribeServiceLog                View the log data of a model service
    Resource group-related       eas:CreateResource                    Create a dedicated resource group
                                 eas:DescribeResource                  View the basic information about a dedicated resource group
                                 eas:ListResources                     View the list of dedicated resource groups
                                 eas:DeleteResource                    Delete a dedicated resource group
                                 eas:UpdateResource                    Update the basic information about a dedicated resource group
                                 eas:ListResourceInstances             View the list of machine instances in a dedicated resource group
                                 eas:ListResourceInstanceWorker        View the list of containers created on the instances of a dedicated resource group
                                 eas:ListResourceServices              View the services deployed in a dedicated resource group
                                 eas:CreateResourceInstances           Create instances for a dedicated resource group
                                 eas:UpdateResourceInstance            Update an instance in a dedicated resource group
                                 eas:DeleteResourceInstances           Delete instances from a dedicated resource group
                                 eas:UpdateResourceDLink               Update the status of a VPC direct connection for a dedicated resource group
                                 eas:DescribeResourceDLink             View the status of a VPC direct connection for a dedicated resource group
                                 eas:DeleteResourceDLink               Delete the VPC direct connection configuration of a dedicated resource group
                                 eas:CreateResourceLog                 Enable SLS log delivery for a dedicated resource group
                                 eas:DescribeResourceLog               View the status of SLS log delivery for a dedicated resource group
                                 eas:DeleteResourceLog                 Delete the SLS log delivery configuration for a dedicated resource group
    Stress testing task-related  eas:CreateBenchmarkTask               Create a stress testing task
                                 eas:DeleteBenchmarkTask               Delete a stress testing task
                                 eas:DescribeBenchmarkTask             View the details of a stress testing task
                                 eas:DescribeBenchmarkTaskReport       View the report of a stress testing task
                                 eas:ListBenchmarkTask                 Query the list of stress testing tasks
                                 eas:StartBenchmarkTask                Start a stress testing task
                                 eas:StopBenchmarkTask                 Stop a stress testing task
                                 eas:UpdateBenchmarkTask               Update a stress testing task
    Private gateway-related      eas:CreateGateway                     Create a private gateway
                                 eas:DescribeGateway                   View the details of a private gateway
                                 eas:UpdateGateway                     Update a private gateway
                                 eas:CreateGatewayIntranetLinkedVpc    Create an internal-facing endpoint for a private gateway
                                 eas:ListGatewayIntranetLinkedVpc      View the list of internal-facing endpoints for a private gateway
                                 eas:DeleteGatewayIntranetLinkedVpc    Delete an internal-facing endpoint of a private gateway
                                 eas:DeleteGateway                     Delete a private gateway
                                 eas:ListPrivileges                    View the whitelist configuration of a user

  • Resource

    In EAS, the Resource element uses the following format:

    acs:eas:<region>:<uid>:<resource_type>/<id>

    Replace the following parameters with their actual values:

    • <region>: The region where the service or dedicated resource group resides.

    • <uid>: The UID of the Alibaba Cloud account.

    • <resource_type>: The resource type. For example, to perform operations on services, set this parameter to service. To perform operations on resource groups, set this parameter to resource.

    • <id>: The ID of the service or dedicated resource group.

    The following examples show how to specify the Resource value to operate on services in public resource groups, services in dedicated resource groups, and dedicated resource groups:

    • Operate on a specific deployed service

      • Operate on a service deployed in a public resource group

        acs:eas:cn-hangzhou:123456789012****:service/eas-m-u12fxt9ml1syoj****

        This Resource value specifies the service with the ID eas-m-u12fxt9ml1syoj**** in a public resource group. The service is deployed in the China (Hangzhou) region and belongs to the Alibaba Cloud account 123456789012****.

        acs:eas:cn-hangzhou:123456789012****:service/your_service_name

        This Resource value specifies the service named your_service_name in a public resource group. The service is deployed in the China (Hangzhou) region and belongs to the Alibaba Cloud account 123456789012****.

      • Operate on a service deployed in a dedicated resource group

        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai81****/service/eas-m-iaskn1skn1us****

        This Resource value specifies the service eas-m-iaskn1skn1us****, which is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The service is in the China (Shanghai) region and belongs to the Alibaba Cloud account 123456789012****.

        acs:eas:cn-shanghai:123456789012****:resource/eas-r-jksauxqjsai8****/service/your_private_service

        This Resource value specifies the service named your_private_service, which is deployed in the dedicated resource group eas-r-jksauxqjsai8****. The service is in the China (Shanghai) region and belongs to the Alibaba Cloud account 123456789012****.

    • Operate on a specific dedicated resource group

      acs:eas:cn-beijing:123456789012****:resource/eas-r-jksauxqjsai8****

      This Resource value specifies the dedicated resource group with the ID eas-r-jksauxqjsai8****. The resource group is in the China (Beijing) region and belongs to the Alibaba Cloud account 123456789012****.

    • Batch authorization

      You can replace any part of the Resource format with an asterisk (*) to implement batch authorization.

      The following examples show sample Resource values for batch authorization:

      • acs:eas:*:123456789012****:service/*

        This Resource value specifies all services in public resource groups that belong to the Alibaba Cloud account 123456789012**** in all regions.

      • acs:eas:cn-hangzhou:123456789012****:resource/eas-r-jksauxqjsai8****/*

        This Resource value specifies all services that are deployed in the dedicated resource group eas-r-jksauxqjsai8**** in the China (Hangzhou) region. The resource group belongs to the Alibaba Cloud account 123456789012****.

      • acs:eas:*:123456789012****:*

        This Resource value specifies all resource groups and services that belong to the Alibaba Cloud account 123456789012**** in all regions.

      • acs:eas:*:123456789012****:service/prefix*

        This Resource value specifies all services in public resource groups whose names start with the prefix prefix. The services belong to the Alibaba Cloud account 123456789012**** and are in all regions.
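The following added example (not part of the original documentation or of Alibaba Cloud tooling) audits a custom policy before it is attached: it reports every Allow statement that pairs a state-changing action with a wildcard Resource and lists which known resources that wildcard reaches. The account UID, the resource IDs, and the matching rule that `*` stands for any run of characters are assumptions made for the illustration.

```python
import json
import re

# Describe*/List* are the view/query actions in the Action table; the rest change state.
READ_PREFIXES = ("eas:Describe", "eas:List")

def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def resource_matches(pattern, arn):
    """Assumption: '*' matches any run of characters, '/' and ':' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None

def audit(policy, inventory):
    """For each Allow statement, report (resource pattern, write actions,
    inventory ARNs covered) wherever a wildcard Resource carries write actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        writes = [a for a in as_list(stmt.get("Action", []))
                  if not a.startswith(READ_PREFIXES)]
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res and writes:
                covered = [arn for arn in inventory if resource_matches(res, arn)]
                findings.append((res, writes, covered))
    return findings

UID = "1234567890120000"  # constructed account UID
INVENTORY = [             # constructed ARNs in the page's three Resource shapes
    f"acs:eas:cn-hangzhou:{UID}:service/eas-m-demo1",
    f"acs:eas:cn-shanghai:{UID}:resource/eas-r-demo1/service/eas-m-demo2",
    f"acs:eas:cn-beijing:{UID}:resource/eas-r-demo2",
]
# Constructed policy: the page's example script plus one batch-authorization statement.
POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "eas:CreateInstance", "Resource": "*"},
  {"Effect": "Allow", "Action": ["eas:DescribeService", "eas:DeleteService"],
   "Resource": ["acs:eas:cn-hangzhou:%(uid)s:service/eas-m-demo1"]},
  {"Effect": "Allow", "Action": ["eas:ListServices", "eas:StopService"],
   "Resource": "acs:eas:*:%(uid)s:service/*"}]}""" % {"uid": UID})

if __name__ == "__main__":
    for res, writes, covered in audit(POLICY, INVENTORY):
        print(f"{res}: {writes} reaches {len(covered)} of {len(INVENTORY)} resources")
```

On the constructed inventory, the bare `*` reaches all three resources, while `service/*` reaches only the service in the public resource group and leaves the service in the dedicated resource group and the resource group itself out of scope.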