Updated on 2024-01-09 GMT+08:00

Granting SFS Turbo Folder Access Permissions to IAM Users

Scenarios

Grant IAM users permission to access specific SFS Turbo folders.

Constraints

  • Ensure that you have enabled strict authorization. Log in to the ModelArts console and choose Settings from the navigation pane on the left. On the Global Configuration page, click Enable strict authorization.
  • If ModelArts permissions have not been granted to IAM users, the IAM users may fail to use ModelArts after the strict authorization is enabled. Grant the permission to IAM users by referring to Assigning Permissions to Individual Users for Using ModelArts.

Procedure

  1. Log in to the management console using the main account, hover the cursor over your username in the upper right corner, and choose Identity and Access Management from the drop-down list to switch to the IAM management console.
  2. On the IAM console, choose Permissions > Policies/Roles from the navigation pane on the left, click Create Custom Policy in the upper right corner, and configure the policy as follows:

    • Policy Name: Enter a policy name, for example, ma_sfs_turbo.
    • Policy View: Select JSON.
    • Policy Content: Enter the following information:
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "<modelarts_action>"
                  ],
                  "Condition": {
                      "StringEquals": {
                          "modelarts:sfsId": [
                              "<your_ssf_id>"
                          ],
                          "modelarts:sfsPath": [
                              "<sfs_path>"
                          ],
                          "modelarts:sfsOption": [
                              "<sfs_option>"
                          ]
                      }
                  }
              }
          ]
      }

    Replace <modelarts_action>, <your_ssf_id>, <sfs_path>, and <sfs_option> with actual values as needed. The following table describes the parameters.

    Table 1 Parameter description

    Parameter

    Description

    Action

    Scenario in which the SFS Turbo folder access permission is granted.

    • modelarts:trainJob:create indicates that the permission is granted during development environment instance creation.
    • modelarts:notebook:create indicates that the permission is granted during training job creation.

    Multiple actions are supported. For example:

    "Action": [
       "modelarts:trainJob:create",
       "modelarts:notebook:create"
    ],

    modelarts:sfsId

    SFS Turbo ID, which can be obtained on the SFS Turbo details page. You can enter multiple IDs. For example:

    "modelarts:sfsId": [
       "0e51c7d5-d90e-475a-b5d0-ecf896da3b0d",
       "2a70da1e-ea87-4ee4-ae1e-55df846e7f41"
    ],

    modelarts:sfsPath

    Path of the SFS Turbo folder whose permissions need to be configured. You can enter multiple paths. For example:

    "modelarts:sfsPath": [
      "/path1",
      "/path2/path2-1"
    ],

    If there are multiple SFS IDs, the SFS paths apply to all of them. In the following example, permission to access /path1 and /path2/path2-1 is configured for both 0e51c7d5-d90e-475a-b5d0-ecf896da3b0d and 2a70da1e-ea87-4ee4-ae1e-55df846e7f41.

    "modelarts:sfsId": [
       "0e51c7d5-d90e-475a-b5d0-ecf896da3b0d",
       "2a70da1e-ea87-4ee4-ae1e-55df846e7f41"
    ],
    "modelarts:sfsPath": [
      "/path1",
      "/path2/path2-1"
    ],

    modelarts:sfsOption

    Type of the access permission. The following parameters are supported:

    • readonly: Read-only permission
    • readwrite: Read and write permission

    To add multiple SFS options to a custom policy, add one JSON structure per option to Statement. For example:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "modelarts:notebook:create"
                ],
                "Condition": {
                    "StringEquals": {
                        "modelarts:sfsId": [
                            "0e51c7d5-d90e-475a-b5d0-ecf896da3b0d"
                        ],
                        "modelarts:sfsPath": [
                            "/path1"
                        ],
                        "modelarts:sfsOption": [
                            "readonly"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "modelarts:notebook:create"
                ],
                "Condition": {
                    "StringEquals": {
                        "modelarts:sfsId": [
                            "0e51c7d5-d90e-475a-b5d0-ecf896da3b0d"
                        ],
                        "modelarts:sfsPath": [
                            "/path2"
                        ],
                        "modelarts:sfsOption": [
                            "readwrite"
                        ]
                    }
                }
            }
        ]
    }

  3. Create a user group and add the user to the user group. For details, see Step 1 Create a User Group and Add Users to the User Group.
  4. Grant the policy to the user group. On the user group list page of IAM, click Authorize for the target user group. The Authorize User Group page is displayed. Select the ma_sfs_turbo policy created in Step 2. Click Next and then OK.
  5. Add the IAM ReadOnlyAccess permission to an existing ModelArts agency.

    1. On the ModelArts management console, choose Settings from the navigation pane on the left. On the displayed page, locate the target agency, choose View Permissions in the Operation column, and click Modify permission in IAM.
      Figure 1 Modifying permissions in IAM
    2. On the IAM console, choose Agencies from the navigation pane on the left, and choose Permissions > Authorize. Search for IAM ReadOnlyAccess, enable it, and click Next and OK.
      Figure 2 IAM ReadOnlyAccess

  6. Verify that the permission is granted.

    Log in to ModelArts as the IAM user. Only the configured SFS Turbo folders are displayed during training job creation and notebook creation.
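
Added example (not part of the original page or of ModelArts): because the paths in one statement apply to every SFS ID in that statement, as described for Step 2, listing unrelated file systems together grants more folders than intended. The Python sketch below builds the policy JSON from the exact (SFS ID, path, option) triples you want and expands a policy back into the triples it allows, so the result can be checked before it is pasted into IAM. The function names are hypothetical, the IDs are the sample IDs from this page, and expanding a multi-value modelarts:sfsOption list the same way as IDs and paths is an assumption.

```python
import json
from collections import defaultdict
from itertools import product

OPTIONS = {"readonly", "readwrite"}  # the two modelarts:sfsOption values listed on this page

def build_policy(grants, actions):
    """grants: iterable of (sfs_id, path, option) triples that should be allowed."""
    paths_by_id = defaultdict(set)            # (option, sfs_id) -> paths
    for sfs_id, path, option in grants:
        if option not in OPTIONS:
            raise ValueError(f"unsupported sfsOption: {option!r}")
        paths_by_id[(option, sfs_id)].add(path)
    # IDs share a statement only when their path sets are identical, so the
    # sfsId x sfsPath combination never covers a pair that was not requested.
    ids_by_group = defaultdict(list)          # (option, paths) -> sfs_ids
    for (option, sfs_id), paths in paths_by_id.items():
        ids_by_group[(option, tuple(sorted(paths)))].append(sfs_id)
    statements = []
    for (option, paths), ids in sorted(ids_by_group.items()):
        statements.append({
            "Effect": "Allow",
            "Action": list(actions),
            "Condition": {"StringEquals": {
                "modelarts:sfsId": sorted(ids),
                "modelarts:sfsPath": list(paths),
                "modelarts:sfsOption": [option],   # one option per statement
            }},
        })
    return {"Version": "1.1", "Statement": statements}

def effective_grants(policy):
    """Expand every statement into the (sfs_id, path, option) triples it allows."""
    triples = set()
    for st in policy["Statement"]:
        c = st["Condition"]["StringEquals"]
        triples |= set(product(c["modelarts:sfsId"], c["modelarts:sfsPath"],
                               c["modelarts:sfsOption"]))
    return triples

# Constructed sample: each file system is meant to expose different folders.
ID_A = "0e51c7d5-d90e-475a-b5d0-ecf896da3b0d"
ID_B = "2a70da1e-ea87-4ee4-ae1e-55df846e7f41"
WANTED = {(ID_A, "/path1", "readonly"), (ID_B, "/path2/path2-1", "readonly"),
          (ID_A, "/path2", "readwrite")}

if __name__ == "__main__":
    policy = build_policy(WANTED, ["modelarts:notebook:create"])
    assert effective_grants(policy) == WANTED   # nothing beyond what was requested
    print(json.dumps(policy, indent=4))
```

Running effective_grants over an existing custom policy gives a reviewer the flat list of folder grants to compare against what each user group is supposed to see.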