Updated on 2025-08-04 GMT+08:00

Configuring the Missing ModelArts Studio (MaaS) Permissions

When you use MaaS, the system will alert you when permissions are incorrect or absent. Without granting these permissions promptly, certain features will not work well, impacting your usage. To keep your services running smoothly, review and configure missing permissions quickly to prevent disruptions.

Prerequisites

You have registered a Huawei ID and enabled Huawei Cloud services, performed real-name authentication, and ensure your account is not frozen or in arrears before using ModelArts. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services and Real-Name Authentication.

Billing

Authorization is free. But using data storage, importing models, or deploying services may incur fees because they rely on OBS and SWR. For details, see Billing Overview.

Adding Dependency Service Authorization

Access to MaaS features requires authorization from OBS and SWR. Authenticate with OBS and SWR to enable data storage, model import, and service deployment.

A message appears at the top of the MaaS console if dependency authorization has not been configured, prompting you to configure it.

Tenant user: Click Authorize access to go to the permissions management page on the ModelArts console and add dependency service permissions. For details, see MaaS Agency Authorization.

IAM user: Contact the administrator.

Figure 1 Dependency authorization prompt

Adding Missing Permissions Using the Tenant Account

A permission error message appears at the top of the MaaS console if necessary permissions are not granted.

Figure 2 Permissions missing

You can click View missing permissions in the pop-up prompt. In the Service Permissions Missing dialog box, select Existing authorization or New authorization as required, and click OK.

Figure 3 Service permissions missing

Adding Missing Permissions Using an IAM Account

The ModelArts Studio (MaaS) console will display an Access Denied dialog box if you lack necessary permissions. Create a custom policy, assign it to the target user group, review any missing service permissions, and contact your administrator to configure the necessary permissions.

Figure 4 Access Denied dialog box

For details about the missing permissions, see Table 1. For details, see Actions.

Table 1 Missing permissions

Permission

Description

iam:permissions:listRolesForAgencyOnDomain

Querying permissions of an agency for a global service project

iam:permissions:listRolesForAgencyOnProject

Querying permissions of an agency for a region-specific project

iam:permissions:listRolesForAgency

Querying all permissions of an agency

iam:agencies:getAgency

Querying agency details

iam:agencies:listAgencies

Querying agencies in specified conditions

  1. Create a custom policy.
    1. In the Access Denied dialog box, click Copy to save the missing permissions and click OK.
      Figure 5 Access Denied
    2. Hover over your account in the upper right corner and click Identity and Access Management.
    3. In the navigation pane of the IAM console, choose Permissions > Policies/Roles.
    4. On the Policies/Roles page, click Create Custom Policy in the upper right corner.
    5. On the Create Custom Policy page, configure parameters and click OK.
      Figure 6 Creating a custom policy
      Table 2 Parameters for creating a custom policy

      Parameter

      Description

      Example

      Policy Name

      Enter a policy name.

      policykl631g

      Policy View

      Click JSON.

      JSON

      Policy Content

      Paste the permission policy saved in step 1.a in [] of the Statement parameter.

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:permissions:listRolesForAgencyOnDomain",
                      "iam:permissions:listRolesForAgencyOnProject",
                      "iam:permissions:listRolesForAgency",
                      "iam:agencies:getAgency",
                      "iam:agencies:listAgencies"
                  ]
              }
          ]
      }

      Description

      Enter a policy description.

      N/A

      Scope

      Use the default value Global services.

      Global services

  2. Add the custom policy to the target user group.
    1. In the navigation pane on the left of the IAM console, click User Groups.
    2. On the User Groups page, search for the target user group and click Authorize in the Operation column.
      Figure 7 Authorize
    3. On the displayed page, select the policy created in step 1, click Next, select the authorization scope as required, and click OK.
      Figure 8 Authorization page
    4. In the Information dialog box, read the information carefully and click OK.
  3. Review and configure the missing service permissions.
    1. Log in to the ModelArts Studio (MaaS) console and click View missing permissions in the upper part of the page. In the Service Permissions Missing dialog box, view the missing service permissions.
      Figure 9 Service permissions missing
    2. Contact the administrator to configure the missing service permissions. For details, see MaaS Agency Authorization.

FAQs

  • How do I obtain access keys (AK/SK)?

    You will need to obtain an access key if you are using access key authentication to access certain functions like accessing model services. For details, see How Do I Obtain an Access Key?

  • How do I delete an agency?

    Go to the IAM console, choose Agencies in the navigation pane, and delete the target agency. For details, see Deleting or Modifying Agencies.