PAI Workspace Management
Create, query, and list workspaces on Alibaba Cloud Platform for AI (PAI). Workspaces serve as isolated management units for AI model training, data processing, and related tasks.
Architecture: PAI AIWorkSpace (Workspace)
Workspace Modes:
- Simple Mode: Production environment only ()
- Standard Mode: Development () + Production () environments
Installation
Pre-check: Aliyun CLI >= 3.3.1 required
Run
to verify >= 3.3.1. If not installed or version too low,
see
references/cli-installation-guide.md
for installation instructions.
Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
bash
aliyun version
aliyun configure set --auto-plugin-install true
Credential Verification
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use with literal credential values
- ONLY use to check credential status
Sensitive Data Masking:
-
The following fields in API responses contain personally identifiable information and MUST be masked before displaying to the user:
- / — Show only last 4 digits, e.g.,
- — Never display, omit entirely
- / — Show only first character + , e.g.,
- Accounts in — Mask as format
-
[MUST] Raw sensitive data MUST NOT appear in stdout, execution logs, on disk, or in the conversation: The execution framework logs ALL command stdout to execution logs/transcripts (e.g.,
ran-scripts/executed-actions.log
). Therefore,
EVERY execution of
or
(including basic queries without
) must include
pipe filtering — because
is
always returned and is sensitive. There must be
NO execution step where the raw API JSON appears in command output, even as an intermediate step. The
pipe must be part of a
single pipeline command:
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --region <RegionId> \
--user-agent AlibabaCloud-Agent-Skills \
| jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Environment: \(.EnvTypes | join(", "))
Created: \(.GmtCreateTime)
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)"'
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --verbose true --region <RegionId> \
--user-agent AlibabaCloud-Agent-Skills \
| jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Owner: \(.Owner.UserName // "" | if length > 0 then .[0:1] + "***" else "N/A" end) (ID: \(.Owner.UserId // "" | if length > 0 then "****" + .[-4:] else "N/A" end))
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)
Administrators: \(.AdminNames // [] | map(.[0:1] + "***") | join(", "))"'
The raw API response flows through the pipe internally and never reaches shell stdout. Only
's output (with masked values and natural language keys) is captured by the execution framework. The following are
all prohibited:
- Running the CLI command without pipe filtering — even for basic queries (the field is always returned and sensitive)
- Two-step processing — running the CLI command first to get raw output, then separately masking it. The raw JSON would appear in the execution transcript before masking is applied. The MUST be part of the same single pipeline command
- Capturing raw output to shell variables — e.g., then
echo "$response" | jq ...
- Output redirection (, , )
- Executing commands via shell scripts saved to disk (e.g., )
- Embedding raw API response data in any script or code file — e.g., writing a Python/shell script that contains raw JSON values as string literals, variables, or data structures (such as
ran_scripts/process_workspace_data.py
- Displaying raw JSON snippets in the conversation
-
[MUST] Original API field names MUST NOT be used as output keys: Even when values are masked, using original API field names (such as
,
,
,
) as JSON keys or structured output key names in any output (conversation or files) is
prohibited. Use natural language key names instead:
Correct approach:
EVERY execution of
or
must be a
single pipeline command with
appended. The Agent must NEVER run the CLI command first and then process the output in a separate step — the raw JSON would appear in the execution transcript before masking is applied. All data extraction, masking, and formatting must happen inside the
filter. If saving to a file, redirect the
jq output (not the CLI output) using
at the end of the pipeline. This rule applies to ALL queries — basic, verbose, and list.
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via in terminal or environment variables in shell profile)
- Return and re-run after shows a valid profile
RAM Permissions
See
references/ram-policies.md
for required permissions (including Policy JSON and instructions).
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
- Read
references/ram-policies.md
- Use skill to guide the user through requesting the necessary permissions
- Pause and wait until the user confirms that the required permissions have been granted
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, WorkspaceName, Description, EnvTypes, etc.)
MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
| Parameter | Required/Optional | Description | Example |
|---|
| Required | Region ID (global parameter), must be specified by the user, do not use default values | |
| Required | Workspace name: 3-23 characters, starts with a letter, may contain letters/digits/underscores, unique within the region | |
| Required | Workspace description, max 80 characters | |
| Required | Environment types (list format): (simple mode) or (standard mode) | |
| Optional | Display name, defaults to WorkspaceName | |
| Optional | Resource group ID, uses default resource group if not specified | |
Note: Once
is set, it
cannot be modified via CLI/code. To change it, use the console or recreate the workspace.
Timeout Configuration
API calls support timeout configuration (in seconds):
Option 1: Command-line parameters (applies to the current command only):
--connect-timeout <seconds>
- — I/O read timeout
Option 2: Persistent configuration (applies globally, written to current profile):
bash
aliyun configure set --connect-timeout 10 --read-timeout 30
Command-line parameters take precedence over persistent configuration. If not set, the CLI uses built-in defaults. When encountering
or
context deadline exceeded
errors, increase
(e.g., 30-60 seconds).
Core Workflow
See
references/related-commands.md
for all CLI command templates and parameter details.
Prerequisite: Region Selection and PAI Activation Check
[MUST] Do not use a default region: The Agent must not assume or use a default region. It must explicitly ask the user which region to use.
[MUST] Check PAI activation on first use of a region: After the user specifies a region (or the first time a region is used in a session), the Agent must call
to check whether PAI is activated in that region before executing any subsequent workspace operations.
Step 1: Confirm Region
Ask the user which region to use. If the user has not specified one, provide the list of common regions for selection (see the Common Region IDs table in
references/related-commands.md
).
Do not automatically select a default region.
Step 2: Check PAI Activation Status
Use
aliyun aiworkspace list-products
to check whether PAI and its dependent products are activated in the user-specified region:
bash
aliyun aiworkspace list-products \
--region <UserSpecifiedRegionId> \
--product-codes PAI_share \
--verbose true \
--user-agent AlibabaCloud-Agent-Skills
Step 3: Handle Check Results
Inspect the returned
array for the matching product entry:
Decision logic:
- → PAI is activated, proceed with subsequent workflows
- → PAI is not activated, guide the user to activate:
- Check the field:
- → User has permission. Show the link and prompt the user to complete activation in the console before continuing
- → User lacks permission (requires the primary account or a RAM user with permission). Inform the user to contact the primary account administrator
- Do not proceed with creating/querying workspaces when PAI is not activated
Workflow 1: Create Workspace (CreateWorkspace)
Use
aliyun aiworkspace create-workspace
to create a workspace. Required parameters:
,
,
,
. Simple mode uses
, standard mode uses
. Optionally add
and
.
Step 1: Input Parameter Validation
[MUST] Parameter format validation: Before calling the API, the Agent must validate user-provided parameters as follows. If validation fails, prompt the user to correct the input. Do not submit non-compliant parameters:
| Parameter | Validation Rules | Example |
|---|
| 3-23 characters, must start with a letter, may only contain letters, digits, and underscores (). Hyphens (), spaces, Chinese characters, and other special characters are not allowed | |
| Max 80 characters, wrap with quotes if containing special characters | |
| Must be or , list format | |
| Optional, no strict format restrictions | |
Step 2: Name Existence Check (check-then-act idempotency pattern)
[MUST] Idempotency guarantee: The CreateWorkspace API does not support ClientToken, so idempotency is ensured via a check-then-act pattern. Before creating, you
must call
list-workspaces --option CheckWorkspaceExists --workspace-name <name>
to check if the name already exists.
Decision logic:
- → Name is available, proceed to Step 3 to create
- → Name already exists, perform the following:
- Extract the existing from the returned
- Call
get-workspace --workspace-id <id>
- Compare the existing workspace's key parameters (, , etc.) with the current request parameters
- Match → Treat as already created, return the existing directly, do not recreate
- Mismatch → Inform the user that the name is already taken with a different configuration, ask the user to choose a different name
Step 3: Execute Creation
After parameter validation passes and the name does not exist, execute the
command. On success, a
is returned. If the creation returns a
WorkspaceNameAlreadyExists
error (concurrent scenario), handle it using the
logic from Step 2.
Workflow 2: Get Workspace Details (GetWorkspace)
[MUST] Single workspace queries must use : When querying the details of
one specific workspace, you
must use
aliyun aiworkspace get-workspace --workspace-id <id>
.
Do not use
list-workspaces --workspace-ids
as a substitute.
calls the GetWorkspace API and returns the complete details of a single workspace.
Only accepts
(required) and
(optional). The region is specified via the global
parameter. A
of
indicates the workspace is ready.
[MUST] trigger rules:
returns Owner (UserKp, UserId, UserName, DisplayName) and AdminNames (admin account list). The Agent must follow these rules:
- Trigger conditions — When the user's request involves any of the following keywords, must be appended when constructing the command (determined before calling the API, not dependent on API success):
- Chinese keywords: 所有者, 拥有者, 创建者, 管理员, 负责人, 归属
- English keywords: owner, admin, administrator, verbose
- Field names: Owner, AdminNames
- When not triggered — When the user only queries basic info (status, environment types, etc.), do not append
- Masking rules — UserId/Creator: last 4 digits only (); UserKp: omit entirely; UserName/DisplayName: first character only (); AdminNames entries:
- No raw sensitive data in stdout, execution logs, on disk, or in output — EVERY execution of (with or without ) or must be a single pipeline command with appended. The Agent must NEVER run the CLI command first and then mask the output separately — the raw JSON would appear in the execution transcript. No two-step processing, no variable capture (), no intermediate scripts. All masking must happen inside the filter of the same pipeline. See the Sensitive Data Masking section and
references/related-commands.md
[MUST] 404 error handling: When
returns
StatusCode: 404, Code: 100400027, Message: Workspace not exists
, the workspace ID does not exist. The Agent must
directly report to the user that the workspace does not exist, including the original workspace-id specified by the user.
Do not fall back to
or other APIs to try to "find" the workspace after receiving a 404.
Do not silently ignore the error. If the user subsequently provides a new workspace-id, the Agent must retry
with
the same parameters as the initial call (including
, etc.).
Workflow 3: List Workspaces (ListWorkspaces)
Use
aliyun aiworkspace list-workspaces
to list workspaces. Supports the following filter and sort parameters:
- — Fuzzy match by name
--workspace-ids <id1,id2,...>
--workspace-ids "123,456,789"
- — Filter by status, enum values (all uppercase): | | | | |
- — Sort field (case-sensitive): (default) |
- — Sort direction (all uppercase): (default) |
- / — Pagination parameters
--option GetResourceLimits
--option CheckWorkspaceExists
[MUST] API selection rules: Use
get-workspace --workspace-id
(GetWorkspace API) for querying a
single ID; use
list-workspaces --workspace-ids "id1,id2,..."
for querying
multiple IDs (2 or more) in a single batch query (ListWorkspaces API). Do not call
individually for each ID.
[MUST] Batch query results are final: The
array returned by
list-workspaces --workspace-ids
already contains complete information for each workspace (Status, EnvTypes, GmtCreateTime, etc.).
Do not call
for any ID in the batch results to get additional details. If some IDs are not in the response, those IDs do not exist — report this to the user directly.
[MUST] Enum values are case-sensitive:
must be
or
(camelCase),
must be
or
(all uppercase),
must be all uppercase like
. Using incorrect casing (e.g.,
,
,
) will cause API errors or unexpected results.
[MUST] ListWorkspaces sensitive field masking: Each workspace object returned by
always contains
(creator user ID) and
(admin account list) —
no needed. The Agent must mask these fields when displaying (
: last 4 digits only;
: first character +
). Do not output JSON containing the raw values, and do not save raw responses to files via redirection (
) or scripts.
Success Verification
| Verification Target | Method | Success Criteria |
|---|
| WorkspaceId returned | Parse create command response | is not empty |
| Workspace status is normal | command | |
| Visible in console | Log in to PAI Console and verify manually | New workspace appears in the list |
See
references/verification-method.md
for detailed verification methods
Cleanup (Delete Workspace)
Warning: Deleting a workspace is an irreversible operation that removes all resources within it. Proceed with caution.
Note: Workspace deletion
cannot be performed directly via CLI (the
plugin does not currently support
). Use the following methods:
- Console deletion: Log in to PAI Console -> Workspace List -> Select workspace -> Delete
- API call: Use the
DELETE /api/v1/workspaces/{WorkspaceId}
Best Practices
- Naming conventions: Use project names or team identifier prefixes for WorkspaceName, e.g., , (note: hyphens are not supported, use underscores)
- Environment selection: Use standard mode ( + ) for production projects to separate development and production resources
- Description: Description should indicate the purpose, team, or project for easier management
- Region selection: Choose the region closest to your data storage to minimize data transfer latency
- Resource group management: Use different resource groups for multi-project scenarios to facilitate cost allocation and permission management
- DisplayName: Use business-friendly names as the display name while using English identifiers for WorkspaceName
Reference Documentation
| Document | Description |
|---|
| references/ram-policies.md | RAM permission policies, Policy JSON, and instructions |
| references/related-commands.md | Complete CLI command templates, parameter tables, enum values, and return fields |
| references/verification-method.md | Verification steps and scripts |
| references/acceptance-criteria.md | CLI command acceptance criteria (correct/incorrect patterns) |
| references/cli-installation-guide.md | Aliyun CLI installation and configuration |
| ListWorkspaces API Doc | ListWorkspaces API reference |
| CreateWorkspace API Doc | CreateWorkspace API reference |
| GetWorkspace API Doc | GetWorkspace API reference |
| ListProducts API Doc | ListProducts API reference (product activation status check) |