alibabacloud-pai-workspace-manage

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

PAI Workspace Management

PAI工作空间管理

Create, query, and list workspaces on Alibaba Cloud Platform for AI (PAI). Workspaces serve as isolated management units for AI model training, data processing, and related tasks.

Architecture: PAI AIWorkSpace (Workspace)

Workspace Modes:

Simple Mode: Production environment only (
```
prod
```
)
Standard Mode: Development (
```
dev
```
) + Production (
```
prod
```
) environments

用于在阿里云人工智能平台（PAI）上创建、查询、罗列工作空间。工作空间是AI模型训练、数据处理及相关任务的隔离管理单元。

架构：PAI AIWorkSpace（工作空间）

工作空间模式:

简易模式：仅包含生产环境（
```
prod
```
）
标准模式：包含开发（
```
dev
```
）+ 生产（
```
prod
```
）双环境

Installation

安装

Pre-check: Aliyun CLI >= 3.3.1 required Run
aliyun version
to verify >= 3.3.1. If not installed or version too low, see
references/cli-installation-guide.md
for installation instructions. Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.

bash

aliyun version
aliyun configure set --auto-plugin-install true

前置检查：要求Aliyun CLI版本 >= 3.3.1 执行
aliyun version
确认版本不低于3.3.1。如果未安装或版本过低，参考
references/cli-installation-guide.md
的安装指引操作。之后[必须]执行
aliyun configure set --auto-plugin-install true
开启插件自动安装功能。

bash

aliyun version
aliyun configure set --auto-plugin-install true

Credential Verification

凭证校验

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
is FORBIDDEN)
NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use
aliyun configure set
with literal credential values
ONLY use
aliyun configure list
to check credential status
Sensitive Data Masking:
The following fields in API responses contain personally identifiable information and MUST be masked before displaying to the user:
Owner.UserId
/
Creator
— Show only last 4 digits, e.g.,
****1234
Owner.UserKp
— Never display, omit entirely
Owner.UserName
/
Owner.DisplayName
— Show only first character +
***
, e.g.,
z***
Accounts in
AdminNames
— Mask as
u***@example.com
format
[MUST] Raw sensitive data MUST NOT appear in stdout, execution logs, on disk, or in the conversation: The execution framework logs ALL command stdout to execution logs/transcripts (e.g.,
ran-scripts/executed-actions.log
). Therefore, EVERY execution of
get-workspace
or
list-workspaces
(including basic queries without
--verbose
) must include
| jq -r
pipe filtering — because
Creator
is always returned and is sensitive. There must be NO execution step where the raw API JSON appears in command output, even as an intermediate step. The
| jq -r
pipe must be part of a single pipeline command:
Basic query (without
--verbose
):
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --region <RegionId> \
  --user-agent AlibabaCloud-Agent-Skills \
  | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Environment: \(.EnvTypes | join(", "))
Created: \(.GmtCreateTime)
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)"'
Verbose query (with
--verbose true
):
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --verbose true --region <RegionId> \
  --user-agent AlibabaCloud-Agent-Skills \
  | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Owner: \(.Owner.UserName // "" | if length > 0 then .[0:1] + "***" else "N/A" end) (ID: \(.Owner.UserId // "" | if length > 0 then "****" + .[-4:] else "N/A" end))
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)
Administrators: \(.AdminNames // [] | map(.[0:1] + "***") | join(", "))"'
The raw API response flows through the pipe internally and never reaches shell stdout. Only
jq
's output (with masked values and natural language keys) is captured by the execution framework. The following are all prohibited:
Running the CLI command without
| jq
pipe filtering — even for basic queries (the
Creator
field is always returned and sensitive)
Two-step processing — running the CLI command first to get raw output, then separately masking it. The raw JSON would appear in the execution transcript before masking is applied. The
| jq -r
MUST be part of the same single pipeline command
Capturing raw output to shell variables — e.g.,
response=$(aliyun ...)
then
echo "$response" | jq ...
. The variable assignment captures raw data into the execution log
Output redirection (
> file.json
,
>> file.log
,
| tee file
)
Executing commands via shell scripts saved to disk (e.g.,
ran-scripts/*.sh
)
Embedding raw API response data in any script or code file — e.g., writing a Python/shell script that contains raw JSON values as string literals, variables, or data structures (such as
ran_scripts/process_workspace_data.py
). All data processing must be done entirely within the
| jq -r
pipe; do NOT create intermediate processing scripts that contain raw data
Displaying raw JSON snippets in the conversation
[MUST] Original API field names MUST NOT be used as output keys: Even when values are masked, using original API field names (such as
UserId
,
UserName
,
UserKp
,
AdminNames
) as JSON keys or structured output key names in any output (conversation or files) is prohibited. Use natural language key names instead:
UserId
/
Creator
→
Owner ID
or
Creator ID
UserName
→
Username
DisplayName
→
Display Name
AdminNames
→
Administrators
Correct approach: EVERY execution of
get-workspace
or
list-workspaces
must be a single pipeline command with
| jq -r
appended. The Agent must NEVER run the CLI command first and then process the output in a separate step — the raw JSON would appear in the execution transcript before masking is applied. All data extraction, masking, and formatting must happen inside the
jq
filter. If saving to a file, redirect the jq output (not the CLI output) using
> file.md
at the end of the pipeline. This rule applies to ALL queries — basic, verbose, and list.
bash
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.
Obtain credentials from Alibaba Cloud Console
Configure credentials outside of this session (via
aliyun configure
in terminal or environment variables in shell profile)
Return and re-run after
aliyun configure list
shows a valid profile

前置检查：需要配置阿里云凭证

安全规则:
严禁读取、回显或打印AK/SK值（例如禁止执行
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
）
严禁要求用户在对话或命令行中直接输入AK/SK
严禁在
aliyun configure set
命令中使用明文凭证值
仅允许使用
aliyun configure list
检查凭证状态
敏感数据脱敏规则:
API返回结果中以下字段包含个人可识别信息，展示给用户前必须脱敏:
Owner.UserId
/
Creator
— 仅展示最后4位，例如
****1234
Owner.UserKp
— 完全不展示，直接省略
Owner.UserName
/
Owner.DisplayName
— 仅展示首字符 +
***
，例如
z***
AdminNames
中的账号 — 脱敏为
u***@example.com
格式
[必须] 原始敏感数据禁止出现在标准输出、执行日志、磁盘或对话中: 执行框架会将所有命令的标准输出记录到执行日志/转录文件中（例如
ran-scripts/executed-actions.log
）。因此每次执行
get-workspace
或
list-workspaces
（即使是不带
--verbose
的基础查询）都必须包含
| jq -r
管道过滤 —— 因为
Creator
字段会固定返回且属于敏感信息。不允许任何执行步骤中原始API JSON出现在命令输出中，哪怕是中间步骤也不行。
| jq -r
管道必须是单条管道命令的一部分:
基础查询（不带
--verbose
）:
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --region <RegionId> \
  --user-agent AlibabaCloud-Agent-Skills \
  | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Environment: \(.EnvTypes | join(", "))
Created: \(.GmtCreateTime)
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)"'
详细查询（带
--verbose true
）:
bash
aliyun aiworkspace get-workspace --workspace-id <ID> --verbose true --region <RegionId> \
  --user-agent AlibabaCloud-Agent-Skills \
  | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
Status: \(.Status)
Owner: \(.Owner.UserName // "" | if length > 0 then .[0:1] + "***" else "N/A" end) (ID: \(.Owner.UserId // "" | if length > 0 then "****" + .[-4:] else "N/A" end))
Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)
Administrators: \(.AdminNames // [] | map(.[0:1] + "***") | join(", "))"'
原始API响应会在管道内部流转，永远不会到达Shell标准输出。只有
jq
的输出（已脱敏、使用自然语言键名）会被执行框架捕获。以下操作全部禁止:
执行CLI命令不带
| jq
管道过滤 —— 哪怕是基础查询也不行（
Creator
字段固定返回且属于敏感信息）
两步处理 —— 先执行CLI命令获取原始输出，再单独做脱敏处理。原始JSON会在脱敏前被记录到执行转录文件中。
| jq -r
必须是同一条管道命令的组成部分
将原始输出捕获到Shell变量中 —— 例如
response=$(aliyun ...)
再执行
echo "$response" | jq ...
。变量赋值会将原始数据记录到执行日志中
输出重定向（
> file.json
,
>> file.log
,
| tee file
）
通过保存在磁盘的Shell脚本执行命令（例如
ran-scripts/*.sh
）
将原始API响应数据嵌入任何脚本或代码文件中 —— 例如编写Python/Shell脚本，将原始JSON值作为字符串字面量、变量或数据结构存储（例如
ran_scripts/process_workspace_data.py
）。所有数据处理必须完全在
| jq -r
管道内完成，不要创建包含原始数据的中间处理脚本
在对话中展示原始JSON片段
[必须] 禁止使用原始API字段名作为输出键名: 即使值已经脱敏，也禁止在任何输出（对话或文件）中使用原始API字段名（例如
UserId
、
UserName
、
UserKp
、
AdminNames
）作为JSON键或结构化输出键名。请使用自然语言键名替代:
UserId
/
Creator
→
所有者ID
或
创建者ID
UserName
→
用户名
DisplayName
→
展示名称
AdminNames
→
管理员列表
正确做法: 每次执行
get-workspace
或
list-workspaces
都必须是附加了
| jq -r
的单条管道命令。Agent绝对不能先运行CLI命令，再在单独步骤中处理输出 —— 否则原始JSON会在脱敏前被记录到执行转录文件中。所有数据提取、脱敏、格式化操作都必须在
jq
过滤器内部完成。如果需要保存到文件，请在管道末尾使用
> file.md
重定向jq的输出（而非CLI的输出）。该规则适用于所有查询：基础查询、详细查询和列表查询。
bash
aliyun configure list
检查输出中是否存在有效配置（AK、STS或OAuth身份）。

如果不存在有效配置，立即停止操作。
从阿里云控制台获取凭证
在当前会话外配置凭证（通过终端执行
aliyun configure
或在Shell配置文件中设置环境变量）
待
aliyun configure list
显示有效配置后，返回重新执行

RAM Permissions

RAM权限

See

references/ram-policies.md

for required permissions (including Policy JSON and instructions).

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
Read
references/ram-policies.md
to get the full list of permissions required by this SKILL
Use
ram-permission-diagnose
skill to guide the user through requesting the necessary permissions
Pause and wait until the user confirms that the required permissions have been granted

所需权限参考

references/ram-policies.md

（包含Policy JSON和操作指引）。

[必须] 权限失败处理流程: 执行过程中任何命令或API调用因权限错误失败时，按照以下流程处理:
读取
references/ram-policies.md
获取本Skill所需的完整权限列表
使用
ram-permission-diagnose
skill引导用户申请所需权限
暂停执行，等待用户确认已授予所需权限后再继续

Parameter Confirmation

参数确认

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, WorkspaceName, Description, EnvTypes, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

Parameter	Required/Optional	Description	Example
`--region`	Required	Region ID (global parameter), must be specified by the user, do not use default values	`cn-hangzhou`
`--workspace-name`	Required	Workspace name: 3-23 characters, starts with a letter, may contain letters/digits/underscores, unique within the region	`myworkspace`
`--description`	Required	Workspace description, max 80 characters	`My AI workspace`
`--env-types`	Required	Environment types (list format): `prod` (simple mode) or `dev prod` (standard mode)	`prod`
`--display-name`	Optional	Display name, defaults to WorkspaceName	`My Workspace`
`--resource-group-id`	Optional	Resource group ID, uses default resource group if not specified	`rg-xxxxxxxx`

Note: Once
--resource-group-id
is set, it cannot be modified via CLI/code. To change it, use the console or recreate the workspace.

重要：参数确认 —— 执行任何命令或API调用前，所有用户可自定义参数（例如RegionId、WorkspaceName、Description、EnvTypes等）必须与用户确认。未经用户明确同意，不得假设参数值或使用默认值。

参数	必填/可选	描述	示例
`--region`	必填	地域ID（全局参数），必须由用户指定，不得使用默认值	`cn-hangzhou`
`--workspace-name`	必填	工作空间名称：长度3-23字符，以字母开头，可包含字母/数字/下划线，同地域下唯一	`myworkspace`
`--description`	必填	工作空间描述，最长80字符	`My AI workspace`
`--env-types`	必填	环境类型（列表格式）： `prod` （简易模式）或 `dev prod` （标准模式）	`prod`
`--display-name`	可选	展示名称，默认与WorkspaceName一致	`My Workspace`
`--resource-group-id`	可选	资源组ID，未指定则使用默认资源组	`rg-xxxxxxxx`

注意：
--resource-group-id
一旦设置，无法通过CLI/代码修改。如需修改，请使用控制台或重新创建工作空间。

Timeout Configuration

超时配置

API calls support timeout configuration (in seconds):

Option 1: Command-line parameters (applies to the current command only):

```
--connect-timeout <seconds>
```
— Connection timeout
```
--read-timeout <seconds>
```
— I/O read timeout

Option 2: Persistent configuration (applies globally, written to current profile):

bash

aliyun configure set --connect-timeout 10 --read-timeout 30

Command-line parameters take precedence over persistent configuration. If not set, the CLI uses built-in defaults. When encountering
timeout
or
context deadline exceeded
errors, increase
--read-timeout
(e.g., 30-60 seconds).

API调用支持超时配置（单位：秒）:

方案1：命令行参数（仅对当前命令生效）:

```
--connect-timeout <seconds>
```
— 连接超时时间
```
--read-timeout <seconds>
```
— I/O读取超时时间

方案2：持久化配置（全局生效，写入当前配置文件）:

bash

aliyun configure set --connect-timeout 10 --read-timeout 30

命令行参数优先级高于持久化配置。未设置时CLI将使用内置默认值。遇到
timeout
或
context deadline exceeded
错误时，请调大
--read-timeout
（例如设置为30-60秒）。

Core Workflow

核心工作流

See
references/related-commands.md
for all CLI command templates and parameter details.

所有CLI命令模板和参数详情参考

references/related-commands.md

。

Prerequisite: Region Selection and PAI Activation Check

前置条件：地域选择与PAI激活检查

[MUST] Do not use a default region: The Agent must not assume or use a default region. It must explicitly ask the user which region to use.
[MUST] Check PAI activation on first use of a region: After the user specifies a region (or the first time a region is used in a session), the Agent must call
list-products
to check whether PAI is activated in that region before executing any subsequent workspace operations.

[必须] 不得使用默认地域: Agent不得假设或使用默认地域，必须明确询问用户需要使用的地域。
[必须] 首次使用某地域时检查PAI激活状态: 用户指定地域后（或会话中首次使用某地域时），Agent必须先调用
list-products
检查该地域下PAI是否已激活，再执行后续工作空间操作。

Step 1: Confirm Region

步骤1：确认地域

Ask the user which region to use. If the user has not specified one, provide the list of common regions for selection (see the Common Region IDs table in

references/related-commands.md

). Do not automatically select a default region.

询问用户需要使用的地域。如果用户未指定，提供常用地域列表供选择（参考

references/related-commands.md

中的常用地域ID表）。不得自动选择默认地域。

Step 2: Check PAI Activation Status

步骤2：检查PAI激活状态

Use

aliyun aiworkspace list-products

to check whether PAI and its dependent products are activated in the user-specified region:

bash

aliyun aiworkspace list-products \
  --region <UserSpecifiedRegionId> \
  --product-codes PAI_share \
  --verbose true \
  --user-agent AlibabaCloud-Agent-Skills

使用

aliyun aiworkspace list-products

检查用户指定地域下PAI及其依赖产品是否已激活:

bash

aliyun aiworkspace list-products \
  --region <UserSpecifiedRegionId> \
  --product-codes PAI_share \
  --verbose true \
  --user-agent AlibabaCloud-Agent-Skills

Step 3: Handle Check Results

步骤3：处理检查结果

Inspect the returned

Products

array for the matching product entry:

Decision logic:
IsPurchased == true
→ PAI is activated, proceed with subsequent workflows
IsPurchased == false
→ PAI is not activated, guide the user to activate:
Check the
HasPermissionToPurchase
field:
true
→ User has permission. Show the
PurchaseUrl
link and prompt the user to complete activation in the console before continuing
false
→ User lacks permission (requires the primary account or a RAM user with
pai:CreateOrder
permission). Inform the user to contact the primary account administrator
Do not proceed with creating/querying workspaces when PAI is not activated

检查返回的

Products

数组中匹配的产品条目:

判断逻辑:
IsPurchased == true
→ PAI已激活，可继续执行后续流程
IsPurchased == false
→ PAI未激活，引导用户完成激活:
检查
HasPermissionToPurchase
字段:
true
→ 用户有激活权限，展示
PurchaseUrl
链接，提示用户在控制台完成激活后再继续
false
→ 用户无权限（需要主账号或拥有
pai:CreateOrder
权限的RAM用户操作），告知用户联系主账号管理员
PAI未激活时不得继续执行创建/查询工作空间的操作

Workflow 1: Create Workspace (CreateWorkspace)

工作流1：创建工作空间（CreateWorkspace）

Use

aliyun aiworkspace create-workspace

to create a workspace. Required parameters:

--region

--workspace-name

--description

--env-types

. Simple mode uses

--env-types prod

, standard mode uses

--env-types dev prod

. Optionally add

--display-name

and

--resource-group-id

使用

aliyun aiworkspace create-workspace

创建工作空间。必填参数：

--region

、

--workspace-name

、

--description

、

--env-types

。简易模式使用

--env-types prod

，标准模式使用

--env-types dev prod

。可按需添加

--display-name

和

--resource-group-id

。

Step 1: Input Parameter Validation

步骤1：输入参数校验

[MUST] Parameter format validation: Before calling the API, the Agent must validate user-provided parameters as follows. If validation fails, prompt the user to correct the input. Do not submit non-compliant parameters:
Parameter Validation Rules Example
--workspace-name
3-23 characters, must start with a letter, may only contain letters, digits, and underscores (
_
). Hyphens (
-
), spaces, Chinese characters, and other special characters are not allowed
my_workspace_01
--description
Max 80 characters, wrap with quotes if containing special characters
"My AI workspace"
--env-types
Must be
prod
or
dev prod
, list format
prod
--display-name
Optional, no strict format restrictions
My Workspace

Parameter	Validation Rules	Example
`--workspace-name`	3-23 characters, must start with a letter, may only contain letters, digits, and underscores ( `_` ). Hyphens ( `-` ), spaces, Chinese characters, and other special characters are not allowed	`my_workspace_01`
`--description`	Max 80 characters, wrap with quotes if containing special characters	`"My AI workspace"`
`--env-types`	Must be `prod` or `dev prod` , list format	`prod`
`--display-name`	Optional, no strict format restrictions	`My Workspace`

[必须] 参数格式校验: 调用API前，Agent必须按照以下规则校验用户提供的参数。校验不通过时提示用户修正输入，不得提交不符合规范的参数:
参数校验规则示例
--workspace-name
长度3-23字符，必须以字母开头，仅允许包含字母、数字和下划线（
_
）。不允许连字符（
-
）、空格、中文和其他特殊字符
my_workspace_01
--description
最长80字符，包含特殊字符时需用引号包裹
"My AI workspace"
--env-types
必须为
prod
或
dev prod
，列表格式
prod
--display-name
可选，无严格格式限制
My Workspace

参数	校验规则	示例
`--workspace-name`	长度3-23字符，必须以字母开头，仅允许包含字母、数字和下划线（ `_` ）。不允许连字符（ `-` ）、空格、中文和其他特殊字符	`my_workspace_01`
`--description`	最长80字符，包含特殊字符时需用引号包裹	`"My AI workspace"`
`--env-types`	必须为 `prod` 或 `dev prod` ，列表格式	`prod`
`--display-name`	可选，无严格格式限制	`My Workspace`

Step 2: Name Existence Check (check-then-act idempotency pattern)

步骤2：名称存在性检查（先查后操作的幂等模式）

[MUST] Idempotency guarantee: The CreateWorkspace API does not support ClientToken, so idempotency is ensured via a check-then-act pattern. Before creating, you must call
list-workspaces --option CheckWorkspaceExists --workspace-name <name>
to check if the name already exists.
Decision logic:
TotalCount == 0
→ Name is available, proceed to Step 3 to create
TotalCount >= 1
→ Name already exists, perform the following:
Extract the existing
WorkspaceId
from the returned
Workspaces[0]
Call
get-workspace --workspace-id <id>
to get full details
Compare the existing workspace's key parameters (
EnvTypes
,
Description
, etc.) with the current request parameters
Match → Treat as already created, return the existing
WorkspaceId
directly, do not recreate
Mismatch → Inform the user that the name is already taken with a different configuration, ask the user to choose a different name

[必须] 幂等性保障: CreateWorkspace API不支持ClientToken，因此通过先查后操作的模式保障幂等性。创建前必须调用
list-workspaces --option CheckWorkspaceExists --workspace-name <name>
检查名称是否已存在。
判断逻辑:
TotalCount == 0
→ 名称可用，进入步骤3执行创建
TotalCount >= 1
→ 名称已存在，执行以下操作:
从返回的
Workspaces[0]
中提取已存在的
WorkspaceId
调用
get-workspace --workspace-id <id>
获取完整详情
对比已有工作空间的核心参数（
EnvTypes
、
Description
等）与当前请求参数
匹配 → 视为已创建，直接返回已有的
WorkspaceId
，不要重复创建
不匹配 → 告知用户该名称已被占用且配置不同，要求用户选择其他名称

Step 3: Execute Creation

步骤3：执行创建

After parameter validation passes and the name does not exist, execute the

create-workspace

command. On success, a

WorkspaceId

is returned. If the creation returns a

WorkspaceNameAlreadyExists

error (concurrent scenario), handle it using the

TotalCount >= 1

logic from Step 2.

参数校验通过且名称不存在时，执行

create-workspace

命令。创建成功后会返回

WorkspaceId

。如果创建返回

WorkspaceNameAlreadyExists

错误（并发场景），按照步骤2中

TotalCount >= 1

的逻辑处理。

Workflow 2: Get Workspace Details (GetWorkspace)

工作流2：获取工作空间详情（GetWorkspace）

[MUST] Single workspace queries must use
get-workspace
: When querying the details of one specific workspace, you must use
aliyun aiworkspace get-workspace --workspace-id <id>
. Do not use
list-workspaces --workspace-ids
as a substitute.
get-workspace
calls the GetWorkspace API and returns the complete details of a single workspace.

Only accepts

--workspace-id

(required) and

--verbose

(optional). The region is specified via the global

--region

parameter. A

Status

ENABLED

indicates the workspace is ready.

[MUST]
--verbose true
trigger rules:
--verbose true
returns Owner (UserKp, UserId, UserName, DisplayName) and AdminNames (admin account list). The Agent must follow these rules:
Trigger conditions — When the user's request involves any of the following keywords,
--verbose true
must be appended when constructing the command (determined before calling the API, not dependent on API success):

Chinese keywords: 所有者, 拥有者, 创建者, 管理员, 负责人, 归属

English keywords: owner, admin, administrator, verbose

Field names: Owner, AdminNames
When not triggered — When the user only queries basic info (status, environment types, etc.), do not append
--verbose
Masking rules — UserId/Creator: last 4 digits only (
****1234
); UserKp: omit entirely; UserName/DisplayName: first character only (
z***
); AdminNames entries:
u***@example.com
No raw sensitive data in stdout, execution logs, on disk, or in output — EVERY execution of
get-workspace
(with or without
--verbose
) or
list-workspaces
must be a single pipeline command with
| jq -r
appended. The Agent must NEVER run the CLI command first and then mask the output separately — the raw JSON would appear in the execution transcript. No two-step processing, no variable capture (
response=$(aliyun ...)
), no intermediate scripts. All masking must happen inside the
jq
filter of the same pipeline. See the Sensitive Data Masking section and
references/related-commands.md
for templates

[MUST] 404 error handling: When
get-workspace
returns
StatusCode: 404, Code: 100400027, Message: Workspace not exists
, the workspace ID does not exist. The Agent must directly report to the user that the workspace does not exist, including the original workspace-id specified by the user. Do not fall back to
list-workspaces
or other APIs to try to "find" the workspace after receiving a 404. Do not silently ignore the error. If the user subsequently provides a new workspace-id, the Agent must retry
get-workspace
with the same parameters as the initial call (including
--verbose true
, etc.).

[必须] 单个工作空间查询必须使用
get-workspace
: 查询单个特定工作空间的详情时，必须使用
aliyun aiworkspace get-workspace --workspace-id <id>
。不得使用
list-workspaces --workspace-ids
替代。
get-workspace
调用GetWorkspace API，返回单个工作空间的完整详情。

仅接受

--workspace-id

（必填）和

--verbose

（可选）参数。地域通过全局

--region

参数指定。

Status

为

ENABLED

表示工作空间可用。

[必须]
--verbose true
触发规则:
--verbose true
会返回所有者信息（UserKp、UserId、UserName、DisplayName）和管理员列表（AdminNames）。Agent必须遵循以下规则:
触发条件 —— 用户请求包含以下任意关键词时，构建命令时必须附加
--verbose true
（调用API前判断，不依赖API返回结果）:

中文关键词：所有者、拥有者、创建者、管理员、负责人、归属

英文关键词：owner、admin、administrator、verbose

字段名：Owner、AdminNames
未触发时 —— 用户仅查询基础信息（状态、环境类型等）时，不要附加
--verbose
脱敏规则 —— UserId/创建者：仅展示最后4位（
****1234
）；UserKp：完全省略；UserName/展示名称：仅展示首字符（
z***
）；AdminNames条目：
u***@example.com
格式
标准输出、执行日志、磁盘或输出中不得出现原始敏感数据 —— 每次执行
get-workspace
（无论是否带
--verbose
）或
list-workspaces
都必须是附加了
| jq -r
的单条管道命令。Agent绝对不能先运行CLI命令，再单独脱敏输出 —— 否则原始JSON会被记录到执行转录文件中。禁止两步处理、禁止变量捕获（
response=$(aliyun ...)
）、禁止中间脚本。所有脱敏操作必须在同一条管道的
jq
过滤器内完成。参考敏感数据脱敏章节和
references/related-commands.md
获取命令模板

[必须] 404错误处理: 当
get-workspace
返回
StatusCode: 404, Code: 100400027, Message: Workspace not exists
时，表示工作空间ID不存在。Agent必须直接告知用户工作空间不存在，包含用户指定的原始工作空间ID。收到404错误后不得回退到
list-workspaces
或其他API尝试「查找」工作空间，不得静默忽略错误。如果用户后续提供了新的工作空间ID，Agent必须使用与初始调用相同的参数（包括
--verbose true
等）重试
get-workspace
。

Workflow 3: List Workspaces (ListWorkspaces)

工作流3：罗列工作空间（ListWorkspaces）

Use

aliyun aiworkspace list-workspaces

to list workspaces. Supports the following filter and sort parameters:

```
--workspace-name <name>
```
— Fuzzy match by name

--workspace-ids <id1,id2,...>

— Batch query by ID list, comma-separated (e.g.,

--workspace-ids "123,456,789"

)

--status <STATUS>

— Filter by status, enum values (all uppercase):

ENABLED

INITIALIZING

FAILURE

DISABLED

FROZEN

UPDATING

--sort-by <Field>

— Sort field (case-sensitive):

GmtCreateTime

(default) |

GmtModifiedTime

```
--order <ORDER>
```
— Sort direction (all uppercase):
```
ASC
```
(default) |
```
DESC
```
```
--page-number <n>
```
/
```
--page-size <n>
```
— Pagination parameters
```
--option GetResourceLimits
```
— Get resource limit information instead of workspace list
```
--option CheckWorkspaceExists
```
— Check if a workspace with the specified name already exists (pre-creation check, use with
```
--workspace-name
```
)

[MUST] API selection rules: Use
get-workspace --workspace-id
(GetWorkspace API) for querying a single ID; use
list-workspaces --workspace-ids "id1,id2,..."
for querying multiple IDs (2 or more) in a single batch query (ListWorkspaces API). Do not call
get-workspace
individually for each ID.
[MUST] Batch query results are final: The
Workspaces
array returned by
list-workspaces --workspace-ids
already contains complete information for each workspace (Status, EnvTypes, GmtCreateTime, etc.). Do not call
get-workspace
for any ID in the batch results to get additional details. If some IDs are not in the response, those IDs do not exist — report this to the user directly.

[MUST] Enum values are case-sensitive:
--sort-by
must be
GmtCreateTime
or
GmtModifiedTime
(camelCase),
--order
must be
ASC
or
DESC
(all uppercase),
--status
must be all uppercase like
ENABLED
. Using incorrect casing (e.g.,
desc
,
gmtCreateTime
,
enabled
) will cause API errors or unexpected results.

[MUST] ListWorkspaces sensitive field masking: Each workspace object returned by
list-workspaces
always contains
Creator
(creator user ID) and
AdminNames
(admin account list) — no
--verbose true
needed. The Agent must mask these fields when displaying (
Creator
: last 4 digits only;
AdminNames
: first character +
***
). Do not output JSON containing the raw values, and do not save raw responses to files via redirection (
> file
) or scripts.

使用

aliyun aiworkspace list-workspaces

罗列工作空间。支持以下过滤和排序参数:

```
--workspace-name <name>
```
— 按名称模糊匹配

--workspace-ids <id1,id2,...>

— 按ID列表批量查询，逗号分隔（例如

--workspace-ids "123,456,789"

）

--status <STATUS>

— 按状态过滤，枚举值（全大写）：

ENABLED

INITIALIZING

FAILURE

DISABLED

FROZEN

UPDATING

```
--sort-by <Field>
```
— 排序字段（大小写敏感）：
```
GmtCreateTime
```
（默认） |
```
GmtModifiedTime
```
```
--order <ORDER>
```
— 排序方向（全大写）：
```
ASC
```
（默认） |
```
DESC
```
```
--page-number <n>
```
/
```
--page-size <n>
```
— 分页参数
```
--option GetResourceLimits
```
— 获取资源限制信息而非工作空间列表
```
--option CheckWorkspaceExists
```
— 检查指定名称的工作空间是否已存在（创建前检查，与
```
--workspace-name
```
配合使用）

[必须] API选择规则: 查询单个ID使用
get-workspace --workspace-id
（GetWorkspace API）；查询多个ID（2个及以上）时使用
list-workspaces --workspace-ids "id1,id2,..."
进行单批次查询（ListWorkspaces API）。不要为每个ID单独调用
get-workspace
。
[必须] 批量查询结果为最终结果:
list-workspaces --workspace-ids
返回的
Workspaces
数组已包含每个工作空间的完整信息（状态、环境类型、创建时间等）。不要为批量结果中的任何ID调用
get-workspace
获取额外详情。如果部分ID未出现在响应中，则这些ID不存在 —— 直接告知用户即可。

[必须] 枚举值大小写敏感:
--sort-by
必须为
GmtCreateTime
或
GmtModifiedTime
（驼峰格式），
--order
必须为
ASC
或
DESC
（全大写），
--status
必须为全大写例如
ENABLED
。使用错误的大小写（例如
desc
、
gmtCreateTime
、
enabled
）会导致API错误或非预期结果。

[必须] ListWorkspaces敏感字段脱敏:
list-workspaces
返回的每个工作空间对象始终包含
Creator
（创建者用户ID）和
AdminNames
（管理员账号列表）—— 无需
--verbose true
。Agent展示这些字段时必须脱敏（
Creator
仅展示最后4位；
AdminNames
展示首字符+
***
）。不要输出包含原始值的JSON，不要通过重定向（
> file
）或脚本将原始响应保存到文件。

Success Verification

成功验证

Verification Target	Method	Success Criteria
WorkspaceId returned	Parse create command response	`WorkspaceId` is not empty
Workspace status is normal	`get-workspace` command	`Status == "ENABLED"`
Visible in console	Log in to PAI Console and verify manually	New workspace appears in the list

See
references/verification-method.md
for detailed verification methods

验证目标	方法	成功标准
已返回WorkspaceId	解析创建命令响应	`WorkspaceId` 不为空
工作空间状态正常	执行 `get-workspace` 命令	`Status == "ENABLED"`
控制台可见	登录PAI控制台手动验证	新工作空间出现在列表中

详细验证方法参考
references/verification-method.md

Cleanup (Delete Workspace)

清理（删除工作空间）

Warning: Deleting a workspace is an irreversible operation that removes all resources within it. Proceed with caution.
Note: Workspace deletion cannot be performed directly via CLI (the
aiworkspace
plugin does not currently support
delete-workspace
). Use the following methods:
Console deletion: Log in to PAI Console -> Workspace List -> Select workspace -> Delete
API call: Use the
DELETE /api/v1/workspaces/{WorkspaceId}
endpoint (via SDK or direct HTTP call)

警告: 删除工作空间是不可逆操作，会移除空间内所有资源，请谨慎操作。
注意: 工作空间删除无法直接通过CLI执行（
aiworkspace
插件目前不支持
delete-workspace
能力）。可使用以下方式:
控制台删除: 登录PAI控制台 -> 工作空间列表 -> 选择工作空间 -> 删除
API调用: 使用
DELETE /api/v1/workspaces/{WorkspaceId}
接口（通过SDK或直接HTTP调用）

Best Practices

最佳实践

Naming conventions: Use project names or team identifier prefixes for WorkspaceName, e.g.,
```
nlp_prod
```
,
```
cv_dev
```
(note: hyphens are not supported, use underscores)
Environment selection: Use standard mode (
```
dev
```
+
```
prod
```
) for production projects to separate development and production resources
Description: Description should indicate the purpose, team, or project for easier management
Region selection: Choose the region closest to your data storage to minimize data transfer latency
Resource group management: Use different resource groups for multi-project scenarios to facilitate cost allocation and permission management
DisplayName: Use business-friendly names as the display name while using English identifiers for WorkspaceName

命名规范: WorkspaceName使用项目名或团队标识作为前缀，例如
```
nlp_prod
```
、
```
cv_dev
```
（注意：不支持连字符，使用下划线）
环境选择: 生产项目使用标准模式（
```
dev
```
+
```
prod
```
），隔离开发和生产资源
描述信息: 描述应注明用途、归属团队或项目，方便管理
地域选择: 选择离数据存储最近的地域，最小化数据传输延迟
资源组管理: 多项目场景使用不同资源组，便于成本分摊和权限管理
展示名称: 使用业务友好的名称作为展示名称，WorkspaceName使用英文标识

Reference Documentation

参考文档

Document	Description
references/ram-policies.md	RAM permission policies, Policy JSON, and instructions
references/related-commands.md	Complete CLI command templates, parameter tables, enum values, and return fields
references/verification-method.md	Verification steps and scripts
references/acceptance-criteria.md	CLI command acceptance criteria (correct/incorrect patterns)
references/cli-installation-guide.md	Aliyun CLI installation and configuration
ListWorkspaces API Doc	ListWorkspaces API reference
CreateWorkspace API Doc	CreateWorkspace API reference
GetWorkspace API Doc	GetWorkspace API reference
ListProducts API Doc	ListProducts API reference (product activation status check)

文档	描述
references/ram-policies.md	RAM权限策略、Policy JSON和操作指引
references/related-commands.md	完整CLI命令模板、参数表、枚举值和返回字段说明
references/verification-method.md	验证步骤和脚本
references/acceptance-criteria.md	CLI命令验收标准（正确/错误示例）
references/cli-installation-guide.md	Aliyun CLI安装和配置指引
ListWorkspaces API Doc	ListWorkspaces API参考
CreateWorkspace API Doc	CreateWorkspace API参考
GetWorkspace API Doc	GetWorkspace API参考
ListProducts API Doc	ListProducts API参考（产品激活状态检查）