1. Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required
Run
to verify >= 3.3.1. If not installed or version too low,
see
references/cli-installation-guide.md
for installation instructions.
Then
[MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use with literal credential values
- ONLY use to check credential status
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via in terminal or environment variables in shell profile)
- Return and re-run after shows a valid profile
2. Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,
passwords, domain names, resource specifications, etc.) MUST be confirmed with the
user. Do NOT assume and use default values without explicit user approval.
| Parameter | Required/Optional | Description | Default Value |
|---|
| Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
| Optional | Resource type (e.g., ) | None (all types) |
| Optional | Resource Region ID (e.g., ) | None (all regions) |
| Optional | Resource ID | None |
| Optional | Resource name | None |
| Optional | VPC ID (e.g., ) | None |
| Optional | VSwitch (e.g., ) | None |
| Optional | IP address | None |
| Optional | Statistics grouping dimension: , , | None |
| Optional | Page size for paginated APIs. | 20 |
3. RAM Policy
See references/ram-policies.md for full permission lists.
Recommended system policies:
- Read-only:
AliyunResourceCenterReadOnlyAccess
- Full access:
AliyunResourceCenterFullAccess
Opening Resource Center will auto-create the service-linked role
AliyunServiceRoleForResourceMetaCenter
.
Resource Visibility Scope
RAM policies (defined in
) control whether a user
can call a Resource Center API. However, for
search APIs (
,
,
,
SearchMultiAccountResources
,
GetMultiAccountResourceCounts
,
GetMultiAccountResourceConfiguration
), the
scope of resources visible in results is determined by each cloud product's own permissions:
Single Account
- Cloud resource read permissions: A RAM user can only see resources in Resource Center for which they have read-only access on the corresponding cloud product. For example, granting lets the user see all resources they have access to; granting only limits visibility to VPC resources.
- Resource group scoped permissions: If resources are organized by resource groups, you can grant a RAM user read access scoped to a specific resource group. The user will only see resources within that group, achieving resource isolation.
Cross-Account
- Grant the system policy
AliyunResourceCenterFullAccess
4. Core Workflow
Step 1: Identify APIs Based on User Requirements
Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.
Step 2: [MUST] Read API Documentation Before Every CLI Call
CRITICAL WARNING: DO NOT execute any
command without first reading the exact parameter format in
references/related-apis.md
.
Failure Pattern: Guessing parameters like
format will cause errors. The correct JSON structure MUST be copied from the documentation.
Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.
Scenario Cards
Scenario 1: Service Activation
| Requirement | Account Type | API | Description |
|---|
| Check if enabled | Single-account | get-resource-center-service-status
| Returns service status |
| Enable service | Single-account | | Required for first-time use |
| Check cross-account status | Resource Directory | get-multi-account-resource-center-service-status
| Multi-account scenario |
| Enable cross-account service | Resource Directory | enable-multi-account-resource-center
| Requires management account or delegated admin |
Scenario 2: ResourceType Discovery
| Requirement | Account Type | Script | Description |
|---|
| Find resource type codes by keyword | Single-account | scripts/query-resource-types.py
| Search across ResourceType, ProductName, and ResourceTypeName fields |
Decision Logic:
- When you needs to filter by resource type but doesn't know the exact code -> Use this script first
- After discovering the correct code -> Use it in search or count API with parameter
Scenario 3: Resource Search
| Requirement | Account Scope | API | Key Parameters |
|---|
| Search resources by criteria | Current account | | |
| Cross-account resource search | Resource Directory | search-multi-account-resources
| + |
| Search including deleted resources | Current account | | --include-deleted-resources=true
|
Scenario 4: View Resource Details
| Requirement | Account Scope | API | Use Case |
|---|
| Get single resource configuration | Current account | get-resource-configuration
| Get complete configuration details |
| Batch get multiple resource configurations | Current account | batch-get-resource-configurations
| Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | get-multi-account-resource-configuration
| Cross-account view |
Scenario 5: Statistics and Analysis
| Requirement | Account Scope | API | Grouping Dimensions |
|---|
| Count resources | Current account | | , , |
| Cross-account statistics | Resource Directory | get-multi-account-resource-counts
| , , |
Scenario 6: Tag Discovery
| Requirement | Account Scope | API | Description |
|---|
| List all tag keys | Current account | | Browse tag catalog |
| List values for a specific tag key | Current account | | e.g., list all values for |
| Cross-account tag keys | Resource Directory | list-multi-account-tag-keys
| Multi-account scenario |
| Cross-account tag values | Resource Directory | list-multi-account-tag-values
| Multi-account scenario |
5. Success Verification
See references/verification-method.md for detailed verification steps and commands for each workflow step.
6. Precautions
[MUST] High-Risk Operation Confirmation — Before executing
or
disable-multi-account-resource-center
:
- MUST explicitly inform the user of the impacts:
- Disable Impact
- After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
- For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
- For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
- After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
- Disable Restrictions
- If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
- If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
- MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
- DO NOT proceed without user's explicit acknowledgment
Disable Resource Center
Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.
bash
aliyun resourcecenter disable-resource-center \
--user-agent AlibabaCloud-Agent-Skills
Disable Cross-Account Resource Center
Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.
bash
aliyun resourcecenter disable-multi-account-resource-center \
--user-agent AlibabaCloud-Agent-Skills
7. Best Practices
- on every Resource Center CLI call — All examples in this skill include
--user-agent AlibabaCloud-Agent-Skills
- Use filters for targeted search — Combining , , and filters improves search efficiency
- Use for quick statistics — Get resource distribution by type, region, or resource group without iterating
- Cross-account scope selection — Use the most specific scope (member ID > folder ID > root folder ID > directory ID) to narrow search results
- Wait after enabling — Resource Center needs a few minutes to build data after activation; large accounts may take longer
- Prefer read-only policies — For daily search and statistics operations, use
AliyunResourceCenterReadOnlyAccess
- ResourceType discovery — When the exact resource type code is unknown, use the helper script documented in Section 8 (run from the skill root directory).
- Tag discovery vs tag-filtered search — For “what tag keys/values exist”, use / (and multi-account variants with ). Reserve for finding resources that match tag conditions.
8. Available scripts
| Script | Purpose | Usage |
|---|
scripts/query-resource-types.py
| Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON (, , , ; failures use and ) | python3 scripts/query-resource-types.py <keyword> [--language LANGUAGE]
|
9. Troubleshooting
When a Resource Center API call or
command fails, read the response’s
HTTP status,
Code (error code), and
Message, then match them against the catalog.
Full error list: references/error-codes.md
10. Reference Links
| Reference | Description |
|---|
| references/related-apis.md | All CLI commands list |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification steps for each workflow |
| references/error-codes.md | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/acceptance-criteria.md | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |