alibabacloud-resourcecenter-search

1. Prerequisites

Pre-check: Aliyun CLI >= 3.3.1 required

Run `aliyun version` to verify >= 3.3.1. If not installed or version too low, see `references/cli-installation-guide.md` for installation instructions. Then [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
  • NEVER read, echo, or print AK/SK values (e.g., `echo $ALIBABA_CLOUD_ACCESS_KEY_ID` is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use `aliyun configure set` with literal credential values
  • ONLY use `aliyun configure list` to check credential status

```bash
aliyun configure list
```

Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via `aliyun configure` in terminal or environment variables in shell profile)
  3. Return and re-run after `aliyun configure list` shows a valid profile
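
The two pre-checks above as a script, added here as an example and not part of the skill's own files: it gates on the 3.3.1 minimum and reads `aliyun configure list` output for a valid profile without ever emitting the Credential column. The table in `SAMPLE_LIST` is constructed and its column order (Profile, Credential, Valid) is an assumption; `version_ge`, `valid_profiles` and `preflight` are hypothetical names.

```shell
#!/bin/sh
# Added example: pre-checks that never print AK/SK material.

# Constructed sample of `aliyun configure list` output (column layout assumed).
SAMPLE_LIST='Profile   | Credential   | Valid   | Region      | Language
--------- | ------------ | ------- | ----------- | --------
default * | AK:***abc    | Valid   | cn-hangzhou | en
old       | AK:***xyz    | Invalid | cn-hangzhou | en'

# version_ge A B: succeed when dotted version A >= B, compared numerically
# per component (so 3.10.0 is newer than 3.3.1).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# valid_profiles: read `aliyun configure list` output on stdin and print only
# the names of profiles marked Valid. The Credential column is never emitted.
valid_profiles() {
  awk -F'|' 'NR > 2 && NF >= 3 {
    name = $1; valid = $3
    gsub(/^[ \t]+|[ \t*]+$/, "", name)   # trim; drop the "*" current marker
    gsub(/[ \t]/, "", valid)
    if (valid == "Valid") print name
  }'
}

# preflight VERSION: stdin is `aliyun configure list` output.
# Returns 1 for a CLI older than 3.3.1, 2 when no valid profile exists.
preflight() {
  version_ge "$1" "3.3.1" || {
    echo "Aliyun CLI $1 is older than 3.3.1" >&2
    return 1
  }
  profiles=$(valid_profiles)
  [ -n "$profiles" ] || {
    echo "no valid profile: STOP and configure credentials outside this session" >&2
    return 2
  }
  echo "$profiles"
}

# Live use: aliyun configure list | preflight "$(aliyun version)"
```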

2. Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume and use default values without explicit user approval.

| Parameter | Required/Optional | Description | Default Value |
|---|---|---|---|
| `Scope` | Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
| `ResourceType` | Optional | Resource type (e.g., `ACS::ECS::Instance`) | None (all types) |
| `RegionId` | Optional | Resource Region ID (e.g., `cn-hangzhou`) | None (all regions) |
| `ResourceId` | Optional | Resource ID | None |
| `ResourceName` | Optional | Resource name | None |
| `VpcId` | Optional | VPC ID (e.g., `vpc-xxx`) | None |
| `VSwitchId` | Optional | VSwitch (e.g., `vsw-xxx`) | None |
| `IpAddress` | Optional | IP address | None |
| `GroupByKey` | Optional | Statistics grouping dimension: `ResourceType`, `RegionId`, `ResourceGroupId` | None |
| `MaxResults` | Optional | Page size for paginated APIs. | 20 |

3. RAM Policy

See references/ram-policies.md for full permission lists.
Recommended system policies:
  • Read-only: `AliyunResourceCenterReadOnlyAccess`
  • Full access: `AliyunResourceCenterFullAccess`
Opening Resource Center will auto-create the service-linked role `AliyunServiceRoleForResourceMetaCenter`.

Resource Visibility Scope

RAM policies (defined in `ram-policies.md`) control whether a user can call a Resource Center API. However, for search APIs (`SearchResources`, `GetResourceCounts`, `GetResourceConfiguration`, `SearchMultiAccountResources`, `GetMultiAccountResourceCounts`, `GetMultiAccountResourceConfiguration`), the scope of resources visible in results is determined by each cloud product's own permissions:

Single Account

  • Cloud resource read permissions: A RAM user can only see resources in Resource Center for which they have read-only access on the corresponding cloud product. For example, granting `ReadOnlyAccess` lets the user see all resources they have access to; granting only `AliyunVPCReadOnlyAccess` limits visibility to VPC resources.
  • Resource group scoped permissions: If resources are organized by resource groups, you can grant a RAM user read access scoped to a specific resource group. The user will only see resources within that group, achieving resource isolation.

Cross-Account

  • Grant the system policy `AliyunResourceCenterFullAccess` to the RAM user of the Resource Directory management account to enable cross-account resource search.

4. Core Workflow

Step 1: Identify APIs Based on User Requirements

Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.

Step 2: [MUST] Read API Documentation Before Every CLI Call

CRITICAL WARNING: DO NOT execute any `aliyun resourcecenter` command without first reading the exact parameter format in `references/related-apis.md`.
Failure Pattern: Guessing parameters like `--filter` format will cause errors. The correct JSON structure MUST be copied from the documentation.
Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.

Scenario Cards

Scenario 1: Service Activation

| Requirement | Account Type | API | Description |
|---|---|---|---|
| Check if enabled | Single-account | `get-resource-center-service-status` | Returns service status |
| Enable service | Single-account | `enable-resource-center` | Required for first-time use |
| Check cross-account status | Resource Directory | `get-multi-account-resource-center-service-status` | Multi-account scenario |
| Enable cross-account service | Resource Directory | `enable-multi-account-resource-center` | Requires management account or delegated admin |

Scenario 2: ResourceType Discovery

| Requirement | Account Type | Script | Description |
|---|---|---|---|
| Find resource type codes by keyword | Single-account | `scripts/query-resource-types.py` | Search across ResourceType, ProductName, and ResourceTypeName fields |

Decision Logic:
  • When you need to filter by resource type but don't know the exact code -> Use this script first
  • After discovering the correct `ResourceType` code -> Use it in search or count API with `--filter` parameter

Scenario 3: Resource Search

| Requirement | Account Scope | API | Key Parameters |
|---|---|---|---|
| Search resources by criteria | Current account | `search-resources` | `--filter` |
| Cross-account resource search | Resource Directory | `search-multi-account-resources` | `--scope` + `--filter` |
| Search including deleted resources | Current account | `search-resources` | `--include-deleted-resources=true` |

Scenario 4: View Resource Details

| Requirement | Account Scope | API | Use Case |
|---|---|---|---|
| Get single resource configuration | Current account | `get-resource-configuration` | Get complete configuration details |
| Batch get multiple resource configurations | Current account | `batch-get-resource-configurations` | Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | `get-multi-account-resource-configuration` | Cross-account view |

Scenario 5: Statistics and Analysis

| Requirement | Account Scope | API | Grouping Dimensions |
|---|---|---|---|
| Count resources | Current account | `get-resource-counts` | `ResourceType`, `RegionId`, `ResourceGroupId` |
| Cross-account statistics | Resource Directory | `get-multi-account-resource-counts` | `ResourceType`, `RegionId`, `ResourceGroupId` |

Scenario 6: Tag Discovery

| Requirement | Account Scope | API | Description |
|---|---|---|---|
| List all tag keys | Current account | `list-tag-keys` | Browse tag catalog |
| List values for a specific tag key | Current account | `list-tag-values` | e.g., list all values for `env` |
| Cross-account tag keys | Resource Directory | `list-multi-account-tag-keys` | Multi-account scenario |
| Cross-account tag values | Resource Directory | `list-multi-account-tag-values` | Multi-account scenario |

5. Success Verification

See references/verification-method.md for detailed verification steps and commands for each workflow step.

6. Precautions

[MUST] High-Risk Operation Confirmation — Before executing `disable-resource-center` or `disable-multi-account-resource-center`:
  1. MUST explicitly inform the user of the impacts:
    • Disable Impact
      • After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
        • For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
        • For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
        • After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
    • Disable Restrictions
      • If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
      • If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
  2. MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
  3. DO NOT proceed without user's explicit acknowledgment

Disable Resource Center

Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.

```bash
aliyun resourcecenter disable-resource-center \
  --user-agent AlibabaCloud-Agent-Skills
```

Disable Cross-Account Resource Center

Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.

```bash
aliyun resourcecenter disable-multi-account-resource-center \
  --user-agent AlibabaCloud-Agent-Skills
```
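
A wrapper that enforces the confirmation rule and the disable ordering described in this section, added here as an example and not part of the skill's own files. `guarded_rc`, `CONFIRM_PHRASE` and `DRY_RUN` are hypothetical names, and the cross-account state is assumed to be supplied by the caller after checking the service status.

```shell
#!/bin/sh
# Added example: confirmation and ordering gate for the two disable operations.
CONFIRM_PHRASE="confirm disable"   # the page's example confirmation wording
DRY_RUN=${DRY_RUN:-1}              # 1 = print the command instead of running it

# guarded_rc SUBCOMMAND TYPED_CONFIRMATION CROSS_ACCOUNT_STATE
#   TYPED_CONFIRMATION   what the user actually typed
#   CROSS_ACCOUNT_STATE  "enabled" or "disabled", supplied by the caller after
#                        checking the cross-account service status (assumption:
#                        the caller has already interpreted that API response)
# Returns 0 on success, 3 without confirmation, 4 when the order is wrong.
guarded_rc() {
  sub=$1; typed=$2; cross=$3
  case "$sub" in
    disable-resource-center|disable-multi-account-resource-center)
      if [ "$typed" != "$CONFIRM_PHRASE" ]; then
        echo "refused: $sub requires explicit user confirmation" >&2
        return 3
      fi
      # Fail closed: anything other than a known "disabled" state blocks
      # the single-account disable.
      if [ "$sub" = "disable-resource-center" ] && [ "$cross" != "disabled" ]; then
        echo "refused: disable cross-account Resource Center first" >&2
        return 4
      fi
      ;;
  esac
  # Every call carries the user-agent flag the skill requires.
  set -- aliyun resourcecenter "$sub" --user-agent AlibabaCloud-Agent-Skills
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}
```

Read-only subcommands pass through the gate unchanged; only the two disable operations are checked.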

7. Best Practices

  1. `--user-agent` on every Resource Center CLI call — All `aliyun resourcecenter` examples in this skill include `--user-agent AlibabaCloud-Agent-Skills`. When executing commands for this skill, always pass the same flag so usage is consistent with verification, maintainers’ expectations, and any automated checks.
  2. Use filters for targeted search — Combining `ResourceType`, `RegionId`, and `Tag` filters improves search efficiency
  3. Use `GroupByKey` for quick statistics — Get resource distribution by type, region, or resource group without iterating
  4. Cross-account scope selection — Use the most specific scope (member ID > folder ID > root folder ID > directory ID) to narrow search results
  5. Wait after enabling — Resource Center needs a few minutes to build data after activation; large accounts may take longer
  6. Prefer read-only policies — For daily search and statistics operations, use `AliyunResourceCenterReadOnlyAccess` for security
  7. ResourceType discovery — When the exact resource type code is unknown, use the helper script documented in Section 8 (run from the skill root directory).
  8. Tag discovery vs tag-filtered search — For “what tag keys/values exist”, use `list-tag-keys` / `list-tag-values` (and multi-account variants with `--scope`). Reserve `search-resources` for finding resources that match tag conditions.

8. Available scripts

| Script | Purpose | Usage |
|---|---|---|
| `scripts/query-resource-types.py` | Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON (`resourceTypes`, `count`, `keyword`, `language`; failures use `success: false` and `error`) | `python3 scripts/query-resource-types.py <keyword> [--language LANGUAGE]` |

9. Troubleshooting

When a Resource Center API call or `aliyun resourcecenter` command fails, read the response’s HTTP status, Code (error code), and Message, then match them against the catalog.
Full error list: references/error-codes.md

10. Reference Links

| Reference | Description |
|---|---|
| `references/related-apis.md` | All CLI commands list |
| `references/ram-policies.md` | RAM permission policies |
| `references/verification-method.md` | Verification steps for each workflow |
| `references/error-codes.md` | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| `references/cli-installation-guide.md` | Aliyun CLI installation guide |
| `references/acceptance-criteria.md` | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |