alibabacloud-resourcecenter-search
1. Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required

Run `aliyun version` to verify >= 3.3.1. If not installed or version too low, see `references/cli-installation-guide.md` for installation instructions. Then [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
- NEVER read, echo, or print AK/SK values (e.g., `echo $ALIBABA_CLOUD_ACCESS_KEY_ID` is FORBIDDEN)
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use `aliyun configure set` with literal credential values
- ONLY use `aliyun configure list` to check credential status

```bash
aliyun configure list
```

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via `aliyun configure` in terminal or environment variables in shell profile)
- Return and re-run after `aliyun configure list` shows a valid profile
2. Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume and use default values without explicit user approval.
| Parameter | Required/Optional | Description | Default Value |
|---|---|---|---|
| | Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
| | Optional | Resource type (e.g., | None (all types) |
| | Optional | Resource Region ID (e.g., | None (all regions) |
| | Optional | Resource ID | None |
| | Optional | Resource name | None |
| | Optional | VPC ID (e.g., | None |
| | Optional | VSwitch (e.g., | None |
| | Optional | IP address | None |
| | Optional | Statistics grouping dimension: | None |
| | Optional | Page size for paginated APIs. | 20 |
3. RAM Policy
See references/ram-policies.md for full permission lists.
Recommended system policies:
- Read-only: `AliyunResourceCenterReadOnlyAccess`
- Full access: `AliyunResourceCenterFullAccess`

Opening Resource Center will auto-create the service-linked role `AliyunServiceRoleForResourceMetaCenter`.
Resource Visibility Scope
RAM policies (defined in `ram-policies.md`) control whether a user can call a Resource Center API. However, for search APIs (`SearchResources`, `GetResourceCounts`, `GetResourceConfiguration`, `SearchMultiAccountResources`, `GetMultiAccountResourceCounts`, `GetMultiAccountResourceConfiguration`), the scope of resources visible in results is determined by each cloud product's own permissions:

Single Account
- Cloud resource read permissions: A RAM user can only see resources in Resource Center for which they have read-only access on the corresponding cloud product. For example, granting `ReadOnlyAccess` lets the user see all resources they have access to; granting only `AliyunVPCReadOnlyAccess` limits visibility to VPC resources.
- Resource group scoped permissions: If resources are organized by resource groups, you can grant a RAM user read access scoped to a specific resource group. The user will only see resources within that group, achieving resource isolation.
Cross-Account
- Grant the `AliyunResourceCenterFullAccess` system policy to the RAM user of the Resource Directory management account to enable cross-account resource search.
4. Core Workflow
Step 1: Identify APIs Based on User Requirements
Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.
Step 2: [MUST] Read API Documentation Before Every CLI Call
CRITICAL WARNING: DO NOT execute any `aliyun resourcecenter` command without first reading the exact parameter format in `references/related-apis.md`.

Failure Pattern: Guessing parameters like `--filter` format will cause errors. The correct JSON structure MUST be copied from the documentation.

Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.
Scenario Cards
Scenario 1: Service Activation
| Requirement | Account Type | API | Description |
|---|---|---|---|
| Check if enabled | Single-account | | Returns service status |
| Enable service | Single-account | | Required for first-time use |
| Check cross-account status | Resource Directory | | Multi-account scenario |
| Enable cross-account service | Resource Directory | | Requires management account or delegated admin |
Scenario 2: ResourceType Discovery
| Requirement | Account Type | Script | Description |
|---|---|---|---|
| Find resource type codes by keyword | Single-account | | Search across ResourceType, ProductName, and ResourceTypeName fields |
Decision Logic:
- When you need to filter by resource type but don't know the exact code -> Use this script first
- After discovering the correct code -> Use it in the search or count API with the `ResourceType` `--filter` parameter
Scenario 3: Resource Search
| Requirement | Account Scope | API | Key Parameters |
|---|---|---|---|
| Search resources by criteria | Current account | | |
| Cross-account resource search | Resource Directory | | |
| Search including deleted resources | Current account | | |
Scenario 4: View Resource Details
| Requirement | Account Scope | API | Use Case |
|---|---|---|---|
| Get single resource configuration | Current account | | Get complete configuration details |
| Batch get multiple resource configurations | Current account | | Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | | Cross-account view |
Scenario 5: Statistics and Analysis
| Requirement | Account Scope | API | Grouping Dimensions |
|---|---|---|---|
| Count resources | Current account | | |
| Cross-account statistics | Resource Directory | | |
Scenario 6: Tag Discovery
| Requirement | Account Scope | API | Description |
|---|---|---|---|
| List all tag keys | Current account | | Browse tag catalog |
| List values for a specific tag key | Current account | | e.g., list all values for |
| Cross-account tag keys | Resource Directory | | Multi-account scenario |
| Cross-account tag values | Resource Directory | | Multi-account scenario |
5. Success Verification
See references/verification-method.md for detailed verification steps and commands for each workflow step.
6. Precautions
[MUST] High-Risk Operation Confirmation — Before executing `disable-resource-center` or `disable-multi-account-resource-center`:
- MUST explicitly inform the user of the impacts:
  - Disable Impact
    - After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
      - For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
      - For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
    - After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
  - Disable Restrictions
    - If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
    - If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
- MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
- DO NOT proceed without user's explicit acknowledgment
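One way to enforce the Section 1 pre-checks and the confirmation rule above in a wrapper script, as an added example that is not part of the skill. The `aliyun configure list` table layout, the exact-match confirmation phrase, and the `ALIYUN` override variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the skill: Section 1 pre-checks and the
# Section 6 confirmation gate as testable functions.

# version_ge HAVE NEED: succeeds when dotted version HAVE >= NEED.
version_ge() {
  for i in 1 2 3; do
    h=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
    n=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
    h=${h%%[!0-9]*}; n=${n%%[!0-9]*}   # drop suffixes such as "-beta"
    [ "${h:-0}" -gt "${n:-0}" ] && return 0
    [ "${h:-0}" -lt "${n:-0}" ] && return 1
  done
  return 0
}

# Constructed sample of `aliyun configure list` output (layout assumed).
sample_configure_list() {
  cat <<'EOF'
Profile   | Credential | Valid   | Region      | Language
--------- | ---------- | ------- | ----------- | --------
default * | AK:***abc  | Invalid | cn-hangzhou | en
ops       | AK:***xyz  | Valid   | cn-hangzhou | en
EOF
}

# has_valid_profile: reads `aliyun configure list` output on stdin and
# inspects only the Valid column; the Credential column is never printed.
has_valid_profile() {
  awk -F'|' 'NR > 2 { gsub(/[ \t]/, "", $3); if ($3 == "Valid") ok = 1 }
             END { exit !ok }'
}

# guarded_disable SUBCOMMAND REPLY: runs a high-risk command only when
# REPLY is the exact phrase (a stricter rule than "similar affirmation").
# Set ALIYUN=echo for a dry run (hypothetical override, not a CLI feature).
guarded_disable() {
  case $1 in
    disable-resource-center|disable-multi-account-resource-center) ;;
    *) echo "not a guarded subcommand: $1" >&2; return 2 ;;
  esac
  if [ "$2" != "confirm disable" ]; then
    echo "refused: explicit confirmation required" >&2
    return 1
  fi
  "${ALIYUN:-aliyun}" resourcecenter "$1" --user-agent AlibabaCloud-Agent-Skills
}
```

In a real session, gate on `version_ge "$(aliyun version)" 3.3.1` and `aliyun configure list | has_valid_profile` before anything else, and stop if either fails.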
Disable Resource Center
Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.

```bash
aliyun resourcecenter disable-resource-center \
  --user-agent AlibabaCloud-Agent-Skills
```

Disable Cross-Account Resource Center
Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.

```bash
aliyun resourcecenter disable-multi-account-resource-center \
  --user-agent AlibabaCloud-Agent-Skills
```

7. Best Practices
- `--user-agent` on every Resource Center CLI call — All `aliyun resourcecenter` examples in this skill include `--user-agent AlibabaCloud-Agent-Skills`. When executing commands for this skill, always pass the same flag so usage is consistent with verification, maintainers’ expectations, and any automated checks.
- Use filters for targeted search — Combining `ResourceType`, `RegionId`, and `Tag` filters improves search efficiency
- Use `GroupByKey` for quick statistics — Get resource distribution by type, region, or resource group without iterating
- Cross-account scope selection — Use the most specific scope (member ID > folder ID > root folder ID > directory ID) to narrow search results
- Wait after enabling — Resource Center needs a few minutes to build data after activation; large accounts may take longer
- Prefer read-only policies — For daily search and statistics operations, use `AliyunResourceCenterReadOnlyAccess` for security
- ResourceType discovery — When the exact resource type code is unknown, use the helper script documented in Section 8 (run from the skill root directory).
- Tag discovery vs tag-filtered search — For “what tag keys/values exist”, use `list-tag-keys` / `list-tag-values` (and multi-account variants with `--scope`). Reserve `search-resources` for finding resources that match tag conditions.
8. Available scripts
| Script | Purpose | Usage |
|---|---|---|
| | Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON ( | |
9. Troubleshooting
When a Resource Center API call or `aliyun resourcecenter` command fails, read the response’s HTTP status, Code (error code), and Message, then match them against the catalog.

Full error list: references/error-codes.md
10. Reference Links
| Reference | Description |
|---|---|
| references/related-apis.md | All CLI commands list |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification steps for each workflow |
| references/error-codes.md | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/acceptance-criteria.md | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |