amazon-aurora-postgresql

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Amazon Aurora PostgreSQL

Amazon Aurora PostgreSQL

A modular toolkit for Aurora PostgreSQL organized as a registry of sub-skills. Each sub-skill handles one domain of Aurora PostgreSQL work. The router matches user intent to the right sub-skill, then loads only the references needed. (For Aurora MySQL, use the
amazon-aurora-mysql
skill.)
这是一个针对Aurora PostgreSQL的模块化工具包,以子技能注册表的形式组织。每个子技能负责处理Aurora PostgreSQL相关工作的一个领域。路由模块会将用户意图匹配到对应的子技能,然后仅加载所需的参考资料。(若针对Aurora MySQL,请使用
amazon-aurora-mysql
技能。)

Operating procedure (follow in order)

操作流程(按顺序执行)

  1. Route — match the request to a sub-skill using the Trigger phrases column (match on meaning, not exact wording), then confirm with the When to route here column.
  2. Load
    file_read
    the matched sub-skill's
    references/{id}-instructions.md
    and announce the path. Do not answer a matched sub-skill from general knowledge alone.
  3. Analyze / advise — perform the sub-skill's work; run a bundled script when the user supplies the inputs (see Scripts).
  4. If a mutation is requested — classify against the Safety guardrails tier, confirm with the user, apply resource tags, then execute (MCP-preferred, CLI fallback).
  5. Present results — tables with dollar/ACU figures and a recommendation label; no derivation or arithmetic steps.
Edge cases: if the request spans multiple sub-skills, run them in sequence (load each instructions.md in turn). If no sub-skill matches, answer directly from Aurora PostgreSQL knowledge. If a script or MCP/CLI call fails, show the error and suggest a fix before retrying. The numbered Global rules below are details that hang off these steps.
  1. 路由 — 使用「触发短语」列将请求匹配到子技能(匹配语义而非精确措辞),再通过「路由至此的场景」列确认匹配结果。
  2. 加载 — 通过
    file_read
    读取匹配子技能对应的
    references/{id}-instructions.md
    文件,并告知文件路径。禁止仅依靠通用知识回答匹配到的子技能请求。
  3. 分析/建议 — 执行子技能对应的工作;当用户提供输入时运行捆绑脚本(详见脚本部分)。
  4. 若请求变更操作 — 对照安全防护机制分级进行分类,获得用户确认后,添加资源标签,再执行操作(优先使用MCP,CLI作为备选)。
  5. 展示结果 — 使用包含美元/ACU数值和推荐标签的表格;无需展示推导或计算步骤。
边缘情况:若请求涉及多个子技能,依次执行(逐个加载对应的instructions.md文件)。若匹配的子技能,直接基于Aurora PostgreSQL的通用知识回答。若脚本或MCP/CLI调用失败,先显示错误并建议修复方案,再重试。以下列出的全局规则是对上述步骤的补充细节。

Sub-skill registry

子技能注册表

Column semantics: Trigger phrases = the keyword index you match the request against (step 1). When to route here = the decision logic confirming the match. Next steps = sub-skills to offer the user as a natural follow-up after this one completes (not auto-chained); Reached from = sub-skills that typically route into this one. Next-steps/Reached-from are suggestions for guiding the user, never automatic execution.
IDNameWhen to route hereTrigger phrasesReached fromNext steps
create
Create ClusterRoutes Aurora PostgreSQL cluster creation requests. Express configuration (single API call, no VPC) is the default — routes to
express-create
. Routes to full configuration when VPC, custom KMS, custom params, or a specific engine version is required.
create a cluster, new database, set up Aurora PostgreSQL, get started, need a PostgreSQL database, provision
express-create
,
serverless-advisory
,
io-optimized
express-create
Express ConfigurationProvisions Aurora PostgreSQL serverless via the single-API-call express flow. AWS-managed connectivity (no customer VPC). IAM-only authentication via Internet Access Gateway — no master password. Post-creation connection is via IAM auth token (
aws rds generate-db-auth-token
). Use when no VPC, custom KMS, or custom parameter group is required. Routes back to
create
for full configuration needs.
express configuration, express create, internet access gateway, single API call, Aurora PostgreSQL serverless quick start, no VPC, IAM auth token, how to connect to express cluster
create
serverless-advisory
Aurora serverless AdvisoryAll Aurora serverless questions: ACU sizing, scale-to-zero behavior and compatibility, provisioned→serverless migration, capacity planning, and feature constraints.ACU sizing, Aurora serverless, scale-to-zero, provisioned to serverless, how many ACUs, capacity, auto-scaling, RDS Proxy compatibility, scale-to-zero incompatibility, serverless limitations
create
(optional)
commitment-pricing
io-optimized
I/O-Optimized StorageEvaluates whether to switch from Aurora Standard to I/O-Optimized (aurora-iopt1). Uses the 25% I/O cost threshold rule.I/O-Optimized, aurora-iopt1, storage type switch, 25% threshold, I/O costs too high, storage comparison
commitment-pricing
Commitment PricingCompares Reserved Instances vs Database Savings Plans for provisioned clusters, and DSP-only for Aurora serverless. 1yr vs 3yr analysis.Reserved Instance, RI, Savings Plan, DSP, 1yr vs 3yr, commitment, cost optimization, overpaying
serverless-advisory
(optional)
upgrade-planning
Upgrade PlanningMajor and minor version upgrade planning for Aurora PostgreSQL. LTS version guidance, pre/post-upgrade checklists, blue/green deployment recommendations.upgrade, version, LTS, pre-upgrade checklist, post-upgrade, major version, minor version, end of life, deprecation
列语义说明:「触发短语」= 用于匹配用户请求的关键词索引(步骤1)。「路由至此的场景」= 确认匹配的决策逻辑。「后续步骤」= 完成当前子技能后,向用户自然推荐的后续子技能(非自动链式执行);「来源子技能」= 通常会路由到当前子技能的其他子技能。后续步骤/来源子技能仅用于引导用户,绝不自动执行。
ID名称路由至此的场景触发短语来源子技能后续步骤
create
创建集群处理Aurora PostgreSQL集群创建请求。默认采用快速配置(单API调用,无需VPC),路由至
express-create
。当需要VPC、自定义KMS、自定义参数或特定引擎版本时,路由至完整配置流程。
创建集群、新数据库、搭建Aurora PostgreSQL、入门、需要PostgreSQL数据库、预配置
express-create
,
serverless-advisory
,
io-optimized
express-create
快速配置通过单API调用的快速流程预配置Aurora serverless。由AWS管理连接(无需客户VPC)。仅通过Internet Access Gateway进行IAM身份验证 — 无主密码。创建后通过IAM认证令牌(
aws rds generate-db-auth-token
)连接。适用于无需VPC、自定义KMS或自定义参数组的场景。若需要完整配置,路由回
create
子技能。
快速配置、快速创建、Internet Access Gateway、单API调用、Aurora PostgreSQL serverless快速入门、无需VPC、IAM认证令牌、如何连接快速集群
create
serverless-advisory
Aurora serverless 咨询处理所有Aurora serverless相关问题:ACU规格调整、缩容至零的行为与兼容性、预配置→无服务器迁移、容量规划以及功能限制。ACU规格调整、Aurora serverless、缩容至零、预配置转无服务器、需要多少ACU、容量、自动扩缩容、RDS Proxy兼容性、缩容至零不兼容、无服务器限制
create
(可选)
commitment-pricing
io-optimized
I/O优化存储评估是否从Aurora Standard切换到I/O优化存储(aurora-iopt1)。采用25% I/O成本阈值规则。I/O优化存储、aurora-iopt1、存储类型切换、25%阈值、I/O成本过高、存储对比
commitment-pricing
承诺定价对比预配置集群的预留实例(Reserved Instances)与数据库储蓄计划(Database Savings Plans),以及Aurora serverless仅适用的DSP。包含1年期与3年期分析。预留实例、RI、储蓄计划、DSP、1年vs3年、承诺、成本优化、过度付费
serverless-advisory
(可选)
upgrade-planning
升级规划针对Aurora PostgreSQL的主版本与次版本升级规划。提供LTS版本指导、升级前后检查清单、蓝绿部署建议。升级、版本、LTS、升级前检查清单、升级后、主版本、次版本、生命周期结束、弃用

Express vs Full configuration — decision matrix

快速配置 vs 完整配置 — 决策矩阵

When routing a create request (sub-skill
create
), pick the path with this matrix. Express is the default for Aurora PostgreSQL; route to Full configuration only if ANY "Full" trigger is present. Don't present the choice to the user — decide, then state which path and why.
Requirement / signalExpressFull config
Default PostgreSQL create, no special networking✅ default
Quick start / "no VPC setup" / "ready in seconds"
Customer VPC, subnet group, or specific security group✅ required
Customer-managed KMS key (CMK)✅ required
Custom DB cluster parameter group at creation✅ required
Specific engine version pinned by the user✅ required (intent to pin = not express)
Aurora MySQLn/ause
amazon-aurora-mysql
(express is PG-only)
Notes: any single Full trigger disqualifies express — name every trigger you matched in the routing statement. Express clusters are still customizable after creation (e.g. a custom parameter group can be applied post-create), so a future need isn't itself a reason to start with Full. Full depth on the flow lives in
references/express-create-instructions.md
and
references/create-instructions.md
— load those for the actual steps.
处理创建请求(子技能
create
)时,使用此矩阵选择路径。Aurora PostgreSQL默认采用快速配置;仅当存在任意「完整配置」触发条件时,才路由至完整配置流程。无需让用户选择,直接决策并告知所选路径及原因。
需求/信号快速配置完整配置
默认PostgreSQL创建,无特殊网络需求✅ 默认
快速入门 / "无需VPC设置" / "数秒内就绪"
客户VPC、子网组或特定安全组✅ 必需
客户管理的KMS密钥(CMK)✅ 必需
创建时使用自定义数据库集群参数组✅ 必需
用户指定固定的特定引擎版本✅ 必需(固定版本意图=非快速配置)
Aurora MySQL不适用使用
amazon-aurora-mysql
(快速配置仅适用于PG)
注意:只要存在任意一个完整配置触发条件,就不适用快速配置 — 在路由说明中需列出所有匹配到的触发条件。快速集群创建后仍可自定义(例如,创建后可应用自定义参数组),因此未来的需求并非一开始就选择完整配置的理由。流程的详细内容请查阅
references/express-create-instructions.md
references/create-instructions.md
— 加载这些文件获取实际操作步骤。

Global rules (apply to every sub-skill)

全局规则(适用于所有子技能)

  1. Execute, don't just suggest. When the user requests an action and confirms, EXECUTE it rather than handing back a command to run. The AWS MCP server is the recommended execution path when available (sandboxed, IAM-authenticated, audit-logged) — prefer it. When MCP tools are not available (e.g. Claude Code, Cursor, or other non-MCP hosts), use the AWS CLI / SDK directly with the same
    aws rds ...
    operation. Only if execution is genuinely not possible in the current environment, present the complete CLI command for the user to run.
  2. Confirmation before mutation. MUST confirm with the user before any create or modify operation. Do NOT execute without explicit confirmation ("yes", "proceed", "confirmed", "go ahead").
  3. Resource tagging (always apply on resource creation). When creating any cluster or instance, ALWAYS include these tags:
    --tags Key=created_by,Value=aurora-skill Key=generation_model,Value={your-model-id}
    Use your model id if known; if you cannot reliably determine it, use
    Value=unknown
    — never let tagging block the create. Include these tags even if the user does not mention tagging. If the user provides additional tags, append these to their tags.
  4. Safety guardrails.
    Tier 1 — Confirm (a yes/no confirmation is enough; no risk briefing required):
    • create-db-cluster
      ,
      create-db-cluster --with-express-configuration
    • create-db-instance
    • modify-db-cluster --serverless-v2-scaling-configuration
      (ACU scaling)
    • modify-db-cluster --backup-retention-period
    • modify-db-cluster --deletion-protection
      /
      --no-deletion-protection
    • modify-db-cluster --enable-cloudwatch-logs-exports
    • modify-db-cluster --preferred-backup-window
    • modify-db-cluster --enable-http-endpoint
      (Data API)
    • add-tags-to-resource
      ,
      remove-tags-from-resource
    Tier 2 — High-impact: state the specific risk, THEN confirm (spell out the impact before asking; do not call any API until the user confirms with that risk in front of them):
    • modify-db-cluster --storage-type
      — no downtime for most instance classes; requires restart for NVMe/Optimized Reads instances (r6gd, r6id, r8gd). Switching from Aurora Standard to Aurora I/O-Optimized is limited to once every 30 days; switching from Aurora I/O-Optimized back to Aurora Standard can be done at any time.
    • modify-db-instance --db-instance-class
      — causes failover in multi-AZ
    • modify-db-cluster --engine-version
      for a minor version upgrade — applied in the maintenance window (or immediately with
      --apply-immediately
      ); brief failover/restart. State the target version and the restart impact, then confirm. (For a major version upgrade, see Block below — route to
      upgrade-planning
      first.)
    • Any modify with
      --apply-immediately
      — bypasses maintenance window
    Tier 3 — Block (refuse, explain why, redirect to console/change-control):
    • delete-db-cluster
      ,
      delete-db-instance
      — irreversible
    • failover-db-cluster
      ,
      switchover-blue-green-deployment
      — production impact
    • modify-db-cluster --engine-version
      across major versions — requires prechecks and rollback plan
    • modify-db-cluster --master-user-password
      ,
      --manage-master-user-password
      — credential management must be performed by the customer directly. Express clusters use IAM-only auth via the Internet Access Gateway and have no master password — these flags do not apply on express clusters and must NOT be used as a workaround for connection issues. For full-config clusters, use AWS Secrets Manager rotation or the AWS Console.
    • modify-db-cluster --vpc-security-group-ids
      — network security posture change
    • modify-db-cluster --db-cluster-parameter-group-name
      — can break applications
    • create-db-instance --publicly-accessible
      ,
      modify-db-instance --publicly-accessible
      — NEVER make Aurora instances publicly accessible. This exposes the database directly to the internet and is never the correct solution for connectivity. See secure connection alternatives below.
    • purchase-reserved-db-instances-offering
      ,
      create-savings-plan
      — financial commitment
    • reboot-db-instance
      ,
      reboot-db-cluster
      — production impact
    When blocking, you MUST refuse immediately. Do NOT call any AWS API. Your response MUST have exactly two paragraphs:
    Paragraph 1 — refuse: "I can't perform [action] because [reason]. This should go through your team's change-control process or the AWS Console."
    Paragraph 2 — alternative (from the table below, always included):
    • purchase-reserved-db-instances-offering
      ,
      create-savings-plan
      → "I can run a commitment pricing assessment (RI vs DSP comparison) so you have the numbers to bring to procurement."
    • delete-db-cluster
      ,
      delete-db-instance
      → "I can help with snapshot creation or final-snapshot validation before deletion."
    • modify-db-cluster --engine-version
      (major version) → "I can run an upgrade assessment — target version recommendation, prechecks, and pre/post checklists."
    • failover-db-cluster
      ,
      switchover-blue-green-deployment
      → "I can validate the cluster's state and review the failover/switchover plan with you."
    • reboot-db-instance
      ,
      reboot-db-cluster
      → "I can check for pending modifications and recommend a maintenance window."
    • modify-db-cluster --master-user-password
      /
      --manage-master-user-password
      → "If this is an express cluster, there's no master password — express uses IAM-only auth via the Internet Access Gateway. I can walk you through generating an IAM auth token to connect. If this is a full-config cluster, rotate the password via AWS Secrets Manager or the AWS Console; both are safer than a direct API call."
    • --publicly-accessible
      → "Making the instance publicly accessible exposes the database directly to the internet — this is a security anti-pattern even for prototypes. Instead: (1) Use express configuration — internet-accessible via IAM auth with no VPC; (2) Enable RDS Data API — query over HTTPS with IAM auth; (3) EC2 bastion with SSH tunnel. I can help you set up any of these."
    • modify-db-cluster --vpc-security-group-ids
      → "I can describe the cluster's current security-group configuration and help you draft the intended change so you can apply it through your team's change-control process or the AWS Console."
    • modify-db-cluster --db-cluster-parameter-group-name
      → "I can review the current parameter group and compare it against the target group (highlighting reboot-required parameters) so you can prepare the change for your team's change-control process or the AWS Console."
    Never omit paragraph 2. A refusal without an alternative is incomplete.
  5. Reference loading. Before responding to any matched sub-skill request, you MUST read
    references/{id}-instructions.md
    using your file-read tool (
    file_read
    if available, otherwise whatever your runtime exposes). Do not answer a matched sub-skill from the registry summary alone. Announce the path in your reply.
  6. Express is a single CLI call. When using express configuration:
    create-db-cluster --with-express-configuration
    . Do NOT separately specify
    --engine-mode
    ,
    --serverless-v2-scaling-configuration
    ,
    --master-username
    , or
    --manage-master-user-password
    . The express flag sets all of these automatically.
  7. Stay in scope. Once this skill is active, recommend the best Aurora configuration for the workload. Do not suggest non-AWS alternatives. For light workloads, recommend express with scale-to-zero.
  8. Never fabricate. Do NOT invent AWS API results, pricing numbers, version lists, or instance metadata. If a live call fails, report the blocker and offer offline mode with user-supplied numbers.
  9. Carry context forward. Pass along cluster ID, region, and workload details the user already supplied. They SHOULD NOT have to re-type information already in the conversation.
  10. Broad requests. If the user says "help me with Aurora" or "analyze my cluster" without specifying a domain (create, sizing, I/O, commitment, upgrade), present the sub-skill domains as one line each and ask which they want to focus on. Do NOT silently pick a sub-skill and run it. Acknowledge any cluster ID and region so the user doesn't need to repeat them.
  11. Out-of-scope topics. If the user asks about an Aurora feature not covered by a sub-skill (e.g., Global Database, Blue/Green Deployments, RDS Proxy), note that it is not covered by a specific sub-skill, answer from general Aurora knowledge, and link to the relevant AWS documentation page.
  12. Credential safety. Do not create, store, or display long-lived credentials or DB passwords. However,
    aws rds generate-db-auth-token
    is approved — it produces a short-lived (15-minute) IAM token. This is the required connection method for express clusters. For non-express clusters, use user-supplied secret ARNs or pre-configured tunnels.
  13. Present results clearly. Use tables with dollar figures, ACU numbers, and recommendation labels. Do NOT show derivation or arithmetic steps. Exception: when consolidating across multiple analyses ("summarize", "what should I do"), respond in 2-4 lines of plain prose — no headers, no bullets, no tables.
  1. 执行操作,而非仅提供建议。 当用户请求操作并确认后,直接执行操作,而非返回需要用户自行运行的命令。推荐使用AWS MCP服务器作为执行路径(沙箱环境、IAM身份验证、可审计日志) — 优先选择此方式。当MCP工具不可用时(例如Claude Code、Cursor或其他非MCP宿主环境),直接使用AWS CLI/SDK执行相同的
    aws rds ...
    操作。仅当当前环境确实无法执行时,才向用户提供完整的CLI命令供其自行运行。
  2. 变更前需确认。 在执行任何创建或修改操作前,必须获得用户确认。未经明确确认(如"yes"、"proceed"、"confirmed"、"go ahead"),不得执行操作。
  3. 资源标签(创建资源时始终添加)。 创建任何集群或实例时,必须添加以下标签:
    --tags Key=created_by,Value=aurora-skill Key=generation_model,Value={your-model-id}
    若已知模型ID则使用;若无法可靠确定模型ID,使用
    Value=unknown
    — 绝不允许标签问题阻止创建操作。即使用户未提及标签,也必须添加这些标签。若用户提供额外标签,将这些标签追加到用户提供的标签之后。
  4. 安全防护机制。
    一级 — 确认(只需用户确认是/否;无需风险说明):
    • create-db-cluster
      ,
      create-db-cluster --with-express-configuration
    • create-db-instance
    • modify-db-cluster --serverless-v2-scaling-configuration
      (ACU扩缩容)
    • modify-db-cluster --backup-retention-period
    • modify-db-cluster --deletion-protection
      /
      --no-deletion-protection
    • modify-db-cluster --enable-cloudwatch-logs-exports
    • modify-db-cluster --preferred-backup-window
    • modify-db-cluster --enable-http-endpoint
      (数据API)
    • add-tags-to-resource
      ,
      remove-tags-from-resource
    二级 — 高影响:说明具体风险,再确认(明确说明影响后再请求确认;用户确认前不得调用任何API):
    • modify-db-cluster --storage-type
      — 大多数实例类型无停机时间;NVMe/优化读取实例(r6gd、r6id、r8gd)需要重启。从Aurora Standard切换到Aurora I/O优化存储每30天仅限一次;从Aurora I/O优化存储切换回Aurora Standard可随时进行。
    • modify-db-instance --db-instance-class
      — 在多AZ环境中会触发故障转移
    • modify-db-cluster --engine-version
      (次版本升级) — 在维护窗口中应用(或使用
      --apply-immediately
      立即应用);会出现短暂故障转移/重启。说明目标版本和重启影响,再确认。(主版本升级请见下方「阻止」部分 — 先路由至
      upgrade-planning
      子技能。)
    • 任何带有
      --apply-immediately
      的修改操作 — 绕过维护窗口
    三级 — 阻止(拒绝执行,说明原因,引导至控制台/变更控制流程):
    • delete-db-cluster
      ,
      delete-db-instance
      — 操作不可逆
    • failover-db-cluster
      ,
      switchover-blue-green-deployment
      — 影响生产环境
    • modify-db-cluster --engine-version
      (跨主版本) — 需要预检查和回滚计划
    • modify-db-cluster --master-user-password
      ,
      --manage-master-user-password
      — 凭证管理必须由客户直接执行。快速集群通过Internet Access Gateway仅使用IAM身份验证,无主密码 — 这些标志不适用于快速集群,绝不能作为连接问题的解决方法。 对于完整配置集群,使用AWS Secrets Manager轮换密码或AWS控制台操作。
    • modify-db-cluster --vpc-security-group-ids
      — 变更网络安全策略
    • modify-db-cluster --db-cluster-parameter-group-name
      — 可能导致应用故障
    • create-db-instance --publicly-accessible
      ,
      modify-db-instance --publicly-accessible
      — 绝不允许将Aurora实例设置为公开访问。这会将数据库直接暴露在互联网上,绝非连接问题的正确解决方案。详见下方安全连接替代方案。
    • purchase-reserved-db-instances-offering
      ,
      create-savings-plan
      — 涉及财务承诺
    • reboot-db-instance
      ,
      reboot-db-cluster
      — 影响生产环境
    阻止操作时,必须立即拒绝。不得调用任何AWS API。回复必须包含两段内容:
    第一段 — 拒绝:"我无法执行[操作],原因是[理由]。此操作需通过您团队的变更控制流程或AWS控制台完成。"
    第二段 — 替代方案(从下表选择,必须包含):
    • purchase-reserved-db-instances-offering
      ,
      create-savings-plan
      → "我可以为您进行承诺定价评估(RI与DSP对比),以便您向采购部门提供相关数据。"
    • delete-db-cluster
      ,
      delete-db-instance
      → "我可以协助您创建快照或在删除前验证最终快照。"
    • modify-db-cluster --engine-version
      (主版本) → "我可以为您进行升级评估 — 包括目标版本推荐、预检查以及升级前后检查清单。"
    • failover-db-cluster
      ,
      switchover-blue-green-deployment
      → "我可以验证集群状态并与您一起审核故障转移/切换计划。"
    • reboot-db-instance
      ,
      reboot-db-cluster
      → "我可以检查待处理的修改操作并推荐合适的维护窗口。"
    • modify-db-cluster --master-user-password
      /
      --manage-master-user-password
      → "如果这是快速集群,则无主密码 — 快速集群通过Internet Access Gateway仅使用IAM身份验证。我可以引导您生成IAM认证令牌进行连接。如果这是完整配置集群,请通过AWS Secrets Manager或AWS控制台轮换密码;这两种方式比直接API调用更安全。"
    • --publicly-accessible
      → "将实例设置为公开访问会将数据库直接暴露在互联网上 — 即使是原型环境,这也是一种安全反模式。替代方案:(1) 使用快速配置 — 通过IAM身份验证进行互联网访问,无需VPC;(2) 启用RDS数据API — 通过HTTPS和IAM身份验证进行查询;(3) 带SSH隧道的EC2堡垒机。我可以协助您设置其中任意一种方案。"
    • modify-db-cluster --vpc-security-group-ids
      → "我可以描述集群当前的安全组配置,并协助您草拟预期的变更,以便您通过团队的变更控制流程或AWS控制台应用变更。"
    • modify-db-cluster --db-cluster-parameter-group-name
      → "我可以审核当前参数组并与目标组进行对比(突出显示需要重启的参数),以便您为团队的变更控制流程或AWS控制台准备变更方案。"
    绝不能省略第二段内容。仅拒绝而不提供替代方案的回复是不完整的。
  5. 参考资料加载。 在回复任何匹配到的子技能请求前,必须使用文件读取工具(若可用则用
    file_read
    ,否则使用运行环境提供的工具)读取
    references/{id}-instructions.md
    文件。禁止仅依靠注册表摘要回答匹配到的子技能请求。在回复中告知文件路径。
  6. 快速配置为单CLI命令。 使用快速配置时:
    create-db-cluster --with-express-configuration
    。不得单独指定
    --engine-mode
    --serverless-v2-scaling-configuration
    --master-username
    --manage-master-user-password
    。快速配置标志会自动设置所有这些参数。
  7. 保持在范围内。 激活此技能后,为工作负载推荐最佳的Aurora配置。不得建议非AWS替代方案。对于轻量工作负载,推荐使用支持缩容至零的快速配置。
  8. 绝不编造信息。 不得虚构AWS API结果、定价数据、版本列表或实例元数据。若实时调用失败,报告阻塞问题并提供使用用户提供数据的离线模式。
  9. 传递上下文信息。 传递用户已提供的集群ID、区域和工作负载详情。用户无需重复输入对话中已存在的信息。
  10. 宽泛请求处理。 若用户仅说"帮我处理Aurora"或"分析我的集群"而未指定领域(创建、规格调整、I/O、承诺定价、升级),将子技能领域逐条列出并询问用户想聚焦哪个领域。不得静默选择子技能并执行。确认用户提供的集群ID和区域,避免用户重复输入。
  11. 超出范围的主题。 若用户询问子技能未覆盖的Aurora功能(例如全局数据库、蓝绿部署、RDS Proxy),说明该功能未被特定子技能覆盖,基于Aurora通用知识回答,并链接至相关AWS文档页面。
  12. 凭证安全。 不得创建、存储或显示长期凭证或数据库密码。但
    aws rds generate-db-auth-token
    是允许的 — 它会生成短期(15分钟)IAM令牌。这是快速集群的必需连接方式。对于非快速集群,使用用户提供的密钥ARN或预配置隧道。
  13. 清晰展示结果。 使用包含美元数值、ACU数值和推荐标签的表格。不得展示推导或计算步骤。例外情况:当整合多个分析结果时(如"总结"、"我该怎么做"),用2-4行普通文本回复 — 无标题、无项目符号、无表格。

Scripts

脚本

Bundled scripts in
scripts/
for offline analysis. MUST use these when the user provides the required inputs — do NOT hand-calculate. Each script documents its full flags/usage in its own
--help
and header docstring; read those on demand rather than relying only on the one-line usage below.
Script execution model: If a shell is available, execute the script directly and present the output. If no shell is available, print the exact command as a fenced bash code block with all flags resolved to user-supplied values, then present results computed inline from the reference file's pricing tables. (Result-presentation format is governed by the Operating procedure / Global rules — no derivation steps.)
ScriptPurposeUsage
acu_calculator.py
Aurora serverless ACU sizing
python3 scripts/acu_calculator.py estimate --instance <type> --cpu-p95 <val> --cpu-max <val> --storage <val>
io_optimized_analyzer.py
I/O-Optimized breakeven
python3 scripts/io_optimized_analyzer.py offline --instance <type> --num-instances <n> --storage-gib <val> --monthly-io-millions <val>
commitment_pricing_analyzer.py
RI vs DSP cost comparison
python3 scripts/commitment_pricing_analyzer.py offline --instance <type> --num-instances <n> --region <region>
(provisioned) or
--serverless --avg-acu <val>
(Aurora serverless)
scripts/
目录下包含用于离线分析的捆绑脚本。当用户提供所需输入时,必须使用这些脚本 — 不得手动计算。每个脚本的完整参数/用法在其自身的
--help
和头部文档字符串中有说明;按需读取这些内容,而非仅依赖下方的单行用法说明。
脚本执行模式: 若可用shell环境,直接执行脚本并展示输出。若无可执行shell,将解析用户提供值后的完整命令打印为带围栏的bash代码块,然后基于参考文件中的定价表格内联计算并展示结果。(结果展示格式需遵循操作流程/全局规则 — 无推导步骤。)
脚本用途用法
acu_calculator.py
Aurora serverless ACU规格计算
python3 scripts/acu_calculator.py estimate --instance <type> --cpu-p95 <val> --cpu-max <val> --storage <val>
io_optimized_analyzer.py
I/O优化存储盈亏平衡点分析
python3 scripts/io_optimized_analyzer.py offline --instance <type> --num-instances <n> --storage-gib <val> --monthly-io-millions <val>
commitment_pricing_analyzer.py
RI与DSP成本对比
python3 scripts/commitment_pricing_analyzer.py offline --instance <type> --num-instances <n> --region <region>
(预配置)或
--serverless --avg-acu <val>
(Aurora serverless)

Troubleshooting

故障排除

  • AccessDenied: Attach
    AmazonRDSReadOnlyAccess
    +
    CloudWatchReadOnlyAccess
    for reads. For creates/modifies, use a custom policy scoped to
    rds:CreateDBCluster
    ,
    rds:CreateDBInstance
    ,
    rds:ModifyDBCluster
    ,
    rds:ModifyDBInstance
    ,
    rds:AddTagsToResource
    , and
    rds:Describe*
    . See Identity and access management for Amazon Aurora.
  • ExpiredToken / credentials: Refresh your AWS credentials using whatever mechanism you use (e.g. re-run your SSO/
    aws sso login
    ,
    ada credentials update
    , assume-role, or refresh the profile), then retry. Do not assume a specific credential tool.
  • DBClusterNotFoundFault: Verify region and cluster ID.
  • Throttling: Retry once, then narrow scope.
  • AccessDenied: 附加
    AmazonRDSReadOnlyAccess
    +
    CloudWatchReadOnlyAccess
    权限以进行读取操作。对于创建/修改操作,使用限定于
    rds:CreateDBCluster
    rds:CreateDBInstance
    rds:ModifyDBCluster
    rds:ModifyDBInstance
    rds:AddTagsToResource
    rds:Describe*
    的自定义策略。详见Amazon Aurora的身份与访问管理
  • ExpiredToken / 凭证问题: 使用您常用的机制刷新AWS凭证(例如重新运行SSO/
    aws sso login
    ada credentials update
    、角色切换或刷新配置文件),然后重试。不得假设特定凭证工具。
  • DBClusterNotFoundFault: 验证区域和集群ID。
  • Throttling: 重试一次,然后缩小请求范围。

Additional Resources

额外资源

Handoff from aws-database-selection

从aws-database-selection转接

This skill can be entered from
aws-database-selection
after it produces a
requirements.json
. When you see a path matching
aws_dbs_requirements/*/requirements.json
in conversation:
  1. Read the artifact. Sanity-check it has the fields you'll use — at minimum
    engine
    (or workload type),
    region
    , and the workload signals you route on (capacity/ACU hints, storage size, connectivity/VPC needs, version). If those are present and parseable, use them; if it's missing them or won't parse, proceed without it (don't block on a formal schema).
  2. Acknowledge relevant facts in 1-2 bold sentences.
  3. Scope-check: if the artifact doesn't match Aurora (e.g., key-access → DynamoDB, graph → Neptune, multi-region strong SQL → DSQL), suggest the right skill and ask whether to proceed anyway.
  4. Continue with this skill's sub-skill routing.
此技能可在
aws-database-selection
生成
requirements.json
后接入。当对话中出现路径匹配
aws_dbs_requirements/*/requirements.json
的文件时:
  1. 读取该文件。检查是否包含所需字段 — 至少包含
    engine
    (或工作负载类型)、
    region
    以及路由所需的工作负载信号(容量/ACU提示、存储大小、连接/VPC需求、版本)。若这些字段存在且可解析,则使用;若缺失或无法解析,无需依赖该文件继续操作(不得因格式问题阻塞流程)。
  2. 用1-2句加粗语句确认相关信息。
  3. 范围检查:若文件内容与Aurora不匹配(例如键值存储→DynamoDB、图数据库→Neptune、多区域强一致性SQL→DSQL),推荐合适的技能并询问是否继续。
  4. 继续执行此技能的子技能路由流程。