> [MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
> --user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
> [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
> Run the following commands before any other aliyun CLI invocation:
> ```bash
> aliyun configure ai-mode enable
> aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search"
> ```
> Pre-check: Aliyun CLI >= 3.3.3 required
> Run aliyun version to verify >= 3.3.3. If not installed or version too low,
> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update,
> or see references/cli-installation-guide.md for installation instructions.
> Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
> Then [MUST] run aliyun plugin update to ensure that any existing plugins on your local machine are always up-to-date.
> Pre-check: Alibaba Cloud Credentials Required
>
> Security Rules:
>
> - NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
> - NEVER ask the user to input AK/SK directly in the conversation or command line
> - NEVER use aliyun configure set with literal credential values
> - ONLY use aliyun configure list to check credential status
>
> ```bash
> aliyun configure list
> ```
>
> Check the output for a valid profile (AK, STS, or OAuth identity).
>
> If no valid profile exists, STOP here.
>
> 1. Obtain credentials from Alibaba Cloud Console
> 2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
> 3. Return and re-run after aliyun configure list shows a valid profile
> [MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.
> AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
> ```bash
> aliyun configure ai-mode disable
> ```
> IMPORTANT: Parameter Confirmation — Before executing any command or API call,
> ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,
> passwords, domain names, resource specifications, etc.) MUST be confirmed with the
> user. Do NOT assume and use default values without explicit user approval.
| Parameter | Required/Optional | Description | Default Value |
|---|---|---|---|
| - | - | - | - |
Scope | Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
ResourceType | Optional | Resource type (e.g., ACS::ECS::Instance) | None (all types) |
RegionId | Optional | Resource Region ID (e.g., cn-hangzhou) | None (all regions) |
ResourceId | Optional | Resource ID | None |
ResourceName | Optional | Resource name | None |
VpcId | Optional | VPC ID (e.g., vpc-xxx) | None |
VSwitchId | Optional | VSwitch (e.g., vsw-xxx) | None |
IpAddress | Optional | IP address | None |
GroupByKey | Optional | Statistics grouping dimension: ResourceType, RegionId, ResourceGroupId | None |
MaxResults | Optional | Page size for paginated APIs. | 20 |
See references/ram-policies.md for full permission lists.
Recommended system policies:
AliyunResourceCenterReadOnlyAccessAliyunResourceCenterFullAccess> Opening Resource Center will auto-create the service-linked role AliyunServiceRoleForResourceMetaCenter.
RAM policies (defined in ram-policies.md) control whether a user can call a Resource Center API. However, for search APIs (SearchResources, GetResourceCounts, GetResourceConfiguration, SearchMultiAccountResources, GetMultiAccountResourceCounts, GetMultiAccountResourceConfiguration), the scope of resources visible in results is determined by each cloud product's own permissions:
ReadOnlyAccess lets the user see all resources they have access to; granting only AliyunVPCReadOnlyAccess limits visibility to VPC resources.AliyunResourceCenterFullAccess to the RAM user of the Resource Directory management account to enable cross-account resource search.Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.
> CRITICAL WARNING: DO NOT execute any aliyun resourcecenter command without first reading the exact parameter format in references/related-apis.md.
>
> Failure Pattern: Guessing parameters like --filter format will cause errors. The correct JSON structure MUST be copied from the documentation.
>
> Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.
| Requirement | Account Type | API | Description |
|---|---|---|---|
| - | - | - | - |
| Check if enabled | Single-account | get-resource-center-service-status | Returns service status |
| Enable service | Single-account | enable-resource-center | Required for first-time use |
| Check cross-account status | Resource Directory | get-multi-account-resource-center-service-status | Multi-account scenario |
| Enable cross-account service | Resource Directory | enable-multi-account-resource-center | Requires management account or delegated admin |
| Requirement | Account Type | Script | Description |
|---|---|---|---|
| - | - | - | - |
| Find resource type codes by keyword | Single-account | scripts/query-resource-types.py | Search across ResourceType, ProductName, and ResourceTypeName fields |
Decision Logic:
ResourceType code -> Use it in search or count API with --filter parameter| Requirement | Account Scope | API | Key Parameters |
|---|---|---|---|
| - | - | - | - |
| Search resources by criteria | Current account | search-resources | --filter |
| Cross-account resource search | Resource Directory | search-multi-account-resources | --scope + --filter |
| Search including deleted resources | Current account | search-resources | --include-deleted-resources=true |
| Requirement | Account Scope | API | Use Case |
|---|---|---|---|
| - | - | - | - |
| Get single resource configuration | Current account | get-resource-configuration | Get complete configuration details |
| Batch get multiple resource configurations | Current account | batch-get-resource-configurations | Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | get-multi-account-resource-configuration | Cross-account view |
| Requirement | Account Scope | API | Grouping Dimensions |
|---|---|---|---|
| - | - | - | - |
| Count resources | Current account | get-resource-counts | ResourceType, RegionId, ResourceGroupId |
| Cross-account statistics | Resource Directory | get-multi-account-resource-counts | ResourceType, RegionId, ResourceGroupId |
| Requirement | Account Scope | API | Description |
|---|---|---|---|
| - | - | - | - |
| List all tag keys | Current account | list-tag-keys | Browse tag catalog |
| List values for a specific tag key | Current account | list-tag-values | e.g., list all values for env |
| Cross-account tag keys | Resource Directory | list-multi-account-tag-keys | Multi-account scenario |
| Cross-account tag values | Resource Directory | list-multi-account-tag-values | Multi-account scenario |
See references/verification-method.md for detailed verification steps and commands for each workflow step.
> [MUST] High-Risk Operation Confirmation — Before executing disable-resource-center or disable-multi-account-resource-center:
>
> 1. MUST explicitly inform the user of the impacts:
> - Disable Impact
> - After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
> - For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
> - For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
> - After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
> - Disable Restrictions
> - If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
> - If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
> 2. MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
> 3. DO NOT proceed without user's explicit acknowledgment
> Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.
aliyun resourcecenter disable-resource-center \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
> Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.
aliyun resourcecenter disable-multi-account-resource-center \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
--user-agent on every Resource Center CLI call — All aliyun resourcecenter examples in this skill include --user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search. When executing commands for this skill, always pass the same flag so usage is consistent with verification, maintainers’ expectations, and any automated checks.ResourceType, RegionId, and Tag filters improves search efficiencyGroupByKey for quick statistics — Get resource distribution by type, region, or resource group without iteratingAliyunResourceCenterReadOnlyAccess for securitylist-tag-keys / list-tag-values (and multi-account variants with --scope). Reserve search-resources for finding resources that match tag conditions.| Script | Purpose | Usage |
|---|---|---|
| - | - | - |
scripts/query-resource-types.py | Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON (resourceTypes, count, keyword, language; failures use success: false and error) | python3 scripts/query-resource-types.py |
When a Resource Center API call or aliyun resourcecenter command fails, read the response’s HTTP status, Code (error code), and Message, then match them against the catalog.
Full error list: references/error-codes.md
| Reference | Description |
|---|---|
| - | - |
| references/related-apis.md | All CLI commands list |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification steps for each workflow |
| references/error-codes.md | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/acceptance-criteria.md | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |
共 2 个版本