Manage the full lifecycle of Alibaba Cloud DataHub resources (Project → Topic → Subscription) using the Aliyun CLI plugin mode.
Architecture: Region → Project → Topic → Subscription
Prerequisites
Pre-check: Aliyun CLI >= 3.3.3 required
Run aliyun version to verify the version is >= 3.3.3. If the CLI is not installed or the version is too low,
see references/cli-installation-guide.md for installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
[MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.
Authentication
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use aliyun configure set with literal credential values
ONLY use aliyun configure list to check credential status
```bash
aliyun configure list
```
Check the output for a valid profile (AK, STS, or OAuth identity).
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
Read references/ram-policies.md to get the full list of permissions required by this SKILL
Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
Pause and wait until the user confirms that the required permissions have been granted
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,
passwords, domain names, resource specifications, etc.) MUST be confirmed with the
user. Do NOT assume or use default values without explicit user approval.
| Parameter | Required | Description | Default |
|---|---|---|---|
| region | Yes | Target region for DataHub resources | — (must confirm) |
| project-name | Yes | DataHub project name (3-32 chars, letter start, alphanumeric + underscore) | — |
| topic-name | Yes (for Topic ops) | Topic name (3-128 chars) | — |
| record-type | Yes (for create-topic) | BLOB or TUPLE | — |
| shard-count | Yes (for create-topic) | Number of shards | — |
| lifecycle | Yes (for create-topic) | Data retention in days | — |
| record-schema | Conditional | Required when record-type is TUPLE | — |
| application | Yes (for create-subscription) | Application description (max 256 chars) | — |
| subscription-id | Optional | Manual subscription ID (4-40 chars, lowercase) | Auto-generated |
Observability (MUST follow for every aliyun command)
Upon loading this skill, generate a random session ID (32-char lowercase hex string) once for the entire session. Use it as {session-id} below.
Rule: Every aliyun CLI command that calls a cloud API MUST include the --user-agent flag.
Local utility commands (e.g. configure, plugin, version) do not support this flag and should be excluded.
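The constraints in the parameter table and the session-ID rule above can be checked locally before any value reaches an aliyun command. The following is an added example, not part of the original skill: the function names are hypothetical, shard-count and lifecycle are assumed to be positive integers, and "lowercase" is read as "no uppercase letters".

```shell
# Added example: local checks for the parameter table and session-ID rule.
# Function names are hypothetical; sample values in comments are constructed.
LC_ALL=C; export LC_ALL   # ASCII-only ranges, byte-wise lengths

# 32-char lowercase hex session ID; call once and reuse for the session.
new_session_id() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# True if the length of $1 is between $2 and $3 inclusive.
len_between() { [ "${#1}" -ge "$2" ] && [ "${#1}" -le "$3" ]; }

# Assumption: shard-count and lifecycle are positive decimal integers.
positive_int() {
  case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
}

# project-name: 3-32 chars, letter first, then alphanumeric or underscore.
# case patterns match the whole string, so an embedded newline is rejected.
valid_project_name() {
  len_between "$1" 3 32 || return 1
  case $1 in [A-Za-z]*) ;; *) return 1 ;; esac
  case $1 in *[!A-Za-z0-9_]*) return 1 ;; esac
}

# subscription-id: 4-40 chars; "lowercase" is read as "no uppercase letters".
valid_subscription_id() {
  len_between "$1" 4 40 || return 1
  case $1 in *[A-Z]*) return 1 ;; esac
}

# application: required for create-subscription, max 256 chars.
valid_application() { len_between "$1" 1 256; }

# Args: project topic record-type shard-count lifecycle [record-schema]
# Prints the first problem to stderr and returns 1; returns 0 if all pass.
check_create_topic() {
  valid_project_name "$1" || { echo "invalid project-name" >&2; return 1; }
  # The table gives only a length for topic-name, so only length is checked.
  len_between "$2" 3 128 || { echo "invalid topic-name" >&2; return 1; }
  case $3 in
    BLOB|TUPLE) ;;
    *) echo "record-type must be BLOB or TUPLE" >&2; return 1 ;;
  esac
  positive_int "$4" || { echo "invalid shard-count" >&2; return 1; }
  positive_int "$5" || { echo "invalid lifecycle" >&2; return 1; }
  if [ "$3" = TUPLE ] && [ -z "${6:-}" ]; then
    echo "record-schema is required when record-type is TUPLE" >&2; return 1
  fi
}
```

Values that pass these checks should still be passed to the CLI as quoted arguments, since topic-name is validated for length only.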
⚠️ DESTRUCTIVE OPERATION — User Confirmation Required
Before executing ANY delete command (delete-subscription, delete-topic, delete-project),
you MUST explicitly list the resources to be deleted and ask the user for confirmation.
Do NOT proceed until the user explicitly approves the deletion.
Example prompt to user:
"I am about to delete the following resources (this action is irreversible):
Subscription: <subscription-id> on topic <topic-name>
⚠️ WARNING: Deleting a Project removes all its Topics, data, and Subscriptions. This operation is irreversible. Always obtain explicit user confirmation before execution.
Success Verification
See references/verification-method.md for detailed verification steps for each operation.
Best Practices
Always verify after creation — Use get-project, get-topic, get-subscription to confirm resources exist.