Install
openclaw skills install alibabacloud-resourcecenter-searchAlibabacloud Resourcecenter Search
Alibaba Cloud Resource Center - Global Resource Inventory, Search & Statistics Skill. Provides cross-region, cross-product, and cross-account resource inventory, search, and statistical analysis capabilities. Also supports enabling and disabling Resource Center service. Triggers: "resource center", "resource search", "resource inventory", "resource statistics", "cross-account resource", "global resource", "resource count".
1. Prerequisites
[MUST] CLI User-Agent — Every
aliyunCLI command invocation must include:--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any other
aliyunCLI invocation:aliyun configure ai-mode enable aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search"
Pre-check: Aliyun CLI >= 3.3.3 required Run
aliyun versionto verify >= 3.3.3. If not installed or version too low, runcurl -fsSL https://aliyuncli.alicdn.com/setup.sh | bashto install/update, or seereferences/cli-installation-guide.mdfor installation instructions. Then [MUST] runaliyun configure set --auto-plugin-install trueto enable automatic plugin installation. Then [MUST] runaliyun plugin updateto ensure that any existing plugins on your local machine are always up-to-date.
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_IDis FORBIDDEN)- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use
aliyun configure setwith literal credential values- ONLY use
aliyun configure listto check credential statusaliyun configure listCheck the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via
aliyun configurein terminal or environment variables in shell profile)- Return and re-run after
aliyun configure listshows a valid profile
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
aliyun configure ai-mode disable
2. Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume and use default values without explicit user approval.
| Parameter | Required/Optional | Description | Default Value |
|---|---|---|---|
Scope | Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
ResourceType | Optional | Resource type (e.g., ACS::ECS::Instance) | None (all types) |
RegionId | Optional | Resource Region ID (e.g., cn-hangzhou) | None (all regions) |
ResourceId | Optional | Resource ID | None |
ResourceName | Optional | Resource name | None |
VpcId | Optional | VPC ID (e.g., vpc-xxx) | None |
VSwitchId | Optional | VSwitch (e.g., vsw-xxx) | None |
IpAddress | Optional | IP address | None |
GroupByKey | Optional | Statistics grouping dimension: ResourceType, RegionId, ResourceGroupId | None |
MaxResults | Optional | Page size for paginated APIs. | 20 |
3. RAM Policy
See references/ram-policies.md for full permission lists.
Recommended system policies:
- Read-only:
AliyunResourceCenterReadOnlyAccess - Full access:
AliyunResourceCenterFullAccess
Opening Resource Center will auto-create the service-linked role
AliyunServiceRoleForResourceMetaCenter.
Resource Visibility Scope
RAM policies (defined in ram-policies.md) control whether a user can call a Resource Center API. However, for search APIs (SearchResources, GetResourceCounts, GetResourceConfiguration, SearchMultiAccountResources, GetMultiAccountResourceCounts, GetMultiAccountResourceConfiguration), the scope of resources visible in results is determined by each cloud product's own permissions:
Single Account
- Cloud resource read permissions: A RAM user can only see resources in Resource Center for which they have read-only access on the corresponding cloud product. For example, granting
ReadOnlyAccesslets the user see all resources they have access to; granting onlyAliyunVPCReadOnlyAccesslimits visibility to VPC resources. - Resource group scoped permissions: If resources are organized by resource groups, you can grant a RAM user read access scoped to a specific resource group. The user will only see resources within that group, achieving resource isolation.
Cross-Account
- Grant the system policy
AliyunResourceCenterFullAccessto the RAM user of the Resource Directory management account to enable cross-account resource search.
4. Core Workflow
Step 1: Identify APIs Based on User Requirements
Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.
Step 2: [MUST] Read API Documentation Before Every CLI Call
CRITICAL WARNING: DO NOT execute any
aliyun resourcecentercommand without first reading the exact parameter format inreferences/related-apis.md.Failure Pattern: Guessing parameters like
--filterformat will cause errors. The correct JSON structure MUST be copied from the documentation.Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.
Scenario Cards
Scenario 1: Service Activation
| Requirement | Account Type | API | Description |
|---|---|---|---|
| Check if enabled | Single-account | get-resource-center-service-status | Returns service status |
| Enable service | Single-account | enable-resource-center | Required for first-time use |
| Check cross-account status | Resource Directory | get-multi-account-resource-center-service-status | Multi-account scenario |
| Enable cross-account service | Resource Directory | enable-multi-account-resource-center | Requires management account or delegated admin |
Scenario 2: ResourceType Discovery
| Requirement | Account Type | Script | Description |
|---|---|---|---|
| Find resource type codes by keyword | Single-account | scripts/query-resource-types.py | Search across ResourceType, ProductName, and ResourceTypeName fields |
Decision Logic:
- When you needs to filter by resource type but doesn't know the exact code -> Use this script first
- After discovering the correct
ResourceTypecode -> Use it in search or count API with--filterparameter
Scenario 3: Resource Search
| Requirement | Account Scope | API | Key Parameters |
|---|---|---|---|
| Search resources by criteria | Current account | search-resources | --filter |
| Cross-account resource search | Resource Directory | search-multi-account-resources | --scope + --filter |
| Search including deleted resources | Current account | search-resources | --include-deleted-resources=true |
Scenario 4: View Resource Details
| Requirement | Account Scope | API | Use Case |
|---|---|---|---|
| Get single resource configuration | Current account | get-resource-configuration | Get complete configuration details |
| Batch get multiple resource configurations | Current account | batch-get-resource-configurations | Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | get-multi-account-resource-configuration | Cross-account view |
Scenario 5: Statistics and Analysis
| Requirement | Account Scope | API | Grouping Dimensions |
|---|---|---|---|
| Count resources | Current account | get-resource-counts | ResourceType, RegionId, ResourceGroupId |
| Cross-account statistics | Resource Directory | get-multi-account-resource-counts | ResourceType, RegionId, ResourceGroupId |
Scenario 6: Tag Discovery
| Requirement | Account Scope | API | Description |
|---|---|---|---|
| List all tag keys | Current account | list-tag-keys | Browse tag catalog |
| List values for a specific tag key | Current account | list-tag-values | e.g., list all values for env |
| Cross-account tag keys | Resource Directory | list-multi-account-tag-keys | Multi-account scenario |
| Cross-account tag values | Resource Directory | list-multi-account-tag-values | Multi-account scenario |
5. Success Verification
See references/verification-method.md for detailed verification steps and commands for each workflow step.
6. Precautions
[MUST] High-Risk Operation Confirmation — Before executing
disable-resource-centerordisable-multi-account-resource-center:
- MUST explicitly inform the user of the impacts:
- Disable Impact
- After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
- For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
- For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
- After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
- Disable Restrictions
- If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
- If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
- MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
- DO NOT proceed without user's explicit acknowledgment
Disable Resource Center
Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.
aliyun resourcecenter disable-resource-center \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
Disable Cross-Account Resource Center
Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.
aliyun resourcecenter disable-multi-account-resource-center \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search
7. Best Practices
--user-agenton every Resource Center CLI call — Allaliyun resourcecenterexamples in this skill include--user-agent AlibabaCloud-Agent-Skills/alibabacloud-resourcecenter-search. When executing commands for this skill, always pass the same flag so usage is consistent with verification, maintainers’ expectations, and any automated checks.- Use filters for targeted search — Combining
ResourceType,RegionId, andTagfilters improves search efficiency - Use
GroupByKeyfor quick statistics — Get resource distribution by type, region, or resource group without iterating - Cross-account scope selection — Use the most specific scope (member ID > folder ID > root folder ID > directory ID) to narrow search results
- Wait after enabling — Resource Center needs a few minutes to build data after activation; large accounts may take longer
- Prefer read-only policies — For daily search and statistics operations, use
AliyunResourceCenterReadOnlyAccessfor security - ResourceType discovery — When the exact resource type code is unknown, use the helper script documented in Section 8 (run from the skill root directory).
- Tag discovery vs tag-filtered search — For “what tag keys/values exist”, use
list-tag-keys/list-tag-values(and multi-account variants with--scope). Reservesearch-resourcesfor finding resources that match tag conditions.
8. Available scripts
| Script | Purpose | Usage |
|---|---|---|
scripts/query-resource-types.py | Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON (resourceTypes, count, keyword, language; failures use success: false and error) | python3 scripts/query-resource-types.py <keyword> [--language LANGUAGE] |
9. Troubleshooting
When a Resource Center API call or aliyun resourcecenter command fails, read the response’s HTTP status, Code (error code), and Message, then match them against the catalog.
Full error list: references/error-codes.md
10. Reference Links
| Reference | Description |
|---|---|
| references/related-apis.md | All CLI commands list |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification steps for each workflow |
| references/error-codes.md | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/acceptance-criteria.md | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |