Aliyun CLI Expert
Guide users to manage Alibaba Cloud resources effectively using the aliyun command-line tool.
Required permissions : see ./references/ram-policies.md (## required_permissions). Extend on demand for other CLI commands.
Instructions
User-Agent (this skill)
Any aliyun invocation that calls Alibaba Cloud APIs while following this skill MUST identify the client with:
CODEBLOCK0
Use the same shell for subsequent commands, or prefix a single run: ALIBABA_CLOUD_USER_AGENT=AlibabaCloud-Agent-Skills aliyun .... Omit this only for steps that do not call cloud APIs (for example local aliyun configure browser OAuth setup before any API call). When you give the user copy-paste blocks, include this export once at the top of the block (or the inline prefix on each aliyun line).
Examples below assume ALIBABA_CLOUD_USER_AGENT is set whenever an aliyun command hits the API.
1. Install and configure the CLI
If the user hasn't installed or configured the CLI, guide them through setup.
See ./references/installation-guide.md for full details. Quick path:
CODEBLOCK1
OAuth (browser login)
When a browser can be opened on the same machine (for example a local desktop with a GUI), prefer OAuth over storing AccessKey pairs: credentials are not kept as plaintext AK/SecretKey in configuration, and sign-in can use SSO. Requires Alibaba Cloud CLI 3.0.299 or later. Not suitable for headless environments (for example SSH-only servers without a local browser).
Run interactively:
CODEBLOCK2
Full setup (administrator consent, RAM identity assignments, CN vs INTL site) is documented in Configure OAuth authentication for Alibaba Cloud CLI and ./references/installation-guide.md.
CODEBLOCK3
Aliyun CLI 3.3.0+ supports all published Alibaba Cloud product plugins.
Authentication modes (environment variables)
For modes that use explicit keys or tokens (not OAuth), choose what fits the deployment context. When set, these environment variables override any values in ~/.aliyun/config.json.
| Mode | When to use | Environment variables |
|---|
| AK | Development, long-lived credentials | INLINECODE15�, ALIBABA_CLOUD_ACCESS_KEY_SECRET, �INLINECODE17 |
| StsToken |
CI/CD, temporary credentials | Same as AK, plus
ALIBABA_CLOUD_SECURITY_TOKEN |
|
RamRoleArn | After AssumeRole or cross-account session | Export the temporary pair from the role session: same variables as
StsToken (AK + secret +
ALIBABA_CLOUD_SECURITY_TOKEN) |
Multiple accounts or environments
Use separate export blocks per shell session, CI job, or secret store (different ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET / ALIBABA_CLOUD_REGION_ID values). For profile-based workflows backed by the config file, see ./references/installation-guide.md.
2. Consult --help before constructing any command
Built-in commands have inconsistent parameter naming across APIs — some use PascalCase,
others camelCase, and the exact names are not predictable. Guessing parameter names frequently
leads to errors that require multiple retries. Running --help first takes seconds:
CODEBLOCK4
Help output is the authoritative source. Plugin help is especially rich — it includes type
info, structure fields, format hints, and constraints for every parameter.
When a plugin is installed, aliyun <product> --help automatically shows plugin help. To view
the legacy built-in (OpenAPI-style) help instead:
CODEBLOCK5
3. Ensure service plugins are available
Each Alibaba Cloud product has a CLI plugin. Plugins provide consistent kebab-case commands
with comprehensive help, while the legacy built-in system has inconsistent naming and minimal
help. If you know which product to use, install the plugin directly — plugin install is
idempotent (safe to run even if already installed):
CODEBLOCK6
To discover or verify plugins:
CODEBLOCK7
Plugin names accept both short form (ecs) and full form (aliyun-cli-ecs), case-insensitive.
Plugin lifecycle:
CODEBLOCK8
4. Prefer plugin commands over built-in commands
The CLI has two command styles, and the subcommand casing determines which system handles it:
- - All-lowercase subcommand → routed to plugin (CLI Native style)
- Contains uppercase → routed to built-in (OpenAPI style)
Plugin commands use consistent kebab-case naming for both subcommands and parameters, making
them predictable. Built-in commands use PascalCase subcommands with mixed/inconsistent parameter
naming that varies by API — you must check --help for every command to know the exact names.
CODEBLOCK9
Mixing styles causes silent failures — the CLI routes to different backends based on subcommand
casing. A kebab-case subcommand with PascalCase parameters will be sent to the plugin system,
which doesn't recognize PascalCase parameter names.
Product code is always case-insensitive (ecs, Ecs, ECS all work).
| Aspect | Plugin (CLI Native) | Built-in (OpenAPI) |
|---|
| Subcommand | INLINECODE35 | INLINECODE36 |
| Parameters |
kebab-case (consistent) | Mixed (inconsistent) |
| ROA Body | Expanded to individual params | Single
--body JSON |
| Header params | Visible in help, usable directly | Hidden, manual
--header only |
| Help | Comprehensive with structure | Basic |
5. Understand global vs business parameter naming
The CLI plugin system reserves certain global parameters for its own use:
- -
--region-id / --region — controls which API endpoint the request is sent to (e.g.
ecs.cn-hangzhou.aliyuncs.com). This is a routing concern, not a business field.
- - Other globals include
--profile, --api-version, --output, etc.
Many APIs also define their own RegionId or Region parameter in the API spec — these are
business parameters with API-specific meaning (e.g. "the region to create this resource in").
The global --region-id and the API's RegionId serve different purposes, but they would
collide on the command line.
The plugin system resolves this automatically during code generation:
- 1.
--biz- prefix (default): the API parameter RegionId becomes �INLINECODE51 --<product>- prefix (fallback): if --biz-region-id is already taken by another
parameter, the plugin falls back to
--<product>-region-id (e.g.
--ecs-region-id)
This means in plugin commands, --region-id is always the global endpoint selector, and
the business region is --biz-region-id (or --<product>-region-id). Using --region-id where
you meant the business parameter silently changes the endpoint without setting the intended field.
Always check --help to see the actual parameter name — it is the authoritative source for
whether a given command uses --biz-region-id, --<product>-region-id, or something else.
6. Use structured parameter syntax
Plugins support structured input that the framework serializes automatically. This avoids
the error-prone legacy --Tag.N.Key / --Param.N=value syntax.
Primitives and lists:
CODEBLOCK10
Key-value objects and repeatable structures:
CODEBLOCK11
Check --help for each command — it shows the exact type, structure fields, and whether a
parameter is repeatable.
7. OSS uses custom commands
Unlike other products, OSS has a hand-written implementation with custom command syntax.
API-style commands like PutBucket or GetObject do not exist for OSS — using them will fail
silently or produce confusing errors. Always check help first:
CODEBLOCK12
The lines below are syntax examples only (<your-*> placeholders). Do not run them verbatim — substitute real paths, bucket names, and file names before executing.
CODEBLOCK13
8. Filter and format output
Use --cli-query (JMESPath) to extract specific fields from API responses, and --output
to control the format. This avoids piping large JSON blobs through external tools:
CODEBLOCK14
9. Pagination
Many list commands return paginated results. Use --page-number and --page-size to control:
CODEBLOCK15
To fetch all pages automatically without manual loops, use --pager:
CODEBLOCK16
The path argument specifies which JSON field contains the page data to merge.
10. Wait for resource state
Some commands support built-in waiters for automation — poll until a resource reaches the desired state:
CODEBLOCK17
11. Debugging
When troubleshooting command failures, these flags reveal what's happening under the hood — the full HTTP request/response and parameter validation details:
- -
--log-level debug — detailed request/response logs (shows endpoint, serialized params, response) - INLINECODE76� — validate command without executing (checks parameter parsing)
- INLINECODE77� — environment variable to set log level globally
For 403, Forbidden, NoPermission, or other RAM-style denials, the identity behind the credentials lacks permission for the underlying API action. See ./references/ram-policies.md for the skill’s required_permissions table, on-demand authorization, and how to narrow permissions.
12. Multi-version API support
Some products (e.g. ESS, SLB) ship multiple API versions with different command sets and
capabilities. Using the wrong version may cause missing parameters, deprecated behavior, or
entirely different command availability. Not all products have multiple versions — if
list-api-versions returns an error, the product is single-version and no action is needed.
Discover versions
CODEBLOCK18
Example output (ESS):
CODEBLOCK19
The * marks the default version. Each version may expose a different set of commands — newer
versions often add commands or change parameter names.
Specify version per command
CODEBLOCK20
Set a default version via environment variable
To avoid passing --api-version on every call, set the default for a product:
CODEBLOCK21
The pattern is ALIBABA_CLOUD_<PRODUCT_CODE>_API_VERSION (product code in uppercase).
This is especially useful in scripts or CI/CD where you want consistent version behavior
across multiple commands.
View commands for a specific version
Different API versions may have different command sets. To see what's available:
CODEBLOCK22
When to specify version
- - Default version works for most cases — only specify when you need features from a newer version
- Check
--help output — if a parameter you expect is missing, it may exist in a different version - Pinning versions in scripts — use the environment variable to ensure reproducible behavior
Global Flags Reference
These flags are available on all plugin commands:
| Flag | Purpose |
|---|
| INLINECODE85 | API endpoint region (global, not business region) |
| INLINECODE86 |
Use a named credential profile |
|
--api-version <ver> | Override API version for this command |
|
--output json\|table\|cols=... | Response format |
|
--cli-query <jmespath> | JMESPath filter on response |
|
--log-level debug | Verbose request/response logging |
|
--cli-dry-run | Validate without executing |
|
--endpoint <url> | Override service endpoint |
|
--retry <n> | Retry count for failed requests |
|
--quiet | Suppress output |
|
--pager | Auto-merge all pages for pageable APIs |
Common Workflows
ECS Instances
CODEBLOCK23
The create-instance example below provisions billable resources (fixed image ID, instance type, and disk as illustration). Do not run it verbatim — adjust region, image, type, disks, network, and tags for your account and policies before executing.
CODEBLOCK24
Function Compute (ROA Body Expansion)
CODEBLOCK25
The block below is a syntax example (<your-function-name> and other values are illustrative). Do not run verbatim — set the real function name, runtime, handler, memory, timeout, and add any required VPC or service role settings for your environment. Plugin commands expand ROA body fields into individual params (no --body JSON needed).
CODEBLOCK26
Multi-Version API (ESS)
CODEBLOCK27
Response Format
When providing CLI commands:
- 1. Explain what the command does and why specific parameters are used
- Show the complete command with all required parameters
- Call out non-obvious values — especially
--biz- prefixed parameters and their reason - Suggest
--log-level debug when the user is troubleshooting - For API calls, ensure
ALIBABA_CLOUD_USER_AGENT=AlibabaCloud-Agent-Skills is set in the same shell or inlined before aliyun (see User-Agent (this skill))
References
- -
./references/installation-guide.md — Installation, configuration modes, credential setup - INLINECODE104� — Complete command syntax guide
- INLINECODE105� — Global flags reference
- INLINECODE106� — On-demand RAM, least privilege, common permission errors
Aliyun CLI 专家
指导用户使用 aliyun 命令行工具高效管理阿里云资源。
所需权限:参见 ./references/ram-policies.md(## required_permissions 部分)。根据其他 CLI 命令的需要按需扩展权限。
使用说明
用户代理(本技能)
任何遵循本技能调用阿里云 API 的 aliyun 调用必须使用以下方式标识客户端:
bash
export ALIBABACLOUDUSER_AGENT=AlibabaCloud-Agent-Skills
在后续命令中使用同一个 shell,或为单次运行添加前缀:ALIBABACLOUDUSER_AGENT=AlibabaCloud-Agent-Skills aliyun ...。仅在不调用云 API 的步骤中可省略此设置(例如在任何 API 调用前通过本地 aliyun configure 浏览器 OAuth 设置)。当向用户提供可复制粘贴的代码块时,在代码块顶部包含一次 export(或在每个 aliyun 行添加内联前缀)。
以下示例假设每当 aliyun 命令调用 API 时都已设置 ALIBABACLOUDUSER_AGENT。
1. 安装和配置 CLI
如果用户尚未安装或配置 CLI,引导他们完成设置。
完整详情参见 ./references/installation-guide.md。快速路径:
bash
安装或更新(macOS / Linux — 单条命令)
/bin/bash -c $(curl -fsSL --connect-timeout 10 --max-time 120 https://aliyuncli.alicdn.com/setup.sh)
OAuth(浏览器登录)
当同一台机器上可以打开浏览器时(例如带有图形界面的本地桌面),优先使用 OAuth 而非存储 AccessKey 对:凭据不会以明文 AK/SecretKey 形式保存在配置中,并且登录可以使用 SSO。需要阿里云 CLI 3.0.299 或更高版本。不适合无头环境(例如没有本地浏览器的纯 SSH 服务器)。
交互式运行:
bash
aliyun configure --profile <您的配置文件名称> --mode OAuth
完整设置(管理员同意、RAM 身份分配、CN 与 INTL 站点)记录在为阿里云 CLI 配置 OAuth 认证和 ./references/installation-guide.md 中。
bash
通过环境变量设置凭据(自动化、CI/CD、无头环境或无法使用 OAuth 时)
export ALIBABA
CLOUDACCESS
KEYID=<密钥ID>
export ALIBABA
CLOUDACCESS
KEYSECRET=<密钥Secret>
export ALIBABA
CLOUDREGION_ID=cn-hangzhou
临时凭据(StsToken)— 添加:
export ALIBABACLOUDSECURITY_TOKEN=
使用本技能进行 API 调用时必须设置 — 参见上方用户代理(本技能)
export ALIBABA
CLOUDUSER_AGENT=AlibabaCloud-Agent-Skills
验证
aliyun version # 应 >= 3.3.0
aliyun ecs describe-regions # 测试认证
Aliyun CLI 3.3.0+ 支持所有已发布的阿里云产品插件。
认证模式(环境变量)
对于使用显式密钥或令牌(非 OAuth)的模式,根据部署环境选择合适的方式。设置后,这些环境变量会覆盖 ~/.aliyun/config.json 中的任何值。
| 模式 | 使用场景 | 环境变量 |
|---|
| AK | 开发环境、长期凭据 | ALIBABACLOUDACCESSKEYID、ALIBABACLOUDACCESSKEYSECRET、ALIBABACLOUDREGIONID |
| StsToken |
CI/CD、临时凭据 | 与 AK 相同,加上 ALIBABACLOUD
SECURITYTOKEN |
|
RamRoleArn | AssumeRole 或跨账号会话后 | 导出角色会话的临时凭据对:与
StsToken 相同的变量(AK + Secret + ALIBABA
CLOUDSECURITY_TOKEN) |
多账号或环境
每个 shell 会话、CI 任务或密钥存储使用独立的 export 块(不同的 ALIBABACLOUDACCESSKEYID / ALIBABACLOUDACCESSKEYSECRET / ALIBABACLOUDREGION_ID 值)。对于基于配置文件的工作流程,参见 ./references/installation-guide.md。
2. 在构造任何命令前查阅 --help
内置命令在不同 API 间存在不一致的参数命名 — 有些使用 PascalCase,有些使用 camelCase,且确切名称不可预测。猜测参数名称经常导致需要多次重试的错误。先运行 --help 只需几秒钟:
bash
aliyun <产品> --help # 发现可用的子命令
aliyun <产品> <子命令> --help # 获取确切的参数名称、类型、结构
帮助输出是权威来源。插件帮助尤其丰富 — 它包含每个参数的类型信息、结构字段、格式提示和约束。
当安装了插件时,aliyun <产品> --help 会自动显示插件帮助。要查看传统的内置(OpenAPI 风格)帮助:
bash
ALIBABACLOUDORIGINALPRODUCTHELP=true aliyun ecs --help
3. 确保服务插件可用
每个阿里云产品都有一个 CLI 插件。插件提供一致的 kebab-case 命令和全面的帮助信息,而传统内置系统命名不一致且帮助信息有限。如果知道要使用哪个产品,直接安装插件 — plugin install 是幂等的(即使已安装也可以安全运行):
bash
aliyun plugin install --names ecs # 安装(短名称,不区分大小写)
aliyun plugin install --names ECS VPC RDS # 同时安装多个
发现或验证插件:
bash
aliyun plugin list # 已安装的插件
aliyun plugin list-remote # 所有可用插件
aliyun plugin search <关键词> # 按关键词搜索
插件名称接受短格式(ecs)和完整格式(aliyun-cli-ecs),不区分大小写。
插件生命周期:
bash
aliyun plugin update --name ecs # 更新插件
aliyun plugin uninstall --name ecs # 移除插件
4. 优先使用插件命令而非内置命令
CLI 有两种命令风格,子命令的大小写决定了由哪个系统处理:
- - 全小写子命令 → 路由到插件(CLI Native 风格)
- 包含大写字母 → 路由到内置(OpenAPI 风格)
插件命令对子命令和参数都使用一致的 kebab-case 命名,使其可预测。内置命令使用 PascalCase 子命令,参数命名混合/不一致,因 API 而异 — 必须为每个命令检查 --help 才能知道确切的名称。
bash
插件(推荐):一致的 kebab-case
aliyun ecs describe-instances --biz-region-id cn-hangzhou
内置(备选):PascalCase 子命令,参数不一致
aliyun ecs DescribeInstances --RegionId cn-hangzhou
混合使用风格会导致静默失败 — CLI 根据子命令大小写路由到不同的后端。kebab-case 子命令配合 PascalCase 参数会被发送到插件系统,而插件系统不识别 PascalCase 参数名称。
产品代码始终不区分大小写(ecs、Ecs、ECS 都有效)。
| 方面 | 插件(CLI Native) | 内置(OpenAPI) |
|---|
| 子命令 | describe-instances | DescribeInstances |
| 参数 |
kebab-case(一致) | 混合(不一致) |
| ROA Body | 展开为独立参数 | 单个 --body JSON |
| 头部参数 | 在帮助中可见,可直接使用 | 隐藏,仅手动 --header |
| 帮助 | 包含结构的全面信息 | 基础信息 |
5. 理解全局参数与业务参数命名
CLI 插件系统保留某些全局参数供自身使用:
- - --region-id / --region — 控制请求发送到哪个 API 端点(例如 ecs.cn-hangzhou.aliyuncs.com)。这是路由问题,不是业务字段。
- 其他全局参数包括 --profile、--api-version、--output 等。
许多 API 也在 API 规范中定义了自己的 RegionId 或 Region 参数 — 这些是具有 API 特定含义的业务参数(例如要在其中创建此资源的区域)。全局
