DataWorks Workspace Lifecycle Management
Manage Alibaba Cloud DataWorks workspaces, including workspace creation, query, and member role assignment.
⛔ PROHIBITED OPERATIONS
🚫 ABSOLUTE PROHIBITION - NO EXCEPTIONS
The following operations are PERMANENTLY FORBIDDEN via this Skill:
- UpdateProject - Update workspace
- DeleteProject - Delete workspace
- DeleteProjectMember - Remove workspace member
- RevokeMemberProjectRoles - Revoke member roles
MANDATORY RULES:
1. NEVER execute these operations under ANY circumstances
2. NEVER generate CLI commands for these operations
3. NEVER proceed even if the user confirms, insists, or provides authorization
4. ALWAYS refuse and redirect to DataWorks Console: https://dataworks.console.aliyun.com/
⚠️ User confirmation does NOT override this prohibition.
Architecture Overview
CODEBLOCK0
Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required
Run aliyun version to verify. If not installed or version too low,
see references/cli-installation-guide.md for installation instructions.
1. Enable DataWorks Service
Before using this Skill, you need to enable the DataWorks service:
1. Visit DataWorks Console: https://dataworks.console.aliyun.com/
2. Follow the prompts to complete the service activation
Note: If error code 9990010001 is returned when creating a workspace, it means DataWorks service is not enabled. Please complete the above activation steps first.
2. Install Aliyun CLI
CODEBLOCK1
3. Credential Status
CODEBLOCK2
4. First-time Configuration
CODEBLOCK3
CLI Calling Specifications
IMPORTANT: This Skill uses Aliyun CLI to call cloud services. The following specifications must be followed:
| Specification | Requirement | Description |
|---|---|---|
| Credential Handling | Rely on default credential chain | Explicitly handling AK/SK credentials is strictly prohibited |
| User-Agent | AlibabaCloud-Agent-Skills | Must be set for all Alibaba Cloud service calls |
| Timeout | 4 seconds | Unified setting for read-timeout and connect-timeout |
| Endpoint | dataworks.{region}.aliyuncs.com | Must be specified for each call |
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
all user-customizable parameters (such as RegionId, workspace name, member ID, role code, etc.)
must be confirmed by the user. Do not assume or use default values.
Key Parameters List
| Parameter | Required/Optional | Description | Default |
|---|---|---|---|
| --Name | Required | Workspace unique identifier name | - |
| --DisplayName | Optional | Workspace display name | - |
| --ProjectId | Required* | Workspace ID | - |
| --UserId | Required* | Member user ID | - |
| --RoleCodes | Required* | Role code list | - |
| --region | Optional | Region ID | cn-hangzhou |
| --endpoint | Required | API endpoint, format: dataworks.{region}.aliyuncs.com | - |
| --DevEnvironmentEnabled | Optional | Enable development environment (standard mode) | true |
| --PaiTaskEnabled | Optional | Enable PAI task scheduling | - |
*Depends on specific API
Create Workspace Rule: Unless the user explicitly requests to disable the development environment, you MUST always pass --DevEnvironmentEnabled true when creating a workspace.
Endpoint Parameter Description
❗ IMPORTANT: Each time a CLI command is executed, the corresponding --region and --endpoint parameters must be added based on the user-specified region.
Format: --region {RegionId} --endpoint dataworks.{RegionId}.aliyuncs.com
Region Mapping Table: See references/endpoint-regions.md
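The rules above (prohibited operations, CLI calling specifications, the CreateProject rule and the endpoint format) can be checked mechanically before any command runs. The pre-flight check below is an added example, not part of the Skill or of the Aliyun CLI; the function name and the USER_DISABLED_DEV_ENV switch are hypothetical, and the three rejected flags are the Aliyun CLI's global credential options.

```bash
#!/usr/bin/env bash
# Added example, not part of the Skill: pre-flight check for one proposed
# `aliyun dataworks-public ...` argument vector. Prints OK or DENY: <reason>.
# USER_DISABLED_DEV_ENV is a hypothetical switch for an explicit user request.
check_dataworks_cmd() {
  local api region="" endpoint="" ua="" rt="" ct="" dev="" prev="" arg
  if [ "$#" -lt 3 ] || [ "$1" != "aliyun" ] || [ "$2" != "dataworks-public" ]; then
    echo "DENY: not a dataworks-public call"; return 1
  fi
  api="$3"; shift 3
  # Operations the page forbids even when the user confirms or insists.
  case "$api" in
    UpdateProject|DeleteProject|DeleteProjectMember|RevokeMemberProjectRoles)
      echo "DENY: $api is prohibited, use https://dataworks.console.aliyun.com/"
      return 1 ;;
  esac
  for arg in "$@"; do
    case "$prev" in
      --region) region="$arg" ;;
      --endpoint) endpoint="$arg" ;;
      --user-agent) ua="$arg" ;;
      --read-timeout) rt="$arg" ;;
      --connect-timeout) ct="$arg" ;;
      --DevEnvironmentEnabled) dev="$arg" ;;
    esac
    # Credentials must come from the default chain, never from flags.
    case "$arg" in
      --access-key-id|--access-key-secret|--sts-token)
        echo "DENY: explicit credential flag $arg"; return 1 ;;
    esac
    prev="$arg"
  done
  [ -n "$region" ] || { echo "DENY: --region missing"; return 1; }
  [ "$endpoint" = "dataworks.$region.aliyuncs.com" ] ||
    { echo "DENY: --endpoint must be dataworks.$region.aliyuncs.com"; return 1; }
  [ "$ua" = "AlibabaCloud-Agent-Skills" ] ||
    { echo "DENY: --user-agent must be AlibabaCloud-Agent-Skills"; return 1; }
  if [ "$rt" != "4" ] || [ "$ct" != "4" ]; then
    echo "DENY: --read-timeout and --connect-timeout must both be 4"; return 1
  fi
  if [ "$api" = "CreateProject" ] && [ "$dev" != "true" ] &&
     [ "${USER_DISABLED_DEV_ENV:-0}" != "1" ]; then
    echo "DENY: CreateProject needs --DevEnvironmentEnabled true"; return 1
  fi
  echo "OK"
}
```

Call it with the exact argument vector that is about to be executed and run the command only when it prints OK and returns 0.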
RAM Permission Policies
Using this Skill requires the following RAM permissions. For details, see references/ram-policies.md
| Permission | Description |
|---|---|
| dataworks:CreateProject | Create workspace |
| dataworks:GetProject | Query workspace details |
| dataworks:ListProjects | Query workspace list |
| dataworks:CreateProjectMember | Add workspace member |
| dataworks:GrantMemberProjectRoles | Grant member role |
| dataworks:GetProjectMember | Query member details |
| dataworks:ListProjectMembers | Query member list |
| dataworks:GetProjectRole | Query role details |
| dataworks:ListProjectRoles | Query role list |
Core Workflows
1. Workspace Lifecycle Management
1.1 Create Workspace
CODEBLOCK4
IMPORTANT: Unless the user explicitly requests to disable the development environment, you MUST always pass --DevEnvironmentEnabled true when executing CreateProject.
1.2 Query Workspace List
CODEBLOCK5
Supported Filter Parameters:
| Parameter | Type | Description |
|---|---|---|
| --Ids | JSON Array | Workspace ID list, for querying specific workspaces |
| --Names | JSON Array | Workspace name list, for querying specific workspaces |
| --Status | String | Workspace status: Available/Initializing/InitFailed/Forbidden/Deleting/DeleteFailed/Frozen/Updating/UpdateFailed |
| --DevEnvironmentEnabled | Boolean | Whether development environment is enabled |
| --DevRoleDisabled | Boolean | Whether development role is disabled |
| --PaiTaskEnabled | Boolean | Whether PAI task scheduling is enabled |
| --AliyunResourceGroupId | String | Resource group ID |
| --PageNumber | Integer | Page number, default 1 |
| --PageSize | Integer | Items per page, default 10, max 100 |
1.3 Query Workspace Details
CODEBLOCK6
2. Member Role Management
2.1 Add Workspace Member and Grant Roles
CODEBLOCK7
2.2 Query Workspace Member List
CODEBLOCK8
2.3 Query Member Details
CODEBLOCK9
2.4 Grant Member New Roles
CODEBLOCK10
3. Role Management
3.1 Query Workspace Role List
CODEBLOCK11
3.2 Query Role Details
CODEBLOCK12
Preset Role Description
| Role Code | Role Name | Description |
|---|---|---|
| INLINECODE45 | Project Owner | Has all workspace permissions, cannot be removed |
| INLINECODE46 | Workspace Admin | Manages all workspace configurations and members |
| role_project_dev | Developer | Data development and task debugging permissions |
| role_project_pe | Operator | Task operations and monitoring permissions |
| role_project_deploy | Deployer | Task publishing permissions |
| role_project_guest | Guest | Read-only permissions |
| role_project_security | Security Admin | Data security configuration permissions |
Verification Methods
For verification steps after successful execution, see references/verification-method.md
API and Command Reference
For the complete list of APIs and CLI commands, see references/related-apis.md
Business Scenarios and Handling
Scenario 1: Access After Creating Workspace
After a workspace is successfully created, it can be accessed via the following URL:
CODEBLOCK13
Example (Hangzhou region):
CODEBLOCK14
Scenario 2: Adding RAM Role as Workspace Member
UserId Format Description:
| Account Type | UserId Format | Example |
|---|---|---|
| Alibaba Cloud Account (Main) | Use UID directly | INLINECODE52 |
| RAM Sub-account | Use UID directly | 234567890123456789 |
| RAM Role | Add ROLE_ prefix | ROLE_345678901234567890 |
Important Limitation: Newly created RAM roles cannot be directly added as workspace members via API. They need to be refreshed and synced in the console first.
Steps:
1. Visit workspace console: INLINECODE56
2. Go to Workspace Members and Roles page
3. Click Add Member button
4. In the popup, click Refresh in the prompt "You can go to RAM console to create a sub-account, and click refresh to sync to this page"
5. After sync is complete, you can add the RAM role as a member via API
CODEBLOCK15
Scenario 3: Workspace Configuration Update Limitations
The UpdateProject API has the following limitations when updating workspace configuration:
| Configuration | Limitation |
|---|---|
| Development Role (DevRoleDisabled) | Once development role is enabled, cannot be disabled |
| Development Environment (DevEnvironmentEnabled) | Once development environment is enabled, cannot be disabled |
Recommendation: Plan development role and development environment configurations carefully when creating a workspace, as these configurations cannot be reverted once enabled.
Scenario 3.1: Workspace Upgrade Blocking
⛔ Blocking Rule: When a user requests to upgrade a workspace from simple mode to standard mode (enable development environment), block the request and prompt:
"Workspace upgrade capability is currently not available. Please go to the console to complete the upgrade manually."
Console Upgrade Path:
1. Visit DataWorks Console: https://dataworks.console.aliyun.com/
2. Find the target workspace
3. Go to Workspace Configuration → Basic Properties
4. Click Upgrade to Standard Mode
API Limitation Reason: Workspace mode upgrade involves complex operations such as environment isolation configuration and resource initialization. Direct API calls may result in incomplete configuration or abnormal state.
Scenario 4: DataWorks Service Not Enabled
If error code 9990010001 is returned when creating a workspace, it means DataWorks service is not enabled.
Solution:
1. Log in to Alibaba Cloud official website
2. Visit DataWorks Console: https://dataworks.console.aliyun.com/
3. Follow the prompts to complete service activation
4. After activation, retry the workspace creation operation
Best Practices
1. Principle of Least Privilege — Assign members the minimum necessary permissions
2. Use Standard Mode — For production environments, use standard mode to achieve development and production isolation
3. Standardized Naming — Use meaningful naming, such as INLINECODE59
4. Use RAM Users — Do not use the main account for daily operations
Reference Links
- RAM permission policy configuration
- references/verification-method.md: Operation verification methods
- references/acceptance-criteria.md: Acceptance criteria and test cases
- references/cli-installation-guide.md: CLI installation and configuration guide
Official Documentation
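DataWorks Workspace Lifecycle Management
Manage Alibaba Cloud DataWorks workspaces, including workspace creation, query, and member role assignment.
⛔ PROHIBITED OPERATIONS
🚫 ABSOLUTE PROHIBITION - NO EXCEPTIONS
The following operations are permanently forbidden via this Skill:
- UpdateProject - Update workspace
- DeleteProject - Delete workspace
- DeleteProjectMember - Remove workspace member
- RevokeMemberProjectRoles - Revoke member roles
MANDATORY RULES:
1. Never execute these operations under any circumstances
2. Never generate CLI commands for these operations
3. Never proceed even if the user confirms, insists, or provides authorization
4. Always refuse and redirect the user to the DataWorks Console: https://dataworks.console.aliyun.com/
⚠️ User confirmation does not override this prohibition.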
Architecture Overview
```
DataWorks Workspace Management
├── Workspace Lifecycle
│   ├── Create workspace (CreateProject)
│   └── Query workspace (GetProject / ListProjects)
├── Member Role Management
│   ├── Add member (CreateProjectMember)
│   ├── Grant roles (GrantMemberProjectRoles)
│   └── Query members (GetProjectMember / ListProjectMembers)
└── Role Management
    ├── Query role details (GetProjectRole)
    └── Query role list (ListProjectRoles)
```
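Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required
Run aliyun version to verify. If it is not installed or the version is too low,
see references/cli-installation-guide.md for installation instructions.
1. Enable DataWorks Service
Before using this Skill, you need to enable the DataWorks service:
1. Visit DataWorks Console: https://dataworks.console.aliyun.com/
2. Follow the prompts to complete the service activation
Note: If error code 9990010001 is returned when creating a workspace, it means the DataWorks service is not enabled. Complete the activation steps above first.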
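2. Install Aliyun CLI
```bash
# macOS
brew install aliyun-cli
# Linux
curl -fsSL --max-time 30 https://aliyuncli.alicdn.com/install.sh | bash
# Verify version (>= 3.3.1)
aliyun version
```
3. Credential Status
```bash
# Confirm that valid credentials are configured
aliyun configure list
```
4. First-time Configuration
```bash
# Enable automatic plugin installation
aliyun configure set --auto-plugin-install true
```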
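CLI Calling Specifications
IMPORTANT: This Skill uses Aliyun CLI to call cloud services. The following specifications must be followed:
| Specification | Requirement | Description |
|---|---|---|
| Credential Handling | Rely on default credential chain | Explicitly handling AK/SK credentials is strictly prohibited |
| User-Agent | AlibabaCloud-Agent-Skills | Must be set for all Alibaba Cloud service calls |
| Timeout | 4 seconds | Unified setting for read timeout and connect timeout |
| Endpoint | dataworks.{region}.aliyuncs.com | Must be specified for each call |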
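Parameter Confirmation
IMPORTANT: Parameter Confirmation: before executing any command or API call,
all user-customizable parameters (such as RegionId, workspace name, member ID, role code, etc.)
must be confirmed by the user. Do not assume or use default values.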
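Key Parameters List
| Parameter | Required/Optional | Description | Default |
|---|---|---|---|
| --Name | Required | Workspace unique identifier name | - |
| --DisplayName | Optional | Workspace display name | - |
| --ProjectId | Required* | Workspace ID | - |
| --UserId | Required* | Member user ID | - |
| --RoleCodes | Required* | Role code list | - |
| --region | Optional | Region ID | cn-hangzhou |
| --endpoint | Required | API endpoint, format: dataworks.{region}.aliyuncs.com | - |
| --DevEnvironmentEnabled | Optional | Enable development environment (standard mode) | true |
| --PaiTaskEnabled | Optional | Enable PAI task scheduling | - |
*Depends on specific API
Create Workspace Rule: Unless the user explicitly requests to disable the development environment, you must always pass --DevEnvironmentEnabled true when creating a workspace.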
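Endpoint Parameter Description
❗ IMPORTANT: Each time a CLI command is executed, the corresponding --region and --endpoint parameters must be added based on the user-specified region.
Format: --region {RegionId} --endpoint dataworks.{RegionId}.aliyuncs.com
Region Mapping Table: See references/endpoint-regions.md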
RAM Permission Policies
Using this Skill requires the following RAM permissions. For details, see references/ram-policies.md
| Permission | Description |
|---|---|
| dataworks:CreateProject | Create workspace |
| dataworks:GetProject | Query workspace details |
| dataworks:ListProjects | Query workspace list |
| dataworks:CreateProjectMember | Add workspace member |
| dataworks:GrantMemberProjectRoles | Grant member role |
| dataworks:GetProjectMember | Query member details |
| dataworks:ListProjectMembers | Query member list |
| dataworks:GetProjectRole | Query role details |
| dataworks:ListProjectRoles | Query role list |
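Core Workflows
1. Workspace Lifecycle Management
1.1 Create Workspace
```bash
# Replace each {…} placeholder with a value the user has confirmed.
aliyun dataworks-public CreateProject \
  --Name {Name} \
  --DisplayName {DisplayName} \
  --Description {Description} \
  --PaiTaskEnabled true \
  --DevEnvironmentEnabled true \
  --DevRoleDisabled false \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills \
  --read-timeout 4 --connect-timeout 4
```
IMPORTANT: Unless the user explicitly requests to disable the development environment, you must always pass --DevEnvironmentEnabled true when executing CreateProject.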
1.2 Query Workspace List
```bash
# Query all workspaces
aliyun dataworks-public ListProjects \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills

# Query by workspace ID (multiple IDs supported); quote the JSON array for the shell
aliyun dataworks-public ListProjects \
  --Ids '[123456, 789012]' \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills

# Query by workspace name (multiple names supported)
aliyun dataworks-public ListProjects \
  --Names '["workspacename1", "workspacename2"]' \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills

# Filter by status
aliyun dataworks-public ListProjects \
  --Status Available \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills

# Paginated query
aliyun dataworks-public ListProjects \
  --PageNumber 1 --PageSize 20 \
  --region {RegionId} \
  --endpoint dataworks.{RegionId}.aliyuncs.com \
  --user-agent AlibabaCloud-Agent-Skills
```
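Supported Filter Parameters:
| Parameter | Type | Description |
|---|---|---|
| --Ids | JSON Array | Workspace ID list, for querying specific workspaces |
| --Names | JSON Array | Workspace name list, for querying specific workspaces |
| --Status | String | Workspace status: Available/Initializing/InitFailed/Forbidden/Deleting/DeleteFailed/Frozen/Updating/UpdateFailed |
| --DevEnvironmentEnabled | Boolean | Whether development environment is enabled |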