PAI Workspace Management

Create, query, and list workspaces on Alibaba Cloud Platform for AI (PAI). Workspaces serve as isolated management units for AI model training, data processing, and related tasks.

Architecture: PAI AIWorkSpace (Workspace)

Workspace Modes:

- Simple Mode: Production environment only (prod)
Standard Mode: Development (dev) + Production (prod) environments

Installation

Pre-check: Aliyun CLI >= 3.3.1 required
Run aliyun version to verify >= 3.3.1. If not installed or version too low,
see references/cli-installation-guide.md for installation instructions.
Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

CODEBLOCK0

Credential Verification

Pre-check: Alibaba Cloud Credentials Required
Security Rules:

- NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use aliyun configure set with literal credential values
ONLY use aliyun configure list to check credential status

Sensitive Data Masking:

- The following fields in API responses contain personally identifiable information and MUST be masked before displaying to the user:

- Owner.UserId / Creator — Show only last 4 digits, e.g., ****1234
- Owner.UserKp — Never display, omit entirely
- Owner.UserName / Owner.DisplayName — Show only first character + ***, e.g., z***
- Accounts in AdminNames — Mask as u***@example.com format

- [MUST] Raw sensitive data MUST NOT appear in stdout, execution logs, on disk, or in the conversation: The execution framework logs ALL command stdout to execution logs/transcripts (e.g., ran-scripts/executed-actions.log). Therefore, EVERY execution of get-workspace or list-workspaces (including basic queries without --verbose) must include | jq -r pipe filtering — because Creator is always returned and is sensitive. There must be NO execution step where the raw API JSON appears in command output, even as an intermediate step. The | jq -r pipe must be part of a single pipeline command:

Basic query (without --verbose):
>   aliyun aiworkspace get-workspace --workspace-id <ID> --region <RegionId> \
>     --user-agent AlibabaCloud-Agent-Skills \
>     | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
>   Status: \(.Status)
>   Environment: \(.EnvTypes | join(", "))
>   Created: \(.GmtCreateTime)
>   Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)"'
>   
Verbose query (with --verbose true):
>   aliyun aiworkspace get-workspace --workspace-id <ID> --verbose true --region <RegionId> \
>     --user-agent AlibabaCloud-Agent-Skills \
>     | jq -r '"Workspace: \(.WorkspaceName) (ID: \(.WorkspaceId))
>   Status: \(.Status)
>   Owner: \(.Owner.UserName // "" | if length > 0 then .[0:1] + "***" else "N/A" end) (ID: \(.Owner.UserId // "" | if length > 0 then "****" + .[-4:] else "N/A" end))
>   Creator ID: \(.Creator // "" | if length > 0 then "****" + .[-4:] else "N/A" end)
>   Administrators: \(.AdminNames // [] | map(.[0:1] + "***") | join(", "))"'
>   
The raw API response flows through the pipe internally and never reaches shell stdout. Only jq's output (with masked values and natural language keys) is captured by the execution framework. The following are all prohibited:
- Running the CLI command without | jq pipe filtering — even for basic queries (the Creator field is always returned and sensitive)
- Two-step processing — running the CLI command first to get raw output, then separately masking it. The raw JSON would appear in the execution transcript before masking is applied. The | jq -r MUST be part of the same single pipeline command
- Capturing raw output to shell variables — e.g., response=$(aliyun ...) then echo "$response" | jq .... The variable assignment captures raw data into the execution log
- Output redirection (> file.json, >> file.log, | tee file)
- Executing commands via shell scripts saved to disk (e.g., ran-scripts/*.sh)
- Embedding raw API response data in any script or code file — e.g., writing a Python/shell script that contains raw JSON values as string literals, variables, or data structures (such as ran_scripts/process_workspace_data.py). All data processing must be done entirely within the | jq -r pipe; do NOT create intermediate processing scripts that contain raw data
- Displaying raw JSON snippets in the conversation

- [MUST] Original API field names MUST NOT be used as output keys: Even when values are masked, using original API field names (such as UserId, UserName, UserKp, AdminNames) as JSON keys or structured output key names in any output (conversation or files) is prohibited. Use natural language key names instead:

- UserId / Creator → Owner ID or Creator ID
- UserName → Username
- DisplayName → Display Name
- AdminNames → Administrators
Correct approach: EVERY execution of get-workspace or list-workspaces must be a single pipeline command with | jq -r appended. The Agent must NEVER run the CLI command first and then process the output in a separate step — the raw JSON would appear in the execution transcript before masking is applied. All data extraction, masking, and formatting must happen inside the jq filter. If saving to a file, redirect the jq output (not the CLI output) using > file.md at the end of the pipeline. This rule applies to ALL queries — basic, verbose, and list.
> aliyun configure list
> 
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.

1. Obtain credentials from Alibaba Cloud Console
Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
Return and re-run after aliyun configure list shows a valid profile

RAM Permissions

See references/ram-policies.md for required permissions (including Policy JSON and instructions).

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

1. Read references/ram-policies.md to get the full list of permissions required by this SKILL
Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, WorkspaceName, Description, EnvTypes, etc.)
MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

Parameter	Required/Optional	Description	Example
INLINECODE64	Required	Region ID (global parameter), must be specified by the user, do not use default values	INLINECODE65
INLINECODE66

Note: Once --resource-group-id is set, it cannot be modified via CLI/code. To change it, use the console or recreate the workspace.

Timeout Configuration

API calls support timeout configuration (in seconds):

Option 1: Command-line parameters (applies to the current command only):

- --connect-timeout <seconds> — Connection timeout
INLINECODE80 — I/O read timeout

Option 2: Persistent configuration (applies globally, written to current profile):
CODEBLOCK4

Command-line parameters take precedence over persistent configuration. If not set, the CLI uses built-in defaults. When encountering timeout or context deadline exceeded errors, increase --read-timeout (e.g., 30-60 seconds).

Core Workflow

See references/related-commands.md for all CLI command templates and parameter details.

Prerequisite: Region Selection and PAI Activation Check

[MUST] Do not use a default region: The Agent must not assume or use a default region. It must explicitly ask the user which region to use.
[MUST] Check PAI activation on first use of a region: After the user specifies a region (or the first time a region is used in a session), the Agent must call list-products to check whether PAI is activated in that region before executing any subsequent workspace operations.

Step 1: Confirm Region

Ask the user which region to use. If the user has not specified one, provide the list of common regions for selection (see the Common Region IDs table in references/related-commands.md). Do not automatically select a default region.

Step 2: Check PAI Activation Status

Use aliyun aiworkspace list-products to check whether PAI and its dependent products are activated in the user-specified region:

CODEBLOCK5

Step 3: Handle Check Results

Inspect the returned Products array for the matching product entry:

Decision logic:

1. IsPurchased == true → PAI is activated, proceed with subsequent workflows
IsPurchased == false → PAI is not activated, guide the user to activate:

- Check the HasPermissionToPurchase field:
- true → User has permission. Show the PurchaseUrl link and prompt the user to complete activation in the console before continuing
- false → User lacks permission (requires the primary account or a RAM user with pai:CreateOrder permission). Inform the user to contact the primary account administrator
- Do not proceed with creating/querying workspaces when PAI is not activated

Workflow 1: Create Workspace (CreateWorkspace)

Use aliyun aiworkspace create-workspace to create a workspace. Required parameters: --region, --workspace-name, --description, --env-types. Simple mode uses --env-types prod, standard mode uses --env-types dev prod. Optionally add --display-name and --resource-group-id.

Step 1: Input Parameter Validation

[MUST] Parameter format validation: Before calling the API, the Agent must validate user-provided parameters as follows. If validation fails, prompt the user to correct the input. Do not submit non-compliant parameters:
Parameter Validation Rules Example
INLINECODE105 3-23 characters, must start with a letter, may only contain letters, digits, and underscores (_). Hyphens (-), spaces, Chinese characters, and other special characters are not allowed INLINECODE108
INLINECODE109
Max 80 characters, wrap with quotes if containing special characters | "My AI workspace" |
| --env-types | Must be prod or dev prod, list format | prod |
| --display-name | Optional, no strict format restrictions | My Workspace |

Parameter	Validation Rules	Example
INLINECODE105	3-23 characters, must start with a letter, may only contain letters, digits, and underscores (`_`). Hyphens (`-`), spaces, Chinese characters, and other special characters are not allowed	INLINECODE108
INLINECODE109

Step 2: Name Existence Check (check-then-act idempotency pattern)

[MUST] Idempotency guarantee: The CreateWorkspace API does not support ClientToken, so idempotency is ensured via a check-then-act pattern. Before creating, you must call list-workspaces --option CheckWorkspaceExists --workspace-name <name> to check if the name already exists.
Decision logic:

- TotalCount == 0 → Name is available, proceed to Step 3 to create
INLINECODE119 → Name already exists, perform the following:

1. Extract the existing WorkspaceId from the returned Workspaces[0]
2. Call get-workspace --workspace-id <id> to get full details
3. Compare the existing workspace's key parameters (EnvTypes, Description, etc.) with the current request parameters
4. Match → Treat as already created, return the existing WorkspaceId directly, do not recreate
5. Mismatch → Inform the user that the name is already taken with a different configuration, ask the user to choose a different name

Step 3: Execute Creation

After parameter validation passes and the name does not exist, execute the create-workspace command. On success, a WorkspaceId is returned. If the creation returns a WorkspaceNameAlreadyExists error (concurrent scenario), handle it using the TotalCount >= 1 logic from Step 2.

Workflow 2: Get Workspace Details (GetWorkspace)

[MUST] Single workspace queries must use get-workspace: When querying the details of one specific workspace, you must use aliyun aiworkspace get-workspace --workspace-id <id>. Do not use list-workspaces --workspace-ids as a substitute. get-workspace calls the GetWorkspace API and returns the complete details of a single workspace.

Only accepts --workspace-id (required) and --verbose (optional). The region is specified via the global --region parameter. A Status of ENABLED indicates the workspace is ready.

[MUST] --verbose true trigger rules: --verbose true returns Owner (UserKp, UserId, UserName, DisplayName) and AdminNames (admin account list). The Agent must follow these rules:

1. Trigger conditions — When the user's request involves any of the following keywords, --verbose true must be appended when constructing the command (determined before calling the API, not dependent on API success):

- Chinese keywords: 所有者, 拥有者, 创建者, 管理员, 负责人, 归属
- English keywords: owner, admin, administrator, verbose
- Field names: Owner, AdminNames

2. When not triggered — When the user only queries basic info (status, environment types, etc.), do not append INLINECODE142
Masking rules — UserId/Creator: last 4 digits only (****1234); UserKp: omit entirely; UserName/DisplayName: first character only (z***); AdminNames entries: INLINECODE145
No raw sensitive data in stdout, execution logs, on disk, or in output — EVERY execution of get-workspace (with or without --verbose) or list-workspaces must be a single pipeline command with | jq -r appended. The Agent must NEVER run the CLI command first and then mask the output separately — the raw JSON would appear in the execution transcript. No two-step processing, no variable capture (response=$(aliyun ...)), no intermediate scripts. All masking must happen inside the jq filter of the same pipeline. See the Sensitive Data Masking section and references/related-commands.md for templates

[MUST] 404 error handling: When get-workspace returns StatusCode: 404, Code: 100400027, Message: Workspace not exists, the workspace ID does not exist. The Agent must directly report to the user that the workspace does not exist, including the original workspace-id specified by the user. Do not fall back to list-workspaces or other APIs to try to "find" the workspace after receiving a 404. Do not silently ignore the error. If the user subsequently provides a new workspace-id, the Agent must retry get-workspace with the same parameters as the initial call (including --verbose true, etc.).

Workflow 3: List Workspaces (ListWorkspaces)

Use aliyun aiworkspace list-workspaces to list workspaces. Supports the following filter and sort parameters:

- --workspace-name <name> — Fuzzy match by name
INLINECODE160 — Batch query by ID list, comma-separated (e.g., --workspace-ids "123,456,789")
INLINECODE162 — Filter by status, enum values (all uppercase): ENABLED | INITIALIZING | FAILURE | DISABLED | FROZEN | INLINECODE168
INLINECODE169 — Sort field (case-sensitive): GmtCreateTime (default) | INLINECODE171
INLINECODE172 — Sort direction (all uppercase): ASC (default) | INLINECODE174
INLINECODE175 / --page-size <n> — Pagination parameters
INLINECODE177 — Get resource limit information instead of workspace list
INLINECODE178 — Check if a workspace with the specified name already exists (pre-creation check, use with --workspace-name)

[MUST] API selection rules: Use get-workspace --workspace-id (GetWorkspace API) for querying a single ID; use list-workspaces --workspace-ids "id1,id2,..." for querying multiple IDs (2 or more) in a single batch query (ListWorkspaces API). Do not call get-workspace individually for each ID.
[MUST] Batch query results are final: The Workspaces array returned by list-workspaces --workspace-ids already contains complete information for each workspace (Status, EnvTypes, GmtCreateTime, etc.). Do not call get-workspace for any ID in the batch results to get additional details. If some IDs are not in the response, those IDs do not exist — report this to the user directly.

[MUST] Enum values are case-sensitive: --sort-by must be GmtCreateTime or GmtModifiedTime (camelCase), --order must be ASC or DESC (all uppercase), --status must be all uppercase like ENABLED. Using incorrect casing (e.g., desc, gmtCreateTime, enabled) will cause API errors or unexpected results.

[MUST] ListWorkspaces sensitive field masking: Each workspace object returned by list-workspaces always contains Creator (creator user ID) and AdminNames (admin account list) — no --verbose true needed. The Agent must mask these fields when displaying (Creator: last 4 digits only; AdminNames: first character + ***). Do not output JSON containing the raw values, and do not save raw responses to files via redirection (> file) or scripts.

Success Verification

Verification Target	Method	Success Criteria
WorkspaceId returned	Parse create command response	INLINECODE205 is not empty
Workspace status is normal

See references/verification-method.md for detailed verification methods

Cleanup (Delete Workspace)

Warning: Deleting a workspace is an irreversible operation that removes all resources within it. Proceed with caution.
Note: Workspace deletion cannot be performed directly via CLI (the aiworkspace plugin does not currently support delete-workspace). Use the following methods:

1. Console deletion: Log in to PAI Console -> Workspace List -> Select workspace -> Delete
API call: Use the DELETE /api/v1/workspaces/{WorkspaceId} endpoint (via SDK or direct HTTP call)

Best Practices

1. Naming conventions: Use project names or team identifier prefixes for WorkspaceName, e.g., nlp_prod, cv_dev (note: hyphens are not supported, use underscores)
Environment selection: Use standard mode (dev + prod) for production projects to separate development and production resources
Description: Description should indicate the purpose, team, or project for easier management
Region selection: Choose the region closest to your data storage to minimize data transfer latency
Resource group management: Use different resource groups for multi-project scenarios to facilitate cost allocation and permission management
DisplayName: Use business-friendly names as the display name while using English identifiers for WorkspaceName

Reference Documentation

Document	Description
references/ram-policies.md	RAM permission policies, Policy JSON, and instructions
references/related-commands.md

PAI 工作空间管理

在阿里云人工智能平台（PAI）上创建、查询和列出工作空间。工作空间作为AI模型训练、数据处理及相关任务的隔离管理单元。

架构：PAI AIWorkSpace（工作空间）

工作空间模式：

- 简单模式：仅生产环境（prod）
标准模式：开发环境（dev）+ 生产环境（prod）

安装

前置检查：需要 Aliyun CLI >= 3.3.1
运行 aliyun version 验证版本是否 >= 3.3.1。如果未安装或版本过低，
请参阅 references/cli-installation-guide.md 获取安装说明。
然后[必须]运行 aliyun configure set --auto-plugin-install true 以启用自动插件安装。

bash
aliyun version
aliyun configure set --auto-plugin-install true

凭证验证

前置检查：需要阿里云凭证
安全规则：

- 绝对不要读取、回显或打印AK/SK值（例如，echo $ALIBABACLOUDACCESSKEYID 是被禁止的）
绝对不要要求用户在对话或命令行中直接输入AK/SK
绝对不要使用带有字面凭证值的 aliyun configure set
仅使用 aliyun configure list 检查凭证状态

敏感数据脱敏：

- API响应中的以下字段包含个人身份信息，必须在显示给用户前进行脱敏：

- Owner.UserId / Creator — 仅显示最后4位，例如 1234
- Owner.UserKp — 绝不显示，完全省略
- Owner.UserName / Owner.DisplayName — 仅显示首字符 + ，例如 z
- AdminNames 中的账户 — 脱敏为 u*@example.com 格式

- [必须] 原始敏感数据不得出现在标准输出、执行日志、磁盘或对话中：执行框架会将所有命令的标准输出记录到执行日志/记录中（例如 ran-scripts/executed-actions.log）。因此，每次执行 get-workspace 或 list-workspaces（包括不带 --verbose 的基本查询）都必须包含 | jq -r 管道过滤——因为 Creator 始终会被返回且是敏感的。不能有任何执行步骤让原始API JSON出现在命令输出中，即使是作为中间步骤。| jq -r 管道必须是单条管道命令的一部分：

基本查询（不带 --verbose）：
bash
aliyun aiworkspace get-workspace --workspace-id --region \
--user-agent AlibabaCloud-Agent-Skills \
| jq -r 工作空间: \(.WorkspaceName) (ID: \(.WorkspaceId))
状态: \(.Status)
环境: \(.EnvTypes | join(, ))
创建时间: \(.GmtCreateTime)
创建者ID: \(.Creator // | if length > 0 then + .[-4:] else N/A end)

详细查询（带 --verbose true）：
bash
aliyun aiworkspace get-workspace --workspace-id --verbose true --region \
--user-agent AlibabaCloud-Agent-Skills \
| jq -r 工作空间: \(.WorkspaceName) (ID: \(.WorkspaceId))
状态: \(.Status)
所有者: \(.Owner.UserName // | if length > 0 then .[0:1] + else N/A end) (ID: \(.Owner.UserId // | if length > 0 then * + .[-4:] else N/A end))
创建者ID: \(.Creator // | if length > 0 then + .[-4:] else N/A end)
管理员: \(.AdminNames // [] | map(.[0:1] + *) | join(, ))

原始API响应在管道内部流转，永远不会到达shell标准输出。只有 jq 的输出（包含脱敏值和自然语言键）会被执行框架捕获。以下所有操作均被禁止：
- 运行CLI命令时不带 | jq 管道过滤——即使是基本查询（Creator 字段始终返回且敏感）
- 两步处理——先运行CLI命令获取原始输出，然后单独进行脱敏。原始JSON会在脱敏前出现在执行记录中。| jq -r 必须是同一条管道命令的一部分
- 将原始输出捕获到shell变量——例如 response=$(aliyun ...) 然后 echo $response | jq ...。变量赋值会将原始数据捕获到执行日志中
- 输出重定向（> file.json、>> file.log、| tee file）
- 通过保存到磁盘的shell脚本执行命令（例如 ran-scripts/*.sh）
- 将原始API响应数据嵌入任何脚本或代码文件中——例如编写包含原始JSON值作为字符串字面量、变量或数据结构的Python/shell脚本（例如 ranscripts/processworkspace_data.py）。所有数据处理必须完全在 | jq -r 管道内完成；不要创建包含原始数据的中间处理脚本
- 在对话中显示原始JSON片段

- [必须] 不得使用原始API字段名作为输出键：即使值已被脱敏，在任何输出（对话或文件）中使用原始API字段名（如 UserId、UserName、UserKp、AdminNames）作为JSON键或结构化输出键名是被禁止的。请改用自然语言键名：

- UserId / Creator → 所有者ID 或创建者ID
- UserName → 用户名
- DisplayName → 显示名称
- AdminNames → 管理员
正确做法：每次执行 get-workspace 或 list-workspaces 都必须是一条带有 | jq -r 的单条管道命令。Agent绝不能先运行CLI命令再单独处理输出——原始JSON会在脱敏前出现在执行记录中。所有数据提取、脱敏和格式化都必须在 jq 过滤器中完成。如果需要保存到文件，请在管道末尾使用 > file.md 重定向 jq 的输出（而不是CLI输出）。此规则适用于所有查询——基本查询、详细查询和列表查询。
bash
aliyun configure list

检查输出中是否存在有效的配置文件（AK、STS或OAuth身份）。
如果没有有效的配置文件，请在此处停止。

1. 从阿里云控制台获取凭证
在此会话之外配置凭证（通过终端中的 aliyun configure 或shell配置文件中的环境变量）
在 aliyun configure list 显示有效配置文件后返回并重新运行

RAM权限

请参阅 references/ram-policies.md 了解所需权限（包括策略JSON和说明）。

[必须] 权限失败处理： 当任何命令或API调用在执行过程中因权限错误而失败时，请遵循以下流程：

1. 阅读 references/ram-policies.md 获取此技能所需权限的完整列表
使用 ram-permission-diagnose 技能指导用户请求必要的权限
暂停并等待，直到用户确认已授予所需权限

参数确认

重要提示：参数确认 — 在执行任何命令或API调用之前，
所有用户可自定义的参数（例如 RegionId、WorkspaceName、Description、EnvTypes 等）
必须与用户确认。未经用户明确批准，不得假定或使用默认值。

参数	必需/可选	描述	示例
--region	必需	地域ID（全局参数），必须由用户指定，不要使用默认值	cn-hangzhou
--workspace-name

alibabacloud-pai-workspace-manage阿里云PAI工作台管理