Alibaba Cloud Shell Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Developer Tools

by

Category

Developer Tools

1. Introduction

Alibaba Cloud Cloud Shell is a browser-based command-line environment that lets you manage Alibaba Cloud resources without installing tools or storing access keys on your own laptop.

In simple terms: you open Cloud Shell from the Alibaba Cloud console, get an instant Linux terminal, and run commands (for example, Alibaba Cloud CLI) to inspect and operate your cloud infrastructure.

Technically, Cloud Shell provides a managed shell session that is authenticated to your Alibaba Cloud identity (such as an Alibaba Cloud account or a RAM user). From that session you can call Alibaba Cloud APIs using command-line tools. This is especially useful for repeatable operations, quick troubleshooting, and learning-by-doing labs where you want a ready-to-use environment.

Cloud Shell solves common problems such as:

  • “I need the CLI right now, but I can’t install it on this machine.”
  • “I don’t want to download long-lived AccessKey secrets to my laptop.”
  • “I need a consistent, cloud-hosted admin terminal for my team and runbooks.”
  • “I’m on a locked-down corporate device but still need to automate cloud tasks.”

Service name note: Alibaba Cloud documentation refers to this service as Cloud Shell. If Alibaba Cloud renames or changes the service scope in the future, verify in official docs before standardizing internal runbooks.

2. What is Cloud Shell?

Official purpose (what it’s for)
Cloud Shell is an Alibaba Cloud Developer Tools service that provides an interactive shell environment in the browser for operating and automating Alibaba Cloud resources using command-line tools and scripts.

Core capabilities (what you can do)

  • Launch a managed terminal session from the Alibaba Cloud console
  • Use CLI tooling (commonly including Alibaba Cloud CLI) to call Alibaba Cloud APIs
  • Store and run scripts in a cloud-hosted environment
  • Perform operational tasks without managing local credentials and tool installation (credential handling and exact behavior should be verified in official docs)

Major components (conceptual)

  • Web terminal UI: Console-based entry point where you type commands
  • Managed shell runtime: A Linux environment hosted and managed by Alibaba Cloud
  • Identity and token injection: Uses your logged-in identity to authorize API calls (typically via temporary credentials/STS-like mechanisms; verify in official docs)
  • User workspace: A per-user working directory (persistence, size, retention, and quotas should be verified in official docs)
  • Outbound connectivity: Network path to Alibaba Cloud public service endpoints (and possibly other endpoints depending on policy; verify in official docs)

Service type
Cloud Shell is a managed, interactive development/operations tool (not an IaaS VM you administer). You do not manage the underlying OS image lifecycle or patching.

Scope: regional/global/account/project

  • Cloud Shell is accessed from the Alibaba Cloud console and is primarily account- and identity-scoped (your shell experience is tied to the identity that logs in).
  • API operations you run are still regional when the target service is regional (for example, ECS, VPC). You must pass the correct RegionId/region context in your commands.
  • Cloud Shell availability and the location/region of the shell runtime can vary; verify in official docs for region support and constraints.

How it fits into the Alibaba Cloud ecosystem

Cloud Shell sits alongside other operational and automation tools such as:

  • Alibaba Cloud CLI (command-line API client)
  • Resource Access Management (RAM) (identity and authorization)
  • ActionTrail (auditing of API calls)
  • Cloud Assistant / O&M tooling (remote command execution on ECS—different from Cloud Shell)
  • ROS (Resource Orchestration Service) and infrastructure-as-code tools (declarative provisioning)

Cloud Shell is best viewed as the “instant, authenticated admin terminal” for Alibaba Cloud.

3. Why use Cloud Shell?

Business reasons

  • Faster incident response and troubleshooting: No waiting for workstation setup; open Cloud Shell and execute known runbooks.
  • Reduced onboarding time: New engineers can run CLI commands without installing toolchains or configuring credentials.
  • Consistency across teams: A standard environment for operational scripts reduces “works on my machine” issues.

Technical reasons

  • Preconfigured access to Alibaba Cloud APIs: Avoids local CLI configuration drift (exact preconfiguration behavior should be verified in official docs).
  • Scriptability: Repeat tasks using shell scripts and CLI commands.
  • Portable operations: Works from any device that can access the Alibaba Cloud console.

Operational reasons

  • Centralized terminal for runbooks: Teams can document and execute runbooks using Cloud Shell as the baseline environment.
  • Lower operational friction: Useful for periodic tasks: inventory, compliance checks, backups validation, and resource cleanup.
  • Reduced dependency on jump hosts: For tasks that only need API access, Cloud Shell can reduce the need for maintaining bastion servers.

Security/compliance reasons

  • Avoid long-lived AccessKeys on laptops: Cloud Shell commonly reduces the need to store secrets locally by using console identity. However, the exact credential model and persistence must be verified in official docs.
  • Least privilege enforcement through RAM: The actions your shell can perform are still restricted by RAM policies.
  • Auditability: API calls generally appear in ActionTrail (terminal commands themselves are not necessarily audited; verify in official docs).

Scalability/performance reasons

  • Scales operational workflows via automation: Use scripts to manage fleets of resources.
  • Lightweight operations: Great for API-driven operations; not designed for heavy compute.

When teams should choose Cloud Shell

Choose Cloud Shell when you need:

  • A quick, authenticated shell for Alibaba Cloud operations
  • A standard place to run CLI-based automation and ad-hoc queries
  • A low-friction learning environment for Alibaba Cloud CLI and APIs

When teams should not choose it

Avoid Cloud Shell when you need:

  • Long-running compute workloads (use ECS, ACK, Batch Compute, Function Compute, etc.)
  • Private network-only access to resources without public endpoints (you may need VPN/Express Connect + a bastion host, or service-specific tooling like ECS Cloud Assistant; verify connectivity options)
  • Highly customized OS/tooling or privileged system access
  • Guaranteed performance/SLA characteristics beyond what the service provides (check official SLA/limits)

4. Where is Cloud Shell used?

Industries

Cloud Shell is broadly applicable wherever teams operate cloud resources, including:

  • SaaS and internet companies
  • Finance and fintech (subject to strict IAM and audit controls)
  • Gaming and media
  • Manufacturing and IoT (fleet operations, logging checks)
  • Education and research (hands-on labs with minimal setup)

Team types

  • Platform engineering and internal developer platforms
  • DevOps/SRE teams running operations and automation
  • Security engineering (inventory and policy checks)
  • Developers needing occasional cloud administration
  • Students learning Alibaba Cloud CLI and cloud operations

Workloads and architectures

Cloud Shell appears most often in:

  • API-driven infrastructure (ECS, VPC, OSS, RDS, SLB/ALB, RAM, etc.)
  • Kubernetes operations (for example, interacting with ACK from a safe terminal—ensure network access and kubeconfig handling are correct)
  • Multi-account governance (Resource Directory setups—inventory and compliance checks)
  • CI/CD support tasks (manual interventions, validation, rollback steps)

Real-world deployment contexts

  • Production operations: Controlled use for break-glass, verification, and runbook execution (with strict IAM and audit)
  • Dev/test: The most common use—quick provisioning, teardown, and experimentation
  • Training and enablement: Labs where students can run commands without installing toolchains

5. Top Use Cases and Scenarios

Below are realistic scenarios where Alibaba Cloud Cloud Shell fits well.

1) Instant Alibaba Cloud CLI environment for new engineers

  • Problem: Engineers waste hours installing and configuring tools (CLI, dependencies, credentials).
  • Why Cloud Shell fits: Provides a ready terminal from the console.
  • Example: A new SRE joins and immediately runs ECS inventory commands to understand the fleet.

2) Least-privilege operational runbooks

  • Problem: Shared jump boxes accumulate credentials and broad access over time.
  • Why Cloud Shell fits: Access is mediated by RAM policies tied to the user identity.
  • Example: A runbook to rotate OSS lifecycle rules is executed from Cloud Shell by on-call engineers with narrow permissions.

3) Resource inventory and compliance snapshot

  • Problem: You need a repeatable way to list resources across regions and produce evidence.
  • Why Cloud Shell fits: CLI + scripting in a central environment.
  • Example: Export a monthly CSV report of ECS instances (name, instance type, VPC, security group, tags).

4) Troubleshooting from a clean environment

  • Problem: A developer’s local machine has broken dependencies.
  • Why Cloud Shell fits: Known-good baseline environment (as managed by Alibaba Cloud).
  • Example: Verify whether AccessDenied is caused by RAM policy vs local credential misconfiguration.

5) Break-glass access with strong controls

  • Problem: During an incident, you need a controlled admin environment.
  • Why Cloud Shell fits: Operate from the console with MFA and auditing of API calls via ActionTrail.
  • Example: Temporarily detach a problematic SLB listener rule after validating change tickets.

6) Scripting repetitive cleanup for dev/test

  • Problem: Dev/test accounts accumulate unused resources and cost leaks.
  • Why Cloud Shell fits: Quick scripting to find and delete stale resources.
  • Example: Identify and delete unused EIPs older than 7 days (with safeguards).

7) OSS object operations without local configuration

  • Problem: Upload/download artifacts but you cannot install ossutil locally.
  • Why Cloud Shell fits: Run OSS-related CLI operations from the browser.
  • Example: Upload a diagnostic bundle to OSS for support review.

8) Rapid verification of RAM policy changes

  • Problem: You need to confirm a policy update fixes a permission issue.
  • Why Cloud Shell fits: Use the same identity to test API calls immediately.
  • Example: Test whether a RAM user can describe ECS instances but cannot terminate them.

9) Learning labs and workshops

  • Problem: Training attendees use different OS versions and can’t install tools.
  • Why Cloud Shell fits: Uniform entry point for workshops.
  • Example: Students learn Alibaba Cloud CLI basics by listing regions and resources.

10) Operational data gathering for support tickets

  • Problem: Support requires exact API outputs and timestamps.
  • Why Cloud Shell fits: Run commands, capture outputs, and upload to OSS.
  • Example: Collect ECS instance metadata and relevant configurations into a file.

11) Multi-region checks during migrations

  • Problem: You must confirm resources are aligned across regions during a migration.
  • Why Cloud Shell fits: Script loops across regions and collect output.
  • Example: Ensure security group rules are consistent between cn-hangzhou and ap-southeast-1.

12) Controlled access from restricted corporate networks

  • Problem: Corporate endpoints block package downloads and CLI use.
  • Why Cloud Shell fits: Only the console needs to be accessible.
  • Example: An engineer in a restricted network still executes ECS describe operations and checks billing tags.

6. Core Features

Cloud Shell feature sets evolve. The items below reflect common, documented capabilities for a managed cloud shell; verify exact current behavior and limits in official Cloud Shell docs.

1) Browser-based Linux terminal

  • What it does: Provides an interactive terminal session in the Alibaba Cloud console.
  • Why it matters: No local terminal tooling required.
  • Practical benefit: Works from any machine with a browser and console access.
  • Limitations/caveats: Sessions can time out; interactive work is not intended to run indefinitely.

2) Identity-based authentication to Alibaba Cloud APIs

  • What it does: Lets you call Alibaba Cloud APIs using your current console identity.
  • Why it matters: Reduces reliance on manually managed AccessKeys.
  • Practical benefit: Faster and safer CLI usage for day-to-day operations.
  • Limitations/caveats: Authorization is still controlled by RAM policies; you can only do what your identity is allowed to do.

3) Preinstalled command-line tooling (at minimum, Alibaba Cloud CLI)

  • What it does: Provides CLI tooling to interact with Alibaba Cloud services.
  • Why it matters: Eliminates installation and versioning friction.
  • Practical benefit: You can begin scripting immediately.
  • Limitations/caveats: Tool versions and available utilities can change. If you depend on a specific tool/version, verify in official docs and consider pinning in your own container/VM instead.

4) Workspace for files and scripts

  • What it does: Allows you to create files (scripts, outputs, reports) during your session.
  • Why it matters: Enables repeatable runbooks and lightweight automation.
  • Practical benefit: You can store and rerun scripts without moving them to a local machine.
  • Limitations/caveats: Persistence, retention, and size quotas vary; do not store sensitive long-term secrets in your workspace.

5) Convenience for API exploration and learning

  • What it does: Provides a low-barrier environment to test API calls.
  • Why it matters: Helps teams learn correct parameters, region behavior, and response formats.
  • Practical benefit: Faster development of automation scripts and operational checks.
  • Limitations/caveats: Use guardrails. Even “read-only” exploration can become impactful if scripts later include write operations.

6) Works well with auditing (ActionTrail) for API calls

  • What it does: API calls you execute can be captured by Alibaba Cloud audit services (commonly ActionTrail).
  • Why it matters: Supports governance and incident investigations.
  • Practical benefit: You can correlate operational changes with identities and timestamps.
  • Limitations/caveats: Cloud Shell terminal command history and keystrokes are not the same as API-level auditing; treat API auditing and terminal activity as separate concerns.

7. Architecture and How It Works

High-level service architecture

At a high level, Cloud Shell works like this:

  1. You authenticate to the Alibaba Cloud console (often with MFA and SSO if configured).
  2. You open Cloud Shell, which starts a managed shell session.
  3. Cloud Shell provides an environment where CLI tools can call Alibaba Cloud APIs.
  4. When you run a command (for example, aliyun ecs DescribeInstances), the CLI sends requests to the relevant Alibaba Cloud service endpoint.
  5. Authorization is evaluated via RAM policies for your identity (and any assumed roles).
  6. API activity can be audited via ActionTrail (for supported services/events).

Request/data/control flow (practical view)

  • Control plane operations: Most Cloud Shell usage is control plane (API calls) rather than data plane traffic.
  • Data plane operations: If you upload/download large objects to OSS or pull container images, that is data plane and may have bandwidth/cost implications.

Integrations with related services

Cloud Shell commonly integrates (directly or indirectly) with:

  • RAM: Identity, permissions, and role assumptions
  • STS: Temporary credentials and session tokens (model varies; verify in official docs)
  • ActionTrail: API auditing
  • CloudMonitor / SLS: Not Cloud Shell itself, but the resources you manage may emit metrics/logs there
  • OSS: Storing scripts, outputs, and artifacts
  • ECS / VPC / ACK / RDS: Typical targets of CLI operations

Dependency services (what Cloud Shell relies on)

  • Alibaba Cloud control plane endpoints (regional services)
  • Alibaba Cloud identity systems (RAM / SSO integrations)

Security/authentication model (conceptual)

  • You authenticate to the console.
  • Cloud Shell uses your console identity to obtain authorization for API calls (often via temporary credentials).
  • RAM policies determine allowed actions.
  • You should still follow least privilege and avoid embedding secrets in scripts.

Networking model (conceptual)

  • Cloud Shell runs in Alibaba Cloud-managed infrastructure.
  • It can typically access Alibaba Cloud public APIs.
  • Accessing private-only endpoints inside a VPC may require additional networking patterns (bastion host, VPN/Express Connect, private endpoints where supported by the target service). Cloud Shell is not a drop-in replacement for a VPC jump box—verify connectivity requirements per service.

Monitoring/logging/governance considerations

  • API-level auditing: Use ActionTrail for governance and investigations.
  • Operational observability: Cloud Shell is a tool; the workloads you manage should have monitoring/logging configured in their respective services.
  • Change management: Pair Cloud Shell usage with change tickets, peer review for scripts, and guardrails like RAM policies and approvals.

Simple architecture diagram (Mermaid)

flowchart LR
  U[Engineer in Browser] --> C[Alibaba Cloud Console]
  C --> CS[Cloud Shell Session]
  CS --> CLI[CLI Tools (e.g., Alibaba Cloud CLI)]
  CLI --> API[Alibaba Cloud Service APIs\n(ECS / OSS / VPC / RAM ...)]
  API --> AT[ActionTrail (API Audit Logs)]

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Identity[Identity & Governance]
    SSO[Enterprise SSO/IdP] --> CONSOLE[Alibaba Cloud Console Login]
    RAM[RAM Policies / Roles] --> AUTHZ[Authorization Decisions]
    AT[ActionTrail] --> SIEM[SIEM / Log Analytics\n(optional)]
  end

  subgraph Ops[Operations Tooling]
    CONSOLE --> CS[Cloud Shell]
    CS --> RUNBOOKS[Runbooks & Scripts\n(in workspace or version control)]
  end

  subgraph Cloud[Alibaba Cloud Services]
    ECS[ECS]:::svc
    VPC[VPC]:::svc
    OSS[OSS]:::svc
    RDS[RDS]:::svc
    ACK[ACK]:::svc
  end

  CS -->|API calls| ECS
  CS -->|API calls| VPC
  CS -->|API calls| OSS
  CS -->|API calls| RDS
  CS -->|API calls| ACK

  ECS --> AT
  VPC --> AT
  OSS --> AT
  RDS --> AT
  ACK --> AT

  RAM --> AUTHZ
  AUTHZ -.enforces.-> ECS
  AUTHZ -.enforces.-> VPC
  AUTHZ -.enforces.-> OSS
  AUTHZ -.enforces.-> RDS
  AUTHZ -.enforces.-> ACK

  classDef svc fill:#eef7ff,stroke:#2b6cb0,stroke-width:1px;

8. Prerequisites

Before you start, confirm the following.

Account and access requirements

  • An active Alibaba Cloud account or a RAM user in an Alibaba Cloud account
  • Permission to access Cloud Shell in the console
  • Permission to call the APIs used in this tutorial:
  • STS (to verify identity)
  • ECS (to list instances)
  • Optionally OSS (to create a bucket and upload a report)

IAM note: Alibaba Cloud uses RAM policies. The exact managed policy names and required actions can change. Use least privilege and verify required permissions in official docs for Cloud Shell and each target service.

Billing requirements

  • Cloud Shell itself may be free or included at no additional charge depending on current Alibaba Cloud policy; verify in official billing/pricing docs.
  • The tutorial’s optional OSS steps can incur small storage and request charges.

Tools needed

  • A web browser to open Alibaba Cloud console
  • Cloud Shell provides the shell environment and (typically) the Alibaba Cloud CLI.
  • If a required tool (for example, python3) is missing, use the troubleshooting section and verify in official docs what tools are available.

Region availability

  • Cloud Shell availability may differ by account type or region. Verify in official docs.
  • Many Alibaba Cloud services are regional; you must choose a region for operations (for example, cn-hangzhou, ap-southeast-1).

Quotas/limits

Common constraints to validate (exact values vary; verify):

  • Session timeout / maximum session duration
  • CPU/memory constraints of the shell environment
  • Workspace storage quota and persistence
  • Outbound network restrictions

Prerequisite services

  • For the core lab (resource inventory): ECS API access (even if you have no instances, the describe call should work with permissions)
  • For optional artifact storage: OSS enabled and accessible in your chosen region

9. Pricing / Cost

Cloud Shell pricing can change, and Alibaba Cloud pricing is often region- and product-dependent. Follow these guidelines:

Pricing dimensions (how cost is typically determined)

For Cloud Shell itself, check whether pricing is based on:

  • Per-session usage
  • Runtime resources
  • Storage quota
  • Or provided at no additional charge

Verify using official sources: – Cloud Shell documentation and billing pages – Alibaba Cloud pricing pages and pricing calculator (if a dedicated Cloud Shell pricing page exists)

Free tier (if applicable)

Many cloud providers offer Cloud Shell as a free convenience service, but you must verify Alibaba Cloud’s current policy in official docs.

Cost drivers (direct and indirect)

Even if Cloud Shell is free, your commands can create cost elsewhere:

  • Resource creation: ECS, RDS, NAT Gateway, EIP, SLB, ACK clusters, etc.
  • OSS storage and requests: Storing and retrieving objects costs money.
  • Network egress: Uploading/downloading data may incur outbound transfer fees depending on direction, region, and pricing model.
  • API request charges: Some services may charge per API call or per feature usage (often not, but verify for each service).

Hidden or indirect costs to watch

  • Scripts that loop across regions and accounts can generate many API calls.
  • Exporting large inventories and uploading to OSS frequently can accumulate request and storage costs.
  • Pulling large artifacts (container images, packages) can generate transfer costs depending on source and network path.

Network/data transfer implications

  • Cloud Shell runs in Alibaba Cloud-managed infrastructure; transfers to and from OSS or other services may be “in-cloud” but billing rules are service-specific.
  • Always check:
  • Intra-region vs inter-region transfer pricing
  • Internet egress pricing
  • Cross-zone traffic (if applicable)

How to optimize cost

  • Prefer read-only inventory operations for discovery.
  • Use filters and paging when describing resources.
  • Avoid creating chargeable resources in tutorials unless necessary.
  • For OSS artifacts:
  • Store small files
  • Delete promptly
  • Use lifecycle policies if retention is required

Example low-cost starter estimate (no fabricated numbers)

A minimal learning workflow can be near-zero incremental cost if you:

  • Use Cloud Shell only for Describe/List API calls
  • Avoid creating chargeable resources
  • If using OSS, upload a small text/CSV file and delete it the same day

The exact cost depends on your region and OSS pricing; verify in the official OSS pricing page and calculator.

Example production cost considerations

In production, Cloud Shell is usually not the cost center; the main cost impact comes from:

  • The cloud resources your automation provisions or modifies
  • Data transfer from scripted diagnostics and artifact movement
  • Operational mistakes (for example, accidentally creating large ECS fleets)

Use guardrails:

  • RAM least privilege
  • Budget alerts and cost anomaly detection
  • Approval workflows for write operations (especially in production accounts)

Official references to start: – Alibaba Cloud product documentation for Cloud Shell: https://www.alibabacloud.com/help/en/cloud-shell/ – Alibaba Cloud pricing overview and calculator entry points (verify current URLs from console):
– Pricing: https://www.alibabacloud.com/pricing
– Calculator: https://www.alibabacloud.com/calculator

10. Step-by-Step Hands-On Tutorial

Objective

Use Alibaba Cloud Cloud Shell to:

  1. Confirm your identity (who Cloud Shell is authenticated as)
  2. Inventory ECS instances in a chosen region
  3. Generate a simple CSV report
  4. Optionally upload the report to OSS
  5. Clean up any created artifacts

This lab is designed to be safe and low-cost. The OSS upload step is optional and may incur small charges.

Lab Overview

You will:

  • Open Cloud Shell from the Alibaba Cloud console
  • Run a few Alibaba Cloud CLI commands
  • Use a short Python script to convert JSON output into a CSV report
  • Optionally store the report in OSS
  • Validate outputs and then clean up

Step 1: Open Cloud Shell

  1. Sign in to the Alibaba Cloud Console.
  2. Open Cloud Shell (you can usually find it by searching “Cloud Shell” in the console search bar or from the developer tools area).

Expected outcome:
A terminal window opens in your browser and you have a shell prompt.

Verification:
Run a simple command:

pwd
whoami || true

Notes: – whoami may not reflect your Alibaba Cloud identity; it reflects the Linux user inside the shell runtime.

Step 2: Verify the CLI is available

Cloud Shell commonly includes Alibaba Cloud CLI. Check if aliyun is available:

aliyun --version

Expected outcome:
A version string is printed.

If it fails:
See Troubleshooting (“aliyun: command not found”).

Step 3: Confirm which Alibaba Cloud identity you are using

Use STS GetCallerIdentity to confirm the effective identity:

aliyun sts GetCallerIdentity --output json

Expected outcome:
A JSON response showing fields such as your account ID / RAM user or role identity.

Why this matters:
It confirms whether Cloud Shell is operating as your expected RAM user/role (important before running any write operations).

Step 4: Choose a region and test a read-only API call

Set a region you want to query. Pick a region where you operate (examples: cn-hangzhou, ap-southeast-1). If unsure, start with the region your main resources are in.

export REGION_ID="cn-hangzhou"

Now call a read-only ECS API: DescribeInstances.

aliyun ecs DescribeInstances --RegionId "$REGION_ID" --PageSize 50 --output json > ecs-instances.json

Expected outcome:

  • The file ecs-instances.json is created.
  • The command exits without error.
  • If you have no ECS instances in that region, the response should still be valid JSON with an empty list.

Verification:

ls -lh ecs-instances.json
head -n 20 ecs-instances.json

Step 5: Convert the ECS JSON output into a CSV report

To avoid depending on extra tools, use Python to parse JSON and emit CSV.

Create a Python script:

cat > ecs_report.py <<'PY'
import json, csv

INPUT = "ecs-instances.json"
OUTPUT = "ecs-instances-report.csv"

with open(INPUT, "r", encoding="utf-8") as f:
    data = json.load(f)

# The Alibaba Cloud ECS response structure may vary by API version.
# This script targets the common "Instances" -> "Instance" list pattern.
instances = []
try:
    instances = data["Instances"]["Instance"]
except Exception:
    instances = []

fields = [
    "InstanceId",
    "InstanceName",
    "RegionId",
    "ZoneId",
    "InstanceType",
    "VpcAttributes.VpcId",
    "VpcAttributes.VSwitchId",
    "Status",
    "CreationTime",
]

def get_nested(obj, path):
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return ""
    return cur if cur is not None else ""

with open(OUTPUT, "w", newline="", encoding="utf-8") as f:
    w = csv.writer(f)
    w.writerow(fields)
    for inst in instances:
        row = [
            get_nested(inst, "InstanceId"),
            get_nested(inst, "InstanceName"),
            get_nested(inst, "RegionId"),
            get_nested(inst, "ZoneId"),
            get_nested(inst, "InstanceType"),
            get_nested(inst, "VpcAttributes.VpcId"),
            get_nested(inst, "VpcAttributes.VSwitchId"),
            get_nested(inst, "Status"),
            get_nested(inst, "CreationTime"),
        ]
        w.writerow(row)

print(f"Wrote {len(instances)} rows to {OUTPUT}")
PY

Run it:

python3 ecs_report.py

Expected outcome:
A message like Wrote N rows to ecs-instances-report.csv.

Verification:

ls -lh ecs-instances-report.csv
sed -n '1,10p' ecs-instances-report.csv

Step 6 (Optional): Upload the report to OSS

This step is optional and may incur small OSS charges. You can either:

  • Upload to an existing OSS bucket, or
  • Create a temporary bucket (must be globally unique)

Option A: Upload to an existing bucket

Set your bucket name:

export BUCKET_NAME="your-existing-bucket-name"

Try uploading with Alibaba Cloud CLI OSS helper (availability may vary; verify in your Cloud Shell):

aliyun oss cp ecs-instances-report.csv "oss://$BUCKET_NAME/reports/ecs-instances-report.csv" --region "$REGION_ID"

Expected outcome:
Upload completes successfully.

Verify by listing:

aliyun oss ls "oss://$BUCKET_NAME/reports/" --region "$REGION_ID"

Option B: Create a temporary bucket and upload

Bucket names must be globally unique and follow OSS naming rules (verify in OSS docs). Example pattern:

export BUCKET_NAME="cloudshell-ecs-report-$RANDOM-$RANDOM"

Create the bucket:

aliyun oss mb "oss://$BUCKET_NAME" --region "$REGION_ID"

Upload:

aliyun oss cp ecs-instances-report.csv "oss://$BUCKET_NAME/ecs-instances-report.csv" --region "$REGION_ID"

List:

aliyun oss ls "oss://$BUCKET_NAME" --region "$REGION_ID"

Expected outcome:
You see the uploaded CSV in the bucket listing.

If the aliyun oss subcommands are not available in your environment, use the console OSS upload as a fallback, or install/configure ossutil if supported. See Troubleshooting.

Validation

Use the checklist below:

  1. Identity check works:
aliyun sts GetCallerIdentity --output json
  1. ECS describe call returns JSON (even if empty):
test -s ecs-instances.json && echo "OK: JSON captured" || echo "ERROR: no JSON"
  1. CSV report exists:
test -s ecs-instances-report.csv && echo "OK: CSV generated" || echo "ERROR: no CSV"
  1. (Optional) OSS upload verification:
aliyun oss ls "oss://$BUCKET_NAME" --region "$REGION_ID"

Troubleshooting

Error: aliyun: command not found

  • Cause: Alibaba Cloud CLI is not installed in this Cloud Shell image, or PATH is not set.
  • Fix:
  • Check if Cloud Shell provides a package manager and whether you can install the Alibaba Cloud CLI (varies by environment).
  • Use the Alibaba Cloud console to confirm Cloud Shell’s default toolset.
  • Official CLI docs: https://www.alibabacloud.com/help/en/alibaba-cloud-cli/

Error: AccessDenied or UnauthorizedOperation

  • Cause: Your RAM identity lacks permission for the API you called (ECS/STS/OSS).
  • Fix:
  • Confirm identity with aliyun sts GetCallerIdentity.
  • Ask your admin to grant least-privilege permissions for the required actions.
  • Check ActionTrail for denied events (if enabled).

Error: InvalidRegionId or empty results when you expect instances

  • Cause: Wrong region, or resources are in a different region.
  • Fix:
  • Confirm correct REGION_ID.
  • Query other regions if needed (build a loop after you confirm access).

Error: OSS bucket create fails with naming errors

  • Cause: Bucket naming rules or global uniqueness conflicts.
  • Fix:
  • Use a more unique name.
  • Verify OSS bucket naming constraints in official docs: https://www.alibabacloud.com/help/en/oss/

Error: aliyun oss commands not recognized

  • Cause: Your Alibaba Cloud CLI build may not include OSS helper commands, or requires a plugin.
  • Fix:
  • Use ossutil if available and configured (verify official OSS tooling docs).
  • Upload/download via the OSS console for this lab.
  • Verify in official Cloud Shell docs what OSS tooling is included.

Cleanup

If you created an OSS bucket in Option B, remove the object and bucket to avoid ongoing charges:

# Remove the object
aliyun oss rm "oss://$BUCKET_NAME/ecs-instances-report.csv" --region "$REGION_ID"

# Remove the bucket (only works if empty)
aliyun oss rb "oss://$BUCKET_NAME" --region "$REGION_ID"

Remove local files (optional):

rm -f ecs-instances.json ecs_report.py ecs-instances-report.csv

Expected outcome:
No objects remain in OSS from this lab, and local files are deleted.

11. Best Practices

Architecture best practices

  • Use Cloud Shell for control-plane automation (API-driven tasks), not as a compute runtime for production workloads.
  • For recurring workflows, store scripts in version control and copy them into Cloud Shell when needed, or pull them from a repository.
  • Combine Cloud Shell with infrastructure as code (ROS/Terraform) rather than doing large-scale provisioning manually.

IAM/security best practices

  • Enforce least privilege in RAM:
  • Separate read-only inventory permissions from write permissions.
  • Use roles for elevated access and restrict who can assume them.
  • Prefer short-lived access patterns (SSO + MFA + roles) and avoid long-lived AccessKeys in shell history.
  • Use explicit region scoping and resource-level conditions in policies where supported.

Cost best practices

  • Start with Describe* and List* calls; avoid resource creation in scripts until validated.
  • Add guardrails to scripts:
  • Dry-run modes (when supported)
  • Resource filters
  • Confirmation prompts before deletions
  • Clean up artifacts (OSS objects, temporary resources) immediately after validation.

Performance best practices

  • Use paging (PageSize, PageNumber) to avoid huge responses.
  • Use filters to limit results (tags, instance status, resource group).
  • For multi-region checks, parallelize carefully (do not trigger throttling).

Reliability best practices

  • Treat Cloud Shell as interactive tooling; for mission-critical automation use CI runners or dedicated automation environments.
  • Save important outputs to durable storage (OSS) if needed for audits or incident records.
  • Document “known good” command versions and expected outputs for runbooks.

Operations best practices

  • Use ActionTrail to correlate changes with identities and timestamps.
  • Standardize naming conventions for output files and OSS paths, for example:
  • oss://<bucket>/ops-reports/<service>/<yyyy-mm-dd>/...
  • Write idempotent scripts where possible.

Governance/tagging/naming best practices

  • Always tag resources created through scripts (where supported) with:
  • Owner, Environment, CostCenter, Application, ManagedBy
  • Use resource groups and consistent naming for easy search and cleanup.

12. Security Considerations

Identity and access model

  • Cloud Shell actions are governed by the Alibaba Cloud identity you use to log in:
  • Alibaba Cloud account (root) should be avoided for daily ops
  • RAM users and roles are recommended
  • Authorization decisions are enforced by RAM policies attached to users/roles/groups.

Recommendation: – Use a dedicated RAM role for operations and require explicit role assumption for production changes.

Encryption

  • API traffic to Alibaba Cloud endpoints uses TLS.
  • If you store outputs in OSS, enable OSS security controls (encryption options vary; verify OSS encryption features in official docs).

Network exposure

  • Cloud Shell is accessed via the console; it is not a public endpoint you expose yourself.
  • Connectivity from Cloud Shell to your resources depends on whether the resource is reachable via public endpoints or supports private access methods. Do not assume Cloud Shell can reach private VPC addresses.

Secrets handling

Common mistakes:

  • Pasting AccessKeys into the terminal and leaving them in shell history
  • Storing secrets in plain text files in the workspace
  • Uploading sensitive logs to OSS without access controls

Secure recommendations:

  • Avoid long-lived AccessKeys in Cloud Shell unless absolutely necessary.
  • If you must use secrets:
  • Prefer temporary tokens
  • Avoid echoing secrets in logs
  • Remove secrets from history and delete files promptly
  • Use RAM and service-native secret solutions where applicable (verify Alibaba Cloud’s current secret management offerings for your use case).

Audit/logging

  • Enable and configure ActionTrail to capture API events.
  • Store ActionTrail logs in a protected OSS bucket with strict access controls.
  • Consider centralizing logs in an enterprise SIEM if required.

Compliance considerations

  • Determine whether Cloud Shell usage is allowed under your compliance regime (data residency, access logging, separation of duties).
  • Document:
  • Who can access Cloud Shell
  • Which roles can perform write operations
  • How audit logs are retained and reviewed

13. Limitations and Gotchas

Cloud Shell is intentionally constrained. Common limitations include (exact values and behavior vary; verify in official docs):

  • Session timeouts: Your session may terminate after inactivity or a maximum duration.
  • Not for long-running jobs: Background processes may stop when the session ends.
  • Compute and storage quotas: CPU/memory and workspace capacity are limited.
  • Tooling variability: Preinstalled tools and versions may change over time.
  • Networking constraints:
  • May not have direct access to private VPC-only endpoints
  • May require public endpoints or alternative access methods
  • No inbound services: Not intended for hosting services that require inbound connections.
  • API throttling: High-rate loops can hit API rate limits.
  • Multi-account complexity: In Resource Directory environments, cross-account access requires correct role assumptions and policies.
  • Audit expectations: ActionTrail audits API calls, not necessarily interactive terminal commands.

Operational gotchas:

  • Region mismatches cause confusing “resource not found” results.
  • Bucket naming rules and global uniqueness commonly block OSS bucket creation in labs.
  • Permission errors can look like “tool problems” but are often IAM issues.

14. Comparison with Alternatives

Cloud Shell is one tool in a broader operations toolbox.

Options inside Alibaba Cloud

  • Cloud Shell: interactive API-driven ops from the browser
  • ECS + bastion host: full Linux control and private network access (but you manage patching and credentials)
  • Cloud Assistant (ECS): run commands on ECS instances without SSH (different purpose; focuses on OS-level operations)
  • ROS (Resource Orchestration Service): declarative provisioning and change management
  • CI/CD runners (self-hosted or managed): reliable automation pipelines

Similar services in other clouds (do not confuse products)

  • AWS CloudShell (AWS)
  • Azure Cloud Shell (Microsoft Azure)
  • Google Cloud Shell (Google Cloud)

These services are conceptually similar but have different limits, tooling, and identity models.

Open-source/self-managed alternatives

  • Local terminal + Alibaba Cloud CLI (aliyun) installed on your machine
  • Containerized “toolbox” image you maintain (Docker) with pinned versions
  • Managed jump box pattern (ECS) with hardened OS and audited access

Comparison table

Option Best For Strengths Weaknesses When to Choose
Alibaba Cloud Cloud Shell Quick interactive operations and learning No local install, identity-based access, fast start Session/compute limits, networking constraints, not for long jobs Ad-hoc admin, runbooks, inventory, training
Local terminal + Alibaba Cloud CLI Power users and developers Full control, works offline (except API calls), integrates with local dev tools Credential management burden, device compliance issues Engineers with managed endpoints and strong secret controls
ECS bastion / jump host Private network operations Access to VPC-only resources, full OS control You manage patching, hardening, costs, access governance When you need VPC-level connectivity and long-running tooling
ECS Cloud Assistant OS-level command execution on ECS No SSH needed, good for fleet operations Only for ECS instances, not general API exploration Patch/install/config management for ECS fleets
ROS (Resource Orchestration Service) Infrastructure provisioning Declarative, repeatable, auditable changes Learning curve, less flexible for ad-hoc Standardized infrastructure delivery
AWS/Azure/GCP Cloud Shell Other cloud ecosystems Similar convenience patterns Different IAM/tooling/limits When operating in those clouds, not Alibaba Cloud

15. Real-World Example

Enterprise example: Security-driven inventory and change verification

  • Problem: A regulated enterprise must produce monthly evidence of cloud asset inventory and verify no unauthorized changes occurred.
  • Proposed architecture:
  • Engineers use Cloud Shell with a read-only RAM role to collect inventories (ECS, VPC, security groups, OSS buckets).
  • Results are exported to CSV and stored in a locked-down OSS bucket.
  • ActionTrail is enabled to log API calls and changes; logs are shipped to the enterprise SIEM.
  • Why Cloud Shell was chosen:
  • Reduces local credential sprawl.
  • Provides a standardized environment for audits and runbooks.
  • Simplifies training for rotating compliance/on-call staff.
  • Expected outcomes:
  • Faster evidence generation
  • Fewer tooling discrepancies across teams
  • Improved audit readiness through consistent processes and API logs

Startup/small-team example: Lightweight ops toolbox without a jump host

  • Problem: A small team runs a SaaS on Alibaba Cloud and needs a quick way to run operational checks without maintaining an admin VM.
  • Proposed architecture:
  • Use Cloud Shell for:
    • Checking ECS instance state
    • Reviewing OSS objects used for backups
    • Running periodic scripts for tag enforcement
  • Use least-privilege RAM policies and require MFA for console access.
  • Why Cloud Shell was chosen:
  • No need to provision and secure a bastion host early on.
  • Immediate access from anywhere with console login.
  • Expected outcomes:
  • Lower operational overhead
  • Fewer long-lived keys
  • Faster response to incidents and deployments

16. FAQ

1) Is Alibaba Cloud Cloud Shell the same as AWS CloudShell or Azure Cloud Shell?
No. They are separate services from different providers. This tutorial is specifically about Alibaba Cloud Cloud Shell.

2) Do I need to install Alibaba Cloud CLI to use Cloud Shell?
Usually not, because Cloud Shell commonly includes the CLI. However, available tools can change—verify in official Cloud Shell docs.

3) How does Cloud Shell authenticate to Alibaba Cloud?
Cloud Shell uses your console identity and RAM authorization. The exact credential mechanism (for example, temporary credentials) should be verified in official docs.

4) Can I use Cloud Shell without AccessKeys?
Often yes for many operations, because it uses console identity-based auth. If you need explicit AccessKeys for a workflow, avoid persisting them and follow secret-handling best practices.

5) Are my Cloud Shell commands logged?
API calls are typically captured by ActionTrail. Terminal keystrokes/command history logging is not the same thing; verify Cloud Shell logging behavior in official docs.

6) Can Cloud Shell access my VPC private IP addresses?
Not necessarily. Cloud Shell is not automatically inside your VPC. For private-only access you may need a bastion host, VPN/Express Connect, or service-specific private endpoints—verify per service.

7) Can I run long-running scripts in Cloud Shell?
Cloud Shell sessions can time out and are not intended for long-running jobs. For durable automation, use CI/CD runners, Function Compute, ECS, or other services.

8) Is Cloud Shell free?
Cloud Shell is often provided at no additional charge, but policies change. Always verify Cloud Shell billing in the official Alibaba Cloud documentation. You will still pay for resources you create/manage.

9) What regions does Cloud Shell support?
Availability can vary. Verify the region support list in official docs.

10) Can multiple team members share the same Cloud Shell environment?
Cloud Shell is typically identity-scoped. Each user should use their own RAM identity for accountability and least privilege.

11) What’s the best way to store scripts used in Cloud Shell?
Store scripts in version control (Git) and pull them into Cloud Shell when needed. Avoid keeping sensitive scripts and secrets only in the shell workspace.

12) How do I ensure least privilege for Cloud Shell usage?
Grant only the RAM actions required for the intended tasks (read-only vs write). Use separate roles for production write access and require role assumption.

13) Why does DescribeInstances return empty results?
Most commonly: wrong region, no instances in that region, or insufficient permissions.

14) Can I use Cloud Shell for Kubernetes (ACK) operations?
Potentially, if you have the right credentials and network reachability to the cluster API endpoint. Handle kubeconfig securely and verify ACK access patterns.

15) How do I troubleshoot permission issues quickly?
Run aliyun sts GetCallerIdentity to confirm identity, then check RAM policies and ActionTrail denied events.

17. Top Online Resources to Learn Cloud Shell

Resource Type Name Why It Is Useful
Official documentation Cloud Shell documentation (Alibaba Cloud) – https://www.alibabacloud.com/help/en/cloud-shell/ Primary source for features, limits, workflows, and updates
Official pricing entry point Alibaba Cloud Pricing – https://www.alibabacloud.com/pricing Starting point to confirm whether Cloud Shell has a cost and to navigate service pricing
Official calculator Alibaba Cloud Pricing Calculator – https://www.alibabacloud.com/calculator Estimate costs for services you might operate from Cloud Shell (OSS/ECS/etc.)
Official CLI documentation Alibaba Cloud CLI – https://www.alibabacloud.com/help/en/alibaba-cloud-cli/ Essential for understanding aliyun command structure and authentication
Official IAM documentation Resource Access Management (RAM) – https://www.alibabacloud.com/help/en/ram/ Required for least-privilege access, roles, and policy design
Official auditing documentation ActionTrail – https://www.alibabacloud.com/help/en/actiontrail/ Learn how to audit API calls triggered from Cloud Shell operations
Official OSS documentation Object Storage Service (OSS) – https://www.alibabacloud.com/help/en/oss/ For storing scripts/artifacts and understanding OSS security and pricing
Official ECS documentation Elastic Compute Service (ECS) – https://www.alibabacloud.com/help/en/ecs/ For the APIs used in inventory and operational workflows
Official STS documentation Security Token Service (STS) – https://www.alibabacloud.com/help/en/sts/ Understand identity tokens and temporary credential patterns used in cloud operations
Learning platform (official) Alibaba Cloud Academy – https://edu.alibabacloud.com/ Courses and learning paths for Alibaba Cloud services (availability varies by region)

18. Training and Certification Providers

The providers below may offer training that can complement hands-on Cloud Shell practice. Verify course outlines and delivery modes on their websites.

  1. DevOpsSchool.comSuitable audience: DevOps engineers, SREs, platform teams, developers – Likely learning focus: DevOps practices, automation, CI/CD, cloud tooling – Mode: Check website – Website: https://www.devopsschool.com/

  2. ScmGalaxy.comSuitable audience: DevOps practitioners, build/release engineers – Likely learning focus: SCM, CI/CD tooling, DevOps fundamentals – Mode: Check website – Website: https://www.scmgalaxy.com/

  3. CLoudOpsNow.inSuitable audience: Cloud operations and infrastructure teams – Likely learning focus: Cloud operations, monitoring, automation – Mode: Check website – Website: https://www.cloudopsnow.in/

  4. SreSchool.comSuitable audience: SREs, reliability and operations engineers – Likely learning focus: SRE practices, observability, incident management – Mode: Check website – Website: https://www.sreschool.com/

  5. AiOpsSchool.comSuitable audience: Ops teams exploring AIOps and automation – Likely learning focus: AIOps concepts, automation, operational analytics – Mode: Check website – Website: https://www.aiopsschool.com/

19. Top Trainers

Use these as training resource platforms and verify the exact offerings directly on each site.

  1. RajeshKumar.xyzLikely specialization: DevOps/cloud training resources (verify current scope on site) – Suitable audience: Beginners to intermediate engineers – Website: https://rajeshkumar.xyz/

  2. devopstrainer.inLikely specialization: DevOps tooling and practices training (verify current scope on site) – Suitable audience: DevOps engineers, developers transitioning to DevOps – Website: https://www.devopstrainer.in/

  3. devopsfreelancer.comLikely specialization: DevOps freelance/training resources (verify current scope on site) – Suitable audience: Teams seeking external DevOps help or guidance – Website: https://www.devopsfreelancer.com/

  4. devopssupport.inLikely specialization: DevOps support and operational guidance (verify current scope on site) – Suitable audience: Operations teams needing practical troubleshooting support – Website: https://www.devopssupport.in/

20. Top Consulting Companies

The organizations below may provide consulting related to DevOps and cloud operations. Verify specific Alibaba Cloud experience, references, and service details directly with each company.

  1. cotocus.comLikely service area: Cloud/DevOps consulting (verify on website) – Where they may help: Operational automation, cloud adoption, governance design – Consulting use case examples:

    • Designing least-privilege RAM policies for operations teams
    • Building operational runbooks that use Cloud Shell + CLI safely
    • Website: https://cotocus.com/

  2. DevOpsSchool.comLikely service area: DevOps consulting and training services (verify on website) – Where they may help: DevOps transformation, CI/CD pipelines, operational maturity – Consulting use case examples:

    • Standardizing CLI-based operational workflows using Cloud Shell
    • Creating audit-friendly automation patterns with ActionTrail
    • Website: https://www.devopsschool.com/

  3. DEVOPSCONSULTING.INLikely service area: DevOps consulting services (verify on website) – Where they may help: Automation, platform engineering, operations optimization – Consulting use case examples:

    • Implementing governance guardrails for production operations
    • Cost control runbooks for dev/test cleanup driven from Cloud Shell
    • Website: https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before Cloud Shell

To get the most value from Cloud Shell, learn:

  • Basic Linux shell commands (files, pipes, environment variables)
  • Core Alibaba Cloud concepts:
  • Regions and zones
  • RAM users/roles/policies
  • VPC fundamentals (VPC, vSwitch, security groups)
  • The difference between control plane (APIs) and data plane (traffic/storage)

What to learn after Cloud Shell

  • Alibaba Cloud CLI deeper usage:
  • Pagination, filtering, output formats
  • Scripting patterns and error handling
  • Infrastructure as Code:
  • ROS templates (Alibaba Cloud)
  • Terraform (if used in your organization—verify provider support and best practices)
  • Audit and governance:
  • ActionTrail configuration and log retention
  • Resource Directory (multi-account) governance patterns
  • Operations excellence:
  • Monitoring/alerting (CloudMonitor)
  • Logging patterns (SLS / Log Service)
  • Incident response playbooks

Job roles that use it

  • Cloud engineer / cloud operations engineer
  • DevOps engineer
  • Site Reliability Engineer (SRE)
  • Platform engineer
  • Security engineer (cloud security / IAM)
  • Solutions architect (for demos, validation, and prototyping)

Certification path (if available)

Alibaba Cloud certifications and learning paths can change. Check Alibaba Cloud Academy for current certification offerings and role-based paths: – https://edu.alibabacloud.com/

Project ideas for practice

  1. Account inventory script: Generate a multi-region inventory of ECS + VPC + OSS.
  2. Least-privilege policy exercise: Create read-only RAM policies for inventory and validate using Cloud Shell.
  3. Change verification runbook: After a deployment, verify critical configurations via CLI and store evidence in OSS.
  4. Cost hygiene report: Identify unused EIPs, stopped instances, unattached disks (be careful—validate APIs and permissions).
  5. Incident response checklist: Use Cloud Shell to collect snapshots of configs and ActionTrail event queries (within your governance model).

22. Glossary

  • Alibaba Cloud: Cloud service provider offering compute, storage, networking, and platform services.
  • Cloud Shell: Alibaba Cloud Developer Tools service providing a browser-based shell for operating cloud resources.
  • Developer Tools: Category of services used to build, deploy, and operate workloads (CLI, shells, CI/CD, etc.).
  • RAM (Resource Access Management): Alibaba Cloud identity and access management service.
  • STS (Security Token Service): Service for issuing temporary security credentials/tokens.
  • ActionTrail: Alibaba Cloud service for auditing API calls and events.
  • ECS (Elastic Compute Service): Alibaba Cloud virtual machine service.
  • VPC (Virtual Private Cloud): Networking construct for isolated virtual networks.
  • OSS (Object Storage Service): Alibaba Cloud object storage.
  • RegionId: Identifier for the region where a service operation applies (for regional services).
  • Least privilege: Security principle of granting only the minimum permissions required.
  • Control plane: Management APIs that create/modify/list resources.
  • Data plane: The actual workload traffic and data movement (downloads/uploads, application traffic).
  • Runbook: Documented operational procedure (often with executable commands).
  • Throttling: Rate limiting enforced by an API to protect service stability.

23. Summary

Alibaba Cloud Cloud Shell is a Developer Tools service that provides a browser-based, managed terminal for operating Alibaba Cloud resources through CLI commands and scripts. It matters because it reduces setup time, lowers credential sprawl, and provides a consistent environment for runbooks, learning, and day-to-day operations.

Cost-wise, Cloud Shell is often not the main cost driver, but actions taken from it can create or modify chargeable resources. Security-wise, it should be used with RAM least privilege, MFA/SSO where possible, and ActionTrail auditing for API calls.

Use Cloud Shell when you need fast, authenticated, interactive cloud operations; avoid it for long-running compute tasks or private-network-only workflows that require a VPC-resident jump host.

Next step: deepen your skills with Alibaba Cloud CLI, RAM policy design, and ActionTrail auditing using the official documentation starting at https://www.alibabacloud.com/help/en/cloud-shell/.