{"id":108,"date":"2026-04-12T20:38:10","date_gmt":"2026-04-12T20:38:10","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-shell-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools\/"},"modified":"2026-04-12T20:38:10","modified_gmt":"2026-04-12T20:38:10","slug":"alibaba-cloud-shell-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-shell-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools\/","title":{"rendered":"Alibaba Cloud Shell Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Developer Tools"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Developer Tools<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Cloud Shell<\/strong> is a browser-based command-line environment that lets you manage Alibaba Cloud resources without installing tools or storing access keys on your own laptop.<\/p>\n\n\n\n<p>In simple terms: you open Cloud Shell from the Alibaba Cloud console, get an instant Linux terminal, and run commands (for example, Alibaba Cloud CLI) to inspect and operate your cloud infrastructure.<\/p>\n\n\n\n<p>Technically, Cloud Shell provides a managed shell session that is authenticated to your Alibaba Cloud identity (such as an Alibaba Cloud account or a RAM user). From that session you can call Alibaba Cloud APIs using command-line tools. 
This is especially useful for repeatable operations, quick troubleshooting, and learning-by-doing labs where you want a ready-to-use environment.<\/p>\n\n\n\n<p>Cloud Shell solves common problems such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cI need the CLI right now, but I can\u2019t install it on this machine.\u201d<\/li>\n<li>\u201cI don\u2019t want to download long-lived AccessKey secrets to my laptop.\u201d<\/li>\n<li>\u201cI need a consistent, cloud-hosted admin terminal for my team and runbooks.\u201d<\/li>\n<li>\u201cI\u2019m on a locked-down corporate device but still need to automate cloud tasks.\u201d<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Service name note: Alibaba Cloud documentation refers to this service as <strong>Cloud Shell<\/strong>. If Alibaba Cloud renames or changes the service scope in the future, <strong>verify in official docs<\/strong> before standardizing internal runbooks.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Cloud Shell?<\/h2>\n\n\n\n<p><strong>Official purpose (what it\u2019s for)<\/strong><br\/>\nCloud Shell is an Alibaba Cloud <strong>Developer Tools<\/strong> service that provides an interactive shell environment in the browser for operating and automating Alibaba Cloud resources using command-line tools and scripts.<\/p>\n\n\n\n<p><strong>Core capabilities (what you can do)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Launch a managed terminal session from the Alibaba Cloud console<\/li>\n<li>Use CLI tooling (commonly including Alibaba Cloud CLI) to call Alibaba Cloud APIs<\/li>\n<li>Store and run scripts in a cloud-hosted environment<\/li>\n<li>Perform operational tasks without managing local credentials and tool installation (credential handling and exact behavior should be <strong>verified in official docs<\/strong>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components (conceptual)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Web terminal UI<\/strong>: Console-based entry point where you type commands<\/li>\n<li><strong>Managed shell runtime<\/strong>: A Linux environment hosted and managed by Alibaba Cloud<\/li>\n<li><strong>Identity and token injection<\/strong>: Uses your logged-in identity to authorize API calls (typically via temporary credentials\/STS-like mechanisms; <strong>verify in official docs<\/strong>)<\/li>\n<li><strong>User workspace<\/strong>: A per-user working directory (persistence, size, retention, and quotas should be <strong>verified in official docs<\/strong>)<\/li>\n<li><strong>Outbound connectivity<\/strong>: Network path to Alibaba Cloud public service endpoints (and possibly other endpoints depending on policy; <strong>verify in official docs<\/strong>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type<\/strong><br\/>\nCloud Shell is a <strong>managed, interactive development\/operations tool<\/strong> (not an IaaS VM you administer). 
You do not manage the underlying OS image lifecycle or patching.<\/p>\n\n\n\n<p><strong>Scope: regional\/global\/account\/project<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell is accessed from the Alibaba Cloud console and is primarily <strong>account- and identity-scoped<\/strong> (your shell experience is tied to the identity that logs in).<\/li>\n<li>API operations you run are still <strong>regional<\/strong> when the target service is regional (for example, ECS, VPC). You must pass the correct <code>RegionId<\/code>\/region context in your commands.<\/li>\n<li>Cloud Shell availability and the location\/region of the shell runtime can vary; <strong>verify in official docs<\/strong> for region support and constraints.<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Alibaba Cloud ecosystem<\/strong><\/p>\n\n\n\n<p>Cloud Shell sits alongside other operational and automation tools such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud CLI<\/strong> (command-line API client)<\/li>\n<li><strong>Resource Access Management (RAM)<\/strong> (identity and authorization)<\/li>\n<li><strong>ActionTrail<\/strong> (auditing of API calls)<\/li>\n<li><strong>Cloud Assistant \/ O&amp;M tooling<\/strong> (remote command execution on ECS\u2014different from Cloud Shell)<\/li>\n<li><strong>ROS (Resource Orchestration Service)<\/strong> and infrastructure-as-code tools (declarative provisioning)<\/li>\n<\/ul>\n\n\n\n<p>Cloud Shell is best viewed as the <strong>\u201cinstant, authenticated admin terminal\u201d<\/strong> for Alibaba Cloud.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Cloud Shell?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster incident response and troubleshooting<\/strong>: No waiting for workstation setup; open Cloud Shell and execute known runbooks.<\/li>\n<li><strong>Reduced onboarding time<\/strong>: New engineers can run CLI commands without installing toolchains or configuring credentials.<\/li>\n<li><strong>Consistency across teams<\/strong>: A standard environment for operational scripts reduces \u201cworks on my machine\u201d issues.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Preconfigured access to Alibaba Cloud APIs<\/strong>: Avoids local CLI configuration drift (exact preconfiguration behavior should be <strong>verified in official docs<\/strong>).<\/li>\n<li><strong>Scriptability<\/strong>: Repeat tasks using shell scripts and CLI commands.<\/li>\n<li><strong>Portable operations<\/strong>: Works from any device that can access the Alibaba Cloud console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized terminal for runbooks<\/strong>: Teams can document and execute runbooks using Cloud Shell as the baseline environment.<\/li>\n<li><strong>Lower operational friction<\/strong>: Useful for periodic tasks: inventory, compliance checks, backups validation, and resource cleanup.<\/li>\n<li><strong>Reduced dependency on jump hosts<\/strong>: For tasks that only need API access, Cloud Shell can reduce the need for maintaining bastion servers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoid long-lived AccessKeys on laptops<\/strong>: Cloud Shell commonly reduces the need to store secrets locally by using console identity. 
However, the exact credential model and persistence must be <strong>verified in official docs<\/strong>.<\/li>\n<li><strong>Least privilege enforcement through RAM<\/strong>: The actions your shell can perform are still restricted by RAM policies.<\/li>\n<li><strong>Auditability<\/strong>: API calls generally appear in <strong>ActionTrail<\/strong> (terminal commands themselves are not necessarily audited; <strong>verify in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scales operational workflows via automation<\/strong>: Use scripts to manage fleets of resources.<\/li>\n<li><strong>Lightweight operations<\/strong>: Great for API-driven operations; not designed for heavy compute.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Cloud Shell<\/h3>\n\n\n\n<p>Choose Cloud Shell when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A quick, authenticated shell for Alibaba Cloud operations<\/li>\n<li>A standard place to run CLI-based automation and ad-hoc queries<\/li>\n<li>A low-friction learning environment for Alibaba Cloud CLI and APIs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Avoid Cloud Shell when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Long-running compute<\/strong> workloads (use ECS, ACK, Batch Compute, Function Compute, etc.)<\/li>\n<li><strong>Private network-only access<\/strong> to resources without public endpoints (you may need VPN\/Express Connect + a bastion host, or service-specific tooling like ECS Cloud Assistant; <strong>verify connectivity options<\/strong>)<\/li>\n<li><strong>Highly customized OS\/tooling<\/strong> or privileged system access<\/li>\n<li>Guaranteed performance\/SLA characteristics beyond what the service provides (check official SLA\/limits)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" 
\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Cloud Shell used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Cloud Shell is broadly applicable wherever teams operate cloud resources, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and internet companies<\/li>\n<li>Finance and fintech (subject to strict IAM and audit controls)<\/li>\n<li>Gaming and media<\/li>\n<li>Manufacturing and IoT (fleet operations, logging checks)<\/li>\n<li>Education and research (hands-on labs with minimal setup)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering and internal developer platforms<\/li>\n<li>DevOps\/SRE teams running operations and automation<\/li>\n<li>Security engineering (inventory and policy checks)<\/li>\n<li>Developers needing occasional cloud administration<\/li>\n<li>Students learning Alibaba Cloud CLI and cloud operations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<p>Cloud Shell appears most often in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API-driven infrastructure<\/strong> (ECS, VPC, OSS, RDS, SLB\/ALB, RAM, etc.)<\/li>\n<li><strong>Kubernetes operations<\/strong> (for example, interacting with ACK from a safe terminal\u2014ensure network access and kubeconfig handling are correct)<\/li>\n<li><strong>Multi-account governance<\/strong> (Resource Directory setups\u2014inventory and compliance checks)<\/li>\n<li><strong>CI\/CD support tasks<\/strong> (manual interventions, validation, rollback steps)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production operations<\/strong>: Controlled use for break-glass, verification, and runbook execution (with strict IAM and audit)<\/li>\n<li><strong>Dev\/test<\/strong>: The most common use\u2014quick provisioning, teardown, and 
experimentation<\/li>\n<li><strong>Training and enablement<\/strong>: Labs where students can run commands without installing toolchains<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Alibaba Cloud Cloud Shell fits well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Instant Alibaba Cloud CLI environment for new engineers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Engineers waste hours installing and configuring tools (CLI, dependencies, credentials).<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Provides a ready terminal from the console.<\/li>\n<li><strong>Example<\/strong>: A new SRE joins and immediately runs ECS inventory commands to understand the fleet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Least-privilege operational runbooks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Shared jump boxes accumulate credentials and broad access over time.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Access is mediated by RAM policies tied to the user identity.<\/li>\n<li><strong>Example<\/strong>: A runbook to rotate OSS lifecycle rules is executed from Cloud Shell by on-call engineers with narrow permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Resource inventory and compliance snapshot<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You need a repeatable way to list resources across regions and produce evidence.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: CLI + scripting in a central environment.<\/li>\n<li><strong>Example<\/strong>: Export a monthly CSV report of ECS instances (name, instance type, VPC, security group, tags).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Troubleshooting from a clean environment<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A 
developer\u2019s local machine has broken dependencies.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Known-good baseline environment (as managed by Alibaba Cloud).<\/li>\n<li><strong>Example<\/strong>: Verify whether AccessDenied is caused by RAM policy vs local credential misconfiguration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Break-glass access with strong controls<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: During an incident, you need a controlled admin environment.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Operate from the console with MFA and auditing of API calls via ActionTrail.<\/li>\n<li><strong>Example<\/strong>: Temporarily detach a problematic SLB listener rule after validating change tickets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Scripting repetitive cleanup for dev\/test<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Dev\/test accounts accumulate unused resources and cost leaks.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Quick scripting to find and delete stale resources.<\/li>\n<li><strong>Example<\/strong>: Identify and delete unused EIPs older than 7 days (with safeguards).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) OSS object operations without local configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Upload\/download artifacts but you cannot install <code>ossutil<\/code> locally.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Run OSS-related CLI operations from the browser.<\/li>\n<li><strong>Example<\/strong>: Upload a diagnostic bundle to OSS for support review.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Rapid verification of RAM policy changes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You need to confirm a policy update fixes a permission issue.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Use the same identity to test API calls 
immediately.<\/li>\n<li><strong>Example<\/strong>: Test whether a RAM user can describe ECS instances but cannot terminate them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Learning labs and workshops<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Training attendees use different OS versions and can\u2019t install tools.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Uniform entry point for workshops.<\/li>\n<li><strong>Example<\/strong>: Students learn Alibaba Cloud CLI basics by listing regions and resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Operational data gathering for support tickets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Support requires exact API outputs and timestamps.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Run commands, capture outputs, and upload to OSS.<\/li>\n<li><strong>Example<\/strong>: Collect ECS instance metadata and relevant configurations into a file.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Multi-region checks during migrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You must confirm resources are aligned across regions during a migration.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Script loops across regions and collect output.<\/li>\n<li><strong>Example<\/strong>: Ensure security group rules are consistent between <code>cn-hangzhou<\/code> and <code>ap-southeast-1<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Controlled access from restricted corporate networks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Corporate endpoints block package downloads and CLI use.<\/li>\n<li><strong>Why Cloud Shell fits<\/strong>: Only the console needs to be accessible.<\/li>\n<li><strong>Example<\/strong>: An engineer in a restricted network still executes ECS describe operations and checks billing tags.<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Cloud Shell feature sets evolve. The items below reflect common, documented capabilities for a managed cloud shell; <strong>verify exact current behavior and limits in official Cloud Shell docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Browser-based Linux terminal<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides an interactive terminal session in the Alibaba Cloud console.<\/li>\n<li><strong>Why it matters<\/strong>: No local terminal tooling required.<\/li>\n<li><strong>Practical benefit<\/strong>: Works from any machine with a browser and console access.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Sessions can time out; interactive work is not intended to run indefinitely.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Identity-based authentication to Alibaba Cloud APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you call Alibaba Cloud APIs using your current console identity.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces reliance on manually managed AccessKeys.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster and safer CLI usage for day-to-day operations.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Authorization is still controlled by RAM policies; you can only do what your identity is allowed to do.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Preinstalled command-line tooling (at minimum, Alibaba Cloud CLI)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides CLI tooling to interact with Alibaba Cloud services.<\/li>\n<li><strong>Why it matters<\/strong>: Eliminates installation and versioning friction.<\/li>\n<li><strong>Practical benefit<\/strong>: You can begin scripting immediately.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Tool versions and available utilities can change. 
If you depend on a specific tool\/version, <strong>verify in official docs<\/strong> and consider pinning in your own container\/VM instead.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Workspace for files and scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Allows you to create files (scripts, outputs, reports) during your session.<\/li>\n<li><strong>Why it matters<\/strong>: Enables repeatable runbooks and lightweight automation.<\/li>\n<li><strong>Practical benefit<\/strong>: You can store and rerun scripts without moving them to a local machine.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Persistence, retention, and size quotas vary; do not store sensitive long-term secrets in your workspace.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Convenience for API exploration and learning<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides a low-barrier environment to test API calls.<\/li>\n<li><strong>Why it matters<\/strong>: Helps teams learn correct parameters, region behavior, and response formats.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster development of automation scripts and operational checks.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Use guardrails. 
Even \u201cread-only\u201d exploration can become impactful if scripts later include write operations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Works well with auditing (ActionTrail) for API calls<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: API calls you execute can be captured by Alibaba Cloud audit services (commonly ActionTrail).<\/li>\n<li><strong>Why it matters<\/strong>: Supports governance and incident investigations.<\/li>\n<li><strong>Practical benefit<\/strong>: You can correlate operational changes with identities and timestamps.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Cloud Shell terminal command history and keystrokes are not the same as API-level auditing; treat API auditing and terminal activity as separate concerns.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>At a high level, Cloud Shell works like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You authenticate to the <strong>Alibaba Cloud console<\/strong> (often with MFA and SSO if configured).<\/li>\n<li>You open <strong>Cloud Shell<\/strong>, which starts a managed shell session.<\/li>\n<li>Cloud Shell provides an environment where CLI tools can call Alibaba Cloud APIs.<\/li>\n<li>When you run a command (for example, <code>aliyun ecs DescribeInstances<\/code>), the CLI sends requests to the relevant Alibaba Cloud service endpoint.<\/li>\n<li>Authorization is evaluated via <strong>RAM<\/strong> policies for your identity (and any assumed roles).<\/li>\n<li>API activity can be audited via <strong>ActionTrail<\/strong> (for supported services\/events).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (practical view)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane operations<\/strong>: Most Cloud Shell usage 
is control plane (API calls) rather than data plane traffic.<\/li>\n<li><strong>Data plane operations<\/strong>: If you upload\/download large objects to OSS or pull container images, that is data plane and may have bandwidth\/cost implications.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Cloud Shell commonly integrates (directly or indirectly) with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RAM<\/strong>: Identity, permissions, and role assumptions<\/li>\n<li><strong>STS<\/strong>: Temporary credentials and session tokens (model varies; <strong>verify in official docs<\/strong>)<\/li>\n<li><strong>ActionTrail<\/strong>: API auditing<\/li>\n<li><strong>CloudMonitor \/ SLS<\/strong>: Not Cloud Shell itself, but the resources you manage may emit metrics\/logs there<\/li>\n<li><strong>OSS<\/strong>: Storing scripts, outputs, and artifacts<\/li>\n<li><strong>ECS \/ VPC \/ ACK \/ RDS<\/strong>: Typical targets of CLI operations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (what Cloud Shell relies on)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud control plane endpoints (regional services)<\/li>\n<li>Alibaba Cloud identity systems (RAM \/ SSO integrations)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You authenticate to the console.<\/li>\n<li>Cloud Shell uses your console identity to obtain authorization for API calls (often via temporary credentials).<\/li>\n<li>RAM policies determine allowed actions.<\/li>\n<li>You should still follow least privilege and avoid embedding secrets in scripts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell runs in Alibaba Cloud-managed infrastructure.<\/li>\n<li>It can typically access Alibaba Cloud public APIs.<\/li>\n<li>Accessing 
<strong>private-only<\/strong> endpoints inside a VPC may require additional networking patterns (bastion host, VPN\/Express Connect, private endpoints where supported by the target service). Cloud Shell is not a drop-in replacement for a VPC jump box\u2014<strong>verify connectivity requirements per service<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API-level auditing<\/strong>: Use <strong>ActionTrail<\/strong> for governance and investigations.<\/li>\n<li><strong>Operational observability<\/strong>: Cloud Shell is a tool; the workloads you manage should have monitoring\/logging configured in their respective services.<\/li>\n<li><strong>Change management<\/strong>: Pair Cloud Shell usage with change tickets, peer review for scripts, and guardrails like RAM policies and approvals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Engineer in Browser] --&gt; C[Alibaba Cloud Console]\n  C --&gt; CS[Cloud Shell Session]\n  CS --&gt; CLI[&quot;CLI Tools (e.g., Alibaba Cloud CLI)&quot;]\n  CLI --&gt; API[&quot;Alibaba Cloud Service APIs\\n(ECS \/ OSS \/ VPC \/ RAM ...)&quot;]\n  API --&gt; AT[&quot;ActionTrail (API Audit Logs)&quot;]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Identity[Identity &amp; Governance]\n    SSO[Enterprise SSO\/IdP] --&gt; CONSOLE[Alibaba Cloud Console Login]\n    RAM[RAM Policies \/ Roles] --&gt; AUTHZ[Authorization Decisions]\n    AT[ActionTrail] --&gt; SIEM[&quot;SIEM \/ Log Analytics\\n(optional)&quot;]\n  end\n\n  subgraph Ops[Operations Tooling]\n    CONSOLE --&gt; CS[Cloud Shell]\n    CS --&gt; RUNBOOKS[&quot;Runbooks &amp; Scripts\\n(in workspace or version control)&quot;]\n  end\n\n  subgraph Cloud[Alibaba Cloud Services]\n    
ECS[ECS]:::svc\n    VPC[VPC]:::svc\n    OSS[OSS]:::svc\n    RDS[RDS]:::svc\n    ACK[ACK]:::svc\n  end\n\n  CS --&gt;|API calls| ECS\n  CS --&gt;|API calls| VPC\n  CS --&gt;|API calls| OSS\n  CS --&gt;|API calls| RDS\n  CS --&gt;|API calls| ACK\n\n  ECS --&gt; AT\n  VPC --&gt; AT\n  OSS --&gt; AT\n  RDS --&gt; AT\n  ACK --&gt; AT\n\n  RAM --&gt; AUTHZ\n  AUTHZ -.enforces.-&gt; ECS\n  AUTHZ -.enforces.-&gt; VPC\n  AUTHZ -.enforces.-&gt; OSS\n  AUTHZ -.enforces.-&gt; RDS\n  AUTHZ -.enforces.-&gt; ACK\n\n  classDef svc fill:#eef7ff,stroke:#2b6cb0,stroke-width:1px;\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Before you start, confirm the following.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account and access requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> or a <strong>RAM user<\/strong> in an Alibaba Cloud account<\/li>\n<li>Permission to access <strong>Cloud Shell<\/strong> in the console<\/li>\n<li>Permission to call the APIs used in this tutorial:\n<ul class=\"wp-block-list\">\n<li><strong>STS<\/strong> (to verify identity)<\/li>\n<li><strong>ECS<\/strong> (to list instances)<\/li>\n<li>Optionally <strong>OSS<\/strong> (to create a bucket and upload a report)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>IAM note: Alibaba Cloud uses <strong>RAM<\/strong> policies. The exact managed policy names and required actions can change. 
Use least privilege and <strong>verify required permissions in official docs<\/strong> for Cloud Shell and each target service.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell itself may be free or included at no additional charge depending on current Alibaba Cloud policy; <strong>verify in official billing\/pricing docs<\/strong>.<\/li>\n<li>The tutorial\u2019s optional OSS steps can incur small storage and request charges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A web browser to open Alibaba Cloud console<\/li>\n<li>Cloud Shell provides the shell environment and (typically) the Alibaba Cloud CLI.<\/li>\n<li>If a required tool (for example, <code>python3<\/code>) is missing, use the troubleshooting section and <strong>verify in official docs<\/strong> what tools are available.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell availability may differ by account type or region. 
<strong>Verify in official docs<\/strong>.<\/li>\n<li>Many Alibaba Cloud services are regional; you must choose a region for operations (for example, <code>cn-hangzhou<\/code>, <code>ap-southeast-1<\/code>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Common constraints to validate (exact values vary; <strong>verify<\/strong>):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Session timeout \/ maximum session duration<\/li>\n<li>CPU\/memory constraints of the shell environment<\/li>\n<li>Workspace storage quota and persistence<\/li>\n<li>Outbound network restrictions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For the core lab (resource inventory): ECS API access (even if you have no instances, the describe call should work with permissions)<\/li>\n<li>For optional artifact storage: OSS enabled and accessible in your chosen region<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Cloud Shell pricing can change, and Alibaba Cloud pricing is often region- and product-dependent. 
Follow these guidelines:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (how cost is typically determined)<\/h3>\n\n\n\n<p>For Cloud Shell itself, check whether pricing is based on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Per-session usage<\/li>\n<li>Runtime resources<\/li>\n<li>Storage quota<\/li>\n<li>Or provided at <strong>no additional charge<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Verify<\/strong> using official sources:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell documentation and billing pages<\/li>\n<li>Alibaba Cloud pricing pages and pricing calculator (if a dedicated Cloud Shell pricing page exists)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Many cloud providers offer Cloud Shell as a free convenience service, but you must <strong>verify Alibaba Cloud\u2019s current policy<\/strong> in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct and indirect)<\/h3>\n\n\n\n<p>Even if Cloud Shell is free, your commands can create cost elsewhere:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resource creation<\/strong>: ECS, RDS, NAT Gateway, EIP, SLB, ACK clusters, etc.<\/li>\n<li><strong>OSS storage and requests<\/strong>: Storing and retrieving objects costs money.<\/li>\n<li><strong>Network egress<\/strong>: Uploading\/downloading data may incur outbound transfer fees depending on direction, region, and pricing model.<\/li>\n<li><strong>API request charges<\/strong>: Some services may charge per API call or per feature usage (often not, but <strong>verify<\/strong> for each service).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs to watch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scripts that loop across regions and accounts can generate many API calls.<\/li>\n<li>Exporting large inventories and uploading to OSS frequently can accumulate request and storage costs.<\/li>\n<li>Pulling large artifacts (container images, packages) can generate transfer costs 
depending on source and network path.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell runs in Alibaba Cloud-managed infrastructure; transfers to and from OSS or other services may be \u201cin-cloud\u201d but billing rules are service-specific.<\/li>\n<li>Always check:<ul>\n<li>Intra-region vs inter-region transfer pricing<\/li>\n<li>Internet egress pricing<\/li>\n<li>Cross-zone traffic (if applicable)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>read-only inventory<\/strong> operations for discovery.<\/li>\n<li>Use <strong>filters<\/strong> and paging when describing resources.<\/li>\n<li>Avoid creating chargeable resources in tutorials unless necessary.<\/li>\n<li>For OSS artifacts:<ul>\n<li>Store small files<\/li>\n<li>Delete promptly<\/li>\n<li>Use lifecycle policies if retention is required<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A minimal learning workflow can be near-zero incremental cost if you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Cloud Shell only for <strong>Describe\/List<\/strong> API calls<\/li>\n<li>Avoid creating chargeable resources<\/li>\n<li>If using OSS, upload a small text\/CSV file and delete it the same day<\/li>\n<\/ul>\n\n\n\n<p>The exact cost depends on your region and OSS pricing; <strong>verify in the official OSS pricing page<\/strong> and calculator.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, Cloud Shell is usually not the cost center; the main cost impact comes from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The cloud resources your automation provisions or modifies<\/li>\n<li>Data transfer from scripted diagnostics and artifact movement<\/li>\n<li>Operational mistakes (for 
example, accidentally creating large ECS fleets)<\/li>\n<\/ul>\n\n\n\n<p>Use guardrails:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM least privilege<\/li>\n<li>Budget alerts and cost anomaly detection<\/li>\n<li>Approval workflows for write operations (especially in production accounts)<\/li>\n<\/ul>\n\n\n\n<p>Official references to start:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud product documentation for Cloud Shell: https:\/\/www.alibabacloud.com\/help\/en\/cloud-shell\/<\/li>\n<li>Alibaba Cloud pricing overview and calculator entry points (verify current URLs from console):<ul>\n<li>Pricing: https:\/\/www.alibabacloud.com\/pricing<\/li>\n<li>Calculator: https:\/\/www.alibabacloud.com\/calculator<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Use <strong>Alibaba Cloud Cloud Shell<\/strong> to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Confirm your identity (who Cloud Shell is authenticated as)<\/li>\n<li>Inventory ECS instances in a chosen region<\/li>\n<li>Generate a simple CSV report<\/li>\n<li>Optionally upload the report to OSS<\/li>\n<li>Clean up any created artifacts<\/li>\n<\/ol>\n\n\n\n<p>This lab is designed to be safe and low-cost. 
The OSS upload step is optional and may incur small charges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open Cloud Shell from the Alibaba Cloud console<\/li>\n<li>Run a few Alibaba Cloud CLI commands<\/li>\n<li>Use a short Python script to convert JSON output into a CSV report<\/li>\n<li>Optionally store the report in OSS<\/li>\n<li>Validate outputs and then clean up<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Open Cloud Shell<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in to the <strong>Alibaba Cloud Console<\/strong>.<\/li>\n<li>Open <strong>Cloud Shell<\/strong> (you can usually find it by searching \u201cCloud Shell\u201d in the console search bar or from the developer tools area).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nA terminal window opens in your browser and you have a shell prompt.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:<br\/>\nRun a simple command:<\/p>\n\n\n\n<pre><code class=\"language-bash\">pwd\nwhoami || true\n<\/code><\/pre>\n\n\n\n<p>Note: <code>whoami<\/code> may not reflect your Alibaba Cloud identity; it reflects the Linux user inside the shell runtime.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Verify the CLI is available<\/h3>\n\n\n\n<p>Cloud Shell commonly includes <strong>Alibaba Cloud CLI<\/strong>. 
Check if <code>aliyun<\/code> is available:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun --version\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nA version string is printed.<\/p>\n\n\n\n<p><strong>If it fails<\/strong>:<br\/>\nSee Troubleshooting (\u201c<code>aliyun: command not found<\/code>\u201d).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Confirm which Alibaba Cloud identity you are using<\/h3>\n\n\n\n<p>Use STS <code>GetCallerIdentity<\/code> to confirm the effective identity:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun sts GetCallerIdentity --output json\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nA JSON response showing fields such as your account ID \/ RAM user or role identity.<\/p>\n\n\n\n<p><strong>Why this matters<\/strong>:<br\/>\nIt confirms whether Cloud Shell is operating as your expected RAM user\/role (important before running any write operations).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Choose a region and test a read-only API call<\/h3>\n\n\n\n<p>Set a region you want to query. Pick a region where you operate (examples: <code>cn-hangzhou<\/code>, <code>ap-southeast-1<\/code>). 
If unsure, start with the region your main resources are in.<\/p>\n\n\n\n<pre><code class=\"language-bash\">export REGION_ID=\"cn-hangzhou\"\n<\/code><\/pre>\n\n\n\n<p>Now call a read-only ECS API: <code>DescribeInstances<\/code>.<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun ecs DescribeInstances --RegionId \"$REGION_ID\" --PageSize 50 --output json &gt; ecs-instances.json\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The file <code>ecs-instances.json<\/code> is created.<\/li>\n<li>The command exits without error.<\/li>\n<li>If you have no ECS instances in that region, the response should still be valid JSON with an empty list.<\/li>\n<\/ul>\n\n\n\n<p><strong>Verification<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ls -lh ecs-instances.json\nhead -n 20 ecs-instances.json\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Convert the ECS JSON output into a CSV report<\/h3>\n\n\n\n<p>To avoid depending on extra tools, use Python to parse JSON and emit CSV.<\/p>\n\n\n\n<p>Create a Python script:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; ecs_report.py &lt;&lt;'PY'\nimport json, csv\n\nINPUT = \"ecs-instances.json\"\nOUTPUT = \"ecs-instances-report.csv\"\n\nwith open(INPUT, \"r\", encoding=\"utf-8\") as f:\n    data = json.load(f)\n\n# The Alibaba Cloud ECS response structure may vary by API version.\n# This script targets the common \"Instances\" -&gt; \"Instance\" list pattern.\ninstances = []\ntry:\n    instances = data[\"Instances\"][\"Instance\"]\nexcept Exception:\n    instances = []\n\nfields = [\n    \"InstanceId\",\n    \"InstanceName\",\n    \"RegionId\",\n    \"ZoneId\",\n    \"InstanceType\",\n    \"VpcAttributes.VpcId\",\n    \"VpcAttributes.VSwitchId\",\n    \"Status\",\n    \"CreationTime\",\n]\n\ndef get_nested(obj, path):\n    cur = obj\n    for part in path.split(\".\"):\n        if isinstance(cur, 
dict) and part in cur:\n            cur = cur[part]\n        else:\n            return \"\"\n    return cur if cur is not None else \"\"\n\nwith open(OUTPUT, \"w\", newline=\"\", encoding=\"utf-8\") as f:\n    w = csv.writer(f)\n    w.writerow(fields)\n    for inst in instances:\n        row = [\n            get_nested(inst, \"InstanceId\"),\n            get_nested(inst, \"InstanceName\"),\n            get_nested(inst, \"RegionId\"),\n            get_nested(inst, \"ZoneId\"),\n            get_nested(inst, \"InstanceType\"),\n            get_nested(inst, \"VpcAttributes.VpcId\"),\n            get_nested(inst, \"VpcAttributes.VSwitchId\"),\n            get_nested(inst, \"Status\"),\n            get_nested(inst, \"CreationTime\"),\n        ]\n        w.writerow(row)\n\nprint(f\"Wrote {len(instances)} rows to {OUTPUT}\")\nPY\n<\/code><\/pre>\n\n\n\n<p>Run it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">python3 ecs_report.py\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nA message like <code>Wrote N rows to ecs-instances-report.csv<\/code>.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ls -lh ecs-instances-report.csv\nsed -n '1,10p' ecs-instances-report.csv\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6 (Optional): Upload the report to OSS<\/h3>\n\n\n\n<p>This step is optional and may incur small OSS charges. 
You can either:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upload to an existing OSS bucket, or<\/li>\n<li>Create a temporary bucket (must be globally unique)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Upload to an existing bucket<\/h4>\n\n\n\n<p>Set your bucket name:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export BUCKET_NAME=\"your-existing-bucket-name\"\n<\/code><\/pre>\n\n\n\n<p>Try uploading with Alibaba Cloud CLI OSS helper (availability may vary; <strong>verify in your Cloud Shell<\/strong>):<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss cp ecs-instances-report.csv \"oss:\/\/$BUCKET_NAME\/reports\/ecs-instances-report.csv\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nUpload completes successfully.<\/p>\n\n\n\n<p>Verify by listing:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss ls \"oss:\/\/$BUCKET_NAME\/reports\/\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: Create a temporary bucket and upload<\/h4>\n\n\n\n<p>Bucket names must be globally unique and follow OSS naming rules (<strong>verify in OSS docs<\/strong>). 
Example pattern:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export BUCKET_NAME=\"cloudshell-ecs-report-$RANDOM-$RANDOM\"\n<\/code><\/pre>\n\n\n\n<p>Create the bucket:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss mb \"oss:\/\/$BUCKET_NAME\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<p>Upload:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss cp ecs-instances-report.csv \"oss:\/\/$BUCKET_NAME\/ecs-instances-report.csv\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<p>List:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss ls \"oss:\/\/$BUCKET_NAME\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nYou see the uploaded CSV in the bucket listing.<\/p>\n\n\n\n<blockquote>\n<p>If the <code>aliyun oss<\/code> subcommands are not available in your environment, use the console OSS upload as a fallback, or install\/configure <code>ossutil<\/code> if supported. See Troubleshooting.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use the checklist below:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identity check works:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">aliyun sts GetCallerIdentity --output json\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>ECS describe call returns JSON (even if empty):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">test -s ecs-instances.json &amp;&amp; echo \"OK: JSON captured\" || echo \"ERROR: no JSON\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>CSV report exists:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">test -s ecs-instances-report.csv &amp;&amp; echo \"OK: CSV generated\" || echo \"ERROR: no CSV\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li>(Optional) OSS upload verification:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">aliyun oss ls 
\"oss:\/\/$BUCKET_NAME\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>aliyun: command not found<\/code><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause<\/strong>: Alibaba Cloud CLI is not installed in this Cloud Shell image, or PATH is not set.<\/li>\n<li><strong>Fix<\/strong>:<\/li>\n<li>Check if Cloud Shell provides a package manager and whether you can install the Alibaba Cloud CLI (varies by environment).<\/li>\n<li>Use the Alibaba Cloud console to confirm Cloud Shell\u2019s default toolset.<\/li>\n<li>Official CLI docs: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>AccessDenied<\/code> or <code>UnauthorizedOperation<\/code><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause<\/strong>: Your RAM identity lacks permission for the API you called (ECS\/STS\/OSS).<\/li>\n<li><strong>Fix<\/strong>:<\/li>\n<li>Confirm identity with <code>aliyun sts GetCallerIdentity<\/code>.<\/li>\n<li>Ask your admin to grant least-privilege permissions for the required actions.<\/li>\n<li>Check ActionTrail for denied events (if enabled).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>InvalidRegionId<\/code> or empty results when you expect instances<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause<\/strong>: Wrong region, or resources are in a different region.<\/li>\n<li><strong>Fix<\/strong>:<\/li>\n<li>Confirm correct <code>REGION_ID<\/code>.<\/li>\n<li>Query other regions if needed (build a loop after you confirm access).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Error: OSS bucket create fails with naming errors<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause<\/strong>: Bucket naming rules or global uniqueness conflicts.<\/li>\n<li><strong>Fix<\/strong>:<\/li>\n<li>Use a more 
unique name.<\/li>\n<li>Verify OSS bucket naming constraints in official docs: https:\/\/www.alibabacloud.com\/help\/en\/oss\/<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>aliyun oss<\/code> commands not recognized<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause<\/strong>: Your Alibaba Cloud CLI build may not include OSS helper commands, or requires a plugin.<\/li>\n<li><strong>Fix<\/strong>:<\/li>\n<li>Use <code>ossutil<\/code> if available and configured (verify official OSS tooling docs).<\/li>\n<li>Upload\/download via the OSS console for this lab.<\/li>\n<li>Verify in official Cloud Shell docs what OSS tooling is included.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>If you created an OSS bucket in Option B, remove the object and bucket to avoid ongoing charges:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Remove the object\naliyun oss rm \"oss:\/\/$BUCKET_NAME\/ecs-instances-report.csv\" --region \"$REGION_ID\"\n\n# Remove the bucket (only works if empty)\naliyun oss rb \"oss:\/\/$BUCKET_NAME\" --region \"$REGION_ID\"\n<\/code><\/pre>\n\n\n\n<p>Remove local files (optional):<\/p>\n\n\n\n<pre><code class=\"language-bash\">rm -f ecs-instances.json ecs_report.py ecs-instances-report.csv\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\nNo objects remain in OSS from this lab, and local files are deleted.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Cloud Shell for <strong>control-plane automation<\/strong> (API-driven tasks), not as a compute runtime for production workloads.<\/li>\n<li>For recurring workflows, store scripts in version control and copy them into Cloud Shell when needed, or pull them from a repository.<\/li>\n<li>Combine Cloud Shell with infrastructure as code (ROS\/Terraform) rather than doing large-scale provisioning manually.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce <strong>least privilege<\/strong> in RAM:<\/li>\n<li>Separate read-only inventory permissions from write permissions.<\/li>\n<li>Use roles for elevated access and restrict who can assume them.<\/li>\n<li>Prefer short-lived access patterns (SSO + MFA + roles) and avoid long-lived AccessKeys in shell history.<\/li>\n<li>Use explicit region scoping and resource-level conditions in policies where supported.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <code>Describe*<\/code> and <code>List*<\/code> calls; avoid resource creation in scripts until validated.<\/li>\n<li>Add guardrails to scripts:<\/li>\n<li>Dry-run modes (when supported)<\/li>\n<li>Resource filters<\/li>\n<li>Confirmation prompts before deletions<\/li>\n<li>Clean up artifacts (OSS objects, temporary resources) immediately after validation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use paging (<code>PageSize<\/code>, <code>PageNumber<\/code>) to avoid huge responses.<\/li>\n<li>Use filters to limit results (tags, instance status, resource group).<\/li>\n<li>For multi-region checks, parallelize carefully (do not trigger throttling).<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat Cloud Shell as interactive tooling; for mission-critical automation use CI runners or dedicated automation environments.<\/li>\n<li>Save important outputs to durable storage (OSS) if needed for audits or incident records.<\/li>\n<li>Document \u201cknown good\u201d command versions and expected outputs for runbooks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use ActionTrail to correlate changes with identities and timestamps.<\/li>\n<li>Standardize naming conventions for output files and OSS paths, for example:<\/li>\n<li><code>oss:\/\/&lt;bucket&gt;\/ops-reports\/&lt;service&gt;\/&lt;yyyy-mm-dd&gt;\/...<\/code><\/li>\n<li>Write idempotent scripts where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always tag resources created through scripts (where supported) with:<\/li>\n<li><code>Owner<\/code>, <code>Environment<\/code>, <code>CostCenter<\/code>, <code>Application<\/code>, <code>ManagedBy<\/code><\/li>\n<li>Use resource groups and consistent naming for easy search and cleanup.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell actions are governed by the Alibaba Cloud identity you use to log in:<ul>\n<li>Alibaba Cloud account (root) should be avoided for daily ops<\/li>\n<li>RAM users and roles are recommended<\/li>\n<\/ul>\n<\/li>\n<li>Authorization decisions are enforced by <strong>RAM<\/strong> policies attached to users\/roles\/groups.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendation<\/strong>: Use a dedicated RAM role for operations and require explicit role assumption for production changes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API traffic to Alibaba Cloud endpoints uses TLS.<\/li>\n<li>If you store outputs in OSS, enable OSS security controls (encryption options vary; <strong>verify OSS encryption features in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Shell is accessed via the console; it is not a public endpoint you expose yourself.<\/li>\n<li>Connectivity from Cloud Shell to your resources depends on whether the resource is reachable via public endpoints or supports private access methods. 
Do not assume Cloud Shell can reach private VPC addresses.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<p>Common mistakes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pasting AccessKeys into the terminal and leaving them in shell history<\/li>\n<li>Storing secrets in plain text files in the workspace<\/li>\n<li>Uploading sensitive logs to OSS without access controls<\/li>\n<\/ul>\n\n\n\n<p>Secure recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid long-lived AccessKeys in Cloud Shell unless absolutely necessary.<\/li>\n<li>If you must use secrets:<ul>\n<li>Prefer temporary tokens<\/li>\n<li>Avoid echoing secrets in logs<\/li>\n<li>Remove secrets from history and delete files promptly<\/li>\n<\/ul>\n<\/li>\n<li>Use RAM and service-native secret solutions where applicable (verify Alibaba Cloud\u2019s current secret management offerings for your use case).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and configure <strong>ActionTrail<\/strong> to capture API events.<\/li>\n<li>Store ActionTrail logs in a protected OSS bucket with strict access controls.<\/li>\n<li>Consider centralizing logs in an enterprise SIEM if required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Determine whether Cloud Shell usage is allowed under your compliance regime (data residency, access logging, separation of duties).<\/li>\n<li>Document:<ul>\n<li>Who can access Cloud Shell<\/li>\n<li>Which roles can perform write operations<\/li>\n<li>How audit logs are retained and reviewed<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Cloud Shell is intentionally constrained. 
Common limitations include (exact values and behavior vary; <strong>verify in official docs<\/strong>):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Session timeouts<\/strong>: Your session may terminate after inactivity or a maximum duration.<\/li>\n<li><strong>Not for long-running jobs<\/strong>: Background processes may stop when the session ends.<\/li>\n<li><strong>Compute and storage quotas<\/strong>: CPU\/memory and workspace capacity are limited.<\/li>\n<li><strong>Tooling variability<\/strong>: Preinstalled tools and versions may change over time.<\/li>\n<li><strong>Networking constraints<\/strong>:<\/li>\n<li>May not have direct access to private VPC-only endpoints<\/li>\n<li>May require public endpoints or alternative access methods<\/li>\n<li><strong>No inbound services<\/strong>: Not intended for hosting services that require inbound connections.<\/li>\n<li><strong>API throttling<\/strong>: High-rate loops can hit API rate limits.<\/li>\n<li><strong>Multi-account complexity<\/strong>: In Resource Directory environments, cross-account access requires correct role assumptions and policies.<\/li>\n<li><strong>Audit expectations<\/strong>: ActionTrail audits API calls, not necessarily interactive terminal commands.<\/li>\n<\/ul>\n\n\n\n<p>Operational gotchas:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Region mismatches cause confusing \u201cresource not found\u201d results.<\/li>\n<li>Bucket naming rules and global uniqueness commonly block OSS bucket creation in labs.<\/li>\n<li>Permission errors can look like \u201ctool problems\u201d but are often IAM issues.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<p>Cloud Shell is one tool in a broader operations toolbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Options inside Alibaba Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Shell<\/strong>: interactive API-driven ops from the browser<\/li>\n<li><strong>ECS + bastion host<\/strong>: full Linux control and private network access (but you manage patching and credentials)<\/li>\n<li><strong>Cloud Assistant (ECS)<\/strong>: run commands on ECS instances without SSH (different purpose; focuses on OS-level operations)<\/li>\n<li><strong>ROS (Resource Orchestration Service)<\/strong>: declarative provisioning and change management<\/li>\n<li><strong>CI\/CD runners<\/strong> (self-hosted or managed): reliable automation pipelines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Similar services in other clouds (do not confuse products)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS CloudShell<\/strong> (AWS)<\/li>\n<li><strong>Azure Cloud Shell<\/strong> (Microsoft Azure)<\/li>\n<li><strong>Google Cloud Shell<\/strong> (Google Cloud)<\/li>\n<\/ul>\n\n\n\n<p>These services are conceptually similar but have different limits, tooling, and identity models.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local terminal + Alibaba Cloud CLI (<code>aliyun<\/code>) installed on your machine<\/li>\n<li>Containerized \u201ctoolbox\u201d image you maintain (Docker) with pinned versions<\/li>\n<li>Managed jump box pattern (ECS) with hardened OS and audited access<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Alibaba Cloud Cloud Shell<\/td>\n<td>Quick interactive operations and 
learning<\/td>\n<td>No local install, identity-based access, fast start<\/td>\n<td>Session\/compute limits, networking constraints, not for long jobs<\/td>\n<td>Ad-hoc admin, runbooks, inventory, training<\/td>\n<\/tr>\n<tr>\n<td>Local terminal + Alibaba Cloud CLI<\/td>\n<td>Power users and developers<\/td>\n<td>Full control, works offline (except API calls), integrates with local dev tools<\/td>\n<td>Credential management burden, device compliance issues<\/td>\n<td>Engineers with managed endpoints and strong secret controls<\/td>\n<\/tr>\n<tr>\n<td>ECS bastion \/ jump host<\/td>\n<td>Private network operations<\/td>\n<td>Access to VPC-only resources, full OS control<\/td>\n<td>You manage patching, hardening, costs, access governance<\/td>\n<td>When you need VPC-level connectivity and long-running tooling<\/td>\n<\/tr>\n<tr>\n<td>ECS Cloud Assistant<\/td>\n<td>OS-level command execution on ECS<\/td>\n<td>No SSH needed, good for fleet operations<\/td>\n<td>Only for ECS instances, not general API exploration<\/td>\n<td>Patch\/install\/config management for ECS fleets<\/td>\n<\/tr>\n<tr>\n<td>ROS (Resource Orchestration Service)<\/td>\n<td>Infrastructure provisioning<\/td>\n<td>Declarative, repeatable, auditable changes<\/td>\n<td>Learning curve, less flexible for ad-hoc<\/td>\n<td>Standardized infrastructure delivery<\/td>\n<\/tr>\n<tr>\n<td>AWS\/Azure\/GCP Cloud Shell<\/td>\n<td>Other cloud ecosystems<\/td>\n<td>Similar convenience patterns<\/td>\n<td>Different IAM\/tooling\/limits<\/td>\n<td>When operating in those clouds, not Alibaba Cloud<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Security-driven inventory and change verification<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A regulated enterprise must produce monthly evidence of cloud asset inventory and verify no unauthorized changes occurred.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>Engineers use <strong>Cloud Shell<\/strong> with a read-only RAM role to collect inventories (ECS, VPC, security groups, OSS buckets).<\/li>\n<li>Results are exported to CSV and stored in a locked-down <strong>OSS<\/strong> bucket.<\/li>\n<li><strong>ActionTrail<\/strong> is enabled to log API calls and changes; logs are shipped to the enterprise SIEM.<\/li>\n<li><strong>Why Cloud Shell was chosen<\/strong>:<\/li>\n<li>Reduces local credential sprawl.<\/li>\n<li>Provides a standardized environment for audits and runbooks.<\/li>\n<li>Simplifies training for rotating compliance\/on-call staff.<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Faster evidence generation<\/li>\n<li>Fewer tooling discrepancies across teams<\/li>\n<li>Improved audit readiness through consistent processes and API logs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Lightweight ops toolbox without a jump host<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A small team runs a SaaS on Alibaba Cloud and needs a quick way to run operational checks without maintaining an admin VM.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>Use <strong>Cloud Shell<\/strong> for:<ul>\n<li>Checking ECS instance state<\/li>\n<li>Reviewing OSS objects used for backups<\/li>\n<li>Running periodic scripts for tag enforcement<\/li>\n<\/ul>\n<\/li>\n<li>Use least-privilege RAM policies and require MFA for console access.<\/li>\n<li><strong>Why Cloud Shell was chosen<\/strong>:<\/li>\n<li>No need to provision and secure a bastion host early 
on.<\/li>\n<li>Immediate access from anywhere with console login.<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Lower operational overhead<\/li>\n<li>Fewer long-lived keys<\/li>\n<li>Faster response to incidents and deployments<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Alibaba Cloud Cloud Shell the same as AWS CloudShell or Azure Cloud Shell?<\/strong><br\/>\nNo. They are separate services from different providers. This tutorial is specifically about <strong>Alibaba Cloud Cloud Shell<\/strong>.<\/p>\n\n\n\n<p>2) <strong>Do I need to install Alibaba Cloud CLI to use Cloud Shell?<\/strong><br\/>\nUsually not, because Cloud Shell commonly includes the CLI. However, available tools can change\u2014<strong>verify in official Cloud Shell docs<\/strong>.<\/p>\n\n\n\n<p>3) <strong>How does Cloud Shell authenticate to Alibaba Cloud?<\/strong><br\/>\nCloud Shell uses your console identity and RAM authorization. The exact credential mechanism (for example, temporary credentials) should be <strong>verified in official docs<\/strong>.<\/p>\n\n\n\n<p>4) <strong>Can I use Cloud Shell without AccessKeys?<\/strong><br\/>\nOften yes for many operations, because it uses console identity-based auth. If you need explicit AccessKeys for a workflow, avoid persisting them and follow secret-handling best practices.<\/p>\n\n\n\n<p>5) <strong>Are my Cloud Shell commands logged?<\/strong><br\/>\nAPI calls are typically captured by <strong>ActionTrail<\/strong>. Terminal keystrokes\/command history logging is not the same thing; <strong>verify Cloud Shell logging behavior in official docs<\/strong>.<\/p>\n\n\n\n<p>6) <strong>Can Cloud Shell access my VPC private IP addresses?<\/strong><br\/>\nNot necessarily. Cloud Shell is not automatically inside your VPC. 
For private-only access you may need a bastion host, VPN\/Express Connect, or service-specific private endpoints\u2014<strong>verify per service<\/strong>.<\/p>\n\n\n\n<p>7) <strong>Can I run long-running scripts in Cloud Shell?<\/strong><br\/>\nCloud Shell sessions can time out and are not intended for long-running jobs. For durable automation, use CI\/CD runners, Function Compute, ECS, or other services.<\/p>\n\n\n\n<p>8) <strong>Is Cloud Shell free?<\/strong><br\/>\nCloud Shell is often provided at no additional charge, but policies change. Always <strong>verify Cloud Shell billing<\/strong> in the official Alibaba Cloud documentation. You will still pay for resources you create\/manage.<\/p>\n\n\n\n<p>9) <strong>What regions does Cloud Shell support?<\/strong><br\/>\nAvailability can vary. <strong>Verify the region support list in official docs<\/strong>.<\/p>\n\n\n\n<p>10) <strong>Can multiple team members share the same Cloud Shell environment?<\/strong><br\/>\nCloud Shell is typically identity-scoped. Each user should use their own RAM identity for accountability and least privilege.<\/p>\n\n\n\n<p>11) <strong>What\u2019s the best way to store scripts used in Cloud Shell?<\/strong><br\/>\nStore scripts in version control (Git) and pull them into Cloud Shell when needed. Avoid keeping sensitive scripts and secrets only in the shell workspace.<\/p>\n\n\n\n<p>12) <strong>How do I ensure least privilege for Cloud Shell usage?<\/strong><br\/>\nGrant only the RAM actions required for the intended tasks (read-only vs write). 
Use separate roles for production write access and require role assumption.<\/p>\n\n\n\n<p>13) <strong>Why does <code>DescribeInstances<\/code> return empty results?<\/strong><br\/>\nMost commonly: wrong region, no instances in that region, or insufficient permissions.<\/p>\n\n\n\n<p>14) <strong>Can I use Cloud Shell for Kubernetes (ACK) operations?<\/strong><br\/>\nPotentially, if you have the right credentials and network reachability to the cluster API endpoint. Handle kubeconfig securely and <strong>verify ACK access patterns<\/strong>.<\/p>\n\n\n\n<p>15) <strong>How do I troubleshoot permission issues quickly?<\/strong><br\/>\nRun <code>aliyun sts GetCallerIdentity<\/code> to confirm identity, then check RAM policies and ActionTrail denied events.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Cloud Shell<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Cloud Shell documentation (Alibaba Cloud) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/cloud-shell\/<\/td>\n<td>Primary source for features, limits, workflows, and updates<\/td>\n<\/tr>\n<tr>\n<td>Official pricing entry point<\/td>\n<td>Alibaba Cloud Pricing \u2013 https:\/\/www.alibabacloud.com\/pricing<\/td>\n<td>Starting point to confirm whether Cloud Shell has a cost and to navigate service pricing<\/td>\n<\/tr>\n<tr>\n<td>Official calculator<\/td>\n<td>Alibaba Cloud Pricing Calculator \u2013 https:\/\/www.alibabacloud.com\/calculator<\/td>\n<td>Estimate costs for services you might operate from Cloud Shell (OSS\/ECS\/etc.)<\/td>\n<\/tr>\n<tr>\n<td>Official CLI documentation<\/td>\n<td>Alibaba Cloud CLI \u2013 https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/<\/td>\n<td>Essential for understanding <code>aliyun<\/code> command structure and 
authentication<\/td>\n<\/tr>\n<tr>\n<td>Official IAM documentation<\/td>\n<td>Resource Access Management (RAM) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/ram\/<\/td>\n<td>Required for least-privilege access, roles, and policy design<\/td>\n<\/tr>\n<tr>\n<td>Official auditing documentation<\/td>\n<td>ActionTrail \u2013 https:\/\/www.alibabacloud.com\/help\/en\/actiontrail\/<\/td>\n<td>Learn how to audit API calls triggered from Cloud Shell operations<\/td>\n<\/tr>\n<tr>\n<td>Official OSS documentation<\/td>\n<td>Object Storage Service (OSS) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/oss\/<\/td>\n<td>For storing scripts\/artifacts and understanding OSS security and pricing<\/td>\n<\/tr>\n<tr>\n<td>Official ECS documentation<\/td>\n<td>Elastic Compute Service (ECS) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/ecs\/<\/td>\n<td>For the APIs used in inventory and operational workflows<\/td>\n<\/tr>\n<tr>\n<td>Official STS documentation<\/td>\n<td>Security Token Service (STS) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/sts\/<\/td>\n<td>Understand identity tokens and temporary credential patterns used in cloud operations<\/td>\n<\/tr>\n<tr>\n<td>Learning platform (official)<\/td>\n<td>Alibaba Cloud Academy \u2013 https:\/\/edu.alibabacloud.com\/<\/td>\n<td>Courses and learning paths for Alibaba Cloud services (availability varies by region)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The providers below may offer training that can complement hands-on Cloud Shell practice. 
Verify course outlines and delivery modes on their websites.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DevOpsSchool.com<\/strong><\/p>\n<ul>\n<li><strong>Suitable audience<\/strong>: DevOps engineers, SREs, platform teams, developers<\/li>\n<li><strong>Likely learning focus<\/strong>: DevOps practices, automation, CI\/CD, cloud tooling<\/li>\n<li><strong>Mode<\/strong>: Check website<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>ScmGalaxy.com<\/strong><\/p>\n<ul>\n<li><strong>Suitable audience<\/strong>: DevOps practitioners, build\/release engineers<\/li>\n<li><strong>Likely learning focus<\/strong>: SCM, CI\/CD tooling, DevOps fundamentals<\/li>\n<li><strong>Mode<\/strong>: Check website<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.scmgalaxy.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>CloudOpsNow.in<\/strong><\/p>\n<ul>\n<li><strong>Suitable audience<\/strong>: Cloud operations and infrastructure teams<\/li>\n<li><strong>Likely learning focus<\/strong>: Cloud operations, monitoring, automation<\/li>\n<li><strong>Mode<\/strong>: Check website<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.cloudopsnow.in\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>SreSchool.com<\/strong><\/p>\n<ul>\n<li><strong>Suitable audience<\/strong>: SREs, reliability and operations engineers<\/li>\n<li><strong>Likely learning focus<\/strong>: SRE practices, observability, incident management<\/li>\n<li><strong>Mode<\/strong>: Check website<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.sreschool.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>AiOpsSchool.com<\/strong><\/p>\n<ul>\n<li><strong>Suitable audience<\/strong>: Ops teams exploring AIOps and automation<\/li>\n<li><strong>Likely learning focus<\/strong>: AIOps concepts, automation, operational analytics<\/li>\n<li><strong>Mode<\/strong>: Check website<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.aiopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" 
\/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>Use these as training resource platforms and verify the exact offerings directly on each site.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RajeshKumar.xyz<\/strong><\/p>\n<ul>\n<li><strong>Likely specialization<\/strong>: DevOps\/cloud training resources (verify current scope on site)<\/li>\n<li><strong>Suitable audience<\/strong>: Beginners to intermediate engineers<\/li>\n<li><strong>Website<\/strong>: https:\/\/rajeshkumar.xyz\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>devopstrainer.in<\/strong><\/p>\n<ul>\n<li><strong>Likely specialization<\/strong>: DevOps tooling and practices training (verify current scope on site)<\/li>\n<li><strong>Suitable audience<\/strong>: DevOps engineers, developers transitioning to DevOps<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopstrainer.in\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>devopsfreelancer.com<\/strong><\/p>\n<ul>\n<li><strong>Likely specialization<\/strong>: DevOps freelance\/training resources (verify current scope on site)<\/li>\n<li><strong>Suitable audience<\/strong>: Teams seeking external DevOps help or guidance<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopsfreelancer.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>devopssupport.in<\/strong><\/p>\n<ul>\n<li><strong>Likely specialization<\/strong>: DevOps support and operational guidance (verify current scope on site)<\/li>\n<li><strong>Suitable audience<\/strong>: Operations teams needing practical troubleshooting support<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopssupport.in\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>The organizations below may provide consulting related to DevOps and cloud operations. 
Verify specific Alibaba Cloud experience, references, and service details directly with each company.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>cotocus.com<\/strong><\/p>\n<ul>\n<li><strong>Likely service area<\/strong>: Cloud\/DevOps consulting (verify on website)<\/li>\n<li><strong>Where they may help<\/strong>: Operational automation, cloud adoption, governance design<\/li>\n<li><strong>Consulting use case examples<\/strong>:<ul>\n<li>Designing least-privilege RAM policies for operations teams<\/li>\n<li>Building operational runbooks that use Cloud Shell + CLI safely<\/li>\n<\/ul>\n<\/li>\n<li><strong>Website<\/strong>: https:\/\/cotocus.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>DevOpsSchool.com<\/strong><\/p>\n<ul>\n<li><strong>Likely service area<\/strong>: DevOps consulting and training services (verify on website)<\/li>\n<li><strong>Where they may help<\/strong>: DevOps transformation, CI\/CD pipelines, operational maturity<\/li>\n<li><strong>Consulting use case examples<\/strong>:<ul>\n<li>Standardizing CLI-based operational workflows using Cloud Shell<\/li>\n<li>Creating audit-friendly automation patterns with ActionTrail<\/li>\n<\/ul>\n<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>DEVOPSCONSULTING.IN<\/strong><\/p>\n<ul>\n<li><strong>Likely service area<\/strong>: DevOps consulting services (verify on website)<\/li>\n<li><strong>Where they may help<\/strong>: Automation, platform engineering, operations optimization<\/li>\n<li><strong>Consulting use case examples<\/strong>:<ul>\n<li>Implementing governance guardrails for production operations<\/li>\n<li>Cost control runbooks for dev\/test cleanup driven from Cloud Shell<\/li>\n<\/ul>\n<\/li>\n<li><strong>Website<\/strong>: https:\/\/www.devopsconsulting.in\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Cloud Shell<\/h3>\n\n\n\n<p>To get the most value from Cloud Shell, learn:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Basic Linux shell commands (files, pipes, environment variables)<\/li>\n<li>Core Alibaba Cloud concepts:<ul>\n<li>Regions and zones<\/li>\n<li>RAM users\/roles\/policies<\/li>\n<li>VPC fundamentals (VPC, vSwitch, security groups)<\/li>\n<\/ul>\n<\/li>\n<li>The difference between control plane (APIs) and data plane (traffic\/storage)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Cloud Shell<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud CLI<\/strong> deeper usage:<ul>\n<li>Pagination, filtering, output formats<\/li>\n<li>Scripting patterns and error handling<\/li>\n<\/ul>\n<\/li>\n<li><strong>Infrastructure as Code<\/strong>:<ul>\n<li>ROS templates (Alibaba Cloud)<\/li>\n<li>Terraform (if used in your organization\u2014verify provider support and best practices)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Audit and governance<\/strong>:<ul>\n<li>ActionTrail configuration and log retention<\/li>\n<li>Resource Directory (multi-account) governance patterns<\/li>\n<\/ul>\n<\/li>\n<li><strong>Operations excellence<\/strong>:<ul>\n<li>Monitoring\/alerting (CloudMonitor)<\/li>\n<li>Logging patterns (SLS \/ Log Service)<\/li>\n<li>Incident response playbooks<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ cloud operations engineer<\/li>\n<li>DevOps engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Platform engineer<\/li>\n<li>Security engineer (cloud security \/ IAM)<\/li>\n<li>Solutions architect (for demos, validation, and prototyping)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications and learning paths can change. 
Check Alibaba Cloud Academy for current certification offerings and role-based paths: https:\/\/edu.alibabacloud.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Account inventory script<\/strong>: Generate a multi-region inventory of ECS + VPC + OSS.<\/li>\n<li><strong>Least-privilege policy exercise<\/strong>: Create read-only RAM policies for inventory and validate using Cloud Shell.<\/li>\n<li><strong>Change verification runbook<\/strong>: After a deployment, verify critical configurations via CLI and store evidence in OSS.<\/li>\n<li><strong>Cost hygiene report<\/strong>: Identify unused EIPs, stopped instances, unattached disks (be careful\u2014validate APIs and permissions).<\/li>\n<li><strong>Incident response checklist<\/strong>: Use Cloud Shell to collect snapshots of configs and ActionTrail event queries (within your governance model).<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud<\/strong>: Cloud service provider offering compute, storage, networking, and platform services.<\/li>\n<li><strong>Cloud Shell<\/strong>: Alibaba Cloud Developer Tools service providing a browser-based shell for operating cloud resources.<\/li>\n<li><strong>Developer Tools<\/strong>: Category of services used to build, deploy, and operate workloads (CLI, shells, CI\/CD, etc.).<\/li>\n<li><strong>RAM (Resource Access Management)<\/strong>: Alibaba Cloud identity and access management service.<\/li>\n<li><strong>STS (Security Token Service)<\/strong>: Service for issuing temporary security credentials\/tokens.<\/li>\n<li><strong>ActionTrail<\/strong>: Alibaba Cloud service for auditing API calls and events.<\/li>\n<li><strong>ECS (Elastic Compute Service)<\/strong>: Alibaba Cloud virtual machine service.<\/li>\n<li><strong>VPC (Virtual Private Cloud)<\/strong>: Networking construct for isolated virtual networks.<\/li>\n<li><strong>OSS (Object Storage Service)<\/strong>: Alibaba Cloud object storage.<\/li>\n<li><strong>RegionId<\/strong>: Identifier for the region where a service operation applies (for regional services).<\/li>\n<li><strong>Least privilege<\/strong>: Security principle of granting only the minimum permissions required.<\/li>\n<li><strong>Control plane<\/strong>: Management APIs that create\/modify\/list resources.<\/li>\n<li><strong>Data plane<\/strong>: The actual workload traffic and data movement (downloads\/uploads, application traffic).<\/li>\n<li><strong>Runbook<\/strong>: Documented operational procedure (often with executable commands).<\/li>\n<li><strong>Throttling<\/strong>: Rate limiting enforced by an API to protect service stability.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Cloud Shell<\/strong> is a <strong>Developer Tools<\/strong> service that provides a browser-based, managed terminal for operating Alibaba Cloud resources through CLI commands and scripts. It matters because it reduces setup time, lowers credential sprawl, and provides a consistent environment for runbooks, learning, and day-to-day operations.<\/p>\n\n\n\n<p>Cost-wise, Cloud Shell is often not the main cost driver, but actions taken from it can create or modify chargeable resources. Security-wise, it should be used with <strong>RAM least privilege<\/strong>, MFA\/SSO where possible, and <strong>ActionTrail<\/strong> auditing for API calls.<\/p>\n\n\n\n<p>Use Cloud Shell when you need fast, authenticated, interactive cloud operations; avoid it for long-running compute tasks or private-network-only workflows that require a VPC-resident jump host.<\/p>\n\n\n\n<p>Next step: deepen your skills with <strong>Alibaba Cloud CLI<\/strong>, RAM policy design, and ActionTrail auditing using the official documentation starting at https:\/\/www.alibabacloud.com\/help\/en\/cloud-shell\/.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Developer 
Tools<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,18],"tags":[],"class_list":["post-108","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-developer-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}