Skip to main content
Cloud Use is a capability of Qoder Cloud Agents that lets a cloud-resident agent operate your Alibaba Cloud resources under a governed identity, completing tasks end-to-end in the cloud. This page walks you through setup and a few typical cloud-use scenarios.

How it works

Setup takes two steps: in the console, authorize the Alibaba Cloud OpenAPI MCP via OAuth, and import official Alibaba Cloud skills from the Skill marketplace as needed. After that, in a cloud session the agent uses a platform-injected machine identity to call the Alibaba Cloud OpenAPI through MCP and complete tasks with those skills. Because the agent runs in the cloud, it can run long-term, be triggered in real time by events, and every cloud action is recorded server-side. Typical use: ops and incident response, data analytics, data processing, and cost governance — tasks that need an agent to run long-term, trigger in real time, and operate Alibaba Cloud resources under a governed identity.

Connect to Alibaba Cloud (OAuth · in the console)

Cloud Use operates the cloud through the Alibaba Cloud OpenAPI MCP, authenticated with OAuth in the console. The five steps below are all done in the console.
Prerequisite: you have an Alibaba Cloud account with permission to install third-party applications in RAM.
1

Get your MCP URL

Open the MCP onboarding page of the Alibaba Cloud OpenAPI portal, and choose the domain for your account’s site:On the page, select Streamable HTTP Endpoint and copy your dedicated MCP server URL.
2

Install the official app in Alibaba Cloud RAM

Open the RAM console’s Third-party applications page for your site:Then go to Third-party applicationsInstall official app → select OpenAPI MCP Server to finish installation.
This is a prerequisite for OAuth. If the official app isn’t installed, the authorization page fails with “application not authorized to install”.
3

Create a Vault and authorize in the console

In the Cloud Agents consoleVaults → click Add to create a credential:
  • Credential type: MCP OAuth
  • MCP server: select the pinned “Alibaba Cloud · Cloud Use” from the dropdown (or choose “Custom URL” and paste the address from Step 1). If you’re unsure of the URL, click “Alibaba Cloud MCP Setup Guide” and follow the guide.
Save, then complete the one-time OAuth redirect; the credential status changes to “Authorized”.
4

Bind the MCP on your agent

In the agent’s MCP Servers settings, select the MCP OAuth credential created in Step 3 (recommended: pick an existing credential from the Vault so you don’t re-enter the URL).
5

Link the Vault when creating a session

When starting a session, choose this agent and link the corresponding Vault. The platform automatically injects the OAuth token into the MCP call chain, and the agent calls tools under the authorized Alibaba Cloud identity.

Import cloud-use skills

In the console under Skills → Create → Import from Skill marketplace:
  • Pick the pinned “Cloud Use” category to see the curated cloud-use skills;
  • Or search for official Alibaba Cloud skills (e.g., RAM Permission Diagnosis, DataWorks Data Development, Quick BI NL2SQL) and import them;
  • After Import, the skill appears in your Skills list and can be used in your agent right away.

Typical scenarios

Incident Response

  • Outcome: on alert → locate root cause → controlled mitigation → fix PR.
  • Key permissions: logs / monitoring read-only allow; restart / scale / shift traffic (mitigation) ask; delete / release deny.
  • Recommended skills: RAM Permission Diagnosis & Policy Generator, CloudMonitor 2.0 Lifecycle Management, Elasticsearch Cluster Diagnosis & Repair.
  • Trigger: event-driven (alert webhook, real time).

Data Analytics

  • Outcome: natural-language question → explore schema → generate and run SQL → chart → attribution explanation.
  • Key permissions: query / run SQL (read-only) allow; write operations deny.
  • Recommended skills: Smart-Q Data Analytics (Quick BI), NL2SQL Engine (DMS, 60+ sources), Data Visualization.
  • Trigger: real-time Q&A; optional daily digest at 08:00.

Data Processing

  • Outcome: read source → rule-based clean / transform / aggregate → write to target dataset → validate row count and schema.
  • Key permissions: read source allow; write back to target table / OSS ask; delete source data deny. Tasks must be idempotent and re-runnable.
  • Recommended skills: DataWorks Data Development, ClickHouse Data Migration, MaxCompute Metadata Analysis.
  • Trigger: daily batch at 02:00 (cron configurable).

Cost Governance (FinOps)

  • Outcome: pull bills and utilization → top cost items, each with “estimated monthly savings + a one-line fix”.
  • Key permissions: bills / utilization (read-only) allow; stop idle / downsize / lifecycle ask.
  • Recommended skills: EMR Cluster Lifecycle Management (cost tags), MaxCompute Metadata (task cost tracking), DAS Database Autonomy.
  • Trigger: daily at 09:00 (cron configurable).

FAQ

Q: How is this different from running a local coding agent + Alibaba Cloud MCP? A: A Cloud Use agent runs in the cloud — it can run 24/7 and be triggered in real time by events (e.g., an alert webhook), without needing your machine online. It operates the cloud under an authorized machine identity, with credentials injected by the platform and never stored locally, and every cloud action is recorded server-side and auditable. Q: Authorization fails with “application not authorized to install, please restart the flow to authorize.” A: Go back to Step 2 and confirm the OpenAPI MCP Server official app is installed under Third-party applications in Alibaba Cloud RAM, then restart OAuth. Q: Where do the Alibaba Cloud charges show up? A: Cloud-use consumption runs on the Alibaba Cloud account you authorized — whichever account completes the MCP OAuth authorization is the one billed. The API calls and resource usage are charged to that account, and the bill appears under that account’s Billing center. Q: Are the China site and the International site different? A: Yes. Both the Alibaba Cloud MCP onboarding portal and the RAM console have separate domains for the China site and the International site (onboarding page in Step 1, RAM console in Step 2). Use the domain that matches your account’s site. Q: Can multiple sessions reuse the same authorization? A: Yes. Authorization and connection live in the Vault; the agent only references them. Configure once, attach anywhere.