> ## Documentation Index
> Fetch the complete documentation index at: https://docs.qoder.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloud Use

Cloud Use is a capability of Qoder Cloud Agents that lets a cloud-resident agent operate your Alibaba Cloud resources under a governed identity, completing tasks end-to-end in the cloud.

This page walks you through setup and a few typical cloud-use scenarios.

## How it works

Setup takes two steps: in the console, authorize the **Alibaba Cloud OpenAPI MCP** via **OAuth**, and import **official Alibaba Cloud skills** from the Skill marketplace as needed. After that, in a cloud session the agent uses a platform-injected machine identity to call the Alibaba Cloud OpenAPI through MCP and complete tasks with those skills. Because the agent runs in the cloud, it can run long-term, be triggered in real time by events, and every cloud action is recorded server-side.

Typical use: ops and incident response, data analytics, data processing, and cost governance — tasks that need an agent to run long-term, trigger in real time, and operate Alibaba Cloud resources under a governed identity.

## Connect to Alibaba Cloud (OAuth · in the console)

Cloud Use operates the cloud through the **Alibaba Cloud OpenAPI MCP**, authenticated with **OAuth** in the console. The five steps below are all done in the console.

<Note>
  Prerequisite: you have an Alibaba Cloud account with permission to install third-party applications in RAM.
</Note>

<Steps>
  <Step title="Get your MCP URL">
    <span id="step-1" />

    Open the MCP onboarding page of the Alibaba Cloud OpenAPI portal, and choose the domain for your account's site:

    * **China site**: [https://api.aliyun.com/mcp](https://api.aliyun.com/mcp)
    * **International site**: [https://api.alibabacloud.com/mcp](https://api.alibabacloud.com/mcp)

    On the page, select **Streamable HTTP Endpoint** and copy your dedicated MCP server URL.
  </Step>

  <Step title="Install the official app in Alibaba Cloud RAM">
    <span id="step-2" />

    Open the RAM console's **Third-party applications** page for your site:

    * **China site**: [https://ram.console.aliyun.com/applications?activeTab=ThirdParty](https://ram.console.aliyun.com/applications?activeTab=ThirdParty)
    * **International site**: [https://ram.console.alibabacloud.com/applications?activeTab=ThirdParty](https://ram.console.alibabacloud.com/applications?activeTab=ThirdParty)

    Then go to **Third-party applications** → **Install official app** → select **OpenAPI MCP Server** to finish installation.

    <Warning>
      This is a **prerequisite** for OAuth. If the official app isn't installed, the authorization page fails with "application not authorized to install".
    </Warning>
  </Step>

  <Step title="Create a Vault and authorize in the console">
    <span id="step-3" />

    In the [Cloud Agents console](https://qoder.com/cloud/secrets) → **Vaults** → click **Add** to create a credential:

    * **Credential type**: `MCP OAuth`
    * **MCP server**: select the pinned **"Alibaba Cloud · Cloud Use"** from the dropdown (or choose "Custom URL" and paste the address from [Step 1](#step-1)). If you're unsure of the URL, click "Alibaba Cloud MCP Setup Guide" and follow the guide.

    Save, then complete the one-time **OAuth redirect**; the credential status changes to "Authorized".
  </Step>

  <Step title="Bind the MCP on your agent">
    In the agent's **MCP Servers** settings, select the MCP OAuth credential created in [Step 3](#step-3) (recommended: pick an existing credential from the Vault so you don't re-enter the URL).
  </Step>

  <Step title="Link the Vault when creating a session">
    When starting a session, choose this agent and link the corresponding Vault. The platform automatically injects the OAuth token into the MCP call chain, and the agent calls tools under the authorized Alibaba Cloud identity.
  </Step>
</Steps>

## Import cloud-use skills

In the console under **Skills → Create → Import from Skill marketplace**:

* Pick the pinned **"Cloud Use"** category to see the curated cloud-use skills;
* Or search for official Alibaba Cloud skills (e.g., RAM Permission Diagnosis, DataWorks Data Development, Quick BI NL2SQL) and import them;
* After **Import**, the skill appears in your **Skills** list and can be used in your agent right away.

## Typical scenarios

### Incident Response

* **Outcome**: on alert → locate root cause → controlled mitigation → fix PR.
* **Key permissions**: logs / monitoring read-only `allow`; restart / scale / shift traffic (mitigation) `ask`; delete / release `deny`.
* **Recommended skills**: RAM Permission Diagnosis & Policy Generator, CloudMonitor 2.0 Lifecycle Management, Elasticsearch Cluster Diagnosis & Repair.
* **Trigger**: event-driven (alert webhook, real time).

### Data Analytics

* **Outcome**: natural-language question → explore schema → generate and run SQL → chart → attribution explanation.
* **Key permissions**: query / run SQL (read-only) `allow`; write operations `deny`.
* **Recommended skills**: Smart-Q Data Analytics (Quick BI), NL2SQL Engine (DMS, 60+ sources), Data Visualization.
* **Trigger**: real-time Q\&A; optional daily digest at 08:00.

### Data Processing

* **Outcome**: read source → rule-based clean / transform / aggregate → write to target dataset → validate row count and schema.
* **Key permissions**: read source `allow`; write back to target table / OSS `ask`; delete source data `deny`. Tasks must be idempotent and re-runnable.
* **Recommended skills**: DataWorks Data Development, ClickHouse Data Migration, MaxCompute Metadata Analysis.
* **Trigger**: daily batch at 02:00 (cron configurable).

### Cost Governance (FinOps)

* **Outcome**: pull bills and utilization → top cost items, each with "estimated monthly savings + a one-line fix".
* **Key permissions**: bills / utilization (read-only) `allow`; stop idle / downsize / lifecycle `ask`.
* **Recommended skills**: EMR Cluster Lifecycle Management (cost tags), MaxCompute Metadata (task cost tracking), DAS Database Autonomy.
* **Trigger**: daily at 09:00 (cron configurable).

## FAQ

**Q: How is this different from running a local coding agent + Alibaba Cloud MCP?**

A: A Cloud Use agent runs in the cloud — it can run 24/7 and be triggered in real time by events (e.g., an alert webhook), without needing your machine online. It operates the cloud under an authorized machine identity, with credentials injected by the platform and never stored locally, and every cloud action is recorded server-side and auditable.

**Q: Authorization fails with "application not authorized to install, please restart the flow to authorize."**

A: Go back to [Step 2](#step-2) and confirm the **OpenAPI MCP Server** official app is installed under **Third-party applications** in Alibaba Cloud RAM, then restart OAuth.

**Q: Where do the Alibaba Cloud charges show up?**

A: Cloud-use consumption runs on the Alibaba Cloud account you authorized — whichever account completes the MCP OAuth authorization is the one billed. The API calls and resource usage are charged to that account, and the bill appears under that account's Billing center.

**Q: Are the China site and the International site different?**

A: Yes. Both the Alibaba Cloud MCP onboarding portal and the RAM console have separate domains for the China site and the International site (onboarding page in [Step 1](#step-1), RAM console in [Step 2](#step-2)). Use the domain that matches your account's site.

**Q: Can multiple sessions reuse the same authorization?**

A: Yes. Authorization and connection live in the **Vault**; the agent only references them. Configure once, attach anywhere.