Alibaba Cloud integration, supporting ECS, Cloud Monitor, OOS and widely used cloud products.
4.3K
Description: Alibaba Cloud integration, supporting ECS, Cloud Monitor, OOS and widely used cloud products.
Packaged by Acuvity and published to our curated MCP server registry from alibaba-cloud-ops-mcp-server original sources.
Quick links:
At Acuvity, security is central to our mission—especially for critical systems like MCP servers and integration in agentic systems. To address this need, we've created a secure and robust Docker image designed to ensure alibaba-cloud-ops-mcp-server run reliably and safely.
Minibridge Integration: Minibridge establishes secure Agent-to-MCP connectivity, supports Rego/HTTP-based policy enforcement 🕵️, and simplifies orchestration.
The ARC container includes a built-in Rego policy that enables a set of runtime "guardrails"" to help enforce security, privacy, and correct usage of your services. Below is an overview of each guardrail provided.
Mitigates MCP Rug Pull Attacks
Monitors incoming requests for hidden or obfuscated directives that could alter policy behavior.
Block user-defined sensitive data patterns (credential paths, filesystem references).
.env files, RSA key paths, directory traversal sequences.Detects and blocks "shadowing" attacks, where a malicious MCP server sneaks hidden directives into its own tool descriptions to hijack or override the behavior of other, trusted tools.
send_email tool).<IMPORTANT> sections referencing other tool names, hidden side‐effects, or directives that apply to a different server’s API. Any description that attempts to shadow or extend instructions for a tool outside its own namespace triggers a policy violation and is rejected.Enforces strict adherence to MCP input schemas.
Controls whether tools may invoke tools or services from external origins.
Automatically masks sensitive values so they never appear in logs or responses.
[REDACTED] before the response is sent or recorded.These controls ensure robust runtime integrity, prevent unauthorized behavior, and provide a foundation for secure-by-design system operations.
To activate guardrails in your Docker containers, define the GUARDRAILS environment variable with the protections you need.
| Guardrail | Summary |
|---|---|
covert-instruction-detection | Detects hidden or obfuscated directives in requests. |
sensitive-pattern-detection | Flags patterns suggesting sensitive data or filesystem exposure. |
shadowing-pattern-detection | Identifies tool descriptions that override or influence others. |
schema-misuse-prevention | Enforces strict schema compliance on input data. |
cross-origin-tool-access | Controls calls to external services or APIs. |
secrets-redaction | Prevents exposure of credentials or sensitive values. |
Example: add -e GUARDRAILS="secrets-redaction sensitive-pattern-detection" to enable those guardrails.
Provides a lightweight auth layer using a single shared token.
Authorization header with the predefined secret.To turn on Basic Authentication, define BASIC_AUTH_SECRET environment variable with a shared secret.
Example: add -e BASIC_AUTH_SECRET="supersecret" to enable the basic authentication.
While basic auth will protect against unauthorized access, you should use it only in controlled environment, rotate credentials frequently and always use TLS.
Note
By default, all guardrails are turned off. You can enable or disable each one individually, ensuring that only the protections your environment needs are active.
Maintained by:
Where to get help:
Where to file issues:
Supported architectures:
amd64arm64Base image:
ghcr.io/astral-sh/uv:python3.12-alpineResources:
Latest tags:
latest -> 1.0.0-0.8.7 -> 0.8.7Verify signature with cosign:
cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/acuvity/mcp-servers-registry/.github/workflows/release.yaml@refs/heads/main" docker.io/acuvity/mcp-server-alibaba-cloud-ops:latestcosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/acuvity/mcp-servers-registry/.github/workflows/release.yaml@refs/heads/main" docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/acuvity/mcp-servers-registry/.github/workflows/release.yaml@refs/heads/main" docker.io/acuvity/mcp-server-alibaba-cloud-ops:1.0.0-0.8.7Tip
Given mcp-server-alibaba-cloud-ops scope of operation it can be hosted anywhere.
Environment variables and secrets:
ALIBABA_CLOUD_ACCESS_KEY_ID required to be setALIBABA_CLOUD_ACCESS_KEY_SECRET required to be setFor more information and extra configuration you can consult the package documentation.
Below are the steps for configuring most clients that use MCP to elevate their Copilot experience.
Note
These integrations function natively across all Minibridge modes. To keep things brief, only the docker local-run setup is covered here.
To get started immediately, you can use the "one-click" link below:
Press ctrl + shift + p and type Preferences: Open User Settings JSON to add the following section:
{
"mcp": {
"servers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"env": {
"ALIBABA_CLOUD_ACCESS_KEY_ID": "TO_BE_SET",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_ID",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET",
"docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"
]
}
}
}
}
In your workspace create a file called .vscode/mcp.json and add the following section:
{
"servers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"env": {
"ALIBABA_CLOUD_ACCESS_KEY_ID": "TO_BE_SET",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_ID",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET",
"docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"
]
}
}
}
To pass secrets you should use the
promptStringinput type described in the Visual Studio Code documentation.
In ~/.codeium/windsurf/mcp_config.json add the following section:
{
"mcpServers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"env": {
"ALIBABA_CLOUD_ACCESS_KEY_ID": "TO_BE_SET",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_ID",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET",
"docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"
]
}
}
}
See Windsurf documentation for more info.
Add the following JSON block to your mcp configuration file:
~/.cursor/mcp.json for global scope.cursor/mcp.json for project scope{
"mcpServers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"env": {
"ALIBABA_CLOUD_ACCESS_KEY_ID": "TO_BE_SET",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_ID",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET",
"docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"
]
}
}
}
See cursor documentation for more information.
In the claude_desktop_config.json configuration file add the following section:
{
"mcpServers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"env": {
"ALIBABA_CLOUD_ACCESS_KEY_ID": "TO_BE_SET",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_ID",
"-e",
"ALIBABA_CLOUD_ACCESS_KEY_SECRET",
"docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"
]
}
}
}
See Anthropic documentation for more information.
async with MCPServerStdio(
params={
"env": {"ALIBABA_CLOUD_ACCESS_KEY_ID":"TO_BE_SET","ALIBABA_CLOUD_ACCESS_KEY_SECRET":"TO_BE_SET"},
"command": "docker",
"args": ["run","-i","--rm","--read-only","-e","ALIBABA_CLOUD_ACCESS_KEY_ID","-e","ALIBABA_CLOUD_ACCESS_KEY_SECRET","docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7"]
}
) as server:
tools = await server.list_tools()
async with MCPServerSse(
params={
"url": "http://<ip>:<port>/sse",
}
) as server:
tools = await server.list_tools()
See OpenAI Agents SDK docs for more info.
In your client configuration set:
dockerrun -i --rm --read-only -e ALIBABA_CLOUD_ACCESS_KEY_ID -e ALIBABA_CLOUD_ACCESS_KEY_SECRET docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7Simply run as:
docker run -it -p 8000:8000 --rm --read-only -e ALIBABA_CLOUD_ACCESS_KEY_ID -e ALIBABA_CLOUD_ACCESS_KEY_SECRET docker.io/acuvity/mcp-server-alibaba-cloud-ops:0.8.7
Then on your application/client, you can configure to use it like:
{
"mcpServers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"url": "http://localhost:8000/sse"
}
}
}
You might have to use different ports for different tools.
This section assume you are familiar with TLS and certificates and will require:
- a server certificate with proper DNS/IP field matching your tool deployment.
- a client-ca used to sign client certificates
backend mode-e MINIBRIDGE_MODE=backend/certs ex (-v $PWD/certs:/certs)-e MINIBRIDGE_TLS_SERVER_CERT=/certs/server-cert.pem-e MINIBRIDGE_TLS_SERVER_KEY=/certs/server-key.pem-e MINIBRIDGE_TLS_SERVER_KEY_PASS=optional-e MINIBRIDGE_TLS_SERVER_CLIENT_CA=/certs/client-ca.pemminibridge locally in frontend mode:In your client configuration, Minibridge works like any other STDIO command.
Example for Claude Desktop:
{
"mcpServers": {
"acuvity-mcp-server-alibaba-cloud-ops": {
"command": "minibridge",
"args": ["frontend", "--backend", "wss://<remote-url>:8000/ws", "--tls-client-backend-ca", "/path/to/ca/that/signed/the/server-cert.pem/ca.pem", "--tls-client-cert", "/path/to/client-cert.pem", "--tls-client-key", "/path/to/client-key.pem"]
}
}
}
That's it.
Minibridge offers a host of additional features. For step-by-step guidance, please visit the wiki. And if anything’s unclear, don’t hesitate to reach out!
This chart requires some mandatory information to be installed.
Mandatory Secrets:
ALIBABA_CLOUD_ACCESS_KEY_ID secret to be set as secrets.ALIBABA_CLOUD_ACCESS_KEY_ID either by .value or from existing with .valueFromALIBABA_CLOUD_ACCESS_KEY_SECRET secret to be set as secrets.ALIBABA_CLOUD_ACCESS_KEY_SECRET either by .value or from existing with .valueFromYou can inspect the chart README:
helm show readme oci://docker.io/acuvity/mcp-server-alibaba-cloud-ops --version 1.0.0
You can inspect the values that you can configure:
helm show values oci://docker.io/acuvity/mcp-server-alibaba-cloud-ops --version 1.0.0
Install with helm
helm install mcp-server-alibaba-cloud-ops oci://docker.io/acuvity/mcp-server-alibaba-cloud-ops --version 1.0.0
From there your MCP server mcp-server-alibaba-cloud-ops will be reachable by default through http/sse from inside the cluster using the Kubernetes Service mcp-server-alibaba-cloud-ops on port 8000 by default. You can change that by looking at the service section of the values.yaml file.
The deployment will create a Kubernetes service with a healthPort, that is used for liveness probes and readiness probes. This health port can also be used by the monitoring stack of your choice and exposes metrics under the /metrics path.
See full charts Readme for more details about settings and runtime security including guardrails activation.
For detailed list of all features, tools, arguments and SBOM hashes provided by this server please consult the readme
💬 Questions? Open an issue or contact us [email protected] . 📦 Contributions welcome!
Content type
Image
Digest
sha256:05deb6491…
Size
268 Bytes
Last updated
about 1 year ago
docker pull acuvity/mcp-server-alibaba-cloud-ops:sha256-f6fdbe211dc4051a3702914134524bcfd4db82a736271deb6114bc87826f1a38.sig