All Products
Search

This Product

    OpenAPI Explorer:Use OpenAPI MCP Server in multi-account scenarios

    Document Center

    OpenAPI Explorer:Use OpenAPI MCP Server in multi-account scenarios

    Last Updated:Jun 21, 2026

    Managing a separate OpenAPI MCP Server for each Alibaba Cloud account is complex and inefficient. The multi-account MCP feature simplifies this process. This feature lets you use a single, centralized MCP Server and a consistent access model to manage resources across all your Alibaba Cloud accounts.

    Important

    The multi-account MCP feature uses role assumption. It requires a RAM user or RAM role for OAuth authorization; you cannot use an Alibaba Cloud account directly for this purpose.

    Multi-account MCP parameters

    Multi-account MCP

    On the OpenAPI MCP Server configuration page in the console, use the Multi-account MCP drop-down list to select either Only this account or Multiple accounts to define the server's access scope.

    Option

    Description

    Only this account

    The MCP Server can operate only on cloud resources in the current account.

    Multiple accounts

    The MCP Server can operate on cloud resources in both the current account and other accounts.

    Multi-account RAM role name

    Option

    Use case

    Description

    Resource Directory management role ResourceDirectoryAccountAccessRole

    If your organization uses Resource Directory to set up a multi-account environment and your RAM user belongs to the management account, you can select this role to manage resources in all member accounts.

    Resource Directory automatically creates a RAM role named ResourceDirectoryAccountAccessRole in all member accounts. The trust policy for this role designates the management account as the trusted principal, which allows it to assume the role and access the member accounts.

    Custom role

    To delegate access between any two Alibaba Cloud accounts.

    You must manually create a RAM role in the target Alibaba Cloud account and set its trusted principal to the Alibaba Cloud account hosting the OpenAPI MCP Server.

    Note

    Grant the RAM role the required permissions.

    Example 1: Use the Resource Directory management role

    If your organization uses Resource Directory to manage a multi-account environment, you can assume the RAM role (ResourceDirectoryAccountAccessRole) in member accounts to access their cloud resources.

    1. Create MCP Server in the management account

    Go to the Alibaba Cloud OpenAPI MCP Server page to create an MCP service. Select Multiple accounts, and for the multi-account RAM role name, select Resource Directory management role ResourceDirectoryAccountAccessRole.

    Enter multi-account for Name, select Chinese for Documentation Language, and choose Alibaba Cloud Official OAuth for OAuth Configuration.

    2. Monitor member account resources

    This example uses Tongyi Lingma as the MCP client.

    1. Configure the OpenAPI MCP Server according to the instructions in Configure MCP in Tongyi Lingma.

    2. In the Tongyi Lingma interface, click the Agent button in the lower-left corner to switch to agent mode. In the input box, enter a natural language query, such as "Query the running status of ECS instances in the China (Hangzhou) region", and then click Send.

    3. When the MCP tool runs, OpenAPI MCP Server automatically assumes the role in the target account (if permissions are sufficient) and performs the operation.

      Tongyi Lingma uses the MCP tool rd-role/Ecs-20140526-DescribeInstanceStatus to query the ECS instance status in the target member account in the China (Hangzhou) (cn-hangzhou) region. The result shows that there is one ECS instance in the account, and its status is Running.

    Example 2: Use a custom role

    A company uses a multi-account architecture on Alibaba Cloud, assigning departments such as R&D, marketing, operations, and finance to separate accounts for resource isolation and access control. To securely access resources, teams use RAM role assumption. For instance, the operations team centrally monitors the status of various business accounts. Previously, operators had to manually assume roles and log in to different accounts—a tedious, inefficient, and error-prone process. OpenAPI MCP Server's multi-account feature lets the operations team deploy a unified server. Operators can simply enter natural language commands (such as "query the status of ECS instances in account X in region Y") in an MCP client to quickly retrieve information across accounts, significantly improving operational efficiency.

    1. Create a RAM role

    In each business account that the operations team needs to access, create a RAM role that the operations team's account can assume.

    1. Go to the Create Role page in the RAM console. Create a RAM role by selecting Cloud Account for the Trusted Entity Type. Select Other Alibaba Cloud Account as the trusted entity, enter the operations team's Alibaba Cloud account ID and click OK.

    2. O&M personnel access the cloud resources of the business account by assuming this role. Therefore, you must grant the RAM role permissions on the corresponding resources. To learn how to grant permissions to a RAM role, see Manage the permissions of a RAM role.

    3. Provide the name of this RAM role to the operations team.

    2. Create an OpenAPI MCP Server

    From the operations team's Alibaba Cloud account, go to the Alibaba Cloud OpenAPI MCP Server page. When creating the MCP service, select Multiple accounts and enter the RAM role name provided by the business account in the custom role field.

    Enter multi-account for Name, select Chinese for Documentation Language, choose Alibaba Cloud Official OAuth for OAuth Configuration, and enter a custom role name such as multi-account-test.

    3. Execute MCP operations

    For example, an operations engineer can monitor the running status of ECS instances from an MCP client. This example uses Tongyi Lingma.

    1. Configure the OpenAPI MCP Server according to the instructions in Configure MCP in Tongyi Lingma.

    2. In the Tongyi Lingma chat window, select an agent and enter a natural language query, such as "Query the running status of ECS instances in account X in region Y."

    3. When the MCP tool runs, OpenAPI MCP Server automatically assumes the role in the target account (if permissions are sufficient) and performs the operation.

      For example, Tongyi Lingma executes the MCP tool multi-account/Ecs-20140526-DescribeInstances. It specifies the target account by using the x_assume_account_id parameter and sets RegionId to cn-hangzhou to query ECS instances in the China (Hangzhou) region. The OpenAPI MCP Server automatically switches to the target account to complete the call. The result shows two ECS instances in the account, both in a Running state.