OpenAPI Explorer: How to use the OpenAPI MCP Server in a multi-account scenario

Last Updated: Sep 28, 2025

Creating an OpenAPI MCP Server in each of your Alibaba Cloud accounts is complex and difficult to manage. The OpenAPI MCP Server provides a multi-account feature to simplify this process. This feature lets you centrally manage the MCP Server and use a consistent access mode to access and manage your other Alibaba Cloud accounts.

Important

The multi-account MCP feature uses role assumption. You must use a Resource Access Management (RAM) user or a RAM role for OAuth authorization. This feature does not support authorization using Alibaba Cloud accounts.

Multi-account MCP parameters

Multi-account MCP

| Option | Description |
| --- | --- |
| Current account only | MCP can operate only on cloud resources in the current account. |
| Multi-account | MCP can operate on cloud resources in the current account and in other accounts. |

Multi-account RAM role name

| Option | Scenario | Function Introduction |
| --- | --- | --- |
| ResourceDirectoryAccountAccessRole | If your company uses an enterprise multi-account resource structure that is set up using Resource Directory, and the RAM user that you are using belongs to the management account, you can use the Resource Directory management role to perform operations on cloud resources in all member accounts. | Resource Directory automatically creates a RAM role (ResourceDirectoryAccountAccessRole) in all member accounts. It sets the trusted entity of this role to the management account of the Resource Directory. This gives the management account permission to assume the role and access all member accounts. |
| Custom role | Between any two Alibaba Cloud accounts. | You must manually create a RAM role in the Alibaba Cloud account that will be assumed. Set the trusted entity to the Alibaba Cloud account used to create the OpenAPI MCP Server. Note: Add permissions to the RAM role as needed. |

Case 1: Use the Resource Directory management role

If your company uses a multi-account resource structure built with Resource Directory, you can directly assume the RAM role (ResourceDirectoryAccountAccessRole) in member accounts to access their cloud resources.

1. Create an OpenAPI MCP Server in the management account

Go to the Alibaba Cloud OpenAPI MCP service page to create an MCP service. Select Multi-account and set the Multi-account RAM role name to ResourceDirectoryAccountAccessRole.

2. Monitor the status of cloud resources in member accounts from the MCP Client

This topic uses Tongyi Lingma as an example.

  1. Follow the instructions in Configure MCP in Tongyi Lingma to configure the OpenAPI MCP Server.

  2. In the Tongyi Lingma session window, select the agent. Then, enter a natural language instruction, such as "Query the running status of ECS instances in the xxx account in the xx region."

  3. When the MCP tool runs, the OpenAPI MCP Server automatically switches to the destination account if permissions are granted. It then performs the MCP operation in that account.

Case 2: Use a custom role

A company uses a multi-account architecture on Alibaba Cloud and assigns departments such as R&D, marketing, O&M, and finance to separate accounts for resource isolation and access control. The O&M team needs to monitor resources across these accounts. Previously, O&M engineers had to manually log on to each account, which was inefficient. With the multi-account support in the OpenAPI MCP Server, the O&M team can deploy a single, unified MCP Server. This allows them to use natural language from an MCP client to query resources across all accounts. For example, they can run a query such as "Query the running status of ECS instances in the xxx account in the xx region." This significantly improves O&M efficiency.

1. Create a RAM role

Create a RAM role in the business team's Alibaba Cloud account for the O&M team to assume.

  1. Go to the Create Role page in the RAM console and create a RAM role. Set the trusted entity type to Alibaba Cloud Account and the trusted entity to the operations account.

  2. Because O&M engineers assume this role to access the cloud resources of the business account, you must grant the required permissions to the RAM role. For more information, see Grant permissions to a RAM role.

  3. Provide the name of this RAM role to the O&M team.
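
Before handing over the role name, the business account can check that the role's trust policy lets only the operations account assume it; the same check applies to ResourceDirectoryAccountAccessRole with the management account as the expected principal. This is an added example, not Alibaba Cloud's code: the account IDs and both sample policies are constructed, and the policy JSON is assumed to have been copied from the role's trust policy in the RAM console.

```python
import json

OPS_ACCOUNT_ID = "1111111111111111"  # constructed placeholder for the operations account

# Constructed trust policies in RAM's policy-document format.
GOOD_POLICY = """{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"RAM": ["acs:ram::1111111111111111:root"]}}]}"""
BAD_POLICY = """{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"RAM": ["acs:ram::1111111111111111:root",
                        "acs:ram::2222222222222222:root"],
                "Service": ["ecs.aliyuncs.com"]}}]}"""


def principal_account(arn):
    """Return the account ID of an acs:ram::<account-id>:<entity> ARN, else None."""
    parts = arn.split(":")
    if len(parts) == 5 and parts[:3] == ["acs", "ram", ""]:
        return parts[3]
    return None


def audit_trust_policy(policy_json, expected_account_id):
    """List every principal, other than the expected account, that may assume the role."""
    findings, trusted = [], False
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. a bare wildcard string
            findings.append(f"statement {idx}: unscoped principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind == "RAM" and principal_account(value) == expected_account_id:
                    trusted = True
                else:
                    findings.append(f"statement {idx}: unexpected {kind} principal {value}")
    if not trusted:
        findings.append("expected account is not trusted; the MCP Server cannot assume this role")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_trust_policy(doc, OPS_ACCOUNT_ID) or "OK")
```

An empty result means the role can be assumed only from the expected account; any finding is a principal to remove from the trust policy before the role name is shared.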

2. Create an OpenAPI MCP Server

In the O&M team's Alibaba Cloud account, go to the Alibaba Cloud OpenAPI MCP service page. When you create the MCP service, select Multi-account. In the Custom role field, enter the RAM role name provided by the business team's account.

3. Perform MCP operations in the MCP Client

An O&M engineer can monitor the running status of ECS instances from the MCP client. The following example uses Tongyi Lingma to perform an MCP operation.

  1. Follow the instructions in Configure MCP in Tongyi Lingma to configure the OpenAPI MCP Server.

  2. In the Tongyi Lingma session window, select the agent. Then, enter a natural language instruction, such as "Query the running status of ECS instances in the xxx account in the xx region."

  3. When the MCP tool runs, the OpenAPI MCP Server automatically switches to the destination account if permissions are granted. It then performs the MCP operation in that account.
