Merge pull request #1 from aliyun/feature/edit_ak_sk_load

Feature/edit ak sk load

Author: RinaisSuper

README.md

@@ -52,8 +52,42 @@
     ![image](./images/find_slowest_trace.png)
 
 
+### 权限要求
+
+为了确保 MCP Server 能够成功访问和操作您的阿里云可观测性资源，您需要配置以下权限：
+
+1.  **阿里云访问密钥 (AccessKey)**：
+    *   服务运行需要有效的阿里云 AccessKey ID 和 AccessKey Secret。
+    *   获取和管理 AccessKey，请参考 [阿里云 AccessKey 管理官方文档](https://help.aliyun.com/document_detail/53045.html)。
+  
+2. 当你初始化时候不传入 AccessKey 和 AccessKey Secret 时，会使用[默认凭据链进行登录](https://www.alibabacloud.com/help/zh/sdk/developer-reference/v2-manage-python-access-credentials#62bf90d04dztq)
+   1. 如果环境变量 中的ALIBABA_CLOUD_ACCESS_KEY_ID 和 ALIBABA_CLOUD_ACCESS_KEY_SECRET均存在且非空，则使用它们作为默认凭据。
+   2. 如果同时设置了ALIBABA_CLOUD_ACCESS_KEY_ID、ALIBABA_CLOUD_ACCESS_KEY_SECRET和ALIBABA_CLOUD_SECURITY_TOKEN，则使用STS Token作为默认凭据。
+   
+3.  **RAM 授权 (重要)**：
+    *   与 AccessKey 关联的 RAM 用户或角色**必须**被授予访问相关云服务所需的权限。
+    *   **强烈建议遵循"最小权限原则"**：仅授予运行您计划使用的 MCP 工具所必需的最小权限集，以降低安全风险。
+    *   根据您需要使用的工具，参考以下文档进行权限配置：
+        *   **日志服务 (SLS)**：如果您需要使用 `sls_*` 相关工具，请参考 [日志服务权限说明](https://help.aliyun.com/zh/sls/overview-8)，并授予必要的读取、查询等权限。
+        *   **应用实时监控服务 (ARMS)**：如果您需要使用 `arms_*` 相关工具，请参考 [ARMS 权限说明](https://help.aliyun.com/zh/arms/security-and-compliance/overview-8?scm=20140722.H_74783._.OR_help-T_cn~zh-V_1)，并授予必要的查询权限。
+    *   请根据您的实际应用场景，精细化配置所需权限。
+
+### 安全与部署建议
+
+请务必关注以下安全事项和部署最佳实践：
+
+1.  **密钥安全**：
+    *   本 MCP Server 在运行时会使用您提供的 AccessKey 调用阿里云 OpenAPI，但**不会以任何形式存储您的 AccessKey**，也不会将其用于设计功能之外的任何其他用途。
+
+2.  **访问控制 (关键)**：
+    *   当您选择通过 **SSE (Server-Sent Events) 协议** 访问 MCP Server 时，**您必须自行负责该服务接入点的访问控制和安全防护**。
+    *   **强烈建议**将 MCP Server 部署在**内部网络或受信环境**中，例如您的私有 VPC (Virtual Private Cloud) 内，避免直接暴露于公共互联网。
+    *   推荐的部署方式是使用**阿里云函数计算 (FC)**，并配置其网络设置为**仅 VPC 内访问**，以实现网络层面的隔离和安全。
+    *   **注意**：**切勿**在没有任何身份验证或访问控制机制的情况下，将配置了您 AccessKey 的 MCP Server SSE 端点暴露在公共互联网上，这会带来极高的安全风险。
+
 ### 使用说明
 
+
 在使用 MCP Server 之前，需要先获取阿里云的 AccessKeyId 和 AccessKeySecret，请参考 [阿里云 AccessKey 管理](https://help.aliyun.com/document_detail/53045.html)
 
 
@@ -64,25 +98,31 @@
 ```bash
 pip install mcp-server-aliyun-observability
 ```
-安装之后，直接运行即可，运行命令如下：
+1. 安装之后，直接运行即可，运行命令如下：
 
 ```bash
 python -m mcp_server_aliyun_observability --transport sse --access-key-id <your_access_key_id> --access-key-secret <your_access_key_secret>
 ```
 可通过命令行传递指定参数:
 - `--transport` 指定传输方式，可选值为 `sse` 或 `stdio`，默认值为 `stdio`
-- `--access-key-id` 指定阿里云 AccessKeyId
-- `--access-key-secret` 指定阿里云 AccessKeySecret
+- `--access-key-id` 指定阿里云 AccessKeyId，不指定时会使用环境变量中的ALIBABA_CLOUD_ACCESS_KEY_ID
+- `--access-key-secret` 指定阿里云 AccessKeySecret，不指定时会使用环境变量中的ALIBABA_CLOUD_ACCESS_KEY_SECRET
 - `--log-level` 指定日志级别，可选值为 `DEBUG`、`INFO`、`WARNING`、`ERROR`，默认值为 `INFO`
 - `--transport-port` 指定传输端口，默认值为 `8000`,仅当 `--transport` 为 `sse` 时有效
 
-
-
+2. 使用uv 命令启动
+   
+```bash
+uv run mcp-server-aliyun-observability 
+```
 ### 从源码安装
 
 ```bash
+
 # clone 源码
-cd src/mcp_server_aliyun_observability
+git clone [email protected]:aliyun/alibabacloud-observability-mcp-server.git
+# 进入源码目录
+cd alibabacloud-observability-mcp-server
 # 安装
 pip install -e .
 # 运行
@@ -91,7 +131,62 @@ python -m mcp_server_aliyun_observability --transport sse --access-key-id <your_
 
 
 ### AI 工具集成
+
 > 以 SSE 启动方式为例,transport 端口为 8888,实际使用时需要根据实际情况修改
+
+#### Cursor，Cline 等集成
+1. 使用 SSE 启动方式
+```json
+{
+  "mcpServers": {
+    "alibaba_cloud_observability": {
+      "url": "http://localhost:7897/sse"
+        }
+  }
+}
+```
+2. 使用 stdio 启动方式
+   直接从源码目录启动,注意
+    1. 需要指定 `--directory` 参数,指定源码目录，最好是绝对路径
+    2. uv命令 最好也使用绝对路径，如果使用了虚拟环境，则需要使用虚拟环境的绝对路径
+```json
+{
+  "mcpServers": {
+    "alibaba_cloud_observability": {
+      "command": "uv",
+      "args": [
+        "--directory",
+        "/path/to/your/alibabacloud-observability-mcp-server",
+        "run",
+        "mcp-server-aliyun-observability"
+      ],
+      "env": {
+        "ALIBABA_CLOUD_ACCESS_KEY_ID": "<your_access_key_id>",
+        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": "<your_access_key_secret>"
+      }
+    }
+  }
+}
+```
+1. 使用 stdio 启动方式-从 module 启动
+```json
+{
+  "mcpServers": {
+    "alibaba_cloud_observability": {
+      "command": "uv",
+      "args": [
+        "run",
+        "mcp-server-aliyun-observability"
+      ],
+      "env": {
+        "ALIBABA_CLOUD_ACCESS_KEY_ID": "<your_access_key_id>",
+        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": "<your_access_key_secret>"
+      }
+    }
+  }
+}
+```
+
 #### Cherry Studio集成
 
 ![image](./images/cherry_studio_inter.png)

pyproject.toml

@@ -9,6 +9,7 @@ dependencies = [
     "pydantic>=2.10.0",
     "alibabacloud_arms20190808==8.0.0",
     "alibabacloud_sls20201230==5.7.0",
+    "alibabacloud_credentials>=1.0.1",
     "tenacity>=8.0.0",
 ]
 

requirements.txt

@@ -1,9 +1,9 @@
 mcp>=1.3.0
 pydantic>=2.10.0
 alibabacloud_arms20190808>=8.0.0
-alibabacloud_sls20201230>=5.7.0
+alibabacloud_credentials>=1.0.1
 tenacity>=8.0.0
 pytest>=7.0.0
 pytest-asyncio>=0.21.0
 pytest-cov>=4.0.0
-pytest-mock>=3.10.0 
+pytest-mock>=3.10.0 

src/mcp_server_aliyun_observability/__init__.py

@@ -5,6 +5,7 @@
 import dotenv
 
 from mcp_server_aliyun_observability.server import server
+from mcp_server_aliyun_observability.utils import CredentialWrapper
 
 dotenv.load_dotenv()
 
@@ -14,22 +15,22 @@
     "--access-key-id",
     type=str,
     help="aliyun access key id",
-    default=lambda: os.environ.get("ALIYUN_ACCESS_KEY_ID"),
+    required=False,
 )
 @click.option(
     "--access-key-secret",
     type=str,
     help="aliyun access key secret",
-    default=lambda: os.environ.get("ALIYUN_ACCESS_KEY_SECRET"),
+    required=False,
 )
 @click.option(
     "--transport", type=str, help="transport type. stdio or sse", default="stdio"
 )
 @click.option("--log-level", type=str, help="log level", default="INFO")
 @click.option("--transport-port", type=int, help="transport port", default=8000)
 def main(access_key_id, access_key_secret, transport, log_level, transport_port):
-    if not access_key_id or not access_key_secret:
-        raise click.UsageError(
-            "access_key_id and access_key_secret are required, please set them in environment variables or command line arguments"
-        )
-    server(access_key_id, access_key_secret, transport, log_level, transport_port)
+    if access_key_id and access_key_secret:
+        credential = CredentialWrapper(access_key_id, access_key_secret)
+    else:
+        credential = None
+    server(credential, transport, log_level, transport_port)

src/mcp_server_aliyun_observability/server.py

@@ -1,6 +1,7 @@
 from contextlib import asynccontextmanager
-from typing import AsyncIterator
+from typing import AsyncIterator, Optional
 
+from alibabacloud_credentials.client import Client as CredClient
 from mcp.server import FastMCP
 from mcp.server.fastmcp import FastMCP
 
@@ -9,15 +10,16 @@
 from mcp_server_aliyun_observability.toolkit.util_toolkit import UtilToolkit
 from mcp_server_aliyun_observability.utils import (
     ArmsClientWrapper,
+    CredentialWrapper,
     SLSClientWrapper,
 )
 
 
-def create_lifespan(access_key_id: str, access_key_secret: str):
+def create_lifespan(credential: Optional[CredentialWrapper] = None):
     @asynccontextmanager
     async def lifespan(fastmcp: FastMCP) -> AsyncIterator[dict]:
-        sls_client = SLSClientWrapper(access_key_id, access_key_secret)
-        arms_client = ArmsClientWrapper(access_key_id, access_key_secret)
+        sls_client = SLSClientWrapper(credential)
+        arms_client = ArmsClientWrapper(credential)
         yield {
             "sls_client": sls_client,
             "arms_client": arms_client,
@@ -27,15 +29,14 @@ async def lifespan(fastmcp: FastMCP) -> AsyncIterator[dict]:
 
 
 def init_server(
-    access_key_id: str,
-    access_key_secret: str,
+    credential: Optional[CredentialWrapper] = None,
     log_level: str = "INFO",
     transport_port: int = 8000,
 ):
     """initialize the global mcp server instance"""
     mcp_server = FastMCP(
         name="mcp_aliyun_observability_server",
-        lifespan=create_lifespan(access_key_id, access_key_secret),
+        lifespan=create_lifespan(credential),
         log_level=log_level,
         port=transport_port,
     )
@@ -46,13 +47,12 @@ def init_server(
 
 
 def server(
-    access_key_id: str,
-    access_key_secret: str,
-    transport: str,
-    log_level: str,
-    transport_port: int,
+    credential: Optional[CredentialWrapper] = None,
+    transport: str = "stdio",
+    log_level: str = "INFO",
+    transport_port: int = 8000,
 ):
     server: FastMCP = init_server(
-        access_key_id, access_key_secret, log_level, transport_port
+        credential, log_level, transport_port
     )
     server.run(transport)

src/mcp_server_aliyun_observability/utils.py

@@ -1,22 +1,14 @@
 import hashlib
 import logging
 from functools import wraps
-from typing import (
-    Any,
-    Callable,
-    Optional,
-    TypeVar,
-    cast,
-)
+from typing import Any, Callable, Optional, TypeVar, cast
 
 from alibabacloud_arms20190808.client import Client as ArmsClient
+from alibabacloud_credentials.client import Client as CredClient
 from alibabacloud_sls20201230.client import Client
 from alibabacloud_sls20201230.client import Client as SLSClient
-from alibabacloud_sls20201230.models import (
-    CallAiToolsRequest,
-    CallAiToolsResponse,
-    IndexJsonKey,
-)
+from alibabacloud_sls20201230.models import (CallAiToolsRequest,
+                                             CallAiToolsResponse, IndexJsonKey)
 from alibabacloud_tea_openapi import models as open_api_models
 from alibabacloud_tea_util import models as util_models
 from mcp.server.fastmcp import Context
@@ -26,23 +18,40 @@
 
 logger = logging.getLogger(__name__)
 
-
-class SLSClientWrapper:
+class CredentialWrapper:
     """
-    A wrapper for aliyun client
+    A wrapper for aliyun credentials
     """
 
+    access_key_id: str
+    access_key_secret: str
+
     def __init__(self, access_key_id: str, access_key_secret: str):
         self.access_key_id = access_key_id
         self.access_key_secret = access_key_secret
+    
+    
+    
+class SLSClientWrapper:
+    """
+    A wrapper for aliyun client
+    """
+
+    def __init__(self, credential: Optional[CredentialWrapper] = None):
+        self.credential = credential
+    
 
     def with_region(
         self, region: str = None, endpoint: Optional[str] = None
     ) -> SLSClient:
-        config = open_api_models.Config(
-            access_key_id=self.access_key_id,
-            access_key_secret=self.access_key_secret,
-        )
+        if self.credential:
+            config = open_api_models.Config(
+                access_key_id=self.credential.access_key_id,
+                access_key_secret=self.credential.access_key_secret,
+            )
+        else:
+            credentialsClient = CredClient()
+            config = open_api_models.Config(credential=credentialsClient)
         config.endpoint = f"{region}.log.aliyuncs.com"
         return SLSClient(config)
 
@@ -52,15 +61,18 @@ class ArmsClientWrapper:
     A wrapper for aliyun arms client
     """
 
-    def __init__(self, access_key_id: str, access_key_secret: str):
-        self.access_key_id = access_key_id
-        self.access_key_secret = access_key_secret
+    def __init__(self, credential: Optional[CredentialWrapper] = None):
+        self.credential = credential
 
     def with_region(self, region: str, endpoint: Optional[str] = None) -> ArmsClient:
-        config = open_api_models.Config(
-            access_key_id=self.access_key_id,
-            access_key_secret=self.access_key_secret,
-        )
+        if self.credential:
+            config = open_api_models.Config(
+                access_key_id=self.credential.access_key_id,
+                access_key_secret=self.credential.access_key_secret,
+            )
+        else:
+            credentialsClient = CredClient()
+            config = open_api_models.Config(credential=credentialsClient)
         config.endpoint = endpoint or f"arms.{region}.aliyuncs.com"
         return ArmsClient(config)
 
@@ -180,3 +192,4 @@ def text_to_sql(
     except Exception as e:
         logger.error(f"调用SLS AI工具失败: {str(e)}")
         raise
+