Overview
Annie can execute read-only cloud CLI commands against your live infrastructure during investigations and chat sessions. This complements the knowledge graph — while the graph maps relationships and topology, live queries verify live state in real time.
Enable Live Queries
Live queries are enabled per credential from the credential list in your cloud integration settings. For each AWS role, AWS IAM user, GCP service account, or Azure credential you’ve connected, a toggle controls whether Annie is allowed to run live queries with those credentials.
Go to your cloud integration settings
Navigate to Integrations and select the cloud provider (AWS, GCP, or Azure).
Enable the toggle
On the credentials list page, toggle “Read-Only Agentic Live Queries” for the credential you want to enable. This grants Annie permission to run whitelisted CLI commands using this specific credential.
When Does Annie Use Live Queries?
Annie decides to use cloud CLI commands when she needs information that goes beyond what the knowledge graph snapshot provides. Here are common scenarios:
Live State Verification
During an RCA, Annie found an EC2 instance `i-0abc123` in the knowledge graph but needs to check if it’s still running and healthy. She runs `aws ec2 describe-instance-status` to verify the current state matches what the graph shows — catching cases where the graph snapshot is stale or a resource was recently modified.
Resource Enumeration
A user asks “How many Lambda functions do we have in production?” Annie runs `aws lambda list-functions` to get an accurate real-time count rather than relying on the last graph snapshot. For simple counts and listings, CLI is often more direct than a graph query.
Operational Diagnostics
During an incident, Annie sees connection timeout errors in application logs. She uses `dig` and `curl` to verify DNS resolution and endpoint reachability — something monitoring dashboards can’t directly check. This is especially useful when logs reference external dependencies or network issues that need verification beyond what observability tools show.
Configuration Verification
Annie is investigating a security group change flagged by the knowledge graph. She runs `aws ec2 describe-security-groups` to compare the current rules against what the graph recorded, confirming whether a recent change caused the issue.
Load Balancer Health
An alert reports 5xx errors from an ALB. Annie checks `aws elbv2 describe-target-health` to identify which targets are unhealthy and correlates with ECS task status via `aws ecs describe-tasks`. By combining live health data with the knowledge graph’s dependency map, Annie can trace the issue from the load balancer down to the root cause.
Azure Metrics & Monitoring
Annie needs to check real-time metrics for an Azure VM experiencing high CPU. She runs `az monitor metrics list` to pull the latest metric values and `az monitor metrics alert list` to check if any alert rules are firing. This provides live observability data that complements the infrastructure graph’s static view.
How Credentials Work
Annie uses the cloud credentials you’ve already configured in Anyshift — only those with “Read-Only Agentic Live Queries” enabled.
Enable live queries
On the credentials list page, toggle “Read-Only Agentic Live Queries” for each credential you want Annie to use.
Annie selects the right credentials
When Annie needs to run a CLI command, she selects the appropriate credential set for the target account. If you have multiple enabled accounts (e.g., `prod-aws`, `staging-gcp`, `azure-prod`), Annie picks the one relevant to the investigation.
| Cloud Provider | Credential Type | What’s Used |
|---|---|---|
| AWS | IAM Assume Role / IAM User | Temporary STS credentials (access key, secret key, session token) |
| GCP | Service Account | Short-lived access token + project ID |
| Azure | Service Principal | Per-execution az login with client secret via stdin |
| Azure | Workload Identity Federation (OIDC) | Per-execution az login with JWT federated token |
The Whitelist — Security by Design
Every CLI command Annie can execute is explicitly allowlisted. This is a strict security model — if a command is not on the allowlist, it is rejected.
How It Works
- Strict allowlisting: Only commands that have been explicitly reviewed and approved can run. Unknown commands are blocked by default.
- Read-only operations only: The allowlist only includes `describe`, `list`, `get`, and `show` commands. No `create`, `update`, `delete`, or `terminate` operations are permitted.
- Pagination limits: Commands that return large datasets enforce pagination via `--max-items` or `--top` to prevent runaway queries and excessive costs.
- Restricted utility flags: Tools like `curl` and `dig` have a strict subset of allowed flags — for example, `curl` can only access HTTPS URLs and cannot send custom headers.
What Gets Validated
Every command goes through multiple validation checks before execution:
| Validation | What It Checks | Example |
|---|---|---|
| Binary | The tool must have a registered validator | rm, chmod, wget → rejected |
| Command | The specific subcommand must be allowlisted | aws ec2 terminate-instances → rejected |
| Flags | Every flag must be explicitly permitted | curl -H "Authorization: ..." → rejected |
| URLs | Must be HTTPS, no internal/metadata endpoints | curl http://169.254.169.254/ → rejected |
| Pagination | Large-output commands must include limits | aws ec2 describe-instances without --max-items → enforced |
Annie cannot modify your infrastructure through CLI commands. All access is strictly read-only. If a command isn’t on the allowlist, it’s rejected with a clear error and Annie falls back to the knowledge graph.
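The validation pipeline described in the table above, as an added example in Python that is not Anyshift’s own code: a small allowlist validator that applies the five checks (binary, subcommand, flags, URL, pagination) to a command line and returns either a rejection reason or the argv that would actually run. The allowlist entries, the permitted flag sets, the blocked host rules and the injected default `--max-items 100` are constructed assumptions for illustration; the product’s real allowlist is the one listed under Supported Operations.

```python
"""Allowlist validator for agent-issued read-only CLI commands (added example, assumptions marked)."""
import ipaddress
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed fragment of an allowlist; the real tables are much longer.
AWS_ALLOWLIST = {
    "ec2": {"describe-instances", "describe-instance-status", "describe-security-groups"},
    "lambda": {"list-functions"},
    "elbv2": {"describe-target-health"},
}
AWS_ALLOWED_FLAGS = {"--region", "--output", "--query", "--max-items",
                     "--instance-ids", "--group-ids", "--filters"}
PAGINATED = {("ec2", "describe-instances"), ("lambda", "list-functions")}
DEFAULT_MAX_ITEMS = "100"                      # assumed default injected when a limit is missing
READ_ONLY_PREFIXES = ("describe-", "list-", "get-", "show-")

# curl: flag -> whether it consumes a following value. "-H" is deliberately absent (no custom headers).
CURL_FLAGS = {"-s": False, "-S": False, "-sS": False, "-I": False, "-L": False,
              "--max-time": True, "-o": True, "-w": True}
DIG_FLAGS = {"+short", "+trace", "+noall", "+answer"}
BLOCKED_HOST_SUFFIXES = (".internal", ".local")   # assumed: metadata / internal DNS names


@dataclass
class Verdict:
    allowed: bool
    argv: list          # argv that would be executed (pagination limit may have been added)
    reason: str = ""


def reject(argv, reason):
    return Verdict(False, argv, reason)


def validate_aws(argv):
    """Subcommand must be a read-only verb on the allowlist; flags must be permitted; limits enforced."""
    if len(argv) < 3:
        return reject(argv, "aws needs <service> <subcommand>")
    service, sub = argv[1], argv[2]
    if not sub.startswith(READ_ONLY_PREFIXES):
        return reject(argv, f"{sub}: not a read-only verb")
    if sub not in AWS_ALLOWLIST.get(service, set()):
        return reject(argv, f"aws {service} {sub}: not allowlisted")
    flags = [t.split("=", 1)[0] for t in argv[3:] if t.startswith("-")]
    for f in flags:
        if f not in AWS_ALLOWED_FLAGS:
            return reject(argv, f"flag {f} not permitted")
    out = list(argv)
    if (service, sub) in PAGINATED and "--max-items" not in flags:
        out += ["--max-items", DEFAULT_MAX_ITEMS]   # pagination is enforced, not optional
    return Verdict(True, out)


def url_is_safe(url):
    """HTTPS only, and never a loopback, link-local, private or internal host."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.scheme != "https" or not host:
        return False
    if host == "localhost" or host.endswith(BLOCKED_HOST_SUFFIXES):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True          # a DNS name: resolution is not checked here (see usage note)
    return not (ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved)


def validate_curl(argv):
    """Every flag must be in the permitted subset and every URL must pass url_is_safe()."""
    i, urls = 1, []
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            if tok not in CURL_FLAGS:
                return reject(argv, f"curl flag {tok} not permitted")
            i += 2 if CURL_FLAGS[tok] else 1
            continue
        urls.append(tok)
        i += 1
    if not urls:
        return reject(argv, "curl needs a URL")
    for u in urls:
        if not url_is_safe(u):
            return reject(argv, f"URL not allowed: {u}")
    return Verdict(True, list(argv))


def validate_dig(argv):
    for tok in argv[1:]:
        if tok.startswith(("-", "+")) and tok not in DIG_FLAGS:
            return reject(argv, f"dig option {tok} not permitted")
    return Verdict(True, list(argv))


VALIDATORS = {"aws": validate_aws, "curl": validate_curl, "dig": validate_dig}


def validate(command):
    """Binary check first: a tool without a registered validator is rejected outright."""
    argv = shlex.split(command)
    if not argv:
        return reject(argv, "empty command")
    validator = VALIDATORS.get(argv[0])
    if validator is None:
        return reject(argv, f"{argv[0]}: no registered validator")
    return validator(argv)


if __name__ == "__main__":
    for cmd in ["rm -rf /", "aws ec2 terminate-instances --instance-ids i-0abc123",
                'curl -H "Authorization: Bearer x" https://api.example.com/',
                "curl http://169.254.169.254/latest/meta-data/",
                "aws ec2 describe-instances --region us-east-1"]:
        v = validate(cmd)
        print(("ALLOW " + " ".join(v.argv)) if v.allowed else f"REJECT {cmd!r}: {v.reason}")
```

Two design points worth noting. First, the read-only verb check runs before the allowlist lookup, so a write verb such as `terminate-instances` is rejected even if someone later adds it to a service’s set by mistake. Second, `url_is_safe()` only inspects the literal host, so a public DNS name that resolves to an internal address is not caught at this layer; a production validator would additionally pin the resolved address or run the utility in a network namespace with no route to metadata or internal ranges.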
Supported Operations
AWS CLI
Compute
| Service | Commands |
|---|---|
| EC2 | describe-instances, describe-instance-status, describe-images, describe-volumes, describe-snapshots |
| ECS | list-clusters, describe-clusters, list-services, describe-services, list-tasks, describe-tasks, describe-task-definition |
| EKS | list-clusters, describe-cluster, list-nodegroups, describe-nodegroup, list-addons, describe-addon-versions |
| Lambda | list-functions, get-function, get-policy, list-event-source-mappings, get-function-concurrency, get-function-url-config, get-function-code-signing-config, list-provisioned-concurrency-configs |
Networking
| Service | Commands |
|---|---|
| EC2 (VPC) | describe-vpcs, describe-subnets, describe-security-groups, describe-route-tables, describe-nat-gateways, describe-internet-gateways, describe-network-interfaces |
| ELBv2 | describe-load-balancers, describe-listeners, describe-target-groups, describe-target-health |
| CloudFront | list-distributions, get-distribution |
| API Gateway | get-integration, get-stage |
Storage & Databases
| Service | Commands |
|---|---|
| S3 | ls |
| S3 API | list-buckets, get-bucket-encryption, get-bucket-lifecycle-configuration, get-bucket-policy, get-bucket-replication, get-bucket-versioning, get-public-access-block |
| RDS | describe-db-instances, describe-db-clusters, describe-db-log-files |
| DynamoDB | describe-table, describe-continuous-backups, describe-time-to-live |
| ElastiCache | describe-cache-clusters, describe-replication-groups |
Identity & Security
| Service | Commands |
|---|---|
| IAM | list-roles, list-users, list-policies, list-attached-role-policies, get-role, get-policy, get-account-summary |
| STS | get-caller-identity, get-access-key-info |
Monitoring & Events
| Service | Commands |
|---|---|
| CloudWatch | describe-alarms, describe-alarm-history, get-metric-statistics |
| CloudWatch Logs | describe-log-groups, describe-log-streams, filter-log-events |
| EventBridge | list-rules, describe-rule, list-targets-by-rule |
Google Cloud CLI (gcloud)
Compute & Containers
| Service | Commands |
|---|---|
| Compute Instances | list, describe, get-serial-port-output |
| Compute Disks | list, describe |
| Instance Groups | list, managed describe |
| GKE Clusters | list, describe |
| GKE Node Pools | list |
| Cloud Run Services | list, describe |
| Cloud Run Revisions | list |
Networking
| Service | Commands |
|---|---|
| Networks | list, peerings list, subnets list |
| Firewall Rules | list |
| Forwarding Rules | list |
| Routes | list |
| Addresses | list |
| Backend Services | list, get-health |
Databases
| Service | Commands |
|---|---|
| Cloud SQL | instances list, instances describe, databases list, backups list, operations list |
| Spanner | instances list, instances describe, databases list, operations list |
| Memorystore (Redis) | instances list, instances describe |
Storage & Data
| Service | Commands |
|---|---|
| Cloud Storage | buckets list, buckets describe |
| Pub/Sub | topics list, subscriptions list, subscriptions describe |
| Dataproc | clusters list, clusters describe, jobs list |
Identity & Projects
| Service | Commands |
|---|---|
| Projects | list, describe, get-iam-policy |
| IAM Service Accounts | list, describe, keys list |
Monitoring & Logging
| Service | Commands |
|---|---|
| Monitoring | dashboards list, policies list |
| Logging | read |
Azure CLI
Monitoring & Diagnostics
| Service | Commands |
|---|---|
| Monitor Metrics | list, list-definitions, list-namespaces |
| Monitor Alerts | alert list, alert show |
| Activity Log | list |
| Log Analytics | workspace list |
| Diagnostic Settings | list |
Compute
| Service | Commands |
|---|---|
| Virtual Machines | list, show |
| AKS | list, show, nodepool list |
Networking
| Service | Commands |
|---|---|
| Virtual Networks | vnet list |
| Network Security Groups | nsg list, nsg rule list |
| Public IPs | public-ip list |
Storage & Databases
| Service | Commands |
|---|---|
| Storage Accounts | account list |
| SQL Server | server list, server show |
| SQL Databases | db list |
| Cosmos DB | list |
Resource Discovery
| Service | Commands |
|---|---|
| Account | show, list |
| Resource Groups | list |
| Resources | list, show |
Azure supports both Service Principal (client secret) and Workload Identity Federation (OIDC) authentication. Both work with live queries — see the Azure integration guide for setup.
Utility Tools
In addition to cloud CLIs, Annie has access to a set of utility tools for diagnostics and data processing:
| Tool | Purpose | Example Use Case |
|---|---|---|
| curl | HTTP endpoint checks (HTTPS only, no custom headers) | Check if an API endpoint is reachable and responding |
| dig | DNS lookups and diagnostics | Verify DNS resolution for a service endpoint during connectivity issues |
| jq | JSON processing and filtering | Parse and filter complex CLI output |
| yq | YAML processing | Parse Kubernetes manifests or configuration files |
| base64 | Encode/decode data | Decode base64-encoded configuration values |
| date | Date/time operations | Convert timestamps between formats during log analysis |
| openssl | Certificate inspection | Check TLS certificate expiry and chain validity |