Overview
Annie can execute read-only cloud CLI commands against your live infrastructure during investigations and chat sessions. This complements the knowledge graph: while the graph maps relationships and topology, CLI commands verify live state in real time.
Enable CLI Access
CLI access is enabled per credential from your cloud integration settings. For each AWS role, AWS IAM user, or GCP service account you have connected, you can choose whether Annie is allowed to run CLI commands with those credentials.
Go to your cloud integration settings
Navigate to Integrations and select the cloud credential you want to configure (AWS or GCP).
Enable the toggle
On the credential edit page, toggle “Allow read-only CLI access” to on. This grants Annie permission to run allowlisted CLI commands using this specific credential.
When Does Annie Use CLI Commands?
Annie decides to use cloud CLI commands when she needs information that goes beyond what the knowledge graph snapshot provides. Here are common scenarios:
Live State Verification
During an RCA, Annie found an EC2 instance i-0abc123 in the knowledge graph but needs to check whether it is still running and healthy. She runs aws ec2 describe-instance-status to verify that the current state matches what the graph shows, catching cases where the graph snapshot is stale or a resource was recently modified. Note that describe-instance-status reports only running instances by default, so an empty result for i-0abc123 means the instance is stopped or gone, not that the check failed.
Resource Enumeration
A user asks “How many Lambda functions do we have in production?” Annie runs aws lambda list-functions to get an accurate real-time count rather than relying on the last graph snapshot. For simple counts and listings, the CLI is often more direct than a graph query.
Operational Diagnostics
During an incident, Annie sees connection timeout errors in application logs. She uses dig and curl to verify DNS resolution and endpoint reachability, something monitoring dashboards cannot directly check. This is especially useful when logs reference external dependencies or network issues that need verification beyond what observability tools show.
Configuration Verification
Annie is investigating a security group change flagged by the knowledge graph. She runs aws ec2 describe-security-groups to compare the current rules against what the graph recorded, confirming whether a recent change caused the issue.
Load Balancer Health
An alert reports 5xx errors from an ALB. Annie checks aws elbv2 describe-target-health to identify which targets are unhealthy and correlates with ECS task status via aws ecs describe-tasks. By combining live health data with the knowledge graph’s dependency map, Annie can trace the issue from the load balancer down to the root cause.
How Credentials Work
Annie uses the cloud credentials you have already configured in Anyshift, and only those with “Allow read-only CLI access” enabled.
Enable CLI access
On the credential’s edit page, toggle “Allow read-only CLI access” to on. Only credentials with this toggle enabled are available for CLI operations.
Annie selects the right credentials
When Annie needs to run a CLI command, she selects the appropriate credential set for the target account. If you have multiple CLI-enabled accounts (e.g., prod-aws, staging-gcp), Annie picks the one relevant to the investigation.
| Cloud Provider | Credential Type | What’s Used |
|---|---|---|
| AWS | IAM Assume Role / IAM User | Temporary STS credentials (access key, secret key, session token) |
| GCP | Service Account | Short-lived access token + project ID |
| Azure | Azure CLI auth | Coming soon |
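The toggle and the allowlist are enforced on Annie’s side; the role or service account you connect is the matching control on the cloud side, and a practitioner will want to confirm it cannot do more than describe, list and get even if the allowlist were somehow bypassed. The Python below is an added example, not Anyshift’s or Annie’s code: it audits an AWS IAM policy document for grants that exceed read-only. The sample policy, the set of data-plane "Get" actions it treats as sensitive, and the function names are assumptions for illustration; it covers only the AWS policy format, not GCP IAM bindings.

```python
"""Audit an IAM policy document for grants that are not read-only
(added example, not Anyshift's code).  The sample policy and the action
sets are constructed for the example."""
import fnmatch
from typing import List, Optional

READ_VERBS = ("Describe", "List", "Get")

# "Get" actions that return customer data or mint credentials rather than
# describing configuration; a read-only diagnostic role should not carry them.
DATA_OR_CREDENTIAL_GETS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "dynamodb:GetItem",
    "sts:GetSessionToken", "sts:GetFederationToken",
}


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_action(action: str) -> Optional[str]:
    """Return a finding for one Action entry, or None when it is read-only."""
    if action == "*":
        return "'*' grants every action on every service"
    if ":" not in action:
        return f"malformed action {action!r}"
    _service, verb = action.split(":", 1)
    if verb == "*":
        return f"{action}: service-wide wildcard includes write actions"
    # Match wildcards against the data-plane list so that s3:Get* is caught,
    # not only the literal s3:GetObject.  IAM matches case-insensitively.
    hits = sorted(a for a in DATA_OR_CREDENTIAL_GETS
                  if fnmatch.fnmatchcase(a.lower(), action.lower()))
    if hits:
        return f"{action}: matches data or credential read {', '.join(hits)}"
    prefix = verb.split("*", 1)[0]  # literal part before any wildcard
    if not prefix.startswith(READ_VERBS):
        return f"{action}: not a describe/list/get action"
    return None


def audit_policy(policy: dict) -> List[str]:
    """Return one finding per Allow grant that exceeds read-only access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            finding = _check_action(action)
            if finding:
                findings.append(f"statement {i}: {finding}")
    return findings


# Constructed sample: a diagnostic role that has accumulated two bad grants.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                    "lambda:List*", "lambda:GetFunction", "sts:GetCallerIdentity"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::example-app-logs/*",
         "Action": "s3:GetObject"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "iam:*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Run against SAMPLE_POLICY it reports three findings: the s3:GetObject data-plane read, the ec2:TerminateInstances write, and the iam:* wildcard; the final Deny is ignored because a Deny never widens access. Feed it the output of aws iam get-policy-version for each policy attached to the connected role to audit a real credential.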
The Whitelist — Security by Design
Every CLI command Annie can execute is explicitly allowlisted. This is a strict security model: if a command is not on the allowlist, it is rejected.
How It Works
- Strict allowlisting: Only commands that have been explicitly reviewed and approved can run. Unknown commands are blocked by default.
- Read-only operations only: The allowlist only includes describe, list, and get commands. No create, update, delete, or terminate operations are permitted.
- Pagination limits: Commands that return large datasets enforce pagination via --max-items to prevent runaway queries and excessive costs.
- Restricted utility flags: Tools like curl and dig have a strict subset of allowed flags. For example, curl can only access HTTPS URLs and cannot send custom headers.
What Gets Validated
Every command goes through multiple validation checks before execution:
| Validation | What It Checks | Example |
|---|---|---|
| Binary | The tool must have a registered validator | rm, chmod, wget → rejected |
| Command | The specific subcommand must be allowlisted | aws ec2 terminate-instances → rejected |
| Flags | Every flag must be explicitly permitted | curl -H "Authorization: ..." → rejected |
| URLs | Must be HTTPS; internal hosts and cloud metadata endpoints are blocked, so Annie cannot be used as an SSRF proxy into the instance metadata service | curl http://169.254.169.254/ → rejected |
| Pagination | Large-output commands must include limits | aws ec2 describe-instances without --max-items → enforced |
Annie cannot modify your infrastructure through CLI commands. All access is strictly read-only. If a command is not on the allowlist, it is rejected with a clear error and Annie falls back to the knowledge graph. The allowlist is enforced on Annie’s side; the IAM role or service account you connect should still be scoped to read-only permissions so that the two controls back each other up. Read-only access still returns data: commands such as filter-log-events and get-serial-port-output expose whatever those logs contain, so connect only credentials for accounts you want Annie to inspect.
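The table above lists the checks; the Python below is an added example, not Anyshift’s implementation, that applies the same five checks (binary, subcommand, flags, URL, pagination) against a small hypothetical allowlist covering a few aws subcommands and curl. The allowlist contents, the flag sets and the function names are assumptions. It goes slightly past the table in two places: a URL such as https://169.254.169.254/ is rejected by address class, not only by scheme, and a missing --max-items is appended rather than rejected, which is what the “enforced” outcome in the table means.

```python
"""Allowlist validator for read-only CLI commands (added example, not
Anyshift's code).  Implements the five checks from the table above against a
small hypothetical allowlist.  Anything it accepts should be run as an argv
list with subprocess.run(argv), never shell=True, so that values are not
interpreted by a shell."""
import ipaddress
import shlex
from typing import List, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist: (service, subcommand) -> flags permitted for it.
ALLOWED_AWS = {
    ("ec2", "describe-instances"): {"--instance-ids", "--filters", "--max-items",
                                    "--region", "--output", "--query"},
    ("ec2", "describe-security-groups"): {"--group-ids", "--filters", "--max-items",
                                          "--region", "--output", "--query"},
    ("elbv2", "describe-target-health"): {"--target-group-arn", "--region", "--output"},
    ("sts", "get-caller-identity"): {"--region", "--output", "--query"},
}
PAGINATED = {("ec2", "describe-instances"), ("ec2", "describe-security-groups")}
DEFAULT_MAX_ITEMS = "100"

# curl: boolean switches and flags taking one value.  Deliberately absent:
# -H/-d/-X (headers, bodies, methods), -o (writes files), -L (a redirect
# could land on an internal host), -w (an @file value reads local files).
CURL_SWITCHES = {"-s", "-S", "-I", "--head", "-v"}
CURL_VALUED = {"-m", "--max-time"}
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

Result = Tuple[bool, object]  # (True, argv) or (False, reason)


def _url_ok(url: str) -> Tuple[bool, str]:
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False, "only https:// URLs with a host are allowed"
    host = p.hostname
    if host in BLOCKED_HOSTS or host.endswith(".internal"):
        return False, f"internal host {host!r} is blocked"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: in production resolve it and re-check the address,
        # otherwise a name that points at 169.254.169.254 slips through.
        return True, ""
    if not ip.is_global:  # loopback, RFC1918, link-local (IMDS), CGNAT, ...
        return False, f"non-public address {host} is blocked"
    return True, ""


def _validate_aws(argv: List[str]) -> Result:
    if len(argv) < 3:
        return False, "aws commands need a service and a subcommand"
    key = (argv[1], argv[2])
    allowed = ALLOWED_AWS.get(key)
    if allowed is None:
        return False, f"aws {key[0]} {key[1]} is not allowlisted"
    seen = set()
    for tok in argv[3:]:
        if tok.startswith("-"):
            flag = tok.split("=", 1)[0]  # also accept --flag=value
            if flag not in allowed:
                return False, f"flag {flag!r} not permitted for aws {key[0]} {key[1]}"
            seen.add(flag)
        elif not seen:  # a bare word before any flag is never valid here
            return False, f"unexpected positional argument {tok!r}"
    out = list(argv)
    if key in PAGINATED and "--max-items" not in seen:
        out += ["--max-items", DEFAULT_MAX_ITEMS]  # enforce rather than reject
    return True, out


def _validate_curl(argv: List[str]) -> Result:
    urls, i = [], 1
    while i < len(argv):
        tok = argv[i]
        if tok in CURL_SWITCHES:
            i += 1
        elif tok in CURL_VALUED:
            if i + 1 >= len(argv):
                return False, f"{tok} needs a value"
            i += 2
        elif tok.startswith("-"):
            return False, f"curl flag {tok!r} is not permitted"
        else:
            urls.append(tok)
            i += 1
    if len(urls) != 1:
        return False, "exactly one URL is required"
    ok, why = _url_ok(urls[0])
    return (True, list(argv)) if ok else (False, why)


def validate(cmdline: str) -> Result:
    """Parse one command line; return (True, argv) or (False, reason)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] == "aws":  # binary check: only tools with a validator may run
        return _validate_aws(argv)
    if argv[0] == "curl":
        return _validate_curl(argv)
    return False, f"binary {argv[0]!r} has no validator"
```

Because the accepted result is an argv list and is executed without a shell, a line such as aws ec2 describe-instances; rm -rf / never reaches a shell: shlex keeps the semicolon attached to the subcommand token, which then fails the subcommand check. The one gap the comments flag is DNS: a hostname is accepted as written, so a deployment must resolve it and re-run the address check (or pin the resolved address) before curl connects.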
Supported Operations
AWS CLI
Compute
| Service | Commands |
|---|---|
| EC2 | describe-instances, describe-instance-status, describe-images, describe-volumes, describe-snapshots |
| ECS | list-clusters, describe-clusters, list-services, describe-services, list-tasks, describe-tasks, describe-task-definition |
| EKS | list-clusters, describe-cluster, list-nodegroups, describe-nodegroup, list-addons, describe-addon-versions |
| Lambda | list-functions, get-function, get-policy, list-event-source-mappings, get-function-concurrency, get-function-url-config, get-function-code-signing-config, list-provisioned-concurrency-configs |
Networking
| Service | Commands |
|---|---|
| EC2 (VPC) | describe-vpcs, describe-subnets, describe-security-groups, describe-route-tables, describe-nat-gateways, describe-internet-gateways, describe-network-interfaces |
| ELBv2 | describe-load-balancers, describe-listeners, describe-target-groups, describe-target-health |
| CloudFront | list-distributions, get-distribution |
| API Gateway | get-integration, get-stage |
Storage & Databases
| Service | Commands |
|---|---|
| S3 | ls |
| S3 API | list-buckets, get-bucket-encryption, get-bucket-lifecycle-configuration, get-bucket-policy, get-bucket-replication, get-bucket-versioning, get-public-access-block |
| RDS | describe-db-instances, describe-db-clusters, describe-db-log-files |
| DynamoDB | describe-table, describe-continuous-backups, describe-time-to-live |
| ElastiCache | describe-cache-clusters, describe-replication-groups |
Identity & Security
| Service | Commands |
|---|---|
| IAM | list-roles, list-users, list-policies, list-attached-role-policies, get-role, get-policy, get-account-summary |
| STS | get-caller-identity, get-access-key-info |
Monitoring & Events
| Service | Commands |
|---|---|
| CloudWatch | describe-alarms, describe-alarm-history, get-metric-statistics |
| CloudWatch Logs | describe-log-groups, describe-log-streams, filter-log-events |
| EventBridge | list-rules, describe-rule, list-targets-by-rule |
Google Cloud CLI (gcloud)
Compute & Containers
| Service | Commands |
|---|---|
| Compute Instances | list, describe, get-serial-port-output |
| Compute Disks | list, describe |
| Instance Groups | list, managed describe |
| GKE Clusters | list, describe |
| GKE Node Pools | list |
| Cloud Run Services | list, describe |
| Cloud Run Revisions | list |
Networking
| Service | Commands |
|---|---|
| Networks | list, peerings list, subnets list |
| Firewall Rules | list |
| Forwarding Rules | list |
| Routes | list |
| Addresses | list |
| Backend Services | list, get-health |
Databases
| Service | Commands |
|---|---|
| Cloud SQL | instances list, instances describe, databases list, backups list, operations list |
| Spanner | instances list, instances describe, databases list, operations list |
| Memorystore (Redis) | instances list, instances describe |
Storage & Data
| Service | Commands |
|---|---|
| Cloud Storage | buckets list, buckets describe |
| Pub/Sub | topics list, subscriptions list, subscriptions describe |
| Dataproc | clusters list, clusters describe, jobs list |
Identity & Projects
| Service | Commands |
|---|---|
| Projects | list, describe, get-iam-policy |
| IAM Service Accounts | list, describe, keys list |
Monitoring & Logging
| Service | Commands |
|---|---|
| Monitoring | dashboards list, policies list |
| Logging | read |
Azure CLI
Azure CLI support is coming soon. The allowlist is currently being built.
Utility Tools
In addition to cloud CLIs, Annie has access to a set of utility tools for diagnostics and data processing:
| Tool | Purpose | Example Use Case |
|---|---|---|
| curl | HTTP endpoint checks (HTTPS only, no custom headers) | Check if an API endpoint is reachable and responding |
| dig | DNS lookups and diagnostics | Verify DNS resolution for a service endpoint during connectivity issues |
| jq | JSON processing and filtering | Parse and filter complex CLI output |
| yq | YAML processing | Parse Kubernetes manifests or configuration files |
| base64 | Encode/decode data | Decode base64-encoded configuration values |
| date | Date/time operations | Convert timestamps between formats during log analysis |
| openssl | Certificate inspection | Check TLS certificate expiry and chain validity |