Skip to main content

Overview

Annie can execute read-only cloud CLI commands against your live infrastructure during investigations and chat sessions. This complements the knowledge graph: the graph maps relationships and topology, while live queries verify live state in real time.

Setup

Live queries are enabled per credential from the credential list in your cloud integration settings. For each connected AWS role, AWS IAM user, GCP service account, or Azure credential, a toggle controls whether Annie can run live queries with it.
1

Connect your cloud account

Connect via the existing integrations: AWS (IAM Assume Role or IAM User), GCP (Service Account), or Azure (Service Principal or Workload Identity Federation).
2

Open your cloud integration settings

Go to Integrations and select the cloud provider (AWS, GCP, or Azure).
3

Enable the toggle

On the credentials list page, toggle “Read-Only Agentic Live Queries” for each credential you want to enable. This grants Annie permission to run allowlisted CLI commands using that specific credential.
4

Annie is ready

Annie uses the enabled credentials for live query operations during investigations and chat sessions. No restart or configuration reload needed.
You can enable live queries on some credentials and not others. For example, enable it on your production AWS role for incident investigation but leave it off on staging credentials.

Security

Every CLI command Annie can execute is explicitly allowlisted. If a command is not on the allowlist, it is rejected.
  • Strict allowlisting: Only explicitly reviewed and approved commands can run. Unknown commands are blocked by default.
  • Read-only operations only: The allowlist includes only describe, list, get, and show commands. No create, update, delete, or terminate operations are permitted.
  • Pagination limits: Commands returning large datasets enforce pagination via --max-items or --top to prevent runaway queries and excessive costs.
  • Restricted utility flags: Tools like curl and dig have a strict subset of allowed flags. For example, curl can only access HTTPS URLs and cannot send custom headers.
Annie cannot modify your infrastructure through CLI commands. All access is strictly read-only. If a command isn’t on the allowlist, it’s rejected with a clear error and Annie falls back to the knowledge graph.

Reference

Every command goes through multiple validation checks before execution:
Annie uses the cloud credentials you’ve already configured in Anyshift, only those with “Read-Only Agentic Live Queries” enabled. The same credentials used for infrastructure graph ingestion are reused for live queries.
  • Credential selection: When Annie runs a CLI command, she selects the appropriate credential set for the target account. With multiple enabled accounts (e.g., prod-aws, staging-gcp, azure-prod), she picks the one relevant to the investigation.
  • Secure injection: Credentials are injected server-side into the command execution environment. They are never exposed to the AI model, never logged, and never included in responses.
Annie uses cloud CLI commands when she needs information beyond what the knowledge graph snapshot provides.
  • Live state verification: During an RCA, Annie found EC2 instance i-0abc123 in the graph but runs aws ec2 describe-instance-status to confirm it’s still running and healthy, catching stale snapshots or recent changes.
  • Resource enumeration: For “How many Lambda functions do we have in production?”, Annie runs aws lambda list-functions for an accurate real-time count. CLI is often more direct than a graph query for counts and listings.
  • Operational diagnostics: Seeing connection timeouts in logs, Annie uses dig and curl to verify DNS resolution and endpoint reachability, useful when logs reference external dependencies or network issues.
  • Configuration verification: Investigating a flagged security group change, Annie runs aws ec2 describe-security-groups to compare current rules against what the graph recorded.
  • Load balancer health: On 5xx alerts from an ALB, Annie checks aws elbv2 describe-target-health for unhealthy targets and correlates with ECS task status via aws ecs describe-tasks, then traces the issue using the graph’s dependency map.
  • Azure metrics & monitoring: For a high-CPU Azure VM, Annie runs az monitor metrics list for latest values and az monitor metrics alert list to check firing alert rules.
  • Azure Container App logs: Investigating errors in an Azure Container App, Annie pulls recent console output with az containerapp logs show --tail and, when logs are forwarded to Log Analytics, queries them historically with az monitor log-analytics query.
ComputeNetworkingStorage & DatabasesIdentity & SecurityMonitoring & Events
Compute & ContainersNetworkingDatabasesStorage & DataIdentity & ProjectsMonitoring & Logging
Monitoring & DiagnosticsComputeNetworkingStorage & DatabasesResource Discovery
Azure supports both Service Principal (client secret) and Workload Identity Federation (OIDC) authentication. Both work with live queries. See the Azure integration guide for setup.
Alongside cloud CLIs, Annie has access to utility tools for diagnostics and data processing:

Get Started

Create Account

Sign up for Anyshift and connect your cloud accounts

Request Demo

See Annie’s live query capabilities in action