Overview
Annie can execute read-only cloud CLI commands against your live infrastructure during investigations and chat sessions. This complements the knowledge graph: the graph maps relationships and topology, while live queries verify live state in real time.Setup
Live queries are enabled per credential from the credential list in your cloud integration settings. For each connected AWS role, AWS IAM user, GCP service account, or Azure credential, a toggle controls whether Annie can run live queries with it.1
2
Open your cloud integration settings
Go to Integrations and select the cloud provider (AWS, GCP, or Azure).
3
Enable the toggle
On the credentials list page, toggle “Read-Only Agentic Live Queries” for each credential you want to enable. This grants Annie permission to run allowlisted CLI commands using that specific credential.
4
Annie is ready
Annie uses the enabled credentials for live query operations during investigations and chat sessions. No restart or configuration reload needed.
Security
Every CLI command Annie can execute is explicitly allowlisted. If a command is not on the allowlist, it is rejected.- Strict allowlisting: Only explicitly reviewed and approved commands can run. Unknown commands are blocked by default.
- Read-only operations only: The allowlist includes only
describe,list,get, andshowcommands. Nocreate,update,delete, orterminateoperations are permitted. - Pagination limits: Commands returning large datasets enforce pagination via
--max-itemsor--topto prevent runaway queries and excessive costs. - Restricted utility flags: Tools like
curlanddighave a strict subset of allowed flags. For example,curlcan only access HTTPS URLs and cannot send custom headers.
Annie cannot modify your infrastructure through CLI commands. All access is strictly read-only. If a command isn’t on the allowlist, it’s rejected with a clear error and Annie falls back to the knowledge graph.
Reference
What gets validated
What gets validated
Every command goes through multiple validation checks before execution:
How credentials work
How credentials work
Annie uses the cloud credentials you’ve already configured in Anyshift, only those with “Read-Only Agentic Live Queries” enabled. The same credentials used for infrastructure graph ingestion are reused for live queries.
- Credential selection: When Annie runs a CLI command, she selects the appropriate credential set for the target account. With multiple enabled accounts (e.g.,
prod-aws,staging-gcp,azure-prod), she picks the one relevant to the investigation. - Secure injection: Credentials are injected server-side into the command execution environment. They are never exposed to the AI model, never logged, and never included in responses.
When does Annie use live queries?
When does Annie use live queries?
Annie uses cloud CLI commands when she needs information beyond what the knowledge graph snapshot provides.
- Live state verification: During an RCA, Annie found EC2 instance
i-0abc123in the graph but runsaws ec2 describe-instance-statusto confirm it’s still running and healthy, catching stale snapshots or recent changes. - Resource enumeration: For “How many Lambda functions do we have in production?”, Annie runs
aws lambda list-functionsfor an accurate real-time count. CLI is often more direct than a graph query for counts and listings. - Operational diagnostics: Seeing connection timeouts in logs, Annie uses
digandcurlto verify DNS resolution and endpoint reachability, useful when logs reference external dependencies or network issues. - Configuration verification: Investigating a flagged security group change, Annie runs
aws ec2 describe-security-groupsto compare current rules against what the graph recorded. - Load balancer health: On 5xx alerts from an ALB, Annie checks
aws elbv2 describe-target-healthfor unhealthy targets and correlates with ECS task status viaaws ecs describe-tasks, then traces the issue using the graph’s dependency map. - Azure metrics & monitoring: For a high-CPU Azure VM, Annie runs
az monitor metrics listfor latest values andaz monitor metrics alert listto check firing alert rules. - Azure Container App logs: Investigating errors in an Azure Container App, Annie pulls recent console output with
az containerapp logs show --tailand, when logs are forwarded to Log Analytics, queries them historically withaz monitor log-analytics query.
Supported AWS CLI operations
Supported AWS CLI operations
Compute
Networking
Storage & Databases
Identity & Security
Monitoring & Events
Supported Google Cloud CLI (gcloud) operations
Supported Google Cloud CLI (gcloud) operations
Compute & Containers
Networking
Databases
Storage & Data
Identity & Projects
Monitoring & Logging
Supported Azure CLI operations
Supported Azure CLI operations
Monitoring & Diagnostics
Compute
Networking
Storage & Databases
Resource Discovery
Azure supports both Service Principal (client secret) and Workload Identity Federation (OIDC) authentication. Both work with live queries. See the Azure integration guide for setup.
Utility tools
Utility tools
Alongside cloud CLIs, Annie has access to utility tools for diagnostics and data processing:
Get Started
Create Account
Sign up for Anyshift and connect your cloud accounts
Request Demo
See Annie’s live query capabilities in action