
# Read-Only Agentic Live Queries

> Annie can query your live cloud infrastructure using native CLI tools to verify state, diagnose issues, and enumerate resources in real time.

## Overview

Annie can execute **read-only cloud CLI commands** against your live infrastructure during investigations and chat sessions. This complements the [knowledge graph](/pages/overview/knowledge_graph): the graph maps relationships and topology, while live queries verify **live state** in real time.

## Setup

Live queries are enabled **per credential** from the credential list in your cloud integration settings. For each connected AWS role, AWS IAM user, GCP service account, or Azure credential, a toggle controls whether Annie can run live queries with it.

<Steps>
  <Step title="Connect your cloud account">
    Connect via the existing integrations: [AWS](/pages/integration/aws) (IAM Assume Role or IAM User), [GCP](/pages/integration/gcp) (Service Account), or [Azure](/pages/integration/azure) (Service Principal or Workload Identity Federation).
  </Step>

  <Step title="Open your cloud integration settings">
    Go to [Integrations](https://app.anyshift.io/integrations) and select the cloud provider (AWS, GCP, or Azure).
  </Step>

  <Step title="Enable the toggle">
    On the credentials list page, toggle **"Read-Only Agentic Live Queries"** for each credential you want to enable. This grants Annie permission to run allowlisted CLI commands using that specific credential.
  </Step>

  <Step title="Annie is ready">
    Annie uses the enabled credentials for live query operations during investigations and chat sessions. No restart or configuration reload needed.
  </Step>
</Steps>

<Tip>
  You can enable live queries on some credentials and not others. For example, enable it on your production AWS role for incident investigation but leave it off on staging credentials.
</Tip>

## Security

Every CLI command Annie can execute is **explicitly allowlisted**. If a command is not on the allowlist, it is rejected.

* **Strict allowlisting**: Only explicitly reviewed and approved commands can run. Unknown commands are blocked by default.
* **Read-only operations only**: The allowlist includes only `describe`, `list`, `get`, and `show` commands. No `create`, `update`, `delete`, or `terminate` operations are permitted.
* **Pagination limits**: Commands returning large datasets enforce pagination via `--max-items` or `--top` to prevent runaway queries and excessive costs.
* **Restricted utility flags**: Tools like `curl` and `dig` have a strict subset of allowed flags. For example, `curl` can only access HTTPS URLs and cannot send custom headers.

<Note>
  Annie **cannot** modify your infrastructure through CLI commands. All access is strictly read-only. If a command isn't on the allowlist, it's rejected with a clear error and Annie falls back to the knowledge graph.
</Note>
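As an added illustration (not Anyshift's code), the Python below applies the validation checks described in this section and in the "What gets validated" reference table, in order: registered binary, allowlisted subcommand, permitted flags, HTTPS-only non-internal URLs for `curl`, and a pagination flag for large-output commands. The allowlist contents are a constructed subset of this page's command tables, and this version rejects a command missing its pagination flag rather than injecting one.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed allowlist (a subset of the page's tables): binary -> subcommand -> permitted flags.
ALLOWLIST = {
    "aws": {
        "ec2 describe-instances": {"--max-items", "--region", "--filters", "--output"},
        "ec2 describe-security-groups": {"--max-items", "--region", "--group-ids"},
        "sts get-caller-identity": {"--region", "--output"},
    },
    # curl: strict flag subset, no header flags at all; every positional must be a URL.
    "curl": {"": {"-s", "-S", "-I"}},
}
PAGINATED = {"aws ec2 describe-instances", "aws ec2 describe-security-groups"}
PAGINATION_FLAGS = {"--max-items", "--top"}


def url_allowed(url: str) -> bool:
    """HTTPS only; reject loopback, link-local (169.254.169.254) and private/internal hosts."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host:
        return False
    if host == "localhost" or host.endswith(".internal"):
        return False
    try:
        return ipaddress.ip_address(host).is_global  # literal IPs must be public
    except ValueError:
        return True  # a hostname; where it resolves is the executor's concern


def validate(cmdline: str) -> tuple[bool, str]:
    """Run the checks in order; the first failure is the rejection reason."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    binary, rest = argv[0], argv[1:]
    if binary not in ALLOWLIST:  # 1. binary must have a registered validator
        return False, f"binary not registered: {binary}"
    words = []  # 2. subcommand: aws takes service + operation, curl has none
    while binary == "aws" and rest and len(words) < 2 and not rest[0].startswith("-"):
        words.append(rest.pop(0))
    sub = " ".join(words)
    if sub not in ALLOWLIST[binary]:
        return False, f"subcommand not allowlisted: {binary} {sub}".rstrip()
    flags = {a.split("=", 1)[0] for a in rest if a.startswith("-")}
    bad = sorted(flags - ALLOWLIST[binary][sub])  # 3. every flag must be permitted
    if bad:
        return False, f"flag not permitted: {bad[0]}"
    if binary == "curl":  # 4. URLs must be HTTPS and not internal/metadata endpoints
        for arg in (a for a in rest if not a.startswith("-")):
            if not url_allowed(arg):
                return False, f"url not permitted: {arg}"
    full = f"{binary} {sub}".rstrip()
    if full in PAGINATED and not flags & PAGINATION_FLAGS:  # 5. pagination limit required
        return False, f"pagination flag required for {full}"
    return True, full
```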

## Reference

<AccordionGroup>
  <Accordion icon="lock" title="What gets validated">
    Every command goes through multiple validation checks before execution:

    | Validation     | What It Checks                                | Example                                                       |
    | -------------- | --------------------------------------------- | ------------------------------------------------------------- |
    | **Binary**     | The tool must have a registered validator     | `rm`, `chmod`, `wget` → rejected                              |
    | **Command**    | The specific subcommand must be allowlisted   | `aws ec2 terminate-instances` → rejected                      |
    | **Flags**      | Every flag must be explicitly permitted       | `curl -H "Authorization: ..."` → rejected                     |
    | **URLs**       | Must be HTTPS, no internal/metadata endpoints | `curl http://169.254.169.254/` → rejected                     |
    | **Pagination** | Large-output commands must include limits     | `aws ec2 describe-instances` without `--max-items` → enforced |
  </Accordion>

  <Accordion icon="key" title="How credentials work">
    Annie uses the cloud credentials you've already configured in Anyshift, restricted to those with **"Read-Only Agentic Live Queries"** enabled. The same credentials used for infrastructure graph ingestion are reused for live queries.

    * **Credential selection**: When Annie runs a CLI command, she selects the appropriate credential set for the target account. With multiple enabled accounts (e.g., `prod-aws`, `staging-gcp`, `azure-prod`), she picks the one relevant to the investigation.
    * **Secure injection**: Credentials are injected **server-side** into the command execution environment. They are never exposed to the AI model, never logged, and never included in responses.

    | Cloud Provider | Credential Type                     | What's Used                                                       |
    | -------------- | ----------------------------------- | ----------------------------------------------------------------- |
    | **AWS**        | IAM Assume Role / IAM User          | Temporary STS credentials (access key, secret key, session token) |
    | **GCP**        | Service Account                     | Short-lived access token + project ID                             |
    | **Azure**      | Service Principal                   | Per-execution `az login` with client secret via stdin             |
    | **Azure**      | Workload Identity Federation (OIDC) | Per-execution `az login` with JWT federated token                 |
  </Accordion>

  <Accordion icon="circle-question" title="When does Annie use live queries?">
    Annie uses cloud CLI commands when she needs information beyond what the knowledge graph snapshot provides.

    * **Live state verification**: During an RCA, Annie finds EC2 instance `i-0abc123` in the graph but runs `aws ec2 describe-instance-status` to confirm it is still running and healthy, catching stale snapshots or recent changes.
    * **Resource enumeration**: For *"How many Lambda functions do we have in production?"*, Annie runs `aws lambda list-functions` for an accurate real-time count. CLI is often more direct than a graph query for counts and listings.
    * **Operational diagnostics**: Seeing connection timeouts in logs, Annie uses `dig` and `curl` to verify DNS resolution and endpoint reachability, useful when logs reference external dependencies or network issues.
    * **Configuration verification**: Investigating a flagged security group change, Annie runs `aws ec2 describe-security-groups` to compare current rules against what the graph recorded.
    * **Load balancer health**: On 5xx alerts from an ALB, Annie checks `aws elbv2 describe-target-health` for unhealthy targets and correlates with ECS task status via `aws ecs describe-tasks`, then traces the issue using the graph's dependency map.
    * **Azure metrics & monitoring**: For a high-CPU Azure VM, Annie runs `az monitor metrics list` for latest values and `az monitor metrics alert list` to check firing alert rules.
  </Accordion>

  <Accordion icon="aws" title="Supported AWS CLI operations">
    **Compute**

    | Service    | Commands                                                                                                                                                                                                        |
    | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **EC2**    | `describe-instances`, `describe-instance-status`, `describe-images`, `describe-volumes`, `describe-snapshots`                                                                                                   |
    | **ECS**    | `list-clusters`, `describe-clusters`, `list-services`, `describe-services`, `list-tasks`, `describe-tasks`, `describe-task-definition`                                                                          |
    | **EKS**    | `list-clusters`, `describe-cluster`, `list-nodegroups`, `describe-nodegroup`, `list-addons`, `describe-addon-versions`                                                                                          |
    | **Lambda** | `list-functions`, `get-function`, `get-policy`, `list-event-source-mappings`, `get-function-concurrency`, `get-function-url-config`, `get-function-code-signing-config`, `list-provisioned-concurrency-configs` |

    **Networking**

    | Service         | Commands                                                                                                                                                                       |
    | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | **EC2 (VPC)**   | `describe-vpcs`, `describe-subnets`, `describe-security-groups`, `describe-route-tables`, `describe-nat-gateways`, `describe-internet-gateways`, `describe-network-interfaces` |
    | **ELBv2**       | `describe-load-balancers`, `describe-listeners`, `describe-target-groups`, `describe-target-health`                                                                            |
    | **CloudFront**  | `list-distributions`, `get-distribution`                                                                                                                                       |
    | **API Gateway** | `get-integration`, `get-stage`                                                                                                                                                 |

    **Storage & Databases**

    | Service         | Commands                                                                                                                                                                         |
    | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **S3**          | `ls`                                                                                                                                                                             |
    | **S3 API**      | `list-buckets`, `get-bucket-encryption`, `get-bucket-lifecycle-configuration`, `get-bucket-policy`, `get-bucket-replication`, `get-bucket-versioning`, `get-public-access-block` |
    | **RDS**         | `describe-db-instances`, `describe-db-clusters`, `describe-db-log-files`                                                                                                         |
    | **DynamoDB**    | `describe-table`, `describe-continuous-backups`, `describe-time-to-live`                                                                                                         |
    | **ElastiCache** | `describe-cache-clusters`, `describe-replication-groups`                                                                                                                         |

    **Identity & Security**

    | Service | Commands                                                                                                                    |
    | ------- | --------------------------------------------------------------------------------------------------------------------------- |
    | **IAM** | `list-roles`, `list-users`, `list-policies`, `list-attached-role-policies`, `get-role`, `get-policy`, `get-account-summary` |
    | **STS** | `get-caller-identity`, `get-access-key-info`                                                                                |

    **Monitoring & Events**

    | Service             | Commands                                                             |
    | ------------------- | -------------------------------------------------------------------- |
    | **CloudWatch**      | `describe-alarms`, `describe-alarm-history`, `get-metric-statistics` |
    | **CloudWatch Logs** | `describe-log-groups`, `describe-log-streams`, `filter-log-events`   |
    | **EventBridge**     | `list-rules`, `describe-rule`, `list-targets-by-rule`                |
  </Accordion>

  <Accordion icon="google" title="Supported Google Cloud CLI (gcloud) operations">
    **Compute & Containers**

    | Service                 | Commands                                     |
    | ----------------------- | -------------------------------------------- |
    | **Compute Instances**   | `list`, `describe`, `get-serial-port-output` |
    | **Compute Disks**       | `list`, `describe`                           |
    | **Instance Groups**     | `list`, `managed describe`                   |
    | **GKE Clusters**        | `list`, `describe`                           |
    | **GKE Node Pools**      | `list`                                       |
    | **Cloud Run Services**  | `list`, `describe`                           |
    | **Cloud Run Revisions** | `list`                                       |

    **Networking**

    | Service              | Commands                                |
    | -------------------- | --------------------------------------- |
    | **Networks**         | `list`, `peerings list`, `subnets list` |
    | **Firewall Rules**   | `list`                                  |
    | **Forwarding Rules** | `list`                                  |
    | **Routes**           | `list`                                  |
    | **Addresses**        | `list`                                  |
    | **Backend Services** | `list`, `get-health`                    |

    **Databases**

    | Service                 | Commands                                                                                    |
    | ----------------------- | ------------------------------------------------------------------------------------------- |
    | **Cloud SQL**           | `instances list`, `instances describe`, `databases list`, `backups list`, `operations list` |
    | **Spanner**             | `instances list`, `instances describe`, `databases list`, `operations list`                 |
    | **Memorystore (Redis)** | `instances list`, `instances describe`                                                      |

    **Storage & Data**

    | Service           | Commands                                                      |
    | ----------------- | ------------------------------------------------------------- |
    | **Cloud Storage** | `buckets list`, `buckets describe`                            |
    | **Pub/Sub**       | `topics list`, `subscriptions list`, `subscriptions describe` |
    | **Dataproc**      | `clusters list`, `clusters describe`, `jobs list`             |

    **Identity & Projects**

    | Service                  | Commands                             |
    | ------------------------ | ------------------------------------ |
    | **Projects**             | `list`, `describe`, `get-iam-policy` |
    | **IAM Service Accounts** | `list`, `describe`, `keys list`      |

    **Monitoring & Logging**

    | Service        | Commands                           |
    | -------------- | ---------------------------------- |
    | **Monitoring** | `dashboards list`, `policies list` |
    | **Logging**    | `read`                             |
  </Accordion>

  <Accordion icon="microsoft" title="Supported Azure CLI operations">
    **Monitoring & Diagnostics**

    | Service                 | Commands                                      |
    | ----------------------- | --------------------------------------------- |
    | **Monitor Metrics**     | `list`, `list-definitions`, `list-namespaces` |
    | **Monitor Alerts**      | `alert list`, `alert show`                    |
    | **Activity Log**        | `list`                                        |
    | **Log Analytics**       | `workspace list`                              |
    | **Diagnostic Settings** | `list`                                        |

    **Compute**

    | Service              | Commands                        |
    | -------------------- | ------------------------------- |
    | **Virtual Machines** | `list`, `show`                  |
    | **AKS**              | `list`, `show`, `nodepool list` |

    **Networking**

    | Service                     | Commands                    |
    | --------------------------- | --------------------------- |
    | **Virtual Networks**        | `vnet list`                 |
    | **Network Security Groups** | `nsg list`, `nsg rule list` |
    | **Public IPs**              | `public-ip list`            |

    **Storage & Databases**

    | Service              | Commands                     |
    | -------------------- | ---------------------------- |
    | **Storage Accounts** | `account list`               |
    | **SQL Server**       | `server list`, `server show` |
    | **SQL Databases**    | `db list`                    |
    | **Cosmos DB**        | `list`                       |

    **Resource Discovery**

    | Service             | Commands       |
    | ------------------- | -------------- |
    | **Account**         | `show`, `list` |
    | **Resource Groups** | `list`         |
    | **Resources**       | `list`, `show` |

    <Info>
      Azure supports both **Service Principal** (client secret) and **Workload Identity Federation** (OIDC) authentication. Both work with live queries. See the [Azure integration guide](/pages/integration/azure) for setup.
    </Info>
  </Accordion>

  <Accordion icon="screwdriver-wrench" title="Utility tools">
    Alongside cloud CLIs, Annie has access to utility tools for diagnostics and data processing:

    | Tool        | Purpose                                              | Example Use Case                                                        |
    | ----------- | ---------------------------------------------------- | ----------------------------------------------------------------------- |
    | **curl**    | HTTP endpoint checks (HTTPS only, no custom headers) | Check if an API endpoint is reachable and responding                    |
    | **dig**     | DNS lookups and diagnostics                          | Verify DNS resolution for a service endpoint during connectivity issues |
    | **jq**      | JSON processing and filtering                        | Parse and filter complex CLI output                                     |
    | **yq**      | YAML processing                                      | Parse Kubernetes manifests or configuration files                       |
    | **base64**  | Encode/decode data                                   | Decode base64-encoded configuration values                              |
    | **date**    | Date/time operations                                 | Convert timestamps between formats during log analysis                  |
    | **openssl** | Certificate inspection                               | Check TLS certificate expiry and chain validity                         |
  </Accordion>
</AccordionGroup>

## Get Started

<CardGroup cols={2}>
  <Card title="Create Account" icon="user-plus" href="https://app.anyshift.io/">
    Sign up for Anyshift and connect your cloud accounts
  </Card>

  <Card title="Request Demo" icon="phone" href="https://calendly.com/roxane-fischer/30-zoom-meeting?back=1">
    See Annie's live query capabilities in action
  </Card>
</CardGroup>
