// Execution Management (XEM)

Cloud Tools

AWS, GCP, and Azure tool bundles for the XEM agent. Each tool is a thin shell over the provider CLI (aws, gcloud, az) on the agent host. Identifiers use snake_case with a provider prefix; destructive operations route through the standard approval flow.

AWS

Twelve tools shelling out to the aws CLI.

  • aws_ec2_describe_instances, List EC2 instances
  • aws_ec2_start_instances, Start stopped instances
  • aws_ec2_stop_instances, Stop running instances
  • aws_ec2_reboot_instances, Reboot instances
  • aws_ec2_describe_security_groups, List security groups
  • aws_s3_list_buckets, List S3 buckets
  • aws_s3_cp, Copy objects to or from S3
  • aws_rds_describe_db_instances, List RDS DB instances
  • aws_iam_list_users, List IAM users
  • aws_eks_list_clusters, List EKS clusters
  • aws_cloudwatch_get_metric_stats, Fetch CloudWatch metric statistics
  • aws_logs_tail, Tail a CloudWatch Logs group

GCP

Twelve tools shelling out to the gcloud CLI.

  • gcloud_compute_instances_list, List Compute Engine instances
  • gcloud_compute_instances_start, Start Compute Engine instances
  • gcloud_compute_instances_stop, Stop Compute Engine instances
  • gcloud_compute_networks_list, List VPC networks
  • gcloud_storage_buckets_list, List Cloud Storage buckets
  • gcloud_container_clusters_list, List GKE clusters
  • gcloud_redis_instances_list, List Memorystore Redis instances
  • gcloud_sql_instances_list, List Cloud SQL instances
  • gcloud_logging_read, Read Cloud Logging entries
  • gcloud_iam_list_service_accounts, List service accounts
  • gcloud_projects_list, List accessible projects
  • gcloud_pubsub_list_topics, List Pub/Sub topics

Azure

Twelve tools shelling out to the az CLI.

  • az_vm_list, List virtual machines
  • az_vm_start, Start virtual machines
  • az_vm_stop, Stop virtual machines
  • az_vm_restart, Restart virtual machines
  • az_vm_power_state, Report VM power state
  • az_storage_account_list, List storage accounts
  • az_aks_list, List AKS clusters
  • az_aks_nodepool_list, List AKS node pools
  • az_sql_server_list, List SQL servers
  • az_resource_group_list, List resource groups
  • az_keyvault_list, List Key Vaults
  • az_monitor_metrics_list, Query Azure Monitor metrics

Credential Setup

Cloud tools do not read credentials from a workspace vault. They invoke the provider CLI installed on the agent host and rely on the standard provider credential resolution chain:

  • AWS: environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_REGION), shared config and credentials files under ~/.aws, or an attached instance/role profile.
  • GCP: an active gcloud authenticated account, application default credentials at ~/.config/gcloud, or GOOGLE_APPLICATION_CREDENTIALS pointing at a service-account key file.
  • Azure: a prior az login session, a service-principal login via environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET), or a managed identity available to the host.

The agent host must have the corresponding CLI binary installed and on PATH. See the source under Sources/ExecTools/Cloud for the full set of shipped tools and their invoker shims.
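Because the tools inherit whatever identity the host resolves, it helps to know which sources are present before enabling them. The script below is an added example, not part of XEM: its function names are hypothetical, and it assumes the CLIs' default file locations. Instance/role profiles and managed identities are not probed, since that requires the metadata service.

```shell
#!/bin/sh
# Added example (not XEM code): list which credential sources are present on
# this host. Prints source names only, never secret values. File locations are
# the CLIs' default paths (assumption: not relocated by configuration).

emit() { s="${1# }"; echo "${s:-none}"; }   # "none" = no env/file source found

aws_sources() {
    out=""
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        # A session token marks temporary credentials; without one the key is static.
        if [ -n "${AWS_SESSION_TOKEN:-}" ]; then out="env-temporary"; else out="env-static"; fi
    fi
    [ -f "$HOME/.aws/credentials" ] && out="$out shared-credentials-file"
    [ -f "$HOME/.aws/config" ] && out="$out shared-config-file"
    emit "$out"
}

gcp_sources() {
    out=""
    # Presence of the store is a heuristic, not proof of an active account.
    [ -f "$HOME/.config/gcloud/credentials.db" ] && out="gcloud-credential-store"
    [ -f "$HOME/.config/gcloud/application_default_credentials.json" ] && out="$out adc-file"
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        if [ -f "$GOOGLE_APPLICATION_CREDENTIALS" ]; then out="$out key-file-env"
        else out="$out key-file-env-missing"; fi
    fi
    emit "$out"
}

az_sources() {
    out=""
    [ -f "$HOME/.azure/azureProfile.json" ] && out="az-cli-profile"
    if [ -n "${AZURE_CLIENT_ID:-}" ] && [ -n "${AZURE_TENANT_ID:-}" ] \
        && [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        out="$out service-principal-env"
    fi
    emit "$out"
}

preflight() {
    for pair in aws:aws_sources gcloud:gcp_sources az:az_sources; do
        cli="${pair%%:*}"; fn="${pair#*:}"
        if command -v "$cli" >/dev/null 2>&1; then where="on PATH"; else where="NOT on PATH"; fi
        echo "$cli ($where): $($fn)"
    done
}

preflight
```

A result of env-static, key-file-env, or service-principal-env means a long-lived secret is sitting on the agent host; more than one source for a provider means the identity the tools run as depends on the CLI's precedence rules.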