Skip to main content

88 posts tagged with "stackql"

View All Tags

Azure Provider Update - July 2026

· 4 min read
Technologist and Cloud Consultant

We've released a major update to the StackQL Azure provider family:

  • azure - core Microsoft Azure services: 268 services, 3,473 resources and 13,559 operations (up from 202 services, a 33% increase in service coverage)
  • azure_extras - domain-specific and specialized Microsoft services (44 services)
  • azure_isv - Azure Native ISV and partner services: Databricks, Datadog, Confluent, Elastic, MongoDB Atlas, Oracle Database@Azure and more (27 services)
  • azure_stack - the Azure Stack / Azure Local family (4 services)

Service, resource and method names are consistently snake_cased, service titles carry the official Azure product names, and related services have been consolidated - SHOW SERVICES IN azure now reads like the Azure portal, not like an SDK package index.

Control plane and data plane in one provider

Most Azure tooling stops at ARM. This provider exposes Azure data plane APIs alongside the ARM control plane as first-class services, so the same SQL surface that manages a resource can work with what's inside it.

Enumerate Key Vaults in a subscription (control plane), then list the secrets in one of them (data plane):

SELECT name, location
FROM azure.key_vault.vaults
WHERE subscription_id = '<subscription_id>';

SELECT id, content_type, attributes
FROM azure.key_vault_secrets.secrets
WHERE vault_name = 'my-vault';

The same pattern extends across the platform - Storage blobs, queues and file shares, Cosmos DB tables, App Configuration key-values, Event Grid publishing, Container Registry repositories, Azure Monitor log queries and ingestion, Azure Maps, Azure AI Search documents, Service Fabric cluster operations, Batch jobs, and the Synapse and Purview workspace APIs are all present as data plane services next to their management planes.

The AI surface

The biggest expansion in this release is AI - 20 services covering Azure AI Foundry and the Azure AI services portfolio:

  • Azure AI Foundry: ai_projects, ai_agents, ai_inference, ai_evaluation
  • Language: ai_language (conversational language understanding, question answering and their authoring surfaces in a single service), ai_text_analytics, ai_translation_text, ai_translation_document
  • Vision: ai_vision_image_analysis, ai_vision_face
  • Documents: ai_document_intelligence, ai_form_recognizer
  • Speech: ai_transcription, ai_voice_live
  • Safety and content: ai_content_safety, ai_content_understanding
  • Plus ai_anomaly_detector, ai_personalizer, ai_discovery and the cognitive_services management plane

Inventory every Azure AI services account in a subscription, with kind and provisioning state:

SELECT name, kind, location, provisioning_state
FROM azure.cognitive_services.accounts
WHERE subscription_id = '<subscription_id>';

ARM's nested properties envelope is flattened at query time, so attributes like provisioning_state are ordinary columns - no JSON extraction needed for the common case.

More new and expanded coverage

  • Communication - the full Azure Communication Services surface: email, SMS, chat, calling automation, phone numbers, rooms, job router, advanced messaging and identity (9 services)
  • Databases - Azure NetApp Files, Azure Cache for Redis, Azure Managed Redis, Azure DocumentDB (MongoDB compatibility), Azure HorizonDB, MySQL and PostgreSQL flexible servers, Azure Data Explorer (Kusto)
  • Compute and containers - Compute Fleet, Compute Schedule, AKS (container_service), Kubernetes Fleet Manager, deployment safeguards, Container Registry tasks and data plane, Azure Red Hat OpenShift, Azure VMware Solution
  • Observability - Azure Monitor log query, metrics query and logs ingestion data planes, Azure Monitor workspaces (managed Prometheus), health models
  • Governance - Microsoft Purview catalog, data map, scanning, sharing and workflow APIs; a consolidated resource service spanning deployments, policy, locks, template specs and subscriptions
  • Maps - geocoding, routing, rendering, geolocation, timezone and weather (6 services)
  • Hybrid - Azure Arc-enabled servers, Kubernetes, VMware vSphere and System Center VMM, Arc gateway, Azure Local

Authentication

The provider uses Azure's standard credential chain - an az login session works as-is, or set service principal credentials:

export AZURE_TENANT_ID=<tenant_id>
export AZURE_CLIENT_ID=<client_id>
export AZURE_CLIENT_SECRET=<client_secret>

Get started

Pull the providers from the public registry:

registry pull azure
registry pull azure_extras
registry pull azure_isv
registry pull azure_stack

Then explore - it's just SQL:

SELECT name, location, provisioning_state, vm_id
FROM azure.compute.virtual_machines
WHERE subscription_id = '<subscription_id>';

Provider docs are at azure-provider.stackql.io. Let us know what you build. Star us on GitHub.

Anthropic Providers Update - July 2026

· 3 min read
Technologist and Cloud Consultant

We've released an update to the StackQL providers for the Anthropic platform:

  • anthropic - the Claude API surface: messages, models, batches, files, agents, deployments, environments, sessions, skills, memory stores, user profiles, and vaults (11 services, 26 resources, 103 operations)
  • anthropic_admin [new] - the Admin API surface: organization, users, invites, workspaces, API keys, usage and cost reports, rate limits, and Claude Code analytics (6 services, 11 resources)

Both providers expose a SQL-first surface: authentication is handled automatically, Push down support using the LIMIT clause and built in pagination handling.

Inference as a query

Inference using Claude is accessible via SELECT for instance:

SELECT
id,
model,
stop_reason,
JSON_EXTRACT(content, '$[0].text') AS assistant_message,
JSON_EXTRACT(usage, '$.output_tokens') AS output_tokens
FROM anthropic.messages.messages
WHERE model = 'claude-sonnet-5'
AND max_tokens = 2048
AND messages = '[
{
"role": "user",
"content": "how does stackql work?"
}
]'
AND system = 'You are a technical assistant. Answer in one short paragraph.'
AND thinking = '{"type": "disabled"}';

Token counting works the same way via anthropic.messages.token_counts - free of charge.

Model capabilities view

The provider ships a convenience view that fans the per-model capability matrix out of the capabilities JSON column into flat columns:

SELECT id, display_name, thinking, adaptive, xhigh, max_input_tokens, max_tokens
FROM anthropic.models.vw_model_capabilities;

One row per model with boolean flags for batch, citations, code execution, context management, effort tiers (low through xhigh), image and PDF input, structured outputs, and thinking modes - useful for picking a model programmatically instead of reading release notes.

The admin provider - your Anthropic org as data

The anthropic_admin provider presents the organization management surface as SQL.

Enumerate workspaces and who's in them:

SELECT id, name, created_at, data_residency
FROM anthropic_admin.workspaces.workspaces;

SELECT user_id, workspace_id, workspace_role
FROM anthropic_admin.workspaces.members
WHERE workspace_id = '<workspace_id>';

Audit users and API keys across the org:

SELECT id, email, name, role
FROM anthropic_admin.organization.users;

SELECT id, name, status, workspace_id, partial_key_hint
FROM anthropic_admin.api_keys.api_keys;

Pull usage reports as time-bucketed rows - results is a JSON column you can break down with JSON_EACH, and reports can be grouped and filtered by model, workspace, API key, service tier, and more:

SELECT starting_at, ending_at, results
FROM anthropic_admin.usage.usage_reports
WHERE starting_at = '2026-07-01T00:00:00Z'
AND "group_by[]" = 'model';

Cost reporting and Claude Code adoption analytics work the same way:

SELECT starting_at, ending_at, results
FROM anthropic_admin.cost.cost_reports
WHERE starting_at = '2026-07-01T00:00:00Z';

SELECT starting_at, ending_at, results
FROM anthropic_admin.usage.claude_code_reports
WHERE starting_at = '2026-07-01T00:00:00Z';

Because it's all SQL, you can join usage to workspaces, materialize daily cost snapshots into a database, or point a BI tool at StackQL's Postgres wire protocol server and build an org-wide Claude spend dashboard without writing a line of integration code.

Authentication

The two providers use different key types, which are disjoint by design:

# anthropic - workspace-scoped Claude API key
export ANTHROPIC_API_KEY=sk-ant-api...

# anthropic_admin - org-scoped Admin API key (created by org admins)
export ANTHROPIC_ADMIN_KEY=sk-ant-admin...

Admin keys are available to organization accounts only and can be provisioned by users with the admin role in the Console.

Get started

Pull the providers from the public registry:

registry pull anthropic
registry pull anthropic_admin

Provider docs are at anthropic-provider.stackql.io and anthropic-admin-provider.stackql.io. Let us know what you build. Star us on GitHub.

StackQL MCP server now available in the Anthropic MCP Directory

· 2 min read
Technologist and Cloud Consultant

The StackQL MCP server has been reviewed by Anthropic and is now listed in the Anthropic MCP Directory. StackQL is a member of the Claude Partner Network, and the directory listing makes the MCP server discoverable and installable directly from within Claude Desktop - no manual bundle download, no custom connector configuration.

From finding to fix: cloud auto-remediation with AI and StackQL

· 7 min read
Technologist and Cloud Consultant

A cloud audit tells you what is wrong. The work starts when you have to fix it. Most tooling stops at the findings list and hands a spreadsheet to an engineer, and the findings sit there until someone has a quiet afternoon.

This post walks through the other half: a remediation loop that turns each finding into a reviewable pull request, verifies live state before it changes anything, and applies the fix on merge. It runs entirely in GitHub Actions, authenticates with OIDC, and uses StackQL to talk to cloud control planes. The repo is public at stackql-labs/stackql-ai-remediation, and the example throughout is FinOps waste (unattached disks, idle IPs, zero-VM projects), though the shape is the same for posture and security checks.

Run the StackQL MCP Server Anywhere Your Agent Does

· 5 min read
Technologist and Cloud Consultant

The StackQL MCP server is now available through every runtime an agent is likely to live in: prebuilt Claude Desktop bundles, npm, PyPI, Docker, a GitHub Action, and the Official MCP Registry. It is the same server in each case - one binary, pulled and launched the way your environment prefers.

What the StackQL MCP server is

StackQL exposes cloud and SaaS providers - AWS, Google Cloud, Azure, GitHub, Kubernetes, Snowflake, Databricks and more - as a single SQL surface. The MCP server puts that surface in front of an AI agent: the agent discovers providers, services, resources and methods, then runs SELECT queries to read state and (when you allow it) INSERT / UPDATE / DELETE to change it. Reads and writes are gated by a server mode and recorded to an audit log, so "what the agent did" is always answerable.

For background on the protocol itself, see the original StackQL MCP Server Now Available post and the MCP command reference.

One server, every runtime

Every channel runs the same stackql binary. Pick the one that matches your client:

ChannelGet itBest for
Claude Desktop bundlestackql-mcp-<platform>.mcpb from the release pageOne-click install, no separate StackQL on PATH
npmnpx -y @stackql/mcp-serverNode environments, no global install
PyPIuvx stackql-mcp-server or pip install stackql-mcp-serverPython environments
Dockerdocker run -i --rm stackql/stackql-mcpContainerised / isolated runtimes (amd64 + arm64)
GitHub Actionstackql/setup-stackql-mcp@v1CI and agentic workflows
MCP Registryio.github.stackql/stackql-mcpDirectory-driven discovery and install

A typical stdio client config is three lines. For npx:

{ "mcpServers": { "stackql": { "command": "npx", "args": ["-y", "@stackql/mcp-server"] } } }

Swap npx for uvx stackql-mcp-server or docker run -i --rm stackql/stackql-mcp and you have the Python or Docker form. The npm and PyPI launchers download the signed stackql binary on first run, verify its checksum, and share a single cache. The full matrix - including the manual claude_desktop_config.json form for an existing binary - is in Installing the MCP server.

The approvable MCP server

Letting an agent touch your cloud is a trust decision, so the supply chain is built to be checkable:

  • The embedded stackql binary is Authenticode-signed (Windows) and Apple-notarised (macOS).
  • Every .mcpb bundle ships with a published SHA-256 checksum on the release page.
  • The npm and PyPI launchers verify the downloaded binary's SHA-256 before first use.
  • The MCP Registry entry attests the per-platform hashes, so a directory or marketplace can confirm what it is shipping.

On top of the supply chain, the server defaults to mode: safe - reads run freely, mutations and lifecycle operations need approval through the MCP elicitation flow. Pin read_only for inventory agents that should never write, or full_access for trusted automation. See Server modes.

A worked example: cloud audit in CI

The GitHub Action is where the multi-vector story pays off. stackql/setup-stackql-mcp@v1 installs the binary and writes an MCP config (defaulting to read_only), and anthropics/claude-code-action consumes it through claude_args. The result is an agent that audits your AWS account on every run and files an issue with the SQL it used as evidence:

- id: stackql
uses: stackql/setup-stackql-mcp@v1
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
with:
mode: read_only

- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
Using the stackql tools, audit our AWS account for: S3 buckets without
encryption or with public access, security groups open to 0.0.0.0/0 on
sensitive ports, and IAM users without MFA. Open a GitHub issue
"Cloud audit <date>" summarising findings WITH the SQL you ran as
evidence. If nothing is found, do not open an issue.
claude_args: |
--mcp-config ${{ steps.stackql.outputs.mcp-config-file }}
--allowedTools 'mcp__stackql__*'

Because the config is pinned to read_only, the audit can read everything and change nothing - the safety contract is enforced by the server, not by trust in the prompt. The action README has more recipes, including cost estimates on a pull request and a credential-free GitHub inventory.

What the agent actually sees

Under the hood the agent works the StackQL hierarchy with the same tools whatever the runtime. Pulling the GitHub provider and listing its services looks like this:

> pull_provider {"provider": "github"}
github provider, version 'v26.05.00393' successfully installed

> list_services {"provider": "github"}
actions, activity, apps, billing, checks, code_scanning, codespaces,
copilot, dependabot, gists, git, issues, orgs, packages, projects,
pulls, repos, search, secret_scanning, teams, users, ...

From there the agent can call list_resources and list_methods to discover the required WHERE parameters, then run_select_query to answer a question like "how many public repositories does the stackql org have?" - all without anyone hand-writing SQL.

Get started

⭐ Star us on GitHub and tell us what your agents build.