Aegis Install on EC2

Install Aegis on Linux EC2 instances and bind each host to the correct Axis tenant.

Last updated: March 3, 2026
Source: VeliKey Docs Team
Owner: Aegis Product Engineering

Overview

This flow installs the `velikey-aegis` service on Linux EC2, writes a systemd environment file under `/etc/velikey-aegis`, and registers to Axis over TLS.

Generate a tenant-scoped bootstrap script per environment and do not reuse scripts across tenants.

Endpoint Assumptions

Production auth and API host: https://axis.velikey.com (signin: https://axis.velikey.com/auth/signin).
Non-production override: set AXIS_BASE_URL explicitly before running docs commands.
Generate the host install script from Axis rather than hand-authoring bootstrap tokens.

Actionable Steps

Confirm outbound connectivity from instance to Axis domain.
Generate a tenant-scoped install script from Axis (dashboard or API).
Confirm service health and enrollment in Axis dashboard.

# manual-only example
# Sign in to Axis and generate a deployment bundle in Dashboard (Environments),
# or generate the bundle via API using a valid session cookie:
curl -sS -X POST "https://axis.velikey.com/api/agent-install/generate" \
  -H "Content-Type: application/json" \
  -H "Cookie: next-auth.session-token=<SESSION_COOKIE>" \
  --data '{"customerName":"acme-prod","environment":"production","agentIdPrefix":"agent","expiresInDays":7}' \
  > deployment-bundle.json

jq -r '.installScript' deployment-bundle.json > install-aegis.sh

chmod +x install-aegis.sh
./install-aegis.sh

# Optional override if your binary mirror differs from the default Axis mirror:
# export AEGIS_BINARY_URL="https://<your-binary-host>/aegis-agent-linux-amd64"
sudo systemctl status velikey-aegis --no-pager
sudo journalctl -u velikey-aegis -n 100 --no-pager

The generated bundle installs runtime dependencies (libpcap and CA certificates) on apt/dnf/yum/zypper hosts before starting the agent.

Validation Checks (Last Step)

# manual-only example
command -v bash
command -v curl
command -v openssl
command -v shasum
curl -fsS --max-time 5 http://127.0.0.1:9080/health

When these commands are unavailable, bootstrap prerequisites before host enrollment.

Common Failure Modes

Install script generated from the wrong tenant/session, resulting in failed enrollment or cross-tenant denial.
Binary host is unreachable from EC2. Set AEGIS_BINARY_URL, or override AEGIS_RELEASES_BASE_URL/AEGIS_FALLBACK_RELEASES_BASE_URL before running the script.
Host lacks packet-capture capability (CAP_NET_RAW/CAP_NET_ADMIN). Check systemctl status + journalctl for permission errors.
Missing egress to Axis endpoint blocks certificate exchange and first policy pull.
Service appears active but cannot fetch policy due to stale host time or TLS trust chain issues.

Navigate Docs

Docs Index • Previous: Aegis Overview • Next: Aegis Install on Kubernetes • Troubleshooting