Aegis Policies

Policy authoring and retrieval are tenant-scoped. Agent policy fetch requires bearer token validation bound to agent and tenant.

Last updated: February 22, 2026
Source: VeliKey Docs Team
Owner: Aegis Product Engineering

Overview

Axis stores policies in tenant scope and serves active transit policies to enrolled agents.

Human operators can query `/api/policies`. Agents consume `/api/agents/{id}/policies` with bearer auth.

Endpoint Assumptions

  • Production auth and API host: https://axis.velikey.com (signin: https://axis.velikey.com/auth/signin).
  • Non-production override: set AXIS_BASE_URL explicitly before running docs commands.
  • Manual operator substitutions: provide tenant-scoped values for cookies, bearer tokens, agent IDs, and tenant slugs.

Actionable Steps

  1. Define policy intent and scope (`global`, `region`, `service`, `dataset`).
  2. Dry-run the rollout plan before applying any change.
  3. Verify agents can only fetch policy under matching tenant and enrollment binding.

```bash
# manual-only example
# production default; set AXIS_BASE_URL explicitly for staging/test.
export AXIS_BASE_URL="${AXIS_BASE_URL:-https://axis.velikey.com}"
export AGENT_ID="agent-001"
export AGENT_BEARER_TOKEN="REDACTED"

curl -fsS \
  -H "Authorization: Bearer $AGENT_BEARER_TOKEN" \
  "$AXIS_BASE_URL/api/agents/$AGENT_ID/policies" | jq
```

Validation Checks (Last Step)

```bash
# executable example
command -v curl
command -v jq
curl --version
```

Policy API calls should only be attempted after tenant-authenticated sign-in and endpoint reachability checks.

Common Failure Modes

  • Agent token from one tenant reused against another tenant’s agent ID results in `401 Unauthorized`.
  • Agent ID typo produces `404 Agent not found`.
  • Policy appears missing because it is inactive or outside the target scope.
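
Step 3 and the first two failure modes above can be checked together with a negative test: the same token must succeed for its own agent and be rejected for an agent in another tenant. The script below is an added example, not VeliKey code; it assumes a successful fetch returns `200`, and `OTHER_TENANT_AGENT_ID`, `FETCH`, `fetch_status` and `verify_binding` are hypothetical names introduced here.

```bash
#!/usr/bin/env bash
# Added example, not VeliKey code. Assumptions: a successful fetch returns 200,
# and OTHER_TENANT_AGENT_ID (hypothetical variable) names an agent in a second
# tenant that you operate.
AXIS_BASE_URL="${AXIS_BASE_URL:-https://axis.velikey.com}"

# Print only the HTTP status of GET /api/agents/<id>/policies.
# No -f here: 4xx responses must be reported, not turned into curl errors.
fetch_status() {  # arg: agent_id; token comes from AGENT_BEARER_TOKEN
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${AGENT_BEARER_TOKEN:?set AGENT_BEARER_TOKEN}" \
    "$AXIS_BASE_URL/api/agents/$1/policies"
}

# Probe command; override FETCH with a stub to exercise the logic offline.
FETCH="${FETCH:-fetch_status}"

# Exit status: 0 binding enforced, 1 isolation failure, 2 setup/inconclusive,
# 3 probe could not reach the API.
verify_binding() {  # args: own_agent_id other_tenant_agent_id
  local own cross
  own="$("$FETCH" "$1")" || { echo "ERROR: probe failed for $1"; return 3; }
  cross="$("$FETCH" "$2")" || { echo "ERROR: probe failed for $2"; return 3; }

  case "$own" in
    200) ;;
    401) echo "SETUP: token rejected for its own agent $1"; return 2 ;;
    404) echo "SETUP: agent $1 not found, check the ID for a typo"; return 2 ;;
    *)   echo "SETUP: unexpected status $own for $1"; return 2 ;;
  esac

  case "$cross" in
    401) echo "PASS: own=200, cross-tenant=401"; return 0 ;;
    2??) echo "FAIL: token for $1 read policies of $2 (status $cross)"; return 1 ;;
    404) echo "INCONCLUSIVE: $2 not found, use a real ID from the other tenant"; return 2 ;;
    *)   echo "INCONCLUSIVE: unexpected status $cross for $2"; return 2 ;;
  esac
}

# Live run only when both agent IDs are exported.
if [ -n "${AGENT_ID:-}" ] && [ -n "${OTHER_TENANT_AGENT_ID:-}" ]; then
  verify_binding "$AGENT_ID" "$OTHER_TENANT_AGENT_ID"
fi
```

A `404` on the cross-tenant probe is reported as inconclusive rather than a pass, because it does not show that a valid foreign agent ID would have been rejected.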