Skip to content

Local: docker run

The same shape as the Docker Compose path, but expressed as a single docker run command. Pick this for one-off testing, smoke checks, or scripted deploys where you do not want a separate YAML file.

  • You want a single line that fits in a CI script.
  • You do not want to manage a docker-compose.yml file.
  • You are debugging container behavior and want to swap flags quickly.

Identical to Docker Compose: a target-account role with the discovery policy, source credentials reachable via the SDK default chain, and a token or API key. Complete Pre-flight first.

  1. Export the role-target variables in your shell:

    Terminal window
    export AWS_ROLE_ARN=arn:aws:iam::111122223333:role/argus-discovery
    export AWS_EXTERNAL_ID=your-external-id
    # plus source credentials (one of):
    export AWS_ACCESS_KEY_ID=AKIA...
    export AWS_SECRET_ACCESS_KEY=...
  2. Run the agent. The drawer snippet with placeholders substituted:

    Terminal window
    docker run -d --restart unless-stopped \
    --name argus-agent \
    -v argus_agent_data:/var/lib/argus \
    -e ARGUS_BACKEND_URL=https://api.argusdspm.com \
    -e CLOUD_PROVIDER=aws \
    -e ENROLLMENT_TOKEN="argus_et_<your-token-here>" \
    -e ENROLLMENT_POOL=baseline \
    -e AWS_ROLE_ARN=$AWS_ROLE_ARN \
    -e AWS_EXTERNAL_ID=$AWS_EXTERNAL_ID \
    ghcr.io/argusdspm/argus-agent:stable

    To pass source credentials via a mounted file instead of env vars, add:

    Terminal window
    -v $HOME/.aws:/home/argus_agent/.aws:ro \
  3. Follow logs:

    Terminal window
    docker logs -f argus-agent

Same log signals as the Compose path. To confirm the API key persisted:

Terminal window
docker exec argus-agent ls -la /var/lib/argus
# expect: -rw------- argus_agent argus_agent 59 agent.key
Terminal window
docker stop argus-agent && docker rm argus-agent
docker volume rm argus_agent_data