Skip to content

Pre-flight

These items are shared across every deployment path. Set them up before you start any per-path walkthrough.

You need an active Argus user with admin (or sufficient) permissions to create cloud accounts and mint credentials. Sign up at https://app.argusdspm.com (or your self-hosted Argus URL) if you have not already.

In the dashboard, navigate to Settings > Cloud Accounts > Add cloud account. Provide:

  • Provider: AWS (Azure is in preview and not covered by this guide).
  • External account ID: the 12-digit AWS account number the agent will scan from inside, for example 111122223333. The agent compares this against its actual runtime identity at scan time (the “cross account guard”) and refuses to persist results if they do not match, so this field must be exact.
  • Default region: the AWS region you intend to run the agent in. Used to pre-fill region in deploy snippets and CloudFormation launch URLs.

You will end up with a cloud account record whose ID looks like cloud_<your-cloud-account-id>. Keep this; some deployment paths need it for tags or naming.

Decide Bootstrap or Manual, then:

Bootstrap mode - mint an enrollment token:

  1. Open the cloud account you just created.
  2. Click Generate Enrollment Token.
  3. Copy the full token. It looks like argus_et_<your-token-here>.
  4. Store it somewhere recoverable; the dashboard shows a masked preview after this point, not the full value.

The token is reusable. Every container that runs with it exchanges it for its own per-container API key.

Manual mode - create an agent and copy its API key:

  1. Go to Agents > Create agent.
  2. Pick the cloud account you registered.
  3. The dashboard mints a permanent API key and shows it exactly once. Copy it. It looks like argus_ak_....

What the agent needs from AWS depends on where it runs:

  • Cloud (managed) and Cloud (DIY) paths: the agent runs inside the target AWS account and uses the role you create for it (instance profile on EC2, task role on Fargate). No additional credentials at the agent process layer.
  • Local paths: the agent runs outside AWS and assumes a role inside the target account. You need:
    • A role in the target account with the discovery permissions.
    • That role’s trust policy must allow whatever principal the local agent’s SDK default chain resolves to (your IAM user, your SSO role, etc.). See Local-path assumed role.
    • Source credentials available via the standard chain (~/.aws/credentials, AWS_ACCESS_KEY_ID, instance metadata, etc.).
    • The role ARN and an external ID (optional but recommended) passed via AWS_ROLE_ARN and AWS_EXTERNAL_ID.

The agent only ever initiates outbound connections. No inbound port is opened. Minimum egress:

Destination Port Purpose
api.argusdspm.com (or your self-hosted control plane) 443 Heartbeat, job claim, result upload
ghcr.io and *.actions.githubusercontent.com 443 Image pull (anonymous; no AWS ECR auth needed)
AWS service endpoints in the region you scan (s3.<region>.amazonaws.com, rds.<region>.amazonaws.com, etc.) 443 Datastore discovery and sampling
DNS resolver (typically the VPC resolver) 53 / UDP+TCP Name resolution for the above

Cloud (managed) templates and the deploy-argus Terraform module set up a security group with these rules for you. For Local paths, you ensure the host has internet egress.

Section titled “6. Pin to a known-good agent version (recommended)”

Deploy snippets default to ghcr.io/argusdspm/argus-agent:stable, a rolling tag that always points at the latest published release. For production, pin:

  • Replace :stable with :v0.7.9 (or later) in the image reference.
  • For Terraform, set agent_image_tag = "v0.7.9" in the module block.