Edge Component environment variables reference

The following sections list and describe the environment variables available for Edge Components:

• Agent Controller

• Agent Proxy

• Agent Injector

Agent Controller environment variables

Here is a list of all available environment variables for configuring the Agent Controller installer:

AEMBIT_AGENT_CONTROLLER_ID Required

Default - not set

OS-All

Required if not using AEMBIT_DEVICE_CODE.

The Agent Controller ID, available in your tenant’s administrative console for each Agent Controller. This ID is utilized for Trust Provider registration. You must provide either this or the AEMBIT_DEVICE_CODE environment variable.

Example:
01234567-89ab-cdef-0123-456789abcdef

---

AEMBIT_DEVICE_CODE Required

Default - not set

OS-All

Required if not using AEMBIT_AGENT_CONTROLLER_ID.

The device code for the Agent Controller, which can be generated in your tenant’s administrative console and is used for code-based registration. You must provide either this or the AEMBIT_AGENT_CONTROLLER_ID environment variable.

Example:
123456

---

AEMBIT_TENANT_ID Required

Default - not set

OS-All

The Aembit Tenant ID that the Agent Controller will register with.

Example:
123abc

---

AEMBIT_HTTP_PORT_DISABLED

Default - false

OS-All

When true, disables HTTP support in Agent Controller, allowing communication exclusively over HTTPS. When false, HTTP is enabled. HTTP traffic uses port 5000 for virtual machine installations and port 80 for container-based deployments.

Example:
true

---

AEMBIT_KERBEROS_ATTESTATION_ENABLED

Default - not set

OS-All

When true, enables Kerberos-based attestation.

For Linux: You must set KRB5_KTNAME with the Agent Controller keytab file path. If Kerberos is installed, KRB5_KTNAME defaults to /etc/krb5.keytab.

For Windows: Kerberos information is inherited from the user the Agent Controller runs as.

Example:
true

---

AEMBIT_LOG_LEVEL

Default - information

OS-All

Set the Agent Controller log level. The supported levels include fatal, error, warning, information, debug, verbose. The log level value is case insensitive. See Log level reference for details.

Example:
verbose

---

AEMBIT_MANAGED_TLS_HOSTNAME

Default - not set

OS-All

The hostname Agent Proxy uses to connect to the Agent Controller. If set, Aembit uses its own PKI for Agent Controller TLS.

This is mutually exclusive with TLS_PEM_PATH and TLS_KEY_PATH.

Example:
aembit-agent-controller.example.com

---

AEMBIT_METRICS_ENABLED

Default - true

OS-All

Enable Prometheus metrics. This is enabled by default.

Example:
true

---

AEMBIT_STACK_DOMAIN

Default - useast2.aembit.io

OS-All

The cloud stack to connect to. Do not set this value unless directed by your Aembit representative.

---

SERVICE_LOGON_ACCOUNT

Default - not set

OS-Windows

When set, this runs the Agent Controller as a different user which is useful for High Availability deployments. The name you provide must be the fully qualified sAMAccount name.

Example:
myDomain\MyServiceAccount$

---

TLS_PEM_PATH

Default - not set

OS-All

The path to your TLS certificate file. Allows you to specify your own TLS key and certificate to use with Agent Controller TLS.

This must be used along side TLS_KEY_PATH and is mutually exclusive with AEMBIT_MANAGED_TLS_HOSTNAME.

Example:
C:\aembit.crt, /etc/ssl/certs/aembit.crt

---

TLS_KEY_PATH

Default - not set

OS-All

The path to your TLS private key file. Allows you to specify your own TLS key and certificate to use with Agent Controller TLS.

This must be used along side TLS_PEM_PATH and is mutually exclusive with AEMBIT_MANAGED_TLS_HOSTNAME.

Example:
C:\aembit.key, /etc/ssl/private/.aembit.key

Agent Proxy environment variables

Here is a list of all available environment variables for configuring the Agent Proxy installer:

AEMBIT_AGENT_CONTROLLER Required

Default - not set

OS-All

The location (scheme, host, and port) of the Agent Controller that the Agent Proxy should use.

Example:
http://agentcontroller.local:5000

---

AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED

Default - false

OS-Linux

Enable Process Name Client Workload identification.

Example:
false

---

AEMBIT_DEBUG_MAX_CAPTURED_PACKETS_PER_DEVICE

Default - not set

OS-Linux

The maximum number of network packets that Agent Proxy monitors per IPv4 network device.

Example:
2000

---

AEMBIT_DOCKER_CONTAINER_CIDR

Default - not set

OS-Linux

Supports Client Workloads running in Docker Compose on a Virtual Machine. This environment variable specifies the Docker Compose network CIDR that Agent Proxy handles.

Example:
100.64.0.0/10

---

AEMBIT_HTTP_SERVER_PORT

Default - 8000

OS-All

Specifies the port the Agent Proxy uses to manage HTTP traffic directed to it via the http_proxy and https_proxy environment variables. If this port conflicts with any Client Workload ports, it can be overridden with this environment variable.

Example:
8080

---

AEMBIT_KERBEROS_ATTESTATION_ENABLED

Default - not set

OS-Linux

Enable Kerberos-based attestation. This value isn’t set by default. To enable it, set this value to true.

Example:
true

---

AEMBIT_LOG (deprecated) / AEMBIT_LOG_LEVEL

Default - info

OS-All

Set the Agent Proxy log level. The supported levels include error, warn, info, debug, trace, off. The log level value is case insensitive. See Log level reference for details.

Example:
debug

---

AEMBIT_METRICS_ENABLED

Default - true

OS-All

Enable Prometheus metrics. By default, this is set to true.

Example:
true

---

AEMBIT_METRICS_PORT

Default - 9099

OS-All

The port where Prometheus metrics are exposed.

Example:
9099

---

AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION

Default - true

OS-All

When set to true, Agent Proxy operates in Passthrough mode, allowing connections to proceed without credential injection until Aembit Cloud registration completes. When set to false, incoming Client Workloads will be unable to connect until after registration completes. On Kubernetes this has the effect of delaying pod startup.

Example:
false

---

AEMBIT_POST_START_MAX_WAIT_SEC Kubernetes only

Default - 60

OS-All

The maximum number of seconds you permit the Agent Proxy postStart lifecycle hook to run before failing Client Workload pod deployment.

See Delaying pod startup until the Agent Proxy has registered.

Example:
100

---

AEMBIT_PRIVILEGED_KEYTAB

Default - false

OS-Linux

Set the configuration flag to enable the Agent Proxy to access a Kerberos principal located in a keytab file, which is restricted to root-only read permissions. Mandatory if AEMBIT_KERBEROS_ATTESTATION_ENABLED is enabled.

Example:
true

---

AEMBIT_RESOURCE_SET_ID

Default - not set

OS-All

Associates Agent Proxy with a specific Resource Set.

Example:
de48ebc2-3587-4cc6-823b-46434991e896

---

AEMBIT_SIGTERM_STRATEGY

Default - immediate

OS-Linux

The strategy used by Agent Proxy to handle the SIGTERM signal. Supported values are immediate, which exits immediately, and sigkill, which ignores the SIGTERM signal and waits for a SIGKILL. For details on configuring the AEMBIT_SIGTERM_STRATEGY environment variable and termination strategies, see Agent Proxy Termination Strategy.

Example:
sigkill

---

AEMBIT_STEERING_ALLOWED_HOSTS

Default - not set

OS-Linux

A list of comma-separated hostnames for which Agent Proxy should proxy traffic.

Example:
graph.microsoft.com,google.com

---

CLIENT_WORKLOAD_ID

Default - not set

OS-All

Associate Agent Proxy with the specified Client Workload Id. Aembit uses this in conjunction with Aembit Client Id configuration.

Example:
7e75e718-7634-480b-9f7b-a07bb5a4f11d

---

AEMBIT_CLOUD_LOCATION

Default - not set

OS-All

Defines the backend gRPC endpoint for Agent Proxy communication. WARNING: This is an internal configuration parameter with no valid customer use cases. Modifying this value can compromise Agent Proxy integrity.

Agent Injector environment variables

AEMBIT_LOG (deprecated) / AEMBIT_LOG_LEVEL

Default - info

OS-All

Set the Agent Injector log level. The supported levels include error, warn, info (default value), debug, trace, and off. See Log level reference for details.

Example:
warn