Edge Component environment variables reference
The tables on this page list and describe the environment variables available for Edge Components:
Agent Controller environment variables
Here is a list of all available environment variables for configuring the Agent Controller installer:
Name | OS | Default | Description |
---|---|---|---|
AEMBIT_AGENT_CONTROLLER_ID * | All | not set | * Required if not using AEMBIT_DEVICE_CODE. The Agent Controller ID, available in your tenant's administrative console for each Agent Controller. This ID is utilized for Trust Provider registration. You must provide either this or the AEMBIT_DEVICE_CODE environment variable. Example: 01234567-89ab-cdef-0123-456789abcdef |
AEMBIT_DEVICE_CODE * | All | not set | * Required if not using AEMBIT_AGENT_CONTROLLER_ID. The device code for the Agent Controller, which can be generated in your tenant's administrative console and is used for code-based registration. You must provide either this or the AEMBIT_AGENT_CONTROLLER_ID environment variable. Example: 123456 |
AEMBIT_TENANT_ID * | All | not set | * Required. The Aembit Tenant ID that the Agent Controller will register with. Example: 123abc |
AEMBIT_KERBEROS_ATTESTATION_ENABLED | All ** | not set | When true, enables Kerberos-based attestation. ** For Linux, you must set KRB5_KTNAME with the Agent Controller keytab file path. If Kerberos is installed, KRB5_KTNAME defaults to /etc/krb5.keytab. ** For Windows, Kerberos information is inherited from the user the Agent Controller runs as. Example: true |
AEMBIT_LOG_LEVEL | All | information | Set the Agent Controller log level. The supported levels include fatal, error, warning, information, debug, verbose. The log level value is case insensitive. See Log level reference for details. Example: verbose |
AEMBIT_MANAGED_TLS_HOSTNAME | All | not set | The hostname Agent Proxy uses to connect to the Agent Controller. If set, Aembit uses its own PKI for Agent Controller TLS. This is mutually exclusive with TLS_PEM_PATH and TLS_KEY_PATH. Example: aembit-agent-controller.example.com |
AEMBIT_METRICS_ENABLED | All | true | Enable Prometheus metrics. This is enabled by default. Example: true |
AEMBIT_STACK_DOMAIN | All | useast2.aembit.io | The cloud stack to connect to. Do not set this value unless directed by your Aembit representative. |
SERVICE_LOGON_ACCOUNT | Windows | not set | When set, this runs the Agent Controller as a different user which is useful for High Availability deployments. The name you provide must be the fully-qualified sAMAccount name. Example: myDomain\MyServiceAccount$ |
TLS_PEM_PATH | All | not set | The path to your TLS certificate file. Allows you to specify your own TLS key and certificate to use with Agent Controller TLS. This must be used alongside TLS_KEY_PATH and is mutually exclusive with AEMBIT_MANAGED_TLS_HOSTNAME. Examples: C:\aembit.crt, /etc/ssl/certs/aembit.crt |
TLS_KEY_PATH | All | not set | The path to your TLS private key file. Allows you to specify your own TLS key and certificate to use with Agent Controller TLS. This must be used alongside TLS_PEM_PATH and is mutually exclusive with AEMBIT_MANAGED_TLS_HOSTNAME. Examples: C:\aembit.key, /etc/ssl/private/.aembit.key |
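
The constraints in the table above (required tenant ID, one of the two registration values, mutually exclusive TLS options) can be checked before running the installer. This is an added example, not Aembit code: check_controller_env and its os_name parameter are hypothetical, the DOMAIN\name test for SERVICE_LOGON_ACCOUNT is an assumption drawn from the table's example value, and the sample environment is constructed.

```python
# Added example (not Aembit code): preflight check for Agent Controller variables.
CONTROLLER_LOG_LEVELS = {"fatal", "error", "warning", "information", "debug", "verbose"}


def check_controller_env(env, os_name="linux"):
    """Return a list of problems; check_controller_env is a hypothetical helper."""
    problems = []
    val = lambda name: env.get(name, "").strip()

    if not val("AEMBIT_TENANT_ID"):
        problems.append("AEMBIT_TENANT_ID is required")
    # Registration needs the controller ID or the device code.
    if not (val("AEMBIT_AGENT_CONTROLLER_ID") or val("AEMBIT_DEVICE_CODE")):
        problems.append("set AEMBIT_AGENT_CONTROLLER_ID or AEMBIT_DEVICE_CODE")

    # Own certificate and key travel together and exclude Aembit-managed TLS.
    own_tls = [n for n in ("TLS_PEM_PATH", "TLS_KEY_PATH") if val(n)]
    if len(own_tls) == 1:
        problems.append(f"{own_tls[0]} is set without its counterpart")
    if own_tls and val("AEMBIT_MANAGED_TLS_HOSTNAME"):
        problems.append("AEMBIT_MANAGED_TLS_HOSTNAME excludes TLS_PEM_PATH/TLS_KEY_PATH")

    # Log levels are case insensitive; the default is information.
    level = (val("AEMBIT_LOG_LEVEL") or "information").lower()
    if level not in CONTROLLER_LOG_LEVELS:
        problems.append(f"unsupported AEMBIT_LOG_LEVEL: {level}")

    kerberos = val("AEMBIT_KERBEROS_ATTESTATION_ENABLED").lower() == "true"
    if kerberos and os_name == "linux" and not val("KRB5_KTNAME"):
        problems.append("KRB5_KTNAME unset: /etc/krb5.keytab is the default "
                        "only if Kerberos is installed")

    account = val("SERVICE_LOGON_ACCOUNT")
    if account and os_name != "windows":
        problems.append("SERVICE_LOGON_ACCOUNT applies to Windows only")
    elif account and "\\" not in account:  # assumption: DOMAIN\name form
        problems.append("SERVICE_LOGON_ACCOUNT must be fully qualified")
    return problems


if __name__ == "__main__":
    # Constructed sample: certificate without key, plus managed TLS hostname.
    sample = {
        "AEMBIT_TENANT_ID": "123abc",
        "AEMBIT_DEVICE_CODE": "123456",
        "TLS_PEM_PATH": "/etc/ssl/certs/aembit.crt",
        "AEMBIT_MANAGED_TLS_HOSTNAME": "aembit-agent-controller.example.com",
    }
    for problem in check_controller_env(sample):
        print(problem)
```
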
Agent Proxy environment variables
Here is a list of all available environment variables for configuring the Agent Proxy installer:
Name | OS | Default | Description |
---|---|---|---|
AEMBIT_AGENT_CONTROLLER * | All | not set | * Required. The location (scheme, host, and port) of the Agent Controller that the Agent Proxy should use. Example: http://agentcontroller.local:5000 |
AEMBIT_DEBUG_MAX_CAPTURED_PACKETS_PER_DEVICE | Linux | not set | The maximum number of network packets that Agent Proxy monitors per IPv4 network device. Example: 2000 |
AEMBIT_DOCKER_CONTAINER_CIDR | Linux | not set | Supports Client Workloads running in Docker Compose on a Virtual Machine. This environment variable specifies the Docker Compose network CIDR that Agent Proxy handles. Example: 100.64.0.0/10 |
AEMBIT_HTTP_SERVER_PORT | All | 8000 | Specifies the port the Agent Proxy uses to manage HTTP traffic directed to it via the http_proxy and https_proxy environment variables. If this port conflicts with any Client Workload ports, it can be overridden with this environment variable. Example: 8080 |
AEMBIT_KERBEROS_ATTESTATION_ENABLED | All | not set | Enable Kerberos-based attestation. This value isn't set by default. To enable it, set this value to true. Example: true |
AEMBIT_LOG (deprecated), AEMBIT_LOG_LEVEL | All | info | Set the Agent Proxy log level. The supported levels include error, warn, info, debug, trace, off. The log level value is case insensitive. See Log level reference for details. Example: debug |
AEMBIT_METRICS_ENABLED | All | true | Enable Prometheus metrics. By default, this is set to true. Example: true |
AEMBIT_METRICS_PORT | All | 9099 | The port where Prometheus metrics are exposed. Example: 9099 |
AEMBIT_PRIVILEGED_KEYTAB | Linux | false | Allows the Agent Proxy to access a Kerberos principal located in a keytab file that is restricted to root-only read permissions. Mandatory if AEMBIT_KERBEROS_ATTESTATION_ENABLED is enabled. Example: true |
AEMBIT_RESOURCE_SET_ID | All | not set | Associates Agent Proxy with a specific Resource Set. Example: de48ebc2-3587-4cc6-823b-46434991e896 |
AEMBIT_SIGTERM_STRATEGY | Linux | immediate | The strategy used by Agent Proxy to handle the SIGTERM signal. Supported values are immediate, which exits immediately, and sigkill, which ignores the SIGTERM signal and waits for a SIGKILL. For details on configuring the AEMBIT_SIGTERM_STRATEGY environment variable and termination strategies, see Agent Proxy Termination Strategy. Example: sigkill |
AEMBIT_STEERING_ALLOWED_HOSTS | Linux | not set | A list of comma-separated hostnames for which Agent Proxy should proxy traffic. Example: graph.microsoft.com,google.com |
CLIENT_WORKLOAD_ID | All | not set | Associate Agent Proxy with the specified Client Workload Id. Aembit uses this in conjunction with Aembit Client Id configuration. Example: 7e75e718-7634-480b-9f7b-a07bb5a4f11d |
AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION | All | true | When set to true, Agent Proxy operates in Passthrough mode, allowing connections to proceed without credential injection until Aembit Cloud registration completes. When set to false, incoming Client Workloads will be unable to connect until after registration completes. On Kubernetes this has the effect of delaying pod startup. Example: true |
AEMBIT_POST_START_MAX_WAIT_SEC | All | 120 | Kubernetes-only. The maximum number of seconds you permit the Agent Proxy postStart lifecycle hook to run before failing Client Workload pod deployment. See Delaying pod startup until the Agent Proxy has registered. Example: 100 |
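
The Agent Proxy table carries its own dependencies: a complete Agent Controller location, the Kerberos and privileged-keytab pairing, and the enumerated SIGTERM strategies. This is an added example, not Aembit code: check_proxy_env, _port and os_name are hypothetical, and three checks are this example's own interpretation or choice (requiring AEMBIT_PRIVILEGED_KEYTAB=true, the port-collision check, and strict CIDR parsing).

```python
# Added example (not Aembit code): preflight check for Agent Proxy variables.
import ipaddress
from urllib.parse import urlsplit

PROXY_LOG_LEVELS = {"error", "warn", "info", "debug", "trace", "off"}
SIGTERM_STRATEGIES = {"immediate", "sigkill"}


def _port(env, name, default):
    """Return the port as an int, or None if it is not in 1..65535."""
    raw = env.get(name, str(default)).strip()
    return int(raw) if raw.isdecimal() and 0 < int(raw) < 65536 else None


def check_proxy_env(env, os_name="linux"):
    """Return a list of problems; check_proxy_env is a hypothetical helper."""
    problems = []
    val = lambda name: env.get(name, "").strip()
    try:  # required: scheme, host and port of the Agent Controller
        url = urlsplit(val("AEMBIT_AGENT_CONTROLLER"))
        complete = bool(url.scheme and url.hostname and url.port)
    except ValueError:
        complete = False
    if not complete:
        problems.append("AEMBIT_AGENT_CONTROLLER needs scheme, host and port")
    http_port = _port(env, "AEMBIT_HTTP_SERVER_PORT", 8000)
    metrics_port = _port(env, "AEMBIT_METRICS_PORT", 9099)
    if http_port is None or metrics_port is None:
        problems.append("ports must be integers in 1..65535")
    elif http_port == metrics_port:  # assumption: both listeners share a host
        problems.append("AEMBIT_HTTP_SERVER_PORT collides with AEMBIT_METRICS_PORT")
    if val("AEMBIT_LOG"):
        problems.append("AEMBIT_LOG is deprecated; use AEMBIT_LOG_LEVEL")
    level = (val("AEMBIT_LOG_LEVEL") or val("AEMBIT_LOG") or "info").lower()
    if level not in PROXY_LOG_LEVELS:
        problems.append(f"unsupported log level: {level}")
    if os_name == "linux":  # the variables below are Linux-only in the table
        kerberos = val("AEMBIT_KERBEROS_ATTESTATION_ENABLED").lower() == "true"
        # Interpretation: "mandatory" is read as "must be set to true".
        if kerberos and val("AEMBIT_PRIVILEGED_KEYTAB").lower() != "true":
            problems.append("Kerberos attestation needs AEMBIT_PRIVILEGED_KEYTAB=true")
        if (val("AEMBIT_SIGTERM_STRATEGY") or "immediate") not in SIGTERM_STRATEGIES:
            problems.append("AEMBIT_SIGTERM_STRATEGY must be immediate or sigkill")
        if val("AEMBIT_DOCKER_CONTAINER_CIDR"):
            try:  # strict parsing (host bits must be zero) is this example's choice
                ipaddress.ip_network(val("AEMBIT_DOCKER_CONTAINER_CIDR"))
            except ValueError:
                problems.append("AEMBIT_DOCKER_CONTAINER_CIDR is not a valid CIDR")
    return problems
```
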
Agent Injector environment variables
Name | OS | Description |
---|---|---|
AEMBIT_LOG | All | Set the Agent Injector log level. The supported levels include error, warn, info (default value), debug, trace, and off. See Log level reference for details. Example: warn |