Installing armoctl

Overview

armoctl is a CLI tool for instrumenting ECS task definitions with the ARMO runtime security agent. It is used to patch Fargate task definitions with the ARMO ptrace sidecar for runtime monitoring.

Installation

Install the latest armoctl:

curl -fsSL https://package-distribution.armosec.io/armoctl/install.sh | bash

Verify the installation:

armoctl --help

Check the installed version:

armoctl version

Authentication

armoctl uses two separate sets of credentials:

ARMO credentials — required for operations that register or deploy task definitions (--register for patch, --deploy for instrument). Local patching without these flags does not require ARMO authentication.

AWS credentials — resolved through the standard AWS SDK credential chain (environment variables, ~/.aws/credentials, IAM role, etc.). Required when fetching a task definition from an ARN or a running service, and for registering or deploying task definitions.

Providing ARMO Credentials

You can provide ARMO credentials in three ways:

CLI flags:

armoctl --customer-guid <GUID> --access-key <KEY> ecs patch ...

Environment variables:

export ARMO_CUSTOMER_GUID=<YOUR_CUSTOMER_GUID>
export ARMO_ACCESS_KEY=<YOUR_ACCESS_KEY>

Config file (~/.armoctl/config.yaml):

customer-guid: <YOUR_CUSTOMER_GUID>
access-key: <YOUR_ACCESS_KEY>
api-url: cloud.armosec.io

Your ARMO Account ID (Customer GUID) and Access Key are available from the ARMO Platform.

🚧

The URLs used in this guide (cloud.armosec.io for the platform and https://api.armosec.io for the API) are for the default ARMO environment. Verify what are the correct URLs for you before proceeding.

Global Flags

Available Commands

For detailed usage of ECS commands, see the ECS Fargate installation guide.

Next Steps

• Install the ptrace agent on ECS Fargate
• Install the ECS agent on EC2