Installation
AIOStack deploys as a DaemonSet on every node in your cluster. Installation takes under 10 minutes and requires no changes to your applications.
One-line installer (recommended)
The fastest way to get started. The interactive installer checks prerequisites, prompts for your Company ID, and walks you through cloud IAM setup — generating ready-to-run commands with your account ID, OIDC issuer, cluster name, and namespace already filled in. No manual substitution required.
curl -fsSL https://aurva.ai/install.sh | bash
The installer runs 8 steps: prerequisites check → Helm repo setup → credentials → namespace → environment settings → IAM access → configuration review → deployment verification. At the IAM step it detects your cloud provider and prints copy-paste commands pre-populated with your actual account details.
To reuse a saved config from a previous run:
curl -fsSL https://aurva.ai/install.sh | bash -s -- --config aiostack-config.yaml
Manual Helm installation
The following prerequisites and steps are for teams who prefer to install directly with Helm rather than using the one-line installer.
Prerequisites
Tools
- Kubernetes 1.29+ with eBPF support enabled on nodes
- Linux kernel 5.15+ on all cluster nodes
- Helm 3.x installed and configured
- kubectl with access to your target cluster
- An Aurva account and Company ID — sign up at app.aurva.ai
uname -r. On managed Kubernetes (GKE, EKS, AKS), most standard node images with kernel 5.15+ are supported. Contact support@aurva.io if you need help validating your environment.
Cloud IAM access
AIOStack's outpost component needs read-only cloud API access to enumerate IAM roles, RDS instances, and S3 buckets in your account. This is configured via a cloud service account before installation.
On AWS, the outpost uses IAM Roles for Service Accounts (IRSA). Create an IAM role with the following read-only permissions and bind it to the aiostack-outpost-sa Kubernetes service account.
Required IAM permissions:
| Scope | Actions |
|---|---|
| IAM inventory | iam:ListRoles iam:GetRole iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:ListRolePolicies iam:GetRolePolicy |
| RDS inventory | rds:DescribeDBInstances rds:DescribeDBClusters rds:DescribeDBSubnetGroups rds:ListTagsForResource |
| S3 inventory | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketPublicAccessBlock s3:GetBucketTagging s3:GetBucketVersioning s3:GetBucketAcl |
Setup commands (replace YOUR_ACCOUNT_ID, REGION, and YOUR_OIDC_ID with your values):
# 1. Create the IAM policy
aws iam create-policy \
  --policy-name AIOStackOutpostSecureReadOnlyPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "IAMInventory",
        "Effect": "Allow",
        "Action": [
          "iam:ListRoles","iam:GetRole",
          "iam:ListAttachedRolePolicies","iam:GetPolicy","iam:GetPolicyVersion",
          "iam:ListRolePolicies","iam:GetRolePolicy"
        ],
        "Resource": "*"
      },
      {
        "Sid": "RDSDatasourceInventory",
        "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances","rds:DescribeDBClusters",
          "rds:DescribeDBSubnetGroups","rds:ListTagsForResource"
        ],
        "Resource": "*"
      },
      {
        "Sid": "S3DatasourceInventory",
        "Effect": "Allow",
        "Action": [
          "s3:ListAllMyBuckets","s3:GetBucketLocation",
          "s3:GetBucketPublicAccessBlock","s3:GetBucketTagging",
          "s3:GetBucketVersioning","s3:GetBucketAcl"
        ],
        "Resource": "*"
      }
    ]
  }'

# 2. Create the role with OIDC trust for the AIOStack service account
aws iam create-role \
  --role-name aiostack-outpost-secure-readonly-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/YOUR_OIDC_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {"StringEquals": {
        "oidc.eks.REGION.amazonaws.com/id/YOUR_OIDC_ID:sub": "system:serviceaccount:aiostack:aiostack-outpost-sa",
        "oidc.eks.REGION.amazonaws.com/id/YOUR_OIDC_ID:aud": "sts.amazonaws.com"
      }}
    }]
  }'

# 3. Attach the policy to the role
aws iam attach-role-policy \
  --role-name aiostack-outpost-secure-readonly-role \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/AIOStackOutpostSecureReadOnlyPolicy
Keep the resulting role ARN (arn:aws:iam::YOUR_ACCOUNT_ID:role/aiostack-outpost-secure-readonly-role) — you'll need it during installation.
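The trust policy in step 2 is what restricts the role to a single workload: it pins the token's sub to the aiostack-outpost-sa service account and its aud to sts.amazonaws.com, both under StringEquals. The check below is an added example, not part of Aurva's installer or documentation; it reports a trust policy that loosens either condition and any permission action that is not a List/Get/Describe call. The issuer, account ID and function names are constructed for illustration, and condition values are assumed to be single strings.

```python
# Constructed values standing in for YOUR_ACCOUNT_ID, REGION and YOUR_OIDC_ID.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"
EXPECTED_SUB = "system:serviceaccount:aiostack:aiostack-outpost-sa"
READ_VERBS = ("List", "Get", "Describe")

def make_trust(operator, sub, with_aud=True):
    """Build a trust policy shaped like step 2 (constructed sample input)."""
    cond = {f"{ISSUER}:sub": sub}
    if with_aud:
        cond[f"{ISSUER}:aud"] = "sts.amazonaws.com"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": {operator: cond}}]}

def audit_trust(policy, expected_sub=EXPECTED_SUB):
    """Return findings; an empty list means only expected_sub can assume the role."""
    findings = []
    for n, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        provider = stmt.get("Principal", {}).get("Federated", "")
        if ":oidc-provider/" not in provider:
            findings.append(f"statement {n}: principal is not an OIDC provider")
            continue
        # Condition keys are prefixed with the issuer taken from the provider ARN.
        issuer = provider.split(":oidc-provider/", 1)[1]
        cond = stmt.get("Condition", {})
        for op in cond:
            if op != "StringEquals":
                findings.append(f"statement {n}: {op} is not an exact match")
        exact = cond.get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != expected_sub:
            findings.append(f"statement {n}: sub is not pinned to {expected_sub}")
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {n}: aud is not pinned to sts.amazonaws.com")
    return findings

def write_actions(policy):
    """Return actions in a permission policy whose verb is not List/Get/Describe."""
    actions = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"]
        actions += [acts] if isinstance(acts, str) else acts
    return [a for a in actions if not a.split(":", 1)[-1].startswith(READ_VERBS)]

if __name__ == "__main__":
    for finding in audit_trust(make_trust("StringLike", "system:serviceaccount:aiostack:*")):
        print(finding)
```

To audit a deployed role, feed the functions the JSON returned by aws iam get-role (the AssumeRolePolicyDocument field) and aws iam get-policy-version.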
On GCP, the outpost uses Workload Identity to impersonate a GCP service account. Create a service account with roles/iam.securityReviewer and bind it to the aiostack-outpost-sa Kubernetes service account.
Setup commands — replace YOUR_PROJECT_ID with your GCP project:
# 1. Create the GCP service account
gcloud iam service-accounts create aiostack-outpost \
  --project=YOUR_PROJECT_ID \
  --display-name="AIOStack Outpost"

# 2. Grant IAM read permissions
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:aiostack-outpost@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.securityReviewer"

# 3. Allow the Kubernetes SA to impersonate the GCP SA
gcloud iam service-accounts add-iam-policy-binding \
  aiostack-outpost@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:YOUR_PROJECT_ID.svc.id.goog[aiostack/aiostack-outpost-sa]"
Keep the service account email (aiostack-outpost@YOUR_PROJECT_ID.iam.gserviceaccount.com) — you'll need it during installation.
IAM access is optional — the installer lets you skip it. Without it, the outpost cannot enumerate IAM roles, RDS instances, or S3 buckets, which reduces identity chain and datasource visibility.
Helm installation
For production deployments or GitOps workflows:
Add the Aurva Helm repository
helm repo add aiostack https://charts.aurva.ai/
helm repo update
Create a namespace
kubectl create namespace aiostack
Install AIOStack
Replace <YOUR_COMPANY_ID> with your ID from app.aurva.ai:
# Quote each --set argument so the shell does not treat [3] as a glob pattern
helm install myaiostack aiostack/aiostack \
  --namespace aiostack \
  --set 'outpost.env[3].name=COMPANY_ID' \
  --set 'outpost.env[3].value=<YOUR_COMPANY_ID>' \
  --set 'outpost.env[2].name=COMMANDER_URL' \
  --set 'outpost.env[2].value=hq.aurva.ai:443'
With AWS IRSA — add the IAM role ARN:
# Quote each --set argument so the shell does not treat [3] as a glob pattern
helm install myaiostack aiostack/aiostack \
  --namespace aiostack \
  --set 'outpost.env[3].name=COMPANY_ID' \
  --set 'outpost.env[3].value=<YOUR_COMPANY_ID>' \
  --set 'outpost.serviceAccount.aws.iamRoleArn=<YOUR_ROLE_ARN>'
With GCP Workload Identity — add the service account email:
# Quote each --set argument so the shell does not treat [3] as a glob pattern
helm install myaiostack aiostack/aiostack \
  --namespace aiostack \
  --set 'outpost.env[3].name=COMPANY_ID' \
  --set 'outpost.env[3].value=<YOUR_COMPANY_ID>' \
  --set 'outpost.serviceAccount.gcp.serviceAccount=<YOUR_GCP_SA_EMAIL>'
Verify the deployment
kubectl get pods -n aiostack
You should see one observer (DaemonSet) pod per node and one outpost pod. All should reach Running within a minute or two.
Open the console
Sign in to app.aurva.ai. Your cluster's runtime inventory will begin populating within a few minutes — agents, identities, data access, and destinations appear as AIOStack observes live traffic.
Configuration reference
| Parameter | Default | Description |
|---|---|---|
| outpost.env[3].value (COMPANY_ID) | — | Your Aurva Company ID (required) |
| outpost.env[2].value (COMMANDER_URL) | hq.aurva.ai:443 | AIOStack control plane endpoint |
| outpost.env[0].value (SKIP_NAMESPACES) | kube-system,aiostack,... | Namespaces excluded from monitoring |
| outpost.env[1].value (INSECURE_SKIP_VERIFY) | true | Skip TLS verification — set to false in production |
| outpost.serviceAccount.aws.iamRoleArn | — | AWS IAM role ARN for IRSA (optional) |
| outpost.serviceAccount.gcp.serviceAccount | — | GCP service account email for Workload Identity (optional) |
| observer.version | latest | Observer (eBPF agent) image version |
| outpost.version | trueID-delta | Outpost image version |