Deploy Hermes Agent
to Any Cloud —
In One Command.
A beautiful, wizard-first CLI that provisions your Hermes Agent on AWS, GCP, or Azure — with IAM permission profiles, persistent EBS storage, built-in billing insights, and one-command instance migration.
Hermes Agent v0.14.0
The biggest release yet — PyPI distribution, 22 messaging platforms, Windows beta, a local proxy, LSP diagnostics, live handoffs, and a built-in web dashboard.
Multi-Cloud Redundancy
Deploy to two clouds simultaneously with automatic failover. hermes-deploy deploy --redundant gcp keeps you online even if one region goes down.
GitHub Actions Integration
Generate a tailored CI/CD workflow with hermes-deploy ci-setup. Auto-deploy on PR, destroy on close, upgrade on merge to main.
GCP Capability Packs
13 opt-in packs — Secret Manager, Vertex AI, BigQuery, Cloud Run and more. Mix presets with extra packs in one flag.
rekipedia VS Code Extension
Ask, Search, and Wiki sidebar — full rekipedia integration inside VS Code. Scan any workspace from the command palette.
pip install hermes-agent
Now a first-class PyPI package — install in seconds, no manual setup.
22 Messaging Platforms
LINE and SimpleX added. Slack, Discord, Telegram, WhatsApp, and 18 more.
Windows Beta Support
Run Hermes Agent natively on Windows — no WSL required.
hermes proxy
OpenAI-compatible local proxy — drop-in for any app that speaks the OpenAI API.
LSP Semantic Diagnostics
Live language-server diagnostics injected on every file write.
/handoff Command
Transfer a live session between models mid-conversation without losing context.
hermes web Dashboard
Built-in FastAPI + React SPA — monitor agents, logs, and tasks in real time.
Everything you need. Nothing you don't.
A self-contained Bash CLI that handles provisioning, secret wiring, and first-boot configuration — no GUI, no SaaS dependency.
Beautiful Wizard TUI
Step-by-step interactive wizard powered by Charm gum. Real-time progress spinners, masked secret input, and colour-coded summaries — all in your terminal.
Multi-Cloud, One Tool
AWS EC2, Google Compute Engine, and Azure VM supported out of the box. Each cloud uses Terraform under the hood for reproducible, destroy-safe infrastructure.
IAM Permission Profiles
Choose minimal, S3, Billing, RDS, or full access — the wizard attaches the right IAM policies, Azure RBAC roles, or GCP IAM bindings automatically. Zero manual console work.
Built-in Billing Insights
Run hermes-agent-cloud billing to query AWS Cost Explorer, GCP Billing, or Azure Cost Management — cost breakdown by service, budget alerts, and monthly totals.
One wizard. Three clouds today.
Every cloud provider ships its own Terraform module, IAM wiring, and secret injection strategy — all consistent from the CLI's perspective, with other VPS platforms on the roadmap.
Amazon Web Services
18 regions pre-validated
- EC2Ubuntu 24.04 · t3.large default
- SSM Parameter StoreSecureString · /hermes/* prefix
- IAM Instance ProfileSSMManagedInstanceCore + inline
- Security GroupSSH 22 + Gateway 8080 by CIDR
Fetches latest Ubuntu 24.04 AMI automatically
Google Cloud Platform
10 regions pre-validated
- Compute Enginee2-standard-2 · Ubuntu 24.04 LTS
- Secret ManagerCMEK optional · per-secret IAM binding
- Service AccountsecretAccessor role per secret
- Firewall rulesTag-scoped · SSH + 8080
Enables Secret Manager & Compute APIs automatically
Microsoft Azure
12 locations pre-validated
- Virtual MachineStandard_D2s_v3 · Ubuntu 24.04
- Azure Key VaultHSM-backed · Managed Identity access
- Managed IdentitySystemAssigned · auto key-vault access
- NSG + VNetDedicated subnet · 2 inbound rules
Resource group created and tagged per deploy
Next: Bring Your Own VPS (SSH bootstrap), then provider adapters for additional VPS platforms.
Zero compromises.
Every detail of the deploy experience is handled so you can focus on building with Hermes Agent — not debugging infra.
Interactive Wizard
Step-by-step gum wizard for every cloud
IAM Permission Profiles
Attach S3, Billing, RDS/SQL policies from the wizard — no manual IAM console
Built-in Billing Insights
hermes-agent-cloud billing — cost summary, top services, and budget alerts
RDS / Cloud SQL Access
Full database access profile for AWS RDS, GCP Cloud SQL, and Azure SQL
S3 / Blob Storage Access
Read/write access to AWS S3, GCP Cloud Storage, and Azure Blob Storage
GCP Capability Packs
13 opt-in packs: Secret Manager, Vertex AI, BigQuery, Cloud Run, KMS, and more
Docker Sandbox
5 GB RAM · 50 GB disk · container isolation
Systemd Auto-start
hermes-gateway boots on every instance reboot
hermes doctor
7-point health check runs after every deploy
Post-deploy Access Guide
SSH, gateway, logs, and destroy — all in one output
Masked Secret Input
API keys never echo to screen or shell history
Dynamic IP Update
hermes-deploy update-ip — re-sync firewall rules when your local IP changes
1-line Install
curl | bash · auto-detects macOS or Linux
gp3 / SSD Disks
Encrypted root disks on all three clouds
Self-update Check
CLI warns you on launch if a newer version is available on GitHub
Multi-Cloud Redundancy
Active/standby across AWS, GCP, Azure with one-command failover
GitHub Actions CI/CD
Auto-generate deploy workflows for PR staging, merge upgrades, health checks
Bitwarden Secrets
Pull API keys directly from Bitwarden Secrets Manager vault
Backup & Restore
One-command snapshot of skills/memory/config to S3, GCS or Azure Blob
From zero to live agent in minutes.
Four straightforward steps. No Terraform knowledge required.
Install the CLI
Run the one-line installer — it auto-detects macOS or Linux, installs gum, Terraform, and jq, then symlinks the binary to /usr/local/bin.
curl -sSL https://raw.githubusercontent.com/unrealandychan/Hermes-Agent-Cloud/main/cli/install.sh | bashRun the wizard
Type hermes-deploy and follow the interactive prompts. Choose your cloud, region, instance size, and configure your LLM API keys — all step-by-step. GCP users can also pick a preset (minimal, dev-agent, ai-agent…) and mix in extra capability packs.
hermes-deployChoose permissions & deploy
Select an IAM permission profile (S3, Billing, RDS, or custom). The CLI calls terraform apply and automatically attaches the right cloud policies. A live spinner tracks every step.
hermes-deploy deploy --cloud awsManage & monitor costs
SSH in, stream logs, rotate secrets, or run hermes-deploy billing to check your cloud spend, service breakdown, and budget alerts — all without leaving the CLI.
hermes-deploy billingBuilt secure from the ground up.
Security is not a checkbox — it is the default configuration in every cloud, every deploy, every time.
Secrets never leave your cloud
API keys are written to AWS SSM Parameter Store, GCP Secret Manager, or Azure Key Vault via Terraform — and fetched at boot over IAM-native metadata endpoints. No key ever passes through Hermes Agent Cloud's process.
Masked terminal input
All secret fields use gum input --password — the keystrokes are never echoed, never stored in shell history, and never written to a log file.
IP-restricted firewall
SSH (22) and the gateway (8080) are locked to your public IP via the allowed_cidr Terraform variable. No ports are world-open by default.
IAM least-privilege
EC2 instance roles, GCP Service Accounts, and Azure Managed Identities are each scoped to read only the secrets created for that deployment — nothing more.
Encrypted root disks
AWS uses gp3 encrypted EBS volumes. GCP uses pd-ssd with AES-256 Google-managed keys. Azure uses Premium_LRS with encryption-at-rest.
One line. Any machine.
Installs gum, Terraform, jq, and Hermes Agent Cloud. Works on macOS and Debian/Ubuntu Linux.
curl -sSL https://raw.githubusercontent.com/unrealandychan/Hermes-Agent-Cloud/main/cli/install.sh | bashOr clone manually: git clone https://github.com/unrealandychan/Hermes-Agent-Cloud && cd Hermes-Agent-Cloud && ./install.sh
Available Commands
hermes-deployLaunch interactive wizardhermes-deploy deploy --cloud awsDeploy to AWS (flags mode)hermes-deploy deploy --cloud gcp --preset ai-agent --packs vertexai,storageGCP deploy with AI preset + extra packshermes-deploy openOpen gateway URL in browserhermes-deploy tunnelSSH tunnel to gateway (port 8080)hermes-deploy update-ipRe-sync firewall to your current IPhermes-deploy status --cloud azureShow running instance infohermes-deploy ssh --cloud gcpSSH into the instancehermes-deploy logs --cloud awsTail journalctl logshermes-deploy secrets --cloud azureUpdate API keys in Key Vaulthermes-deploy billingCost summary, top services, budget alertshermes-deploy destroy --cloud awsTear down infra completelyPrerequisites
- →Cloud CLI (aws / az / gcloud) with valid credentials
- →Terraform ≥ 1.6 (installer will set this up)
- →gum ≥ 0.14 (installer will set this up)
- →At least one LLM API key (OpenRouter, OpenAI, Anthropic, or Gemini)
THE BUILDER
About the Author
Hermes Agent Cloud is built and maintained by Eddie Chan, an AI engineer based in Hong Kong.
Eddie Chan
AI Engineer · Hong Kong
Passionate about building agents that actually work in production. I created Hermes Agent Cloud because deploying AI infrastructure should be a first-class experience — not a Terraform archaeology project.
AI Engineer
Building production AI agent systems and multi-agent orchestration frameworks. Specialises in LLM tooling, agentic workflows, and cloud-native AI infrastructure.
Technical Writer · Medium
Writing deep-dive articles on distributed systems, AI architecture, and engineering craft. Covering topics from Martin Kleppmann's DDIA to hands-on LLM agent patterns.
Open Source Builder
Maintains Hermes Agent Cloud and close-wiki — tools built out of real frustration with painful developer workflows. Everything ships with proper CLI UX and zero magic.
“Good tooling should feel like magic the first time — and stay out of your way every time after that. That’s the bar I hold Hermes Agent Cloud to.”
— Eddie Chan