Deploy Hermes Agent to Any Cloud — In One Command.
A beautiful, wizard-first CLI that provisions your Hermes Agent on AWS, Azure, or GCP — with IAM permission profiles, persistent EBS storage, built-in billing insights, and one-command instance migration.
Everything you need. Nothing you don't.
A self-contained Bash CLI that handles provisioning, secret wiring, and first-boot configuration — no GUI, no SaaS dependency.
Beautiful Wizard TUI
Step-by-step interactive wizard powered by Charm gum. Real-time progress spinners, masked secret input, and colour-coded summaries — all in your terminal.
Multi-Cloud, One Tool
AWS EC2, Azure VM, and Google Compute Engine supported out of the box. Each cloud uses Terraform under the hood for reproducible, destroy-safe infrastructure.
IAM Permission Profiles
Choose minimal, S3, Billing, RDS, or full access — the wizard attaches the right IAM policies, Azure RBAC roles, or GCP IAM bindings automatically. Zero manual console work.
Built-in Billing Insights
Run hermes-agent-cloud billing to query AWS Cost Explorer, Azure Cost Management, or GCP Billing — cost breakdown by service, budget alerts, and monthly totals.
One wizard. Three clouds.
Every cloud provider ships its own Terraform module, IAM wiring, and secret injection strategy — all consistent from the CLI's perspective.
Amazon Web Services
18 regions pre-validated
- EC2: Ubuntu 24.04 · t3.large default
- SSM Parameter Store: SecureString · /hermes/* prefix
- IAM Instance Profile: SSMManagedInstanceCore + inline
- Security Group: SSH 22 + Gateway 8080 by CIDR
Fetches latest Ubuntu 24.04 AMI automatically
Microsoft Azure
12 locations pre-validated
- Virtual Machine: Standard_D2s_v3 · Ubuntu 24.04
- Azure Key Vault: HSM-backed · Managed Identity access
- Managed Identity: SystemAssigned · auto key-vault access
- NSG + VNet: Dedicated subnet · 2 inbound rules
Resource group created and tagged per deploy
Google Cloud Platform
10 regions pre-validated
- Compute Engine: e2-standard-2 · Ubuntu 24.04 LTS
- Secret Manager: CMEK optional · per-secret IAM binding
- Service Account: secretAccessor role per secret
- Firewall rules: Tag-scoped · SSH + 8080
Enables Secret Manager & Compute APIs automatically
Zero compromises.
Every detail of the deploy experience is handled so you can focus on building with Hermes Agent — not debugging infra.
Interactive Wizard
Step-by-step gum wizard for every cloud
IAM Permission Profiles
Attach S3, Billing, RDS/SQL policies from the wizard — no manual IAM console
Built-in Billing Insights
hermes-agent-cloud billing — cost summary, top services, and budget alerts
RDS / Cloud SQL Access
Full database access profile for AWS RDS, Azure SQL, and GCP Cloud SQL
S3 / Blob Storage Access
Read/write access to AWS S3, Azure Blob Storage, and GCP Cloud Storage
Docker Sandbox
5 GB RAM · 50 GB disk · container isolation
Systemd Auto-start
hermes-gateway boots on every instance reboot
hermes doctor
7-point health check runs after every deploy
Post-deploy Access Guide
SSH, gateway, logs, and destroy — all in one output
Masked Secret Input
API keys never echo to screen or shell history
1-line Install
curl | bash · auto-detects macOS or Linux
gp3 / SSD Disks
Encrypted root disks on all three clouds
From zero to live agent in minutes.
Four straightforward steps. No Terraform knowledge required.
Install the CLI
Run the one-line installer — it auto-detects macOS or Linux, installs gum, Terraform, and jq, then symlinks the binary to /usr/local/bin.
curl -sSL https://raw.githubusercontent.com/unrealandychan/Hermes-Agent-Cloud/main/cli/install.sh | bash
Run the wizard
Type hermes-agent-cloud and follow the interactive prompts. Choose your cloud, region, instance size, and configure your LLM API keys — all step-by-step.
hermes-agent-cloud
Choose permissions & deploy
Select an IAM permission profile (S3, Billing, RDS, or custom). The CLI calls terraform apply and automatically attaches the right cloud policies. A live spinner tracks every step.
hermes-agent-cloud deploy --cloud aws
Manage & monitor costs
SSH in, stream logs, rotate secrets, or run hermes-agent-cloud billing to check your cloud spend, service breakdown, and budget alerts — all without leaving the CLI.
hermes-agent-cloud billing
Built secure from the ground up.
Security is not a checkbox — it is the default configuration in every cloud, every deploy, every time.
Secrets never leave your cloud
API keys are written to AWS SSM Parameter Store, Azure Key Vault, or GCP Secret Manager via Terraform — and fetched at boot over IAM-native metadata endpoints. No key ever passes through Hermes Agent Cloud's process.
Masked terminal input
All secret fields use gum input --password — the keystrokes are never echoed, never stored in shell history, and never written to a log file.
IP-restricted firewall
SSH (22) and the gateway (8080) are locked to your public IP via the allowed_cidr Terraform variable. No ports are world-open by default.
IAM least-privilege
EC2 instance roles, Azure Managed Identities, and GCP Service Accounts are each scoped to read only the secrets created for that deployment — nothing more.
Encrypted root disks
AWS uses gp3 encrypted EBS volumes. Azure uses Premium_LRS with encryption-at-rest. GCP uses pd-ssd with AES-256 Google-managed keys.
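An added example, not part of the Hermes Agent Cloud code base: a POSIX shell pre-flight check for a value destined for the allowed_cidr variable described under "IP-restricted firewall", so that a world-open or overly broad range is caught before a deploy opens SSH 22 and gateway 8080. The helper names check_allowed_cidr and cidr_reject, and the default of /32 (a single host), are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of hermes-agent-cloud): validate a value intended
# for the allowed_cidr Terraform variable before any deploy step uses it.
# check_allowed_cidr and cidr_reject are hypothetical helper names.

cidr_reject() { echo "allowed_cidr rejected: $*" >&2; exit 1; }

# usage: check_allowed_cidr CIDR [MIN_PREFIX]
# Prints CIDR and returns 0 when it is well-formed IPv4 CIDR no broader than
# /MIN_PREFIX (default 32, i.e. a single host). Returns 1 otherwise.
# The body runs in a subshell, so IFS/set -f changes and exit stay local.
check_allowed_cidr() (
  cidr=$1
  min_prefix=${2:-32}

  case $cidr in
    */*/*) cidr_reject "more than one '/' in '$cidr'" ;;
    */*) ;;
    *) cidr_reject "'$cidr' has no /prefix" ;;
  esac
  ip=${cidr%/*}
  prefix=${cidr#*/}

  # Prefix: one or two digits, 0..32.
  case $prefix in
    ''|*[!0-9]*|???*) cidr_reject "bad prefix '$prefix'" ;;
  esac
  [ "$prefix" -le 32 ] || cidr_reject "prefix /$prefix out of range"

  # Address: digits and dots only, no empty octets (this also rejects IPv6).
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) cidr_reject "'$ip' is not a dotted IPv4 address" ;;
  esac
  set -f; IFS=.
  set -- $ip
  [ $# -eq 4 ] || cidr_reject "'$ip' does not have four octets"
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || cidr_reject "octet '$o' out of range"
  done

  # Policy: never world-open, and no broader than the caller allows.
  [ "$prefix" -ne 0 ] || cidr_reject "/0 exposes SSH 22 and gateway 8080 to every address"
  [ "$prefix" -ge "$min_prefix" ] || cidr_reject "/$prefix is broader than /$min_prefix"

  printf '%s\n' "$cidr"
)
```

Pass a second argument such as 24 to accept an office or VPN range; the addresses used to exercise it should come from your own network, not from this page.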
One line. Any machine.
Installs gum, Terraform, jq, and Hermes Agent Cloud. Works on macOS and Debian/Ubuntu Linux.
curl -sSL https://raw.githubusercontent.com/unrealandychan/Hermes-Agent-Cloud/main/cli/install.sh | bash
Or clone manually:
git clone https://github.com/unrealandychan/Hermes-Agent-Cloud && cd Hermes-Agent-Cloud && ./install.sh
Available Commands
hermes-agent-cloud                          Launch interactive wizard
hermes-agent-cloud deploy --cloud aws       Deploy to AWS (flags mode)
hermes-agent-cloud status --cloud azure     Show running instance info
hermes-agent-cloud ssh --cloud gcp          SSH into the instance
hermes-agent-cloud logs --cloud aws         Tail journalctl logs
hermes-agent-cloud secrets --cloud azure    Update API keys in Key Vault
hermes-agent-cloud destroy --cloud aws      Tear down infra completely
Prerequisites
- Cloud CLI (aws / az / gcloud) with valid credentials
- Terraform ≥ 1.6 (installer will set this up)
- gum ≥ 0.14 (installer will set this up)
- At least one LLM API key (OpenRouter, OpenAI, Anthropic, or Gemini)
THE BUILDER
About the Author
Hermes Agent Cloud is built and maintained by Eddie Chan, an AI engineer based in Hong Kong.
Eddie Chan
AI Engineer · Hong Kong
Passionate about building agents that actually work in production. I created Hermes Agent Cloud because deploying AI infrastructure should be a first-class experience — not a Terraform archaeology project.
AI Engineer
Building production AI agent systems and multi-agent orchestration frameworks. Specialises in LLM tooling, agentic workflows, and cloud-native AI infrastructure.
Technical Writer · Medium
Writing deep-dive articles on distributed systems, AI architecture, and engineering craft. Covering topics from Martin Kleppmann's DDIA to hands-on LLM agent patterns.
Open Source Builder
Maintains Hermes Agent Cloud and close-wiki — tools built out of real frustration with painful developer workflows. Everything ships with proper CLI UX and zero magic.
“Good tooling should feel like magic the first time — and stay out of your way every time after that. That’s the bar I hold Hermes Agent Cloud to.”
— Eddie Chan