Getting started with Queen

How enrolling a machine with Queen will work. Queen is in active design; the shapes below are decided, and the exact command names are pinned as the first releases land.

#Status

Queen is in the specification stage. The flow below is the design; treat it as what to expect, not a shipped command set.

#1. Start from a working Apiary

Queen layers on top of the local Apiary. If you have not already, install the stack on each machine:

# macOS or Linux
curl -fsSL https://get.theapiary.sh | sh
# Windows (PowerShell)
irm https://get.theapiary.sh/install.ps1 | iex

That gives you the local stack with the Hive portal at 127.0.0.1:3853. Queen's cloud enrollment is what connects those machines into a fleet.

#2. Pair a machine to your deployment

Each machine binds once to a cloud deployment. This is a required step; the local Queen agent is inert until it is paired.

queen pair

#3. Check the local view

The Queen agent has no local dashboard by design, because fleet and ROI data belong behind the cloud application's sign-in, not on a loopback port on a possibly throwaway machine. The local view is a command:

queen status

This prints the machine's binding, its identity, and its presence state.

#4. Add a second machine with a join token

On a machine that is already trusted, mint a short-lived join token. On the new machine, redeem it. The token is single-use, low-privilege, and expires; it cannot read memory or decrypt anything.

# on the trusted machine
queen enroll-token create

# on the new machine
queen enroll --token <token>

One heartbeat later, the new machine shows up as healthy on the fleet dashboard. No browser on the server, no credential in a config file, no shared key.
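The token properties described in this step (single-use, expiring, low-privilege) can be modelled in a few lines. This is an added illustration, not Queen's code: the class name, the 600-second lifetime, the `enroll` scope label and the deployment name are assumptions, since the page does not specify Queen's token format.

```python
import hashlib
import secrets
import time


class JoinTokenStore:
    """Hypothetical server-side model of a short-lived, single-use join token."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds   # assumed lifetime; the page gives no figure
        self.clock = clock       # injectable so expiry can be exercised offline
        self._pending = {}       # sha256(token) -> (deployment, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, deployment):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is kept, so a leaked store does not yield usable tokens.
        self._pending[self._digest(token)] = (deployment, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        # pop() consumes the record before any other check, so a replayed
        # token finds nothing, whether or not the first attempt succeeded.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None                    # unknown or already used
        deployment, expires_at = record
        if self.clock() >= expires_at:
            return None                    # expired
        # Low privilege: the grant names one deployment and one action only.
        return {"deployment": deployment, "scope": "enroll"}


def demo():
    now = [1000.0]                         # constructed clock value
    store = JoinTokenStore(ttl_seconds=600, clock=lambda: now[0])
    t1 = store.create("deployment-example")
    first, replay = store.redeem(t1), store.redeem(t1)
    t2 = store.create("deployment-example")
    now[0] += 601                          # move past the lifetime
    return first, replay, store.redeem(t2)


if __name__ == "__main__":
    print(demo())
```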

#5. Revoke cleanly

If a machine is lost or a person leaves, there are two honest steps: revoke the device in Queen (a control-plane action) and rotate the shared memory credential (a data-plane action). Per-agent identity means one revocation cuts off one agent, not the fleet.

#What next