E2B on AWS provides a secure, scalable, and customizable environment for running AI agent sandboxes in your own AWS account. This project addresses the growing need for organizations to maintain control over their AI infrastructure while leveraging the power of E2B's sandbox technology for AI agent development, testing, and deployment.
This project is built based on version 0c35ed5c3b8492f96d1e0bbfb91fff96541a8c74 (Jul 1). This E2B deployment can be used for testing purposes. If you encounter any issues, please contact the relevant team members or submit a PR directly. We would like to express our special thanks to all contributors involved in the project transformation.
- Prerequisites
- How to Deploy
- Using E2B CLI
- E2B SDK Cookbook
- Troubleshooting
- Resource Cleanup Recommendations
- Appendix
- Architecture Diagram
-
An AWS account with appropriate permissions
-
A domain name that you own(Cloudflare is recommended)
-
Recommended for monitoring and logging
- Grafana Account & Stack (see Step 15 for detailed notes)
- Posthog Account (optional)
Production Security Checklist: Before deploying to production, verify these critical security and reliability settings are enabled:
DB_INSTANCE_BACKUP_ENABLEDRDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLEDRDS_ENHANCED_MONITORING_ENABLEDRDS_INSTANCE_LOGGING_ENABLEDRDS_MULTI_AZ_SUPPORTS3_BUCKET_LOGGING_ENABLEDEC2 Metadata service configuration
-
Deploy CloudFormation Stack
- Git Clone the project
- Open AWS CloudFormation console and create a new stack
- Upload the
e2b-setup-env.ymlfile - Configure the following parameters:
- Stack Name: Enter a name for the stack, must be lowercase(e.g.,
e2b-infra) - VPC Configuration: Deployed new VPC environment configuration
- Environment Configuration: Choose an Environment (Support dev and prod, prod has a more stringent resource protection mechanism)
- Architecture Configuration: Choose CPU architecture (Support x64 and Graviton)
- Domain Configuration: Enter a domain you own(e.g.,
example.com) - EC2 Key Pair: Select an existing key pair for SSH access
- AllowRemoteSSHIPs: Adjust IP range for SSH access (default restricts to private networks for security)
- Database Settings: Configure RDS parameters following password requirements(must be 8-30 characters with letters and numbers)
- Stack Name: Enter a name for the stack, must be lowercase(e.g.,
- Complete all required fields and launch the stack
-
Validate Domain Certificate
- Navigate to Amazon Certificate Manager (ACM)
- Find your domain certificate and note the required CNAME record
- Add the CNAME record to your domain's DNS settings(Cloudflare DNS settings)
- Wait for domain validation (typically in 5 minutes)
-
Connect to Bastion Machine
- Use SSH with your EC2 key pair:
ssh -i your-key.pem ubuntu@<instance-ip> - Or use AWS Session Manager from the EC2 console for browser-based access
- Use SSH with your EC2 key pair:
-
Watch Deployment Logs
# Switch to root user for administrative privileges required for infrastructure setup
sudo su root
tail -f /tmp/e2b.log- Configure E2B DNS records(in Cloudflare)
- Setup Wildcard DNS: Add a CNAME record for
*(wildcard) pointing to the DNS name of the automatically created Application Load Balancer (ALB). This enables all E2B subdomains to route through the load balancer. - Access Nomad Dashboard: Navigate to
https://nomad.<your-domain>in your browser and authenticate using the retrieved token to monitor and manage the Nomad cluster workloads. - Retrieve Nomad Access Token: Execute
cat /opt/config.propertiesto extract the Nomad cluster management token from the configuration file.
- Setup Wildcard DNS: Add a CNAME record for
-
Login to https://grafana.com/ (register if needed)
-
Access your settings page at https://grafana.com/orgs/
-
In your Stack, find 'Manage your stack' page
-
Find 'OpenTelemetry' and click 'Configure'
-
Note the following values from the dashboard:
Endpoint for sending OTLP signals: xxxx Instance ID: xxxxxxx Password / API Token: xxxxx -
Export NOMAD environment variables:(Optional)
cat << EOF >> /opt/config.properties
# Grafana configuration
grafana_otel_collector_token=xxx
grafana_otlp_url=xxx
grafana_username=xxx
EOF
echo "Appended Grafana configuration to /opt/config.properties"- Deploy OpenTelemetry collector:(Optional)
bash nomad/deploy.sh otel-collector- Open Grafana Cloud Dashboard to view metrics, traces, and logs(Optional)
- Create a template:
# There are three ways to create E2B templates:
# Create a template from e2bdev/code-interpreter
bash packages/create_template.sh
# Create a template from a Dockerfile
bash packages/create_template.sh --docker-file <Docker_File_Path>
# Example for create a template of Desktop
bash packages/create_template.sh --docker-file test_use_case/Docckerfile/e2b.Dockerfile.Desktop
# Example for create a template of BrowserUse
bash packages/create_template.sh --docker-file test_use_case/Docckerfile/e2b.Dockerfile.BrowserUse
# Create a template from an ECR image that in your own account
bash packages/create_template.sh --ecr-image <ECR_IMAGE_URI>- Create a sandbox(Get the value of e2b_API to execute commands --- more ../infra-iac/db/config.json):
curl -X POST \
https://api.<e2bdomain>/sandboxes \
-H "X-API-Key: <e2b_API>" \
-H 'Content-Type: application/json' \
-d '{
"templateID": "<template_ID>",
"timeout": 3600,
"autoPause": true,
"metadata": {
"purpose": "test"
}
}'# Installation Guide: https://e2b.dev/docs/cli
# For macOS
brew install e2b
# Export environment variables(you can query the accessToken and teamApiKey in /opt/config.properties)
export E2B_API_KEY=xxx
export E2B_ACCESS_TOKEN=xxx
export E2B_DOMAIN="<e2bdomain>"
# Common E2B CLI commands
# List all sandboxes
e2b sandbox list
# Connect to a sandbox
e2b sandbox connect <sandbox-id>
# Kill a sandbox
e2b sandbox kill <sandbox-id>
e2b sandbox kill --allgit clone https://github.com/e2b-dev/e2b-cookbook.git
cd e2b-cookbook/examples/hello-world-python
poetry install
# Edit .env file
vim .env
# Change E2B_API_KEY value
poetry run start-
No nodes were eligible for evaluation error when deploying applications
- Check node status and constraints
-
Driver Failure: Failed to pull from ECR
- Error:
Failed to pull xxx.dkr.ecr.us-west-2.amazonaws.com/e2b-orchestration/api:latest: API error (404): pull access denied for xxx.dkr.ecr.us-west-2.amazonaws.com/e2b-orchestration/api, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again. - Solution: Execute
aws ecr get-login-password --region us-east-1to get a new ECR token and update the HCL file
- Error:
-
For other unresolved issues, contact support
When you need to delete the E2B environment, follow these steps:
-
Terraform Resource Cleanup:
- Navigate to the Terraform directory:
cd ~/infra-iac/terraform/ - Run
terraform destroyto remove infrastructure resources - Note: Some resources have deletion protection enabled and cannot be deleted directly:
- S3 Buckets: You must manually empty these buckets before they can be deleted
- Application Load Balancers (ALB): These may require manual deletion through the AWS console
- Navigate to the Terraform directory:
-
CloudFormation Stack Cleanup:
- RDS Database: The database has deletion protection enabled for compliance reasons
- First disable deletion protection through the RDS console
- Then delete the CloudFormation stack
- RDS Database: The database has deletion protection enabled for compliance reasons
-
Manual Resource Verification:
- After running the automated cleanup steps, verify in the AWS console that all resources have been properly removed
- Check for any orphaned resources in:
- EC2 (instances, security groups, load balancers)
- S3 (buckets)
- RDS (database instances)
- ECR (container repositories)
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.