FAQ

Common questions.

Do my Linux nodes need to be on AWS?

No. The agent has no AWS dependency - it only needs network access to the Dirless backend over HTTPS. Agents run on any Linux host: on-premises, other cloud providers, bare metal, or VMs anywhere. Only the syncer needs to run on an EC2 instance (to access the instance role for IAM credentials).

What happens if the backend goes down?

Nothing bad. The agent maintains a local database on each host, and NSS lookups read from it directly; there is no network call at query time. If the backend is unreachable, the last-known-good snapshot stays on disk and identity resolution continues working normally: users already on the host stay logged in, and new lookups still resolve. The only thing that stops during an outage is pulling fresh changes from Identity Center. Note that this cuts both ways: a user added during the outage is not yet visible on the host, and a user removed during the outage keeps resolving there until the agent can reach the backend again.
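The behaviour described above, as an added illustration that is not Dirless code: lookups are served only from a local snapshot file, a refresh that fails leaves that file untouched, and the file is replaced atomically so a crash or a half-received payload can never corrupt the last-known-good copy. The JSON snapshot layout, the sample users and the fetch callback are assumptions made for the example.

```python
"""Last-known-good snapshot cache with offline lookups (illustrative, not Dirless code)."""
import json
import os
import tempfile
from typing import Callable, Optional

# Constructed sample snapshot: what an earlier successful sync might have written.
SAMPLE_SNAPSHOT = {
    "alice": {"uid": 20001, "gid": 20001, "home": "/home/alice", "shell": "/bin/bash"},
    "bob":   {"uid": 20002, "gid": 20002, "home": "/home/bob",   "shell": "/bin/bash"},
}


def write_snapshot(path: str, snapshot: dict) -> None:
    """Write the snapshot atomically: readers see the old file or the new one, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".snapshot-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(snapshot, f)
            f.flush()
            os.fsync(f.fileno())          # data is on disk before the rename below
        os.replace(tmp, path)             # atomic rename on POSIX
    except BaseException:
        os.unlink(tmp)                    # never leave a stray temp file behind
        raise


def refresh(path: str, fetch: Callable[[], dict]) -> bool:
    """Try to pull a fresh snapshot from the backend.

    On any transport failure the file on disk is left exactly as it was and
    False is returned; lookups keep being served from the previous snapshot.
    """
    try:
        fresh = fetch()
    except OSError:                       # ConnectionError, TimeoutError, ... are OSErrors
        return False
    if not isinstance(fresh, dict):
        return False
    write_snapshot(path, fresh)
    return True


def lookup(path: str, name: str) -> Optional[dict]:
    """Resolve a user from the local snapshot only: no network access at query time."""
    try:
        with open(path) as f:
            snapshot = json.load(f)
    except FileNotFoundError:
        return None
    return snapshot.get(name)


def snapshot_demo() -> dict:
    """Outage, then recovery: lookups work throughout, removals land only after reconnect."""
    path = os.path.join(tempfile.mkdtemp(), "snapshot.json")
    write_snapshot(path, SAMPLE_SNAPSHOT)       # an earlier sync succeeded

    def backend_unreachable() -> dict:
        raise ConnectionError("backend down")   # simulated outage

    def backend_back() -> dict:                 # simulated recovery: bob was offboarded meanwhile
        return {"alice": SAMPLE_SNAPSHOT["alice"]}

    during = refresh(path, backend_unreachable)
    alice_during = lookup(path, "alice")
    bob_during = lookup(path, "bob")             # still resolves: removal has not reached the host
    after = refresh(path, backend_back)
    bob_after = lookup(path, "bob")              # gone once the backend is reachable again
    return {
        "refresh_during_outage": during,
        "alice_uid_during_outage": alice_during["uid"] if alice_during else None,
        "bob_resolves_during_outage": bob_during is not None,
        "refresh_after_recovery": after,
        "bob_resolves_after_recovery": bob_after is not None,
    }


if __name__ == "__main__":
    print(snapshot_demo())
```

The point of the fsync-then-rename pattern is that the snapshot path always names a complete file; a partially written download would otherwise break every lookup on the host, which is worse than serving stale data.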

Can I add users who aren't in AWS Identity Center?

Yes. In addition to users synced from IAM Identity Center, you can add local users directly through the web portal. These users are encrypted to each enrolled host's age public key and distributed to all enrolled hosts exactly like cloud-sourced users. This is useful for service accounts, contractors, or anyone who needs a Linux identity but isn't in IdC.

Do I need to run anything special for SSH access?

Dirless handles the identity layer - making users exist in the OS - which is the prerequisite for SSH key authentication and other tools. This works for both cloud-sourced and locally-added users. You still configure SSH authorization as you normally would (e.g. authorized_keys, a PAM module, or an AuthorizedKeysCommand). If a login fails, check the identity layer first: getent passwd <username> on the host should return the user before you look at sshd. An SSH authorized-keys helper is on the roadmap as a natural extension, since Dirless already knows which IAM user maps to which Linux user.

How are UIDs and GIDs assigned?

The backend assigns UIDs and GIDs deterministically and stably for all users - whether synced from IAM Identity Center or added through the web portal. Once assigned, an ID never changes and is never reissued: if a user is removed and later re-added, they get the same UID and GID back, and no other user is ever given them in between. This is critical for shared filesystems, where ownership is stored as numbers rather than names; a recycled UID would silently hand one user's files to another.
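One way to maintain the guarantee above, as an added example rather than Dirless's own allocator: a ledger keyed by a stable identity (never the display name, which can be renamed) hands out IDs monotonically and keeps a tombstone for removed users, so an ID is never reissued and a re-added user gets the original back. The UID range, the JSON ledger layout and the identity keys are assumptions made for the example.

```python
"""Stable, never-recycled UID/GID allocation (illustrative, not Dirless code)."""
import json
from typing import Optional, Tuple

UID_MIN = 200000   # assumed range for synced and portal-added users
UID_MAX = 299999


class IdAllocator:
    """Ledger mapping a stable identity key to a UID/GID pair.

    Invariants:
      * once an identity has an ID, that ID never changes;
      * removal leaves a tombstone, so the ID is never handed to anyone else
        and re-adding the same identity returns the original ID;
      * the counter only moves forward, so gaps are never refilled.
    """

    def __init__(self, ledger: Optional[dict] = None):
        # ledger layout (assumed): {"next": int, "ids": {key: {"uid", "gid", "active"}}}
        self.ledger = ledger if ledger is not None else {"next": UID_MIN, "ids": {}}

    def assign(self, key: str) -> Tuple[int, int]:
        entry = self.ledger["ids"].get(key)
        if entry is not None:
            entry["active"] = True              # re-add: same IDs come back
            return entry["uid"], entry["gid"]
        uid = self.ledger["next"]
        if uid > UID_MAX:
            # Exhaustion is an operational error; reusing tombstoned IDs is never the fix.
            raise RuntimeError("UID range exhausted")
        self.ledger["next"] = uid + 1           # monotonic: IDs are never reissued
        self.ledger["ids"][key] = {"uid": uid, "gid": uid, "active": True}
        return uid, uid

    def remove(self, key: str) -> None:
        entry = self.ledger["ids"].get(key)
        if entry is not None:
            entry["active"] = False             # tombstone, not deletion

    def active_users(self) -> dict:
        return {k: v for k, v in self.ledger["ids"].items() if v["active"]}

    def dumps(self) -> str:
        """Serialise the ledger; the backend must persist this between runs."""
        return json.dumps(self.ledger, sort_keys=True)


def uid_demo() -> dict:
    alloc = IdAllocator()
    # Constructed identity keys: an IdC user ID and a portal-added service account.
    alice_uid, _ = alloc.assign("idc:user-alice")
    bob_uid, _ = alloc.assign("idc:user-bob")
    alloc.remove("idc:user-bob")                # bob offboarded; his UID is now a tombstone

    # Persist and reload the ledger, as a backend restart would.
    alloc = IdAllocator(json.loads(alloc.dumps()))

    svc_uid, _ = alloc.assign("portal:svc-deploy")   # must NOT get bob's old UID
    bob_again, _ = alloc.assign("idc:user-bob")      # re-added: original UID returns
    return {
        "alice": alice_uid,
        "bob": bob_uid,
        "svc_deploy": svc_uid,
        "bob_readded": bob_again,
        "active": sorted(alloc.active_users()),
    }


if __name__ == "__main__":
    print(uid_demo())
```

Keying on an immutable identifier matters: if the ledger were keyed on the username, renaming a user in Identity Center would look like a removal plus a new user and would break the stability guarantee the page describes.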

Can I run my own backend?

Yes. Dirless is fully self-hostable. The backend is a single static binary with a TOML config file. Point your syncer and agents at your own URL. The protocol between all components is identical regardless of who operates the backend. Customers who need full control over their infrastructure or air-gapped deployments use this path.

Is my identity data visible to Dirless (hosted)?

Not in readable form. At enrollment time, the agent generates an age keypair on the host and sends only the public key to the backend. The backend encrypts every snapshot to that public key before storing or serving it. The private key lives only on your host and never leaves it, so we cannot decrypt the snapshots we store. An attacker who obtained the stored snapshots, even through a compromise of our backend, would find only age-encrypted blobs that cannot be decrypted without a host's private key.

← Back to dirless.com