Developer Guide

AWS X-Ray Daemon

The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. The daemon works in conjunction with the AWS X-Ray SDKs and must be running so that data sent by the SDKs can reach the X-Ray service.

On AWS Lambda and AWS Elastic Beanstalk, use those services' integration with X-Ray to run the daemon. Lambda runs the daemon automatically any time a function is invoked for a sampled request. On Elastic Beanstalk, use the XRayEnabled configuration option to run the daemon on the instances in your environment.

To run the X-Ray daemon locally, on-premises, or on other AWS services, download it from Amazon S3, run it, and then give it permission to upload segment documents to X-Ray.

Downloading the Daemon

You can download the daemon from Amazon S3 to run it locally, or to install it on an Amazon EC2 instance on launch.

X-Ray daemon installers and executables

These links always point to the latest v2 release of the daemon. To download a specific release, replace 2.x with the version number. For example, 2.0.0.

X-Ray assets are replicated to buckets in every supported region. To use the bucket closest to you or your AWS resources, replace the region in the above links with your region.

Verifying the Daemon Archive's Signature

GPG signature files are included for daemon assets compressed in ZIP archives. The public key is here: aws-xray.gpg.

You can use the public key to verify that the daemon's ZIP archive is original and unmodified. First, import the public key with GnuPG.

To import the public key

  1. Download the public key.

    $ BUCKETURL= $ wget $BUCKETURL/xray-daemon/aws-xray.gpg
  2. Import the public key into your keyring.

    $ gpg --import aws-xray.gpg gpg: /Users/me/.gnupg/trustdb.gpg: trustdb created gpg: key 7BFE036BFE6157D3: public key "AWS X-Ray <>" imported gpg: Total number processed: 1 gpg: imported: 1

Use the imported key to verify the signature of the daemon's ZIP archive.

To verify an archive's signature

  1. Download the archive and signature file.

    $ BUCKETURL= $ wget $BUCKETURL/xray-daemon/ $ wget $BUCKETURL/xray-daemon/
  2. Run gpg --verify to verify the signature.

    $ gpg --verify gpg: Signature made Wed 19 Apr 2017 05:06:31 AM UTC using RSA key ID FE6157D3 gpg: Good signature from "AWS X-Ray <>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: EA6D 9271 FBF3 6990 277F 4B87 7BFE 036B FE61 57D3

Note the warning about trust. A key is only trusted if you or someone you trust has signed it. This does not mean that the signature is invalid, only that you have not verified the public key.

Running the Daemon

Run the daemon locally from the command line.

~/Downloads$ ./xray

For detailed platform-specific instructions, see the following topics:

Giving the Daemon Permission to Send Data to X-Ray

The X-Ray daemon uses the AWS SDK to upload trace data to X-Ray, and it needs AWS credentials with permission to do that.

On Amazon EC2, the daemon uses the instance's instance profile role automatically. Locally, save your access keys to a file named credentials in your user directory under a folder named .aws.

Example ~/.aws/credentials

[default] aws_access_key_id = AKIAIOSFODNN7EXAMPLE aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

For more information about providing credentials to an SDK, see Specifying Credentials in the AWS SDK for Go Developer Guide.

The IAM role or user that the daemon's credentials belong to must have permission to write data to the service on your behalf.

  • To use the daemon on Amazon EC2, create a new instance profile role or add the managed policy to an existing one.

  • To use the daemon on Elastic Beanstalk, add the managed policy to the Elastic Beanstalk default instance profile role.

  • To run the daemon locally, create an IAM user and save its access keys on your computer.

For more information, see AWS X-Ray Permissions.

X-Ray Daemon Logs

The daemon outputs information about its current configuration and segments that it sends to AWS X-Ray.

2016-11-24T06:07:06Z [Info] Initializing AWS X-Ray daemon 2.0.0 2016-11-24T06:07:06Z [Info] Using memory limit of 49 MB 2016-11-24T06:07:06Z [Info] 313 segment buffers allocated 2016-11-24T06:07:08Z [Info] Successfully sent batch of 1 segments (0.123 seconds) 2016-11-24T06:07:09Z [Info] Successfully sent batch of 1 segments (0.006 seconds)