Lab guide — live March 26, 2026

Agents in Action

Deploy your own AI assistant powered by OpenClaw on AWS Lightsail. Your hardware, your control, about a dollar a day.

Where: CloudHesive FTL
When: March 26, 2026
Time: ~45 min lab
01

Prerequisites — Do These Before the Lab

Complete these before arriving at CloudHesive. The lab moves fast — if you're creating accounts during the session, you'll fall behind.

AWS Account

You need an AWS account with permissions to create Lightsail instances. Free tier is fine for testing.

Create your account at least 24 hours before the meetup. New accounts sometimes have Lightsail creation delays.

Enable Bedrock Model Access (Required)

The Lightsail blueprint uses AWS Bedrock as the model provider — no separate Anthropic account needed. But you must request access to Claude models first.

  • Go to AWS Console → Amazon Bedrock → Model access
  • Find Anthropic — Claude and click Request access
  • Accept the EULA. Access is usually granted instantly.
  • Confirm "Access granted" appears next to Claude Sonnet 4.6

If you skip model access, onboarding will fail. Bedrock returns a permissions error and the wizard gives you no useful guidance on why.

Telegram

Install on your phone and desktop before the lab.

  • Phone: App Store / Play Store → "Telegram" → sign up with your phone number
  • Desktop: web.telegram.org — no install needed, same account
  • Create your bot now: Open Telegram → search @BotFather → send /newbot → follow prompts → copy the token

Bot token looks like 123456789:ABCdef... — save it somewhere. Bot username must end in bot (e.g. MyAgentBot).

Set an AWS Budget Alert (Required)

Bedrock charges per token on your AWS bill. Without a budget alert, a debugging loop or runaway cron job can cost you $40+ in a single day. Set this up now.

  • Go to AWS Console → Billing → Budgets → Create budget
  • Budget type: Cost budget
  • Amount: $25/month (covers Lightsail + moderate Bedrock use)
  • Alert threshold: 80% → your email
  • Add a second alert at 100%

This is not optional. Anthropic Console spending caps do NOT apply to Bedrock. AWS Budgets is your only cost protection here.
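
The same budget expressed as AWS CLI input for CloudShell, as an added example that is not part of the original lab guide. The budget name and email address are placeholders, and alerting on actual (rather than forecasted) spend is an assumption; nothing is created until you call `create_lab_budget`.

```shell
#!/bin/sh
# Added example (not from the lab guide): the $25/month cost budget with
# 80% and 100% email alerts, as AWS CLI input. Run it in CloudShell.
BUDGET_NAME="openclaw-lab"       # placeholder budget name
ALERT_EMAIL="you@example.com"    # placeholder: replace with your address

# Monthly cost budget capped at 25 USD.
budget_json() {
  printf '{"BudgetName":"%s","BudgetType":"COST","TimeUnit":"MONTHLY",' "$BUDGET_NAME"
  printf '"BudgetLimit":{"Amount":"25","Unit":"USD"}}\n'
}

# One alert: email when actual spend passes $1 percent of the budget.
# Assumption: alerts fire on ACTUAL spend rather than FORECASTED.
notification_json() {
  printf '{"Notification":{"NotificationType":"ACTUAL",'
  printf '"ComparisonOperator":"GREATER_THAN","Threshold":%s,' "$1"
  printf '"ThresholdType":"PERCENTAGE"},'
  printf '"Subscribers":[{"SubscriptionType":"EMAIL","Address":"%s"}]}' "$ALERT_EMAIL"
}

# The guide's two thresholds: 80% and 100%.
notifications_json() {
  printf '[%s,%s]\n' "$(notification_json 80)" "$(notification_json 100)"
}

# Creates the budget in the account you are signed in to.
# Defined only; call create_lab_budget yourself once the values are set.
create_lab_budget() {
  account_id="$(aws sts get-caller-identity --query Account --output text)" || return 1
  aws budgets create-budget \
    --account-id "$account_id" \
    --budget "$(budget_json)" \
    --notifications-with-subscribers "$(notifications_json)"
}
```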

Brave Search API Key (Optional — for web search)

Gives your agent the ability to search the web. Not required for the core lab, but makes the agent significantly more useful.

  • Sign up at api.search.brave.com
  • Create an API key (free tier: 2,000 queries/month)
  • Requires a credit card to sign up

If you want your agent to respond with voice notes, sign up for an ElevenLabs account before the lab:

  • Create a free account at elevenlabs.io
  • Go to Profile + API key → generate an API key
  • Free tier gives you premade voices only (that's fine — Bella is great)

This is covered in detail in Section 05: Give It a Voice.

02

Deploy in 20 Minutes

This follows the official AWS blog walkthrough — the same flow Channy Yun published on launch day.

Launch Lightsail Instance

AWS Console
AWS Console → Lightsail → Create instance

Platform:   Linux/Unix
Blueprint:  Apps + OS → search "OpenClaw" → select it  (shows as OpenClaw 2026.2.17)
Plan:       $24/month (4 GB RAM) — AWS recommended for optimal performance
Name it:    OpenClaw-Lab
Click:      Create instance  (takes ~2 minutes)

Connect via Browser SSH

Lightsail Console → your instance → Getting started tab → Connect using SSH (orange button).

A browser terminal opens with the Lightsail OpenClaw MOTD displaying three things you need:

MOTD — what you'll see
Lightsail OpenClaw MOTD v1.0.0
+----------------------------------------------+
|          OpenClaw Dashboard Access            |
+----------------------------------------------+

Dashboard URL:
    https://<your-ip>/overview

Access Token:
    <your-token>

Current Model:
    bedrock/global.anthropic.claude-sonnet-4-6

Continue with device pairing? (y = pair now, n = skip):

Don't press y yet. First, copy the Dashboard URL and Access Token — you'll need them in the next step.

Pair Your Browser with the Dashboard

  • Open the Dashboard URL in a new browser tab
  • Paste the Access Token into the Gateway Token field
  • Click Connect
  • The dashboard will show a "device pairing required" message — that's expected

Now go back to the SSH terminal:

SSH terminal
Continue with device pairing? (y = pair now, n = skip): y
...approve prompt appears...
a   ← approve the device pairing

The dashboard should now show Health: OK with a green indicator. Your browser is paired.

Enable Bedrock API Access (CloudShell Script)

Your instance needs IAM permissions to call Bedrock. The Getting started tab in the Lightsail console shows a script — copy it and run it in AWS CloudShell.

  • Go back to the Lightsail console → your instance → Getting started tab
  • Find the "Enable Amazon Bedrock as your model provider" section
  • Click Copy the script
  • Click Launch CloudShell (or open it from the AWS Console top bar)
  • Paste and run the script — it creates an IAM role granting Bedrock access

This is a one-time setup. The script creates an IAM role attached to your Lightsail instance. You don't need to run it again unless you delete and recreate the instance.

Test: Chat via Dashboard

Go to Chat in the OpenClaw dashboard and send a message. If you get a response, Bedrock is working and your agent is live.

Checkpoint: You should have a working AI agent responding in the dashboard. If not — verify Bedrock model access is granted and the CloudShell script completed successfully.

Set Tools Profile (REQUIRED)

Back in the SSH terminal:

terminal
openclaw config set tools.profile full

Don't skip this. The default tools profile is nearly useless — your agent can barely do anything without full.

Connect Telegram

terminal
openclaw channels add telegram
# Enter your bot token from BotFather when prompted

Send a message to your bot on Telegram. It will reply with a pairing code and instructions:

terminal
openclaw pairing approve telegram <CODE>

Checkpoint: Send "Hello, what can you do?" to your bot on Telegram. If it responds, you have a working agent on your phone. If not — check Gotchas.

Enable Web Search — Brave (Optional)

terminal
echo "BRAVE_SEARCH_API_KEY=your_key_here" >> ~/.openclaw/.env
sudo systemctl restart openclaw-gateway

Test it: send your bot "Search the web for the latest AWS news"

HTTPS is automatic. Your instance is accessible at https://<your-ip> with a Let's Encrypt certificate. The Lightsail pre-baked image handles everything — no manual setup needed.

03

Give It a Name

Your agent is alive. Now give it an identity. Send these messages to your bot on Telegram — it'll internalize them and carry the persona forward.

Send via Telegram
"Your name is [whatever you want]. You're my personal AI assistant.
You run on AWS Lightsail in [your region].
My timezone is [your timezone]. Use it for all time references."

That's it. Your agent now has a name, a home, and a sense of time. Try it — ask "What's your name?" or "What time is it?"

OpenClaw supports a SOUL.md file in the workspace directory that defines your agent's personality, boundaries, and operating rules. It's loaded into context on every interaction.

terminal — create SOUL.md
cat > ~/.openclaw/workspace/SOUL.md << 'EOF'
# Identity
Name: [Your agent's name]
Timezone: Eastern (ET)
Owner: [Your name]

# Behavior
- Be concise and direct
- Always confirm before taking destructive actions
- Use my timezone for all time references
EOF

This is how Mira (Jorge's agent) knows her name, timezone, stock watchlist, and operating rules. Keep it lean — everything in SOUL.md costs tokens on every single interaction.

04

Security — The Non-Negotiables

Run the Security Audit

terminal
openclaw security audit
openclaw security audit --fix    # apply safe auto-remediations

Verify Key Settings

terminal
openclaw config get gateway.bind         # should be: loopback ✅
openclaw config get tools.profile        # should be: full
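
The gateway.bind setting can also be confirmed at the socket level. This check is an added example, not part of the original lab guide; it assumes the gateway's local port is 18789 (the port this guide names for raw EC2/Docker installs) and runs here against constructed `ss -ltn` output.

```shell
#!/bin/sh
# Added example (not from the lab guide): confirm at the socket level that the
# gateway listens on loopback only. Assumption: the gateway's local port is
# 18789, the port this guide names for raw EC2/Docker installs.
GATEWAY_PORT=18789

# Reads `ss -ltn` output on stdin and prints the local address of every
# listener on port $1 that is NOT bound to loopback. No output means OK.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4                                # e.g. 127.0.0.1:18789 or [::]:18789
      n = split(addr, parts, ":")
      if (parts[n] != port) next               # different port
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
      print host
    }'
}

# Constructed sample of `ss -ltn` output: a healthy host ...
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    127.0.0.1:18789    0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# ... and a misconfigured one where the gateway is bound to all interfaces.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:18789      0.0.0.0:*
LISTEN 0      511    [::]:18789         [::]:*'

# Wrapper that reads `ss -ltn` output on stdin and reports a verdict.
# Live use on the instance:  ss -ltn | check_gateway_bind
check_gateway_bind() {
  found="$(exposed_listeners "$GATEWAY_PORT")"
  [ -z "$found" ] && { echo "OK: port $GATEWAY_PORT is loopback-only or closed"; return 0; }
  echo "FINDING: port $GATEWAY_PORT listening on: $(printf '%s' "$found" | tr '\n' ' ')"
  return 1
}
```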

Lock Down File Permissions

terminal
chmod 600 ~/.openclaw/.env
chmod 700 ~/.openclaw
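
A way to verify these modes and to add keys to ~/.openclaw/.env without loosening them, as an added example that is not part of the original lab guide. The function names are hypothetical helpers and the script assumes GNU stat, as found on the Linux image.

```shell
#!/bin/sh
# Added example (not from the lab guide): audit the modes this section sets
# and write secrets to .env without loosening them. Uses GNU stat (Linux).

# Prints a finding and returns 1 unless <path> has exactly octal mode <want>.
check_mode() {  # check_mode <path> <want>
  actual="$(stat -c %a "$1" 2>/dev/null)" || { echo "MISSING $1"; return 1; }
  [ "$actual" = "$2" ] && return 0
  echo "FINDING $1 is mode $actual, expected $2"
  return 1
}

# Returns the number of findings (0 = clean) for an OpenClaw state directory.
audit_openclaw_perms() {  # audit_openclaw_perms <dir>
  findings=0
  check_mode "$1" 700      || findings=$((findings + 1))
  check_mode "$1/.env" 600 || findings=$((findings + 1))
  return "$findings"
}

# Sets KEY in <dir>/.env to the value read from stdin, so the secret never
# appears on the command line or in shell history. Replaces an existing KEY
# line instead of appending a duplicate, and creates the file as 0600.
put_secret() {  # put_secret <dir> <KEY>   (value on stdin)
  case "$2" in ''|*[!A-Za-z0-9_]*) echo "invalid key name" >&2; return 2 ;; esac
  IFS= read -r value || [ -n "$value" ] || return 2
  envf="$1/.env"; tmp="$envf.tmp.$$"
  (
    umask 077                                  # new file: owner read/write only
    {
      if [ -f "$envf" ]; then grep -v "^$2=" "$envf" || true; fi
      printf '%s=%s\n' "$2" "$value"
    } > "$tmp"
  ) && mv "$tmp" "$envf" && chmod 600 "$envf"
}

# Usage on the instance:
#   put_secret ~/.openclaw BRAVE_SEARCH_API_KEY    # paste the key, press Enter
#   audit_openclaw_perms ~/.openclaw && echo "permissions OK"
```

Restart the gateway after changing .env, as elsewhere in this guide.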

Rotate your gateway token once everything is confirmed working. This is your main authentication credential — treat it like a password.

terminal
openclaw token rotate

⚠️ This immediately invalidates the old token and disconnects paired browsers.

| Priority | Action | How |
|---|---|---|
| #1 | Run security audit after onboarding | openclaw security audit --fix |
| #2 | Keep DM policy as "pairing" | Default — never change to "open" |
| #3 | Lock down ~/.openclaw permissions | chmod 700 ~/.openclaw && chmod 600 ~/.openclaw/.env |
| #4 | Don't install random skills from ClawHub | Check what permissions a skill requests first |
| #5 | Stop your instance when not using it | Lightsail Console → Stop instance |

Why this matters: In February 2026, over 42,000 exposed OpenClaw instances were found online — 93.4% had authentication bypasses. The Lightsail blueprint is better isolated than a raw EC2/Docker setup, but your gateway token is still your only authentication layer. Treat it like a password.

No port 18789 to worry about. Unlike a raw EC2/Docker install, the Lightsail pre-baked image routes the Control UI through HTTPS on port 443 via a built-in reverse proxy. The gateway never binds to a public port.

05

Give It a Voice — ElevenLabs + sag

This is the "wow moment." Your agent responds to voice notes with voice notes — a real human-sounding voice powered by ElevenLabs. Takes about 15 minutes.

Heads up: This skill requires building a Go binary from source. The ClawHub installer rate-limits, and Homebrew on a headless Linux server is a dead end. The commands below are the reliable path — tested on the Lightsail pre-baked image.

Install Go 1.24+ (the apt version is too old)

terminal
# Download official Go binary
wget https://go.dev/dl/go1.24.1.linux-amd64.tar.gz

# Remove any old Go and install
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.24.1.linux-amd64.tar.gz

# Add to PATH (and make it persist)
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc

# Verify
go version
# → go version go1.24.1 linux/amd64

Install ALSA dev libraries (required for Go audio build)

terminal
sudo apt install -y libasound2-dev

Build sag from source

terminal
go install github.com/steipete/sag/cmd/sag@latest

Symlink so the gateway service can find it

terminal
sudo ln -sf ~/go/bin/sag /usr/local/bin/sag

Why the symlink? The gateway runs as a system service with its own PATH. Binaries in ~/go/bin are invisible to it. Without this symlink, the skill stays permanently "blocked" with no useful error message.

Set API key and voice ID

terminal
cat >> ~/.openclaw/.env << 'EOF'
ELEVENLABS_API_KEY=your_elevenlabs_api_key_here
ELEVENLABS_VOICE_ID=hpp4J3VqNfWAUOO0d1Us
EOF

# Lock down permissions (secrets file)
chmod 600 ~/.openclaw/.env

# Restart for changes to take effect
sudo systemctl restart openclaw-gateway

Voice ID hpp4J3VqNfWAUOO0d1Us is "Bella" — a premade voice available on the free tier. Browse other voices at elevenlabs.io/app/voice-library and swap the ID anytime:
sed -i 's/ELEVENLABS_VOICE_ID=.*/ELEVENLABS_VOICE_ID=<new_id>/' ~/.openclaw/.env

Test it

Send a voice note to your bot on Telegram. It should reply with a voice note back in Bella's voice.

🎤 Checkpoint: If your bot replies with a voice note, the sag skill is fully working. If it replies with text only, check that ELEVENLABS_API_KEY is in ~/.openclaw/.env (not just the gateway UI) and that you restarted the gateway.

symptom Skill shows as "blocked" in gateway

Cause: sag binary not in the gateway service's PATH.

Fix: sudo ln -sf ~/go/bin/sag /usr/local/bin/sag then restart gateway.

symptom Go build fails with "cannot find package"

Cause: apt-installed Go is too old (< 1.24).

Fix: Install Go from the official tarball, not apt. See step 1 above.

symptom Build fails with "alsa/asoundlib.h: No such file"

Cause: Missing ALSA development headers.

Fix: sudo apt install -y libasound2-dev

symptom Bot replies with text instead of voice

Cause: ELEVENLABS_API_KEY set in the gateway UI but not in ~/.openclaw/.env. The sag skill reads from the environment, not the UI.

Fix: Add both ELEVENLABS_API_KEY and ELEVENLABS_VOICE_ID to ~/.openclaw/.env, then sudo systemctl restart openclaw-gateway.

symptom ClawHub installer hangs or fails

Cause: ClawHub rate-limits npx clawhub install.

Fix: Skip ClawHub entirely. Build sag from Go source as shown above — it's faster and more reliable.

06

What It Actually Costs

Real numbers from Mira — a production agent running 24/7 on this exact Lightsail + Bedrock stack since March 2026.

| | Lightsail Instance | Bedrock (Sonnet 4.6) | Monthly Total |
|---|---|---|---|
| Today's lab | ~$0.80 | < $0.50 | ~$1 |
| Light use | $24/month | ~$3–5/month | ~$27–29 |
| Daily driver | $24/month | ~$15–20/month | ~$39–44 |

Mira runs 5 cron jobs daily. Here's what each costs in steady state:

| Job | Model | Tokens/run | Cost/day |
|---|---|---|---|
| Calendar Briefing (7am) | Sonnet | ~11k | ~$0.17 |
| Tech & AI Briefing (7:30am) | Sonnet | ~50k | ~$0.75 |
| Morning Stock Update (10am) | Haiku | ~7–35k | ~$0.04 |
| Pre-Close Stock Update (3pm) | Haiku | ~8–31k | ~$0.04 |
| Total cron cost | | | ~$1/day |

The cost lever: model routing. Simple structured tasks (stock lookups) go to Haiku at ~10x cheaper per token. Complex tasks (news analysis, calendar reasoning) stay on Sonnet. One command:

terminal — route a cron job to Haiku
openclaw models aliases add haiku bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0
openclaw cron edit <job-id> --model haiku

The $44 day. During setup, a calendar cron ran 12 times in one day while debugging sandbox issues. Each run burned Sonnet tokens. Normal operation is $1–2/day — but debugging loops can spike costs fast. Set an AWS Budget alert before experimenting.

Bedrock billing goes to your AWS account — the same place as your Lightsail instance. One bill, one place to set budget alerts. No separate Anthropic account needed.

Stop your instance when you're done — Lightsail charges even when idle.

07

Gotchas & Troubleshooting

Hard-won lessons from ~6 OpenClaw installs across EC2 and Lightsail. Every one of these cost real debugging time.

symptom Agent can barely do anything / tools seem missing

Cause: Default tools profile is nearly useless.

Fix: openclaw config set tools.profile full

symptom Dashboard shows 1008 WebSocket error, can't connect

Cause: Stale browser device token — NOT an outage. Your Telegram bot is still working fine.

Fix:

terminal
# Get the current valid token
openclaw config get gateway.auth.token
# Paste into dashboard → Gateway Token field → hit Connect

# If that still fails:
openclaw devices list
openclaw devices approve <requestId>

symptom Sandbox can't find a binary you installed

Cause: OpenClaw's sandbox only mounts /usr/bin — not /usr/local/bin where most manually installed binaries land.

Fix: Symlink into /usr/bin:

terminal
sudo ln -sf /usr/local/bin/<binary> /usr/bin/<binary>

symptom Sandbox can't access OAuth tokens or config files

Cause: ~/.config directories aren't mounted in the sandbox.

Fix: Copy configs into the workspace and set XDG_CONFIG_HOME:

terminal
cp -r ~/.config/<tool> ~/.openclaw/workspace/.<tool>
# Then in your cron command, prefix with:
XDG_CONFIG_HOME=/workspace/.<tool> /usr/bin/<tool> ...

symptom Skill set in gateway UI but still "blocked"

Cause: ~/.openclaw/.env is the canonical secrets location. Skills like sag read API keys from the environment, not from the gateway UI.

Fix: Put all API keys in ~/.openclaw/.env, then sudo systemctl restart openclaw-gateway.

symptom ClawHub skill install hangs or rate-limits

Cause: ClawHub rate-limits npx clawhub install aggressively.

Fix: Skip ClawHub. Use manual installation (curl for simple skills) or build from source (Go/Node skills). It's more reliable.

symptom Bedrock error: "Invocation of model ID with on-demand throughput is not supported"

Cause: Haiku 4.5 on Bedrock requires the cross-region inference profile prefix us. — bare model IDs are rejected.

Fix:

terminal
# ❌ Wrong: bare model ID, rejected by Bedrock
# anthropic.claude-haiku-4-5-20251001-v1:0

# ✅ Correct — note the us. prefix
openclaw models aliases add haiku bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0

symptom Gateway crashes on startup

Cause: agents.defaults.env is NOT a valid config key in this version. Attempting to set it crashes the gateway.

Fix: Use ~/.openclaw/.env for environment variables. Don't try to set env vars through the config system.

symptom Cron job runs but Telegram message never arrives

Cause: Manual test runs via openclaw cron run reuse the same sessionId. OpenClaw deduplicates delivery within the same session.

Fix: Only scheduled runs reliably prove end-to-end Telegram delivery. Manual test runs are unreliable for this — check openclaw cron runs --id <job-id> to confirm the job actually executed.

08

Essential Commands

Gateway service management (native install — no Docker)
sudo systemctl status openclaw-gateway     # Check if gateway is running
sudo systemctl restart openclaw-gateway    # Restart after config changes
sudo systemctl stop openclaw-gateway       # Stop
sudo systemctl start openclaw-gateway      # Start

OpenClaw CLI
openclaw security audit                    # Security audit
openclaw security audit --fix              # Audit + auto-remediate
openclaw config get tools.profile          # Check current tools profile
openclaw config set tools.profile full     # Set full tools
openclaw channels list                     # List connected channels
openclaw token rotate                      # Rotate gateway auth token
openclaw logs                              # View recent logs
openclaw cron list                         # List cron jobs
openclaw models list                       # List configured models

09

Resources