Edge API authentication methods
Aembit Edge API supports multiple authentication methods to accommodate different environments and workloads, including cloud providers, CI/CD systems, and container orchestration platforms. The authentication process involves attesting the identity of Client Workloads and validating them against your configured Trust Providers. Edge API then issues an access token for subsequent API calls.
List of authentication methods
The /edge/v1/auth endpoint accepts the following attestation methods.
For the full request schema and field-level details, see the auth endpoint reference.
- AWS Metadata Service - Authenticate EC2 instances using the instance identity document and its signature from the AWS Instance Metadata Service (IMDS).
- AWS IAM Role - Authenticate using a signed AWS STS GetCallerIdentity request, proving identity through an attached IAM role.
- AWS Lambda - Authenticate Lambda functions with a signed STS GetCallerIdentity request from the function’s execution role, optionally identified by the function ARN.
- AWS ECS - Authenticate ECS tasks with a signed STS GetCallerIdentity request from the task’s IAM role, optionally identified by container and task metadata.
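The AWS IAM Role, Lambda and ECS methods above all rest on the same mechanism: the workload signs an STS GetCallerIdentity request with its own credentials and hands only the signed request to the verifier, which replays it against STS and compares the returned ARN with the role the Trust Provider expects. The following is an added illustration of both halves, not Aembit’s code and not its request schema; the key values, timestamp and the `verifier_accepts` checks are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

STS_HOST = "sts.amazonaws.com"  # global endpoint; its SigV4 scope region is us-east-1
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed, for tests


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             when=None, region="us-east-1"):
    """Headers of a SigV4-signed POST to STS GetCallerIdentity: what the workload
    hands to the verifier. The secret key itself never leaves the workload."""
    when = when or datetime.now(timezone.utc)
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": STS_HOST, "x-amz-date": amz_date}
    if session_token:  # role, Lambda and ECS credentials are temporary and carry a token
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(STS_BODY.encode()).hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "sts", "aws4_request"):  # kDate -> kRegion -> kService -> kSigning
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def verifier_accepts(headers, body):
    """Checks a verifier makes before replaying the request to STS and matching the
    returned ARN against the expected role: forward only to a genuine STS endpoint,
    only GetCallerIdentity, and only with the host bound by the signature, so the
    verifier cannot be used as a relay for arbitrary signed AWS calls."""
    host = headers.get("host", "")
    auth = headers.get("authorization", "")
    signed = auth.split("SignedHeaders=")[-1].split(",")[0].split(";")
    genuine_sts = host == STS_HOST or (host.startswith("sts.") and host.endswith(".amazonaws.com"))
    return (genuine_sts and body == STS_BODY and "host" in signed
            and auth.startswith("AWS4-HMAC-SHA256 Credential="))
```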
Kubernetes
- Kubernetes service account - Authenticate pods using a Kubernetes service account JWT.
CI/CD platforms
- GitHub Actions - Authenticate workflows using a GitHub-issued OIDC identity token.
- Terraform Cloud - Authenticate workspaces using a Terraform Cloud OIDC identity token.
- GitLab Jobs - Authenticate CI/CD pipelines using a GitLab-issued OIDC identity token.