
Edge components release with S3 streaming and Secrets Manager improvements

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Improved AWS S3 upload streaming signature support
  • AWS Secrets Manager Private Network Access username/password credential support (requires Agent Proxy 1.28)

Aembit has improved Agent Proxy’s AWS S3 upload support with enhanced streaming signature handling. Agent Proxy 1.28 addresses limitations from the 1.27 release related to streaming signed payloads.

Key capabilities:

  • Improved handling of aws-chunked content encoding for streaming uploads
  • Better compatibility with AWS SDK streaming operations
  • Enhanced request signing for chunked transfer encoding

For complete documentation, see How Aembit uses AWS SigV4 and SigV4a.


The AWS Secrets Manager Credential Provider with Private Network Access now supports username/password credentials. This extends the PNA capability introduced in Agent Proxy 1.27 to include secrets stored as username/password pairs.

Requirements:

  • Agent Proxy 1.28 or later

For configuration details, see AWS Secrets Manager Credential Provider.

  • VM Agent Proxy package
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Key Updates:

  • Added private network access support for HTTP Basic Auth Credential Providers using AWS Secrets Manager.
  • Added process name and process username as Client Workload Identifiers.
  • Extended AWS S3 support to include all SigV4 headers, so the required signing type can be specified.

GitHub Action, MCP Authorization Server beta, and Access Policy Builder now available

Aembit now provides an official GitHub Action for injecting credentials into your CI/CD workflows. The action retrieves credentials from Aembit and makes them available to subsequent steps in your workflow.

Key capabilities:

  • Retrieve credentials using workload identity federation with GitHub’s OIDC tokens
  • Support for AWS, Azure, database, and API key credential types
  • Automatic credential masking in workflow logs

For setup instructions, see the GitHub Actions tutorial. For usage examples with different credential types, see the how-to guide.


Aembit now supports Private Network Access (PNA) for the AWS Secrets Manager Credential Provider. This allows your Aembit Edge components (Aembit CLI or Agent Proxy) to retrieve secrets directly from AWS Secrets Manager instances in private networks, such as AWS VPCs with private endpoints.

Key capabilities:

  • Retrieve secrets from AWS Secrets Manager without exposing your VPC to the public internet
  • Works with both Aembit CLI and Agent Proxy deployments
  • No changes required to your existing AWS IAM policies or VPC endpoint configuration

For configuration details, see Private Network Access for Credential Providers and AWS Secrets Manager Credential Provider.


Aembit has released the MCP Authorization Server (beta), which secures Model Context Protocol (MCP) workloads using OAuth 2.1 authorization flows. This enables you to apply Aembit Access Policies to AI agents and MCP clients, controlling which users can access which MCP servers.

Beta feature

The MCP Authorization Server is currently in beta. Contact your Aembit representative to request access.

Key capabilities:

  • OAuth 2.1 authorization code flow implementation for MCP-compliant workloads
  • Dynamic Client Registration support for tools like Claude Desktop and Gemini CLI
  • Integration with OIDC and SAML identity providers for user authentication
  • Access Policies with time and location-based conditions

Aembit has redesigned the Access Policy creation experience with the new Access Policy Builder. The builder provides a card-based interface that guides you through configuring each component of an Access Policy.

Access Policy Builder showing a completed policy configuration

Key capabilities:

  • Visual card-based navigation for policy components
  • Inline creation of Client Workloads, Server Workloads, Trust Providers, and other components
  • Clear indicators for required, recommended, and optional components based on Global Policy Compliance settings

To use the new builder, enable Use new access policy in your user profile preferences. For a walkthrough, see Create an Access Policy.

Edge components release with AWS S3 uploads and multiple AWS STS support

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Support AWS S3 upload request workloads
  • Support multiple AWS STS Credential Providers in a single Access Policy via Access Key ID mapping

Aembit’s Agent Proxy now supports AWS S3 file uploads. Agent Proxy transparently handles S3’s complex signing requirements, including detecting client signatures, re-signing requests with injected credentials, and streaming large file uploads.

Key capabilities:

  • Automatic detection of S3 signing methods using the x-amz-content-sha256 header
  • Support for unsigned payloads, streaming signatures, and standard SigV4 signing
  • Transparent credential injection without client-side configuration changes

Known limitations in this release:

For complete documentation and workarounds, see How Aembit uses AWS SigV4 and SigV4a.
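The two mechanisms the S3 upload support relies on, detecting the payload signing mode from x-amz-content-sha256 and walking an aws-chunked streaming body chunk by chunk, are shown below as an added example; it is not Agent Proxy code and does not reproduce how Aembit implements this. The secret, dates, scope and seed signature are constructed values, and the seed stands in for the request header signature that precedes the first chunk in a real SigV4 streaming upload.

```python
import hashlib
import hmac

# Sentinel values AWS clients place in x-amz-content-sha256 (defined by the SigV4 spec).
UNSIGNED = "UNSIGNED-PAYLOAD"
STREAMING = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"


def payload_mode(headers):
    """Classify the client's payload signing mode from request headers (keys lower-cased)."""
    value = headers.get("x-amz-content-sha256", "")
    if value == UNSIGNED:
        return "unsigned"
    if value.startswith("STREAMING-") and "aws-chunked" in headers.get("content-encoding", ""):
        return "streaming"
    if len(value) == 64 and all(c in "0123456789abcdef" for c in value):
        return "sigv4"  # full-body SHA-256 digest: the standard (non-streaming) case
    raise ValueError(f"unrecognised payload signing mode: {value!r}")


def signing_key(secret, date, region, service="s3"):
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def chunk_signature(key, amz_date, scope, prev_sig, data):
    """Signature of one streaming chunk; each chunk is chained to the previous signature."""
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256-PAYLOAD", amz_date, scope, prev_sig,
        hashlib.sha256(b"").hexdigest(), hashlib.sha256(data).hexdigest(),
    ])
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def encode_aws_chunked(key, amz_date, scope, seed_sig, chunks):
    """Frame chunks as aws-chunked: hex(size);chunk-signature=<sig> CRLF data CRLF, then a 0-size chunk."""
    out, prev = b"", seed_sig
    for data in list(chunks) + [b""]:
        prev = chunk_signature(key, amz_date, scope, prev, data)
        out += f"{len(data):x};chunk-signature={prev}\r\n".encode() + data + b"\r\n"
    return out


def decode_aws_chunked(key, amz_date, scope, seed_sig, body):
    """Parse an aws-chunked body, verifying every chunk signature; return the raw payload bytes."""
    payload, prev, pos = b"", seed_sig, 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_hex, sig = body[pos:eol].decode().split(";chunk-signature=")
        size = int(size_hex, 16)
        data = body[eol + 2:eol + 2 + size]
        if body[eol + 2 + size:eol + 4 + size] != b"\r\n":
            raise ValueError("malformed chunk framing")
        if not hmac.compare_digest(chunk_signature(key, amz_date, scope, prev, data), sig):
            raise ValueError("chunk signature mismatch")  # tampered or re-ordered chunk
        payload, prev, pos = payload + data, sig, eol + 4 + size
        if size == 0:
            return payload
```

A proxy that re-signs with injected credentials must re-derive every chunk signature with the new key, since each chunk is chained to the one before it.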


Aembit now supports multiple AWS Security Token Service (STS) Credential Providers within a single Access Policy. This feature enables a single Client Workload to access multiple AWS resources, each requiring different IAM roles, without creating separate Access Policies.

Key capabilities:

  • Access Key ID selectors for automatic Credential Provider matching
  • Simplified policy management with multiple AWS STS Credential Providers per Access Policy
  • Seamless credential injection for applications accessing different AWS services

Minimum Edge Component versions required:

  • Agent Proxy 1.27.3865
  • Agent Controller 1.27.2906

For complete documentation, see Using multiple AWS STS Credential Providers.


Aembit has expanded the Server Workload documentation with new guides covering architecture patterns, credential lifecycle management, developer integration, and troubleshooting. These resources help you understand how Aembit manages credentials for your Server Workloads and provide guidance for integrating Aembit into your applications.

New documentation:

New and updated Server Workload guides:

  • NEW Microsoft Entra ID - Authenticate to Entra ID-protected resources using Azure Entra Workload Identity Federation or OAuth interception
  • UPDATED AWS services - Authenticate to AWS services using AWS Security Token Service (STS) Credential Providers and SigV4 signing

Azure Key Vault Credential Provider and OIDC SSO now available

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Azure Key Vault Private Network Access: Added support for accessing Azure Key Vault instances configured with private network endpoints
  • Performance Improvements: Enhanced performance for Secure Parameter Exchange (SPE) Postgres database operations
  • Dependency Updates: Updated multiple project dependencies to their latest stable versions
  • Rust and Hyper Upgrade: Upgraded to Rust 1.89.0 and introduced the hyper HTTP library for improved performance and security
  • Logging Enhancements: Internal improvements to logging functionality for better observability and debugging

Aembit has released the new Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider.

Together, they enable you to retrieve secrets from Azure Key Vault directly through Aembit using Azure’s Workload Identity Federation.

The Azure Entra Federation integration leverages OpenID Connect (OIDC) standards to authenticate with Azure Entra without requiring long-lived secrets or static credentials. This allows Aembit to securely access your Azure Key Vault instances using short-lived, federated tokens.

The Azure Key Vault Credential Provider supports:

  • Single value credentials (API keys, tokens)
  • Username/Password credentials
  • Both public and private network access scenarios
  • Policy-driven access controls and centralized auditing

See Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider to learn more.


You can now configure OIDC 1.0 Identity Providers for administrator Single Sign-On (SSO) authentication. This enables you to use OIDC-compliant identity providers such as Okta, Azure AD, and Auth0 to simplify the Aembit Tenant login process for your users. With OIDC support, you can leverage your existing identity infrastructure for secure, standardized authentication to the Aembit administrative console.

For more information, see Create an OIDC Identity Provider.

Faster, more reliable Agent Controller cloud detection and attestation

Aembit has applied performance enhancements to Agent Controller in this release, including:

  • improved cloud environment detection and attestation, making Agent Controller onboarding faster and more reliable across AWS and Azure
  • improved logging around TLS-related errors
  • deprecated the AEMBIT_HTTP_DISABLED environment variable (HTTP is now disabled when TLS is enabled)

For the latest available versions of these components, see the Edge Components Supported Versions page.

Edge components release with OpenShift support and AWS Secrets Manager private network access

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

  • Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraint configurations and deployment best practices. See OpenShift deployment guide.
  • AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
  • Aembit CLI CrowdStrike support.
  • Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
  • New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
  • Support for volume-mounted certificates in Aembit Edge Components.
  • Security and performance enhancements.

Updated Edge Components:

  • Agent Proxy 1.25.3494
  • Sidecar Init 1.25.127
  • Helm Chart 1.25.494

See Edge Components supported versions for more details.


Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieves secrets from AWS Secrets Manager directly, ensuring secure and private access to your secrets.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.


GitLab CI/CD Component, OIDC dynamic claims, and CrowdStrike conditions now available

The Aembit Edge GitLab CI/CD Component is now available to simplify Aembit integration within your pipelines. Find the component in the GitLab CI/CD Catalog and learn how to use it in the component documentation.


The OIDC ID Token Credential Provider now supports dynamic claims, allowing you to extract and use values from OIDC tokens in the credential data. This feature creates personalized and context-aware credentials that reflect the workload’s identity and attributes from their original OIDC token.

See OIDC ID Token Dynamic Claims for more information.


Aembit has added two new Access Conditions for CrowdStrike:

  • MAC Address - Ensures the CrowdStrike Agent Host MAC Address matches the Host MAC Address that Agent Proxy retrieved.
  • Local IP Address - Ensures the CrowdStrike Agent Host Local IP Address matches the Host Local IP Address that Agent Proxy retrieved.

See Create Access Conditions for CrowdStrike to learn how to create Access Conditions for CrowdStrike.

Aembit CLI, AWS Secrets Manager, and Jenkins Pipelines now available

Aembit has released the new AWS IAM Role Credential Provider Integration and Secrets Manager Credential Provider. Together, they enable you to retrieve secrets from AWS Secrets Manager directly through Aembit.

See AWS IAM Role Credential Provider Integration and AWS Secrets Manager Credential Provider to learn more.


Aembit has released the Aembit CLI, a command-line interface that allows you to inject credentials into your CI/CD pipelines. It is compatible with GitLab, GitHub, and now Jenkins.

Check out the Aembit CLI Guide to get started with the Aembit CLI!
Also, see Aembit Edge on CI/CD services for more information on how to use Aembit CLI with your CI/CD pipelines.


Aembit has released support for Jenkins Pipelines to help you integrate Aembit into your Jenkins CI/CD workflows. This integration allows you to securely retrieve and use Aembit-managed credentials directly in your Jenkins Pipelines, streamlining your CI/CD processes and enhancing security.

Check out Jenkins Pipelines to learn more about how to use Aembit with Jenkins Pipelines.


Aembit now supports Server Workloads with a wildcard hostname.

This enables you to simplify your Server Workloads in a flexible and well-defined manner.


As of Agent Controller version 1.24.xxxx, Aembit has enhanced Agent Controller to automatically close insecure HTTP ports when you enable TLS. This update streamlines security by ensuring only encrypted connections are active.

When you enable TLS, Agent Controller now automatically:

  • Opens Secure Ports: 443 (or 5443 on VMs) and the secure Prometheus port 9091.
  • Closes Insecure Ports: 80 (or 5000 on VMs) and the insecure Prometheus port 9090.

This automation removes the manual step of closing insecure ports, preventing potential misconfigurations and enforcing a secure-by-default posture.


Aembit has applied security enhancements to Agent Controller version 1.24.2485 in this release, including:

  • Disabling insecure HTTP ports when you enable TLS.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

See Edge Components supported versions for more details.

Discovery filtering and OIDC ID Token Trust Provider now available

Aembit has added more advanced filtering options to the Discovered tab for Client and Server Workloads. This enables you to find specific discovered workloads based on the filter criteria you choose.

Discovered Client Workloads page

Discovered Server Workloads page

See Filtering Discovered Workloads for more info.


Aembit has added the OIDC ID Token Trust Provider. This Trust Provider is Aembit’s solution for authenticating workloads using standard OIDC ID tokens. It validates incoming tokens against specific issuer, audience, and subject claims, giving you maximum flexibility to integrate with virtually any OIDC-compliant identity provider for secure, token-based workload access.

See OIDC ID Token Trust Provider for more info.


Aembit has applied security and performance enhancements to Agent Proxy version 1.24.3324 in this release.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions for more details.

Aembit Edge API now available with expanded Wiz Discovery

Introducing Aembit Edge API, the new way your cloud-native applications can retrieve credentials dynamically without deploying additional infrastructure. Perfect for serverless functions, containers, and CI/CD pipelines that need secure access to third-party services.

With Aembit Edge API you can:

  • Retrieve credentials on-demand for any configured service from your CI/CD pipelines.
  • Authenticate workloads using platform-native identity tokens (GitHub Actions, GitLab CI, AWS Lambda, etc.).
  • Eliminate hardcoded secrets by fetching credentials just-in-time.
  • Support multiple credential types including API keys, username/password, and CI/CD provider tokens.

Check out the Edge API get started page to learn more or start using it right away with the Aembit Edge quickstart guide.


Aembit Discovery can now discover additional resources when you use Wiz as a Discovery Source.

Through the Wiz integration, Aembit now discovers Client Workload resources such as VMs, AWS- and Azure-specific Client Workload Identifiers, and many others. As for Server Workload resources, Aembit now discovers Azure Blob Storage, GCP BigQuery, and many others.

For the full list, see Wiz-discoverable resource types.

Improved Agent Controller TLS reporting and environment variable logging

Aembit has released a new version of Agent Controller, version 1.23.2263, with the following changes:

  • Enhanced TLS certificate status reporting with improved retry and error handling.

  • Added comprehensive logging for environment variable configuration with sensitive data masking for secure review.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • VM Agent Controller package

  • Terraform ECS module

See Edge Components supported versions for more details.

Workload Discovery filtering and Global Policy Compliance reporting now available

Introducing Workload Discovery Filtering for improved workload management and visibility across your discovered infrastructure. This enhancement adds comprehensive filtering capabilities to both Client Workloads and Server Workloads discovery pages, enabling you to quickly locate and analyze specific workloads.

Filtering options include:

  • Client Workloads: Filter by Client Workload Identifiers and Workload Discovery Source
  • Server Workloads: Filter by Port, Protocol, and Workload Discovery Source

Server Workload discovery filtering

This feature streamlines workload management by enabling you to efficiently search through discovered workloads, making it easier to identify, analyze, and onboard relevant workloads into your Aembit environment.

To learn more about discovered workload filtering, see Workload Discovery Filtering.


You can now view the Global Policy Compliance status of your Access Policies using the new Global Policy Compliance page under Reporting in the left nav menu. Quickly get an overall view of the compliance status of your Access Policies and optionally filter for specific statuses.

Global Policy Compliance report dashboard

To learn more about reporting on Global Policy Compliance status, see How to review Global Policy Compliance.

Kerberos and PKI security enhancements for Agent Proxy

Aembit has released a new version of Agent Controller, version 1.23.2160, with the following changes:

  • Security enhancements for Kerberos and Aembit-managed PKI.

  • Added the AEMBIT_HTTP_PORT_DISABLED environment variable so you can disable Agent Controller’s HTTP port.


Updated Edge Components:

  • Agent Proxy 1.23.2160

Updated Edge Packages:

  • Helm Chart 1.23

  • Terraform ECS module 1.23

See Edge Components supported versions for more details.

CrowdStrike SIEM Log Streams and Agent Proxy enhancements

Introducing Log Streams for CrowdStrike Next-Gen SIEM for real-time security event monitoring and enhanced threat detection. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to CrowdStrike’s Next-Gen Security Information and Event Management (SIEM) platform using the HTTP Event Collector (HEC) protocol.

By connecting Aembit with CrowdStrike Next-Gen SIEM, you can:

  • Stream Access Authorization Events, Audit Logs, and Workload Events to CrowdStrike SIEM
  • Configure TLS encryption and verification options
  • Receive automatic failure notifications as an Aembit admin
  • Integrate seamlessly with existing CrowdStrike HEC configurations

This feature enhances your organization’s security posture by improving threat detection capabilities, streamlining incident management, and supporting compliance monitoring requirements through centralized log analysis in CrowdStrike.

To learn more, see Log Streams for CrowdStrike Next-Gen SIEM.


Aembit has applied security and performance enhancements to Agent Proxy in this release.


Aembit has added the AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED Agent Proxy environment variable to enable Process Name Client Workload identification.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

  • AWS Lambda Layer

See Edge Components supported versions for more details.