
OAuth 2.0 Authorization Code Credential Provider enters beta

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for third-party SaaS services that only issue short-lived credentials through the OAuth 2.0 Authorization Code Flow. These services include:

  • Atlassian
  • GitLab
  • Slack
  • GCP BigQuery
  • Apigee
  • PagerDuty

This beta release lets users work with these third-party SaaS services and have short-lived access tokens generated on demand for authenticating to the APIs those services provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider for use with any of these third-party services, please see the OAuth 2.0 Authorization Code Credential Provider page.

Non-root Aembit containers and configurable Agent Proxy file descriptor limits

Aembit has released two new feature updates that enhance existing Aembit functionality.

Aembit Containers

All injected Aembit containers are now run as non-root users.

Agent Proxy File Descriptor Limits

Users may configure a limit on the number of file descriptors Agent Proxy is allowed to open on a VM. You may set this number when Agent Proxy is installed (using the AEMBIT_FD_LIMIT environment variable).

Virtual machines

  • Default Limit - 65535, set by the Agent Proxy installer

  • Configuration - This limit is configurable via the AEMBIT_FD_LIMIT environment variable. This value is passed directly to systemd in Agent Proxy’s service file at the time of installation.

  • Example - AEMBIT_FD_LIMIT=200000 [...] ./install

Kubernetes

  • Default Limit - This limit is inherited from the container runtime.

  • Configuration - There is no official support without modifying the underlying runtime. For more information on configuring these limits, please see the Kubernetes limits support GitHub thread.

AWS ECS

  • Default Limit - 1024

  • Configuration - This limit is configurable via the ECS Task Definition API or ECS Dashboard. Please refer to the AWS ECS Developer Guide for more detailed information on how to configure these limits.

AWS Lambda

  • Default Limit - 1024

  • Configuration - This limit is not configurable. For more information, please refer to the AWS Lambda Developer Guide.
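The following is an added example, not Aembit's installer code, showing how a wrapper around the VM install step might validate AEMBIT_FD_LIMIT before handing it on and what the value maps to on the systemd side. The page only states that the value is passed directly to systemd in the Agent Proxy service file; the directive name (LimitNOFILE) and the drop-in layout below are assumptions about that mapping.

```shell
#!/bin/sh
# Added example (not Aembit's installer): sanity-check AEMBIT_FD_LIMIT and
# render the systemd directive it is assumed to become. Default 65535 is the
# VM default documented on the page.

AEMBIT_FD_DEFAULT=65535

# validate_fd_limit VALUE
#   Prints the limit to use. Empty input falls back to the documented default;
#   non-numeric or zero values are rejected so a typo cannot silently produce
#   an unusable service file.
validate_fd_limit() {
    value="$1"
    if [ -z "$value" ]; then
        echo "$AEMBIT_FD_DEFAULT"
        return 0
    fi
    case "$value" in
        *[!0-9]*)
            echo "AEMBIT_FD_LIMIT must be a positive integer, got '$value'" >&2
            return 1 ;;
    esac
    if [ "$value" -lt 1 ]; then
        echo "AEMBIT_FD_LIMIT must be >= 1, got '$value'" >&2
        return 1
    fi
    echo "$value"
}

# render_fd_limit_dropin LIMIT
#   Prints a systemd drop-in fragment. LimitNOFILE is the assumed directive;
#   an operator would place this under the Agent Proxy unit's .d/ directory.
render_fd_limit_dropin() {
    printf '[Service]\nLimitNOFILE=%s\n' "$1"
}

# fd_limit_satisfied LIMIT
#   Returns 0 when the current shell's soft descriptor limit already meets
#   LIMIT; useful for a post-install check from the service's own environment.
fd_limit_satisfied() {
    current=$(ulimit -n)
    [ "$current" = "unlimited" ] && return 0
    [ "$current" -ge "$1" ]
}

# Usage: limit=$(validate_fd_limit "${AEMBIT_FD_LIMIT:-}") || exit 1
#        render_fd_limit_dropin "$limit"
```

A rejected value exits non-zero before anything is written, which is the behaviour you want in an installer pipeline: a bad limit should fail the install rather than produce a unit that systemd refuses to start.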

AWS Role Trust Provider now available

Aembit has released an update to support AWS Role-Based Trust Providers.

The ability to create and use different types of Trust Providers in your Aembit environment gives you flexibility in how resources are managed. With this enhancement, you have an additional option when selecting a Trust Provider.

For more information on AWS Role-Based Trust Providers, please see the AWS Role Trust Provider page.

Resource Sets now available

Many organizations have security requirements that specify which resources should be managed by which group, and you may need to segment management responsibilities for certain entities and resources in your Aembit environment between different individuals and groups. To address this requirement, Aembit has released the Resource Sets feature, which lets you determine which groups have access to which resources.

Resource Sets enable you to group entities and resources (e.g. Credential Providers, Trust Providers, Identity Providers, etc.) into a single collection and assign specific users to manage these resources.

For more detailed technical information on how to create and manage Resource Sets, please refer to the Resource Sets technical documentation.

Graceful Agent Proxy shutdown for sidecars

In some cases, you may need to shut down Agent Proxy manually when the main container exits while a sidecar is still running. Killing the whole job is undesirable because it then appears as a cancelled job, so Aembit now provides a way to terminate Agent Proxy gracefully while allowing the sidecar to keep running.

For more detailed information on this feature, please refer to the Agent Proxy Shutdown page.

AWS Lambda Container deployment now supported

There are many different deployment options you can currently use to deploy Aembit Edge Components in your environment, including GitHub Actions, GitLab Jobs, and Kubernetes.

To increase the available deployment options for our users, Aembit now provides support for users who wish to deploy Aembit Edge Components to an Amazon Web Services (AWS) Lambda Container.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Containers, please refer to the AWS Lambda Container technical documentation.

GeoIP Access Conditions and Google Cloud Storage Log Streams now available

Aembit has released two new features on Aembit Cloud:

  • Access Condition support for Geographic IP (GeoIP) restrictions
  • Log Stream support for streaming to Google Cloud Storage Buckets

Aembit GeoIP Access Conditions

You may now configure and add Aembit GeoIP conditions in your Aembit Tenant. This new Access Condition type enables you to explicitly designate which countries/regions will have access to Server Workloads from policy-enabled Client Workloads.

For more information on this feature, please refer to the Access Conditions for GeoIP Restriction page.

Google Cloud Storage Bucket Log Streams

Aembit now supports Log Streams that target Google Cloud Storage (GCS) Buckets. You may add or configure this new Log Stream destination type in the Administration tab of your Aembit Tenant.

For more information on this feature, please refer to the Google Cloud Storage Bucket Log Streams page.

Kerberos Trust Provider now available for Active Directory

Aembit has released a Kerberos Trust Provider that enables attestation of Client Workloads running in virtual machine environments joined to Active Directory. This attestation method is designed specifically for on-premises deployments where alternative attestation methods, such as the AWS or Azure metadata service Trust Providers, are not available.

For more detailed information on this Kerberos Trust Provider, please refer to the Kerberos Trust Provider technical documentation.

SAML SSO authentication now available for administrators

Aembit now supports SAML SSO authentication for administrators who wish to simplify the Aembit Tenant login process for their users. Instead of entering username and password credentials every time they access the Aembit Tenant, users can log in through a third-party SAML SSO provider (e.g. Google, Okta, Microsoft Entra).

For more information on how to configure Identity Providers using SAML, please see the Configuring Identity Providers technical documentation.

Access Authorization Events and Google Cloud Run Jobs support now available

Support for Access Authorization Events

Aembit has now enabled support for Access Authorization Events. Access Authorization Events enable customers to observe credential requests.

Support for Google Cloud Run Jobs as Client Workloads

Aembit supports Google Cloud Run Jobs as Client Workloads. With this support, you can now:

  • authenticate to the Aembit IdP using Attestation with the GCP Cloud Run Job Identity

  • request and retrieve a secret from GCP Secret Manager

Agent Controller high availability now supported

The Aembit Agent Controller can now be installed in high availability configurations. Because the Agent Controller is a critical Aembit Edge Component that manages Agent Proxy registration and credential acquisition for Aembit Cloud access, HA support was necessary to ensure the continuous availability of the Agent Controller.

For information on installing and configuring Agent Controller in high availability environments, please see the Agent Controller High Availability page.

MFA support and Linux virtual machine Edge deployment now available

Several new feature updates and additions have been made to improve the Aembit user experience. These updates include:

  • Admin console multi-factor authentication support
  • Edge components VM deployment support

Multi-factor authentication support

Aembit now supports Multi-Factor Authentication (MFA) so that users can add an additional authentication method. Users can:

  • scan a QR code to configure their compatible authentication application
  • retrieve MFA Recovery Codes in case the device or application is unavailable
  • view the users who have configured MFA within the Aembit Users view.

Linux-based VM deployment support

Users may now deploy Aembit Edge Components to non-Kubernetes virtual machines. This feature gives users more options for how they deploy these components.

For more detailed information about this feature, please see the virtual machine Installation page.