
End-to-end mTLS between Client and Server Workloads with SPIFFE X.509-SVID certificates

Introducing end-to-end mutual TLS (mTLS) between Client Workloads and Server Workloads using SPIFFE-compliant X.509-SVID certificates.

Aembit has released new versions of the following components and packages:

  • Agent Proxy
  • Cloud (Tenant UI + API)
  • EdgeAPI
  • Terraform Provider
  • Helm Chart
  • Terraform ECS module
  • AWS Lambda Extension
  • AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Agent Proxy outbound mTLS with X.509-SVID: Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, with no application code changes required.
  • mTLS Authentication method for Server Workloads: A new authentication method, mTLS Authentication with the x509 Certificate scheme, lets Server Workloads validate the client certificate that Agent Proxy presents during the mTLS handshake.
  • X.509-SVID Credential Provider: A new Credential Provider type that issues SPIFFE-compliant X.509 certificates. This release’s Agent Proxy update is what consumes them for outbound mTLS to Server Workloads.

Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, enabling certificate-based workload-to-workload authentication without application code changes.

What’s new:

  • In-memory private key: Agent Proxy generates an ECDSA key pair in memory for each X.509-SVID certificate. The private key is never written to disk and is never transmitted to Aembit Cloud.
  • Automatic rotation at 80% of certificate lifetime: Agent Proxy refreshes the certificate well before expiration, generating a new key pair on each refresh. In-progress mTLS connections continue using the prior certificate until they close.
  • mTLS Authentication for Server Workloads: A new Server Workload authentication method (mTLS Authentication with the x509 Certificate scheme) lets the Server Workload side validate the X.509-SVID certificate that Agent Proxy presents during the handshake.

For the end-to-end workflow and procedure, see Enable mTLS on a Server Workload. For the authentication-method catalog, see Authentication methods and schemes.


Aembit is introducing a new X.509-SVID Credential Provider type that issues SPIFFE-compliant X.509 certificates to Client Workloads, signed by an Aembit Standalone CA.

What’s new:

  • SPIFFE-compliant identity in the URI Subject Alternative Name (SAN): Every issued certificate embeds the workload’s SPIFFE ID as a URI SAN, so SPIFFE-aware Server Workloads can authenticate the Client Workload during the TLS handshake.
  • Literal or dynamic Subject and SPIFFE ID: Configure either field with a fixed value or with template expressions that resolve at issuance time using workload attestation attributes.
  • Configurable Extended Key Usage: Default to id-kp-clientAuth for outbound mTLS, or add id-kp-serverAuth to use the same certificate as a server credential.
  • Configurable certificate lifetime: Set the lifetime in minutes (default 15). Agent Proxy automatically refreshes the certificate before expiration (typically at 80% of the configured lifetime).

For setup instructions, see Create an X.509-SVID Credential Provider. For concepts and the end-to-end issuance flow, see About the X.509-SVID Credential Provider.
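The two release items above describe one flow: Agent Proxy generates an in-memory ECDSA key, gets a certificate whose only URI SAN is the workload's SPIFFE ID and whose EKU is id-kp-clientAuth, refreshes it at 80% of its lifetime, and the Server Workload validates what is presented in the handshake. The following is an added Go example written for this page, not Aembit's code: it uses only the standard library, and the stand-in CA, the trust domain `example.org`, the SPIFFE ID `spiffe://example.org/ns/prod/sa/payments`, the `allowed` policy map and every function name are constructed for illustration. The part the release note leaves implicit is the server side: chain validation to the trusted CA with the clientAuth EKU required, exactly one URI SAN, a trust-domain check, and authorization on the SPIFFE ID rather than on the Subject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// mint generates a fresh in-memory ECDSA P-256 key for tmpl and signs it with parent (self-signed when nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCA builds a self-signed CA that stands in for the issuing CA (constructed for this example).
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now().Truncate(time.Second)
	return mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "example-standalone-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueSVID mints a leaf X.509-SVID: new key, the SPIFFE ID as the sole URI SAN,
// id-kp-clientAuth only, and a lifetime given in minutes.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, lifetimeMin int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id, err := url.Parse(spiffeID)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" {
		return nil, nil, fmt.Errorf("%q is not a valid SPIFFE ID", spiffeID)
	}
	now := time.Now().Truncate(time.Second)
	return mint(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "x509-svid"},
		NotBefore:   now,
		NotAfter:    now.Add(time.Duration(lifetimeMin) * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}, ca, caKey)
}

// verifyClientSVID is the Server Workload side of the handshake: chain to the trusted CA with
// id-kp-clientAuth required, demand exactly one URI SAN, check the trust domain, authorize on the SPIFFE ID.
func verifyClientSVID(leaf *x509.Certificate, roots *x509.CertPool, trustDomain string, allowed map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(leaf.URIs))
	}
	id := leaf.URIs[0].String()
	if leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("%s is outside trust domain %s", id, trustDomain)
	}
	if !allowed[id] {
		return "", fmt.Errorf("%s is not authorized by policy", id)
	}
	return id, nil
}

// refreshAt is the rotation point: 80% of the way from NotBefore to NotAfter.
func refreshAt(c *x509.Certificate) time.Time {
	return c.NotBefore.Add(c.NotAfter.Sub(c.NotBefore) * 8 / 10)
}

func main() {
	ca, caKey, _ := issueCA()
	leaf, _, err := issueSVID(ca, caKey, "spiffe://example.org/ns/prod/sa/payments", 15)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	id, err := verifyClientSVID(leaf, roots, "example.org", map[string]bool{"spiffe://example.org/ns/prod/sa/payments": true})
	fmt.Println("authorized:", id, "err:", err, "rotate at:", refreshAt(leaf).Format(time.RFC3339))
}
```

Two points worth checking in your own server-side code: the `KeyUsages` entry in `x509.VerifyOptions` is what makes the clientAuth EKU mandatory, and a verifier that omits it will accept a certificate issued with only id-kp-serverAuth; and because in-flight connections keep the certificate they were opened with, `refreshAt` is the moment to schedule the next `issueSVID`, after which the previous in-memory key is simply dropped.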

Edge components release with Oracle GA and HTTP proxy support

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • Agent CLI
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Oracle Application Protocol GA: Oracle Database protocol support is now available for production use, including mid-connection TLS support, improved client error handling, Prometheus metrics for Oracle credential injection events, and internal packet-handling improvements.
  • Upstream HTTP proxy support: Agent Proxy and Aembit CLI now support upstream HTTP proxy configuration for gRPC and Server-Workload-bound HTTP/HTTPS traffic, with NO_PROXY honored.
  • S3 upload size restriction removed: Large file uploads to AWS S3 Log Streams are now supported via streaming AWS chunked signing, removing the previous upload size limit. See How Aembit uses AWS SigV4 and SigV4a for more details.
  • Expanded credential resolver capabilities: Enhanced support for credential provider resolution across deployment types.
  • Dynamic claims from environment variables: Agent Proxy and Aembit CLI can now gather dynamic claims from environment variables, controlled by the AEMBIT_ENV_VAR_ALLOWLIST.
  • CLI enhancements: Aembit CLI adds the --client-workload-id flag and OIDC token expiration validation.
  • General improvements: Numerous stability and reliability improvements across edge components.
  • Security upgrades: Security dependency upgrades across edge components.
  • Improved logging and observability: Improved request logging and enhanced error reporting for common failure conditions.

Agent Proxy now honors HTTP proxy environment variables

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Proxy

Agent Proxy now honors HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. If your network routes outbound traffic through an HTTP proxy, you can configure these environment variables so that Agent Proxy routes its outbound connections through the proxy.

For details, see Agent Proxy environment variables.

For the latest available versions of these components, see the Edge Components Supported Versions page.

Edge components release with S3 stability and OpenShift improvements

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • VM Agent Controller package
  • Agent Proxy
  • Agent Controller

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Apply stability improvements for S3 uploads and downloads
  • Improve Helm Chart compatibility across Kubernetes platforms including Red Hat OpenShift (ROSA)

Oracle Database support enters beta with new process-based identifiers

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • VM Agent Proxy package
  • VM Agent Controller package
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector
  • Agent Proxy
  • Agent Controller

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Oracle Database protocol support (Limited Beta)
  • Support Process Command Line and Process Path client workload identification

Aembit’s Agent Proxy now supports the Oracle Database application protocol in Limited Beta. This enables Aembit to manage access for client workloads connecting to Oracle databases by intercepting the TNS wire protocol and injecting credentials transparently.

Key capabilities:

  • Username/password credential injection for Oracle 19c and 21c databases (12C password verifier only)
  • Support for thin Oracle clients (Java, Python), with experimental thick client support
  • Tested with AWS RDS for Oracle and containerized Oracle environments
  • Transparent steering on Linux VM deployments

For setup instructions, see the Oracle Database Server Workload guide. For an overview of how Oracle protocol support works, see About Oracle Databases.


Aembit’s Agent Proxy now supports Process Command Line and Process Path as Client Workload identifiers. These identifiers allow you to identify client workloads based on their full command line or executable path, providing more granular control over which applications can access your protected resources.

Key capabilities:

  • Process Command Line: Identify workloads by the full command used to start them, including arguments. Supports wildcard matching to target specific arguments (for example, *--env production*).
  • Process Path: Identify workloads by the exact filesystem path of the executable.
  • Combine with other identifiers like Process Name and Process User Name for precise matching.
  • Supports Linux virtual machine deployments.

For configuration details, see Process Command Line and Process Path.

Edge components release with S3 streaming and Secrets Manager improvements

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Improved AWS S3 upload streaming signature support
  • AWS Secrets Manager Private Network Access username/password credential support (requires Agent Proxy 1.28)

Aembit has improved Agent Proxy’s AWS S3 upload support with enhanced streaming signature handling. Agent Proxy 1.28 addresses limitations from the 1.27 release related to streaming signed payloads.

Key capabilities:

  • Improved handling of aws-chunked content encoding for streaming uploads
  • Better compatibility with AWS SDK streaming operations
  • Enhanced request signing for chunked transfer encoding

For complete documentation, see How Aembit uses AWS SigV4 and SigV4a.


The AWS Secrets Manager Credential Provider with Private Network Access now supports username/password credentials. This extends the PNA capability introduced in Agent Proxy 1.27 to include secrets stored as username/password pairs.

Requirements:

  • Agent Proxy 1.28 or later

For configuration details, see AWS Secrets Manager Credential Provider.

Aembit has released new versions of the following components and packages:

  • VM Agent Proxy package
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Added private network access support for HTTP Basic Auth Credential Providers using AWS Secrets Manager.
  • Added process name and process username as Client Workload Identifiers.
  • Extended AWS S3 support to include all SigV4 headers, enabling required signing type specification.

Edge components release with AWS S3 uploads and multiple AWS STS support

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Support AWS S3 upload request workloads
  • Support multiple AWS STS Credential Providers in a single Access Policy via Access Key ID mapping

Aembit’s Agent Proxy now supports AWS S3 file uploads. Agent Proxy transparently handles S3’s complex signing requirements, including detecting client signatures, re-signing requests with injected credentials, and streaming large file uploads.

Key capabilities:

  • Automatic detection of S3 signing methods using the x-amz-content-sha256 header
  • Support for unsigned payloads, streaming signatures, and standard SigV4 signing
  • Transparent credential injection without client-side configuration changes

Known limitations in this release, and their workarounds, are documented in How Aembit uses AWS SigV4 and SigV4a.


Aembit now supports multiple AWS Security Token Service (STS) Credential Providers within a single Access Policy. This feature enables a single Client Workload to access multiple AWS resources, each requiring different IAM roles, without creating separate Access Policies.

Key capabilities:

  • Access Key ID selectors for automatic Credential Provider matching
  • Simplified policy management with multiple AWS STS Credential Providers per Access Policy
  • Seamless credential injection for applications accessing different AWS services

Minimum Edge Component versions required:

  • Agent Proxy 1.27.3865
  • Agent Controller 1.27.2906

For complete documentation, see Using multiple AWS STS Credential Providers.
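The two items above, re-signing S3 requests with injected credentials and choosing among several AWS STS Credential Providers by Access Key ID, come down to one mechanism: the client signs with a placeholder Access Key ID, the proxy parses the `Authorization` header, maps that key ID to a provider, rebuilds the SigV4 canonical request over exactly the headers the client signed, and recomputes the signature with the injected secret. The following is an added Go example written for this page; it is not Aembit's code and does not claim to reproduce Agent Proxy's implementation. The `stsProvider` type, the selector and injected key IDs, the secrets and the S3 request in `sampleRequest` are all constructed. It assumes an unsigned or pre-hashed payload (the streaming `aws-chunked` case, which re-signs each chunk, is not shown) and a query string that already arrived in canonical form.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// stsProvider stands in for one AWS STS Credential Provider (constructed); its map key is the selector.
type stsProvider struct{ AccessKeyID, Secret string }

type sigV4Scope struct {
	AccessKeyID, Date, Region, Service string
	SignedHeaders                      []string // lower-case and sorted, as SigV4 requires of the client
}

// parseAuthorization splits "AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...".
func parseAuthorization(h string) (s sigV4Scope, err error) {
	if !strings.HasPrefix(h, "AWS4-HMAC-SHA256 ") {
		return s, errors.New("not a SigV4 Authorization header")
	}
	for _, part := range strings.Split(h[len("AWS4-HMAC-SHA256 "):], ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		switch k {
		case "Credential": // AKID/yyyymmdd/region/service/aws4_request
			f := strings.Split(v, "/")
			if len(f) != 5 || f[4] != "aws4_request" {
				return s, errors.New("malformed Credential scope")
			}
			s.AccessKeyID, s.Date, s.Region, s.Service = f[0], f[1], f[2], f[3]
		case "SignedHeaders":
			s.SignedHeaders = strings.Split(strings.ToLower(v), ";")
		}
	}
	return s, nil
}

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// canonicalRequest rebuilds the SigV4 canonical request over exactly the headers the client signed.
func canonicalRequest(req *http.Request, scope sigV4Scope) string {
	var hdrs strings.Builder
	for _, h := range scope.SignedHeaders {
		val := req.Header.Get(h)
		if h == "host" { // Go keeps Host outside the header map
			val = req.Host
		}
		hdrs.WriteString(h + ":" + strings.Join(strings.Fields(val), " ") + "\n")
	}
	return strings.Join([]string{req.Method, "/" + strings.TrimPrefix(req.URL.EscapedPath(), "/"),
		req.URL.RawQuery, hdrs.String(), strings.Join(scope.SignedHeaders, ";"),
		req.Header.Get("x-amz-content-sha256")}, "\n")
}

// resign maps the client's Access Key ID to a provider and recomputes the signature with the injected secret.
func resign(req *http.Request, providers map[string]stsProvider) (string, error) {
	scope, err := parseAuthorization(req.Header.Get("Authorization"))
	if err != nil {
		return "", err
	}
	p, ok := providers[scope.AccessKeyID]
	if !ok {
		return "", fmt.Errorf("no STS Credential Provider selects Access Key ID %q", scope.AccessKeyID)
	}
	amzDate := req.Header.Get("x-amz-date")
	if !strings.HasPrefix(amzDate, scope.Date) {
		return "", errors.New("x-amz-date does not match the credential scope date")
	}
	credScope := strings.Join([]string{scope.Date, scope.Region, scope.Service, "aws4_request"}, "/")
	stringToSign := fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%x", amzDate, credScope, sha256.Sum256([]byte(canonicalRequest(req, scope))))
	// kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
	k := hmacSHA256([]byte("AWS4"+p.Secret), scope.Date)
	for _, step := range []string{scope.Region, scope.Service, "aws4_request"} {
		k = hmacSHA256(k, step)
	}
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", p.AccessKeyID,
		credScope, strings.Join(scope.SignedHeaders, ";"), hex.EncodeToString(hmacSHA256(k, stringToSign))), nil
}

// sampleRequest is a constructed S3 GET as the client sends it, signed with a placeholder key ID.
func sampleRequest() *http.Request {
	req, _ := http.NewRequest("GET", "https://reports.s3.us-east-1.amazonaws.com/q1/summary.csv", nil)
	req.Header.Set("x-amz-date", "20250101T000000Z")
	req.Header.Set("x-amz-content-sha256", "UNSIGNED-PAYLOAD")
	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AEMBITSELECTOR00001/20250101/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=0000")
	return req
}

func main() {
	fmt.Println(resign(sampleRequest(), map[string]stsProvider{"AEMBITSELECTOR00001": {"ASIAINJECTED0000001", "constructed-secret-1"}}))
}
```

Two properties matter for the injection model. The proxy never needs the client's secret: the placeholder signature is discarded and only the Access Key ID is read from it, so a compromised client learns nothing about the real credential. And the canonical request is rebuilt from the same SignedHeaders set the client used, so a header changed after the client signed it does not get silently laundered into a valid signature; the date check against the credential scope is there for the same reason.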


Aembit has expanded the Server Workload documentation with new guides covering architecture patterns, credential lifecycle management, developer integration, and troubleshooting. These resources help you understand how Aembit manages credentials for your Server Workloads and provide guidance for integrating Aembit into your applications.

New documentation:

New and updated Server Workload guides:

  • NEW Microsoft Entra ID - Authenticate to Entra ID-protected resources using Azure Entra Workload Identity Federation or OAuth interception
  • UPDATED AWS services - Authenticate to AWS services using AWS Security Token Service (STS) Credential Providers and SigV4 signing

Azure Key Vault Credential Provider and OIDC SSO now available

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Azure Key Vault Private Network Access: Added support for accessing Azure Key Vault instances configured with private network endpoints
  • Performance Improvements: Enhanced performance for Secure Parameter Exchange (SPE) Postgres database operations
  • Dependency Updates: Updated multiple project dependencies to their latest stable versions
  • Rust and Hyper Upgrade: Upgraded to Rust 1.89.0 and introduced the hyper HTTP library for improved performance and security
  • Logging Enhancements: Internal improvements to logging functionality for better observability and debugging

Aembit has released the new Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider.

Together, they enable you to retrieve secrets from Azure Key Vault directly through Aembit using Azure’s Workload Identity Federation.

The Azure Entra Federation integration leverages OpenID Connect (OIDC) standards to authenticate with Azure Entra without requiring long-lived secrets or static credentials. This allows Aembit to securely access your Azure Key Vault instances using short-lived, federated tokens.

The Azure Key Vault Credential Provider supports:

  • Single value credentials (API keys, tokens)
  • Username/Password credentials
  • Both public and private network access scenarios
  • Policy-driven access controls and centralized auditing

See Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider to learn more.


You can now configure OIDC 1.0 Identity Providers for administrator Single Sign-On (SSO) authentication. This enables you to use OIDC-compliant identity providers such as Okta, Azure AD, and Auth0 to simplify the Aembit Tenant login process for your users. With OIDC support, you can leverage your existing identity infrastructure for secure, standardized authentication to the Aembit administrative console.

For more information, see Create an OIDC Identity Provider.

Edge components release with OpenShift support and AWS Secrets Manager private network access

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

  • Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraints (SCC) configurations and deployment best practices. See OpenShift deployment guide.
  • AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
  • Aembit CLI CrowdStrike support.
  • Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
  • New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
  • Support for volume-mounted certificates in Aembit Edge Components.
  • Security and performance enhancements.

Updated Edge Components:

  • Agent Proxy 1.25.3494
  • Sidecar Init 1.25.127
  • Helm Chart 1.25.494

See Edge Components supported versions for more details.


Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieves secrets from AWS Secrets Manager directly, so the secret values never transit Aembit Cloud.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.


Discovery filtering and OIDC ID Token Trust Provider now available

Aembit has added more advanced filtering options to the Discovered tab for Client and Server Workloads. This enables you to find specific discovered workloads based on the criteria you filter.

Screenshots: Discovered Client Workloads page; Discovered Server Workloads page.

See Filtering Discovered Workloads for more info.


Aembit has added the OIDC ID Token Trust Provider. This Trust Provider is Aembit’s solution for authenticating workloads using standard OIDC ID tokens. It validates incoming tokens against specific issuer, audience, and subject claims, giving you maximum flexibility to integrate with virtually any OIDC-compliant identity provider for secure, token-based workload access.

See OIDC ID Token Trust Provider for more info.


Aembit has applied security and performance enhancements to Agent Proxy version 1.24.3324 in this release.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart
  • Terraform ECS module
  • AWS Lambda Extension

See Edge Components supported versions for more details.

Kerberos and PKI security enhancements for Agent Proxy

Aembit has released a new version of Agent Controller, version 1.23.2160, with the following changes:

  • Security enhancements for Kerberos and Aembit-managed PKI.
  • Added the AEMBIT_HTTP_PORT_DISABLED environment variable to enable you to disable Agent Controller’s HTTP port.


Updated Edge Components:

  • Agent Proxy 1.23.2160

Updated Edge Packages:

  • Helm Chart 1.23
  • Terraform ECS module 1.23

See Edge Components supported versions for more details.

CrowdStrike SIEM Log Streams and Agent Proxy enhancements

Introducing Log Streams for CrowdStrike Next-Gen SIEM for real-time security event monitoring and enhanced threat detection. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to CrowdStrike’s Next-Gen Security Information and Event Management (SIEM) platform using the HTTP Event Collector (HEC) protocol.

By connecting Aembit with CrowdStrike Next-Gen SIEM, you can:

  • Stream Access Authorization Events, Audit Logs, and Workload Events to CrowdStrike SIEM
  • Configure TLS encryption and verification options
  • Receive automatic failure notifications as an Aembit admin
  • Reuse existing CrowdStrike HEC configurations

This feature enhances your organization’s security posture by improving threat detection capabilities, streamlining incident management, and supporting compliance monitoring requirements through centralized log analysis in CrowdStrike.

To learn more, see Log Streams for CrowdStrike Next-Gen SIEM.


Aembit has applied security and performance enhancements to Agent Proxy in this release.


Aembit has added the AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED Agent Proxy environment variable to enable Process Name Client Workload identification.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart
  • VM Agent Proxy package
  • Terraform ECS module
  • AWS Lambda Extension
  • AWS Lambda Layer

See Edge Components supported versions for more details.

Pod startup delay and security enhancements for Agent Proxy

Aembit has added the AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION Agent Proxy environment variable to enable you to delay the Client Workload Kubernetes pod startup until registration between Agent Proxy and Agent Controller completes. See Delaying pod startup until Agent Proxy has registered for details.


Aembit has applied security enhancements and hardening to Agent Proxy in this release.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart
  • VM Agent Proxy package
  • Terraform ECS module
  • AWS Lambda Extension

See Edge Components supported versions for more details.

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart
  • VM Agent Proxy package
  • Terraform ECS module
  • AWS Lambda Extension

See Edge Components supported versions.

Vault private network access and CrowdStrike on Windows now available

Aembit now supports accessing HashiCorp Vault Credential Providers that reside on private networks. This allows your colocated Agent Proxy to handle authentication directly instead of Aembit Cloud. See Accessing Vault on private networks for more info.

Aembit now supports Conditional Access for CrowdStrike on Windows. To set up Conditional Access for CrowdStrike on Windows, follow the steps in Access Condition for CrowdStrike.

Aembit now supports the AWS Role Trust Provider on Agent Proxy for ECS Fargate deployments.

Enhanced Vault token header behavior.

Enhanced Agent Proxy initialization on Kubernetes to prevent other processes from interfering and impacting its startup.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • AWS Lambda Extension

See Edge Components supported versions.