Skip to content
Releases GitHub

Changelog — Credential Provider Enhancements

Subscribe with RSS

Credential Provider
Enhancement
Clear all

End-to-end mTLS between Client and Server Workloads with SPIFFE X.509-SVID certificates

Introducing end-to-end mutual TLS (mTLS) between Client Workloads and Server Workloads using SPIFFE-compliant X.509-SVID certificates.

Aembit has released new versions of the following components and packages:

  • Agent Proxy
  • Cloud (Tenant UI + API)
  • EdgeAPI
  • Terraform Provider
  • Helm Chart
  • Terraform ECS module
  • AWS Lambda Extension
  • AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Agent Proxy outbound mTLS with X.509-SVID: Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, with no application code changes required.
  • mTLS Authentication method for Server Workloads: A new authentication method, mTLS Authentication with the x509 Certificate scheme, lets Server Workloads validate the client certificate that Agent Proxy presents during the mTLS handshake.
  • X.509-SVID Credential Provider: A new Credential Provider type that issues SPIFFE-compliant X.509 certificates. This release’s Agent Proxy update is what consumes them for outbound mTLS to Server Workloads.

Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, enabling certificate-based workload-to-workload authentication without application code changes.

What’s new:

  • In-memory private key: Agent Proxy generates an ECDSA key pair in memory for each X.509-SVID certificate. The private key is never written to disk and is never transmitted to Aembit Cloud.
  • Automatic rotation at 80% of certificate lifetime: Agent Proxy refreshes the certificate well before expiration, generating a new key pair on each refresh. In-progress mTLS connections continue using the prior certificate until they close.
  • mTLS Authentication for Server Workloads: A new Server Workload authentication method (mTLS Authentication with the x509 Certificate scheme) lets the Server Workload side validate the X.509-SVID certificate that Agent Proxy presents during the handshake.

For the end-to-end workflow and procedure, see Enable mTLS on a Server Workload. For the authentication-method catalog, see Authentication methods and schemes.

Aembit is introducing a new X.509-SVID Credential Provider type that issues SPIFFE-compliant X.509 certificates to Client Workloads, signed by an Aembit Standalone CA.

What’s new:

  • SPIFFE-compliant identity in the URI Subject Alternative Name (SAN): Every issued certificate embeds the workload’s SPIFFE ID as a URI SAN, so SPIFFE-aware Server Workloads can authenticate the Client Workload during the TLS handshake.
  • Literal or dynamic Subject and SPIFFE ID: Configure either field with a fixed value or with template expressions that resolve at issuance time using workload attestation attributes.
  • Configurable Extended Key Usage: Default to id-kp-clientAuth for outbound mTLS, or add id-kp-serverAuth to use the same certificate as a server credential.
  • Configurable certificate lifetime: Set the lifetime in minutes (default 15). Agent Proxy automatically refreshes the certificate before expiration (typically at 80% of the configured lifetime).

For setup instructions, see Create an X.509-SVID Credential Provider. For concepts and the end-to-end issuance flow, see About the X.509-SVID Credential Provider.

Tags:

Dynamic claims now support custom environment variables

Custom environment variables on Agent Proxy and Aembit CLI can now feed into OIDC and JWT-SVID dynamic claims, gated by an explicit allowlist.

What’s new:

  • AEMBIT_ENV_VAR_ALLOWLIST: A new environment variable that defines which custom variables Agent Proxy and Aembit CLI may capture for use in dynamic claims. By default, Agent Proxy and Aembit CLI capture no custom variables.
  • Always-available Kubernetes variables: K8S_POD_NAME, K8S_NAMESPACE, and KUBERNETES_PROVIDER_ID are now usable in dynamic claims regardless of the allowlist.

For setup instructions, see Configure custom environment variables for Agent Proxy. For the dynamic claims expression syntax, see OIDC and JWT-SVID dynamic claims.

Tags:

OAuth 2.0 Authorization Code now uses centralized callback URL

The OAuth 2.0 Authorization Code Credential Provider now uses a centralized callback URL and supports an optional Final Redirect URL that supports custom or embedded integration scenarios.

What’s new:

  • Centralized Callback URL - OAuth 2.0 Authorization Code Credential Providers now use a single, centralized callback URL shared across Credential Providers on your Aembit stack. If you previously registered a per-tenant callback URL with a third-party provider, you don’t need to take any action.
  • Final Redirect URL - A new optional field that redirects users to a specified URL after completing the OAuth authorization flow, instead of returning to the Aembit Credential Provider page. Contact Aembit support to enable this feature.

For details, see OAuth 2.0 Authorization Code Credential Provider.

Tags:

MCP Identity Gateway enters beta with MCP Server and component copying

Aembit now offers an MCP Identity Gateway (Beta) that sits between AI agents and MCP servers, enforcing Access Policies, performing secure token exchange, and providing visibility into MCP activity. Deployed on a Linux VM, the Gateway ensures AI agents never hold direct credentials for enterprise systems.

Key capabilities:

  • Proxies MCP traffic with identity-aware policy enforcement
  • Performs secure token exchange using OAuth 2.0 and API key credentials
  • Provides per-user credential management and centralized MCP routing
  • Logs agent identity, user identity, and policy decisions for auditability
  • Fail-closed behavior—denies access by default unless explicitly allowed

For setup instructions and architecture details, see MCP Identity Gateway.

Aembit now provides an MCP Server that enables AI agents and users to query Aembit event logs using structured commands. Built on the Model Context Protocol specification, the MCP Server enables agentic observability and auditability for organizations using Aembit.

Key capabilities:

  • Query audit logs, authorization events, and workload events
  • Integrations with MCP Inspector, Claude Code, GitHub Copilot, and Visual Studio
  • Resource-set-based access scoping for least-privilege access
  • Read-only access—no create, update, or delete operations
  • Full audit trail of all MCP Server queries

For setup and connection guides, see Aembit MCP Server.

Aembit has added a new MCP User-Based Access Token Credential Provider type. This type enables per-user OAuth credentials for MCP servers using the OAuth 2.0 Authorization Code flow. The MCP Identity Gateway manages user-specific tokens when connecting to downstream MCP servers.

Key capabilities:

  • OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE) support
  • MCP Server URL discovery with auto-population of OAuth endpoints
  • Per-user credential scoping
  • Token introspection and lifetime management

For configuration details, see MCP User-Based Access Token Credential Provider.

Aembit now supports component copying between Resource Sets. You can replicate Access Policy components—including Client Workloads, Server Workloads, Trust Providers, Credential Providers, and Access Conditions—from one Resource Set to another. You can also copy entire Access Policies with all related components at once.

Key capabilities:

  • Copy individual components or entire Access Policies between Resource Sets
  • Each copy receives a unique identifier while the original remains unchanged
  • Supports environment promotion, regional deployments, and safe experimentation

For details, see About component copying and Copy components.

Tags:

Edge components release with S3 streaming and Secrets Manager improvements

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Improved AWS S3 upload streaming signature support
  • AWS Secrets Manager Private Network Access username/password credential support (requires Agent Proxy 1.28)

Aembit has improved Agent Proxy’s AWS S3 upload support with enhanced streaming signature handling. Agent Proxy 1.28 addresses limitations from the 1.27 release related to streaming signed payloads.

Key capabilities:

  • Improved handling of aws-chunked content encoding for streaming uploads
  • Better compatibility with AWS SDK streaming operations
  • Enhanced request signing for chunked transfer encoding

For complete documentation, see How Aembit uses AWS SigV4 and SigV4a.

The AWS Secrets Manager Credential Provider with Private Network Access now supports username/password credentials. This extends the PNA capability introduced in Agent Proxy 1.27 to include secrets stored as username/password pairs.

Requirements:

  • Agent Proxy 1.28 or later

For configuration details, see AWS Secrets Manager Credential Provider.

  • VM Agent Proxy package
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Key Updates:

  • Added private network access support for HTTP Basic Auth Credential Providers using AWS Secrets Manager.
  • Added process name and process username as Client Workload Identifiers.
  • Extended AWS S3 support to include all SigV4 headers, enabling required signing type specification.
Tags:

GitHub Action, MCP Authorization Server beta, and Access Policy Builder now available

Aembit now provides an official GitHub Action for injecting credentials into your CI/CD workflows. The action retrieves credentials from Aembit and makes them available to subsequent steps in your workflow.

Key capabilities:

  • Retrieve credentials using workload identity federation with GitHub’s OIDC tokens
  • Support for AWS, Azure, database, and API key credential types
  • Automatic credential masking in workflow logs

For setup instructions, see the GitHub Actions tutorial. For usage examples with different credential types, see the how-to guide.

Aembit now supports Private Network Access (PNA) for the AWS Secrets Manager Credential Provider. This allows your Aembit Edge components (Aembit CLI or Agent Proxy) to retrieve secrets directly from AWS Secrets Manager instances in private networks, such as AWS VPCs with private endpoints.

Key capabilities:

  • Retrieve secrets from AWS Secrets Manager without exposing your VPC to the public internet
  • Works with both Aembit CLI and Agent Proxy deployments
  • No changes required to your existing AWS IAM policies or VPC endpoint configuration

For configuration details, see Private Network Access for Credential Providers and AWS Secrets Manager Credential Provider.

Aembit has released the MCP Authorization Server (beta), which secures Model Context Protocol (MCP) workloads using OAuth 2.1 authorization flows. This enables you to apply Aembit Access Policies to AI agents and MCP clients, controlling which users can access which MCP servers.

Beta feature

The MCP Authorization Server is currently in beta. Contact your Aembit representative to request access.

Key capabilities:

  • OAuth 2.1 authorization code flow implementation for MCP-compliant workloads
  • Dynamic Client Registration support for tools like Claude Desktop and Gemini CLI
  • Integration with OIDC and SAML identity providers for user authentication
  • Access Policies with time and location-based conditions

Aembit has redesigned the Access Policy creation experience with the new Access Policy Builder. The builder provides a card-based interface that guides you through configuring each component of an Access Policy.

Access Policy Builder showing a completed policy configuration

Key capabilities:

  • Visual card-based navigation for policy components
  • Inline creation of Client Workloads, Server Workloads, Trust Providers, and other components
  • Clear indicators for required, recommended, and optional components based on Global Policy Compliance settings

To use the new builder, enable Use new access policy in your user profile preferences. For a walkthrough, see Create an Access Policy.

Tags:

Edge components release with AWS S3 uploads and multiple AWS STS support

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Support AWS S3 upload request workloads
  • Support multiple AWS STS Credential Providers in a single Access Policy via Access Key ID mapping

Aembit’s Agent Proxy now supports AWS S3 file uploads. Agent Proxy transparently handles S3’s complex signing requirements, including detecting client signatures, re-signing requests with injected credentials, and streaming large file uploads.

Key capabilities:

  • Automatic detection of S3 signing methods using the x-amz-content-sha256 header
  • Support for unsigned payloads, streaming signatures, and standard SigV4 signing
  • Transparent credential injection without client-side configuration changes

Known limitations in this release:

For complete documentation and workarounds, see How Aembit uses AWS SigV4 and SigV4a.

Aembit now supports multiple AWS Security Token Service (STS) Credential Providers within a single Access Policy. This feature enables a single Client Workload to access multiple AWS resources, each requiring different IAM roles, without creating separate Access Policies.

Key capabilities:

  • Access Key ID selectors for automatic Credential Provider matching
  • Simplified policy management with multiple AWS STS Credential Providers per Access Policy
  • Seamless credential injection for applications accessing different AWS services

Minimum Edge Component versions required:

  • Agent Proxy 1.27.3865
  • Agent Controller 1.27.2906

For complete documentation, see Using multiple AWS STS Credential Providers.

Aembit has expanded the Server Workload documentation with new guides covering architecture patterns, credential lifecycle management, developer integration, and troubleshooting. These resources help you understand how Aembit manages credentials for your Server Workloads and provide guidance for integrating Aembit into your applications.

New documentation:

New and updated Server Workload guides:

  • NEW Microsoft Entra ID - Authenticate to Entra ID-protected resources using Azure Entra Workload Identity Federation or OAuth interception
  • UPDATED AWS services - Authenticate to AWS services using AWS Security Token Service (STS) Credential Providers and SigV4 signing
Tags:

Azure Key Vault Credential Provider and OIDC SSO now available

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • Agent Proxy
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Azure Key Vault Private Network Access: Added support for accessing Azure Key Vault instances configured with private network endpoints
  • Performance Improvements: Enhanced performance for Secure Parameter Exchange (SPE) Postgres database operations
  • Dependency Updates: Updated multiple project dependencies to their latest stable versions
  • Rust and Hyper Upgrade: Upgraded to Rust 1.89.0 and introduced the hyper HTTP library for improved performance and security
  • Logging Enhancements: Internal improvements to logging functionality for better observability and debugging

Aembit has released the new Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider.

Together, they enable you to retrieve secrets from Azure Key Vault directly through Aembit using Azure’s Workload Identity Federation.

The Azure Entra Federation integration leverages OpenID Connect (OIDC) standards to authenticate with Azure Entra without requiring long-lived secrets or static credentials. This allows Aembit to securely access your Azure Key Vault instances using short-lived, federated tokens.

The Azure Key Vault Credential Provider supports:

  • Single value credentials (API keys, tokens)
  • Username/Password credentials
  • Both public and private network access scenarios
  • Policy-driven access controls and centralized auditing

See Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider to learn more.

You can now configure OIDC 1.0 Identity Providers for administrator Single Sign-On (SSO) authentication. This enables you to use OIDC-compliant identity providers such as Okta, Azure AD, and Auth0 to simplify the Aembit Tenant login process for your users. With OIDC support, you can leverage your existing identity infrastructure for secure, standardized authentication to the Aembit administrative console.

For more information, see Create an OIDC Identity Provider.

Tags:

Edge components release with OpenShift support and AWS Secrets Manager private network access

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

  • Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraint configurations and deployment best practices. See OpenShift deployment guide.
  • AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
  • Aembit CLI CrowdStrike support.
  • Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
  • New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
  • Support for volume-mounted certificates in Aembit Edge Components.
  • Security and performance enhancements.

Updated Edge Components:

  • Agent Proxy 1.25.3494
  • Sidecar Init 1.25.127
  • Helm Chart 1.25.494

See Edge Components supported versions for more details.

Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieve secrets from AWS Secrets Manager directly, ensuring secure and private access to your secrets.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.

Tags:

GitLab CI/CD Component, OIDC dynamic claims, and CrowdStrike conditions now available

The Aembit Edge GitLab CI/CD Component is now available to simplify Aembit integration within your pipelines. Find the component in the GitLab CI/CD Catalog and learn how to use it in the component documentation.

The OIDC ID Token Credential Provider now supports dynamic claims, allowing you to extract and use values from OIDC tokens in the credential data. This feature creates personalized and context-aware credentials that reflect the workload’s identity and attributes from their original OIDC token.

See OIDC ID Token Dynamic Claims for more information.

Aembit has added two new Access Conditions for CrowdStrike:

  • MAC Address - Ensures the CrowdStrike Agent Host MAC Address matches the Host MAC Address that Agent Proxy retrieved.
  • Local IP Address - Ensures the CrowdStrike Agent Host Local IP Address matches the Host Local IP Address that Agent Proxy retrieved.

See Create Access Conditions for CrowdStrike to learn how to create Access Conditions for CrowdStrike.

Tags:

Aembit CLI, AWS Secrets Manager, and Jenkins Pipelines now available

Aembit has released the new AWS IAM Role Credential Provider Integration and Secrets Manager Credential Provider. Together, they enable you to retrieve secrets from AWS Secrets Manager directly through Aembit.

See AWS IAM Role Credential Provider Integration and AWS Secrets Manager Credential Provider to learn more.

Aembit has released the Aembit CLI, a command-line interface that allows you to inject credentials into your CI/CD pipelines. Compatible with GitLab, GitHub, and now Jenkins.

Check out the Aembit CLI Guide to get started with the Aembit CLI!
Also, see Aembit Edge on CI/CD services for more information on how to use Aembit CLI with your CI/CD pipelines.

Aembit has released support for Jenkins Pipelines to help you integrate Aembit into your Jenkins CI/CD workflows. This integration allows you to securely retrieve and use Aembit-managed credentials directly in your Jenkins Pipelines, streamlining your CI/CD processes and enhancing security.

Check out Jenkins Pipelines to learn more about how to use Aembit with Jenkins Pipelines.

Aembit now supports Server Workloads with a wildcard hostname.

This enables you to simplify your server workloads in a flexible and well defined manner.

As of Agent Controller version 1.24.xxxx, Aembit has enhanced Agent Controller to automatically close insecure HTTP ports when you enable TLS. This update streamlines security by ensuring only encrypted connections are active.

When you enable TLS, Agent Controller now automatically:

  • Opens Secure Ports: 443 (or 5443 on VMs) and the secure Prometheus port 9091.
  • Closes Insecure Ports: 80 (or 5000 on VMs) and the insecure Prometheus port 9090.

This automation removes the manual step of closing insecure, vulnerable ports, preventing potential misconfigurations and enforcing a more secure, “secure-by-default” posture.

Aembit has applied security enhancements to Agent Controller version 1.24.2485 in this release, including:

  • Disabling insecure HTTP ports when you enable TLS.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

See Edge Components supported versions for more details.

Tags:

Aembit Edge API now available with expanded Wiz Discovery

Introducing Aembit Edge API, the new way your cloud-native applications can retrieve credentials dynamically without deploying additional infrastructure. Perfect for serverless functions, containers, and CI/CD pipelines that need secure access to third-party services.

With Aembit Edge API you can:

  • Retrieve credentials on-demand for any configured service from your CI/CD pipelines.
  • Authenticate workloads using platform-native identity tokens (GitHub Actions, GitLab CI, AWS Lambda, etc.).
  • Eliminate hardcoded secrets by fetching credentials just-in-time.
  • Support multiple credential types including API keys, username/password, and CI/CD provider tokens.

Check out the Edge API get started page to learn more or start using it right away with the Aembit Edge quickstart guide.

Aembit Discovery can now discover additional resources when you use Wiz as a Discovery Source.

Through the Wiz integration, Aembit now discovers Client Workload resources such as VMs, AWS- and Azure-specific Client Workload Identifies, and many others. As for Server Workload resources, Aembit now discovers Azure Blob Storage, GCP BigQuery, and many others.

For the full list, see Wiz-discoverable resource types.

Tags:

Global Policy Compliance, OIDC ID Token Credential Provider, and Splunk Log Streams now available

To increase the available deployment options for Amazon Web Services (AWS) Lambda users, Aembit now provides a Lambda Layer to support zip-based Lambda Functions. This joins our existing AWS Lambda Container support.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Functions using our Lambda Layer, please refer to the AWS Lambda Functions documentation.

Introducing Global Policy Compliance for centralized security enforcement across your Aembit environment. This feature allows administrators to establish organization-wide security standards for Access Policies and Agent Controllers, ensuring consistent security practices and preventing the creation of policies that might inadvertently expose resources.

With Global Policy Compliance, you can enforce requirements for Trust Providers and Access Conditions across all Access Policies, as well as Trust Provider and TLS Hostname requirements for Agent Controllers. The three-tier enforcement model lets you set requirements as Required, Recommended (default), or Optional based on your organization’s security needs.

Global Policy Compliance visually identifies non-compliant components through color-coded status icons:

  • Red indicators for required but missing elements
  • Yellow indicators for recommended but missing elements
  • Green indicators for compliant Access Policies
  • Gray indicators for disabled or not active Access Policies

To learn more about Global Policy Compliance, see the Global Policy Compliance Overview.

Introducing OIDC ID Token Credential Provider for secure identity token generation and exchange with third-party services. By leveraging Aembit’s custom Identity Provider (IdP) capabilities, this Credential Provider generates JWT-formatted tokens that seamlessly integrate with various Workload Identity Federation (WIF) solutions.

The OIDC ID Token Credential Provider offers flexible configuration options including:

  • Custom claims configuration with both dynamic and literal subject support
  • Choice of signing algorithms (RS256 or ES256)
  • Integration with identity brokers such as AWS STS, GCP WIF, Azure WIF, and HashiCorp Vault

This new Credential Provider is particularly valuable for:

  • Secure access to cloud provider resources through their WIF solutions
  • Authentication with HashiCorp Vault using OIDC tokens
  • Integration with any service supporting OIDC/JWT authentication

To learn more about this feature, see About the OIDC ID Token Credential Provider.

Introducing Log Stream for Splunk SIEM to enhance your security monitoring capabilities. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk using Splunk’s HTTP Event Collector (HEC) protocol.

By connecting Aembit with Splunk SIEM, you can:

  • Enhance threat detection with comprehensive security data
  • Improve incident management through centralized logging
  • Streamline compliance monitoring for your organization

The setup process is straightforward, requiring only a properly configured HTTP Event Collector in your Splunk environment and a few configuration steps in the Aembit Admin UI. Aembit will automatically send email notifications if Log Stream transactions consistently fail, ensuring you’re always aware of your logging status.

To learn more about setting up this integration, see How to stream Aembit events to Splunk SIEM.

Tags:

Standalone CAs and Credential Provider Integrations now available

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.

We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Deploy Aembit Edge screen

Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature makes sure your workloads always have valid credentials without manual management, enhancing both security and operational efficiency, eliminating manual credential management.

Our new Credential Provider Integrations feature makes this possible by connecting Aembit directly to third-party systems like with the GitLab Service Account integration. The GitLab Service Account integration enables you to create a Managed GitLab Account Credential Provider, which allows you to manage the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

Tags:

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions.

Tags:

Vault private network access and CrowdStrike on Windows now available

Aembit now supports accessing HashiCorp Vault Credential Providers that reside on private networks. This allows your colocated Agent Proxy to handle authentication directly instead of Aembit Cloud. See Accessing Vault on private networks for more info.

Aembit now supports Conditional Access for CrowdStrike on Windows. To set up Conditional Access for CrowdStrike on Windows, follow the steps in Access Condition for CrowdStrike.

Aembit now supports the AWS Role Trust Provider on Agent Proxy for ECS Fargate deployments.

Enhanced Vault token header behavior.

Enhanced Agent Proxy initialization on Kubernetes to prevent other processes from interfering and impacting its startup.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

  • VM Agent Proxy package

  • AWS Lambda Extension

See Edge Components supported versions.

Tags:

Azure Entra Workload Identity Federation and automatic user creation now available

Aembit now supportsAzure Entra Workload Identity Federation as a Credential Provider. This enables you to automatically obtain credentials through Aembit as a third-party federated Identity Provider (IdP) to securely authenticate with Azure Entra to access your Azure Entra registered applications and managed identities.

Aembit now supports Automatic User Creation triggered by SSO login requests. Aembit has enhanced the Identity Provider configuration page with additional parameters, enabling you to map SAML attributes from your Identity Provider to the user roles defined in your Aembit Tenant.

You can now change the leaf certificate lifetime when using the TLS Decrypt feature.

Tags:
Copyright © 2026. All rights reserved.Privacy PolicyTerms of ServiceTrust CenterContact Aembit