Edge components release with AWS S3 uploads and multiple AWS STS support
Aembit has released new versions of the following components and packages:
- Helm Chart
- Terraform ECS module
- Agent Proxy
- AWS Lambda Extension
- AWS Lambda Layer
For the latest available versions of these components, see the Edge Components Supported Versions page.
Key Updates:
- Support AWS S3 upload request workloads
- Support multiple AWS STS Credential Providers in a single Access Policy via Access Key ID mapping
Aembit’s Agent Proxy now supports AWS S3 file uploads. Agent Proxy transparently handles S3’s complex signing requirements, including detecting client signatures, re-signing requests with injected credentials, and streaming large file uploads.
Key capabilities:
- Automatic detection of S3 signing methods using the `x-amz-content-sha256` header
- Support for unsigned payloads, streaming signatures, and standard SigV4 signing
- Transparent credential injection without client-side configuration changes
Known limitations in this release:
- Streaming signed payload uploads default to a 50 MiB limit (configurable via `AEMBIT_AWS_MAX_BUFFERED_PAYLOAD_BYTES`)
- Request compression isn’t supported for S3 requests
For complete documentation and workarounds, see How Aembit uses AWS SigV4 and SigV4a.
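To check ahead of a rollout which signing mode a client's S3 uploads use and whether a streaming signed upload would fit the 50 MiB default, the following added example (not Aembit's code) classifies a request by its `x-amz-content-sha256` value, using the values AWS documents for S3 SigV4. The function names and the use of `x-amz-decoded-content-length` as the declared payload size are assumptions made for this sketch.

```python
import re

# x-amz-content-sha256 values documented by AWS for S3 SigV4 requests.
UNSIGNED = {"UNSIGNED-PAYLOAD", "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}
STREAMING_SIGNED = {
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD",
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER",
    "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD",
    "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER",
}
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")
DEFAULT_MAX_BUFFERED = 50 * 1024 * 1024  # 50 MiB default from the release note


def _lowered(headers):
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}


def classify_payload_signing(headers):
    """Return 'unsigned', 'streaming-signed', 'signed-hash' or 'unknown'."""
    value = _lowered(headers).get("x-amz-content-sha256")
    if value is None:
        return "unknown"
    if value in UNSIGNED:
        return "unsigned"
    if value in STREAMING_SIGNED:
        return "streaming-signed"
    if HEX_SHA256.fullmatch(value.lower()):
        return "signed-hash"  # standard SigV4: hex SHA-256 of the whole body
    return "unknown"


def within_buffer_limit(headers, max_buffered=DEFAULT_MAX_BUFFERED):
    """Hypothetical pre-check for the streaming signed payload limit."""
    if classify_payload_signing(headers) != "streaming-signed":
        return True  # the stated limit applies to streaming signed payloads
    declared = _lowered(headers).get("x-amz-decoded-content-length", "")
    # Fail closed when the declared size is missing or not a plain integer.
    return bool(re.fullmatch(r"[0-9]+", declared)) and int(declared) <= max_buffered


# Constructed sample request headers, for illustration only.
SAMPLE_LARGE_STREAM = {
    "X-Amz-Content-Sha256": "STREAMING-AWS4-HMAC-SHA256-PAYLOAD",
    "X-Amz-Decoded-Content-Length": str(60 * 1024 * 1024),
}
```

Pass a different `max_buffered` to model a deployment where `AEMBIT_AWS_MAX_BUFFERED_PAYLOAD_BYTES` has been changed from its default.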
Aembit now supports multiple AWS Security Token Service (STS) Credential Providers within a single Access Policy. This feature enables a single Client Workload to access multiple AWS resources, each requiring different IAM roles, without creating separate Access Policies.
Key capabilities:
- Access Key ID selectors for automatic Credential Provider matching
- Simplified policy management with multiple AWS STS Credential Providers per Access Policy
- Seamless credential injection for applications accessing different AWS services
Minimum Edge Component versions required:
- Agent Proxy 1.27.3865
- Agent Controller 1.27.2906
For complete documentation, see Using multiple AWS STS Credential Providers.
Aembit has expanded the Server Workload documentation with new guides covering architecture patterns, credential lifecycle management, developer integration, and troubleshooting. These resources help you understand how Aembit manages credentials for your Server Workloads and provide guidance for integrating Aembit into your applications.
New documentation:
- Architecture patterns - OAuth flows, trust boundaries, and deployment models
- Credential lifecycle - How Aembit manages credential rotation and security
- Developer integration - SDK integration patterns and placeholder credentials for local development
- Troubleshooting - Diagnostic steps for common configuration issues
New and updated Server Workload guides:
- NEW Microsoft Entra ID - Authenticate to Entra ID-protected resources using Azure Entra Workload Identity Federation or OAuth interception
- UPDATED AWS services - Authenticate to AWS services using AWS Security Token Service (STS) Credential Providers and SigV4 signing