
Aembit is a cloud-native, non-human identity and access management platform that provides secure, seamless access management for workloads across diverse environments. It simplifies how organizations control and authorize access between Client and Server Workloads, ensuring that only the right workloads can access critical resources at the right time.

Aembit shifts the focus away from long-term credential management by enabling automated, secure access management for workloads connecting to services. By concentrating on managing access rather than secrets, Aembit provides a flexible and security-first approach to non-human identity across a wide range of infrastructures.

This quickstart guide provides a practical introduction to Aembit’s capabilities. Here’s what you’ll do:

  1. Set up a sandbox environment with pre-configured Client and Server Workloads using Docker Desktop with Kubernetes.

  2. Deploy workloads and configure a secure Access Policy between the client and server.

  3. Gain practical experience managing automated, secure access between workloads.

Estimated Time to Complete: ~15 minutes (if prerequisites are already installed).

By completing this quickstart guide, you will have practical experience creating an example of Aembit’s capabilities—ensuring quick results as you implement access management in a real-world environment. Once you are comfortable with these foundational steps, Aembit offers the flexibility to manage access for more complex and scalable workloads across a range of infrastructure setups.

Before starting Aembit’s quickstart guide, you must complete the following prerequisites:

  1. Sign up with Aembit so that you can access your Aembit tenant at https://<tenant-ID>.aembit.io.

  2. Install Docker Desktop and enable Kubernetes.

  3. Install Helm.

Visit the Sign Up page to create an account and set up your tenant for accessing the platform.

A tenant in Aembit is your organization’s dedicated workspace within the platform. It isolates your workloads, access policies, and configurations, ensuring secure and efficient management of your environment. Your tenant ID is a unique identifier for your workspace and is used to access your tenant at https://<tenant-ID>.aembit.io.

Look for a welcome email from Aembit. It may take a few minutes; check your Junk or Spam folders if you do not see it.

Install Docker Desktop and enable Kubernetes


Docker Desktop includes Docker Engine and Kubernetes, making it easy to manage your containerized applications.

  1. Download and install Docker Desktop from the official Docker website for your operating system.

    Once installed, open Docker Desktop.

  2. Enable Kubernetes by going to Settings -> Kubernetes in Docker Desktop and toggling the Enable Kubernetes switch to the On position.

    Enable Kubernetes in Docker

Helm deploys the pre-configured sandbox Client and Server Workloads for this quickstart guide. A basic understanding of Helm commands will be helpful for deploying the sandbox workloads.

Select one of the following tabs for your operating system to install Helm:

  1. Download the latest Helm version for Windows.

  2. Run the installer and follow the on-screen instructions.

  3. Once installed, open a Command Prompt or PowerShell terminal and verify the installation by running:

    Terminal window
    helm version

    Expected Output:

    Terminal window
    version.BuildInfo{Version:"v3.x.x", GitCommit:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", GitTreeState:"clean", GoVersion:"go1.x.x"}

With these prerequisites complete, you are ready to deploy the sandbox workloads and configure secure access between workloads.

Make sure that your environment is ready for deployment by verifying the following:

  1. Docker Desktop is running and Kubernetes is enabled (kubectl config current-context reports docker-desktop).

  2. Helm is installed (helm version prints a v3 build).

With these steps in place, you are ready to deploy the workloads.

  1. From your terminal, add the Aembit Helm chart repo by running:

    Terminal window
    helm repo add aembit https://helm.aembit.io
  2. Deploy both the client and Server Workloads:

    Terminal window
    helm install aembit-quickstart aembit/quickstart \
    -n aembit-quickstart \
    --create-namespace

After deploying the applications, verify that everything is running correctly using the following commands:

  1. Check the Helm release status:

    Terminal window
    helm status aembit-quickstart -n aembit-quickstart

    Expected Output:

    Terminal window
    NAME: aembit-quickstart
    LAST DEPLOYED: Wed Jan 01 10:00:00 2025
    NAMESPACE: aembit-quickstart
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
  2. List all resources in the namespace:

    Terminal window
    kubectl get all -n aembit-quickstart

    Expected Output:

    Terminal window
    NAME                                  READY   STATUS    RESTARTS   AGE
    pod/aembit-quickstart-client-abcdef   1/1     Running   0          1m
    pod/aembit-quickstart-server-abcdef   1/1     Running   0          1m

    NAME                               TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
    service/aembit-quickstart-client   NodePort   10.109.109.55    <none>        8080:30080/TCP   1m
    service/aembit-quickstart-server   NodePort   10.109.104.236   <none>        9090:30090/TCP   1m

These outputs help you confirm that the workloads and services have been deployed correctly and are functioning as expected.

In this section, you are going to interact with the pre-configured applications. This interaction will demonstrate that the Client Workload can connect to the Server Workload but lacks the credentials to authenticate to it.

  1. With the Client and Server Workloads running, open the Client Workload in your web browser.

  2. Click the Get Data button.

    You will receive a failure response since you have not deployed Aembit Edge, nor has Aembit injected the necessary credentials for the Client Workload to access the Server Workload yet.

    Failure Message - Client Workload

In the next sections, you will deploy Aembit Edge so that Aembit automatically acquires and injects the credential on behalf of the Client Workload, allowing it to access the Server Workload.

With your workloads deployed, it’s time to integrate Aembit Edge into your system.

Aembit Edge consists of components that customers install within their environment. These components form the core of Aembit’s Workload IAM functionality.

Proceed with deploying Aembit Edge into your environment.

The Agent Controller is a helper component that facilitates the registration of other Aembit Edge Components.

  1. In your Aembit tenant, go to Edge Components from the left nav menu.

  2. From the top ribbon menu, select Deploy Aembit Edge.

  3. Select Kubernetes from the list of Environments.

    Navigate to Deploy Aembit Edge Page

  4. In the Prepare Edge Components section, click New Agent Controller. You will see the Agent Controller setup page displayed.

  5. Enter a name, such as Quickstart Agent Controller (or another user-friendly name).

  6. Add an optional description for the controller.

  7. For now, ignore the Trust Provider section, as you don’t need it for this quickstart guide.

    Create a New Agent Controller

  8. Click Save.

    Once saved, your newly created Agent Controller is selected automatically in the list of available Agent Controllers, which reveals the Install Aembit Edge Helm Chart section.

As part of Aembit Edge, the Agent Proxy is automatically injected within the Client Workload pod. It manages workload identity and securely injects credentials for communication with Server Workloads.

  1. In the Install Aembit Edge Helm Chart section, make sure that the Agent Controller you just created is selected in the dropdown menu.

  2. In the New Agent Controller section, click Generate Code to generate a Device Code.

    The Device Code is a temporary one-time-use code, valid for 15 minutes, that you use during installation to authenticate the Agent Controller with your Tenant.

    Make sure you complete the next steps promptly before the code expires.

    Deploy Aembit Edge

  3. Since you already installed the Aembit Helm repo, go ahead and install the Aembit Helm chart.

    From your terminal, run the following command, making sure to replace:

    • <tenant> with your tenant ID (Find this in the Aembit website URL: <tenant>.aembit.io)

    • <deviceCode> with the code you generated in the Aembit web UI

    Terminal window
    helm install aembit aembit/aembit \
    --create-namespace \
    -n aembit \
    --set tenant=<tenant>,agentController.deviceCode=<deviceCode>

    Aembit Edge is now deployed in your Kubernetes cluster!

  4. Check the current state of the quickstart Client pod to confirm it is running without the Agent Proxy container.

    The READY column for the pod/aembit-quickstart-client-abcdef should display 1/1, indicating only the Client Workload container is running.

    Terminal window
    kubectl get all -n aembit-quickstart

    Expected Output:

    Terminal window
    NAME                                  READY   STATUS    RESTARTS   AGE
    pod/aembit-quickstart-client-abcdef   1/1     Running   0          1m
    pod/aembit-quickstart-server-abcdef   1/1     Running   0          1m
  5. Restart the quickstart Client pod to include the Agent Proxy in the deployment:

    Terminal window
    kubectl delete pods -l app=aembit-quickstart-client -n aembit-quickstart --grace-period=0 --force
  6. After the pod restarts, check its state again. The READY column for the aembit-quickstart-client pod should now display 2/2, indicating that both the Client Workload container and the Agent Proxy container are running successfully.

    Terminal window
    kubectl get all -n aembit-quickstart

    Expected Output:

    Terminal window
    NAME                                  READY   STATUS    RESTARTS   AGE
    pod/aembit-quickstart-client-abcdef   2/2     Running   0          1m
    pod/aembit-quickstart-server-abcdef   1/1     Running   0          1m

    This step confirms that the Agent Proxy has been injected within the Client pod, enabling Aembit to securely manage credentials for communication between Client and Server Workloads.
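The READY check above can be scripted instead of eyeballed. The following is an added example and not code from the Aembit docs or Helm chart: it parses the JSON form of `kubectl get pods -n aembit-quickstart -o json` and reports the same READY summary, flagging the client pod as done only when it has exactly two containers, both ready, in a Running pod. The three sample pod lists are constructed; the sidecar container name "agent-proxy" in them is a placeholder (the real name is whatever the Aembit chart injects) and the check does not depend on it.

```python
"""Confirm the Agent Proxy sidecar landed in the quickstart client pod.
Added example, not from the Aembit docs: it parses the JSON form of
`kubectl get pods -n aembit-quickstart -o json` and reproduces the READY
column check described in the steps above. The samples below are
constructed; the sidecar container name "agent-proxy" is a placeholder and
the check does not rely on it."""
import json
import subprocess

CLIENT_PREFIX = "aembit-quickstart-client"


def _pod(name, ready_by_container, phase="Running"):
    """Build the subset of a v1.Pod that the check reads (constructed data)."""
    return {
        "metadata": {"name": name},
        "spec": {"containers": [{"name": c} for c in ready_by_container]},
        "status": {
            "phase": phase,
            "containerStatuses": [
                {"name": c, "ready": r} for c, r in ready_by_container.items()
            ],
        },
    }


def _pod_list(*pods):
    return json.dumps({"kind": "PodList", "items": list(pods)})


# Before Aembit Edge: one container in the client pod (READY 1/1).
SAMPLE_BEFORE = _pod_list(
    _pod("aembit-quickstart-client-abcdef", {"client": True}),
    _pod("aembit-quickstart-server-abcdef", {"server": True}),
)
# Sidecar injected but still starting (READY 1/2): not done yet.
SAMPLE_STARTING = _pod_list(
    _pod("aembit-quickstart-client-ghijkl", {"client": True, "agent-proxy": False}),
    _pod("aembit-quickstart-server-abcdef", {"server": True}),
)
# After the restart: both containers ready (READY 2/2).
SAMPLE_AFTER = _pod_list(
    _pod("aembit-quickstart-client-ghijkl", {"client": True, "agent-proxy": True}),
    _pod("aembit-quickstart-server-abcdef", {"server": True}),
)


def inspect_client_pod(pods_json, prefix=CLIENT_PREFIX):
    """Return a READY-style summary for the single pod whose name starts with prefix."""
    pods = json.loads(pods_json)["items"]
    matches = [p for p in pods if p["metadata"]["name"].startswith(prefix)]
    if len(matches) != 1:
        # Zero means the deploy failed; more than one means the old pod has
        # not been torn down yet (re-run once it terminates).
        raise ValueError(f"expected exactly one {prefix}* pod, found {len(matches)}")
    pod = matches[0]
    declared = [c["name"] for c in pod["spec"]["containers"]]
    ready = {s["name"]: bool(s.get("ready"))
             for s in pod["status"].get("containerStatuses", [])}
    ready_count = sum(ready.get(name, False) for name in declared)
    phase = pod["status"].get("phase")
    return {
        "name": pod["metadata"]["name"],
        "phase": phase,
        "containers": declared,
        "ready": f"{ready_count}/{len(declared)}",
        # The quickstart's success condition: two containers, both ready.
        "sidecar_injected": len(declared) == 2 and ready_count == 2 and phase == "Running",
    }


def fetch_pods_json(namespace="aembit-quickstart"):
    """Read the live pod list from the cluster (needs kubectl on PATH)."""
    return subprocess.run(
        ["kubectl", "get", "pods", "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("starting", SAMPLE_STARTING),
                          ("after", SAMPLE_AFTER)):
        print(f"{label:8}", inspect_client_pod(sample))
    # Against a live cluster: print(inspect_client_pod(fetch_pods_json()))
```

Run it right after the `kubectl delete pods` step and repeat until `sidecar_injected` is true; a `1/2` result means the sidecar exists but has not reported ready yet. Note that 2/2 only proves a second container is present: in a cluster that also runs other sidecar injectors, confirm from the `containers` list that the extra container is the Aembit one.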

Access Policies define the conditions for granting Client Workloads access to Server Workloads. Aembit grants access only when the workloads match the Access Policy, the Client's identity is authenticated by a Trust Provider, and all Access Conditions are met.

In this quickstart guide, we have omitted configuring a Trust Provider to simplify your first walkthrough. However, Trust Providers are a critical component in securing all production deployments. They enable Aembit to authenticate workloads without provisioning long-lived credentials or secrets, ensuring that only trusted workloads are authenticated and authorized.

Once authorized, Aembit delivers the necessary credentials to the Agent Proxy, which uses them to authenticate the Client Workload to the Server Workload.

  1. From your Aembit tenant, click Access Policies in the left nav menu.

  2. Click + New to open the Create New Access Policy page.

    Create Access Policy

    Follow the steps in the following sections to configure each part of the Access Policy.

Client Workloads are software applications that access services provided by Server Workloads. These could be custom apps, CI/CD pipelines, or scripts running without user intervention.

  1. On the Access Policy page hover over the Client Workload section, click New, and on the Client Workload page:

    • Name - Quickstart Client (or another user-friendly name).

    • Client Identification - Kubernetes Pod Name Prefix

      • Value - aembit-quickstart-client
  2. Click Save.

    Configuring Client Workload

Server Workloads serve requests from Client Workloads and can include APIs, gateways, databases, and more. The configuration settings define the Service Endpoint and Authentication methods, specifying the networking details and how requests are authenticated.

  1. On the Access Policy page hover over the Server Workload section, click New, and on the Server Workload page:

    • Name - Quickstart Server (or another user-friendly name).

    • Host - aembit-quickstart-server.aembit-quickstart.svc.cluster.local

    • Application Protocol - HTTP

    • Transport Protocol - TCP

    • Port - 9090

    • Forward to Port - 9090

    • Authentication Method - HTTP Authentication

    • Authentication Scheme - Bearer

  2. Click Save.

    Configuring Server Workload

Credential Providers supply the access credentials, such as OAuth tokens or API keys, that allow Client Workloads to authenticate with Server Workloads. Aembit can also request and manage tokens from third-party services.

  1. From your web browser, go to the sandbox Server Workload.

  2. Click Generate API Key.

    This generates a unique API key that you will use later in this section.

  3. Copy the API key.

    Copy API Key - Server Workload

  4. Back on the Access Policy page in the Aembit UI, hover over the Credential Provider section, click New, and on the Credential Provider page:

    • Name - Quickstart API Key (or another user-friendly name)
    • Credential Type - API Key
    • API Key - Paste the API key you generated from the Server Workload
  5. Click Save.

    Configuring Credential Provider

Once you have configured the Client Workload, Server Workload, and Credential Provider, click Save & Activate to complete the process and activate the policy.
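What the policy just built actually exercises at the HTTP level can be shown offline. The following is an added example, not the Aembit sandbox's code: a stand-in Server Workload that requires `Authorization: Bearer <API key>` on GET /data (matching the HTTP Authentication / Bearer settings above), and a client call made once bare, as the Client Workload does on its own, and once with the header the Agent Proxy is assumed to inject after it receives the API Key from the Credential Provider. The API_KEY value and the /data path are constructed placeholders.

```python
"""Bearer-auth exchange behind the quickstart's Access Policy, run locally.
Added example, not Aembit's sandbox code: a stand-in Server Workload that
demands `Authorization: Bearer <API key>` on GET /data, plus the client's
'Get Data' call with and without the header the Agent Proxy is assumed to
inject. API_KEY and the /data path are made up."""
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the key the sandbox's "Generate API Key" produces.
API_KEY = "qs-demo-key-3f1c9a"


def is_authorized(auth_header):
    """Accept only 'Bearer <key>' with the exact key, compared in constant time."""
    scheme, _, token = (auth_header or "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        token.strip().encode(), API_KEY.encode())


class DataHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the console quiet
        pass

    def _reply(self, status, body, extra_headers=()):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if self.path != "/data":
            self._reply(404, {"error": "not found"})
        elif not is_authorized(self.headers.get("Authorization")):
            # Same answer for a missing and a wrong key: don't tell callers which.
            self._reply(401, {"error": "missing or invalid bearer token"},
                        [("WWW-Authenticate", 'Bearer realm="quickstart-server"')])
        else:
            self._reply(200, {"data": "hello from the Server Workload"})


def start_server():
    """Serve on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def get_data(port, token=None):
    """The client's 'Get Data' call. token=None sends no credential, as the
    Client Workload does by itself; a token is what the proxy would add.
    Returns (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/data")
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    server, port = start_server()
    print("no credential    ->", get_data(port))
    print("wrong credential ->", get_data(port, "not-the-key"))
    print("bearer injected  ->", get_data(port, API_KEY))
    server.shutdown()
```

The first two calls get the 401 the sandbox client shows before Aembit Edge is installed; the third gets 200 without the client code ever seeing the key, which is the point of having the proxy, not the application, hold the credential. The server answers a missing and a wrong token identically and compares the key in constant time, two details worth keeping when you write a real Server Workload.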

To test your newly configured Access Policy, go to the sandbox Client Workload and click Get Data. Since the Access Policy is now active and Aembit Edge injects the necessary credential into the request, you should see a successful response.

Success Message - Client Workload

Congratulations! You’ve created an Access Policy that secures access between workloads!

With just a few steps, you have deployed workloads, configured an Access Policy, and successfully authenticated requests—all without the complexity of manual credential management.

This quickstart guide is just the foundation of all the features that Aembit has to offer. It supports powerful capabilities for scaling, securing, and managing workload identity across many environments, ensuring security and efficiency as your needs grow.

If you encounter any issues or don’t see a successful response, the Aembit Web UI has a useful Troubleshooter that can help you identify potential problems:

  1. Go to Access Policies and select the Access Policy you created for this quickstart guide.

  2. Click Troubleshoot in the top corner.

    This brings up the Troubleshooter with your Access Policy’s Client and Server Workloads already populated.

    Aembit Help Troubleshooter page

  3. Inspect and make sure that the Access Policy Checks, Client Workload Checks, Credential Provider Checks and Server Workload Checks are Active (they have green checks).

    Aembit Help Troubleshooter page

  4. For any sections that aren’t Active, go back to the respective section in the quickstart guide and double check your configurations.

    Also, make sure all the Prerequisites are complete.

The Troubleshooter helps diagnose potential issues with your configuration. For more details, visit the Troubleshooter Tool page.

Still need help? Please submit a support request to Aembit’s support team.

Now that you’ve completed the basics, it’s time to explore additional features and capabilities to get the most out of Aembit.

See Quickstart: Access Policy enhancements to learn how to:

  • Configure Trust Providers to enhance workload identity verification and strengthen access control.

  • Set Up Access Conditions to enforce time-based, geo-based, or custom rules for workload access.

  • Navigate Reporting Tools to review access events, track policy usage, and analyze workload behavior.

Following the Quickstart: Access Policy enhancements page helps you expand beyond the quickstart, guiding you toward features that enhance security, visibility, and scalability.