
Trust Providers enable Aembit to authenticate without provisioning credentials or other secrets. Trust Providers are third-party systems or services that can attest identities with identity documents, tokens, or other cryptographically signed evidence.

Client Workload identity attestation is a core function that ensures only trusted Client Workloads can access Server Workloads.

If you are getting started with Aembit, configuring Trust Providers is optional; however, it is critical for securing all production deployments.

  1. Click the Trust Providers tab.

  2. Click + New to create a new Trust Provider.

  3. Give the Trust Provider a name and optional description.

  4. Choose the appropriate Trust Provider type based on your Client Workloads’ environment.

  5. Follow the instructions for the Trust Provider based on your selection.

  6. Configure one or more match rules (specific to your Trust Provider type).

  7. Click Save.

You must associate one or more Trust Providers with an existing Access Policy for Aembit to use Client Workload identity attestation.

  1. Choose one of the existing Access Policies.

  2. Click Edit.

  3. Add an existing Trust Provider or create a new one.

Associate Trust Provider to Policy

You must associate a Trust Provider with an Agent Controller for Aembit to use that Agent Controller for identity attestation.

  1. Click the Edge Components tab.

  2. Select one of the existing Agent Controllers.

  3. Click Edit.

  4. Choose one of the existing Trust Providers from the dropdown.

Agent Controller Trust Provider Page