
Agent Proxy now injected as a native Kubernetes sidecar

Kubernetes recently introduced support for native sidecar containers. Aembit now leverages this model for the Agent Proxy, where possible.

Aembit now automatically injects the Agent Proxy as a native sidecar, allowing init container Client Workloads.

This change only applies to Kubernetes deployments of version 1.29 and above.

For more information on how you can use Agent Proxy as a sidecar to support init containers, please see the Kubernetes Deployment page.
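The ordering that makes init container Client Workloads possible is the native sidecar rule: an init container with `restartPolicy: Always` is started before the init containers that follow it and keeps running for the life of the pod. The pod spec below is an added illustration of that rule, not the manifest Aembit's injector produces; the container names and image references are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-workload              # hypothetical pod name
spec:
  initContainers:
    # Native sidecar (Kubernetes 1.29+): restartPolicy: Always makes this init
    # container long-lived and started before the init containers listed after it,
    # so a Client Workload running as an init container can already route through it.
    - name: agent-proxy               # hypothetical; the injected container name is not on this page
      image: example.invalid/aembit/agent-proxy:placeholder   # placeholder image reference
      restartPolicy: Always
      securityContext:
        runAsNonRoot: true            # injected Aembit containers run as non-root (see below on this page)
    # Ordinary init container acting as a Client Workload; it starts only after the
    # native sidecar above has started, and the pod waits for it to complete.
    - name: db-migrate                # hypothetical
      image: example.invalid/app/migrate:placeholder
  containers:
    - name: app                       # hypothetical main container
      image: example.invalid/app/server:placeholder
```

Without `restartPolicy: Always` on the proxy container, an init container listed after it would only run once the proxy had exited, so traffic from the init container could not be proxied.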

Comprehensive Aembit API documentation now available

Aembit has released comprehensive API technical documentation for the Aembit API.

With this documentation release, you now have access to a complete library of technical content, usage information, and the latest version of the OpenAPI specification, which you can use to learn how to use the Aembit API.

For more detailed information on the Aembit API technical documentation, please see the page.

Aembit Edge Terraform module and ECS TLS support now available

Aembit has released two major enhancements to Aembit Edge Components: Aembit Edge Terraform Module for AWS ECS, and ECS TLS support.

Aembit ECS Terraform Registry

Aembit releases updates to the Aembit ECS Terraform Registry on a regular basis to provide users with additional features and functionality, including improvements to Agent Proxy and Agent Controller.

For more information on the latest ECS Terraform Registry release, please see the Aembit Terraform Registry page.

ECS TLS Support

Aembit has released an ECS deployment enhancement that enables Transport Layer Security (TLS) between the Agent Proxy and Agent Controller using Aembit-provided Private Key Infrastructure (PKI).

There is no option to use your own PKI for ECS deployments.

Aembit Terraform Provider update with Custom Resource Sets and OAuth

Aembit has released an Aembit Terraform Provider update to the Terraform Registry.

This update includes several improvements and enhancements, including:

  • Support for Custom Resource Sets.
  • Removal of the deprecated AWS ECS Role Trust Provider (replaced previously by the AWS Role Trust Provider).
  • Support for Credential Providers of type OAuth2 Authorization Code.

For more information on these updates and changes, please see the Aembit Terraform Registry page.

Dynamic steering to specific hostnames now available

Aembit now supports dynamically steering only specific traffic to the Agent Proxy.

The dynamic steering feature introduces the ability to restrict this proxied traffic to a specific list of hostnames. When this feature is enabled, only egress traffic to the user-specified hostnames will be proxied. This enables you to have more precise control over which destinations’ traffic is managed by the Agent Proxy.

OAuth 2.0 Authorization Code Credential Provider now available

Aembit now supports 3-legged OAuth (3LO) workflows through the new OAuth 2.0 Authorization Code Credential Provider. Applications can request a user’s permission to access their account data and act on the user’s behalf.

With 3LO support, an application can access services or applications that the user has authorized.

Aembit supports the following third-party services with OAuth 2.0 Authorization Code Credential Providers:

For configuration details, see the OAuth 2.0 Authorization Code Credential documentation.

An expansion to Client Workload identification and Trust Provider match rules also shipped in this release; see Expanded Client Workload identification and Trust Provider match rules.

OAuth 2.0 Authorization Code Credential Provider enters beta

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for various 3rd party SaaS services that only support short-lived credentials issued through the OAuth 2.0 Authorization Code Flow. These services include:

  • Atlassian
  • GitLab
  • Slack
  • GCP BigQuery
  • Apigee
  • PagerDuty

This beta release enables users to use 3rd party SaaS services and have short-lived access tokens generated on demand for authentication to APIs that these 3rd party services provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider for use with any of these 3rd party services, please see the OAuth 2.0 Authorization Code Credential Provider page.

Non-root Aembit containers and configurable Agent Proxy file descriptor limits

Aembit has released two new feature updates that enhance existing Aembit functionality.

Aembit Containers

All injected Aembit containers are now run as non-root users.

Agent Proxy File Descriptor Limits

Users may configure a limit on the number of file descriptors Agent Proxy is allowed to open on a VM. You set this number when Agent Proxy is installed (using the AEMBIT_FD_LIMIT environment variable).

Virtual Machines

  • Default Limit - 65535, set by Agent Proxy installer

  • Configuration - This limit is configurable via the AEMBIT_FD_LIMIT environment variable. This value is passed directly to systemd in Agent Proxy’s service file at the time of installation.

  • Example - AEMBIT_FD_LIMIT=200000 [...] ./install

Kubernetes

  • Default Limit - This limit is inherited from container runtime.

  • Configuration - There is no official support without modifying the underlying runtime. For more information on configuring these limits, please see the Kubernetes limits support GitHub thread.

AWS ECS

  • Default Limit - 1024

  • Configuration - This limit is configurable via the ECS Task Definition API or ECS Dashboard. Please refer to the AWS ECS Developer Guide for more detailed information on how to configure these limits.

AWS Lambda

  • Default Limit - 1024

  • Configuration - This limit is not configurable. For more information, please refer to the AWS Lambda Developer Guide.

AWS Role Trust Provider now available

Aembit has released an update to support AWS Role-Based Trust Providers.

The ability to create and use different types of Trust Providers in your Aembit environment enables you to have flexibility in how resources are managed. With this enhancement, you now have an additional option when selecting a Trust Provider.

For more information on AWS Role-Based Trust Providers, please see the AWS Role Trust Provider page.

Resource Sets now available

Many organizations have security requirements that specify which resources a given group may manage, which means segmenting management responsibilities for certain entities and resources in your Aembit environment between different individuals and groups. To address this requirement, Aembit has released the Resource Sets feature, which enables you to determine which groups will have access to various resources.

Resource Sets enable you to group entities and resources (e.g. Credential Providers, Trust Providers, Identity Providers, etc.) into a single collection and assign specific users to manage these resources.

For more detailed technical information on how to create and manage Resource Sets, please refer to the Resource Sets technical documentation.

Graceful Agent Proxy shutdown for sidecars

In some cases, you may need to shut down Agent Proxy manually when the main container exits while a sidecar is still running. Killing the whole job is undesirable, since it would then appear as a cancelled job. Aembit now provides a way to terminate the job gracefully while the sidecar continues to run.

For more detailed information on this feature, please refer to the Agent Proxy Shutdown page.

AWS Lambda Container deployment now supported

There are many different deployment options you can currently use to deploy Aembit Edge Components in your environment, including GitHub Actions, GitLab Jobs, and Kubernetes.

To increase the available deployment options for our users, Aembit now provides support for users who wish to deploy Aembit Edge Components to an Amazon Web Services (AWS) Lambda Container.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Containers, please refer to the AWS Lambda Container technical documentation.

GeoIP Access Conditions and Google Cloud Storage Log Streams now available

Aembit has released two new features on Aembit Cloud:

  • Access Condition support for Geographic IP (GeoIP) restrictions
  • Log Stream support for streaming to Google Cloud Storage Buckets

Aembit GeoIP Access Conditions

You may now configure and add Aembit GeoIP conditions in your Aembit Tenant. This new Access Condition type enables you to explicitly designate which countries/regions will have access to Server Workloads from policy-enabled Client Workloads.

For more information on this feature, please refer to the Access Conditions for GeoIP Restriction page.

Google Cloud Storage Bucket Log Streams

Aembit now supports Log Streams that target Google Cloud Storage (GCS) Buckets. You may add or configure this new Log Stream destination type in the Administration tab of your Aembit Tenant.

For more information on this feature, please refer to the Google Cloud Storage Bucket Log Streams page.

Kerberos Trust Provider now available for Active Directory

Aembit has released a Kerberos Trust Provider that enables the attestation of Client Workloads running in virtual machine environments joined to Active Directory. This attestation method is specifically designed for on-premise deployments where alternative attestation methods, such as AWS or Azure metadata service trust providers, are not available.

For more detailed information on this Kerberos Trust Provider, please refer to the Kerberos Trust Provider technical documentation.