Edge components release with Aembit CLI and Secrets Operator updates

Aembit has released new versions of the following components and packages:

  • Aembit Secrets Operator
  • Aembit Secrets Operator Helm chart

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • AWS and Kubernetes Trust Provider attestation in Aembit CLI: The aembit credentials get command now supports the AWS Metadata Service, AWS Role, and Kubernetes Service Account Trust Providers. Aembit CLI gathers attestation data from the local environment—instance metadata, an STS GetCallerIdentity request, or the projected service account token—so an externally supplied --id-token isn’t needed for these Trust Providers. The --deployment-model option now accepts vm, kubernetes, ecs_fargate, and lambda_container. The AWS Role Trust Provider requires this option.
  • Aembit Secrets Operator credential type support: Secrets Operator 1.32.322 now retrieves any credential type your Access Policy issues, not just HashiCorp Vault tokens. See Aembit Secrets Operator now supports more credential types.

Edge components release with reliability and CLI enhancements

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • VM Agent Controller package
  • Agent CLI
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • X.509-SVID retrieval through Aembit CLI: The aembit credentials get command now accepts --client-tls-private-key to retrieve a SPIFFE-compliant X.509-SVID certificate from the existing X.509-SVID Credential Provider. You supply a PEM-encoded private key; Aembit CLI generates the certificate signing request locally and returns the signed chain in CLIENT_CERT_CHAIN, and the private key never leaves the local machine.
  • Configurable gRPC keep-alives: Two optional environment variables, AEMBIT_TENANT_GRPC_PING_INTERVAL_SECS and AEMBIT_TENANT_GRPC_PING_TIMEOUT_SECS, let Agent Proxy send keep-alives on its connection to your Tenant so it detects a dead connection and reconnects faster. They’re off by default and useful for networks, such as a Secure Web Gateway, that stall idle connections.
  • CA certificate configuration for the Cloud connection: AGENT_TRUST_PATH again lets you supply a custom CA certificate for the Agent Proxy’s connection to the Aembit Cloud, which is useful when an inspecting proxy terminates TLS on outbound traffic.
  • Configurable HTTP idle timeout on Windows: The Windows installer now exposes AEMBIT_HTTP_IDLE_TIMEOUT_SECS, letting you tune the idle timeout for HTTP/1.1 connections handled by the Agent Proxy.
  • Caching enhancements: Improvements to credential caching across the Agent Proxy and Aembit CLI.
  • Improved upstream proxy diagnostics: When the Agent Proxy can’t reach a configured upstream HTTP proxy, logs now include the full error source chain instead of a generic connection error, making a misconfigured upstream proxy easier to diagnose.
  • General improvements: Stability, robustness, and dependency updates across edge components, including improved hardware-identification handling during process identification on Linux virtual machines.

Aembit CLI now retrieves X.509-SVID certificates

Aembit CLI now retrieves SPIFFE-compliant X.509-SVID certificates directly from the X.509-SVID Credential Provider.

Aembit has released new versions of the following components and packages:

  • Aembit CLI

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • X.509-SVID retrieval through Aembit CLI: The aembit credentials get command now accepts --client-tls-private-key to retrieve a SPIFFE-compliant X.509-SVID certificate from the existing X.509-SVID Credential Provider. You supply a PEM-encoded private key; Aembit CLI generates the CSR locally, submits it through the credential retrieval flow, and returns the signed certificate chain in CLIENT_CERT_CHAIN. The private key never leaves the local machine.

Edge components release with Oracle GA and HTTP proxy support

Aembit has released new versions of the following components and packages:

  • Helm Chart
  • Terraform ECS module
  • VM Agent Proxy package
  • Agent CLI
  • AWS Lambda Extension
  • AWS Lambda Layer
  • Agent Injector
  • Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

  • Oracle Application Protocol GA: Oracle Database protocol support is now available for production use, including mid-connection TLS support, improved client error handling, Prometheus metrics for Oracle credential injection events, and internal packet-handling improvements.
  • Upstream HTTP proxy support: Agent Proxy and Aembit CLI now support upstream HTTP proxy configuration for gRPC and Server-Workload-bound HTTP/HTTPS traffic, with NO_PROXY honored.
  • S3 upload size restriction removed: Large file uploads to AWS S3 Log Streams are now supported via streaming AWS chunked signing, removing the previous upload size limit. See How Aembit uses AWS SigV4 and SigV4a for more details.
  • Expanded credential resolver capabilities: Enhanced support for credential provider resolution across deployment types.
  • Dynamic claims from environment variables: Agent Proxy and Aembit CLI can now gather dynamic claims from environment variables, controlled by the AEMBIT_ENV_VAR_ALLOWLIST.
  • CLI enhancements: Aembit CLI adds the --client-workload-id flag and OIDC token expiration validation.
  • General improvements: Numerous stability and reliability improvements across edge components.
  • Security upgrades: Security dependency upgrades across edge components.
  • Improved logging and observability: Improved request logging and enhanced error reporting for common failure conditions.

Edge components release with OpenShift support and AWS Secrets Manager private network access

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

  • Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraint configurations and deployment best practices. See OpenShift deployment guide.
  • AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
  • Aembit CLI CrowdStrike support.
  • Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
  • New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
  • Support for volume-mounted certificates in Aembit Edge Components.
  • Security and performance enhancements.

Updated Edge Components:

  • Agent Proxy 1.25.3494
  • Sidecar Init 1.25.127
  • Helm Chart 1.25.494

See Edge Components supported versions for more details.


Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieves secrets from AWS Secrets Manager directly, ensuring secure and private access to your secrets.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.


Aembit CLI, AWS Secrets Manager, and Jenkins Pipelines now available

Aembit has released the new AWS IAM Role Credential Provider Integration and Secrets Manager Credential Provider. Together, they enable you to retrieve secrets from AWS Secrets Manager directly through Aembit.

See AWS IAM Role Credential Provider Integration and AWS Secrets Manager Credential Provider to learn more.


Aembit has released the Aembit CLI, a command-line interface that allows you to inject credentials into your CI/CD pipelines. It is compatible with GitLab, GitHub, and now Jenkins.

Check out the Aembit CLI Guide to get started with the Aembit CLI!
Also, see Aembit Edge on CI/CD services for more information on how to use Aembit CLI with your CI/CD pipelines.


Aembit has released support for Jenkins Pipelines to help you integrate Aembit into your Jenkins CI/CD workflows. This integration allows you to securely retrieve and use Aembit-managed credentials directly in your Jenkins Pipelines, streamlining your CI/CD processes and enhancing security.

Check out Jenkins Pipelines to learn more about how to use Aembit with Jenkins Pipelines.


Aembit now supports Server Workloads with a wildcard hostname.

This enables you to simplify your Server Workloads in a flexible and well-defined manner.


As of Agent Controller version 1.24.xxxx, Aembit has enhanced Agent Controller to automatically close insecure HTTP ports when you enable TLS. This update streamlines security by ensuring only encrypted connections are active.

When you enable TLS, Agent Controller now automatically:

  • Opens Secure Ports: 443 (or 5443 on VMs) and the secure Prometheus port 9091.
  • Closes Insecure Ports: 80 (or 5000 on VMs) and the insecure Prometheus port 9090.

This automation removes the manual step of closing insecure, vulnerable ports, preventing potential misconfigurations and enforcing a more secure, “secure-by-default” posture.
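To confirm the port state described above after enabling TLS, the following added example (not Aembit code) audits a host against the listed secure and insecure ports. The profile names, the function names, and the sample host name are assumptions of this example; only the port numbers come from the release note.

```python
import socket

# Port expectations copied from the release note; the dict layout and the
# "default"/"vm" profile names are this example's own.
EXPECTED = {
    "default": {"secure": (443, 9091), "insecure": (80, 9090)},
    "vm": {"secure": (5443, 9091), "insecure": (5000, 9090)},
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit_tls_ports(host, on_vm=False, probe=tcp_open):
    """List (port, problem) pairs where the host deviates from the TLS-enabled state."""
    profile = EXPECTED["vm" if on_vm else "default"]
    findings = []
    for port in profile["secure"]:
        if not probe(host, port):
            findings.append((port, "secure port not reachable"))
    for port in profile["insecure"]:
        if probe(host, port):
            findings.append((port, "insecure port still open"))
    return findings


def fake_probe(open_ports):
    """Build a probe over a constructed set of listening ports (no network used)."""
    return lambda _host, port: port in open_ports


if __name__ == "__main__":
    # Constructed states for a hypothetical VM-installed Agent Controller.
    host = "controller.example.internal"  # placeholder host name
    upgraded = fake_probe({5443, 9091})
    stale = fake_probe({5443, 9091, 5000, 9090})
    print(audit_tls_ports(host, on_vm=True, probe=upgraded))  # no findings
    print(audit_tls_ports(host, on_vm=True, probe=stale))     # two insecure ports
```

Run it with the default tcp_open probe from the network segment your workloads use, since a port filtered by a firewall reads as closed from that vantage point only.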


Aembit has applied security enhancements to Agent Controller version 1.24.2485 in this release, including:

  • Disabling insecure HTTP ports when you enable TLS.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart
  • Terraform ECS module

See Edge Components supported versions for more details.