
Standalone CAs and Credential Provider Integrations now available

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.


We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Deploy Aembit Edge screen


Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature ensures your workloads always have valid credentials without manual credential management, improving both security and operational efficiency.

Credential Provider Integrations connect Aembit directly to third-party systems, starting with the GitLab Service Account integration. This integration lets you create a Managed GitLab Account Credential Provider, which manages the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.
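As an added illustration of what request signing involves when a proxy signs on a workload's behalf (this is example code, not Aembit's implementation): build the canonical request, derive the per-day/region/service signing key from the secret, sign the string-to-sign, and assemble the Authorization header. Inputs are AWS's published SigV4 example request and example credentials; SigV4a, which replaces the HMAC with an asymmetric ECDSA signature so one signature is valid across regions, is not shown.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload=b""):
    """Build the SigV4 canonical request text; returns (text, signed_headers)."""
    names = sorted(h.lower() for h in headers)
    values = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # trim and collapse spaces
    canon_headers = "".join(f"{n}:{values[n]}\n" for n in names)
    signed_headers = ";".join(names)
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    payload_hash = hashlib.sha256(payload).hexdigest()  # empty body hashes to e3b0c442...
    text = "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash])
    return text, signed_headers


def signing_key(secret, date, region, service):
    """Derive the scoped signing key: an HMAC chain starting from 'AWS4' + secret."""
    key = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def sigv4_sign(access_key, secret, region, service, method, path, query, headers, payload=b""):
    """Return (Authorization header value, hex signature) for one request."""
    amz_date = headers["x-amz-date"]  # ISO 8601 basic format, e.g. 20150830T123600Z
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()])
    key = signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={signature}"
    return authorization, signature


def sign_example():
    """Sign the GET ListUsers request from AWS's published SigV4 example (example credentials)."""
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": "iam.amazonaws.com", "x-amz-date": "20150830T123600Z"}
    return sigv4_sign("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "us-east-1", "iam",
                      "GET", "/", {"Action": "ListUsers", "Version": "2010-05-08"}, headers)
```

Because the key is scoped to date, region and service, a leaked derived key is far less useful than the long-term secret, which is the property a signing proxy preserves by never handing the secret to the workload.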

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions.

Vault private network access and CrowdStrike on Windows now available

Aembit now supports HashiCorp Vault Credential Providers that reside on private networks. In this setup your colocated Agent Proxy authenticates to Vault directly, rather than Aembit Cloud doing so. See Accessing Vault on private networks for more info.

Aembit now supports Conditional Access for CrowdStrike on Windows. To set up Conditional Access for CrowdStrike on Windows, follow the steps in Access Condition for CrowdStrike.

Aembit now supports the AWS Role Trust Provider on Agent Proxy for ECS Fargate deployments.

Enhanced Vault token header behavior.

Enhanced Agent Proxy initialization on Kubernetes to prevent other processes from interfering and impacting its startup.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

  • VM Agent Proxy package

  • AWS Lambda Extension

See Edge Components supported versions.

Azure Entra Workload Identity Federation and automatic user creation now available

Aembit now supports Azure Entra Workload Identity Federation as a Credential Provider. This enables you to automatically obtain credentials through Aembit as a third-party federated Identity Provider (IdP) to securely authenticate with Azure Entra and access your Azure Entra registered applications and managed identities.

Aembit now supports Automatic User Creation triggered by SSO login requests. Aembit has enhanced the Identity Provider configuration page with additional parameters, enabling you to map SAML attributes from your Identity Provider to the user roles defined in your Aembit Tenant.

You can now change the leaf certificate lifetime when using the TLS Decrypt feature.

OAuth 2.0 Authorization Code Credential Provider now available

Aembit now supports 3-legged OAuth (3LO) workflows through the new OAuth 2.0 Authorization Code Credential Provider. Applications can request a user’s permission to access their account data and act on the user’s behalf.

With 3LO support, an application can access services or applications that the user has authorized.

Aembit supports the following third-party services with OAuth 2.0 Authorization Code Credential Providers:

For configuration details, see the OAuth 2.0 Authorization Code Credential documentation.

An expansion to Client Workload identification and Trust Provider match rules also shipped in this release; see Expanded Client Workload identification and Trust Provider match rules.

OAuth 2.0 Authorization Code Credential Provider enters beta

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for third-party SaaS services that only issue short-lived credentials through the OAuth 2.0 Authorization Code Flow. These services include:

  • Atlassian
  • GitLab
  • Slack
  • GCP BigQuery
  • Apigee
  • PagerDuty

This beta release lets users work with these third-party SaaS services and have short-lived access tokens generated on demand for authentication to the APIs these services provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider for use with any of these third-party services, please see the OAuth 2.0 Authorization Code Credential Provider page.

Dynamic Claims now available for Credential Providers

Aembit has released a new feature for Credential Providers called “Dynamic Claims.” This feature allows you to set the Subject claim and Custom claims with either literal strings or dynamic values when setting up Credential Providers in your Aembit client tenant.

For more detailed information about Dynamic Claims, please refer to the Dynamic Claims page.

This feature is currently only supported for Vault integration.