Aembit CLI changelog

Version history

Aembit CLI Version	Release Date	Platforms	Notes
1.31.4764	5/2/2026	Linux (amd64, arm64) Windows (amd64)	Add upstream HTTP proxy support; add --client-workload-id flag and OIDC token expiration validation; add support for gathering dynamic claims from environment variables
1.24.3328	7/29/2025	Linux (amd64, arm64) Windows (amd64)

The version number has three parts: major.minor.patch. For example, 1.24.3328 indicates:

Major version: 1 - This indicates a major release that may include breaking changes.
Minor version: 24 - This indicates a minor release that adds new features or improvements without breaking existing functionality.
Patch version: 3328 - This indicates a patch release that includes bug fixes or minor improvements.

Added support for the AWS Metadata Service, AWS Role, and Kubernetes Service Account Trust Providers to credentials get. Aembit CLI gathers attestation data from the local environment (IMDS, STS GetCallerIdentity, or the projected service account token), so --id-token isn’t needed for these Trust Providers.
Added vm, kubernetes, ecs_fargate, and lambda_container as accepted values for the --deployment-model option. This option is required for the AWS Role Trust Provider.

Added --client-tls-private-key option (and the AEMBIT_CLIENT_TLS_PRIVATE_KEY environment variable) to the credentials get command for retrieving X.509-SVID certificates. Aembit CLI generates a CSR locally from the supplied private key, submits it through the credential retrieval flow, and returns the signed certificate chain in CLIENT_CERT_CHAIN. See aembit credentials get --client-tls-private-key.

Added --client-workload-id option to the credentials get command. Use this to specify a Client Workload ID when multiple workloads share the same Trust Provider.
Added expiration validation for OIDC tokens provided with --id-token.

Initial release!