Aembit CLI provides the credentials get command to retrieve credentials for a specific Client Workload.
This command is useful for obtaining credentials that your scripts or applications can use to access resources protected by Aembit Access Policies.
General usage:
aembit credentials get [OPTIONS] \
    --client-id <CLIENT_ID> \
    --server-workload-host <HOST> \
    --server-workload-port <PORT>
Get help:
aembit credentials get -h | --help
This command requires the following options:
--client-id
--server-workload-host
--server-workload-port
The --client-id value is the Edge SDK Client ID from the Trust Provider in your Aembit Tenant; the Aembit CLI presents it to identify the workload it is running as.
To retrieve the Edge SDK Client ID, see Find your Edge SDK Client ID.
It is formatted as follows:
aembit:<region>:<tenantId>:identity:<identityType>:<trustProviderId>
Detailed example
If your Aembit Tenant is deployed in the useast2 region, has a tenant ID of a12bc3, and uses a GitLab identity type with a trust provider ID of 63ab7be6-9785-4a14-be1c-2acf0253070b, your client ID would look like this:
aembit:useast2:a12bc3:identity:gitlab_idtoken:63ab7be6-9785-4a14-be1c-2acf0253070b
where:
useast2 is the <region> where the Aembit stack is deployed
a12bc3 is the <tenantId> of your Aembit Tenant
gitlab_idtoken is the <identityType>
63ab7be6-9785-4a14-be1c-2acf0253070b is the <trustProviderId>
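A client ID that is mis-pasted or truncated fails only when the CLI rejects it. The following shell function, added here as an example and not part of the Aembit documentation or CLI, validates and splits an Edge SDK Client ID against the format shown above before a script hands it to aembit credentials get. It assumes, beyond what the page states, that <trustProviderId> is a lowercase UUID (as in the page's example) and that the other fields are non-empty and contain no colons.

```shell
#!/bin/sh
# Added example, not part of the Aembit documentation or CLI: validate and
# split an Edge SDK Client ID before passing it to `aembit credentials get`,
# so a mis-pasted ID fails in your own script with a clear reason.
#
# Format documented on this page:
#   aembit:<region>:<tenantId>:identity:<identityType>:<trustProviderId>
# Assumptions not stated on the page: <trustProviderId> is a lowercase UUID,
# and the other fields are non-empty and contain no colons.

# parse_client_id CLIENT_ID
# On success prints "<region> <tenantId> <identityType> <trustProviderId>"
# and returns 0; on a malformed ID prints the reason to stderr and returns 1.
parse_client_id() {
    id=$1

    # Six fields means exactly five colons.
    colons=$(( $(printf '%s' "$id" | tr -cd ':' | wc -c) ))
    if [ "$colons" -ne 5 ]; then
        echo "client ID must have 6 colon-separated fields, found $((colons + 1))" >&2
        return 1
    fi

    # Peel the fields off one at a time with parameter expansion.
    rest=$id
    prefix=${rest%%:*};  rest=${rest#*:}
    region=${rest%%:*};  rest=${rest#*:}
    tenant=${rest%%:*};  rest=${rest#*:}
    literal=${rest%%:*}; rest=${rest#*:}
    idtype=${rest%%:*};  rest=${rest#*:}
    tpid=$rest

    [ "$prefix" = aembit ]    || { echo "client ID must start with 'aembit:'" >&2; return 1; }
    [ "$literal" = identity ] || { echo "fourth field must be 'identity'" >&2; return 1; }
    for f in "$region" "$tenant" "$idtype"; do
        [ -n "$f" ] || { echo "region, tenantId and identityType must be non-empty" >&2; return 1; }
    done
    # Assumed: trust provider IDs are lowercase UUIDs, as in the page's example.
    printf '%s\n' "$tpid" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' \
        || { echo "trustProviderId '$tpid' is not a UUID" >&2; return 1; }

    printf '%s %s %s %s\n' "$region" "$tenant" "$idtype" "$tpid"
}

# Usage in a script (the ID below is the page's own example value):
# set -e
# fields=$(parse_client_id "aembit:useast2:a12bc3:identity:gitlab_idtoken:63ab7be6-9785-4a14-be1c-2acf0253070b")
# echo "resolved fields: $fields"
```

Run it under set -e so a rejected ID stops the script before any credential request is made; the function only inspects the string and never contacts Aembit.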
Options
--client-id
Required
Default - not set
Agent Proxy env var: AEMBIT_CLIENT_ID
Description - The Edge SDK Client ID from your Aembit Trust Provider. Aembit generates the Edge SDK Client ID automatically when you configure a Trust Provider in your Aembit Tenant UI. To retrieve your Edge SDK Client ID, see Find your Edge SDK Client ID.
Example - aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b
--server-workload-host
Required
Default - not set
Description - The Server Workload hostname or IP address that Aembit uses to match an Access Policy.
Examples - example.com, localhost, or an IP address
--server-workload-port
Required
Default - not set
Description - The Server Workload port number that Aembit uses to match an Access Policy.
Examples - 443, 8443, 8080, etc.
--id-token
Default - not set
Description - The OIDC ID token issued by the platform associated with the Trust Provider. Aembit uses this token to attest the Client Workload.
--credential-names
Default - TOKEN
Description - The names to give the credentials that Aembit receives from the Credential Provider. Use this when your scripts or applications expect specific variable names. Specify multiple names by separating them with commas.
Examples - MY_TOKEN,MY_SECRET or MY_ACCESS_TOKEN,MY_REFRESH_TOKEN
--log-level
Default - warn
Possible values - off, trace, debug, info, warn, error
Agent Proxy env var: AEMBIT_LOG_LEVEL
Description - The log level for the Aembit CLI. This controls the verbosity of the CLI's output.
--output-format
Default - sh-export
Possible values - sh-export, powershell-env
Description - The format in which the CLI outputs the credentials, for a POSIX shell (sh-export) or for PowerShell (powershell-env).
--resource-set-id
Default - not set
Agent Proxy env var: AEMBIT_RESOURCE_SET_ID
Description - The Resource Set to authenticate against and within which Access Policy matching happens. Use this when the credentials must come from a specific Resource Set. You can find the Resource Set ID in your Aembit Tenant UI under the Resource Sets section.
Examples
Each of the following examples demonstrates how to use the aembit credentials get command with different options. All commands include the following required options:
--client-id
--server-workload-host
--server-workload-port
# Get credentials for a specific client workload
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --id-token <ID_TOKEN>

# Get credentials with all options
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --id-token <ID_TOKEN> \
    --credential-names MY_TOKEN,MY_SECRET \
    --output-format powershell-env \
    --deployment-model vm \
    --resource-set-id my-resource-set-id

# Get credentials with custom names
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --credential-names MY_TOKEN,MY_SECRET

# Get credentials with output format
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --output-format powershell-env

# Get credentials with deployment model
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --id-token <ID_TOKEN> \
    --deployment-model vm

# Get credentials with resource set ID
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --id-token <ID_TOKEN> \
    --resource-set-id 78bg7be6-9301-hj14-d51c-2acf02530y67

# Get credentials with log level
aembit credentials get \
    --client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \
    --server-workload-host example.com \
    --server-workload-port 443 \
    --log-level debug
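The examples above print credentials; a script still has to get them into its environment. The following block, added here as an example and not part of the Aembit documentation or CLI, shows the idiom for consuming --output-format sh-export together with --credential-names from a POSIX shell script without writing the secrets to disk. It assumes, beyond what the page states, that sh-export emits one line of the form export NAME='value' per credential, in the order given to --credential-names; the fetch_credentials function is a constructed stand-in for the real CLI so the example runs offline, and the values it returns are made up.

```shell
#!/bin/sh
# Added example, not part of the Aembit documentation or CLI. Shows how a
# script consumes `aembit credentials get --output-format sh-export` and
# relies on the fixed names requested with --credential-names.
#
# ASSUMPTION (not stated on this page): sh-export output is one line per
# credential of the form
#   export NAME='value'
# in the order given to --credential-names.

# Constructed stand-in for the real CLI so this runs offline. In a real
# script replace the body with:
#   aembit credentials get --client-id "$AEMBIT_CLIENT_ID" \
#       --server-workload-host "$1" --server-workload-port "$2" \
#       --credential-names MY_TOKEN,MY_SECRET --output-format sh-export
fetch_credentials() {
    printf "export MY_TOKEN='%s'\n" 'constructed-token-for-example'
    printf "export MY_SECRET='%s'\n" 'constructed-secret-for-example'
}

# load_credentials HOST PORT
# Evaluates the exported assignments into the current shell and verifies
# that every expected variable was set. Returns 1 otherwise, so a script
# running under `set -e` stops before calling the server with empty values.
load_credentials() {
    out=$(fetch_credentials "$1" "$2") || return 1

    # Only eval text that has the expected shape. Anything else on stdout
    # (an error message, a changed format) must not be executed as shell.
    if printf '%s\n' "$out" | grep -Evq "^export [A-Z_][A-Z0-9_]*='[^']*'\$"; then
        echo "unexpected output from aembit credentials get" >&2
        return 1
    fi
    eval "$out"

    # The names come from --credential-names, so the script can check them
    # by name instead of guessing what the Credential Provider returned.
    for name in MY_TOKEN MY_SECRET; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "credential $name was not returned" >&2
            return 1
        fi
    done
    return 0
}

# Typical use: under `set -eu`, load once, then use the variables directly.
# load_credentials example.com 443
# curl -fsS -H "Authorization: Bearer $MY_TOKEN" https://example.com/api
```

Keeping the credentials in the process environment rather than in a file means they disappear with the shell; the shape check before eval is the part to keep even if the exact output format differs from the assumption above, adjusting the pattern to whatever the CLI actually prints.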