Follow the steps on this page to use the Aembit CLI to retrieve credentials to access a Server Workload.
The command aembit credentials get allows you to obtain credentials that you can use in scripts or applications to
access Server Workloads protected by Aembit Access Policies.
The command requires you to provide the Edge SDK Client ID, Server Workload host, and Server Workload port as
parameters.
In this procedure, you’ll be accessing your Aembit Tenant and using the Aembit CLI in your terminal to get credentials from a Credential Provider to access a specific Server Workload.
Prerequisites
Section titled “Prerequisites”Before you can retrieve credentials, ensure you have the following:
- Aembit CLI installed
- Access to your Aembit Tenant with your fully configured Access Policy
- The Edge SDK Client ID from your Supported Trust Provider
- A supported Credential Provider
- The hostname and port of the Server Workload you want to access
About Credential Providers
Section titled “About Credential Providers”Your Credential Provider determines the type of credentials you can retrieve and how you can use them to access a Server Workload. If you change the Server Workload in an Access Policy, you’ll likely need to change the Credential Provider to match the authentication requirements of the new Server Workload. You can add or remove Client Workloads from Access Policies without requiring changes to the Credential Provider or underlying credentials, since the Client Workload only matches the environment where you run the CLI.
This procedure includes two different ways to run the aembit credentials get command, depending on the type of
credentials your Credential Provider retrieves.
Get credentials to access a Server Workload
Section titled “Get credentials to access a Server Workload”To retrieve credentials to access a specific Server Workload, follow these steps:
-
Log into your Aembit Tenant.
-
Follow the steps in Find your Edge SDK Client ID to obtain your Edge SDK Client ID.
-
Identify the hostname and port of the Server Workload you want the credential for.
You can do this by checking the Server Workload’s configuration or by checking the Access Policy that applies to the Workload in your Aembit Tenant.
-
Open your terminal that has Aembit CLI installed.
-
Run the
aembit credentials getcommand with the required parameters for the type of credential you want to retrieve:Use this approach for Credential Providers that output a single credential value.
The
evalcommand executes the CLI output as shell commands, setting the credentials as environment variables in your current shell session.Basic command (sets credential in
TOKENenvironment variable):Terminal window eval $(aembit credentials get \--client-id <clientId> \--server-workload-host <host> \--server-workload-port <port>)With custom credential name:
Terminal window eval $(aembit credentials get \--client-id <clientId> \--server-workload-host <host> \--server-workload-port <port> \--credential-names MY_ACCESS_TOKEN)Use this approach for the Username & Password Credential Provider. This Credential Provider outputs two separate credentials that must use the names
USERNAMEandPASSWORD.Terminal window eval $(aembit credentials get \--client-id <clientId> \--server-workload-host <host> \--server-workload-port <port> \--credential-names USERNAME,PASSWORD) -
Verify that Aembit CLI set the credentials correctly:
Terminal window echo $TOKEN# or if you used a custom name:echo $MY_ACCESS_TOKENTerminal window echo $USERNAMEecho $PASSWORD
Example commands
Section titled “Example commands”Here are complete examples using real client IDs and Server Workloads:
Single-value credential example:
eval $(aembit credentials get \ --client-id aembit:useast2:a12bc3:identity:github_idtoken:63ab7be6-9785-4a14-be1c-2acf0253070b \ --server-workload-host api.example.com \ --server-workload-port 443)Username & Password examples:
-
Without HTTP Basic Auth:
Terminal window eval $(aembit credentials get \--client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \--server-workload-host database.example.com \--server-workload-port 5432 \--credential-names USERNAME,PASSWORD) -
With HTTP Basic Auth
This is for Server Workloads that use “HTTP Authentication / Basic:Terminal window eval $(aembit credentials get \--client-id aembit:useast2:a12bc3:identity:aws_metadata:63ab7be6-9785-4a14-be1c-2acf0253070b \--server-workload-port 443 \--server-workload-host basic-auth.example.com \--credential-names USERPASS)curl -H "Authorization: Basic $USERPASS" https://basic-auth.example.comThe username/password Credential Provider outputs a single Base64-encoded value when used with HTTP Basic Auth. You can choose any name for the credential (like
USERPASSin the preceding example).
Next steps
Section titled “Next steps”Once you’ve retrieved the credentials, you can use them directly in your scripts or applications. The credentials are now available as environment variables in your current shell session.
Example usage in a script:
# Use the credential to make an API callcurl -H "Authorization: Bearer $TOKEN" https://api.example.com/data
# Or with username/password credentialscurl -u "$USERNAME:$PASSWORD" https://api.example.com/secure-endpointImportant notes:
- The
evalcommand executes the CLI output as shell commands, setting the credentials as environment variables - Credentials are only available in the current shell session
- To use credentials in a different shell session, you must run the command again
- For troubleshooting common issues, see the CLI troubleshooting guide