Aembit Edge represents the collection of components deployed directly within your operational environments to enforce Access Policies and enable secretless workload communication. It functions as a distributed enforcement and interaction layer, positioned within your compute environments alongside your workloads—spanning Kubernetes clusters, virtual machines, and serverless platforms.
The Edge architecture separates the control plane (Aembit Cloud) from the data plane (where workload traffic flows). While Aembit Cloud makes authorization decisions and manages credential lifecycles, Aembit Edge components handle traffic interception, credential injection, and forwarding locally within your environment. This design ensures that your sensitive workload data remains within your network boundaries and never passes through Aembit’s infrastructure.
Aembit Edge is essential for translating centralized policies into concrete access control actions at the point where your workloads interact. It eliminates the need for applications to store or manage long-lived secrets by intercepting requests, verifying identities, and injecting short-lived credentials just-in-time.
Edge Component registration
Before Aembit Edge can enforce access control, you must first deploy it within your operational environments. This involves installing the components that intercept workload traffic, gather identity evidence, and inject credentials as needed.
Upon deployment, Aembit Edge components must register with Aembit Cloud to establish trust and enable policy synchronization. This registration process typically involves the following steps:
- Controller Registration - Agent Controller registers with Aembit Cloud to establish trust. Agent Controller has two registration options: using a Device Code flow, or providing a Controller ID together with configured Trust Providers.
- Proxy Retrieves Token - Agent Proxy registers with Agent Controller to obtain a token for authenticating with Aembit Cloud. This is typically done via an HTTP/S call to the Agent Controller API endpoint /api/token.
- Aembit Cloud Grants Token - Aembit Cloud verifies the request and grants Agent Proxy a token. This token is used to authenticate the Agent Proxy with Aembit Cloud.
- Proxy Registration with Aembit Cloud - The Agent Proxy uses the obtained token to register with Aembit Cloud, allowing it to receive Access Policies and interact with the Aembit Cloud services.
From there, Agent Proxy can start intercepting outbound requests from Client Workloads, gathering identity evidence, and injecting credentials as needed based on the Access Policies defined in Aembit Cloud.
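The four-step registration chain above, modelled as an added example. This is not Aembit's code or wire protocol: the HMAC-signed token format, the in-memory control plane, the trust-provider check and the Agent Controller's /api/token handler are all constructed here to show why each party can trust the next (a token is only minted for a registered controller, and is only accepted while its signature verifies, it has not expired and its controller is still trusted).

```python
"""Illustrative model of the Edge registration flow: Controller -> Cloud,
Proxy -> Controller (/api/token), Cloud grants token, Proxy -> Cloud.
Added example, not Aembit's code; token format and checks are constructed."""
import base64
import hashlib
import hmac
import json
import time


class ControlPlaneRegistry:
    """Aembit Cloud stand-in: registers controllers, mints and checks proxy tokens."""

    def __init__(self):
        self._key = b"constructed-signing-key"   # constructed; a real deployment never hard-codes this
        self.controllers = {}   # controller_id -> trust provider name
        self.proxies = {}       # proxy_id -> controller_id that vouched for it

    def register_controller(self, controller_id, trust_provider, evidence):
        # Step 1 (Controller ID + Trust Provider variant). The check is a
        # placeholder: a real Trust Provider validates platform-issued evidence.
        if evidence.get("issuer") != trust_provider:
            raise PermissionError("evidence not issued by the configured Trust Provider")
        self.controllers[controller_id] = trust_provider

    def grant_proxy_token(self, controller_id, proxy_id, now, ttl=300):
        # Step 3: only a registered controller may obtain tokens for its proxies.
        if controller_id not in self.controllers:
            raise PermissionError("unregistered Agent Controller")
        claims = {"sub": proxy_id, "ctl": controller_id, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def register_proxy(self, token, now):
        # Step 4: verify signature (constant time), expiry and controller trust
        # before the proxy may receive Access Policies.
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad token signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now or claims["ctl"] not in self.controllers:
            raise PermissionError("token expired or controller no longer trusted")
        self.proxies[claims["sub"]] = claims["ctl"]
        return claims


class AgentControllerModel:
    """Agent Controller stand-in; api_token() plays the /api/token endpoint."""

    def __init__(self, controller_id, trust_provider, cloud):
        self.controller_id = controller_id
        self.trust_provider = trust_provider
        self.cloud = cloud

    def register(self, evidence):
        self.cloud.register_controller(self.controller_id, self.trust_provider, evidence)

    def api_token(self, proxy_id, now):
        # Step 2: the proxy's HTTP/S call to /api/token, brokered to the control plane.
        return self.cloud.grant_proxy_token(self.controller_id, proxy_id, now)


def register_edge(now=None):
    """Run the whole chain with constructed identifiers and evidence."""
    now = time.time() if now is None else now
    cloud = ControlPlaneRegistry()
    controller = AgentControllerModel("ctl-example", "example-trust-provider", cloud)
    controller.register({"issuer": "example-trust-provider", "role": "edge-controller"})
    token = controller.api_token("proxy-1", now)
    claims = cloud.register_proxy(token, now)
    return cloud, token, claims


if __name__ == "__main__":
    _, tok, c = register_edge()
    print("proxy registered:", c["sub"], "via", c["ctl"])
```

The design point worth noticing is that the proxy never holds a long-lived credential: it receives a short-lived, controller-scoped token, and revoking the controller's registration invalidates every token it brokered.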
Credential injection
Once Aembit Edge registers with Aembit Cloud and is operational, it can perform credential injection to enable secure workload communication. This process allows Client Workloads to access Server Workloads without needing to store or manage long-lived credentials. Aembit Edge intercepts outbound requests from Client Workloads, gathers identity evidence, and injects short-lived credentials just-in-time based on the evaluated Access Policy.
The credential injection process typically follows these steps:
- Request Interception - Agent Proxy intercepts outbound requests from the Client Workload. This interception allows Aembit to gather identity evidence and contextual information about the Client Workload and its runtime environment.
- Identity Attestation - Agent Proxy collects identity attributes and contextual information about the Client Workload, such as Kubernetes service account tokens, cloud provider metadata, or process information.
- Credential Request - Agent Proxy directly requests the necessary short-lived access credentials from Aembit Cloud for the target Server Workload based on the evaluated Access Policy.
- Credential Retrieval - Aembit Cloud interacts with the configured Credential Provider to obtain the necessary short-lived access credentials and returns them to the Agent Proxy.
- Credential Injection - Agent Proxy receives the credentials and injects them just-in-time into the original client request, modifying headers, connection parameters, or authentication fields as required.
- Request Forwarding - Agent Proxy forwards the modified request to the target Server Workload, which can now authenticate the Client Workload using the injected credentials.
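The six steps above, modelled end to end as an added example that is not Aembit's code. The attestation attributes, the Access Policy shape, the Credential Provider and the cache fallback are constructed to show the mechanism: the Client Workload's request carries no credential, the proxy attests the workload, the control plane evaluates a policy and asks a Credential Provider for a short-lived secret, and the proxy injects it as a header before forwarding. It also shows the credential-caching behaviour mentioned under the benefits below, namely that a cached credential bridges a control-plane outage only until it expires.

```python
"""Illustrative model of the credential injection flow (intercept, attest,
request, retrieve, inject, forward). Added example, not Aembit's code."""
import secrets
import time


class CredentialProviderModel:
    """Step 4 stand-in: mints a short-lived bearer secret for one Server Workload."""

    def __init__(self, name, ttl_seconds):
        self.name = name
        self.ttl = ttl_seconds

    def issue(self, now):
        return {"provider": self.name,
                "secret": "cp-" + secrets.token_hex(8),   # constructed value
                "expires_at": now + self.ttl}


class ControlPlanePolicyModel:
    """Aembit Cloud stand-in: evaluates Access Policies, calls the Credential Provider."""

    def __init__(self):
        self.policies = []      # (required client attributes, server host, provider)
        self.available = True   # set False to simulate a network disruption

    def add_policy(self, required_attrs, server_host, provider):
        self.policies.append((required_attrs, server_host, provider))

    def request_credential(self, evidence, server_host, now):
        if not self.available:
            raise ConnectionError("control plane unreachable")
        for required, host, provider in self.policies:
            # A policy matches only when every required attribute was attested.
            if host == server_host and all(evidence.get(k) == v for k, v in required.items()):
                return provider.issue(now)
        raise PermissionError(f"no Access Policy permits {evidence} -> {server_host}")


def attest(workload):
    """Step 2: gather identity evidence (constructed Kubernetes-style attributes)."""
    return {"k8s_namespace": workload["namespace"],
            "k8s_service_account": workload["service_account"]}


class AgentProxyModel:
    """Steps 1, 3, 5 and 6: intercept, request, inject, forward."""

    def __init__(self, cloud):
        self.cloud = cloud
        self.cache = {}   # (attested identity, server host) -> last credential issued

    def handle(self, workload, request, now=None):
        now = time.time() if now is None else now
        evidence = attest(workload)
        key = (tuple(sorted(evidence.items())), request["host"])
        try:
            cred = self.cloud.request_credential(evidence, request["host"], now)
            self.cache[key] = cred
        except ConnectionError:
            # Outage: serve the cached credential, but never one that has expired.
            cred = self.cache.get(key)
            if cred is None or cred["expires_at"] <= now:
                raise
        # Inject into a copy so the original client request stays credential-free.
        forwarded = dict(request, headers=dict(request.get("headers", {})))
        forwarded["headers"]["Authorization"] = "Bearer " + cred["secret"]
        return forwarded   # what would be forwarded to the Server Workload


def demo(now=1000):
    """Walk a constructed Client Workload through the flow, then through an outage."""
    cloud = ControlPlanePolicyModel()
    cloud.add_policy({"k8s_namespace": "payments", "k8s_service_account": "billing"},
                     "api.example.test", CredentialProviderModel("billing-api-token", 300))
    proxy = AgentProxyModel(cloud)
    workload = {"namespace": "payments", "service_account": "billing"}
    request = {"host": "api.example.test", "path": "/v1/charge", "headers": {}}
    live = proxy.handle(workload, request, now)
    cloud.available = False
    cached = proxy.handle(workload, request, now + 100)
    return {"live": live, "cached": cached, "proxy": proxy, "cloud": cloud,
            "workload": workload, "request": request}


if __name__ == "__main__":
    result = demo()
    print("injected:", result["live"]["headers"]["Authorization"][:14] + "...")
```

A workload that attests attributes no policy lists gets a PermissionError rather than a credential, and once the cached secret passes its expiry the proxy refuses to forward during an outage instead of sending a stale credential.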
The following diagram illustrates this process:
Supported deployment environments
Aembit designed Edge components for deployment across diverse modern computing environments:
Container Orchestration
- Kubernetes deployment - Agent Controller and Agent Injector deployed via Helm chart, with Agent Proxy automatically injected as a sidecar container
- Amazon ECS deployment - Components deployed as ECS tasks and services using Terraform modules
Virtual Machines
- Linux deployment - Downloadable installers for Ubuntu 20.04/22.04 LTS and Red Hat Enterprise Linux 8/9 with SELinux support
- Windows deployment - MSI packages for Windows Server 2019/2022 environments
CI/CD Platforms
- GitHub Actions - Agent Proxy deployed as a GitHub Action for workflow-based access control
- GitLab CI/CD - Agent Proxy deployed as a GitLab Runner for pipeline-based access control
- Jenkins Pipelines - Agent Proxy deployed as a Jenkins Pipeline step for job-based access control
Serverless Platforms
- AWS Lambda containers - Agent Proxy deployed as a Lambda Extension layer for containerized functions
- AWS Lambda functions - Agent Proxy deployed as a Lambda layer for standard Lambda functions
Specialized Deployments
- Virtual appliance - Pre-packaged .ova format bundling Agent Controller and Agent Proxy for virtualized environments
- High availability configurations - Multiple Agent Controller instances with load balancing
Benefits of using Aembit Edge
- Local Traffic Control - Intercepts and processes workload traffic within your environment, ensuring sensitive data never leaves your network boundaries while Aembit enforces Access Policies.
- Secretless Architecture - Eliminates the need for workloads to store or manage long-lived credentials by handling credential injection transparently at the network layer.
- Environment Integration - Deploys natively within your existing infrastructure using standard tools like Helm, installers, and container images without requiring application code changes.
- Distributed Enforcement - Provides consistent policy enforcement across heterogeneous environments while maintaining centralized policy management through Aembit Cloud.
- Performance Optimization - Processes requests locally to minimize latency and includes credential caching to maintain availability during temporary network disruptions.