Trust Providers validate the identity of Client Workloads through a process called Workload Attestation, in which a workload's identity is verified cryptographically using evidence from its runtime environment, such as platform identity documents or tokens. Instead of relying on pre-shared secrets like API keys, passwords, or certificates, Trust Providers verify identity by consulting trusted systems in the workload’s runtime environment.
The core idea is simple but powerful: rather than asking, “What secret do you know?”, Trust Providers ask, “Can your environment vouch for who you are?” It’s similar to checking someone’s government-issued ID rather than taking their word for it.
You can think of Trust Providers as a kind of certificate authority for workloads—but instead of issuing certificates, they produce cryptographically verifiable claims about a workload’s environment. Aembit uses these claims to establish trust before granting access, reducing the risk of unauthorized workloads posing as trusted ones.
How Trust Providers work
The following steps outline the process of how Trust Providers work in Aembit:
- Client Workload Request - A Client Workload (for example, a microservice or application) attempts to access a Server Workload (for example, a database or API).
- Workload Attestation - When a Client Workload attempts to access a Server Workload, Aembit Edge gathers identity evidence from the Client Workload’s runtime environment.
- Evidence Submission - Aembit Edge submits this identity evidence to Aembit Cloud.
- Trust Provider Validation - Aembit Cloud uses a configured Trust Provider to validate the submitted evidence. The Trust Provider checks the evidence against its own records and policies to confirm the workload’s identity.
- Identity Confirmation - If the Trust Provider validates the evidence, Aembit Cloud confirms the Client Workload’s identity.
- Access Policy Evaluation - With the workload’s identity established, Aembit Cloud proceeds with evaluating the remaining components of the Access Policy.
At this point in the process, Aembit continues to evaluate the Access Policy, which may include additional Access Conditions, such as checking the workload’s attributes, permissions, or other contextual information.
The following diagram illustrates this process:
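To make the six steps concrete, here is an added Python simulation of the attestation flow. It is not Aembit's code and does not use Aembit's API: the platform key, audience value, workload names, runtime attributes and policy are all constructed for the example, and an HMAC stands in for the asymmetric signature a real platform would place on its identity document. The point it shows is that the workload never holds a credential; the runtime platform vouches for it, the Trust Provider checks that evidence against its own records, and only then is the Access Policy (including an Access Condition) evaluated.

```python
import base64
import hashlib
import hmac
import json

# Constructed key. It models the signing key of the runtime platform (the trusted system in
# the workload's environment) and is never given to the workload itself. A real platform signs
# with a private key and publishes the public half; HMAC stands in so this runs offline.
PLATFORM_SIGNING_KEY = b"constructed-platform-signing-key"
EXPECTED_AUDIENCE = "example-edge"  # hypothetical audience value

# Constructed: what the platform can observe about each workload it runs.
RUNTIME_ENVIRONMENT = {
    "svc-orders": {"namespace": "prod", "service_account": "orders"},
    "svc-scratch": {"namespace": "dev", "service_account": "scratch"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def platform_issue_identity_document(workload_id, now, ttl=300, signing_key=PLATFORM_SIGNING_KEY):
    """Step 2, runtime side: the platform vouches for the workload with a short-lived signed document."""
    claims = {"sub": workload_id, "aud": EXPECTED_AUDIENCE, "iat": now, "exp": now + ttl}
    claims.update(RUNTIME_ENVIRONMENT.get(workload_id, {}))
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(signing_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


class TrustProvider:
    """Steps 4 and 5: check the evidence against the platform's key and the provider's own records."""

    def __init__(self, signing_key, registered_workloads):
        self._key = signing_key
        self._registered = registered_workloads  # workload id -> expected runtime attributes

    def validate(self, document, now):
        parts = document.split(".")
        if len(parts) != 2:
            return False, "malformed evidence"
        payload, sig = parts
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "signature invalid: not issued by the trusted platform"
        claims = json.loads(_unb64(payload))
        if claims.get("aud") != EXPECTED_AUDIENCE:
            return False, "audience mismatch: evidence was not issued for this verifier"
        if not claims["iat"] <= now < claims["exp"]:
            return False, "evidence expired or not yet valid"
        record = self._registered.get(claims["sub"])
        if record is None or any(claims.get(k) != v for k, v in record.items()):
            return False, "claims do not match the Trust Provider's records"
        return True, claims


def authorize(trust_provider, evidence, policy, now):
    """Steps 3 to 6: confirm identity first, then evaluate the rest of the Access Policy."""
    ok, result = trust_provider.validate(evidence, now)
    if not ok:
        return False, f"identity not confirmed: {result}"
    if result["sub"] not in policy["allowed_clients"]:
        return False, "identity confirmed, but the Access Policy does not permit this client"
    start, end = policy["allowed_window"]  # an Access Condition: a time window
    if not start <= now <= end:
        return False, "identity confirmed, but the Access Condition (time window) failed"
    return True, f"{result['sub']} may access {policy['server_workload']}"


def run_scenarios():
    """Exercise the happy path and the failure modes a verifier must catch."""
    provider = TrustProvider(PLATFORM_SIGNING_KEY, RUNTIME_ENVIRONMENT)
    policy = {"server_workload": "orders-db", "allowed_clients": {"svc-orders"},
              "allowed_window": (0, 2000)}
    now = 1000
    good = platform_issue_identity_document("svc-orders", now)
    # Evidence whose claims were edited after signing, with the original signature kept.
    payload, sig = good.split(".")
    edited = json.loads(_unb64(payload))
    edited["namespace"] = "prod-admin"
    tampered = _b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig
    wrong_key = platform_issue_identity_document("svc-orders", now, signing_key=b"some-other-key")
    return {
        "valid": authorize(provider, good, policy, now),
        "not_platform_signed": authorize(provider, wrong_key, policy, now),
        "tampered": authorize(provider, tampered, policy, now),
        "expired": authorize(provider, good, policy, now + 600),
        "unknown_workload": authorize(provider, platform_issue_identity_document("svc-ghost", now), policy, now),
        "confirmed_but_not_permitted": authorize(provider, platform_issue_identity_document("svc-scratch", now), policy, now),
        "outside_window": authorize(provider, platform_issue_identity_document("svc-orders", 2100), policy, 2100),
    }


if __name__ == "__main__":
    for name, (granted, reason) in run_scenarios().items():
        print(f"{name:28s} granted={granted}  {reason}")
```

Two design choices carry the security point. The Trust Provider checks the signature, audience and validity window before it looks at any claim, so a document that was not produced by the platform is rejected without its contents being trusted; and identity confirmation is kept separate from policy evaluation, so a workload whose identity is genuine can still be refused by the Access Policy or an Access Condition, which is the distinction between steps 5 and 6 above.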
Supported environments
Aembit integrates with a variety of Trust Providers to support workload attestation across different environments, including:
- Cloud Providers
- Container Orchestration
- CI/CD Platforms
- On-Premises
Benefits of using trust providers
- Enhanced Security - Eliminates reliance on static, long-lived secrets, reducing the attack surface.
- Simplified Management - Centralizes identity verification, simplifying access control across diverse environments.
- Improved Auditability - Provides a clear audit trail of workload identities and access attempts.
- Zero-Trust Architecture - This approach verifies every workload access request before granting access, enabling a zero-trust model.