Trust Providers validate the identity of Client Workloads through a process called workload attestation. Instead of relying on pre-shared secrets such as API keys, passwords, or certificates, Trust Providers verify identity by consulting trusted systems in the workload’s runtime environment.
The core idea is simple but powerful: rather than asking, “What secret do you know?”, Trust Providers ask, “Can your environment vouch for who you are?” It’s similar to checking someone’s government-issued ID rather than taking their word for it.
You can think of Trust Providers as a kind of certificate authority for workloads—but instead of issuing certificates, they produce cryptographically verifiable claims about a workload’s environment. Aembit uses these claims to establish trust before granting access, reducing the risk of unauthorized workloads posing as trusted ones.
How Trust Providers work
The following steps outline how Trust Providers work in Aembit:
- Client Workload Request - A Client Workload (e.g., a microservice or application) attempts to access a Server Workload (e.g., a database or API).
- Workload Attestation - Aembit Edge gathers identity evidence from the Client Workload’s runtime environment.
- Evidence Submission - Aembit Edge submits this identity evidence to Aembit Cloud.
- Trust Provider Validation - Aembit Cloud uses a configured Trust Provider to validate the submitted evidence. The Trust Provider checks the evidence against its own records and policies to confirm the workload’s identity.
- Identity Confirmation - If the Trust Provider validates the evidence, Aembit Cloud confirms the Client Workload’s identity.
- Access Policy Evaluation - With the workload’s identity established, Aembit Cloud evaluates the remaining components of the Access Policy.
At this point in the process, Aembit continues to evaluate the Access Policy, which may include additional Access Conditions, such as checking the workload’s attributes, permissions, or other contextual information.
The following diagram illustrates this process:
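To make the flow concrete, here is an added, self-contained model of the steps above. It is illustrative code written for this page, not Aembit Edge or Aembit Cloud code: the names `EnvironmentAuthority`, `TrustProvider` and `evaluate_access`, the claim names, the key and the sample workloads are all constructed. Real platforms sign attestation documents with a private key that the Trust Provider checks with the matching public key; to keep the example dependency-free, an HMAC over canonical JSON stands in for that signature (an assumption of this example only). The point it demonstrates is the order of checks: the environment's signature, freshness, and the configured match rules establish identity first, and only then are Access Conditions evaluated.

```python
"""
Illustrative model of workload attestation via a Trust Provider.
Added example, not Aembit code. EnvironmentAuthority, TrustProvider,
evaluate_access and all sample values are hypothetical/constructed.
An HMAC stands in for the platform's asymmetric signature (assumption).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def _canonical(claims: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class EnvironmentAuthority:
    """Stands in for the runtime platform (cloud metadata service, orchestrator)
    that can vouch for a workload. Only it holds the signing key."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self._key = key

    def issue_evidence(self, claims: dict, now: int, ttl: int = 300) -> dict:
        body = {**claims, "iss": self.issuer, "iat": now, "exp": now + ttl}
        sig = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {"claims": body, "sig": sig}


@dataclass
class TrustProvider:
    """Configured verification material plus the claims a workload must present."""
    issuer: str
    verification_key: bytes
    match_rules: dict  # claim name -> required value

    def validate(self, evidence: dict, now: int) -> tuple:
        claims = evidence.get("claims", {})
        # 1. Signature: was this evidence really produced by the trusted environment?
        expected = hmac.new(self.verification_key, _canonical(claims),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence.get("sig", "")):
            return False, "signature mismatch"
        # 2. Issuer and freshness: old evidence must not be replayed later.
        if claims.get("iss") != self.issuer:
            return False, "unexpected issuer"
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return False, "evidence expired or not yet valid"
        # 3. Match rules: the environment vouches for this specific workload.
        for name, required in self.match_rules.items():
            if claims.get(name) != required:
                return False, f"claim {name!r} does not match"
        return True, "identity confirmed"


def evaluate_access(evidence: dict, provider: TrustProvider, policy: dict, now: int) -> dict:
    """Identity confirmation first; Access Conditions only once identity is established."""
    ok, reason = provider.validate(evidence, now)
    if not ok:
        return {"granted": False, "stage": "trust_provider", "reason": reason}
    # Example Access Condition: the workload must run in an allowed region.
    region = evidence["claims"].get("region")
    if region not in policy["allowed_regions"]:
        return {"granted": False, "stage": "access_condition",
                "reason": f"region {region!r} not allowed"}
    return {"granted": True, "stage": "access_policy", "reason": "all conditions met"}


# --- Constructed sample data (not real identifiers or keys) ---
NOW = 1_700_000_000
PLATFORM_KEY = b"constructed-platform-signing-key"
platform = EnvironmentAuthority("example-cloud", PLATFORM_KEY)
provider = TrustProvider("example-cloud", PLATFORM_KEY, {"account_id": "111122223333"})
POLICY = {"allowed_regions": {"us-east-1"}}

GOOD = platform.issue_evidence(
    {"account_id": "111122223333", "workload": "orders-svc", "region": "us-east-1"}, NOW)
WRONG_ACCOUNT = platform.issue_evidence(
    {"account_id": "999999999999", "workload": "orders-svc", "region": "us-east-1"}, NOW)
BAD_REGION = platform.issue_evidence(
    {"account_id": "111122223333", "workload": "orders-svc", "region": "eu-west-1"}, NOW)
# Forged: the right claims, but no platform key behind the signature.
FORGED = {"claims": {**GOOD["claims"]}, "sig": "00" * 32}
# Tampered: a genuine signature, but the claims were edited after issuance.
TAMPERED = {"claims": {**WRONG_ACCOUNT["claims"], "account_id": "111122223333"},
            "sig": WRONG_ACCOUNT["sig"]}

if __name__ == "__main__":
    cases = [("good", GOOD, NOW), ("wrong account", WRONG_ACCOUNT, NOW),
             ("bad region", BAD_REGION, NOW), ("forged", FORGED, NOW),
             ("tampered", TAMPERED, NOW), ("expired", GOOD, NOW + 600)]
    for label, ev, t in cases:
        print(f"{label:14} -> {evaluate_access(ev, provider, POLICY, t)}")
```

Run it directly to see each case: only the correctly signed, fresh evidence whose claims match the Trust Provider's rules reaches the Access Condition stage, and a forged or tampered document fails at the signature check before any claim is read. The match rules are what turn "the environment signed something" into "the environment vouches for this workload".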
Supported environments
Aembit integrates with a variety of Trust Providers to support workload attestation across different environments, including:
- Cloud Providers
- Container Orchestration
- CI/CD Platforms
- On-Premises
Benefits of using trust providers
- Enhanced Security - Eliminates reliance on static, long-lived secrets, reducing the attack surface.
- Simplified Management - Centralizes identity verification, simplifying access control across diverse environments.
- Improved Auditability - Provides a clear audit trail of workload identities and access attempts.
- Zero-Trust Architecture - Verifies every workload access request before granting access, enabling a zero-trust model.