Aembit API
Overview
Aembit is a Workload Identity and Access Management (Workload IAM) platform for managing access between workloads. The Aembit API lets client workloads, such as CI/CD tools, authenticate to and interact with Aembit without relying on long-lived secrets. This secret-less authentication is achieved through workload attestation via a Trust Provider. By configuring Client Workloads with the appropriate trust and credential components, Aembit provides role-based access to your tenant's API resources.
Below is the Aembit configuration required to expose the Aembit service itself as a Server Workload that Client Workloads reach through the REST API.
Before proceeding with the configuration, make sure you have configured your Aembit tenant.
For more detailed information on how to use the Aembit API, refer to the official Aembit documentation.
Credential Provider Configuration
- Create a new Credential Provider.
- Name - Choose a user-friendly name.
- Credential Type - Aembit Access Token
- Audience - Auto-generated by Aembit. This is a tenant-specific server hostname used for authentication and connectivity with the Aembit API. Copy this value; it is used as the host in the Server Workload configuration that follows.
- Role - Choose a role whose permissions match what the Client Workload needs. Follow the principle of least privilege and assign only the permissions required for the task; if no built-in role fits, create a custom role.
- Lifetime - Specify how long each generated access token remains valid. Shorter lifetimes limit the window in which a leaked token can be used.
Server Workload Configuration
- Create a new Server Workload.
- Name - Choose a user-friendly name.
- Configure the service endpoint:
- Host - Enter the previously copied audience value.
- Application Protocol - HTTP
- Port - 443 with TLS
- Forward to Port - 443 with TLS
- Authentication method - HTTP Authentication
- Authentication scheme - Bearer
Access Policy
This page covers the Server Workload and Credential Provider configuration specific to this type of Server Workload. To complete the setup, create an Access Policy that allows a Client Workload to access the Aembit Server Workload, and associate the policy with the Credential Provider, a Trust Provider, and any optional Access Conditions.
Client Workload Configuration
With the Access Policy in place, Aembit supplies the credentials required to access the Aembit API as a Server Workload, so you no longer manage them in the Client Workload. Remove any previously used credentials from the Client Workload so that no long-lived secret remains alongside the attested identity.
Required Features
- The TLS Decrypt feature is required if the Client Workload reaches the Aembit API through the Agent Proxy: the Server Workload is served over TLS on port 443, and the proxy can only insert the Authorization: Bearer header into the request after decrypting the client's TLS session.