Client Workload identification is an initial step to recognize the specific software application, script, or automated process that initiates an access request to a Server Workload. This identification is critical because it’s a prerequisite for matching the request to the correct Access Policy and invoking the appropriate Trust Provider for identity attestation. Accurate identification is essential for enforcing the principle of least privilege and preventing misidentification which could lead to security vulnerabilities.
Aembit addresses the need for accurate identification across diverse and heterogeneous environments by offering a variety of methods tailored to different deployment contexts. These methods leverage native identity constructs and environmental evidence available in those platforms.
Examples of Aembit Client Workload identification methods include:
- Kubernetes - Using the Pod Name Prefix, the exact Pod Name, or the Kubernetes Service Account under which the container runs.
- Cloud Platforms (AWS, Azure) - Using Instance Metadata Attributes (like instance ID or tags), AWS IAM Role ARN, Azure Subscription ID, or Azure VM ID.
- CI/CD Systems (GitHub Actions, GitLab Jobs) - Inspecting claims within ephemeral OpenID Connect (OIDC) tokens, such as repository name, subject, namespace path, or project path.
- Serverless Platforms (AWS Lambda) - Using the unique AWS Lambda Function ARN.
- Virtual Machines (VMs) - Identifying by Hostname, Process Name, or both.
- Aembit Native - A unique Aembit Client ID that Aembit assigns for scenarios where other identifiers won’t work.
Aembit supports configuring multiple identifiers for a single Client Workload definition, to increase its uniqueness when identifying your Client Workloads.
Available Client Workload identification methods
Section titled “Available Client Workload identification methods”Aembit supports a variety of identification methods for Client Workloads, allowing you to choose the most suitable one based on your deployment environment and requirements. Each method provides a unique way to identify workloads, making sure that Aembit applies your Policies accurately.
These methods include identifiers based on cloud provider resources, Kubernetes configurations, and more. The choice of identifier can depend on the specific characteristics of your workloads and the environments in which they operate.
The following sections are the different identification methods available:
Generic Client Workload Identifiers
Section titled “Generic Client Workload Identifiers”
Aembit Client ID Identify workloads by their Aembit Client ID.
→
Hostname Identify workloads by their hostname.
→
Process Name Identify workloads by their process name.
→
Process User Name Identify workloads by their process user name.
→
Source IP Address Identify workloads by their source IP address.
→
AWS Client Workload Identifiers
Section titled “AWS Client Workload Identifiers”
AWS Account ID Identify workloads by their AWS Account ID.
→
AWS EC2 Instance ID Identify workloads by their AWS EC2 Instance ID.
→
AWS ECS Task Family Identify workloads by their AWS ECS Task Family.
→
AWS ECS Service Name Identify workloads by their AWS ECS Service Name.
→
AWS Lambda ARN Identify workloads by their AWS Lambda ARN.
→
AWS Region Identify workloads by their AWS Region.
→
Azure Client Workload Identifiers
Section titled “Azure Client Workload Identifiers”
Azure Subscription ID Identify workloads by their Azure Subscription ID.
→
Azure VM ID Identify workloads by their Azure VM ID.
→
GCP Client Workload Identifiers
Section titled “GCP Client Workload Identifiers”
GCP Identity Token Identify workloads by their GCP Identity Token email.
→
GitHub Client Workload Identifiers
Section titled “GitHub Client Workload Identifiers”
GitHub ID Token Repository Identify workloads by their GitHub ID Token Repository.
→
GitHub ID Token Subject Identify workloads by their GitHub ID Token Subject.
→
GitLab Client Workload Identifiers
Section titled “GitLab Client Workload Identifiers”
GitLab ID Token Namespace Path Identify workloads by their GitLab ID Token Namespace Path.
→
GitLab ID Token Project Path Identify workloads by their GitLab ID Token Project Path.
→
GitLab ID Token Ref Path Identify workloads by their GitLab ID Token Ref Path.
→
GitLab ID Token Subject Identify workloads by their GitLab ID Token Subject.
→
Kubernetes Client Workload Identifiers
Section titled “Kubernetes Client Workload Identifiers”
Kubernetes Namespace Identify workloads by their Kubernetes Namespace.
→
Kubernetes Pod Name Prefix Identify workloads by their Kubernetes Pod Name Prefix.
→
Kubernetes Pod Name Identify workloads by their Kubernetes Pod Name.
→
Kubernetes Service Account Name Identify workloads by their Kubernetes Service Account Name.
→
Kubernetes Service Account UID Identify workloads by their Kubernetes Service Account UID.
→
Terraform Cloud
Section titled “Terraform Cloud”
Terraform Cloud ID Token Organization ID Identify workloads by Terraform Cloud ID Token Organization ID.
→
Terraform Cloud ID Token Project ID Identify workloads by Terraform Cloud ID Token Project ID.
→
Terraform Cloud ID Token Workspace ID Identify workloads by Terraform Cloud ID Token Workspace ID.
→