Skip to content
DOCS
User Guide CLI Guide API Guide

Create an Access Policy

This guide walks you through creating an Access Policy: Access Policies define, enforce, and audit access between Client and Server Workloads by cryptographically verifying workload identity and contextual factors rather than relying on static secrets.Learn more using the Access Policy Builder. The example creates an AWS cloud-native policy that allows EC2 instances in Washington State to access AWS S3 buckets.

Prerequisites

Section titled “Prerequisites”
  • Access to the Aembit Admin UI
  • Appropriate permissions to create Access Policies and their components

Open the Access Policy Builder

Section titled “Open the Access Policy Builder”

  1. In the Aembit Admin UI, select Access Policies from the left sidebar.

    Access Policies list page showing the main navigation and policy table

  2. Click + New to open the Access Policy Builder.

    Access Policy Builder initial view with card-based navigation and configuration panel

The Access Policy Builder displays a card-based navigation in the left panel with the following components:

  • Access Policy (Required) - Policy name and metadata
  • Client Workload: Client Workloads represent software applications, scripts, or automated processes that initiate access requests to Server Workloads, operating autonomously without direct user interaction.Learn more (Required) - The application requesting access
  • Server Workload: Server Workloads represent target services, APIs, databases, or applications that receive and respond to access requests from Client Workloads.Learn more (Required) - The service being accessed
  • Trust Provider: Trust Providers validate Client Workload identities through workload attestation, verifying identity claims from the workload's runtime environment rather than relying on pre-shared secrets.Learn more (Recommended) - Identity verification method
  • Access Condition: Access Conditions add dynamic, context-aware constraints to authorization by evaluating circumstances like time, location, or security posture to determine whether to grant access.Learn more (Recommended) - Additional access constraints
  • Credential Provider: Credential Providers obtain the specific access credentials—such as API keys, OAuth tokens, or temporary cloud credentials—that Client Workloads need to authenticate to Server Workloads.Learn more (Optional) - How credentials are obtained

Change the requirement of each Access Policy component based on your organization’s compliance needs, using Global Policy Compliance.

Configure the Access Policy details

Section titled “Configure the Access Policy details”

The Access Policy Details panel displays by default when you open the builder.

  1. In the Access Policy Name field, enter a name for your Access Policy.

  2. (Optional) In the Description field, add a description to help identify the policy’s purpose.

  3. (Optional) In the Tags section, click + New Tag to add tags for organization.

    Access Policy details panel with name, description, and tags fields

Add a Client Workload

Section titled “Add a Client Workload”

Click the Client Workload card in the left panel to configure the client application.

Each component in the Access Policy Builder offers two options:

  • Add New - Create a new component directly within the builder. The component saves to your tenant and associates with this policy.
  • Select Existing - Choose from components you’ve already created. This lets you reuse components across multiple policies.

For detailed information about Client Workload configuration options and identification types, see Client Workloads.

To create a new Client Workload:

  1. Select the Add New tab if not already selected.

    Client Workload Add New form with name and identification fields

  2. In the Name field, enter a name for the Client Workload.

  3. (Optional) In the Description field, add context about the workload.

  4. From the Client Identification dropdown, select an identification type. For AWS EC2 instances, select AWS EC2 Instance Id.

    Client Identification dropdown showing available identification types

  5. In the Value field, enter the identification value (for example, i-0abc123def456789).

  6. (Optional) Click + Additional Client Identifier to add more identifiers.

  7. Click Save to add the Client Workload to the policy.

    Client Workload configured and ready to save

Add a Server Workload

Section titled “Add a Server Workload”

Click the Server Workload card in the left panel to configure the target service.

For detailed information about Server Workload configuration options, protocols, and authentication methods, see Server Workloads.

To create a new Server Workload:

  1. Select the Add New tab if not already selected.

    Server Workload Add New form with service endpoint fields

  2. In the Name field, enter a name for the Server Workload (for example, AWS S3 Storage Bucket).

  3. (Optional) In the Description field, add context about the workload.

  4. In the Service Endpoint section, configure the connection details:

    • Host: Enter the service hostname (for example, s3.us-west-2.amazonaws.com).
    • Application Protocol: Select the protocol (for example, HTTP).
    • Transport Protocol: Select TCP (default).
    • Port: Enter the port number (for example, 443). This field auto-populates based on the selected protocol.
    • TLS: Select this checkbox for secure connections.
    • Forward to Port: (Optional) Enter the destination port if different from the incoming port.

  5. (Optional) From the Authentication Method dropdown, select an authentication method if the server requires it.

  6. Click Save to add the Server Workload to the policy.

    Server Workload configured with endpoint and authentication settings

Add a Trust Provider

Section titled “Add a Trust Provider”

Click the Trust Providers card in the left panel to configure identity verification.

For detailed information about Trust Provider types and match rule configuration, see Trust Providers.

To create a new Trust Provider:

  1. Select the Add New tab if not already selected.

    Trust Provider Add New form with provider type selection

  2. In the Name field, enter a name for the Trust Provider.

  3. (Optional) In the Description field, add context about the provider.

  4. From the Trust Provider dropdown, select a provider type:

    • AWS Metadata Service - For AWS EC2 instance identity verification
    • AWS Role - For AWS Identity and Access Management (IAM) role-based trust
    • Azure Metadata Service - For Azure Virtual Machine (VM) identity
    • GCP Identity Token - For Google Cloud Platform (GCP) identity
    • GitHub Action ID Token - For GitHub Actions workflows
    • GitLab Job ID Token - For GitLab CI/CD pipelines
    • Kubernetes Service Account - For Kubernetes workload identity
    • OIDC ID Token - For generic OpenID Connect (OIDC) providers

  5. Configure the type-specific settings. For most provider types, configure Match Rules to specify which identity claims to verify.

  6. Click Save to add the Trust Provider to the policy.

    Trust Provider configured with match rules

To add multiple Trust Providers, click + Add Another after saving the first one. This opens a menu where you can select Add New to create another provider or Select Existing to choose from existing providers.

Add Another menu for adding multiple Trust Providers

Policy with multiple Trust Providers configured

Add Access Conditions (optional)

Section titled “Add Access Conditions (optional)”

Click the Access Conditions card in the left panel to add optional access constraints. Access Conditions provide additional security by restricting access based on factors like geographic location or time of day.

For detailed information about Access Condition types and integration options, see Access Conditions.

To create a new Access Condition:

  1. Select the Add New tab if not already selected.

    Access Condition Add New form with integration selection

  2. In the Display Name field, enter a name for the Access Condition (for example, Washington State Location).

  3. (Optional) In the Description field, add context about the condition.

  4. From the Integration dropdown, select a condition type:

    • Aembit GeoIP Condition - Restrict access based on geographic location
    • Aembit Time Condition - Restrict access based on time windows
    • Other third-party integrations as configured in your tenant

  5. Configure the integration-specific settings. For GeoIP conditions:

    • Click Add Country to add a location rule.
    • From the Country dropdown, select a country (for example, United States of America).
    • (Optional) From the Subdivision dropdown, select a specific state or region (for example, Washington).

  6. Click Save to add the Access Condition to the policy.

    Access Condition configured with geographic restrictions

Add a Credential Provider

Section titled “Add a Credential Provider”

Click the Credential Provider card in the left panel to configure how the policy obtains credentials for accessing the Server Workload.

For detailed information about Credential Provider types and configuration options, see Credential Providers.

To create a new Credential Provider:

  1. Select the Add New tab if not already selected.

    Credential Provider Add New form with credential type selection

  2. In the Name field, enter a name for the Credential Provider (for example, AWS S3 Access Credential).

  3. (Optional) In the Description field, add context about the credential.

  4. From the Credential Type dropdown, select a credential type:

    Credential Type dropdown showing available credential types

    • Aembit Access Token - For Aembit-native authentication
    • API Key - For static API key credentials
    • AWS Secrets Manager Value - For credentials stored in AWS Secrets Manager
    • AWS Security Token Service Federation - For AWS STS AssumeRole credentials
    • Azure Entra Identity Federation - For Azure identity federation
    • Azure Key Vault Secret Value - For credentials stored in Azure Key Vault
    • Google Workload Identity Federation - For GCP identity federation
    • OAuth 2.0 Client Credentials - For OAuth client credentials flow

  5. Configure the type-specific settings. For AWS Security Token Service Federation:

    • OIDC Issuer URL: Auto-populated with your tenant’s identity URL.
    • AWS IAM Role Arn: Enter the Amazon Resource Name (ARN) of the IAM role to assume (for example, arn:aws:iam::123456789012:role/AembitS3AccessRole).
    • Aembit IdP Token Audience: The Identity Provider (IdP) token audience, auto-populated with sts.amazonaws.com.
    • Lifetime: Set the credential lifetime in seconds (default: 3600).

  6. Click Save to add the Credential Provider to the policy.

    Credential Provider configured with AWS STS settings

Save the Access Policy

Section titled “Save the Access Policy”

After configuring all required components, you can save the Access Policy.

  1. Review the left panel to verify all required components are configured. Hover over or select each compliance item card to see a green checkmark indicating the component is configured:

    • Access Policy (name configured)
    • Client Workload
    • Server Workload
    • Trust Providers
    • Credential Provider

    All components configured with green checkmarks

  2. Click Save Policy in the header bar to create the Access Policy.

    Access Policy created successfully

  3. (Optional) To activate the policy immediately, enable the Active toggle.

    Access Policy activated with Active toggle enabled

The Access Policy now governs access from the configured Client Workload to the Server Workload based on the Trust Provider verification, Access Conditions, and Credential Provider settings.