A JSON Web Token (JWT), defined by the open standard RFC 7519, is a compact and self-contained method for securely transmitting information as a JSON object between parties.

Aembit’s JWT Credential Provider currently supports Snowflake Key Pair Authentication for connecting to a Snowflake Server Workload. (In Aembit, Credential Providers obtain the specific access credentials, such as API keys, OAuth tokens, or temporary cloud credentials, that Client Workloads need to authenticate to Server Workloads; Server Workloads represent the target services, APIs, databases, or applications that receive and respond to access requests from Client Workloads.)

Before configuring a JWT Credential Provider in Aembit, ensure you have the following:

  • An active Aembit Tenant with appropriate permissions to create and manage Credential Providers. (Aembit Tenants are isolated, dedicated environments within Aembit that provide complete separation of administrative domains and security configurations.)
  • A Snowflake account with permissions to configure key pair authentication.

To configure a JSON Web Token (JWT) Credential Provider, follow these steps:

  1. Log into your Aembit Tenant and go to Credential Providers.

    Aembit directs you to the Credential Providers page displaying a list of existing Credential Providers.

    Credential Providers - Main Page Empty

  2. Click + New to open the Credential Providers dialog window.

    Credential Providers - Dialog Window Empty

  3. In the Credential Providers dialog window, enter the following information:

    • Name - Name of the Credential Provider.

    • Description - An optional text description of the Credential Provider.

    • Credential Type - Select JSON Web Token (JWT) from the dropdown menu.

    • Token Configuration - By default, this field is pre-selected as Snowflake Key Pair Authentication for connecting to Snowflake.

    • Snowflake Account ID - The Snowflake Locator, a unique identifier that distinguishes a Snowflake account within the organization.

    • Username - Your unique Snowflake username associated with the account.

    • Snowflake Alter User Command - After you save the Credential Provider, Aembit generates a SQL command in this field. The command registers a public key with your Snowflake account, which establishes trust between your Snowflake account and the JWT tokens issued by Aembit. Execute this command on your Snowflake account using a Snowflake-compatible tool.

    Credential Providers - Dialog Window Completed

  4. Click Save when finished. Aembit directs you back to the Credential Providers page, where you see your newly created Credential Provider.

    Credential Providers - Main Page With New Credential Provider
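As an added example (not Aembit's or Snowflake's code) of the trust the Snowflake Alter User Command establishes: the issuer signs a JWT whose iss claim embeds the SHA256 fingerprint of the public key registered with ALTER USER ... SET RSA_PUBLIC_KEY, and the verifier accepts the token only under that key, for that account and user, and before it expires. The claim layout (iss = ACCOUNT.USER.SHA256:<fingerprint>, sub = ACCOUNT.USER, lifetime at most one hour) follows Snowflake's key pair authentication format rather than anything on this page, and the function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"strings"
)
var b64url = base64.RawURLEncoding // JWTs use unpadded base64url (RFC 7515)
// NewKey generates the RSA key pair; the private half never leaves the issuer (Aembit here).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Fingerprint is "SHA256:<base64>" of the PKIX DER public key; ALTER USER registers that same DER.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.StdEncoding.EncodeToString(sum[:])
}

// Mint signs the claim set Snowflake key pair auth expects (RS256; lifetime must be <= 1h).
func Mint(account, user string, priv *rsa.PrivateKey, now int64) (string, error) {
	sub := strings.ToUpper(account) + "." + strings.ToUpper(user)
	body, _ := json.Marshal(map[string]any{"iss": sub + "." + Fingerprint(&priv.PublicKey),
		"sub": sub, "iat": now, "exp": now + 59*60})
	input := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." + b64url.EncodeToString(body) // header: base64url({"alg":"RS256","typ":"JWT"})
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64url.EncodeToString(sig), err
}

// Verify mirrors the server side: signature under the registered key first, then iss/sub binding, then expiry.
func Verify(token, account, user string, pub *rsa.PublicKey, now int64) bool {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return false
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, _ := b64url.DecodeString(p[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return false // never trust claims before the signature is proven
	}
	var c struct{ Iss, Sub string; Exp int64 }
	payload, _ := b64url.DecodeString(p[1])
	sub := strings.ToUpper(account) + "." + strings.ToUpper(user)
	return json.Unmarshal(payload, &c) == nil && c.Sub == sub &&
		c.Iss == sub+"."+Fingerprint(pub) && now < c.Exp
}
```

A token minted under one key pair fails Verify under any other public key, which is why only the key registered by the generated ALTER USER command can authenticate the mapped Snowflake user.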

Configure multiple JWT Credential Providers

To configure multiple JWT Credential Providers within a single Access Policy, follow these steps. Each Credential Provider must have a unique mapping value (username for Snowflake, or HTTP header/body value for HTTP workloads).

Before configuring multiple JWT Credential Providers, ensure you have:

  • An existing Access Policy with a Client Workload and Server Workload configured. (Client Workloads represent software applications, scripts, or automated processes that initiate access requests to Server Workloads, operating autonomously without direct user interaction.)
  • Server Workload Application Protocol set to Snowflake or HTTP
  • At least two JWT Credential Providers created (or ready to create)

Add multiple JWT Credential Providers to an Access Policy

  1. Create your first JWT Credential Provider by following the Credential Provider configuration procedure.

  2. Note the mapping value for this Credential Provider (Snowflake username or the HTTP header/body value you plan to use).

  3. Repeat the Credential Provider configuration steps to create additional JWT Credential Providers, each with a unique mapping value.

  4. Go to Access Policies and either create a new Access Policy or edit an existing one.

  5. In the Credential Providers column, hover over the + icon and select Existing to add your first JWT Credential Provider.

  6. Repeat to add additional JWT Credential Providers to the Access Policy.

  7. After adding Credential Providers, you see a box in the Credential Providers column showing the total number of Credential Providers and an “unmapped” indicator.

After adding multiple JWT Credential Providers to an Access Policy, map each Credential Provider to its selector value.

  1. On the Access Policy page, in the Credential Providers column, click the arrow to open the Credential Provider Mappings dialog window.

  2. For each Credential Provider with a red "!" icon (indicating no mapping), hover over the Credential Provider and click the down arrow to open the mapping menu.

    Credential Provider Mappings Dropdown

  3. Add the Snowflake usernames that should use this Credential Provider. When a connection request arrives with this username, Aembit uses this Credential Provider for credential injection.

  4. Click Save when you finish adding mapping values. The red "!" icon changes to a green checkbox.

  5. Repeat for each Credential Provider in the Access Policy.

  6. When all Credential Providers show “All Mapped”, click Save or Save & Activate to save your Access Policy.

To confirm your multiple JWT Credential Provider configuration works correctly:

  1. Make a request using one of your mapped values (Snowflake username or HTTP header/body value).

  2. Check the access authorization events in your Aembit Tenant to confirm:

    • Aembit selected the correct Credential Provider
    • The credentialProvider.name field matches your expected Credential Provider

  3. Make a request using a different mapped value and repeat to verify the second Credential Provider.