Private Network Access (PNA) allows Aembit to retrieve credentials from secrets managers in your private network. This includes secrets managers accessible only within an AWS Virtual Private Cloud (VPC) or Azure Virtual Network.
By default, Aembit Cloud connects directly to external secrets managers (like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault) to retrieve credentials on behalf of your workloads. However, if you restrict your secrets manager to a private network, Aembit Cloud can’t reach it.
With PNA, credential retrieval happens through your Aembit Edge component (Aembit CLI or Agent Proxy) instead of Aembit Cloud. This allows you to keep your secrets manager in a private network while still using Aembit for workload identity and access management.
When to use Private Network Access
Enable PNA when:
- Your secrets manager endpoint is only reachable from within a private network or VPC endpoint
- You don’t want to maintain IP allowlists for Aembit Cloud in your cloud environment
- You want all access to your secrets manager to originate from your own infrastructure
How it works
When you enable PNA for a Credential Provider:
- Aembit Cloud instructs your Edge component to retrieve the credential using the integration you configured.
- The Edge component accesses the secrets manager from your private network and reads the secret.
- Aembit receives the secret value and injects it into your Server Workloads according to your Access Policies.
Enabling PNA only affects where Aembit retrieves credentials from (Aembit Cloud vs. your Edge component). It doesn’t change how Aembit delivers credentials to your Server Workloads—your Access Policies and Server Workload configuration still control that behavior.
Requirements
PNA requires:
- An Aembit Edge component (Aembit CLI or Agent Proxy) running in your private network
- Network connectivity from the Edge component to your secrets manager
- The same integration and permissions you would use without PNA
Agent Proxy version requirements
| Credential Provider | Minimum Version | Recommended Version | Notes |
|---|---|---|---|
| HashiCorp Vault Client Token | Agent Proxy 1.20 | Agent Proxy 1.20+ | Initial and current PNA behavior are the same. When you enable PNA, all Vault access for this provider runs through your Edge component. |
| AWS Secrets Manager Value | Agent Proxy 1.25 | Agent Proxy 1.27+ | Agent Proxy 1.25 adds basic PNA support so your Edge component can retrieve secrets. Use Agent Proxy 1.27+ for full PNA support, where your Edge component handles all AWS access for this Credential Provider. |
| Azure Key Vault Value | Agent Proxy 1.26 | Agent Proxy 1.26+ | Private Network Access for Azure Key Vault requires Agent Proxy 1.26 or later. When you enable PNA, your Edge component handles all Key Vault access for this provider. |
Supported Credential Providers
The following Credential Providers support PNA:
| Credential Provider | PNA Support | Limitations |
|---|---|---|
| HashiCorp Vault Client Token | Supported | None |
| AWS Secrets Manager Value | Supported | HTTP Basic Auth with Username/Password not supported |
| Azure Key Vault Value | Supported | None |
Troubleshooting
If credential retrieval fails with PNA enabled:
- Check network connectivity: Confirm the host running the Aembit CLI or Agent Proxy can reach your secrets manager endpoint (check DNS resolution, firewall rules, and VPC peering/endpoints)
- Verify permissions: Confirm the integration’s identity (IAM role, service principal, or Vault token) has permission to read the specified secret
- Check secret format: Ensure the secret data format matches your selected Credential Value Type
For provider-specific troubleshooting, see the individual Credential Provider documentation in the preceding section.