Changelog
Platform updates
Version history for the Aembit workload identity platform — control plane, proxy sidecar, and API.
Multi-cloud identity federation
A workload attested in AWS can now request tokens for GCP services and vice versa. Cross-cloud federation uses OIDC trust chains with configurable TTLs per cloud boundary.
- AWS OIDC provider ↔ GCP Workload Identity pool federation
- Azure Managed Identity as attestation source for cross-cloud tokens
- Per-federation audit trail with source/destination cloud labels
- Trust chain configuration via API or console
Proxy sidecar token refresh race condition
Fixed a race condition in the proxy sidecar where concurrent requests near token expiry could result in one request receiving an expired token. Tokens are now refreshed with a 30-second pre-expiry buffer.
- Token refresh now uses mutex-protected cache with pre-expiry proactive fetch
- Added AEMBIT_TOKEN_REFRESH_BUFFER_SECONDS env var (default: 30)
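The fix described above, as an added Python illustration rather than the sidecar's own code: a per-audience token cache whose check-then-refresh step runs under a single mutex, so callers that arrive inside the pre-expiry buffer share one fresh fetch instead of racing. The buffer is read from the AEMBIT_TOKEN_REFRESH_BUFFER_SECONDS variable named in the changelog; the Token type, the stand-in issuer and the simulate scenario are constructed for this example.

```python
import os
import threading
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    value: str
    expires_at: float  # epoch seconds

class TokenCache:
    """One cached token per audience; a token counts as stale once it is within
    `buffer` seconds of expiry. Check-then-refresh runs under one mutex, so callers
    arriving inside the buffer window trigger a single fetch and share its result."""

    def __init__(self, fetch, clock=time.time, buffer=None):
        self._fetch, self._clock, self._lock = fetch, clock, threading.Lock()
        self._tokens: dict[str, Token] = {}
        # Buffer falls back to the env var named in the changelog (default 30 s).
        env = os.environ.get("AEMBIT_TOKEN_REFRESH_BUFFER_SECONDS", "30")
        self.buffer = float(env if buffer is None else buffer)
        self.refreshes = 0

    def get(self, audience: str) -> Token:
        with self._lock:
            tok = self._tokens.get(audience)
            if tok is None or self._clock() >= tok.expires_at - self.buffer:
                tok = self._fetch(audience)          # proactive refresh
                self._tokens[audience] = tok
                self.refreshes += 1
            return tok

def simulate(n_callers: int = 8, ttl: float = 300.0) -> dict:
    """Constructed scenario: token issued at t=0 with a 5-minute TTL, then
    n_callers hit the cache concurrently 10 s before it expires."""
    now, serial = [0.0], [0]
    def fetch(audience: str) -> Token:           # stand-in for the control plane issuer
        serial[0] += 1
        return Token(f"{audience}-tok{serial[0]}", now[0] + ttl)
    cache = TokenCache(fetch, clock=lambda: now[0], buffer=30.0)
    first = cache.get("svc-a")                   # initial fetch at t=0
    now[0] = ttl - 10                            # inside the 30 s buffer
    results = []
    workers = [threading.Thread(target=lambda: results.append(cache.get("svc-a")))
               for _ in range(n_callers)]
    for w in workers: w.start()
    for w in workers: w.join()
    return {"refreshes": cache.refreshes, "distinct": len({r.value for r in results}),
            "rotated": all(r.value != first.value for r in results),
            "all_valid": all(r.expires_at - now[0] > cache.buffer for r in results)}
```

With the mutex, simulate() reports exactly two fetches (the initial one plus a single refresh) and every caller leaves with the same token that is still well outside the buffer.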
AI agent identity runtime support
LangChain and AutoGen agent executors can now request Aembit tokens directly via the local proxy, without any code change to the agent itself.
- Python SDK helper: aembit.get_token(audience=...)
- Automatic injection via HTTP_PROXY environment for agentic runtimes
- Scope restrictions: agents can be limited to specific target services
Policy-as-code via Open Policy Agent (OPA)
Credential issuance decisions can now be delegated to an OPA instance. Write Rego policies that evaluate workload claims, time-of-day, environment tags, and more.
- OPA bundle integration (pull from S3, GCS, or HTTP)
- Built-in policy templates for common RBAC patterns
- Policy evaluation latency added to audit log
SOC 2 Type II audit complete + compliance exports
Aembit has completed its SOC 2 Type II audit. Compliance report exports are now available to customers in the console's Security & Compliance section.
- SOC 2 Type II report available on request
- Exportable audit log in SIEM-compatible JSON format
- ISO 27001 alignment documentation added to docs
Control plane v2 — declarative API and CRD support
Full rewrite of the control plane API. WorkloadIdentity and CredentialPolicy are now Kubernetes CRDs, enabling GitOps-style workload identity management.
- WorkloadIdentity CRD with kubectl apply support
- CredentialPolicy CRD with OPA policy attachment
- Helm chart for control plane self-hosted option (Enterprise)
- Breaking: REST API v1 deprecated, EOL 2026-08-01
Serverless identity — Lambda Extension GA
The Aembit Lambda Extension is generally available, with zero cold-start penalty and under 5 ms of overhead per token issuance.
- Lambda Extension published to AWS Lambda Layers
- GCP Cloud Run sidecar container support
- Vercel Edge Runtime support (preview)
SVID replay attack prevention hardening
Implemented nonce binding for SVID-based attestation to prevent replay attacks. All SPIFFE SVID attestation now requires a server-issued nonce tied to the requesting workload's mTLS connection.
- SVID attestation nonce binding (mandatory from v1.7.2)
- Attestation replay window reduced from 60s to 15s
- Added CVE-2025-AEMBIT-001 advisory to security page