Platform updates

Version history for the Aembit workload identity platform — control plane, proxy sidecar, and API.

v2.4.0

Multi-cloud identity federation

A workload attested in AWS can now request tokens for GCP services and vice versa. Cross-cloud federation uses OIDC trust chains with configurable TTLs per cloud boundary.

  • AWS OIDC provider ↔ GCP Workload Identity pool federation
  • Azure Managed Identity as attestation source for cross-cloud tokens
  • Per-federation audit trail with source/destination cloud labels
  • Trust chain configuration via API or console

v2.3.1 Fix

Proxy sidecar token refresh race condition

Fixed a race condition in the proxy sidecar where concurrent requests near token expiry could result in one request receiving an expired token. Tokens are now refreshed with a 30-second pre-expiry buffer.

  • Token refresh now uses mutex-protected cache with pre-expiry proactive fetch
  • Added AEMBIT_TOKEN_REFRESH_BUFFER_SECONDS env var (default: 30)
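The race described above is easier to reason about with the two cache strategies side by side. The following is an added illustration, not the proxy sidecar's own code: a naive cache that only refreshes once its token has already expired (and takes no lock) next to a mutex-protected cache that refreshes inside a pre-expiry buffer. The issuer, the 300-second token lifetime, the manual clock and the 10-second upstream latency are all constructed for the example; the 30-second buffer is the documented default.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not Aembit's sidecar code. Contrasts a naive token cache with a
# mutex-protected cache that refreshes DEFAULT_REFRESH_BUFFER seconds before expiry.

DEFAULT_REFRESH_BUFFER = 30.0  # seconds; same default as AEMBIT_TOKEN_REFRESH_BUFFER_SECONDS


@dataclass(frozen=True)
class Token:
    value: str
    expires_at: float  # epoch seconds


class ManualClock:
    """Constructed clock so the scenario is deterministic (no sleeping)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class FakeIssuer:
    """Constructed stand-in for the control plane: issues fixed-lifetime tokens."""

    def __init__(self, clock: Callable[[], float], lifetime: float = 300.0) -> None:
        self._clock, self._lifetime, self.issued = clock, lifetime, 0

    def issue(self) -> Token:
        self.issued += 1
        return Token(f"tok-{self.issued}", self._clock() + self._lifetime)


class NaiveTokenCache:
    """Pre-fix behaviour: refresh only once the cached token has already expired, no lock."""

    def __init__(self, issuer: FakeIssuer, clock: Callable[[], float]) -> None:
        self._issuer, self._clock = issuer, clock
        self._token: Optional[Token] = None

    def get(self) -> Token:
        if self._token is None or self._clock() >= self._token.expires_at:
            self._token = self._issuer.issue()
        return self._token


class BufferedTokenCache:
    """Fixed behaviour: mutex-protected cache that refreshes inside the pre-expiry buffer."""

    def __init__(self, issuer: FakeIssuer, clock: Callable[[], float],
                 buffer_seconds: float = DEFAULT_REFRESH_BUFFER) -> None:
        self._issuer, self._clock, self._buffer = issuer, clock, buffer_seconds
        self._lock = threading.Lock()
        self._token: Optional[Token] = None

    def get(self) -> Token:
        with self._lock:  # one refresh at a time; waiting requests receive the fresh token
            if self._token is None or self._clock() >= self._token.expires_at - self._buffer:
                self._token = self._issuer.issue()
            return self._token


def valid_on_arrival(token: Token, arrival_time: float) -> bool:
    """True if the upstream service would still accept the token when it arrives."""
    return arrival_time < token.expires_at


def run_scenario(request_time: float = 295.0, upstream_latency: float = 10.0,
                 concurrent_requests: int = 50) -> Dict[str, object]:
    """Token issued at t=0 with a 300 s lifetime; a burst of requests is served at
    request_time and reaches the upstream service upstream_latency seconds later."""
    results: Dict[str, object] = {}
    for name, cache_cls in (("naive", NaiveTokenCache), ("buffered", BufferedTokenCache)):
        clock = ManualClock(0.0)
        issuer = FakeIssuer(clock)
        cache = cache_cls(issuer, clock)
        cache.get()  # warm the cache at t=0
        clock.now = request_time
        tokens: List[Token] = []
        threads = [threading.Thread(target=lambda: tokens.append(cache.get()))
                   for _ in range(concurrent_requests)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        results[f"{name}_all_valid"] = all(
            valid_on_arrival(tok, request_time + upstream_latency) for tok in tokens)
        results[f"{name}_issued"] = issuer.issued  # how many control-plane round trips
    return results


if __name__ == "__main__":
    print(run_scenario())
```

At t=295 the naive cache still considers its token fresh, so every request in the burst carries a token that expires at t=300 and is dead by the time it reaches the upstream service. The buffered cache crosses the 270-second refresh threshold, fetches exactly once under the lock, and hands the same fresh token to all fifty concurrent callers.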

v2.3.0

AI agent identity runtime support

LangChain and AutoGen agent executors can now request Aembit tokens directly via the local proxy, without any code change to the agent itself.

  • Python SDK helper: aembit.get_token(audience=...)
  • Automatic injection via HTTP_PROXY environment for agentic runtimes
  • Scope restrictions: agents can be limited to specific target services

v2.2.0

Policy-as-code via Open Policy Agent (OPA)

Credential issuance decisions can now be delegated to an OPA instance. Write Rego policies that evaluate workload claims, time-of-day, environment tags, and more.

  • OPA bundle integration (pull from S3, GCS, or HTTP)
  • Built-in policy templates for common RBAC patterns
  • Policy evaluation latency added to audit log

v2.1.0

SOC 2 Type II audit complete + compliance exports

Aembit has completed its SOC 2 Type II audit. Compliance report exports are now available to customers in the Security & Compliance section of the console.

  • SOC 2 Type II report available on request
  • Exportable audit log in SIEM-compatible JSON format
  • ISO 27001 alignment documentation added to docs

v2.0.0

Control plane v2 — declarative API and CRD support

Full rewrite of the control plane API. WorkloadIdentity and CredentialPolicy are now Kubernetes CRDs, enabling GitOps-style workload identity management.

  • WorkloadIdentity CRD with kubectl apply support
  • CredentialPolicy CRD with OPA policy attachment
  • Helm chart for control plane self-hosted option (Enterprise)
  • Breaking: REST API v1 deprecated, EOL 2026-08-01

v1.8.0

Serverless identity — Lambda Extension GA

The Aembit Lambda Extension is now generally available, with zero cold-start penalty and under 5ms overhead per token issuance.

  • Lambda Extension published to AWS Lambda Layers
  • GCP Cloud Run sidecar container support
  • Vercel Edge Runtime support (preview)

v1.7.2 Security

SVID replay attack prevention hardening

Implemented nonce binding for SVID-based attestation to prevent replay attacks. All SPIFFE SVID attestation now requires a server-issued nonce tied to the requesting workload's mTLS connection.

  • SVID attestation nonce binding (mandatory from v1.7.2)
  • Attestation replay window reduced from 60s to 15s
  • Added CVE-2025-AEMBIT-001 advisory to security page
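The verification logic behind nonce binding, as an added example that is not Aembit's or SPIFFE's implementation: the server issues a single-use nonce bound to the connection it was requested over, and accepts an attestation only if the workload's proof covers that nonce and that connection and arrives within the replay window. The proof is an HMAC over the message, a constructed stand-in for a real SVID signature; the SPIFFE ID, key, connection identifiers and manual clock are likewise constructed. The 15-second window is the value stated above.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

# Added example of server-side nonce binding for SVID attestation; not Aembit's
# or SPIFFE's code. The HMAC proof stands in for a real SVID signature.

REPLAY_WINDOW_SECONDS = 15.0  # attestation replay window introduced in v1.7.2


def workload_proof(svid_key: bytes, svid_id: str, nonce: str, connection_id: str) -> str:
    """Proof the workload returns: binds its SVID, the nonce and the mTLS connection together."""
    msg = f"{svid_id}|{nonce}|{connection_id}".encode()
    return hmac.new(svid_key, msg, hashlib.sha256).hexdigest()


class AttestationVerifier:
    def __init__(self, clock: Callable[[], float], window: float = REPLAY_WINDOW_SECONDS) -> None:
        self._clock, self._window = clock, window
        self._pending: Dict[str, Tuple[str, float]] = {}  # nonce -> (connection_id, issued_at)
        self._keys: Dict[str, bytes] = {}  # svid_id -> key; stand-in for the trust bundle

    def register_svid(self, svid_id: str, key: bytes) -> None:
        self._keys[svid_id] = key

    def issue_nonce(self, connection_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (connection_id, self._clock())
        return nonce

    def verify(self, connection_id: str, svid_id: str, nonce: str, proof: str) -> str:
        entry = self._pending.pop(nonce, None)  # single use: a replayed nonce is already gone
        if entry is None:
            return "rejected: unknown or already used nonce"
        bound_connection, issued_at = entry
        if bound_connection != connection_id:
            return "rejected: nonce bound to a different connection"
        if self._clock() - issued_at > self._window:
            return "rejected: nonce outside replay window"
        key = self._keys.get(svid_id)
        if key is None:
            return "rejected: unknown SVID"
        expected = workload_proof(key, svid_id, nonce, connection_id)
        if not hmac.compare_digest(expected, proof):
            return "rejected: proof does not match SVID"
        return "accepted"


def run_attestation_checks() -> Dict[str, str]:
    """Honest exchange plus the replay variants the nonce binding is meant to stop."""
    now = [1000.0]  # constructed manual clock
    verifier = AttestationVerifier(clock=lambda: now[0])
    key = secrets.token_bytes(32)
    svid = "spiffe://example.org/payments/api"  # constructed SPIFFE ID
    verifier.register_svid(svid, key)
    out: Dict[str, str] = {}

    # 1. Honest attestation over connection A.
    nonce = verifier.issue_nonce("conn-A")
    proof = workload_proof(key, svid, nonce, "conn-A")
    out["honest"] = verifier.verify("conn-A", svid, nonce, proof)

    # 2. The identical message presented a second time: the nonce was consumed.
    out["replayed_message"] = verifier.verify("conn-A", svid, nonce, proof)

    # 3. A nonce issued for connection A, with a valid proof, presented over connection B.
    #    Rejected, and the nonce is consumed, so connection A must request a fresh one.
    nonce_a2 = verifier.issue_nonce("conn-A")
    proof_a2 = workload_proof(key, svid, nonce_a2, "conn-A")
    out["other_connection"] = verifier.verify("conn-B", svid, nonce_a2, proof_a2)

    # 4. Honest proof that arrives after the replay window has closed.
    nonce_late = verifier.issue_nonce("conn-A")
    proof_late = workload_proof(key, svid, nonce_late, "conn-A")
    now[0] += REPLAY_WINDOW_SECONDS + 1.0
    out["stale"] = verifier.verify("conn-A", svid, nonce_late, proof_late)

    # 5. Fresh nonce, but the proof was made with a key that does not belong to the SVID.
    nonce_bad = verifier.issue_nonce("conn-A")
    proof_bad = workload_proof(secrets.token_bytes(32), svid, nonce_bad, "conn-A")
    out["wrong_key"] = verifier.verify("conn-A", svid, nonce_bad, proof_bad)
    return out


if __name__ == "__main__":
    for case, result in run_attestation_checks().items():
        print(f"{case:20s} {result}")
```

Popping the nonce before any other check is the detail that matters: the verifier decides single-use first, so a captured message cannot be tried repeatedly, and the connection check then ensures a proof obtained on one mTLS session is worthless on another.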