Quickstart
Authenticate your first workload in 5 steps
No secrets to store, no certificates to rotate. You'll have a Kubernetes pod authenticated to an external API using short-lived OIDC tokens by the end of this guide.
- A Kubernetes cluster (1.24+) with OIDC discovery enabled (verify with kubectl get --raw /.well-known/openid-configuration, which returns the cluster's issuer discovery document when it is enabled)
- An Aembit account (create one free)
- kubectl configured against your cluster
Install the Aembit Workload Proxy
The workload proxy runs as a sidecar or DaemonSet and intercepts outbound calls to inject ephemeral tokens. Install via Helm:
```shell
# Add the Aembit Helm chart repository
helm repo add aembit https://charts.aembit.io
helm repo update

# Install the workload proxy into its own namespace.
# Replace your-tenant-id with your own tenant ID.
helm install aembit-proxy aembit/workload-proxy \
  --namespace aembit-system \
  --create-namespace \
  --set tenantId="your-tenant-id" \
  --set controlPlane.endpoint="https://control.aembit.io"
```
Register the workload identity
Create a workload registration (shown here as a manifest applied with kubectl). Its attestation policy maps a Kubernetes Service Account, by name and namespace, to a workload identity, so the pod is identified by what it is rather than by a secret it holds:
```yaml
# workload-registration.yaml
apiVersion: aembit.io/v1
kind: WorkloadIdentity
metadata:
  name: payment-service
  namespace: production
spec:
  attestation:
    type: kubernetes-service-account
    serviceAccount: payment-svc
    namespace: production
```

```shell
kubectl apply -f workload-registration.yaml
```
Define the credential policy
A credential policy maps a workload identity to the target service it is allowed to authenticate against, and fixes what the issued token looks like. The audience is the API that will receive the token: an API that checks aud rejects a token minted for a different service, so a token captured in transit cannot be replayed elsewhere. The ttl bounds how long a captured token stays usable; keep it as short as the target's clock skew and your request pattern allow, and 300 seconds is a reasonable starting point:
```yaml
apiVersion: aembit.io/v1
kind: CredentialPolicy
metadata:
  name: payment-to-stripe
spec:
  workloadIdentity: payment-service
  targetService: stripe-api
  credentialProvider:
    type: oidc-token
    audience: "https://api.stripe.com"
    ttl: 300 # seconds
```
Annotate your Deployment
Add the Aembit annotations to the pod template (under spec.template.metadata, not the Deployment's own metadata, since injection happens per pod). The proxy sidecar is injected automatically. serviceAccountName must be the Service Account named in the WorkloadIdentity attestation (payment-svc), and the Deployment must be created in the same namespace (production), otherwise attestation fails:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-service
spec:
  template:
    metadata:
      annotations:
        aembit.io/inject: "true"
        aembit.io/workload-identity: "payment-service"
    spec:
      serviceAccountName: payment-svc
      containers:
        - name: payment
          image: registry.example.com/payment:latest
```
Verify authentication
Roll out the change and confirm the attestation and token exchange in the proxy sidecar's logs:
```shell
# Check the proxy sidecar logs
kubectl logs -n production \
  deployment/payment-service \
  -c aembit-proxy --follow
```

Expected output:

```
2026-06-15T14:22:01Z INFO workload attested via kubernetes-service-account
2026-06-15T14:22:01Z INFO oidc token issued, audience=https://api.stripe.com ttl=300s
2026-06-15T14:22:01Z INFO header injected: Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```
The outbound HTTP request to the target API now carries a short-lived OIDC bearer token that expires after the policy's ttl (300 seconds here) and names the policy's audience, so an API that checks aud will not accept it for anything else. No long-lived API key was stored in the pod, baked into its image, or checked into its manifests; the only credential that leaves the cluster is the token itself, for its lifetime. One caveat: the last log line records the injected Authorization header, so treat the sidecar's logs as sensitive and keep them out of broadly shared log pipelines.
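As an added check for step 5, here is a Python script written for this guide (it is not part of Aembit's tooling) that pulls the bearer token out of the "header injected" log line and confirms its claims match the payment-to-stripe CredentialPolicy from step 3: the audience, and a lifetime no longer than ttl. The log lines and the token inside them are constructed inline; the token carries a placeholder signature, because verifying the signature against the issuer's JWKS is the target API's job, and the iss value in the sample claims is an assumption the guide does not state.

```python
"""Check an injected OIDC bearer token against the CredentialPolicy it came from.

Added example for this guide, not Aembit's own tooling. The sample log and the
token in it are constructed below; the signature segment is a placeholder, since
signature verification belongs to the target API (against the issuer's JWKS).
This script inspects claims only.
"""
import base64
import json
import re
import time
from typing import List, Optional

# Values taken from the CredentialPolicy in this guide.
POLICY_AUDIENCE = "https://api.stripe.com"
POLICY_TTL_SECONDS = 300

_BEARER_RE = re.compile(r"Authorization: Bearer (\S+)")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_sample_token(claims: dict) -> str:
    """Build an RS256-shaped JWT with a placeholder signature (sample data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def extract_bearer_from_log(log_text: str) -> Optional[str]:
    """Return the token from the 'header injected' log line, if present."""
    match = _BEARER_RE.search(log_text)
    return match.group(1) if match else None


def decode_claims(token: str) -> dict:
    """Parse the payload without verifying the signature (see module docstring)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") in (None, "none"):
        raise ValueError("refusing to inspect an unsigned token (alg=none)")
    return json.loads(b64url_decode(parts[1]))


def check_token_against_policy(token: str, audience: str, ttl: int,
                               now: Optional[int] = None) -> List[str]:
    """Return the mismatches between the token and the policy; empty means OK."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    findings: List[str] = []

    # aud may be a string or a list; the policy audience must be present.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        findings.append(f"aud {audiences!r} does not include the policy audience {audience!r}")

    # Lifetime must not exceed the policy ttl, and the token must still be valid.
    iat, exp = claims.get("iat"), claims.get("exp")
    if isinstance(iat, int) and isinstance(exp, int):
        lifetime = exp - iat
        if lifetime > ttl:
            findings.append(f"token lifetime {lifetime}s exceeds the policy ttl of {ttl}s")
        if exp <= now:
            findings.append("token is already expired")
    else:
        findings.append("iat/exp missing or not integers; lifetime cannot be checked")

    if not claims.get("sub"):
        findings.append("sub claim missing; the target API cannot tell which workload called")
    return findings


# Constructed sample: epoch for 2026-06-15T14:22:01Z, matching the guide's log timestamps.
ISSUED_AT = 1781533321
SAMPLE_CLAIMS = {
    "iss": "https://control.aembit.io",  # assumed issuer for the sample; not stated in the guide
    "sub": "payment-service",
    "aud": POLICY_AUDIENCE,
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + POLICY_TTL_SECONDS,
}
SAMPLE_TOKEN = build_sample_token(SAMPLE_CLAIMS)
SAMPLE_LOG = (
    "2026-06-15T14:22:01Z INFO workload attested via kubernetes-service-account\n"
    "2026-06-15T14:22:01Z INFO oidc token issued, audience=https://api.stripe.com ttl=300s\n"
    f"2026-06-15T14:22:01Z INFO header injected: Authorization: Bearer {SAMPLE_TOKEN}\n"
)

if __name__ == "__main__":
    token = extract_bearer_from_log(SAMPLE_LOG)
    problems = check_token_against_policy(token, POLICY_AUDIENCE, POLICY_TTL_SECONDS,
                                          now=ISSUED_AT + 5)
    print("OK: token matches payment-to-stripe policy" if not problems else "\n".join(problems))
```

To run it against a live pod, pipe the output of the kubectl logs command from step 5 into extract_bearer_from_log instead of SAMPLE_LOG; the check passes only if the audience and ttl in the policy are what actually reached the wire.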