Authenticate your first workload in 5 steps

No secrets to store, no certificates to rotate. You'll have a Kubernetes pod authenticated to an external API using short-lived OIDC tokens by the end of this guide.

Prerequisites
  • A Kubernetes cluster (1.24+) with OIDC discovery enabled
  • An Aembit account (create one free)
  • kubectl configured against your cluster
1. Install the Aembit Workload Proxy

The workload proxy runs as a sidecar or DaemonSet and intercepts outbound calls to inject ephemeral tokens. Install via Helm:

# Add the Aembit Helm chart repository
helm repo add aembit https://charts.aembit.io
helm repo update

# Install the workload proxy into its own namespace
helm install aembit-proxy aembit/workload-proxy \
  --namespace aembit-system \
  --create-namespace \
  --set tenantId="your-tenant-id" \
  --set controlPlane.endpoint="https://control.aembit.io"
2. Register the workload identity

In the Aembit console, create a workload registration. The attestation policy maps the Kubernetes Service Account to a workload identity:

# workload-registration.yaml
apiVersion: aembit.io/v1
kind: WorkloadIdentity
metadata:
  name: payment-service
  namespace: production
spec:
  attestation:
    type: kubernetes-service-account
    serviceAccount: payment-svc
    namespace: production

# Apply the registration to the cluster
kubectl apply -f workload-registration.yaml
3. Define the credential policy

A credential policy maps a workload identity to the target service it's allowed to authenticate against:

apiVersion: aembit.io/v1
kind: CredentialPolicy
metadata:
  name: payment-to-stripe
spec:
  workloadIdentity: payment-service
  targetService: stripe-api
  credentialProvider:
    type: oidc-token
    audience: "https://api.stripe.com"
    ttl: 300  # seconds
4. Annotate your Deployment

Add the Aembit workload annotations to the pod template. The proxy sidecar is injected automatically:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-service
spec:
  template:
    metadata:
      annotations:
        aembit.io/inject: "true"
        aembit.io/workload-identity: "payment-service"
    spec:
      serviceAccountName: payment-svc
      containers:
      - name: payment
        image: registry.example.com/payment:latest
5. Verify authentication

Redeploy your application and confirm the token exchange in the audit log:

# Check the proxy sidecar logs
kubectl logs -n production \
  deployment/payment-service \
  -c aembit-proxy --follow

# Expected output
2026-06-15T14:22:01Z INFO  workload attested via kubernetes-service-account
2026-06-15T14:22:01Z INFO  oidc token issued, audience=https://api.stripe.com ttl=300s
2026-06-15T14:22:01Z INFO  header injected: Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

The outbound HTTP request to the target API now carries a short-lived OIDC bearer token. No API key was stored or transmitted.
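As an added check that is not part of this guide, the script below audits a token the proxy injected against the CredentialPolicy from step 3: it decodes the JWT without verifying the signature (the target API does that with the issuer's keys) and flags a wrong audience, a lifetime longer than the 300 s ttl, an expired token, or alg=none. It assumes the token carries standard aud/iat/exp claims; the sample token it builds is constructed for offline testing, not a real Aembit token.

```python
from __future__ import annotations
import base64
import json
import time

# Values taken from the payment-to-stripe CredentialPolicy above.
EXPECTED_AUDIENCE = "https://api.stripe.com"
EXPECTED_TTL = 300  # seconds


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into header and payload WITHOUT checking the signature.
    This is an audit of what was minted, not an authentication decision."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_token_claims(token: str, now: int | None = None) -> list[str]:
    """Return findings; an empty list means the token matches the policy."""
    now = int(time.time()) if now is None else now
    header, claims = decode_jwt_unverified(token)
    findings = []
    if header.get("alg") == "none":
        findings.append("alg=none: token is unsigned")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in auds:
        findings.append(f"audience {aud!r} does not match {EXPECTED_AUDIENCE}")
    if "exp" not in claims or "iat" not in claims:
        findings.append("missing exp or iat: lifetime cannot be bounded")
    else:
        lifetime = claims["exp"] - claims["iat"]
        if lifetime > EXPECTED_TTL:
            findings.append(f"lifetime {lifetime}s exceeds policy ttl {EXPECTED_TTL}s")
        if claims["exp"] <= now:
            findings.append("token already expired")
    return findings


def make_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed, unsigned sample token for offline testing only (hypothetical, not Aembit's)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

To audit a live token, paste the value after `Bearer` from the sidecar log into `check_token_claims`.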

What's next?