Cloud Functions
Lambda needs an identity too
Serverless functions scale to zero and back. Execution roles scoped to the function, not the team. Aembit intercepts outbound calls from functions and attaches identity-bound tokens — even in cold-start scenarios.
Lambda Extension pattern
No SDK required. No application code changes.
Aembit runs as a Lambda Extension layer. It intercepts HTTP calls before they leave the function's execution environment — the function code is unchanged.
Lambda Extension
Runs alongside your function, not inside it
The Aembit Lambda Extension is attached as a layer. It starts before your function handler and intercepts outbound HTTP calls at the execution environment level. Your function code doesn't know it's there.
cold-start overhead: < 2ms
code changes required: zero
runtimes: Node.js 18+, Python 3.10+, Go 1.21+
Supported platforms
All major serverless environments
Aembit supports AWS Lambda, GCP Cloud Functions, Azure Functions, and Cloudflare Workers. Each uses the platform's native identity primitive as the SVID source.
AWS Lambda: execution role via OIDC federation
GCP Cloud Functions: workload identity pool
Azure Functions: managed identity + OIDC
serverless.yml — attach Aembit extension layer
functions:
  dataProcessor:
    handler: src/handler.main
    layers:
      - arn:aws:lambda:us-east-1:123456789:layer:aembit-extension:3
    environment:
      AEMBIT_POLICY: lambda-data-processor-prod
      # no AWS_ACCESS_KEY_ID needed anywhere
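
An added example, not Aembit's tooling or code from this page: a pre-deploy check over a serverless.yml laid out like the one above, reporting functions that lack the extension layer or AEMBIT_POLICY, or that still carry static AWS credentials in their environment. It assumes block-style YAML with consistent indentation and matches the layer by the name in the ARN shown above; the legacyExport function and its key value are constructed sample data.

```python
import re

# Static AWS credential variables that should not appear in a function's environment.
STATIC_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
LAYER_MARKER = ":layer:aembit-extension:"  # layer name taken from the ARN on this page
# Constructed sample: one function wired as on the page, one still shipping a static key.
SAMPLE = """\
functions:
  dataProcessor:
    handler: src/handler.main
    layers:
      - arn:aws:lambda:us-east-1:123456789:layer:aembit-extension:3
    environment:
      AEMBIT_POLICY: lambda-data-processor-prod
  legacyExport:
    handler: src/export.main
    environment:
      AWS_ACCESS_KEY_ID: EXAMPLE-NOT-A-REAL-KEY
"""

def audit_functions(text):
    """Return {function_name: [findings]} for the top-level functions: block."""
    facts, current, in_functions, func_indent = {}, None, False, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                 # blank or commented-out line
        indent = len(line) - len(line.lstrip())
        if indent == 0:                              # a new top-level key
            in_functions, func_indent = line.startswith("functions:"), None
            continue
        if not in_functions:
            continue
        if func_indent is None:
            func_indent = indent                     # indentation of function names
        if indent == func_indent and line.endswith(":"):
            current = line.strip()[:-1]
            facts[current] = {"layer": False, "policy": False, "static": []}
        elif current is not None:
            m = re.match(r"\s+([A-Za-z_]\w*)\s*:", line)
            key = m.group(1) if m else ""
            facts[current]["layer"] |= LAYER_MARKER in line
            facts[current]["policy"] |= key == "AEMBIT_POLICY"
            if key in STATIC_KEYS:
                facts[current]["static"].append(key)
    return {name: ["static credential in environment: " + k for k in f["static"]]
            + ([] if f["layer"] else ["aembit-extension layer not attached"])
            + ([] if f["policy"] else ["AEMBIT_POLICY not set"])
            for name, f in facts.items()}
```

An empty findings list means the function matches the configuration shown above; a commented-out layer line counts as not attached.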