Lambda needs an identity too

Serverless functions scale to zero and back. Execution roles scoped to the function, not the team. Aembit intercepts outbound calls from functions and attaches identity-bound tokens — even in cold-start scenarios.

No SDK required. No application code changes.

Aembit runs as a Lambda Extension layer. It intercepts HTTP calls before they leave the function's execution environment — the function code is unchanged.

Lambda Extension
Runs alongside your function, not inside it
The Aembit Lambda Extension is attached as a layer. It starts before your function handler and intercepts outbound HTTP calls at the execution environment level. Your function code doesn't know it's there.
cold-start overhead: < 2ms
code changes required: zero
runtimes: Node.js 18+, Python 3.10+, Go 1.21+

Supported platforms
All major serverless environments
Aembit supports AWS Lambda, GCP Cloud Functions, Azure Functions, and Cloudflare Workers. Each uses the platform's native identity primitive as the SVID source.
AWS Lambda: execution role via OIDC federation
GCP Cloud Functions: workload identity pool
Azure Functions: managed identity + OIDC

serverless.yml — attach Aembit extension layer
functions:
  dataProcessor:
    handler: src/handler.main
    layers:
      - arn:aws:lambda:us-east-1:123456789:layer:aembit-extension:3
    environment:
      AEMBIT_POLICY: lambda-data-processor-prod
# no AWS_ACCESS_KEY_ID needed anywhere
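
To check a whole service against the configuration above, the following added example (not Aembit's code or tooling) audits a parsed Serverless config for functions that lack the extension layer or the AEMBIT_POLICY variable, or that still carry static credentials in their environment. It assumes the config has been exported with `serverless print --format json`; the secret-name patterns and the sample data are constructed for illustration.

```python
import re

# Names below come from the page's serverless.yml; the secret patterns are
# this example's own assumption about what a static credential looks like.
LAYER_MARKER = ":layer:aembit-extension:"
POLICY_VAR = "AEMBIT_POLICY"
SECRET_NAME = re.compile(r"(ACCESS_KEY|SECRET|TOKEN|PASSWORD|API_KEY)", re.I)
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample, shaped like `serverless print --format json` output.
SAMPLE = {
    "provider": {"name": "aws", "environment": {"STAGE": "prod"}},
    "functions": {
        "dataProcessor": {
            "handler": "src/handler.main",
            "layers": ["arn:aws:lambda:us-east-1:123456789:layer:aembit-extension:3"],
            "environment": {"AEMBIT_POLICY": "lambda-data-processor-prod"},
        },
        "legacyExport": {  # constructed function that was never migrated
            "handler": "src/export.main",
            "environment": {"PARTNER_API_KEY": "constructed-value",
                            "UPSTREAM_ID": "AKIAEXAMPLEEXAMPLE00"},
        },
    },
}


def audit(config):
    """Return sorted (function, finding) pairs for a parsed Serverless config."""
    provider = config.get("provider") or {}
    findings = []
    for name, fn in (config.get("functions") or {}).items():
        # Function-level layers take precedence over provider-level layers;
        # provider and function environments are merged, function values win.
        layers = fn.get("layers", provider.get("layers")) or []
        env = {**(provider.get("environment") or {}), **(fn.get("environment") or {})}
        if not any(isinstance(arn, str) and LAYER_MARKER in arn for arn in layers):
            findings.append((name, "extension layer not attached"))
        if not env.get(POLICY_VAR):
            findings.append((name, f"{POLICY_VAR} not set"))
        for key, value in env.items():
            looks_secret = SECRET_NAME.search(key) or AWS_KEY_ID.search(str(value))
            if key != POLICY_VAR and looks_secret:
                findings.append((name, f"static credential in environment: {key}"))
    return sorted(findings)


if __name__ == "__main__":
    for fn_name, finding in audit(SAMPLE):
        print(f"{fn_name}: {finding}")
```

Only variable names are reported, never values, so the output is safe to keep in CI logs.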

Get Access to start removing execution role sprawl.

Replace over-provisioned execution roles with per-invocation identity-bound tokens.