Service-to-Service
Service-to-service auth without shared secrets
Every microservice call is a trust decision. mTLS plus short-lived OIDC tokens make each decision verifiable, revocable, and logged, with no long-lived credential stored on either side of the call.
Technical detail
Kubernetes service mesh integration
Aembit integrates with Istio and Envoy at the sidecar layer. No code changes to your application. Enable it with a single Kubernetes annotation.
kubernetes deployment — enable Aembit sidecar injection
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-service
  namespace: production
  annotations:
    aembit.io/inject: "true"
    aembit.io/policy: "prod-api-to-data"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api-service
  template:
    metadata:
      labels:
        app: api-service
    spec:
      containers:
        - name: api-service
          image: registry.example.com/api-service:1.0.0   # placeholder image; use your own
          ports:
            - containerPort: 8080
Sidecar injection is done by a mutating admission webhook, which sees Pods rather than Deployments; if the Aembit injector reads the annotation from the Pod, the same two annotations belong under spec.template.metadata.annotations instead of on the Deployment.
Sidecar interception
Transparent proxy at iptables level
Aembit's sidecar installs iptables rules in the pod's network namespace that redirect outbound TCP on port 443 to itself before the traffic leaves the pod. The application calls its target service exactly as before and the sidecar handles authentication transparently. Two practical consequences follow: installing the redirect needs CAP_NET_ADMIN when the pod starts, and only traffic the rule matches is covered, so a call on any other port leaves the pod without passing through the sidecar or its policy.
mTLS enforcement
Both ends of every connection verified
Mutual TLS requires the calling service and the target service each to present a certificate that chains to the trust domain's CA and carries that workload's SPIFFE ID, and each side refuses the connection if the other's certificate does not. The certificates are short-lived X509-SVIDs issued and rotated automatically through the SPIRE Workload API, so there is no manual certificate management.
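Both-ends verification in code, as an added example and not Aembit's or SPIRE's own implementation: the Go program below mints a throwaway CA in place of the SPIRE server, issues one X509-SVID per workload in place of the Workload API, and runs a TLS 1.3 handshake over loopback in which each side accepts the other only if its certificate chains to that CA and carries the exact SPIFFE ID expected. The trust domain example.org, the service names, the one-hour lifetime and the in-process CA are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// must panics on setup failures (key generation, certificate creation): those are bugs, not policy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl with parent's key (self-signed when parent is nil). It stands in for the SPIRE
// server CA and for the X509-SVIDs the SPIRE Workload API hands to each workload (assumed setup).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// spiffeVerifier accepts a peer only if its leaf chains to the trust-domain CA and carries exactly
// the SPIFFE ID this side expects. Hostnames play no part in the decision.
func spiffeVerifier(roots *x509.CertPool, usage x509.ExtKeyUsage, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		// A chain carrying intermediates would add rawCerts[1:] to opts.Intermediates here.
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("chain does not lead to the trust-domain CA: %w", err)
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].String() != expectedID {
			return fmt.Errorf("peer SVID %v, this side expects %s", leaf.URIs, expectedID)
		}
		return nil
	}
}

// Handshake runs one mutually authenticated TLS 1.3 connection over loopback. callerID and targetID
// are the SVIDs each side holds; callerExpects and targetExpects are the peer IDs each side accepts.
func Handshake(callerID, targetID, callerExpects, targetExpects string) error {
	now := time.Now()
	ca, caKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "spiffe-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	svid := func(id string, serial int64) tls.Certificate { // short-lived leaf; SPIRE rotates it before expiry
		leaf, key := mint(&x509.Certificate{
			SerialNumber: big.NewInt(serial), URIs: []*url.URL{must(url.Parse(id))},
			NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
	}
	// The target demands a client certificate and lets spiffeVerifier judge it; the caller turns off
	// the stock hostname check (SVIDs carry none) and relies on the same verifier. Session tickets
	// are disabled so every connection re-presents and re-verifies both SVIDs.
	targetCfg := &tls.Config{
		MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{svid(targetID, 3)},
		ClientAuth: tls.RequireAnyClientCert, SessionTicketsDisabled: true,
		VerifyPeerCertificate: spiffeVerifier(roots, x509.ExtKeyUsageClientAuth, targetExpects),
	}
	callerCfg := &tls.Config{
		MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{svid(callerID, 2)},
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: spiffeVerifier(roots, x509.ExtKeyUsageServerAuth, callerExpects),
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	targetErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		targetErr <- tls.Server(conn, targetCfg).Handshake()
	}()
	cli, callerErr := tls.Dial("tcp", ln.Addr().String(), callerCfg)
	if callerErr == nil {
		cli.Close()
	}
	return errors.Join(callerErr, <-targetErr) // a refusal by either side fails the call
}
```

Handshake(caller, target, target, caller) succeeds for the intended pair; changing either expected ID makes that side refuse the connection, which is the practical content of "both ends verified": the target does not take the caller's word for who it is, and the caller cannot be steered to a service that merely holds a valid SVID for some other identity.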
Policy evaluation
Allow/deny at the service pair level
Policies are evaluated per calling-service/target-service pair. You can restrict which services may call which others, under which conditions, and with which scopes. Policies are version-controlled JSON, so a change is reviewable in a pull request before it takes effect.
Audit log
Every call logged with full identity context
Every authenticated service call produces a log entry with the calling SVID, the target service, the policy matched, the token issued, its TTL, and a timestamp. Entries can be exported to your SIEM through the Aembit export API.
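A policy evaluator and audit record covering both the policy evaluation and the audit log sections above, written as an added example rather than Aembit's policy engine or export format: the JSON schema (rule name, caller and target SPIFFE IDs, a conditions map, scopes, token_ttl), the SPIFFE IDs, the sample rule and the default-deny semantics are assumptions for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"time"
)

// Policy is the version-controlled JSON document reviewed in pull requests. The schema below is
// an assumption for this example, not Aembit's policy format.
type Policy struct {
	Rules []Rule `json:"rules"`
}

// Rule allows one caller/target pair, under all listed conditions, for the listed scopes.
type Rule struct {
	Name       string            `json:"name"`
	Caller     string            `json:"caller"`     // SPIFFE ID of the calling workload
	Target     string            `json:"target"`     // SPIFFE ID of the target service
	Scopes     []string          `json:"scopes"`     // scopes the caller may request
	Conditions map[string]string `json:"conditions"` // attributes the call must carry
	TokenTTL   string            `json:"token_ttl"`  // lifetime of the token issued on allow
}

// Call is one request as the sidecar sees it once mTLS has established the caller's SVID.
type Call struct {
	CallerSVID string
	Target     string
	Scopes     []string
	Attributes map[string]string
}

// AuditEntry is written for every call, allowed or denied: calling SVID, target, policy matched,
// token TTL and timestamp, plus the reason whenever the call is refused.
type AuditEntry struct {
	Timestamp  time.Time `json:"ts"`
	CallerSVID string    `json:"caller_svid"`
	Target     string    `json:"target"`
	Policy     string    `json:"policy,omitempty"` // matched rule; empty when no rule names the pair
	Decision   string    `json:"decision"`
	TokenTTL   string    `json:"token_ttl,omitempty"`
	Reason     string    `json:"reason,omitempty"`
}

// Constructed identities and policy for this example; names and scopes are illustrative.
const (
	apiSVID      = "spiffe://example.org/ns/production/sa/api-service"
	dataSVID     = "spiffe://example.org/ns/production/sa/data-service"
	samplePolicy = `{"rules": [{"name": "prod-api-to-data",
	  "caller": "` + apiSVID + `", "target": "` + dataSVID + `",
	  "scopes": ["orders:read", "orders:write"], "conditions": {"namespace": "production"},
	  "token_ttl": "15m"}]}`
)

// LoadPolicy parses the document and rejects a rule whose token_ttl could not be honoured,
// so a malformed policy fails at load time rather than at call time.
func LoadPolicy(doc []byte) (Policy, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return p, err
	}
	for _, r := range p.Rules {
		if _, err := time.ParseDuration(r.TokenTTL); err != nil {
			return p, fmt.Errorf("rule %q: bad token_ttl: %w", r.Name, err)
		}
	}
	return p, nil
}

// Evaluate is default-deny: the call is allowed only if some rule names the exact caller/target
// pair, every condition in it matches the call's attributes and every requested scope is granted.
func Evaluate(p Policy, c Call, now time.Time) AuditEntry {
	e := AuditEntry{Timestamp: now, CallerSVID: c.CallerSVID, Target: c.Target,
		Decision: "deny", Reason: "no rule for this service pair"}
	for _, r := range p.Rules {
		if r.Caller != c.CallerSVID || r.Target != c.Target {
			continue
		}
		e.Policy, e.Reason = r.Name, violation(r, c)
		if e.Reason == "" {
			e.Decision, e.TokenTTL = "allow", r.TokenTTL
			return e
		}
	}
	return e
}

// violation explains why r does not cover c, or returns "" when it does.
func violation(r Rule, c Call) string {
	for k, want := range r.Conditions {
		if got, ok := c.Attributes[k]; !ok || got != want {
			return fmt.Sprintf("condition %s=%q not met (call has %q)", k, want, got)
		}
	}
	for _, s := range c.Scopes {
		if !slices.Contains(r.Scopes, s) {
			return fmt.Sprintf("scope %q not granted", s)
		}
	}
	return ""
}

func main() {
	p, err := LoadPolicy([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	call := Call{apiSVID, dataSVID, []string{"orders:read"}, map[string]string{"namespace": "production"}}
	line, _ := json.Marshal(Evaluate(p, call, time.Now()))
	fmt.Println(string(line)) // one audit line, in the shape a SIEM export carries
}
```

Evaluate returns the same AuditEntry whether the call is allowed or refused, so the deny path is logged with the same identity context as the allow path; the Reason field is what a SIEM rule would key on to spot a workload repeatedly asking for a scope or a target it has not been granted.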