[Webinar] Ditch Static Credentials: Embrace WIF for Enhanced Security | Nov 6 at 11 a.m. PT | Register Now

Aembit Earns Prestigious Runner-Up Spot at RSA Innovation Sandbox Contest! Watch the Announcement

Access Your Copy of the 2024 Non-Human Identity Security Survey

Register for the NHI Summit 2024! | 9 a.m. to noon PT | Oct. 30

REQUEST A DEMO
REQUEST A DEMO
Blog
X
Blog

Aembit Adds AWS Workload Identity Federation (WIF) Support

4 min read
Screenshot of Aembit WIF Support.

Like Google Cloud before it, Aembit now supports AWS workload identity federation (WIF), extending its universal identity federation capabilities. This integration enhances non-human access security, improves the developer experience, and simplifies multi-cloud and on-premises federation.

AWS Security Token Service (STS) WIF issues short-lived tokens for AWS access, but the Aembit Workload IAM Platform eliminates the need for managing secrets or modifying developer code for authentication. By cryptographically identifying client workloads, Aembit adds an extra layer of security with MFA and conditional access – even when the service itself doesn’t natively support those capabilities.

Why Use WIF and Aembit

Before configuring WIF, here’s why pairing it with Aembit strengthens security and simplifies management:

  • Secure Multi-Cloud Access: Applications outside AWS can securely connect to AWS resources without managing service account keys, reducing credential leakage risks. Aembit injects tokens dynamically, requiring no code changes.
  • Unified Federation Across Environments: Hybrid and multi-cloud organizations can consolidate workload identity management with a single identity source. Aembit supports deployments across on-prem, SaaS, cloud, and serverless environments.
  • Seamless Cloud Migration: Existing applications retain their identities during cloud migrations without re-architecting authentication. Aembit’s policies enable a smooth transition without modifying the application or identity provider.
  • Temporary and Ephemeral Access: WIF issues short-lived tokens for enhanced security. Aembit enforces conditional access policies, restricting access by origin, time, and risk level – ensuring one-time access is both controlled and secure.

Pairing WIF With Aembit

An organization using AI tools to analyze sales data stored across Salesforce, Stripe, and AWS S3 can use Aembit’s AWS WIF support to simplify access. For a custom application storing transaction data in an S3 bucket, Aembit directs AWS STS to grant time-limited access without requiring long-lived secrets or hardcoded credentials. When pulling customer data from external sources like Stripe and Salesforce, Aembit enforces secure identity mapping and policy controls, ensuring integration through AWS STS-assumed roles.

Once the data is consolidated in S3, the application can use SageMaker for analysis, with Aembit managing secure identity federation to ensure access is granted only to necessary roles. This approach strengthens security, automates policy-driven authentication, and minimizes the complexity of managing sensitive data workflows—without requiring developers to write authentication or authorization code.

How Aembit’s AWS WIF Support Works

The diagram below illustrates how Aembit integrates with AWS STS WIF. On the AWS side, STS is enabled, and an IAM role is created with the necessary permissions for the target service.

Instead of using a service account directly, Aembit verifies that the workload is authorized to access the resource and requests a short-lived token from AWS STS. This token is linked to the IAM role and grants temporary access. Aembit then injects the token into the workload’s API call, allowing it to communicate with the AWS resource without storing long-lived credentials.

Diagram depicting how Aembit supports AWS WIF.

How AWS STS WIF Is Configured in Aembit

Below is the credential provider (CP) configuration for AWS STS. There are no hardcoded credentials or API tokens – static keys are avoided in favor of stronger authentication methods. OIDC is used to establish a trusted connection without storing secrets, reducing risk while maintaining compatibility with AWS security best practices.

Screenshot showing the the credential provider (CP) configuration for AWS STS in Aembit.

The server workload configuration for AWS Bedrock can be reached directly via APIs or using AWS CLI.

Screenshot of the server workload configuration for AWS Bedrock in Aembit.

The access policy below defines the client workload – an application running in Kubernetes – by its pod name prefix. This workload is granted access only to AWS Bedrock, with no permissions for other AWS services.

The configuration also includes a trust provider that verifies the workload’s identity using a Kubernetes service account. To further restrict access, two conditions are applied: connections must originate from California, and requests can only be made within a specific day and time window for this application.

Screenshot of the access policy, which defines the client workload – an application running in Kubernetes – by its pod name prefix.

Request Code

Here is some sample code for making basic Bedrock calls using the SDK (source).

code snippet

To learn more about how Aembit’s WIF support can help secure and accelerate your Workload IAM deployment, schedule a demo today.

Aembit logo

The Workload IAM Company

Manage Access, Not Secrets

Boost Productivity, Slash DevSecOps Time

No-Code, Centralized Access Management

Try it Free-Forever
Picture of Ashur Kanoon

Ashur Kanoon

Ashur Kanoon is the technical product marketing guy at Aembit. I started off as a software engineer at Cisco working on Y2K (remember that). I take what excited (and highly caffeinated) engineers build and make sure that business and technical buyers know why to partner with us. I’ve done this at 1 spin-out (later acquired) and 2 other startups (both acquired). I enjoy mechanical things (mostly cars and watches) and love spending time with my wife and two teenagers. I have a CIS degree and MBA.

You might also like

Image of back of developer working at three computers.

GitHub Action Supply Chain Breach Exposes Non-Human Identity Risks in CI/CD

Long-lived credentials and secrets fueled the attack.
4 min read

How to Stop Expired Secrets from Disrupting Your Operations

Credential expiration is more than an SSL/TLS certificate problem.
5 min read
Words stating Aembit achieves ISO 27001 certification.

Aembit Achieves ISO 27001 Certification

Hot on the heels of our SOC 2 Type II certification – Aembit has now achieved ISO 27001, demonstrating our unwavering commitment to resilience and compliance.
3 min read

Straight to your inbox

Identity-obsessed? Want to keep up with the Identity Universe? Sign up to receive the latest news from Aembit!
Aembit logo white
Manage Access, Not Secrets.
SOC logo
ISO27001
Gartner Cool Vendor 2022
CSO startups to watch award
RSAC™ Innovation Sandbox FINALIST 2024 banner
Cyber Security Excellence Awards 2025 for Aembit
2024 Sinet16 Innovator Award
Support
Platform
Company

Copyright © 2024. All rights reserved.

Linkedin Twitter Youtube