
Aembit Connects AI and Workload Access to AWS Secrets Manager

Today we’re announcing a powerful new integration for the Aembit Workload IAM Platform – full support for AWS Secrets Manager. With this update, Aembit can validate workload identity and enforce access policies while retrieving credentials directly from AWS Secrets Manager.

This expands our already robust list of integrations and broadens the types of identity and credential providers we support, making it even easier for organizations to manage and secure access to their critical AI and workload resources in AWS and beyond to support your modern applications.

This enhancement can be used along with Aembit’s AWS Workload Identity Federation (WIF) using STS support to further secure your secrets and simplify multi-cloud access.

Aembit is now available on the AWS Marketplace.

Why AWS Secrets Manager Matters

While the industry is steadily moving toward more secure, short-lived tokens and identity federation for authentication, an estimated 200,000 to 500,000 organizations still rely on AWS Secrets Manager to store and retrieve long-lived credentials. Many agentic AI workloads continue to use static, long-lived secrets for both human and nonhuman identities.

At Aembit, we aim to meet customers where they are today while helping them transition to a more secure future. This integration bridges that gap, providing essential support for organizations that use AWS Secrets Manager even as services evolve toward ephemeral credentials.

Modern applications hosted on a cloud platform like AWS are architected as networks of decoupled components (microservices) that communicate through secure APIs. These components can easily incorporate specialized functionality from external third-party services, each requiring different authentication methods and credential types often stored in AWS Secrets Manager.

Rather than building every feature from scratch, developers integrate with best-in-class providers for specific domains. For payments, for example, applications rarely handle sensitive card data directly, instead relying on Payment Service Providers (PSPs) like Stripe or Braintree to securely process transactions and subscriptions.

For AI capabilities, they can connect to external model APIs such as OpenAI (for the GPT series of large language models) or Google Cloud AI to integrate natural language generation or image recognition. For broader business functions, applications might use Twilio for messaging, Salesforce for customer relationship management (CRM) data synchronization, or Google Maps Platform for real-time geolocation and mapping – creating a rich, composable experience where the cloud platform serves as a scalable, secure integration layer.

Below is an example of applications accessing static and ephemeral tokens from AWS Secrets Manager to reach various AI services.


Supporting Modernization and Security

Aembit supports three ways of delivering a credential: minting a short-lived token, vaulting a static one, or using another source such as KMS or an external vault. Minting an ephemeral token is the most secure option, but some services still accept only static tokens or keys, which must therefore be vaulted.

This new capability lets you continue leveraging the power of AWS Secrets Manager while benefiting from Aembit’s granular access control and policy enforcement. As services gradually move away from long-lived credentials, Aembit will continue to support that evolution, ensuring a smooth and secure transition.

The feature also centralizes audit logs – whether you’re accessing AWS-specific services like Amazon Bedrock and SageMaker or external services such as OpenAI, Anthropic, Perplexity, and others.

Getting Started With Aembit and AWS Secrets Manager

Configuring Aembit to work with AWS Secrets Manager is straightforward. Here’s a summary of the steps involved:

1. Configure the AWS Secrets Manager integration

First, set up the integration within the Aembit platform by providing an AWS IAM role ARN that Aembit assumes to access your AWS environment. Aembit can automatically populate the secret ARNs to simplify the creation of credential providers in the next step.

2. Create AWS Secrets Manager credential providers

Once the integration is configured, you can create credential providers within Aembit. Each provider can be configured to retrieve a single, service-specific secret from AWS Secrets Manager, allowing you to define precise access policies and scoping for each service separately. This also allows for granular logging of each call to Secrets Manager and to the downstream service.

To further improve security, Aembit supports private network access, so secrets can be retrieved even when AWS Secrets Manager is reached only from within a private AWS VPC.

Here’s an example of how you might configure a credential provider to fetch a username/password pair for an AWS-hosted MySQL database:

The integration with AWS Secrets Manager reinforces Aembit’s commitment to providing comprehensive and flexible access management solutions. By supporting this widely used service, we enable organizations to strengthen the security and control of their long-lived credentials, even as the broader ecosystem shifts toward more dynamic authentication methods. This addition allows customers to maintain their existing infrastructure while preparing for future advancements in credential management—all within the trusted Aembit platform.

In the following sample code, both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY may be stored in AWS Secrets Manager. Both can be retrieved and used to make the call to Bedrock.
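The flow just described, as an added example that is not Aembit's own sample code: the vaulted key pair is read from Secrets Manager, validated so that an incomplete secret fails closed instead of falling back to the host's ambient role, and then passed explicitly to the Bedrock client. The JSON field names, the secret id and the model id are assumptions, not values from the original post.

```python
"""Added example, not Aembit's code: fetch a vaulted AWS key pair from
Secrets Manager and use it, not the host's ambient role, to call Bedrock.
Assumed (not from the post): secret is JSON with AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY fields; secret_id/model_id are placeholders."""
import json

REQUIRED_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def parse_credential_secret(secret_string: str) -> dict:
    """Parse SecretString and require both fields. Fail closed: boto3 treats a
    None key as unset and would silently fall back to ambient credentials."""
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret payload is not JSON") from exc
    missing = [k for k in REQUIRED_KEYS if not payload.get(k)]
    if missing:
        raise ValueError("secret is missing " + ", ".join(missing))
    return {k: payload[k] for k in REQUIRED_KEYS}


def redact(access_key_id: str) -> str:
    """Audit-log-safe form: key id prefix and suffix only, never the secret key."""
    return access_key_id[:4] + "..." + access_key_id[-4:]


def fetch_credentials(secret_id: str, region: str) -> dict:
    """Network call: read the pair from AWS Secrets Manager."""
    import boto3  # imported lazily so the parsing logic runs offline
    sm = boto3.client("secretsmanager", region_name=region)
    return parse_credential_secret(sm.get_secret_value(SecretId=secret_id)["SecretString"])


def invoke_bedrock(creds: dict, model_id: str, prompt: str, region: str) -> str:
    """Call Bedrock's model-agnostic Converse API with the retrieved static pair."""
    import boto3
    bedrock = boto3.client("bedrock-runtime", region_name=region,
                           aws_access_key_id=creds["AWS_ACCESS_KEY_ID"],
                           aws_secret_access_key=creds["AWS_SECRET_ACCESS_KEY"])
    resp = bedrock.converse(modelId=model_id,
                            messages=[{"role": "user", "content": [{"text": prompt}]}])
    return resp["output"]["message"]["content"][0]["text"]


if __name__ == "__main__":
    # Constructed payload; the key id is the AWS documentation example value.
    sample = '{"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_ACCESS_KEY": "constructed"}'
    print("using access key", redact(parse_credential_secret(sample)["AWS_ACCESS_KEY_ID"]))
```

Only the parsing and redaction run offline; `fetch_credentials` and `invoke_bedrock` need boto3 and AWS connectivity.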

Conclusion

Aembit’s new AWS Secrets Manager integration marks a strategic step forward in bridging the gap between current security practices and future-ready authentication. By supporting the hundreds of thousands of organizations that still rely on AWS Secrets Manager for long-lived credentials – while also providing granular access control and centralized audit logging across both AWS services and external AI platforms – Aembit enables organizations to maintain their existing infrastructure while preparing to adopt more secure, ephemeral credential systems.

This integration reinforces Aembit’s commitment to meeting customers where they are today – while guiding them toward a more secure tomorrow.

To unlock secure access to agentic AI and workloads using AWS Secrets Manager, try Aembit today at aembit.io.
