Introducing Aembit Access Management for CI/CD Platforms
2024-05-08 00:10:13 Author: securityboulevard.com

Aembit’s Solution: Secure Access Through Identity Federation

Recognizing the vulnerabilities associated with traditional secrets management, Aembit has introduced a groundbreaking approach through identity federation.

Our platform now seamlessly integrates with CI/CD services, including (but not limited to) GitHub Actions and GitLab, enhancing the security and management of access rights.

How Aembit Enhances Security in GitLab CI/CD

Aembit’s integration with GitLab exemplifies our commitment to secure software development practices. By leveraging identity federation, Aembit builds on the identity GitLab already establishes for each pipeline job to handle authentication and authorization with short-lived, secretless credentials that are bound to the identity of the runner (or job, agent, or whatever term your CI/CD tool uses). Here’s how it works:

1) Manage Access, Not Secrets: Aembit lets you define a simple policy that specifies which workloads your CI/CD pipeline may access and which may access it. Based on that policy, Aembit delivers access credentials at the moment they are needed.

2) Centralized Identity Federation: Replacing long-lived credentials with identity federation means that Aembit validates the identity of each runner with GitLab before it authorizes the request and issues an access credential. Neither an identity secret (to prove who the runner is) nor a stored access secret (to reach the target service) is needed.

3) Just-In-Time Credentials: Aembit eliminates the need for long-lived secrets stored within your CI/CD pipelines. Instead, our system provides just-in-time credentials that are generated when a pipeline job starts – and automatically revoked when it ends. This means each job can have a unique set of credentials, minimizing the risk of secret leakage or unauthorized access.

4) Role-Based Access Control: Within GitLab, Aembit enforces the principle of least privilege: each job receives only the credentials it needs to perform its task, which significantly reduces the attack surface.

5) Audit Trails and Monitoring: Aembit’s integration offers comprehensive logging and monitoring of all access events within your pipelines. This not only helps in maintaining a secure environment but also aids in compliance and forensic analysis should security incidents occur. Logs can be exported to your monitoring and alerting systems.

Flexible Integration

CI/CD systems can be complex and often customized to your company’s specific needs. So Aembit has made it easy and flexible to integrate our capabilities with minimal disruption. We offer two methods of integration today – and plan to continue working with our customers on other methods that make sense for them:

1) Use the Aembit API

With this approach, your runner presents the OIDC ID token that GitLab issues for the job to Aembit via a simple API call. Aembit verifies the token, attests the identity of the runner from its claims, and issues access credentials according to policy. Nothing additional has to be deployed, so this works well for shared runners.

2) Use Aembit Edge

Aembit Edge is a transparent proxy that can fully offload authentication from your system. Edge intercepts a runner’s access requests to other workloads and communicates with Aembit Cloud to obtain the necessary access credentials. This lets you implement Workload IAM without disrupting existing runners, and new runners need not handle authentication to downstream services at all. (Note: this integration is in beta and will be generally available soon.)

Your organization will be fully supported with either method of Aembit deployment. You may even use both depending on your situation. 
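The federation step in item 2 above and the API method above come down to the same check: before any credential is issued, the verifier must validate the job's ID token and match its claims against policy. The following is an added example, not Aembit's code or API, that models that check in Python. GitLab signs job ID tokens with RS256 and publishes its keys via the issuer's /.well-known/openid-configuration (jwks_uri); to run offline on the standard library, this demo signs with HS256 and a constructed key. The issuer, audience, project path, policy and the claims in the sample token are assumptions shaped like GitLab's documented ID token claims.

```python
"""Verify a GitLab CI ID token and decide whether to issue a credential.

Added example (not Aembit's code). Demo-only simplifications:
- HS256 with a constructed shared key so it runs on the standard library.
  Real GitLab ID tokens are RS256; verify them against the keys published
  under the issuer's /.well-known/openid-configuration (jwks_uri).
- Issuer, audience, project path and policy values are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed; demo only
ISSUER = "https://gitlab.example.com"                 # assumed GitLab instance
AUDIENCE = "https://aembit.example.com"               # assumed id_tokens.<name>.aud of the job

# Assumed policy: which jobs may obtain which credential.
POLICY = {
    "project_path": "acme/payments-api",
    "ref_protected": True,                  # only jobs on protected branches/tags
    "allowed_environments": {"production"},
    "credential": "db-reader",              # label for the credential that would be issued
}

_SEEN_JTI = set()  # redeemed token IDs: one job token buys exactly one credential


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for GitLab minting a job's ID token (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Structure, pinned algorithm, signature and time checks; raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm ("none", key confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # minted for some other relying party
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def evaluate_policy(claims: dict, policy: dict = POLICY) -> tuple:
    """Map verified claims to a decision: (allowed, credential-or-reason)."""
    if claims.get("project_path") != policy["project_path"]:
        return False, "project not allowed"
    # GitLab encodes ref_protected as the string "true"/"false"; accept a bool too.
    if policy.get("ref_protected") and str(claims.get("ref_protected")).lower() != "true":
        return False, "ref is not protected"
    allowed_envs = policy.get("allowed_environments")
    if allowed_envs and claims.get("environment") not in allowed_envs:
        return False, "environment not allowed"
    return True, policy["credential"]


def authorize(token: str, policy: dict = POLICY, now=None) -> tuple:
    """What the API call would do: verify the token, apply policy, redeem the token once."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as err:
        return False, str(err)
    decision = evaluate_policy(claims, policy)
    if decision[0]:
        if claims.get("jti") in _SEEN_JTI:
            return False, "token replayed"
        _SEEN_JTI.add(claims.get("jti"))
    return decision


def sample_claims(now: float, **overrides) -> dict:
    """Constructed claims shaped like a GitLab CI ID token for a job on a protected branch."""
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "iat": int(now), "nbf": int(now), "exp": int(now) + 300,
        "sub": "project_path:acme/payments-api:ref_type:branch:ref:main",
        "project_path": "acme/payments-api", "ref": "main", "ref_type": "branch",
        "ref_protected": "true", "environment": "production", "job_id": "8841",
        "runner_environment": "gitlab-hosted", "jti": "constructed-jti-1",
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    now = time.time()
    good = mint_demo_token(sample_claims(now))
    print("protected main, production:", authorize(good, now=now))
    print("same token presented again:", authorize(good, now=now))
```

The points a practitioner should take from this: pin the signature algorithm and the expected issuer and audience before looking at any other claim, so a token minted for a different relying party (or with "alg": "none") is rejected outright; base policy on claims the job cannot choose for itself (project_path, ref_protected, environment) rather than on a bare branch name; and redeem each token's jti at most once, which is what makes the credential genuinely per-job as item 3 above describes.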

Transforming CI/CD Security with Aembit

The introduction of the Aembit Access Management feature for CI/CD platforms represents a pivotal shift in how secrets and credentials are handled in the software development lifecycle. By ensuring that credentials are only available on-demand, securely managed, and thoroughly monitored, Aembit is setting new standards for security in CI/CD workflows.

We invite DevOps teams, security professionals, and software developers to give Aembit a try. We provide production-grade service for up to 10 workloads for free, and we’re happy to help you get set up and running.


Article source: https://securityboulevard.com/2024/05/introducing-aembit-access-management-for-ci-cd-platforms/