Inspired by production infrastructure at Facebook, Google, Netflix, and more, SPIFFE is a set of open-source standards for securely authenticating software services in dynamic and heterogeneous infrastructures through platform-agnostic, cryptographic identities. SPIRE is an open-source system that implements the SPIFFE specification in a wide variety of environments.

Together, the projects deliver a foundational capability, service identity, for cloud- and container-deployed microservices. They enable organizations to deploy consistent, fine-grained cross-service authentication via a “dial-tone” API across heterogeneous environments.

SPIFFE and SPIRE are graduated projects from the Cloud Native Computing Foundation (CNCF). Joining the group of 16 already graduated projects,  including HELM and Kubernetes, SPIFFE and SPIRE projects have received contributions from Bloomberg, Google, Pinterest, Square, Uber, and others and have grown to become a foundational layer within the cloud native ecosystem. These projects integrate with multiple cloud native technologies and projects, such as Istio, Envoy, gPRC, and OPA (Open Policy Agent).

• Project web site at CNCF

You can download an eBook that presents the SPIFFE standard for service identity, and SPIRE, the reference implementation for SPIFFE here.

Learn from the experts

Introduction to SPIFFE and SPIRE

In this lightboard video, Evan Gilman, co-author of O’Reilly’s book Zero Trust Networks and a maintainer for SPIRE, provides an overview of CNCF’s SPIFFE and SPIRE Projects. Evan goes into the security issues that SPIFFE/SPIRE solve and how through workload identity attestation.

How to prevent software supply chain attacks using SPIRE and Sigstore

In this video, Daniel Feldman, Cloud Security Architect at HPE, shows how HPE is using the innovative Open Source project SPIRE (the SPIFFE Runtime Environment) with Sigstore integration. He covers how it is used to establish trust between workloads, secure and prevent complex cyber attacks on the software supply chain, and protect modern infrastructure environments.

GitHub repositories

• spiffe: This repository includes the SPIFFE ID, SVID and Workload API specifications, example code, and tests, as well as project governance, policies, and processes.
• spire: This is a reference implementation of SPIFFE and the SPIFFE Workload API that can be run on and across varying hosting environments.
• go-spiffe: Golang client libraries.
• java-spiffe: Java client libraries
• py-spiffe: Python client libraries
• c-spiffe: C client libraries

Integrations

• Tutorial on how to configure the Envoy proxy with SPIFFE and SPIRE
• Tutorial on how to configure Istio with SPIRE. The Istio integration was contributed to by HPE engineers, and is now part of Istio, since V1.14.

Workshops-on-Demand

Take advantage of our free, Jupyter-Notebook based Workshops-on-Demand available in the Hack Shack. These technical workshops provide you with an in-depth, hands-on learning experience where you can interact with and learn from the experts. Designed to fit your schedule, these workshops are available 24/7 – any time, from anywhere. SPIFFE and SPIRE workshops are available today.

Any questions on SPIFFE?

Join the SPIFFE Slack Workspace and start a discussion.