
Multi-Cloud Workload Identity With SPIFFE

2022-05-20

Authors: Charlie Egan, Jake Sanders


Summary

The presentation discusses the use of standardized workload identities to improve security and to simplify the move from on-prem and hybrid environments to clouds.
  • Standardized identities, such as SPIFFE, can improve security and simplify the move from on-prem and hybrid environments to clouds.
  • The presentation demonstrates a toy example in which a workload uses a SPIFFE connector server to obtain short-lived cloud credentials.
  • The SPIFFE connector server is configured with an ACL that controls which workloads may obtain which credentials.
  • The presentation includes a live demo of the toy example, showing the deployment of the SPIFFE connector server and an example workload with a sidecar.
  • The demo illustrates how the SPIFFE connector server issues short-lived credentials to the workload, which the workload then uses to access cloud APIs.
  • Standardized identities improve security by enabling better auditing of, and control over, which workloads have access to which credentials.
The presenter explains that standardized identities simplify the move from on-prem and hybrid environments to clouds because each workload can be issued a single identity document: a signed X.509 certificate. This certificate can be minted from an internal CA, which gives better auditing of, and control over, which identities have been issued and who should be using them, and so simplifies managing identities across different environments and clouds.
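The broker pattern described above, as an added illustration that is not spiffe-connector's code or configuration format: it assumes the TLS layer has already verified the workload's X.509 SVID against the trust bundle and extracted its SPIFFE ID (the URI SAN), so the module only models the ACL check and the short-lived credential issuance; the trust domain, SPIFFE IDs and credential names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse
import secrets

# Constructed trust domain: the broker only serves identities it issued itself.
TRUST_DOMAIN = "example.org"

# Constructed ACL: which SPIFFE ID may obtain which cloud credential.
ACL: Dict[str, List[str]] = {
    "spiffe://example.org/ns/prod/sa/uploader": ["cloud-a:bucket-writer"],
    "spiffe://example.org/ns/dev/sa/ci": ["cloud-b:artifact-reader"],
}


@dataclass
class Credential:
    spiffe_id: str       # workload the credential was issued to (audit trail)
    name: str            # which cloud credential was brokered
    token: str           # stand-in for the provider-issued short-lived token
    expires_at: datetime


def parse_spiffe_id(spiffe_id: str) -> Tuple[str, str]:
    """Return (trust_domain, path); raise ValueError for a malformed ID."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc or u.query or u.fragment:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id!r}")
    return u.netloc, u.path


def issue_credential(spiffe_id: str, wanted: str, ttl_s: int = 900) -> Optional[Credential]:
    """Issue a short-lived credential if the ACL allows it, otherwise None."""
    trust_domain, _path = parse_spiffe_id(spiffe_id)
    if trust_domain != TRUST_DOMAIN:          # never honour a foreign trust domain
        return None
    if wanted not in ACL.get(spiffe_id, []):  # exact-match ACL lookup, deny by default
        return None
    # A real broker would exchange the SVID for a provider token here; the random
    # token stands in for that cloud-issued credential and carries a short TTL.
    expires_at = datetime.now(timezone.utc) + timedelta(seconds=ttl_s)
    return Credential(spiffe_id, wanted, secrets.token_urlsafe(32), expires_at)


def is_valid(cred: Credential, now: Optional[datetime] = None) -> bool:
    """Short-lived credentials must be rejected once their TTL has passed."""
    return (now or datetime.now(timezone.utc)) < cred.expires_at
```

The sidecar in the demo would call the broker over mTLS with its SVID; here the caller passes the SPIFFE ID directly so the check runs offline.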

Abstract

Within a single cloud provider, accessing secured APIs using your own workload identity is simple. Cloud SDKs used by application developers know how to retrieve identities and credentials from the cloud environment for each workload based on its context. A cloud administrator can then assign permissions to these identities which allow access to the required APIs. This is seamless for developers - simply calling an API in their code just works, while behind the scenes the network call is cryptographically authenticated and authorized. Unfortunately for the user, this identity is cloud-specific. With few alternatives, this often leads to long-lived credentials being mounted into workloads instead, which is less secure and harder to use. This presentation will show an alternative solution which combines features of the open source CNCF projects Kubernetes, cert-manager, cert-manager-csi-driver-spiffe, cert-manager-trust and spiffe-connector to expand your SPIFFE trust domain to any cloud.
