SPIFFE: In Theory and in Practice

Authors: Evan Gilman, Andrew Harding

SPIFFE is a platform-agnostic scheme that provides a uniform identity substrate to enable secure communication across different pieces of infrastructure running in different providers and with different runtimes or software platforms.
  • SPIFFE provides a stable notion of identity that allows for consistent application of security policy across different pieces of infrastructure.
  • SPIFFE brings a cryptographically verifiable document that can be presented to another party to assert identity and allow for authentication.
  • SPIFFE is just one piece of the puzzle and other actions must be taken to use the identity provided by SPIFFE.
  • SPIFFE is useful for modeling trust domains and providing strong security isolation between them.
The main challenge when dealing with infrastructure spread across different providers and runtimes is how to talk across these boundaries and apply security policy in a consistent way. SPIFFE provides a solution to this problem by providing a uniform identity substrate that stabilizes security policy and enables easier tracing, observability, and debugging across different verticals.
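As an added illustration of the two points above, not code from the talk or from the SPIFFE project itself: the identity SPIFFE provides is a SPIFFE ID of the form `spiffe://<trust-domain>/<path>`, and a service can apply one policy uniformly by parsing the peer's ID and treating the trust domain as the isolation boundary. The trust domain `example.org`, the caller paths and the allow-list below are constructed; the example assumes the peer's SVID signature has already been verified against the trust bundle by the TLS layer, so only the ID itself is evaluated here.

```python
"""Added example (not from the talk abstract or the SPIFFE project): parse SPIFFE
IDs strictly and enforce a trust-domain isolation policy on a peer's asserted
identity.  Assumes the SVID carrying the ID was already verified by the TLS
layer against the trust bundle; this code only evaluates the ID string."""
import re
from dataclasses import dataclass

# Character sets from the SPIFFE ID specification: the trust domain allows
# lowercase letters, digits, '.', '-' and '_'; path segments additionally allow
# uppercase letters.  Segments "." and ".." and empty segments are forbidden.
_TD_RE = re.compile(r"^[a-z0-9._-]+$")
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a trust-domain-only ID, else "/seg/seg"

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse 'spiffe://<trust-domain>/<path>'; raise ValueError on any deviation."""
    prefix = "spiffe://"
    if not raw.startswith(prefix):
        raise ValueError("scheme must be spiffe://")
    rest = raw[len(prefix):]
    td, sep, path = rest.partition("/")
    if not td or not _TD_RE.match(td):
        raise ValueError(f"invalid trust domain: {td!r}")
    if sep:
        segments = path.split("/")
        for seg in segments:  # rejects "", ".", ".." and odd characters
            if seg in ("", ".", "..") or not _SEG_RE.match(seg):
                raise ValueError(f"invalid path segment: {seg!r}")
        path = "/" + "/".join(segments)
    else:
        path = ""
    return SpiffeId(td, path)


# Constructed policy: the trust domain this service belongs to, and the
# workloads (by full SPIFFE ID) that may call it.
LOCAL_TRUST_DOMAIN = "example.org"
ALLOWED_CALLERS = frozenset({
    "spiffe://example.org/ns/prod/sa/payments",
})


def authorize(peer_id: str,
              allowed: frozenset = ALLOWED_CALLERS,
              local_td: str = LOCAL_TRUST_DOMAIN) -> bool:
    """Accept only peers from our own trust domain whose full ID is allow-listed.

    The trust-domain comparison is the isolation boundary: a peer from a
    foreign trust domain is rejected even if its path matches an allowed one.
    Malformed IDs are rejected rather than normalised.
    """
    try:
        sid = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    if sid.trust_domain != local_td:
        return False
    return str(sid) in allowed


if __name__ == "__main__":
    for pid in ("spiffe://example.org/ns/prod/sa/payments",
                "spiffe://other.example/ns/prod/sa/payments",
                "spiffe://example.org/ns/prod/sa/../sa/payments"):
        print(pid, "->", "allow" if authorize(pid) else "deny")
```

The same `authorize` function can sit in front of every service regardless of which provider or runtime hosts it, which is the "stable notion of identity" the bullets describe; a cross-trust-domain relationship would be expressed as an explicit federation rule rather than by loosening the domain check.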


Please join us on the maintainer track to learn more about the SPIFFE vision, its components, and how it fits into the cloud native landscape. In this session, we will do a short intro and deep dive on SPIFFE, followed by a Q&A. This will be an informal session - please bring your questions and use cases! We'll discuss recently completed work, where the project is headed, and how SPIFFE compares and contrasts with other seemingly similar options. Finally, stick around after the session for an extended meetup with the maintainers and other SPIFFE users.