
Don't Mind the Gap: Securely Accessing Cloud Resources From Anywhere With SPIFFE/SPIRE

2022-10-26

Authors: Evan Gilman


Summary

The presentation discusses how to use SPIFFE/SPIRE to securely access cloud resources from anywhere without having to generate, store, or manage API keys.
  • SPIFFE and SPIRE enable identity federation for cloud native workloads
  • SPIFFE IDs are structured strings that include a trust domain name and service name
  • Trust domains are security domains that have a one-to-one relationship with a set of identity issuers
  • SPIRE can be used to securely access AWS, Azure, and GCP resources without a secret access key
The speaker describes accessing cloud services from anywhere without having to manage API keys as a powerful feature of SPIFFE/SPIRE. It removes headaches such as encryption at rest, tokens that never expire, and manual rotation processes. The speaker also notes that the exploding trust domain problem is a common issue, particularly in larger-scale deployments, and that it can be addressed with nested architectures and tree-like topologies that provide scale and reliability.
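The points above about SPIFFE ID structure and trust domains can be made concrete with a short validator and authorization check. This is an added example, not code from the talk or from the SPIFFE/SPIRE projects. It assumes a strict reading of the SPIFFE ID character rules, and the trust domains, paths and the `ALLOWED` policy are hypothetical.

```python
import re

# Character rules as read from the SPIFFE ID specification (strict interpretation).
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]{1,255}")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


class InvalidSpiffeID(ValueError):
    pass


def parse_spiffe_id(value):
    """Split a SPIFFE ID into (trust_domain, path); raise InvalidSpiffeID if malformed."""
    if len(value.encode("utf-8")) > 2048:
        raise InvalidSpiffeID("longer than 2048 bytes")
    if not value.startswith("spiffe://"):
        raise InvalidSpiffeID("scheme must be spiffe")
    trust_domain, slash, path = value[len("spiffe://"):].partition("/")
    # Rejects uppercase, ports, userinfo and empty names in one check.
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise InvalidSpiffeID("invalid trust domain")
    if slash:
        for segment in path.split("/"):
            # Empty segments (trailing or double slash), dot segments, and
            # query/fragment characters are all refused.
            if segment in (".", "..") or not _SEGMENT.fullmatch(segment):
                raise InvalidSpiffeID("invalid path segment")
    return trust_domain, slash + path


# Constructed policy: hypothetical trust domains and workload paths.
ALLOWED = {
    "prod.example.org": {"/billing/report-writer"},
    "partner.example.com": {"/etl/exporter"},
}


def is_authorized(spiffe_id, policy=ALLOWED):
    """Allow only an exact (trust domain, path) pair; malformed IDs are denied."""
    try:
        trust_domain, path = parse_spiffe_id(spiffe_id)
    except InvalidSpiffeID:
        return False
    return path in policy.get(trust_domain, set())
```

The same path under a different trust domain is a different identity from a different issuer, so the check keys on the pair rather than on the path alone.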

Abstract

Of all the things you can do with SPIFFE and SPIRE, accessing cloud services from anywhere without having to generate, store, or manage API keys is a particularly powerful one. Without it, answering simple questions such as "How can I access an S3 bucket from Azure?" means solving for headaches like encryption at rest, tokens that never expire, and manual rotation processes. Unfortunately, this is still par for the course in many environments, but SPIRE is here to help. In this session, we will go over the basics of identity federation with SPIFFE and SPIRE, which brings the "Sign in with Google" experience to cloud native workloads. We'll discuss how this approach compares to others, and demonstrate how you can use it to securely access AWS resources and more without a secret access key.
