SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.

Distributed design patterns and practices such as micro-services, container orchestrators, and cloud computing have led to production environments that are increasingly dynamic and heterogeneous. Conventional security practices (such as network policies that only allow traffic between particular IP addresses) struggle to scale under this complexity. A first-class identity framework for workloads in an organization becomes necessary.

Further, modern developers are expected to understand and play a role in how applications are deployed and managed in production environments. Operations teams require deeper visibility into the applications they are managing. As we move to a more evolved security stance, we must offer better tools to both teams so they can play an active role in building secure, distributed applications.

SPIFFE is a set of open-source specifications for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries. The heart of these specifications is the one that defines short lived cryptographic identity documents – called SVIDs via a simple API. Workloads can then use these identity documents when authenticating to other workloads, for example by establishing a TLS connection or by signing and verifying a JWT token.

You can read more about how the SPIFFE APIs are defined and used in the Concepts guide.

Which Tools Implement SPIFFE?

SPIFFE comprises many specifications, each providing different parts of the SPIFFE functionality. Software that implements SPIFFE may support some or all of these functionalities. The following tables captures software that’s capable of providing your infrastructure with SPIFFE identities, along with the functionalities they support.

Open Source Software That Implements SPIFFE

Commercial Software That Implements SPIFFE

Explanation of Columns - Software that Implements SPIFFE

X.509 SVID

Can generate X.509 SVIDs for workloads

JWT SVID

Can generate JWT SVIDs for workloads

Attestation-based Issuance

Leverages node and/or workload attestation for issuing SVIDs

Workload API

Can serve the Workload API for automatic rotation

SDS API

Can serve Envoy SDS API

SPIFFE Federation

Can serve and consume the SPIFFE Federation API

OIDC Federation

Can serve OIDC Federation API

PKI Integration

Can leverage existing or external PKI for X.509 SVID issuance

Kubernetes Support

Supports workloads running in Kubernetes

VM and Bare Metal Support

Supports workloads running in VMs or on bare metal

Serverless Support

Supports workloads running in serverless environments

Which Tools Work with SPIFFE?

SPIFFE enjoys a broad ecosystem, with many software projects, products, and platforms providing SPIFFE support in one way or another. While SPIFFE works with any software that knows how to use a JWT or an X.509 certificate, the following list captures software that supports SPIFFE as a first class citizen, along with the level of support they provide.

Open Source Software that Works with SPIFFE

Commercial Software that Works with SPIFFE

Explanation of Columns - Software that Works with SPIFFE

X.509 SVID

Supports X.509 SVID-based authentication

JWT SVID

Supports JWT SVID based authentication

SPIFFE Authentication

Supports federated SPIFFE authentication based on trust domain name

Workload API

Supports attaching to the SPIFFE Workload API