The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services. At its core, SPIFFE is:
-
A standard defining how services identify themselves to each other. These are called SPIFFE IDs and are implemented as Uniform Resource Identifiers (URIs).
-
A standard for encoding SPIFFE IDs in a cryptographically-verifiable document called a SPIFFE Verifiable Identity Document or SVIDs.
-
An API specification for issuing and/or retrieving SVIDs. This is the Workload API.
The SPIFFE Project has a reference implementation, the SPIRE (the SPIFFE Runtime Environment), that in addition to the above, it:
-
Performs node and workload attestation.
-
Implements a signing framework for securely issuing and renewing SVIDs.
-
Provides an API for registering nodes and workloads, along with their designated SPIFFE IDs.
-
Provides and manages the rotation of keys and certs for mutual authentication and encryption between workloads.
-
Simplifies access from identified services to secret stores, databases, services meshes and cloud provider services.
-
Interoperability and federation to SPIFFE compatible systems across heterogeneous environments and administrative trust boundaries.
SPIFFE is hosted by the Cloud Native Computing Foundation (CNCF) as an incubation-level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the CNCF announcement.
- Secure Production Identity Framework for Everyone (SPIFFE)
- The SPIFFE Identity and Verifiable Identity Document
- The X.509 SPIFFE Verifiable Identity Document
- The JWT SPIFFE Verifiable Identity Document
- The SPIFFE Trust Domain and Bundle
- The SPIFFE Workload Endpoint
- The SPIFFE Workload API
- spiffe: This repository includes the SPIFFE ID, SVID and Workload API specifications, example code, and tests, as well as project governance, policies, and processes.
- spire: This is a reference implementation of SPIFFE and the SPIFFE Workload API that can be run on and across varying hosting environments.
- go-spiffe: Golang client libraries.
- java-spiffe: Java client libraries
- Slack (Join here).
- announce@spiffe.io (View or join here).
- dev-discussion@spiffe.io (View or join here).
- user-discussion@spiffe.io (View or join here).
Most community activity is organized into Special Interest Groups (SIGs), time-bounded working groups, and our monthly community-wide meetings. SIGs follow these guidelines, although each may operate differently depending on their needs and workflows. Each group's material can be found in the /community directory of this repository.
Name | Lead | Group | Slack Channel | Meetings |
---|---|---|---|---|
SIG-Community | Umair Khan (HPE) | Here | Here | Notes |
SIG-Spec | Evan Gilman (VMware) | Here | Here | Notes |
SIG-SPIRE | Andres Vega (VMware) | Daniel Feldman (HPE) | Here | Here | Notes |
Follow the SPIFFE Project You can find us on Github and Twitter.
The SPIFFE Steering Committee meets on a regular cadence to review project progress, address maintainer needs, and provide feedback on strategic direction and industry trends. Community members interested in joining this call can find details below.
- Calendar: iCal or Browser-based
- Meeting Notes: Google Doc
- Call Details: Zoom Link
To contact the SSC privately, please send an email to ssc@spiffe.io.