The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services. At its core, SPIFFE is:

- A standard defining how services identify themselves to each other. These are called SPIFFE IDs and are implemented as Uniform Resource Identifiers (URIs).
- A standard for encoding SPIFFE IDs in a cryptographically-verifiable document called a SPIFFE Verifiable Identity Document (SVID).
- An API specification for issuing and/or retrieving SVIDs. This is the Workload API.

The SPIFFE Project has a reference implementation, SPIRE (the SPIFFE Runtime Environment), which in addition to the above:

- Performs node and workload attestation.
- Implements a signing framework for securely issuing and renewing SVIDs.
- Provides an API for registering nodes and workloads, along with their designated SPIFFE IDs.
- Provides and manages the rotation of keys and certs for mutual authentication and encryption between workloads.
- Simplifies access from identified services to secret stores, databases, service meshes and cloud provider services.
- Provides interoperability and federation with SPIFFE-compatible systems across heterogeneous environments and administrative trust boundaries.

SPIFFE is hosted by the Cloud Native Computing Foundation (CNCF) as an incubation-level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the CNCF announcement.
- Secure Production Identity Framework for Everyone (SPIFFE)
- The SPIFFE Identity and Verifiable Identity Document
- The X.509 SPIFFE Verifiable Identity Document
- The JWT SPIFFE Verifiable Identity Document
- The SPIFFE Trust Domain and Bundle
- The SPIFFE Workload Endpoint
- The SPIFFE Workload API
- spiffe: This repository includes the SPIFFE ID, SVID and Workload API specifications, example code, and tests, as well as project governance, policies, and processes.
- spire: This is a reference implementation of SPIFFE and the SPIFFE Workload API that can be run on and across varying hosting environments.
- go-spiffe: Golang client libraries.
- java-spiffe: Java client libraries.
- Slack (Join here).
- email@example.com (View or join here).
- firstname.lastname@example.org (View or join here).
- email@example.com (View or join here).
Most community activity is organized into Special Interest Groups (SIGs), time-bounded working groups, and our monthly community-wide meetings. SIGs follow these guidelines, although each may operate differently depending on their needs and workflows. Each group's material can be found in the /community directory of this repository.
| SIG-Community | Umair Khan (HPE) | Here | Here | Notes |
| SIG-Spec | Evan Gilman (VMware) | Here | Here | Notes |
| SIG-SPIRE | Andres Vega (VMware), Daniel Feldman (HPE) | Here | Here | Notes |
The SPIFFE Steering Committee meets on a regular cadence to review project progress, address maintainer needs, and provide feedback on strategic direction and industry trends. Community members interested in joining this call can find details below.
To contact the SSC privately, please send an email to firstname.lastname@example.org.