SPIFFE
What is SPIFFE?
SPIFFE: An open standard for assigning cryptographic, portable identities to software workloads using URI-based SPIFFE IDs and short-lived X.509 or JWT SVIDs.
SPIFFE (Secure Production Identity Framework For Everyone) is a CNCF standard that defines how workloads — containers, VMs, services — receive verifiable, cryptographic identities independent of network location. A SPIFFE ID is a URI of the form spiffe://trust-domain/path that uniquely names a workload. Identities are issued as SVIDs (SPIFFE Verifiable Identity Documents), either X.509 certificates for mTLS or JWTs for tokenized auth. Trust domains define the boundary of a SPIFFE deployment, with a top-level federation enabling cross-organization trust. SPIFFE is the identity foundation for Istio, Kuma, SPIRE, and many zero-trust architectures, replacing static credentials with automatically rotated, attested workload identities.
● Examples
- 01 spiffe://prod.example/ns/payments/sa/checkout, the identity for the checkout service account in the payments namespace.
- 02 An mTLS connection where each side validates a SPIFFE X.509 SVID instead of a static client cert.
● Frequently asked questions
What is SPIFFE?
An open standard for assigning cryptographic, portable identities to software workloads using URI-based SPIFFE IDs and short-lived X.509 or JWT SVIDs. It belongs to the Cloud Security category of cybersecurity.
What does SPIFFE mean?
An open standard for assigning cryptographic, portable identities to software workloads using URI-based SPIFFE IDs and short-lived X.509 or JWT SVIDs.
How does SPIFFE work?
SPIFFE (Secure Production Identity Framework For Everyone) is a CNCF standard that defines how workloads — containers, VMs, services — receive verifiable, cryptographic identities independent of network location. A SPIFFE ID is a URI of the form spiffe://trust-domain/path that uniquely names a workload. Identities are issued as SVIDs (SPIFFE Verifiable Identity Documents), either X.509 certificates for mTLS or JWTs for tokenized auth. Trust domains define the boundary of a SPIFFE deployment, with a top-level federation enabling cross-organization trust. SPIFFE is the identity foundation for Istio, Kuma, SPIRE, and many zero-trust architectures, replacing static credentials with automatically rotated, attested workload identities.
How do you defend against SPIFFE?
SPIFFE is itself a defensive identity control rather than a threat; securing a SPIFFE deployment combines technical controls and operational practices, as described in the full definition above.
What are other names for SPIFFE?
Common alternative names include: Secure Production Identity Framework For Everyone.
● Related terms
- SPIRE Runtime (cloud-security): The reference open-source implementation of SPIFFE: a server-and-agent system that attests workloads and issues short-lived X.509 or JWT SVIDs.
- Workload Identity (cloud-security): A cryptographic identity assigned to a service, container, or function so it can authenticate to other systems without long-lived shared secrets.
- Service Mesh Security (cloud-security): The set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
- Istio Security (cloud-security): The security feature set of the Istio service mesh: workload identity via SPIFFE, automatic mutual TLS, and AuthorizationPolicy/RequestAuthentication for fine-grained access control.
- Zero Trust Network (network-security): A network architecture that never trusts users, devices, or services by default and enforces continuous, identity-aware verification of every connection.