SPIRE Use Cases

This is list of the prioritized use cases that the project team intends to support with SPIRE.

Use Case	Description	Method	What does a user need to know?
SPIFFE to SPIFFE authentication using an in-application client library	Two SPIFFE-identitifed workloads need to authenticate and establish an mTLS connection between each other. This method can't be used when a Layer 7 load balancer or web application firewall is between the two workloads.	Java client library or C client library or Go client library	How to install a SPIRE Server on their target environment (Linux or Kubernetes) How to install a SPIRE Agent on their target environment, and configure Node Attestation (Linux or Kubernetes) How to configure workload attestation to identify their target workload (Linux or Kubernetes) How to retrieve and validate X.509-SVIDs from their workload in their language of choice, or using their proxy of choice
SPIFFE to SPIFFE authentication with JWT tokens and using an in-application client library	Two SPIFFE-identitifed workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality.	Java client library or C client library or Go client library	As for "SPIFFE to SPIFFE authentication using mTLS" but also: Why they might choose to use JWTs to authenticate workloads How to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice
SPIFFE to SPIFFE workload authentication with mTLS and using the Envoy proxy	Two SPIFFE-identitifed workloads need to authenticate and establish an mTLS connection to authenticate the channel. This method can't be used when a Layer 7 load balancer or web application firewall is between the two workloads.	Envoy proxy	As for "SPIFFE to SPIFFE authentication using mTLS" but also: How to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice
SPIFFE to SPIFFE workload authentication with JWT and using the Envoy proxy	Two SPIFFE-identitifed workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality.	Envoy proxy	As for "SPIFFE to SPIFFE authentication using mTLS" but also: Why they might choose to use JWTs to authenticate workloads How to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice
SPIFFE to SPIFFE authentication using JWTs	Two SPIFFE-identitifed workloads need to authenticate. This method can usually be used when a Layer 7 load balancer or web application firewall is between the two workloads, but doesn't provide encryption/confidentiality.	Java client library C client library Go client library Envoy proxy	As for "SPIFFE to SPIFFE authentication using mTLS" but also: Why they might choose to use JWTs to authenticate workloads How to retrieve and validate JWT-SVIDs from their workload in their language of choice, or using their proxy of choice
Authenticating to a datastore - MySQL	A SPIFFE-identified workload is authenticating to MySQL using an SVID-X.509, and should assume a set of entitlements in MySQL when it does.	X.509 authentication (configuration specific to MySQL)	As for "SPIFFE to SPIFFE authentication using mTLS" but also: How to configure a "Bundle Pusher" on MySQL How to configure MySQL to allow authentication using X.509-SVIDs How to configure a MySQL client to use the X.509-SVID and key to authenticate to MySQL
Authenticating to a cloud platform - AWS	A SPIFFE-identified workload is authenticating to Amazon Web Services (note: not a workload running on AWS), and should assume a specific AWS IAM role when it does. See also: Walkthrough from Engineering	OIDC federation to AWS and JWT authentication	As for "SPIFFE to SPIFFE authentication using JWTs" but also: How to configure the SPIFFE Federation endpoint in the context of OIDC How to configure Amazon Web Services to consume the Federation Endpoint How to configure Amazon Web Services to associate AWS IAM roles with a SPIFFE ID How to exchange a retrieved SVID for an AWS STS token
Authenticating to a workload running in an Istio service mesh	A customer wishes to authenticate a SPIFFE-identified workload that was identified by a SPIRE server to a workload running in an Istio cluster, and vice-versa..	(likely) SPIFFE Federation	To be determined
Authenticating two workloads on two different SPIRE installations	A customer wishes to authenticate two SPIFFE-identified workload workloads that are identified by two different SPIRE Servers.	SPIFFE Federation	As for "SPIFFE to SPIFFE authentication using JWTs" but also: How to configure each server to expose it's SPIFFE Federation endpoint using ACME How to configure each server to retrieve trust bundles from the other server (using the federate_with configuration option) How to modify registration entires so that they are federated with other trust domains
Authenticating to a cloud platform - Azure	A SPIFFE-identified workload is authenticating to Azure (note: not a workload running on Azure), and should assume a specific set of MSP entitlements when it does.	OIDC federation to Azure and JWT authentication	Likely similar to "Authenticating to a cloud platform - AWS"
Authenticating to a cloud platform - Google Cloud Platform	A SPIFFE-identified workload is authenticating to Google Cloud Platform (note: not a workload running on Azure), and should assume a specific IAM role when it does.	OIDC federation to GCP and JWT authentication	Likely similar to "Authenticating to a cloud platform - AWS"
Authenticating to a secret store - Hashicorp Vault	A SPIFFE-identified workload is authenticating to Vault using an SVID, and should assume a specific Vault role when it does.	To be determined	To be determined
Authenticating to a datastore - Postgres	A SPIFFE-identified workload is authenticating to Postgres using an SVID-X.509, and should assume a set of entitlements in Postgres when it does.	X.509 authentication (configuration specific to Postgres)	To be determined
Authenticating to a message queue - RabbitMQ	A SPIFFE-identified workload is authenticating to RabbitMQ using an SVID-X.509, and should assume a set of entitlements in RabbitMQ when it does.	X.509 authentication (configuration specific to RabbitMQ)	To be determined
Attesting only signed workloads using Notary	A customer wishes to only issue SPIFFE identities to a container that has been signed by with a Notary signature that indicates it has been processed by the customers' CI/CD system	Configuring a Notary workload attestor	To be determined
Using SPIRE with Envoy and OPA for access policy management	A customer wishes to use SPIRE in conjunction with Open Policy Agent and either the Envoy proxy or in-application client libraries for turn-key authentication and authorization.	Envoy proxy + OPA sidecar in Kubernetes	To be determined
Use SPIRE to authenticate Kubernetes human operators securely to a Kubernetes cluster	Users of Kubernetes need to authenticate to the cluster as a user when they run their kubeproxy or kubectl tools. SPIRE could issue JWTs or X.509 certificates that could be used to identify users to the cluster. The JWTs could be based on a combination of existing user identity (eg. an OIDC directory) and node identity (eg. via a ubikey). Some OSS projects also enable this in limited forms (eg. kube-oidc-proxy and Jenkins SSO operator)	To be determined	To be determined
Use SPIRE to securely bootstrap the components of a distributed Kubernetes cluster	Setting up a Kubernetes cluster requires trust (in the form of X.509 certificates) to be established between member nodes. While there are tools (eg. kubeadm/kops) to automate this, customers may wish to leverage SPIRE attestation to do this based on stronger roots of trust (eg. TPMs)	To be determined	To be determined