Build Systems that Drive Business
30–31 Oct 2018: Training
31 Oct–2 Nov 2018: Tutorials & Conference
London, UK

Building trust between distributed systems with SPIFFE

Sabree Blackmon (Scytale)
15:4016:20 Friday, 2 November 2018
Building Secure Systems
Location: Park Suite (St. James / Regents)
Secondary topics:  Systems Architecture & Infrastructure
Average rating: ***..
(3.50, 2 ratings)

Prerequisite knowledge

  • Familiarity with security, PKI, and cloud infrastructure (useful but not required)

What you'll learn

  • Explore the SPIFFE and SPIRE projects, which provide an open standard and toolchain for trusted communication in modern cloud computing environments


Modern infrastructure patterns like microservices, container orchestration, and hybrid and multicloud deployments have turned conventional models for data center authentication and security on their heads. In the face of highly dynamic compute and network resources, a new challenge has risen: how to authenticate and trust service-to-service communication in this brave new world. Enter the problem known as workload identity.

Sabree Blackmon explores the challenges in solving this problem, from what kind of credentials to settle on and how to rotate them to how to automatically (and securely) bootstrap trust to issue them and how to make sure a wide variety of external systems can authenticate them appropriately. Sabree then offers an overview of SPIFFE and SPIRE, open source projects sponsored by the Linux foundation aimed at solving these problems.

Inspired by similar infrastructure developed at Google, Twitter, and Netflix, SPIFFE was first proposed by Joe Beda at GlueCon 2016, and SPIRE, an open source implementation was first announced at KubeCon Austin in 2017, where it received widespread interest. It is fast emerging as an important component for providing “dial-tone” authentication for distributed systems running in hybrid environments. Sabree concludes by discussing some of the emerging real-world applications of SPIRE, including JWT token signing, secure introduction to Vault and Envoy, and how SPIRE can form the foundation of an organization-wide service mesh.

Photo of Sabree Blackmon

Sabree Blackmon


Sabree Blackmon is a technologist and developer advocate at Scytale, where he helps organize the SPIFFE and SPIRE open source communities while also mentoring engineers on application identity and security.