SPIFFE IDs & SVIDs

Trust domains, X.509 vs JWT identity documents.

Advanced35 min · lesson 4 of 15

SPIFFE — Secure Production Identity Framework For Everyone — is the open standard that makes workload identity portable and verifiable across clusters, clouds, and even VMs. It defines what a workload identity is and how it is proven, which is the vocabulary every mesh and identity system in this course speaks.

SPIFFE IDs and SVIDs

A SPIFFE ID is a URI of the form spiffe://trust-domain/path — for example spiffe://acme.internal/ns/prod/sa/payments — that names a workload within a trust domain. The workload proves it holds that identity by presenting an SVID (SPIFFE Verifiable Identity Document), which comes in two forms: an X.509-SVID (a certificate, ideal for mTLS between services) or a JWT-SVID (a token, ideal for request-level authentication across L7 proxies). The trust domain is the root of trust — a CA under which all its identities are issued and verified — and a trust bundle is the set of public keys used to verify SVIDs from a domain.

the anatomy of a SPIFFE identity
# SPIFFE ID — a URI naming a workload in a trust domain:
spiffe://acme.internal/ns/prod/sa/payments
# └── trust domain ──┘└─── path (who) ───┘
# SVID — the credential proving that ID:
# X.509-SVID : a short-lived cert with the SPIFFE ID in a URI SAN → mTLS
# JWT-SVID : a short-lived token with the SPIFFE ID as subject → L7 / requests
# Trust bundle: the public roots used to VERIFY SVIDs from a trust domain.

Why a standard matters

Before SPIFFE, every platform invented its own workload-identity scheme, so identities did not travel — a Kubernetes service account meant nothing to a VM or another cloud. SPIFFE gives one portable identity plane: the same identity model works for pods, VMs, serverless, and across organizations, and any SPIFFE-aware system (Istio, Linkerd, SPIRE, cloud services) can consume it. That portability is what enables federation across trust domains and consistent authentication in heterogeneous environments. SPIFFE defines the identity; SPIRE (next lesson) is the runtime that actually issues and rotates it.

SPIFFE identity model
the identity
SPIFFE ID (URI)
spiffe://domain/path
trust domain
the root of trust (a CA)
proving it
X.509-SVID
cert for mTLS
JWT-SVID
token for L7/requests
trust bundle
public roots to verify SVIDs
A portable, verifiable identity for any workload anywhere. This standard is what the meshes and federation later build on.
A trust domain is a security boundary — scope it deliberately
Every workload in a trust domain shares a root CA and can be issued identities under it. Sprawling one trust domain across unrelated environments blurs the blast radius of a CA compromise. Define trust domains to match real administrative and trust boundaries, and connect them with federation rather than merging everything under one root.