SPIFFE secrets engine
Enterprise
Appropriate Vault Enterprise license required
The spiffe secrets engine mints SPIFFE JWT-SVIDs from a per-role template that can
interpolate identity information about the requesting entity.
The minted JWTs can be made OIDC-compatible (see jwt_oidc_compatibility_mode in the engine configuration below), in which case you can use them the same way as JWT tokens minted by the identity secrets engine.
Setup
Each SPIFFE backend instance (mount) serves a single trust domain. The plugin uses roles to define the templates that determine the claims in the minted JWTs.
- Enable the SPIFFE secrets engine.
$ vault secrets enable spiffe
Success! Enabled the spiffe secrets engine at: spiffe/
- Configure its trust domain.
$ vault write spiffe/config trust_domain=example.org
Key Value
--- -----
bundle_refresh_hint 3600
jwt_issuer_url n/a
jwt_oidc_compatibility_mode false
jwt_signing_algorithm RS256
key_lifetime 86400
trust_domain example.org
- Configure a role. The template is a JSON object of claims; here sub is a SPIFFE ID inside the trust domain configured above, and ttl=5m bounds the lifetime of tokens minted through the role (reported in seconds in the output).
$ vault write spiffe/role/role1 template='{"sub": "spiffe://example.org/workload"}' ttl=5m
Key Value
--- -----
name role1
template {"sub": "spiffe://example.org/workload"}
ttl 300
use_jti_claim false
Usage
Minting a JWT-SVID requires only an audience; the remaining claims come from the role's template and TTL.
$ vault write spiffe/role/role1/mintjwt audience=my-aud
Integrate with another Vault's SPIFFE auth method
The SPIFFE secrets engine exposes an endpoint, trust_bundle/web, that serves
the trust bundle. Clients call it to fetch the public keys needed to validate
JWTs minted by the plugin. This is what allows a minted JWT-SVID to authenticate
to another Vault cluster running the SPIFFE auth method: that cluster validates
the token's signature against the bundle before trusting its claims. The
bundle_refresh_hint value (3600 seconds in the configuration above) tells consumers
how often to re-fetch the bundle so that signing-key rotation (key_lifetime) is picked up.
At this time the SPIFFE secrets engine cannot be integrated with SPIRE federation, since that requires X.509-SVID support.
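The validation a relying party has to perform against that bundle, as an added example that is not Vault's or the SPIFFE plugin's own code: a stdlib-only Python script that mints a JWT-SVID the way the mintjwt endpoint would (a locally generated RS256 key stands in for the backend's signing key), publishes the public key in a JWKS-shaped bundle (the exact document format served by trust_bundle/web is an assumption here), and then validates the token the way another Vault's SPIFFE auth method must: algorithm pinned to RS256, key looked up by kid in the bundle, signature verified, exp enforced, audience matched, and sub required to be a SPIFFE ID inside the configured trust domain. The ISSUER value and the key size are assumptions; the page's configuration shows jwt_issuer_url as n/a.

```python
"""Validate a JWT-SVID against a trust bundle, stdlib only (Python 3.8+).
Added example, not code from Vault or the SPIFFE secrets engine: mint_jwt_svid
stands in for 'vault write spiffe/role/<role>/mintjwt', the bundle is assumed to
be JWKS-shaped, and ISSUER is an assumed jwt_issuer_url (the page's config shows n/a)."""
import base64, hashlib, json, secrets, time

TRUST_DOMAIN = "example.org"          # from 'vault write spiffe/config trust_domain=...'
ISSUER = "https://vault.example.org"  # assumption, see above
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, used only to build a toy signing key for the offline demo."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full-length and odd
        if is_probable_prime(c):
            return c

def generate_rsa_key(bits: int = 1024) -> dict:
    """Toy RSA key standing in for the backend's signing key (key_lifetime rotates the real one)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "kid": secrets.token_hex(8)}

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus, i.e. RS256."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(msg, k)

def trust_bundle(key: dict) -> dict:
    """What a relying party fetches from spiffe/trust_bundle/web (JWKS shape is assumed)."""
    enc_int = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key["kid"],
                      "n": enc_int(key["n"]), "e": enc_int(key["e"])}]}

def mint_jwt_svid(key: dict, template: dict, audience: str, ttl: int, now: int = None) -> str:
    """Stand-in for the mintjwt endpoint: role template claims plus aud/iss/iat/exp."""
    now = int(time.time()) if now is None else now
    claims = {**template, "aud": [audience], "iss": ISSUER, "iat": now, "exp": now + ttl}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": key["kid"]}) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def validate_jwt_svid(token: str, bundle: dict, audience: str, trust_domain: str, now: int = None) -> dict:
    """Checks a relying party (e.g. another Vault's SPIFFE auth method) must make; raises ValueError."""
    now = int(time.time()) if now is None else now
    h_b64, c_b64, s_b64 = token.split(".")  # ValueError on a malformed token
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = next((k for k in bundle["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h_b64}.{c_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # exp is mandatory for JWT-SVIDs
        raise ValueError("expired or missing exp")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not str(claims.get("sub", "")).startswith(f"spiffe://{trust_domain}/"):  # SPIFFE ID in our domain
        raise ValueError("sub outside trust domain")
    return claims
```

To use it against a real mount, fetch spiffe/trust_bundle/web and pass the document as bundle once its shape is confirmed to match the assumed JWKS layout. Two of the checks matter most in practice: rejecting any alg other than the one the engine is configured for (jwt_signing_algorithm) closes off algorithm-confusion attacks, and requiring sub to sit under spiffe://<trust_domain>/ keeps a token that names a different trust domain from being accepted even if its signature verifies.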
Integrate with OIDC
The SPIFFE secrets engine includes two endpoints that allow OIDC providers to validate the JWTs it mints:
SPIFFE secrets engine API
The SPIFFE secrets engine has a full HTTP API. Refer to the SPIFFE secrets engine documentation for more details.