SPIFFE secrets engine
Enterprise: appropriate Vault Enterprise license required.
The spiffe secrets engine mints SPIFFE JWT-SVIDs from a template that can
interpolate identity information about the requesting entity.
Because the JWTs are OIDC-compatible, you can use them the same way you use JWT tokens minted by the identity secrets engine.
Configuration
Each SPIFFE backend mount has a single trust domain, and every SPIFFE ID it issues lives under that domain. The plugin uses roles to define the templates that determine the claims in the minted JWTs.
Integrate with SPIRE
The SPIFFE secrets engine exposes a trust_bundle/web endpoint that serves
the trust bundle. Clients call it to fetch the public keys needed to validate
JWTs minted by the plugin, and should re-fetch it periodically so that rotated
signing keys are picked up. Compatible clients include any system that
implements SPIFFE federation, for example SPIRE or another Vault cluster
running the SPIFFE auth method.
Integrate with OIDC
The SPIFFE secrets engine also includes two endpoints that allow OIDC providers to validate the JWTs it mints.
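The following is an added example, not code from Vault or SPIRE, showing what a consumer of the trust bundle above (or of the OIDC key endpoint) has to check before it trusts a JWT-SVID. It constructs its own P-256 key, builds a bundle in the JWKS-shaped SPIFFE bundle format (the `spiffe_sequence` and `spiffe_refresh_hint` members are the SPIFFE extensions), mints a token, and then validates it the way a federated client would: supported `alg` only, key looked up by `kid`, signature verified before any claim is read, `sub` confined to the expected trust domain, expected audience present, and `exp` in the future. The trust domain, SPIFFE ID, key ID and audience values are made up; in real use the bundle JSON is fetched over HTTP from the mount's trust_bundle/web path and cached no longer than the refresh hint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and Bundle mirror the JWKS-shaped document a SPIFFE trust bundle endpoint serves.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"` // "jwt-svid" marks a JWT-SVID signing key
	Kid string `json:"kid"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type Bundle struct {
	Keys        []JWK  `json:"keys"`
	Sequence    uint64 `json:"spiffe_sequence"`
	RefreshHint int    `json:"spiffe_refresh_hint"` // seconds until clients should re-fetch
}

var enc = base64.RawURLEncoding

// NewBundle builds a constructed trust bundle holding one P-256 JWT-SVID signing key.
func NewBundle(pub *ecdsa.PublicKey, kid string) []byte {
	b := Bundle{Sequence: 1, RefreshHint: 300, Keys: []JWK{{
		Kty: "EC", Use: "jwt-svid", Kid: kid, Crv: "P-256",
		X: enc.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: enc.EncodeToString(pub.Y.FillBytes(make([]byte, 32))),
	}}}
	out, _ := json.Marshal(b)
	return out
}

// MintJWTSVID signs a minimal ES256 JWT-SVID for spiffeID with a single audience.
func MintJWTSVID(priv *ecdsa.PrivateKey, kid, spiffeID, aud string, iat time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{
		"sub": spiffeID, "aud": []string{aud}, "iat": iat.Unix(), "exp": iat.Add(ttl).Unix(),
	})
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S pair (32 bytes each), not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// ValidateJWTSVID checks token against the bundle served for trustDomain and returns the SPIFFE ID.
func ValidateJWTSVID(token string, bundleJSON []byte, trustDomain, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Typ, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", errors.New("bad header")
	}
	if hdr.Alg != "ES256" { // rejects "none", HMAC algs and anything this verifier does not implement
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	if hdr.Typ != "" && hdr.Typ != "JWT" && hdr.Typ != "JOSE" { // JWT-SVID rule for typ
		return "", fmt.Errorf("unexpected typ %q", hdr.Typ)
	}
	var bundle Bundle
	if err := json.Unmarshal(bundleJSON, &bundle); err != nil {
		return "", err
	}
	var pub *ecdsa.PublicKey
	for _, k := range bundle.Keys { // key selection is by kid, restricted to the key type we verify
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && k.Use == "jwt-svid" {
			xb, errX := enc.DecodeString(k.X)
			yb, errY := enc.DecodeString(k.Y)
			if errX != nil || errY != nil {
				return "", errors.New("bad key encoding in bundle")
			}
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		}
	}
	if pub == nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return "", fmt.Errorf("no usable key with kid %q in bundle", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	var claims struct { // claims are only parsed after the signature has been verified
		Sub string `json:"sub"`
		Aud any    `json:"aud"` // RFC 7519 allows a string or an array here
		Exp int64  `json:"exp"`
	}
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", errors.New("bad claims")
	}
	if !strings.HasPrefix(claims.Sub, "spiffe://"+trustDomain+"/") {
		return "", fmt.Errorf("subject %q is outside trust domain %s", claims.Sub, trustDomain)
	}
	if !hasAudience(claims.Aud, expectedAud) {
		return "", errors.New("audience mismatch")
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return "", errors.New("token expired or missing exp")
	}
	return claims.Sub, nil
}

func hasAudience(aud any, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []any:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bundle := NewBundle(&priv.PublicKey, "key-1") // stands in for GET trust_bundle/web
	tok, _ := MintJWTSVID(priv, "key-1", "spiffe://example.org/ns/prod/sa/web", "vault-consumer", time.Now(), time.Minute)
	fmt.Println(ValidateJWTSVID(tok, bundle, "example.org", "vault-consumer", time.Now()))
}
```

The order matters: the signature is verified against a key chosen by `kid` from the bundle before any claim is read, so a forged payload can never steer key selection or trust-domain checks, and the trust-domain prefix check is what stops a federated peer from minting IDs in your own domain.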
SPIFFE secrets engine API
The SPIFFE secrets engine has a full HTTP API. Refer to the SPIFFE secrets engine documentation for more details.