Skip to content

SPIRE

SPIRE issues short-lived cryptographic identities (X509-SVID and JWT-SVID) to workloads with no shared bootstrap secret, and is the reference implementation of the SPIFFE specification.

  • Category: Identity & Policy
  • CNCF maturity: Graduated
  • Language: Go (go 1.26.4, go.mod:3)
  • License: Apache-2.0 (LICENSE:1-3)
  • Repository: spiffe/spire
  • Documented at commit: 73215a39 (near tag v1.15.1, 2026-06-22)

What it is

SPIRE is the SPIFFE Runtime Environment. It runs as two binaries: a spire-server that acts as the certificate authority for a trust domain, and a spire-agent that runs on each node and hands identities to local workloads over a Unix domain socket. The server attests nodes and signs identity documents (SVIDs) from registration entries; the agent attests the processes that ask for an identity and delivers the SVID the manager has already fetched and rotated.

The defining idea is that a workload presents no credential when it asks for its identity. Identity is derived from process metadata the kernel verified, so there is no bootstrap secret to distribute or rotate. SPIRE works across Kubernetes, VMs, bare metal, and serverless, and federates trust between separate trust domains.

It sits below a service mesh, an API gateway, or any mTLS-using system, supplying the identities those layers consume. Envoy, Istio, Linkerd, and Consul can all consume SPIRE-issued SVIDs.

When to use it

  • You need workload identity that spans more than one platform (Kubernetes plus VMs, multiple clouds, on-prem) under a single trust model.
  • You want to remove long-lived shared secrets from service-to-service authentication and replace them with short-lived attested certificates.
  • You need to federate identity across organizational or trust-domain boundaries.
  • You want a vendor-neutral implementation of an open standard (SPIFFE) rather than a mesh-specific or cloud-specific identity system.

When it is not the right fit:

  • A single Kubernetes cluster inside one mesh, where the mesh's built-in CA (such as istiod) already covers every workload, may not need a separate identity plane.
  • A team that only needs generic secret storage or a general PKI, without attestation, is served by a tool like Vault PKI.

In this deep-dive

Sources

  1. spiffe/spire (GitHub)
  2. spiffe/spire ADOPTERS.md
  3. SPIFFE and SPIRE Projects Graduate from CNCF Incubator
  4. SPIRE / CNCF project page
  5. 10 Years of SPIFFE (Joe Beda)
  6. Sunil James, CEO of Scytale, Explains SPIFFE (The New Stack)
  7. Opensource SPIFFE and SPIRE (Scytale)
  8. SPIFFE/SPIRE graduates (HPE Developer)
  9. SPIFFE Getting Started (Kubernetes quickstart)
  10. AWS: mTLS with SPIFFE/SPIRE in App Mesh on EKS
  11. Anthropic: SPIFFE WIF provider for Claude API
  12. Square: providing mTLS identities to Lambdas
  13. Production Identity Framework SPIRE Graduates from CNCF (InfoQ)