To use SPIFFE as a workload identity provider, you must install and configure the SPIRE (SPIFFE Runtime Environment) server and agent. For more information about SPIFFE, see SPIFFE Concepts.
Install and configure a SPIRE server on a local environment or an AWS cloud instance. For more information on installing SPIRE on Linux and macOS, see SPIRE - Quickstart for Linux and MacOS X. Configure the federation bundle endpoint on the SPIRE server in <spire root installation dir>/conf/server/server.conf:
server {
    bind_address = "spire.britive.com"
    bind_port = 9080
    trust_domain = "user.britive-app.com"
    data_dir = "./data/server"
    log_level = "DEBUG"
    ca_ttl = "168h"
    default_jwt_svid_ttl = "10m"
    jwt_issuer = "https://example.britive-app.com"
    federation {
        bundle_endpoint {
            address = "spire.britive.com"
            port = 9443
            profile "https_web" {
                serving_cert_file {
                    cert_file_path = "./data/server/root.crt"
                    key_file_path = "./data/server/root.key"
                    file_sync_interval = "1h"
                }
            }
        }
    }
}

plugins {
    DataStore "sql" {
        plugin_data {
            database_type = "sqlite3"
            connection_string = "./data/server/datastore.sqlite3"
        }
    }
    KeyManager "disk" {
        plugin_data {
            keys_path = "./data/server/keys.json"
        }
    }
    NodeAttestor "join_token" {
        plugin_data {}
    }
    UpstreamAuthority "disk" {
        plugin_data {
            cert_file_path = "./data/server/root.crt"
            key_file_path = "./data/server/root.key"
        }
    }
}

Start the SPIRE server from the SPIRE installation directory:
$ bin/spire-server run -config conf/server/server.conf

Install and configure a SPIRE agent on the same instance. Configure the SPIRE agent in <spire root installation dir>/conf/agent/agent.conf to attest to the SPIRE server above. Ensure that trust_domain, server_address, and server_port match the trust_domain, bind_address, and bind_port of the SPIRE server configuration:
agent {
    data_dir = "./data/agent"
    log_level = "DEBUG"
    trust_domain = "user.britive-app.com"
    server_address = "spire.britive.com"
    server_port = 9080
    # Insecure bootstrap is NOT appropriate for production use but is ok for
    # simple testing/evaluation purposes.
    insecure_bootstrap = true
}

plugins {
    KeyManager "disk" {
        plugin_data {
            directory = "./data/agent"
        }
    }
    NodeAttestor "join_token" {
        plugin_data {}
    }
    WorkloadAttestor "unix" {
        plugin_data {}
    }
}

Create a join token to attest the SPIRE agent to the SPIRE server from the SPIRE installation directory:
$ bin/spire-server token generate -spiffeID spiffe://user.britive-app.com/britive_test_agent
Token: <token_string>

Start the SPIRE agent from the SPIRE installation directory, passing the generated token:
$ bin/spire-agent run -config conf/agent/agent.conf -joinToken <token_string> &

Register the workload with the SPIRE server. Workload registration tells SPIRE how to identify the workload (here, by the Unix UID it runs as) and which SPIFFE ID to give it:
$ ./bin/spire-server entry create -parentID spiffe://user.britive-app.com/britive_test_agent -spiffeID spiffe://user.britive-app.com/spiffe_test_workload -selector unix:uid:$(id -u)
Entry ID         : 4905e92e-4455-45bf-9191-c0b97a9c4949
SPIFFE ID        : spiffe://user.britive-app.com/spiffe_test_workload
Parent ID        : spiffe://user.britive-app.com/britive_test_agent
TTL              : 600
Selector         : unix:uid:501
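The agent only attests successfully when its trust_domain, server_address and server_port agree with the server's trust_domain, bind_address and bind_port. The following script is an added example (not part of this guide or of SPIRE) that cross-checks the two files before you start the agent and flags insecure_bootstrap; it assumes one key = value setting per line, as in the files above, and the sample configuration files it writes are constructed here.

```shell
#!/bin/sh
# Constructed example: cross-check the agent.conf settings that must match
# server.conf (trust_domain, server_address/bind_address, server_port/bind_port)
# and flag insecure_bootstrap, which skips server verification on first contact.
# Assumes one "key = value" setting per line, as in the quickstart files.

conf_get() {  # conf_get <file> <key>: first value of <key>, quotes stripped
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

check_spire_conf() {  # check_spire_conf <server.conf> <agent.conf>: prints ok|mismatch
  server="$1"; agent="$2"; rc=0
  for pair in trust_domain:trust_domain bind_address:server_address bind_port:server_port; do
    skey=${pair%%:*}; akey=${pair##*:}
    sval=$(conf_get "$server" "$skey"); aval=$(conf_get "$agent" "$akey")
    if [ "$sval" != "$aval" ]; then
      echo "mismatch: server $skey=\"$sval\" vs agent $akey=\"$aval\"" >&2; rc=1
    fi
  done
  if [ "$(conf_get "$agent" insecure_bootstrap)" = "true" ]; then
    echo "warning: insecure_bootstrap = true is for evaluation only; the agent trusts whichever server answers" >&2
  fi
  if [ "$rc" -eq 0 ]; then echo ok; else echo mismatch; fi
  return "$rc"
}

# Constructed sample files mirroring the values used in this guide.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
server {
  bind_address = "spire.britive.com"
  bind_port = 9080
  trust_domain = "user.britive-app.com"
}
EOF
cat > "$tmp/agent.conf" <<'EOF'
agent {
  trust_domain = "user.britive-app.com"
  server_address = "spire.britive.com"
  server_port = 9080   # must match bind_port on the server
  insecure_bootstrap = true
}
EOF
check_spire_conf "$tmp/server.conf" "$tmp/agent.conf"   # prints ok (plus the bootstrap warning)
```

Run it against the real conf paths instead of the sample files; a non-zero exit means the agent would be pointed at the wrong server or trust domain.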