---
title: "SPIFFE"
slug: "spiffe-integration"
updated: 2026-01-12T10:03:34Z
published: 2026-01-12T10:15:19Z
---

# SPIFFE

To use SPIFFE as a workload identity provider, you must install and configure the SPIRE (SPIFFE Runtime Environment) server and agent. For more information about SPIFFE, see [SPIFFE Concepts](https://spiffe.io/docs/latest/spire-about/).

1. Install and configure a SPIRE server in a local environment or on an AWS cloud instance. For more information on installing SPIRE on Linux and macOS, see [SPIRE - Quickstart for Linux and MacOS X](https://spiffe.io/docs/latest/try/getting-started-linux-macos-x/). Configure the federation bundle endpoint on the SPIRE server in *<spire root installation dir>/conf/server/server.conf*.

```plaintext
server {
    bind_address = "spire.britive.com"
    bind_port = 9080
    trust_domain = "user.britive-app.com"
    data_dir = "./data/server"
    log_level = "DEBUG"
    ca_ttl = "168h"
    default_jwt_svid_ttl = "10m"
    jwt_issuer = "https://example.britive-app.com"
    federation {
        bundle_endpoint {
            address = "spire.britive.com"
            port = 9443
            profile "https_web" {
                serving_cert_file {
                    cert_file_path = "./data/server/root.crt"
                    key_file_path = "./data/server/root.key"
                    file_sync_interval = "1h"
                }
            }
        }
    }
}

plugins {
    DataStore "sql" {
        plugin_data {
            database_type = "sqlite3"
            connection_string = "./data/server/datastore.sqlite3"
        }
    }

    KeyManager "disk" {
        plugin_data {
            keys_path = "./data/server/keys.json"
        }
    }

    NodeAttestor "join_token" {
        plugin_data {}
    }

    UpstreamAuthority "disk" {
        plugin_data {
            cert_file_path = "./data/server/root.crt"
            key_file_path = "./data/server/root.key"
        }
    }
}
```
2. Start the SPIRE server from the SPIRE installation directory:

```shell
$ bin/spire-server run -config conf/server/server.conf
```
3. Install and configure a SPIRE agent on the same instance. Configure the SPIRE agent in *<spire root installation dir>/conf/agent/agent.conf* to attest to the SPIRE server configured above. Ensure **trust_domain**, **server_address**, and **server_port** match the SPIRE server configuration.

```plaintext
agent {
    data_dir = "./data/agent"
    log_level = "DEBUG"
    trust_domain = "user.britive-app.com"
    server_address = "spire.britive.com"
    server_port = 9080

    # Insecure bootstrap is NOT appropriate for production use but is ok for 
    # simple testing/evaluation purposes.
    insecure_bootstrap = true
}

plugins {
    KeyManager "disk" {
        plugin_data {
            directory = "./data/agent"
        }
    }

    NodeAttestor "join_token" {
        plugin_data {}
    }

    WorkloadAttestor "unix" {
        plugin_data {}
    }
}
```
4. Create a **join token** to attest the SPIRE agent to the SPIRE server from the SPIRE installation directory:

```shell
$ bin/spire-server token generate -spiffeID spiffe://user.britive-app.com/britive_test_agent
```
5. Start the SPIRE agent from the SPIRE installation directory:

```shell
$ bin/spire-agent run -config conf/agent/agent.conf -joinToken <token_string> &
```
6. Register the workload with the SPIRE server. Workload registration tells SPIRE how to identify the workload and which SPIFFE ID to give it.

```shell
$ ./bin/spire-server entry create -parentID spiffe://user.britive-app.com/britive_test_agent -spiffeID spiffe://user.britive-app.com/spiffe_test_workload -selector unix:uid:$(id -u)
Entry ID         : 4905e92e-4455-45bf-9191-c0b97a9c4949
SPIFFE ID        : spiffe://user.britive-app.com/spiffe_test_workload
Parent ID        : spiffe://user.britive-app.com/britive_test_agent
TTL              : 600
Selector         : unix:uid:501
```
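
The preflight script below is an added example, not part of the Britive or SPIRE documentation. It checks that the agent settings match the server as step 3 requires, flags `insecure_bootstrap`, and confirms that the step 6 SPIFFE IDs sit in the server's trust domain. The function names and the line-based `conf_get` reader (not a full HCL parser) are assumptions of this example, and the sample configs are constructed, trimmed copies of the ones above.

```shell
#!/bin/sh
# Added example: preflight checks for the server.conf / agent.conf pair.

# conf_get FILE KEY: print the first `KEY = value` setting, quotes stripped.
# Line-based reader (an assumption of this example), not a full HCL parser.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"*\([^\"[:space:]]*\)\"*[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# check_pair LABEL SERVER_VALUE AGENT_VALUE: report and fail on a mismatch.
check_pair() {
    [ -n "$2" ] && [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: server='$2' agent='$3'" >&2
    return 1
}

# preflight SERVER_CONF AGENT_CONF: 0 when the agent points at this server.
preflight() {
    rc=0; bind=$(conf_get "$1" bind_address)
    check_pair trust_domain "$(conf_get "$1" trust_domain)" "$(conf_get "$2" trust_domain)" || rc=1
    # A wildcard bind address listens on every interface; skip the address check.
    [ "$bind" = "0.0.0.0" ] || check_pair address "$bind" "$(conf_get "$2" server_address)" || rc=1
    check_pair port "$(conf_get "$1" bind_port)" "$(conf_get "$2" server_port)" || rc=1
    return "$rc"
}

# insecure_bootstrap_enabled AGENT_CONF: 0 when the evaluation-only setting is on.
insecure_bootstrap_enabled() { [ "$(conf_get "$1" insecure_bootstrap)" = "true" ]; }

# id_in_domain SPIFFE_ID TRUST_DOMAIN: 0 when the ID belongs to the trust domain.
id_in_domain() {
    case "$1" in "spiffe://$2/"?*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample input: trimmed copies of the two configs on this page.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'server {' '    bind_address = "spire.britive.com"' '    bind_port = 9080' \
    '    trust_domain = "user.britive-app.com"' '}' > "$demo_dir/server.conf"
printf '%s\n' 'agent {' '    trust_domain = "user.britive-app.com"' \
    '    server_address = "spire.britive.com"' '    server_port = 9080' \
    '    insecure_bootstrap = true' '}' > "$demo_dir/agent.conf"

preflight "$demo_dir/server.conf" "$demo_dir/agent.conf" && echo "agent.conf matches server.conf"
insecure_bootstrap_enabled "$demo_dir/agent.conf" && echo "WARNING: insecure_bootstrap = true"
td=$(conf_get "$demo_dir/server.conf" trust_domain)
for id in spiffe://user.britive-app.com/britive_test_agent spiffe://user.britive-app.com/spiffe_test_workload; do
    id_in_domain "$id" "$td" || echo "OUTSIDE TRUST DOMAIN: $id"
done
```

To use it on a real installation, call `preflight` with `conf/server/server.conf` and `conf/agent/agent.conf` before starting the agent in step 5.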
