SPIFFE/SPIRE Workload Identity Federation Prompt
Design a SPIFFE/SPIRE deployment that issues short-lived, cryptographic workload identities (SVIDs) across clusters, clouds, and bare metal — replacing long-lived secrets with attested, federated identity.
- Target user: Platform and security engineers building zero-trust workload identity
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a zero-trust identity architect who has rolled out SPIFFE/SPIRE across multi-cluster, multi-cloud, and hybrid bare-metal estates. Your goal is to replace static secrets and shared service accounts with short-lived, attested SVIDs.

I will provide:
- My runtime mix (Kubernetes, VMs, bare metal, serverless) and clouds
- Current secret-distribution approach and pain points
- Trust domains I expect (per-env, per-team, per-cloud)
- Compliance constraints (key lifetimes, audit, FIPS)

Your job:
1. **Trust domain design** — recommend a trust-domain topology (one per environment vs per org). Justify the boundary and explain blast-radius implications of each choice.
2. **Server topology** — SPIRE Server HA, datastore (Postgres vs in-cluster), upstream signing (self-signed root vs cloud KMS/HSM vs cert-manager). Map node/agent placement.
3. **Node attestation** — pick attestors per platform (k8s_psat, aws_iid, gcp_iit, tpm_devid). Explain what each proves and its forgery risks. Flag any attestor that trusts mutable metadata.
4. **Workload attestation & registration** — selector strategy (k8s namespace + service account + label). Show example registration entries and warn against over-broad selectors that let any pod assume an identity.
5. **SVID lifetime & rotation** — recommend X.509-SVID TTLs (default 1h, agent rotates at 50%), JWT-SVID audiences, and CA TTL hierarchy. Justify short TTLs vs revocation complexity.
6. **Federation** — configure SPIFFE federation between trust domains via bundle endpoints; explain bundle refresh, and how mTLS validates a peer in another domain.
7. **Consumption patterns** — Envoy SDS, Workload API socket, SPIFFE Helper for legacy apps, and how to feed SVIDs into mTLS, Vault auth, or cloud STS.
8. **Failure modes** — agent down, bundle stale, clock skew, datastore loss. Give the recovery runbook for each.
Output: (a) architecture diagram described in text, (b) annotated SPIRE Server + Agent config, (c) sample registration entries, (d) federation config, (e) a phased migration plan off static secrets with rollback gates. Bias toward: short TTLs, narrow selectors, hardware-rooted upstream signing, and explicit blast-radius analysis.
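As an added example (not part of the prompt above and not SPIRE's own code), the following Python lints a set of registration entries against the guidance in steps 4 and 5: it flags selector sets that let any pod in a namespace, or any root process on a host, assume an identity, and it checks each entry's X.509-SVID TTL against the 1h cap and the CA TTL so that the agent's 50% rotation point leaves room for retries. The trust domain, the TTL limits, the 6:1 CA-to-SVID ratio and the three sample entries are assumptions constructed for this example; the selector strings follow the shape used by SPIRE's k8s and unix workload attestors.

```python
"""Lint SPIRE registration entries for over-broad selectors and an unsafe
TTL hierarchy.  Added example for this page, not part of SPIRE; the entry
shape, the policy limits and the sample entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass

TRUST_DOMAIN = "prod.example.org"   # assumed trust domain
MAX_SVID_TTL = 3600                 # 1h X.509-SVID cap, as the prompt recommends
CA_TTL = 24 * 3600                  # assumed intermediate CA TTL
ROTATION_FRACTION = 0.5             # agents rotate at 50% of SVID lifetime
# Assumed policy: keep SVID TTL <= CA_TTL / 6 so several rotations fit
# inside the CA's lifetime before the CA itself is rotated.
MAX_SVID_TO_CA_RATIO = 6


@dataclass
class Entry:
    spiffe_id: str
    parent_id: str
    selectors: list[str]
    x509_ttl: int = MAX_SVID_TTL


def parse_selectors(selectors):
    """Group 'type:key:value' selectors as {(type, key): [values]}."""
    grouped = defaultdict(list)
    for s in selectors:
        typ, rest = s.split(":", 1)
        key, _, value = rest.partition(":")   # value may itself contain ':'
        grouped[(typ, key)].append(value)
    return grouped


def review_entry(e):
    """Return the findings for one entry; an empty list means it passes."""
    findings = []
    if not e.spiffe_id.startswith(f"spiffe://{TRUST_DOMAIN}/"):
        findings.append("spiffe_id is outside the trust domain")
    sel = parse_selectors(e.selectors)
    types = {t for t, _ in sel}
    if "k8s" in types:
        if ("k8s", "ns") not in sel:
            findings.append("k8s entry without namespace selector: matches pods in every namespace")
        if ("k8s", "sa") not in sel:
            findings.append("k8s entry without service-account selector: any pod in the namespace can assume this identity")
        elif "default" in sel[("k8s", "sa")]:
            findings.append("k8s entry bound to the 'default' service account, shared by every pod that declares none")
    if "unix" in types:
        if "0" in sel.get(("unix", "uid"), []):
            findings.append("unix entry bound to uid 0: every root process matches")
        if ("unix", "path") not in sel and ("unix", "sha256") not in sel:
            findings.append("unix entry keyed only by uid/gid: bind the binary path or its hash too")
    if e.x509_ttl > MAX_SVID_TTL:
        findings.append(f"x509_ttl {e.x509_ttl}s exceeds the {MAX_SVID_TTL}s cap")
    if e.x509_ttl * MAX_SVID_TO_CA_RATIO > CA_TTL:
        findings.append("x509_ttl is too close to the CA TTL; rotation may not complete before the CA rotates")
    return findings


def rotation_schedule(ttl):
    """Seconds after issuance at which the agent renews, and the slack left for retries."""
    renew_at = int(ttl * ROTATION_FRACTION)
    return renew_at, ttl - renew_at


def review(entries):
    """Map each entry's SPIFFE ID to its findings."""
    return {e.spiffe_id: review_entry(e) for e in entries}


# Constructed sample entries: one narrow, one over-broad, one with a bad TTL.
SAMPLE_ENTRIES = [
    Entry(
        spiffe_id=f"spiffe://{TRUST_DOMAIN}/ns/payments/sa/checkout",
        parent_id=f"spiffe://{TRUST_DOMAIN}/spire/agent/k8s_psat/prod-eu/node-01",
        selectors=["k8s:ns:payments", "k8s:sa:checkout", "k8s:pod-label:app:checkout"],
    ),
    Entry(
        spiffe_id=f"spiffe://{TRUST_DOMAIN}/ns/payments/anything",
        parent_id=f"spiffe://{TRUST_DOMAIN}/spire/agent/k8s_psat/prod-eu/node-01",
        selectors=["k8s:ns:payments"],          # no service account: over-broad
    ),
    Entry(
        spiffe_id=f"spiffe://{TRUST_DOMAIN}/host/legacy-batch",
        parent_id=f"spiffe://{TRUST_DOMAIN}/spire/agent/tpm_devid/bm-07",
        selectors=["unix:uid:1001", "unix:path:/opt/batch/bin/runner"],
        x509_ttl=12 * 3600,                     # 12h: over the cap and too close to the CA TTL
    ),
]

if __name__ == "__main__":
    for sid, findings in review(SAMPLE_ENTRIES).items():
        print(sid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
    print("1h SVID: renew at / slack (s):", rotation_schedule(3600))
```

Run it as a pre-commit check over the entries you plan to apply with `spire-server entry create`; the narrow checkout entry passes, the namespace-only entry is reported as over-broad, and the 12h bare-metal entry is reported twice, once for the cap and once for the CA ratio.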