Solving Secret Sprawl with SPIFFE

Most organizations suffer from secret sprawl. There are IAM credentials for cloud workloads, SSH keys for devs, .env files passed around in Slack, or API keys hardcoded into CI jobs. If you've lived this, you know that revoking these credentials is a nightmare. Enter SPIFFE.

SPIFFE gives every workload its own digital passport: a short-lived X.509 certificate called an SVID. This certificate identifies the workload with a SPIFFE ID (e.g. spiffe://example.org/web/frontend). The certificate expires quickly, lets the service prove who it is without dragging around long-lived secrets, and is rotated frequently so it's hard to steal or misuse.

I'm enamored by SPIFFE'S approach to solving this. There's clearly more to it and so to ground myself, I plan to explore using SPIFFE in various contexts.

What this series covers

I’ll walk through setting up SPIRE on AWS and using it as the single source of identity for everything from dev machines to EKS workloads.

We won’t cover HA deployments, multi-region SPIRE, or plugging into enterprise PKI. But we’ll go over the basics and you can swap out the toy pieces for enterprise-grade alternatives that meet your security posture.

If you’ve ever wished for one source of truth for identity across your cloud, clusters, laptops, and runtime services you're in the right spot!

Part 1: Grant AWS Access to GitHub Codespaces via SPIFFE/SPIRE & IAM Roles Anywhere

Part 2: Connecting GitHub Codespaces to AWS VPN via SPIFFE/SPIRE & IAM Roles Anywhere

Part 3: Automated AWS Credential Renewal Using SPIFFE Helper and IAM Roles Anywhere

Part 4: Grant AWS Access to Kubernetes Workloads via SPIFFE/SPIRE & IAM Roles Anywhere