What's Up In Workload Identity

What's Up In Workload Identity - January 2025

Noah Stride — Sat, 01 Feb 2025 12:25:51 GMT

Hey!

Welcome to the fifth edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…) - returning after a short break for the Christmas period!

It’s a world that’s moving fast - and it’s hard to keep up 🚀

You can expect to see each edition covering:

News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss

Who am I? I’m Noah. I’ve been working in the Workload Identity space for the past few years. I currently work at Teleport, leading the development of our Workload Identity product. That being said, this newsletter is in a personal capacity and I’m keen to keep it unbiased! You can find out more about me on my website.

News

The latest news from the Workload Identity space

OWASP announces 2025 Non-Human Identities Top 10

Nothing says “Happy New Year!” like a brand new Top Ten from the Open Worldwide Application Security Project (OWASP)! In later December, they unveiled the OWASP 2025 Non-Human Identities Top 10 - their first list focussing on the challenges around securely working with Non-Human/workload identities.

It’s a fantastic start for 2025 to see an organization as prestigious as OWASP recognising the need for wider education in industry around the risks and challenges posed by Non-Human identities and a significant symbol of interest in NHI becoming commonplace. Clearly we’re not the only ones worrying about this!

I’ll admit - at a brief glance, the list is not all too surprising. I don’t think anybody here will be shocked that the likes of “Long-Lived Secrets”, “Overprivileged NHI” or “Secret Leakage” have made it on! What also won’t be a surprise is comparing this list of challenges to the solutions provided by tools like SPIFFE/SPIRE, and seeing that almost all of them are taken care of by taking a more modern workload-identity-esque approach.

You can check out the full list at: https://owasp.org/www-project-non-human-identities-top-10/2025/top-10-2025/

Content

The best of recent blogs, webinars and talks on Workload Identity

Why It’s Time to Rethink Machine and Workload Identity: Lessons from User Security

January 22nd 2025, on the “unmitigated risk blog”.

https://unmitigatedrisk.com/?p=934

SPIFFE as a Glue for Large Scale Telco Deployments

By Rahul Jadhav (AccuKnox) at KubeCon India 2024

SPIFFE runs in the cloud, but can it run on my laptop?

By Mattias Gees (Venafi) at Cloud Native Rejects 2024

Leveraging Micro-Segmentation, SPIFFE-based Identity Networking, and Immutable Infrastructure

By Kerry Steele (Coalfire Systems)

Releases

Highlights from recent releases to Workload Identity tools

SPIRE - 1.11.1 - December 11th

This release includes a variety of minor changes and bugfixes.

Check out the GitHub Release for the full list of changes!

Coming Up…

What’s happening soon in the world of Workload Identity

KubeCon EU

April 1st to the 4th - London

Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/

That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!

Subscribe now

Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk

What's Up In Workload Identity - November 2024

Noah Stride — Thu, 28 Nov 2024 10:13:18 GMT

Hey!

Welcome to the fourth edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)

It’s a world that’s moving fast - and it’s hard to keep up 🚀

You can expect to see each edition covering:

News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss

News

The latest news from the Workload Identity space

SPIKE: A Rather SPIFFY SPIFFE Secrets Store

Christmas is, the last time I checked, not in November but this month we awoke to rather exciting new project in the workload identity world: SPIKE - Secure Production Identity for Key Encryption.

SPIKE is a SPIFFE-native take on the world of secrets management. In practice, what this means, is that it safely stores secrets and allows workloads to request access to them using their SPIFFE-compatible credentials as a form of authentication.

Now, you might be thinking: “Noah, I could’ve sworn that you have proclaimed that shared secrets are the devil’s play-thing - surely a secrets manager is the last thing you’d be singing the praises of!” and you’d be partially right!

I do think that our end goal, as an ecosystem and community, should be to eliminate the use of long-lived shared secrets. But, the truth is that the complete elimination of these secrets is going to purely aspirational for most organizations, at least if we’re thinking about the next five to ten years.

When setting up workload identity in an organization, there’s a bunch of low hanging fruit - easy opportunities to replace long-lived secrets with X509 or JWT SVIDs. This might be authentication to cloud providers APIs that support workload identity federation (GCP, Azure or AWS) or authentication between services that you control internally.

There’s always going to be secrets that are harder to shift, such as those used to authenticate to legacy systems or to third-party APIs that haven’t quite caught up with the latest and greatest. This is where SPIKE fits in neatly!

But why SPIKE? and not some existing secrets manager? SPIKE represents a fantastic opportunity to treat your workload identities as first-class citizens, and to enjoy the user experience that will come from a solution that’s intentionally designed to interface with SPIFFE IDs and SVIDs. It’s true that you can configure tools like Vault to accept SVIDs as authentication, but, let’s be honest, do you really want to do that?

Now, like any recently released project, this probably isn’t quite ready to be rolled out into production environments yet - but it’s off to a promising start and over the past few weeks we’ve seen a slew of new features added. It’ll definitely be one to keep an eye on, and I highly recommend giving it a try to get a taste of what the future of secrets management looks like!

Check out the introductory video from the great mind behind SPIKE, Volkan Özçelik:

To learn more, check out SPIKE’s website: https://spike.ist

Content

The best of recent blogs, webinars and talks on Workload Identity

From Years to Seconds: Rethinking Public Key Infrastructure

November 27th 2024, on the “unmitigated risk blog”.

https://unmitigatedrisk.com/?p=904

SPIFFE Deployments in Non-Kubernetes Environments

By Nadin El-Yabroudi & Eli Nesterov (SPIRL) at KubeCon 2024

SPIFFE the Easy Way: Universal X509 and JWT Identities Using cert-manager

By Tim Ramlot & Ashley Davis (Venafi) at KubeCon 2024

Workload Identity Federation – Stop Using Long-Lived Credentials

By Benjamin Dronen (Ford Motor Company) & Anjali Telang (Red Hat) at KubeCon 2024

Releases

Highlights from recent releases to Workload Identity tools

SPIFFE-Helper - 0.9.0 - November 21st

This release includes a variety of changes.

Notably, use of the SPIRE_AGENT_ADDRESS environment variable has been deprecated in favour of SPIFFE_ENDPOINT_SOCKET. This brings it a little more inline with other tools within the community.

You can also now specify an external process, via a pid file, which should be sent a signal when spiffe-helper has rotated the artefacts that are written to disk. This’ll be great for legacy services that may not support automatically reloading credentials loaded from disk.

Check out the GitHub Release for the full list of changes!

Coming Up…

What’s happening soon in the world of Workload Identity

KubeCon India

December 11th to the 12th - Delhi

SPIFFE as a Glue for Large Scale Telco Deployments: A Nephio Perspective - Rahul Jadhav (AccuKnox)

Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-india/

That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!

Subscribe now

Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk

What's Up In Workload Identity - October 2024

Noah Stride — Mon, 28 Oct 2024 18:11:44 GMT

Hey!

Welcome to the third edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)

It’s a world that’s moving fast - and it’s hard to keep up 🚀

You can expect to see each edition covering:

News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss

News

The latest news from the Workload Identity space

Latest updates on WIMSE drafts

Ahead of the IETF 121 meeting in Dublin next week, the WIMSE WG have published new versions of two of their existing internet drafts.

The Workload Identity in a Multi System Environment (WIMSE) Architecture draft has entered its third (or if you, like the IETF, prefer to count from zero - 02nd) iteration. This document focusses on Workload Identity at a higher level, setting out various fundamental terminology and concepts.

The latest iteration brings significantly more clarity to several key concepts, such as that of trust domains and workload identifiers. If you’re familiar with the space, you won’t be surprised to see the definitions largely encompassing and being compatible with the definitions made by SPIFFE, with the WIMSE draft directly calling out SPIFFE IDs as an example of a compatible workload identifier.

It’s also encouraging to see the Workload Identity Token (WIT), which was first introduced in the Service to Service Authentication draft, being deemed notable enough to be mentioned and referred to within the Architecture draft.

Speaking of Service to Service Authentication, this draft has also received a round of changes as part of a second (uh, 01st) iteration. This document focusses more specifically on techniques and protocols for authenticating workload identity within the context of service to service communication.

Amongst the changes to this draft is the addition of a new claim to the proposed Workload Proof Token (WPT). The WPT is created by a workload as part of service to service authentication flows to prove its possession of a key pair that is contained within the Workload Identity Token (WIT) that contains claims that describe the workload’s identity. The new claim, “wth”, will contain a SHA256 hash of a WIT that the WPT has been produced for. This creates a more specific binding between the two, particularly in cases where the WIT may have been extended with additional attributes of the workload identity.

The draft now also includes a temporary comparison as part of the ongoing discussion on which authentication flow become the draft’s recommendation. Today, the draft describes two options: a flow based on OAuth DPoP using the WPT and a flow based on RFC9421 HTTP message signatures. If you’re using HTTP for service to service communication, it’s definitely worth diving into this discussion, there’s some really interesting trade-offs between the two options. I’m looking forward to reading up on this discussion as the working group tries to reach consensus.

You can check out the changes included in the latest revisions over on the IETF Datatracker:

Content

The best of recent blogs, webinars and talks on Workload Identity

Fortifying gRPC Microservices: Beyond JWT with mTLS and SPIFFE

By Mehrdad Afshari (Signeen, Inc.) at gRPConf 2024

Federating Secrets Across Clusters Using SPIFFE, SPIRE, and VMware Secrets Manager

By Volkan Özçelik

CNL: Secure workload identities with SPIFFE, cert-manager, trust-manager

By Mattias Gees (Venafi) on CNCF’s Cloud Native Live

Releases

Highlights from recent releases to Workload Identity tools

SPIRE - 1.11.0 - October 24th

Introduces the “forced rotation and revocation” functionality which allows administrators to manually rotate certificate authorities and JWT key pairs within SPIRE. It’s well worth learning more about this functionality if you’re operating SPIRE in production and need to prepare for how to respond to exfiltration of CA private key material.

This release also includes a number of bug fixes and optimisations.

GitHub Release

VMWare Secrets Manager - 0.28.0 - October 16th

Introduced an interesting proof of concept feature to support sharing secrets between clusters, and, support for PostgreSQL as a backing store.

GitHub Discussion

Teleport Workload Identity - 16.4.3 - October 16th

Introduced support for issuing JWT-SVIDs to workloads. This includes compatibility with OIDC for OIDC-based federation and authentication to third-party APIs such as cloud providers.

GitHub Release

Coming Up…

What’s happening soon in the world of Workload Identity

KubeCon North America

November 12th to the 15th - Salt Lake City, Utah

Poster Session: What's Happening with SPIFFE and WIMSE? - Daniel Feldman (Quasic)

Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/

You also won’t want to miss the “Workload Identity Day 0” event being hosted by Venafi at their HQ. The schedule is jam-packed with talks on SPIFFE, SPIRE and the workload identity space as a whole. You can find out more about that at https://venafi.com/events/workload-identity-day-zero/

KubeCon India

December 11th to the 12th - Delhi

SPIFFE as a Glue for Large Scale Telco Deployments: A Nephio Perspective - Rahul Jadhav (AccuKnox)

Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-india/

That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!

Subscribe now

Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk

What's Up In Workload Identity - September 2024

Noah Stride — Wed, 11 Sep 2024 11:33:55 GMT

Hey!

Welcome to the second edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)

It’s a world that’s moving fast - and it’s hard to keep up 🚀

You can expect to see each edition covering:

News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss

News

The latest news from the Workload Identity space

KubeCon NA 2024 Schedule Announced

The schedule for KubeCon North America 2024 has dropped and it’s exciting to see so many talks on the topic of Workload Identity and SPIFFE. There’s a good range of content, some at a more introductory level and some diving deep into the inner mechanics of Workload Identity.

Some of the highlights from the schedule:

Poster Session: What's Happening with SPIFFE and WIMSE? - Daniel Feldman (Quasic)

If you can’t make it to KubeCon NA 2024, rest assured, talks are usually recorded and uploaded in the months following the event.

Content

The best of recent blogs, webinars and talks on Workload Identity

From keyless to careless: Abusing misconfigured OIDC authentication in cloud environments

By Christophe Tafani-Dereeper at BSidesLV

Long Live Short Lived Credentials - Auto-rotating Secrets At Scale

By Dwayne McDaniel at BSidesLV

Zero-Trust mTLS Automation With HAProxy and SPIFFE/SPIRE

By Jakub Suchy (HAProxy Technologies)
https://www.haproxy.com/blog/zero-trust-mtls-automation-with-haproxy-and-spiffe-spire

Getting Started With SPIFFE For Multi-Cloud Secure Workload Authentication

By Mattias Gees (Venafi)
https://blog.gitguardian.com/getting-started-with-spiffe/

Releases

Highlights from recent releases to Workload Identity tools

SPIRE - 1.10.2 - September 3rd

SPIRE’s had two releases in the past month, 1.10.2 and 1.10.3. Whilst 1.10.3 was a bugfix release, 1.10.2 contains a handful of new features.

The introduction of a HTTP challenge based node attestor will be particularly interesting to those running SPIRE in an on-premise environment. It’s a great alternative to the existing limited options for node attestation in these kinds of environments, especially if you don’t have pre-existing PKI.

The release also includes improvements to the experimental SigStore support. This functionality is super exciting to me, allowing you to restrict the issuance of SVIDs to container workloads that are running a container image with a valid signature and attestations. If you’re looking to shore up your supply chain security, then you won’t regret looking into container image signing.

GitHub Release

Coming Up…

What’s happening soon in the world of Workload Identity

Open Source Summit Europe

September 16th to 18th - Vienna

Find out more at https://events.linuxfoundation.org/open-source-summit-europe/

Teleport Connect 2024

September 25th - San Francisco

Securing Modern Infrastructure with Teleport Workload Identity - Noah Stride and Dave Sudia (Teleport)

Find out more at https://goteleport.com/teleport-connect-2024/

KubeCon North America

November 12th to the 15th - Salt Lake City, Utah

Poster Session: What's Happening with SPIFFE and WIMSE? - Daniel Feldman (Quasic)

Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/

That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!

Subscribe now

Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk

What's Up In Workload Identity - August 2024

Noah Stride — Tue, 13 Aug 2024 14:39:13 GMT

Hey!

Welcome to the inaugural edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)

It’s a world that’s moving fast - and it’s hard to keep up 🚀

You can expect to see each edition covering:

News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss

News

The latest news from the Workload Identity space

WIMSE adopts Service to Service Authentication draft

On the 13th of August, the IETF Workload Identity in Multi System Environments (WIMSE) working group formally adopted the Service to Service Authentication draft following a vote. This is the third draft to have been adopted by the working group since they were established in March of this year.

The Service to Service Authentication draft is a “standards track” document and defines strategies for authentication and authorization between two services. Whilst the draft primarily focusses on authentication and authorization regarding HTTP services, there’s no reason why these same techniques couldn’t be applied to the other protocols we know and love (e.g gRPC).

The draft covers a range of topics, but the most interesting to me is the introduction of the Workload Identity Token (WIT) and Workload Proof Token (WPT). Together, these support an authentication flow similar to OAuth’s “Demonstrating Proof of Possession (dPoP)”. The flow mitigates many of the concerns traditionally associated with using JWTs for authentication, such as replay attacks, without significantly sacrificing performance or flexibility. This provides a strong alternative to mTLS for client authentication - which despite being popular, simply isn’t feasible in every scenario.

You can read the draft in full over on the IETF website: https://datatracker.ietf.org/doc/draft-sheffer-wimse-s2s-protocol/

Although the document is still in its infancy, and with formalisation as an RFC far on the horizon, it’s a fantastic sign of the things to come. WIMSE is also working on several other drafts, including setting out an overall architecture for Workload Identity and establishing procedures for Token Translation. Overall, I think we can expect to see their work covered in many of the coming editions of this newsletter.

Content

The best of recent blogs, webinars and talks on Workload Identity

Everyone’s Starting to Look SPIFFE: MTLS and Identity with Linkerd & Teleport

By Dave Sudia (Teleport) at CloudNativeSecurityCon

Solving ‘secret zero’, why you should care about SPIFFE!

By Mattias Gees (Venafi) at South California Linux Expo

Bringing SPIFFE to Linkerd for Mesh Expansion

By Zahari Dichev (Buoyant) at CloudNativeCon

Memory Armor for SPIRE: Fortifying SPIRE with Confidential Containers (CoCo)

By Matthew Bates (Cofide) and Suraj Deshmukh (Microsoft) at CloudNativeCon

Releases

Highlights from recent releases to Workload Identity tools

I’d love to cover more releases here! So, if you work on something in this space, please get in contact!

Teleport Workload Identity - v16.1.3 - August 7th

Introduced support for Kubernetes Workload Attestation. This allowing the Workload Identity agent to issue SVIDs with specific SPIFFE IDs to specific Kubernetes workloads.

GitHub Release

SPIRE - v1.10.1 - August 1st

Includes a number of bug fixes and support for publishing trust bundles directly to AWS Roles Anywhere as a trust anchor.

GitHub Release

Coming Up…

What’s happening soon in the world of Workload Identity

Open Source Summit Europe

September 16th to 18th - Vienna

Find out more at https://events.linuxfoundation.org/open-source-summit-europe/

Teleport Connect 2024 in San Francisco

September 25th - San Francisco

Securing Modern Infrastructure with Teleport Workload Identity - Noah Stride and Dave Sudia (Teleport)

Find out more at https://goteleport.com/teleport-connect-2024/

That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!

Subscribe now

Got something you’d love to see in the next edition? Please get in touch at wuiwi@noahstride.co.uk !