What's Up In Workload Identity - November 2024
SPIFFE? WIMSE? All that and more inside the November edition of What's Up in Workload Identity.
Hey!
Welcome to the fourth edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)
It’s a world that’s moving fast - and it’s hard to keep up 🚀
You can expect to see each edition covering:
News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss
Who am I? I’m Noah. I’ve been working in the Workload Identity space for the past few years. I currently work at Teleport, leading the development of our Workload Identity product. That being said, this newsletter is in a personal capacity and I’m keen to keep it unbiased! You can find out more about me on my website.
News
The latest news from the Workload Identity space
SPIKE: A Rather SPIFFY SPIFFE Secrets Store
Christmas is, the last time I checked, not in November, but this month we awoke to a rather exciting new project in the workload identity world: SPIKE - Secure Production Identity for Key Encryption.
SPIKE is a SPIFFE-native take on secrets management. In practice, this means it stores secrets and lets workloads request access to them, using their SPIFFE credentials (SVIDs) as the form of authentication rather than yet another bootstrap secret.
Now, you might be thinking: “Noah, I could’ve sworn that you have proclaimed that shared secrets are the devil’s play-thing - surely a secrets manager is the last thing you’d be singing the praises of!” and you’d be partially right!
I do think that our end goal, as an ecosystem and community, should be to eliminate the use of long-lived shared secrets. But the truth is that the complete elimination of these secrets is going to be purely aspirational for most organizations, at least if we’re thinking about the next five to ten years.
When setting up workload identity in an organization, there’s a bunch of low hanging fruit - easy opportunities to replace long-lived secrets with X509 or JWT SVIDs. This might be authentication to cloud providers’ APIs that support workload identity federation (GCP, Azure or AWS), or authentication between services that you control internally.
There’s always going to be secrets that are harder to shift, such as those used to authenticate to legacy systems or to third-party APIs that haven’t quite caught up with the latest and greatest. This is where SPIKE fits in neatly!
But why SPIKE, and not some existing secrets manager? SPIKE represents a fantastic opportunity to treat your workload identities as first-class citizens, and to enjoy the user experience that comes from a solution that’s intentionally designed to interface with SPIFFE IDs and SVIDs. It’s true that you can configure tools like Vault to accept SVIDs as authentication, but, let’s be honest, do you really want to do that?
Now, like any recently released project, this probably isn’t quite ready to be rolled out into production environments yet - but it’s off to a promising start and over the past few weeks we’ve seen a slew of new features added. It’ll definitely be one to keep an eye on, and I highly recommend giving it a try to get a taste of what the future of secrets management looks like!
Check out the introductory video from the great mind behind SPIKE, Volkan Özçelik:
To learn more, check out SPIKE’s website: https://spike.ist
Content
The best of recent blogs, webinars and talks on Workload Identity
From Years to Seconds: Rethinking Public Key Infrastructure
November 27th 2024, on the “unmitigated risk blog”.
https://unmitigatedrisk.com/?p=904
SPIFFE Deployments in Non-Kubernetes Environments
By Nadin El-Yabroudi & Eli Nesterov (SPIRL) at KubeCon 2024
SPIFFE the Easy Way: Universal X509 and JWT Identities Using cert-manager
By Tim Ramlot & Ashley Davis (Venafi) at KubeCon 2024
Workload Identity Federation – Stop Using Long-Lived Credentials
By Benjamin Dronen (Ford Motor Company) & Anjali Telang (Red Hat) at KubeCon 2024
Releases
Highlights from recent releases to Workload Identity tools
SPIFFE-Helper - 0.9.0 - November 21st
This release includes a variety of changes.
Notably, use of the SPIRE_AGENT_ADDRESS environment variable has been deprecated in favour of SPIFFE_ENDPOINT_SOCKET. This brings it more in line with other tools within the community, which already read the Workload API endpoint from that variable.
You can also now specify an external process, via a pid file, which should be sent a signal when spiffe-helper has rotated the artefacts that it writes to disk. This will be great for legacy services that don’t watch the files themselves but can be told to reload credentials on a signal.
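To show the consumer side of that feature, here is an added example written for this newsletter (not spiffe-helper’s own code, and not from the release): a Go service that publishes its pid, keeps its X509-SVID behind an atomic pointer, resolves the certificate per TLS handshake, and re-reads the PEM files when it receives a signal. The file names, the choice of SIGHUP and the self-signed test certificate written by writeTestSVID are assumptions standing in for what spiffe-helper would actually write; a failed reload deliberately keeps the previous, still-valid certificate in place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"os/signal"
	"path/filepath"
	"sync/atomic"
	"syscall"
	"time"
)

// certStore holds the X509-SVID currently in use. reload swaps it atomically, so
// in-flight handshakes keep the old pointer and new handshakes pick up the new cert.
type certStore struct {
	certFile, keyFile string
	current           atomic.Pointer[tls.Certificate]
}

// reload re-reads the PEM files that spiffe-helper rewrites on rotation.
// On error the previously loaded certificate stays in place.
func (s *certStore) reload() error {
	cert, err := tls.LoadX509KeyPair(s.certFile, s.keyFile)
	if err != nil {
		return err
	}
	if cert.Leaf == nil { // older Go versions do not populate Leaf for us
		if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
			return err
		}
	}
	s.current.Store(&cert)
	return nil
}

// spiffeID returns the URI SAN of the leaf currently in use, or "" before the first load.
func (s *certStore) spiffeID() string {
	cert := s.current.Load()
	if cert == nil || len(cert.Leaf.URIs) == 0 {
		return ""
	}
	return cert.Leaf.URIs[0].String()
}

// tlsConfig resolves the certificate on every handshake instead of copying it in
// once at startup; that is what makes the rotated SVID visible to the listener.
func (s *certStore) tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c := s.current.Load(); c != nil {
				return c, nil
			}
			return nil, errors.New("no SVID loaded yet")
		},
	}
}

// reloadOnSignal writes this process's pid to pidFile (the file spiffe-helper would
// be pointed at, an assumed path) and reloads the SVID whenever sig arrives.
func (s *certStore) reloadOnSignal(pidFile string, sig os.Signal) error {
	if err := os.WriteFile(pidFile, []byte(fmt.Sprint(os.Getpid())), 0o644); err != nil {
		return err
	}
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, sig)
	go func() {
		for range ch {
			if err := s.reload(); err != nil {
				fmt.Fprintln(os.Stderr, "SVID reload failed, keeping old cert:", err)
			}
		}
	}()
	return nil
}

// writeTestSVID writes a constructed self-signed certificate carrying spiffeID as its
// URI SAN. It stands in for the files spiffe-helper would write and is test data only.
func writeTestSVID(dir, spiffeID string) (certFile, keyFile string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{uri},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certFile, keyFile = filepath.Join(dir, "svid.pem"), filepath.Join(dir, "svid_key.pem")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certFile, certPEM, 0o644); err != nil {
		return "", "", err
	}
	return certFile, keyFile, os.WriteFile(keyFile, keyPEM, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "svid")
	certFile, keyFile, err := writeTestSVID(dir, "spiffe://example.org/legacy-app")
	if err != nil {
		panic(err)
	}
	store := &certStore{certFile: certFile, keyFile: keyFile}
	if err := store.reload(); err != nil {
		panic(err)
	}
	if err := store.reloadOnSignal(filepath.Join(dir, "app.pid"), syscall.SIGHUP); err != nil {
		panic(err)
	}
	_ = store.tlsConfig() // hand this to http.Server.TLSConfig or tls.Listen
	fmt.Println("serving as", store.spiffeID(), "- overwrite", certFile, "and send SIGHUP to rotate")
	select {} // stay alive so the signal handler can be exercised
}
```

The important detail is GetCertificate: a server that copies a tls.Certificate into its config once at startup will keep presenting the old SVID no matter how many signals it receives, so the signal is only half of the story.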
Check out the GitHub Release for the full list of changes!
Coming Up…
What’s happening soon in the world of Workload Identity
KubeCon India
December 11th to the 12th - Delhi
Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-india/
That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!
Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk