#SPIRE

Posts about spire. ← All posts

A2AADKAI GovernanceAIGPAMLAPI DesignAWSAadhaarAccountingAgentsAnomaly DetectionArchitectureAuditAudit LogAzureBCPBankingBedrockBenchmarksBhashiniBigQueryCRAGCareerCase StudyClinical Decision SupportCloud ArchitectureCloud KMSCloud RunComplianceConcurrencyConfigCost OptimisationCryptographyCultureCures ActDSLData ResidencyDatabase DesignDatabase MigrationDatabase SecurityDataflowDatastreamDeploymentDesign PatternDevOpsDevice FlowDistributed SystemsElevenLabsEngineeringEntity ResolutionEnvoyEvaluationFHIRFREE-AIFinOpsFinTechFraudGCPGDPRGKEGOMEMLIMITGSoCGeminiGenieGitHubGoGo 1.23Google CloudGoogle Cloud NextGovernanceGraphQLGraphRAGHIPAAHITLHL7 v2Healthcare ITHyDEIAPPISO 27001IdempotencyIdentity FederationIncident ResponseIndic LanguagesIntegrationJWTKMSKYCKafkaKnowledge GraphKubernetesLLMLLM OpsLatencyLendingLessons LearnedLoggingMARAML EngineeringMemoryMentorshipMicroservicesMiddlewareMigrationMulti-AgentMulti-Agent AIMulti-CloudMulti-LanguageMultilingualNPCINetworkingOAuthOPAOTelObservabilityOpen BankingOpen SourceOpenTelemetryOperationsOperatorsOpinionOrchestrationPAMPCSEPKCEPasskeysPatternsPaymentsPerformancePolicyPolicy as CodePostgreSQLPrivacy EngineeringProductionPrometheusProtocolsProvider AbstractionPub/SubPythonRAGRBACRBIRFC 8693RedisRegulationReliabilityReservationsResilienceRetrievalRetrospectiveSAMLSLOSOC 2SPIFFESPIRESQLSRESagaSaudi ArabiaSchemaSecuritySecurity Command CenterSelf-RAGService MeshSoftware ArchitectureSpannerSpeakingState ManagementStdlibStorageTata GroupTerraformTestingTier PromotionToken BudgetingToolsUAEUPIVertex AIVoice AIVotingWebAuthnWorkflowWorkload IdentityWorkload Identity FederationWritingZero-Trustembed.FSerrgroupgRPCiter.SeqmTLSslog
· Engineering ·5 min read

SPIFFE/SPIRE basics — workload identity at deploy time

Services need identity too, not just users. SPIFFE issues SVIDs (verifiable identity documents) to workloads; SPIRE is the reference issuer. The shape and the first deploy.

SPIFFESPIREWorkload IdentityZero-Trust
· Engineering ·5 min read

mTLS at the proxy — Envoy + SPIRE-issued SVIDs

Pushing mTLS into a service mesh removes it from every individual service. Envoy + SPIRE is the canonical pattern; the implementation has fewer moving parts than the architecture diagrams suggest.

mTLSEnvoySPIREService Mesh