SPIFFE Ecosystem
Official and community projects in the SPIFFE ecosystem
SPIFFE is supported by a broad ecosystem of projects, ranging from the core specifications and their reference implementation through to SDKs, deployment tooling, and the many open-source and commercial platforms that issue or consume SPIFFE identities.
This page collects some of the more notable projects, grouped by what they do. Each one is marked as a SPIFFE official project, a community project, or a commercial offering. The list is not exhaustive - if a project is missing, contributions are welcome via a pull request to this site.
Key: SPIFFE official project | Community project | Commercial project
SPIRE & Plugins
SPIRE, the reference implementation of SPIFFE, along with the plugins and tooling that extend and operate it.
- SPIRE - The SPIFFE Runtime Environment - the reference implementation of SPIFFE, handling node and workload attestation and SVID issuance and rotation.
- SPIRE Controller Manager - Manages SPIRE registration entries and federation relationships from Kubernetes custom resources.
- SPIRE Hardened Helm Charts - A suite of production-hardened Helm charts for deploying SPIRE on Kubernetes.
- SPIRE Identity Exchange - Standalone service that allows platform-native tokens, such as GitHub Actions or GitLab OIDC tokens, to be exchanged for SPIRE-issued SVIDs.
- Tornjak - A management UI that provides visibility and governance across one or more SPIRE deployments.
- SPIRE TPM Plugin - Agent and server plugins that add TPM 2.0-based node attestation to SPIRE.
SDKs & Libraries
Fetch and validate SPIFFE identities directly from your application code.
- go-spiffe - SPIFFE SDK for Go.
- java-spiffe - SPIFFE SDK for Java.
- py-spiffe - SPIFFE SDK for Python.
- rust-spiffe - SPIFFE SDK for Rust.
Deployment & Workload Helpers
Deliver SPIFFE identities to workloads, and bridge them to platforms that do not speak the Workload API natively.
- SPIFFE CSI Driver - A Kubernetes CSI driver that exposes the SPIFFE Workload API socket to pods.
- SPIFFE Helper - Fetches and rotates SVIDs to disk for workloads that cannot call the Workload API themselves.
- AWS SPIFFE Workload Helper - Exchanges SPIFFE SVIDs for AWS credentials via IAM Roles Anywhere.
Secrets Management
Secrets managers that store secrets and allow SPIFFE-authenticated workloads to retrieve them.
- SPIKE - A SPIFFE-native secrets manager that allows workloads to use SPIFFE authentication to retrieve secrets.
- VMware Secrets Manager - A Kubernetes-native secrets manager with support for SPIFFE authentication.
- HashiCorp Vault - Secrets manager with support for SPIFFE authentication.
- Infisical - Secrets manager with support for SPIFFE authentication.
Service Meshes & Proxies
Service meshes and proxies that use SPIFFE identities to authenticate and secure traffic between workloads.
- Envoy - Service proxy that can consume SVIDs over the Envoy SDS API to establish mTLS.
- Istio - Service mesh that issues SPIFFE identities to the workloads in the mesh.
- Ghostunnel - A TLS proxy that attaches to the SPIFFE Workload API to authenticate connections.
- HashiCorp Consul - Service mesh that can issue SPIFFE identities to the services it manages.