SPIFFE Ecosystem

Official and community projects in the SPIFFE ecosystem

SPIFFE is supported by a broad ecosystem of projects, ranging from the core specifications and their reference implementation through to SDKs, deployment tooling, and the many open-source and commercial platforms that issue or consume SPIFFE identities.

This page collects some of the more notable projects, grouped by what they do. Each one is marked as a SPIFFE official project, a community project, or a commercial offering. The list is not exhaustive - if a project is missing, contributions are welcome via a pull request to this site.

Key: SPIFFE official project | Community project | Commercial project

SPIRE & Plugins

SPIRE, the reference implementation of SPIFFE, along with the plugins and tooling that extend and operate it.

  • SPIRE - The SPIFFE Runtime Environment - the reference implementation of SPIFFE, handling node and workload attestation and SVID issuance and rotation.
  • SPIRE Controller Manager - Manages SPIRE registration entries and federation relationships from Kubernetes custom resources.
  • SPIRE Hardened Helm Charts - A suite of production-hardened Helm charts for deploying SPIRE on Kubernetes.
  • SPIRE Identity Exchange - Standalone service that allows platform-native tokens, such as GitHub Actions or GitLab OIDC tokens, to be exchanged for SPIRE-issued SVIDs.
  • Tornjak - A management UI that provides visibility and governance across one or more SPIRE deployments.
  • SPIRE TPM Plugin - Agent and server plugins that add TPM 2.0-based node attestation to SPIRE.

SDKs & Libraries

Fetch and validate SPIFFE identities directly from your application code.

Deployment & Workload Helpers

Deliver SPIFFE identities to workloads, and bridge them to platforms that do not speak the Workload API natively.

  • SPIFFE CSI Driver - A Kubernetes CSI driver that exposes the SPIFFE Workload API socket to pods.
  • SPIFFE Helper - Fetches and rotates SVIDs to disk for workloads that cannot call the Workload API themselves.
  • AWS SPIFFE Workload Helper - Exchanges SPIFFE SVIDs for AWS credentials via IAM Roles Anywhere.

Secrets Management

Secrets managers that store secrets and allow SPIFFE-authenticated workloads to retrieve them.

  • SPIKE - A SPIFFE-native secrets manager that allows workloads to use SPIFFE authentication to retrieve secrets.
  • VMware Secrets Manager - A Kubernetes-native secrets manager with support for SPIFFE authentication.
  • HashiCorp Vault - Secrets manager with support for SPIFFE authentication.
  • Infisical - Secrets manager with support for SPIFFE authentication.

Service Meshes & Proxies

Service meshes and proxies that use SPIFFE identities to authenticate and secure traffic between workloads.

  • Envoy - Service proxy that can consume SVIDs over the Envoy SDS API to establish mTLS.
  • Istio - Service mesh that issues SPIFFE identities to the workloads in the mesh.
  • Ghostunnel - A TLS proxy that attaches to the SPIFFE Workload API to authenticate connections.
  • HashiCorp Consul - Service mesh that can issue SPIFFE identities to the services it manages.