
Module 3: SPIFFE Fundamentals Slides

Slide walkthrough for Module 3 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: The specification that defines how workload identity...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. SPIFFE Fundamentals - The specification that defines how workload identity works
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - SPIFFE is the specification that every SPIRE deployment implements. Understanding SPIFFE means you can evaluate any workload identity solution
  4. What Problems Does SPIFFE Solve? - Lesson section from the full module
  5. SPIFFE Trust Domains - Lesson section from the full module
  6. SPIFFE IDs - Lesson section from the full module
  7. SPIFFE Verifiable Identity Documents (SVIDs) - Lesson section from the full module
  8. The SPIFFE Workload API - Lesson section from the full module
  9. Identity Lifecycle - Lesson section from the full module
  10. SPIFFE Federation - Lesson section from the full module
  11. Real-World Use Cases - Multi-cloud identity — same SPIFFE IDs work across AWS, GCP, Azure, Kubernetes to VM communication — heterogeneous environments sharing trust
  12. Common Mistakes to Avoid - 5 mistakes covered
  13. Hands-On Labs - 2 hands-on labs
  14. Key Takeaways - 6 points to remember

Learning Objectives

  • Understand the SPIFFE specification and its components
  • Learn SPIFFE ID format and trust domains
  • Master X.509-SVIDs and JWT-SVIDs
  • Use the SPIFFE Workload API

Why This Module Matters

SPIFFE is the specification that every SPIRE deployment implements. Understanding SPIFFE means you can evaluate any workload identity solution — not just SPIRE — and make informed architecture decisions. This module teaches you the standard itself, so your knowledge transcends any single implementation.

Common Mistakes

  • Incorrect trust domain naming — using internal hostnames instead of stable domain names
  • Hardcoding SPIFFE IDs in application code instead of having them assigned through registration selectors and fetched from the Workload API at runtime
  • Using JWT-SVID where X.509-SVID is required (e.g., for mTLS): a JWT-SVID is a bearer token and cannot bind the identity to the TLS channel
  • Not planning SPIFFE ID path schemas before deployment — hard to change later
  • Confusing SPIFFE (the spec) with SPIRE (the implementation)

Key Takeaways

  • SPIFFE is a specification, not an implementation — SPIRE is the implementation
  • Trust domains are the root of trust; each is identified by a name in domain-name form (it does not need to resolve in DNS) and has its own trust bundle of CA certificates and JWT signing keys
  • SPIFFE IDs are URIs: spiffe://trust-domain/path
  • X.509-SVIDs are for mTLS, where the identity is bound to the TLS channel; JWT-SVIDs are audience-scoped bearer tokens for HTTP APIs, typically where mTLS is terminated by a proxy or load balancer
  • The Workload API is served over a Unix domain socket and the workload presents no credentials: the agent identifies the calling process itself (workload attestation) and returns its SVIDs and trust bundle
  • Federation enables cross-trust-domain communication

Hands-On Labs

  1. Exploring SPIFFE IDs

    Understand SPIFFE ID format and naming conventions.

    • Design SPIFFE ID schemas for a microservice application
    • Map Kubernetes namespaces and service accounts to SPIFFE ID paths
    • Validate SPIFFE IDs against the specification

    View lab files on GitHub
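
As an added example for this lab (not the course's own lab files), a SPIFFE ID validator in Go using only the standard library, plus a builder for the ns/<namespace>/sa/<serviceaccount> path layout that SPIRE's Kubernetes registration tooling uses by default. The trust domain example.org and the sample IDs are assumptions. The rules it enforces are the ones in the SPIFFE ID standard: lowercase spiffe scheme, a trust domain of lowercase letters, digits, dots, dashes and underscores with no port or userinfo, path segments that are non-empty, not "." or "..", without percent-encoding, no trailing slash, and size limits of 255 bytes for the trust domain and 2048 bytes overall.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const (
	spiffeScheme      = "spiffe://"
	maxIDLen          = 2048 // byte limits from the SPIFFE ID standard
	maxTrustDomainLen = 255
)

// SPIFFEID is a parsed, validated SPIFFE ID.
type SPIFFEID struct {
	TrustDomain string
	Path        string // "" for the trust domain's own ID, otherwise starts with "/"
}

func (id SPIFFEID) String() string { return spiffeScheme + id.TrustDomain + id.Path }

func isTrustDomainChar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

func isPathChar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		(c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

// validSegment enforces the rules for one path segment: non-empty, not "." or
// "..", and only [A-Za-z0-9._-], which also excludes "/", "%", "?" and "#".
func validSegment(seg string) error {
	if seg == "" || seg == "." || seg == ".." {
		return fmt.Errorf("path segment %q is not allowed", seg)
	}
	for i := 0; i < len(seg); i++ {
		if !isPathChar(seg[i]) {
			return fmt.Errorf("invalid character %q in path segment %q", seg[i], seg)
		}
	}
	return nil
}

// ParseSPIFFEID validates s against the SPIFFE ID standard: lowercase
// "spiffe://" scheme, a trust domain of [a-z0-9._-] (so no port or userinfo)
// of at most 255 bytes, an optional path of valid segments with no trailing
// slash, and at most 2048 bytes in total.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	if len(s) > maxIDLen {
		return SPIFFEID{}, fmt.Errorf("SPIFFE ID longer than %d bytes", maxIDLen)
	}
	if !strings.HasPrefix(s, spiffeScheme) {
		return SPIFFEID{}, errors.New("scheme must be lowercase spiffe://")
	}
	td, rest, hasPath := strings.Cut(s[len(spiffeScheme):], "/")
	if td == "" || len(td) > maxTrustDomainLen {
		return SPIFFEID{}, fmt.Errorf("trust domain must be 1..%d bytes", maxTrustDomainLen)
	}
	for i := 0; i < len(td); i++ {
		if !isTrustDomainChar(td[i]) {
			return SPIFFEID{}, fmt.Errorf("invalid character %q in trust domain %q", td[i], td)
		}
	}
	id := SPIFFEID{TrustDomain: td}
	if !hasPath {
		return id, nil
	}
	// rest is everything after the first "/"; a trailing "/" or "//" shows up as an empty segment.
	for _, seg := range strings.Split(rest, "/") {
		if err := validSegment(seg); err != nil {
			return SPIFFEID{}, err
		}
	}
	id.Path = "/" + rest
	return id, nil
}

// KubernetesID builds spiffe://<td>/ns/<namespace>/sa/<serviceaccount>. Each
// component must be a single valid segment, so a namespace such as
// "prod/sa/admin" cannot smuggle extra segments in and impersonate another workload.
func KubernetesID(trustDomain, namespace, serviceAccount string) (SPIFFEID, error) {
	for _, part := range []string{namespace, serviceAccount} {
		if err := validSegment(part); err != nil {
			return SPIFFEID{}, err
		}
	}
	return ParseSPIFFEID(spiffeScheme + trustDomain + "/ns/" + namespace + "/sa/" + serviceAccount)
}

func main() {
	for _, s := range []string{
		"spiffe://example.org", "spiffe://example.org/ns/prod/sa/payments",
		"spiffe://example.org/ns/prod/", "spiffe://Example.org/ns/prod",
		"spiffe://example.org:8443/ns/prod", "spiffe://example.org/ns/../sa/admin",
		"spiffe://example.org/ns/prod%2Fsa/admin",
	} {
		id, err := ParseSPIFFEID(s)
		fmt.Printf("%-42s -> path=%q err=%v\n", s, id.Path, err)
	}
	_, err := KubernetesID("example.org", "prod/sa/admin", "x")
	fmt.Println("namespace with slash:", err)
}
```

The component check in KubernetesID is the security-relevant detail: the ID produced from an unchecked namespace would still parse as a valid SPIFFE ID, so validation of the final string alone does not catch a name that changes the path's shape.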

  2. Working with SVID Formats

    Inspect and compare X.509-SVIDs and JWT-SVIDs.

    • Generate a sample X.509-SVID and inspect its SAN field
    • Generate a sample JWT-SVID and decode its claims
    • Compare the two formats and discuss when to use each

    View lab files on GitHub
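
To go with the first bullet of this lab, an added example (not the lab's own files) in Go using only the standard library: it mints a certificate shaped like an X.509-SVID, signed by a throwaway CA that stands in for the trust domain's bundle, and then applies the checks a peer makes before trusting it: chain validation against the bundle, CA=false, and exactly one URI SAN with the spiffe scheme, which is where the SPIFFE ID lives (the Subject is not used for identity). The trust domain example.org, the CA name and the sample ID are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NewX509SVID mints a leaf shaped like an X.509-SVID: the SPIFFE ID is the
// single URI SAN, CA=false, digitalSignature key usage, server and client auth
// EKUs and a short lifetime. It is signed by a throwaway CA generated here,
// which plays the role of the trust domain's bundle.
func NewX509SVID(spiffeID string) (leaf, ca *x509.Certificate, err error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.org trust domain CA"}, // assumed name
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		URIs:         []*url.URL{uri}, // the SPIFFE ID lives here, not in the Subject
		NotBefore:    now, NotAfter: now.Add(time.Hour), // SVIDs are short-lived and rotated
		BasicConstraintsValid: true, // IsCA stays false
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, ca, err
}

// SPIFFEIDFromCert applies the checks a peer makes on a presented X.509-SVID
// before using its identity: the chain validates against the trust bundle,
// the cert is not a CA, and it carries exactly one URI SAN with the spiffe
// scheme. That SAN is the SPIFFE ID; the Subject is never used for identity.
func SPIFFEIDFromCert(leaf, ca *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("does not chain to the trust bundle: %w", err)
	}
	if leaf.IsCA {
		return "", errors.New("CA certificates are not SVIDs")
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("expected exactly one spiffe URI SAN, got %v", leaf.URIs)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	leaf, ca, err := NewX509SVID("spiffe://example.org/ns/prod/sa/payments")
	if err != nil {
		panic(err)
	}
	fmt.Printf("URI SANs: %v\nIsCA: %v\nSubject: %q\nNotAfter: %s\n",
		leaf.URIs, leaf.IsCA, leaf.Subject.String(), leaf.NotAfter.Format(time.RFC3339))
	id, err := SPIFFEIDFromCert(leaf, ca)
	fmt.Println("peer SPIFFE ID:", id, "err:", err)
	_, err = SPIFFEIDFromCert(ca, ca)
	fmt.Println("CA presented as an SVID:", err)
}
```

Run with go run and compare the printed SAN with the empty Subject: an X.509-SVID may carry no Subject at all, which is why code that reads the CommonName to identify a peer breaks with SPIFFE.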
