Module 11 of 13

The SPIFFE/SPIRE Ecosystem

Real-world integrations: Vault, Cilium, CI/CD, and enterprise patterns

3 hours · 2 labs · Free

Start here

Learning objectives

  • Integrate SPIRE with HashiCorp Vault for secret management
  • Connect SPIRE with Cilium for network identity
  • Use SPIFFE identity in CI/CD pipelines
  • Understand enterprise adoption patterns and case studies
Figure: SPIFFE ecosystem integrations. SPIRE (identity provider) at the centre, integrating with Vault, Cilium, GitHub Actions, Envoy, Istio, OPA, Terraform and ArgoCD.

SPIRE does not exist in isolation. It integrates with the broader cloud-native ecosystem to provide identity for secrets management, network security, CI/CD pipelines, and GitOps workflows.

SPIRE + HashiCorp Vault

Vault can use SPIFFE identities for authentication. Instead of distributing Vault tokens (another secret to manage), a workload authenticates to Vault with its SVID. Vault verifies the SVID against the SPIRE trust bundle (for a JWT-SVID, through Vault's JWT auth method and SPIRE's OIDC discovery endpoint) and issues a Vault token with the policies appropriate to that identity.

SPIRE + Cilium

Cilium (eBPF-based networking) can use SPIFFE identities for network-level identity enforcement. This combines Kubernetes-native networking with cryptographic workload identity for defense-in-depth.

SPIFFE in CI/CD Pipelines

CI/CD pipelines are workloads too. They need identity to pull from registries, deploy to clusters, and access secrets. SPIFFE gives pipelines cryptographic identity instead of long-lived tokens.

# GitHub Actions with SPIFFE identity:
# 1. GitHub OIDC token identifies the workflow
# 2. SPIRE attests the workflow as a workload
# 3. Pipeline receives an SVID
# 4. Uses SVID to authenticate to production systems

# No long-lived secrets in GitHub!
# Identity is ephemeral and scoped to the specific workflow run

Enterprise Adoption Patterns

  • Bloomberg: Uses SPIRE for workload identity across 100,000+ services
  • Uber: Integrated SPIFFE for inter-service authentication
  • Pinterest: Uses SPIRE for zero-trust networking
  • ByteDance: Deploys SPIRE at massive scale for cloud-native identity

Real world

Where this shows up

  • Vault authentication with SPIFFE — eliminating Vault token distribution
  • CI/CD workload identity — GitHub Actions getting SPIFFE SVIDs instead of static secrets
  • Cilium with SPIFFE — combining eBPF networking with cryptographic identity
  • Terraform with SPIFFE — infrastructure provisioning tools authenticating to APIs

Common mistakes

What usually breaks

  • Using static Vault tokens alongside SPIFFE (defeats the purpose)
  • Not securing the OIDC discovery endpoint for JWT verification
  • Attempting to replace all existing auth at once instead of migrating incrementally

Alternatives

Other production approaches

Vault alone

Good for secret storage but creates its own token management problem. SPIFFE + Vault eliminates Vault token distribution.

Cloud IAM alone

Works within one cloud but breaks in multi-cloud. SPIFFE provides portable identity.

Kubernetes Service Accounts alone

Limited to one cluster, no mTLS, no automatic rotation, no federation.

Labs

Hands-on labs

Vault Authentication with SPIFFE

Configure Vault to accept SPIFFE identities for authentication.

  1. Deploy Vault with the JWT auth method
  2. Configure Vault to trust the SPIRE trust bundle
  3. Authenticate a workload using its JWT-SVID
  4. Retrieve secrets with the SPIFFE-authenticated token
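The Vault login flow described above (steps 2 and 3 of this lab), as an added Go example that is not part of this course and not code from SPIRE or Vault. A freshly generated key stands in for SPIRE Server's JWT-SVID signing key and its public half is the `TrustBundle` Vault would load from SPIRE's JWKS; `MintJWTSVID` produces the ES256 JWT-SVID a workload would fetch from its SPIRE Agent; `Login` is the Vault-side decision: verify the signature against the bundle key named by `kid`, check expiry, then apply the role's `bound_audiences` and `bound_subject` and return the policies the issued Vault token would carry. The key id `demo-key-1`, the SPIFFE IDs, the role and the policy name `payments-db-creds` are constructed values, and `VaultRole` is a simplified model of a Vault JWT-auth role, not Vault's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// TrustBundle holds a trust domain's JWT-SVID signing keys by kid, as Vault would load them from the
// JWKS served by SPIRE's bundle endpoint or OIDC discovery provider (X.509 CA entries are not used here).
type TrustBundle map[string]*ecdsa.PublicKey

// VaultRole is a simplified, hypothetical model of a Vault JWT-auth role, not Vault's real API.
type VaultRole struct {
	BoundSubject   string   // bound_subject: the one SPIFFE ID allowed to use this role
	BoundAudiences []string // bound_audiences: the SVID must carry at least one of these
	TokenPolicies  []string // token_policies: what the issued Vault token may do
}

// MintJWTSVID signs an ES256 JWT-SVID for spiffeID, scoped to aud and valid for ttlSeconds, standing in
// for what SPIRE Agent hands a workload (the workload never sees the signing key in production).
// aud is written as an array; the spec also allows a single string, which a real verifier must accept.
func MintJWTSVID(key *ecdsa.PrivateKey, kid, spiffeID string, aud []string, ttlSeconds int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"sub": spiffeID, "aud": aud, "exp": time.Now().Unix() + ttlSeconds})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err) // only on RNG failure
	}
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...))
}

// verifyJWTSVID checks structure, alg, signature (with the bundle key named by kid) and expiry and
// returns the SPIFFE ID and audiences. Nothing in the token is trusted before Verify succeeds.
func verifyJWTSVID(token string, bundle TrustBundle) (string, []string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("malformed token")
	}
	hdrJSON, e0 := b64.DecodeString(parts[0])
	body, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if e0 != nil || e1 != nil || e2 != nil || len(sig) != 64 || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return "", nil, fmt.Errorf("malformed token or unsupported alg") // alg=none is never honoured
	}
	pub, ok := bundle[hdr.Kid]
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", nil, fmt.Errorf("kid %q unknown or signature does not verify against the trust bundle", hdr.Kid)
	}
	var claims struct{ Sub string; Aud []string; Exp int64 }
	if json.Unmarshal(body, &claims) != nil || !strings.HasPrefix(claims.Sub, "spiffe://") || len(claims.Aud) == 0 {
		return "", nil, fmt.Errorf("claims lack a SPIFFE ID sub or an aud")
	}
	if claims.Exp == 0 || time.Now().Unix() >= claims.Exp {
		return "", nil, fmt.Errorf("JWT-SVID expired")
	}
	return claims.Sub, claims.Aud, nil
}

// Login is the Vault-side decision: verify the SVID against the bundle, then apply the role's
// bound_audiences and bound_subject, returning the policies the issued Vault token would carry.
func Login(token string, bundle TrustBundle, role VaultRole) ([]string, error) {
	sub, aud, err := verifyJWTSVID(token, bundle)
	if err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range aud {
		for _, want := range role.BoundAudiences {
			audOK = audOK || a == want
		}
	}
	if !audOK {
		return nil, fmt.Errorf("aud %v not in bound_audiences: this SVID was minted for another service", aud)
	}
	if sub != role.BoundSubject {
		return nil, fmt.Errorf("%s is not the SPIFFE ID bound to this role", sub)
	}
	return role.TokenPolicies, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for SPIRE Server's signing key
	bundle := TrustBundle{"demo-key-1": &key.PublicKey}
	role := VaultRole{BoundSubject: "spiffe://example.org/ns/payments/sa/api", BoundAudiences: []string{"vault"}, TokenPolicies: []string{"payments-db-creds"}}
	fmt.Println(Login(MintJWTSVID(key, "demo-key-1", role.BoundSubject, []string{"vault"}, 300), bundle, role))
	fmt.Println(Login(MintJWTSVID(key, "demo-key-1", "spiffe://example.org/ns/web/sa/frontend", []string{"vault"}, 300), bundle, role))
}
```

The first call returns `[payments-db-creds]`; the second is rejected even though the SVID is genuine, because a valid signature only proves the caller is some workload in the trust domain, and it is `bound_subject` that ties the role to one SPIFFE ID. The audience check matters for the same reason in the other direction: a JWT-SVID minted for a different service must not be reusable against Vault. In a real deployment the bundle is fetched from SPIRE and refreshed, which is why the `kid` lookup exists (keys rotate) and why the "Common mistakes" item about securing the OIDC discovery endpoint is not optional: whoever can alter the keys Vault trusts can mint identities.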

CI/CD Workload Identity

Give CI/CD pipelines SPIFFE identity instead of static credentials.

  1. Configure SPIRE to attest CI/CD runners
  2. Issue SVIDs to pipeline workloads
  3. Use the SVID to deploy to Kubernetes
  4. Remove all static credentials from the pipeline

Recap

Key takeaways

  • Vault + SPIFFE eliminates the need to distribute Vault tokens
  • CI/CD pipelines should have cryptographic identity, not static secrets
  • SPIFFE integrates with the entire CNCF ecosystem (Cilium, Envoy, OPA, Istio)
  • Enterprise adoption is real — Bloomberg, Uber, Pinterest use SPIRE at scale
  • The ecosystem is growing — early adopters have a skills advantage
