pub struct WorkloadIdentity {
pub spiffe_id: Option<String>,
pub trust_domain: Option<String>,
pub attested_at: Option<DateTime<Utc>>,
pub attestor: Option<String>,
pub selectors: Vec<String>,
pub client_id: Option<String>,
}Expand description
SPIFFE-style workload identity, used for both inbound callers
(SecurityExtension.caller_workload — added in a subsequent slice)
and our own outbound identity (SecurityExtension.this_workload).
Distinct from SubjectExtension (the human/agent caller) and
ClientExtension (the OAuth client, added in a subsequent slice).
Where Subject is “who”, Client is “what app”, Workload is
“which attested process” — typically established at the network
edge via mTLS or a SPIFFE attestation API and never present on
the same request as an unauthenticated principal.
Populated by the framework / identity-resolver plugin from
attestation evidence. Plugins read it via the read_workload
capability.
Fields§
§spiffe_id: Option<String>SPIFFE-SVID identifier — spiffe://<trust-domain>/<path>.
Set when the workload presented a SPIFFE-SVID (X.509 or JWT)
or otherwise carries a SPIFFE-shaped identity.
trust_domain: Option<String>Trust domain extracted from the SPIFFE-SVID (or supplied by the attestation source for non-SPIFFE attestors). Lets policy authors gate on the trust boundary without parsing the URI.
attested_at: Option<DateTime<Utc>>When the attestation was performed. Useful for stale-evidence rejection in policy. Populated by the attestor; the framework doesn’t refresh it on its own.
attestor: Option<String>Name of the attestor that vouched for the workload — mtls,
spire-agent, aws-iid, gke-workload-identity, etc. The
vocabulary is open; operators document the values they use.
selectors: Vec<String>SPIFFE workload selectors — k8s:ns:foo, unix:uid:1000, …
Empty when no selectors were attached (the SPIFFE-ID alone is
the workload’s identity).
client_id: Option<String>OAuth client_id, when the workload also carries one. Kept
alongside SPIFFE so call sites with both shapes (a SPIFFE
workload that’s also registered as an OAuth client to a
dynamic-client-registration IdP) don’t have to populate two
extensions. The OAuth client’s authorization data
(scopes / audiences / claims) lives on the separate
ClientExtension slot, not here.
Trait Implementations§
Source§impl Clone for WorkloadIdentity
impl Clone for WorkloadIdentity
Source§fn clone(&self) -> WorkloadIdentity
fn clone(&self) -> WorkloadIdentity
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more