spire-api
A Rust library providing access to SPIRE-specific gRPC APIs that are not part of the core SPIFFE standards.
This crate is intended for applications and services that need to interact directly with SPIRE agent or server APIs beyond the Workload API.
Scope
Currently supported APIs include:
- Delegated Identity API
Allows authorized workloads to obtain X.509 and JWT SVIDs (and bundles) on behalf of other workloads that cannot be directly attested by the SPIRE agent.
This is particularly useful in advanced or constrained environments where direct workload attestation is not feasible.
Installation
Add spire-api to your Cargo.toml:
```toml
[dependencies]
spire-api = "0.4.0"
```
Quick start
Fetch a delegated X.509 SVID using selector-based attestation:
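```rust
use spire_api::{DelegateAttestationRequest, DelegatedIdentityClient};
use spire_api::selectors;

// Connect using the endpoint configured in the environment.
let client = DelegatedIdentityClient::connect_env().await?;

// The selector is an illustrative value (assumption): the target workload's Unix UID.
let x509_svid = client
    .fetch_x509_svid(DelegateAttestationRequest::Selectors(vec![
        selectors::Selector::Unix(selectors::Unix::Uid(1000)),
    ]))
    .await?;
```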
JWT SVIDs and trust bundles can be fetched using the corresponding client methods.
Delegated Identity API
For background and protocol-level details, see the SPIRE Delegated Identity API documentation.
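The agent serves this API only to callers it has been configured to trust. The fragment below is an illustrative SPIRE agent configuration that enables the admin socket and names a single delegate; it is an added example, not part of this crate, and the socket path and SPIFFE ID are constructed values.

```hcl
agent {
    # ... existing agent settings (trust_domain, server_address, ...) ...

    # The Delegated Identity API is served on the agent's admin socket,
    # which stays disabled unless a path is set. Constructed path.
    admin_socket_path = "/run/spire/admin/api.sock"

    # Only workloads attested with one of these SPIFFE IDs may request
    # SVIDs on behalf of other workloads. Keep the list as short as
    # possible: every entry can obtain identities for other workloads.
    # Constructed SPIFFE ID.
    authorized_delegates = [
        "spiffe://example.org/delegate-proxy",
    ]
}
```

Restrict filesystem access to the admin socket to the delegate process, since it exposes more than the Workload API socket does.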
Documentation
Full API documentation is available on docs.rs.
License
Licensed under the Apache License, Version 2.0. See LICENSE for details.