Crate spiffe

This crate provides Rust bindings for the SPIFFE Workload API.

It allows workloads to fetch and watch SPIFFE-issued X.509 and JWT SVIDs, trust bundles, and related metadata, using strongly typed APIs aligned with the SPIFFE standards.

For X.509-based workloads, the primary entry point is X509Source (requires the workload-api feature). It keeps a cached view of the latest X.509 materials and automatically tracks SVID and bundle rotation, so callers always read the current certificate, key and trust bundles rather than a stale copy.

use spiffe::{TrustDomain, X509Source};

// Connect to the Workload API using SPIFFE_ENDPOINT_SOCKET.
let source = X509Source::new().await?;

// Snapshot of current X.509 materials (SVIDs + bundles).
let context = source.x509_context()?;

// Access the default SVID.
let svid = context.default_svid().ok_or("missing svid")?;

// Inspect the certificate chain and private key.
let _cert_chain = svid.cert_chain();
let _private_key = svid.private_key();

// Access trust bundles by trust domain.
let trust_domain = TrustDomain::try_from("example.org")?;
let _bundle = context
    .bundle_set()
    .get(&trust_domain)
    .ok_or("missing bundle")?;
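As an added, self-contained illustration that is not the crate's own code (and intentionally does not depend on the crate), the block below reimplements the checks the spiffe_id module performs when it parses a SPIFFE ID, then uses the parsed trust domain to select a bundle in the same spirit as the bundle_set().get(&trust_domain) lookup above, plus an exact-match peer-ID authorization helper. The names parse_spiffe_id, IdError, ParsedSpiffeId, bundle_for_peer and is_authorized, and the bundle map holding placeholder strings instead of X509Bundle values, are assumptions of this example; the validation rules follow the SPIFFE-ID standard (lowercase trust-domain characters, non-empty path segments, no "." or ".." segments, a 2048-byte limit).

```rust
use std::collections::HashMap;

/// Validation failures for a SPIFFE ID (illustrative enum, not the crate's SpiffeIdError).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum IdError {
    Empty,
    TooLong,
    WrongScheme,
    MissingTrustDomain,
    BadTrustDomainChar(char),
    EmptyPathSegment,
    DotSegment,
    BadPathChar(char),
}

/// A parsed SPIFFE ID of the form `spiffe://<trust-domain>[/<path>]`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ParsedSpiffeId {
    pub trust_domain: String,
    /// Empty for the trust-domain root ID, otherwise begins with '/'.
    pub path: String,
}

const SCHEME_PREFIX: &str = "spiffe://";
const MAX_ID_LEN: usize = 2048; // SPIFFE-ID standard: whole ID is at most 2048 bytes
const MAX_TRUST_DOMAIN_LEN: usize = 255;

fn is_trust_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn is_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Parse and validate a SPIFFE ID. Rejecting rather than normalizing keeps one
/// identity from having several spellings that an allow-list could miss.
pub fn parse_spiffe_id(id: &str) -> Result<ParsedSpiffeId, IdError> {
    if id.is_empty() {
        return Err(IdError::Empty);
    }
    if id.len() > MAX_ID_LEN {
        return Err(IdError::TooLong);
    }
    // The scheme must be exactly lowercase "spiffe://"; no case-folding.
    let rest = id.strip_prefix(SCHEME_PREFIX).ok_or(IdError::WrongScheme)?;
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() {
        return Err(IdError::MissingTrustDomain);
    }
    if td.len() > MAX_TRUST_DOMAIN_LEN {
        return Err(IdError::TooLong);
    }
    if let Some(c) = td.chars().find(|c| !is_trust_domain_char(*c)) {
        return Err(IdError::BadTrustDomainChar(c));
    }
    // skip(1) drops the empty element before the leading '/'; any other empty
    // segment means a trailing slash or "//", both forbidden by the standard.
    for seg in path.split('/').skip(1) {
        if seg.is_empty() {
            return Err(IdError::EmptyPathSegment);
        }
        if seg == "." || seg == ".." {
            return Err(IdError::DotSegment);
        }
        if let Some(c) = seg.chars().find(|c| !is_path_char(*c)) {
            return Err(IdError::BadPathChar(c));
        }
    }
    Ok(ParsedSpiffeId { trust_domain: td.to_string(), path: path.to_string() })
}

/// Select the trust bundle for the trust domain a peer ID belongs to.
/// `bundles` is keyed by trust domain (constructed stand-in for an X509BundleSet).
/// Ok(None) means the peer's trust domain is not one we federate with.
pub fn bundle_for_peer<'a>(
    bundles: &'a HashMap<String, String>,
    peer_id: &str,
) -> Result<Option<&'a String>, IdError> {
    let parsed = parse_spiffe_id(peer_id)?;
    Ok(bundles.get(&parsed.trust_domain))
}

/// Exact-match authorization: is the (validated) peer one of the expected workloads?
pub fn is_authorized(allowed: &[&str], peer_id: &str) -> Result<bool, IdError> {
    let peer = parse_spiffe_id(peer_id)?;
    Ok(allowed
        .iter()
        .any(|a| parse_spiffe_id(a).map(|p| p == peer).unwrap_or(false)))
}

fn main() {
    // Constructed sample bundle set; values stand in for real X509Bundle objects.
    let mut bundles = HashMap::new();
    bundles.insert("example.org".to_string(), "<CA certs for example.org>".to_string());
    bundles.insert("partner.example".to_string(), "<CA certs for partner.example>".to_string());
    let peers = [
        "spiffe://example.org/ns/prod/sa/web",
        "spiffe://other.example/svc",
        "SPIFFE://example.org/x",
        "spiffe://example.org/a/../b",
    ];
    for id in peers {
        match bundle_for_peer(&bundles, id) {
            Ok(Some(b)) => println!("{id}: verify chain against {b}"),
            Ok(None) => println!("{id}: no bundle for that trust domain, reject"),
            Err(e) => println!("{id}: invalid SPIFFE ID {e:?}, reject"),
        }
    }
}
```

The lookup deliberately runs only after full validation: a malformed ID never reaches the bundle map or the allow-list, which is the same ordering the crate enforces by making SpiffeId and TrustDomain typed values that cannot be constructed from invalid input.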

JWT SVIDs

use spiffe::WorkloadApiClient;

let client = WorkloadApiClient::connect_env().await?;

let audiences = &["service-a"];
let jwt_svid = client.fetch_jwt_svid(audiences, None).await?;

let _claims = jwt_svid.claims();

Re-exports

pub use crate::spiffe_id::SpiffeId;
pub use crate::spiffe_id::SpiffeIdError;
pub use crate::spiffe_id::TrustDomain;
pub use crate::svid::jwt::JwtSvid;
pub use crate::svid::jwt::JwtSvidError;
pub use crate::svid::x509::X509Svid;
pub use crate::svid::x509::X509SvidError;
pub use crate::bundle::jwt::JwtBundle;
pub use crate::bundle::jwt::JwtBundleError;
pub use crate::bundle::jwt::JwtBundleSet;
pub use crate::bundle::x509::X509Bundle;
pub use crate::bundle::x509::X509BundleError;
pub use crate::bundle::x509::X509BundleSet;
pub use crate::workload_api::error::WorkloadApiError;
pub use crate::workload_api::LimitKind;
pub use crate::workload_api::MetricsErrorKind;
pub use crate::workload_api::MetricsRecorder;
pub use crate::workload_api::ResourceLimits;
pub use crate::workload_api::WorkloadApiClient;
pub use crate::workload_api::X509Context;
pub use crate::workload_api::X509Source;
pub use crate::workload_api::X509SourceBuilder;
pub use crate::workload_api::X509SourceUpdates;
pub use crate::endpoint::Endpoint;
pub use crate::endpoint::EndpointError;

Modules

bundle: X.509 bundle and JWT bundle types.
cert: Certificate and PrivateKey types and helpers.
constants: Module defining constants used within the Rust-Spiffe library.
endpoint: SPIFFE endpoint parsing and validation.
spiffe_id: SPIFFE-ID and TrustDomain types compliant with the SPIFFE standard.
svid: X.509-SVID and JWT-SVID types.
transport: gRPC utilities (tonic-based).
workload_api: A client to interact with the SPIFFE Workload API to fetch X.509 and JWT materials.