Crate spiffe

Rust client library for the SPIFFE Workload API.

This crate provides standards-compliant access to SPIFFE identities and trust material. It allows workloads to fetch and watch SPIFFE-issued X.509 and JWT SVIDs, trust bundles, and related metadata, using strongly typed APIs aligned with the SPIFFE specifications.

§Quick Start

For X.509-based workloads, use X509Source (requires the x509-source feature):

```rust
use spiffe::{bundle::BundleSource, TrustDomain, X509Source};

// The async fn and boxed error are the boilerplate rustdoc hides in this snippet.
async fn x509_quick_start() -> Result<(), Box<dyn std::error::Error>> {
    // Connect to the Workload API and start watching for SVID and bundle updates.
    let source = X509Source::new().await?;
    let _svid = source.svid()?;
    let trust_domain = TrustDomain::try_from("example.org")?;
    // The lookup returns Option: None means no bundle is held for that trust domain.
    let _bundle = source
        .bundle_for_trust_domain(&trust_domain)?
        .ok_or("missing bundle")?;
    Ok(())
}
```

For JWT-based workloads, use JwtSource (requires the jwt-source feature):

```rust
use spiffe::{bundle::BundleSource, TrustDomain, JwtSource};

// The async fn and boxed error are the boilerplate rustdoc hides in this snippet.
async fn jwt_quick_start() -> Result<(), Box<dyn std::error::Error>> {
    let source = JwtSource::new().await?;
    // Request a JWT-SVID scoped to the listed audiences.
    let _jwt_svid = source.get_jwt_svid(&["service-a", "service-b"]).await?;
    let trust_domain = TrustDomain::try_from("example.org")?;
    // The lookup returns Option: None means no bundle is held for that trust domain.
    let _bundle = source
        .bundle_for_trust_domain(&trust_domain)?
        .ok_or("missing bundle")?;
    Ok(())
}
```

For direct Workload API access, use WorkloadApiClient (requires a workload-api-* feature):

```rust
use spiffe::WorkloadApiClient;
// The async fn and boxed error are the boilerplate rustdoc hides in this snippet.
async fn workload_api_quick_start() -> Result<(), Box<dyn std::error::Error>> {
    let client = WorkloadApiClient::connect_env().await?; // endpoint taken from the environment
    let _jwt_svid = client.fetch_jwt_svid(&["audience"], None).await?;
    Ok(())
}
```

§Feature Matrix

The crate has no default features — everything is opt-in.

Most users should enable x509-source (for X.509 workloads), jwt-source (for JWT workloads), or a workload-api-* bundle (for direct Workload API access). The granular features exist to let you minimize dependency surface when you only need X.509 or only need JWT.

| Feature | Description |
|---|---|
| x509 | X.509 SVID and bundle types + parsing (gates heavy ASN.1/X.509 deps) |
| transport | Endpoint parsing (no runtime deps) |
| transport-grpc | gRPC connector |
| jwt | JWT SVID and bundle types + parsing |
| jwt-verify-rust-crypto | Offline JWT verification (rust-crypto backend) |
| jwt-verify-aws-lc-rs | Offline JWT verification (aws-lc-rs backend) |
| logging | Log-based observability |
| tracing | Tracing-based observability |

§Workload API bundles

These features enable the async Workload API client (WorkloadApiClient). Choose the smallest bundle that matches your use case:

| Feature | Includes |
|---|---|
| workload-api-x509 | Workload API client + X.509 support (no JWT) |
| workload-api-jwt | Workload API client + JWT support (no X.509) |
| workload-api | Workload API client with both X.509 + JWT support |
| workload-api-full | Alias/bundle for both X.509 + JWT support (same capability as workload-api) |

§Advanced / compositional

| Feature | Description |
|---|---|
| workload-api-core | Workload API infrastructure only (transport/proto/client plumbing; no X.509/JWT parsing/types) |
| x509-source | High-level X.509 watcher/caching built on the Workload API |
| jwt-source | High-level JWT watcher/caching built on the Workload API |

Notes:

  • The x509 feature gates heavy X.509 parsing dependencies.
  • For direct Workload API usage, use workload-api-x509 or workload-api-jwt when you only need one, and workload-api (or workload-api-full) when you need both.

§X.509

```rust
use spiffe::{TrustDomain, X509Source};
use spiffe::bundle::BundleSource;

// The async fn and boxed error are the boilerplate rustdoc hides in this snippet.
async fn x509_example() -> Result<(), Box<dyn std::error::Error>> {
    // Connect to the Workload API and start watching for SVID and bundle updates.
    let source = X509Source::new().await?;
    let _svid = source.svid()?;
    let trust_domain = TrustDomain::try_from("example.org")?;
    // The lookup returns Option: None means no bundle is held for that trust domain.
    let _bundle = source
        .bundle_for_trust_domain(&trust_domain)?
        .ok_or("missing bundle")?;
    Ok(())
}
```

For advanced configuration, see the x509_source and jwt_source modules.

§Re-exports

pub use crate::spiffe_id::SpiffeId;
pub use crate::spiffe_id::SpiffeIdError;
pub use crate::spiffe_id::TrustDomain;
pub use crate::svid::jwt::JwtSvid;
pub use crate::svid::jwt::JwtSvidError;
pub use crate::svid::x509::X509Svid;
pub use crate::svid::x509::X509SvidError;
pub use crate::bundle::jwt::JwtBundle;
pub use crate::bundle::jwt::JwtBundleError;
pub use crate::bundle::jwt::JwtBundleSet;
pub use crate::bundle::x509::X509Bundle;
pub use crate::bundle::x509::X509BundleError;
pub use crate::bundle::x509::X509BundleSet;
pub use crate::workload_api::X509Context;
pub use crate::workload_api::WorkloadApiClient;
pub use crate::workload_api::WorkloadApiError;
pub use crate::x509_source::ReconnectConfig as X509ReconnectConfig;
pub use crate::x509_source::ResourceLimits as X509ResourceLimits;
pub use crate::x509_source::X509Source;
pub use crate::x509_source::X509SourceBuilder;
pub use crate::x509_source::X509SourceError;
pub use crate::x509_source::X509SourceUpdates;
pub use crate::jwt_source::JwtSource;
pub use crate::jwt_source::JwtSourceBuilder;
pub use crate::jwt_source::JwtSourceError;
pub use crate::jwt_source::JwtSourceUpdates;
pub use crate::jwt_source::ReconnectConfig;
pub use crate::jwt_source::ReconnectConfig as JwtReconnectConfig;
pub use crate::jwt_source::ResourceLimits;
pub use crate::jwt_source::ResourceLimits as JwtResourceLimits;

§Modules

| Module | Description |
|---|---|
| bundle | X.509 bundle and JWT bundle types. |
| cert | Certificate and PrivateKey types and helpers. |
| constants | Module defining constants used within the Rust-Spiffe library. |
| jwt_source | JWT Source: high-level watcher/caching abstraction for JWT bundles. |
| spiffe_id | SPIFFE-ID and TrustDomain types compliant with the SPIFFE standard. |
| svid | X.509-SVID and JWT-SVID types. |
| transport | Transport primitives (endpoint parsing, optional gRPC connector). |
| workload_api | A client to interact with the SPIFFE Workload API to fetch X.509 and JWT materials. |
| x509_source | X.509 Source: high-level watcher/caching abstraction. |
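The spiffe_id module's SpiffeId and TrustDomain types are what make `TrustDomain::try_from("example.org")?` in the Quick Start fallible: an identity string is rejected unless it meets the SPIFFE-ID standard. The following is an added, dependency-free illustration of that validation written for this page; it is not the crate's own spiffe_id implementation, and the crate's exact rules may differ in detail. The character sets and the limits (2048 bytes for the whole ID, 255 for the trust domain) are taken from the SPIFFE-ID standard; the function and error names are this example's own.

```rust
// Added example, not the spiffe crate's spiffe_id module: a strict parser for
// SPIFFE IDs of the form spiffe://<trust-domain>[/<path>] per the SPIFFE-ID standard.

/// The two components of a parsed SPIFFE ID.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeIdParts {
    pub trust_domain: String,
    /// Empty when the ID names the trust domain itself.
    pub path: String,
}

/// One variant per rule, so a rejection can be logged precisely
/// without echoing the untrusted input into the log line.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SpiffeIdParseError {
    Empty,
    TooLong,
    WrongScheme,
    MissingTrustDomain,
    TrustDomainTooLong,
    BadTrustDomainChar(char),
    EmptyPathSegment,
    DotPathSegment,
    BadPathChar(char),
    TrailingSlash,
}

const SCHEME: &str = "spiffe://";
const MAX_ID_LEN: usize = 2048; // whole ID, in bytes (SPIFFE-ID standard)
const MAX_TRUST_DOMAIN_LEN: usize = 255; // SPIFFE-ID standard

// Trust domains are lowercase only. Uppercase is rejected, not case-folded,
// so two spellings can never alias the same trust domain.
fn trust_domain_char_ok(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn path_char_ok(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

pub fn parse_spiffe_id(input: &str) -> Result<SpiffeIdParts, SpiffeIdParseError> {
    use SpiffeIdParseError::*;

    if input.is_empty() {
        return Err(Empty);
    }
    if input.len() > MAX_ID_LEN {
        return Err(TooLong);
    }
    // Exact, case-sensitive scheme match: "SPIFFE://..." is not a SPIFFE ID.
    let rest = input.strip_prefix(SCHEME).ok_or(WrongScheme)?;

    // Everything before the first '/' is the trust domain; the rest is the path.
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };

    if td.is_empty() {
        return Err(MissingTrustDomain);
    }
    if td.len() > MAX_TRUST_DOMAIN_LEN {
        return Err(TrustDomainTooLong);
    }
    if let Some(c) = td.chars().find(|c| !trust_domain_char_ok(*c)) {
        // Also rejects '@' and ':', so userinfo and ports cannot sneak in.
        return Err(BadTrustDomainChar(c));
    }

    if !path.is_empty() {
        if path.ends_with('/') {
            return Err(TrailingSlash);
        }
        for seg in path[1..].split('/') {
            if seg.is_empty() {
                return Err(EmptyPathSegment);
            }
            if seg == "." || seg == ".." {
                // Relative segments would let "/a/../b" collide with "/b".
                return Err(DotPathSegment);
            }
            if let Some(c) = seg.chars().find(|c| !path_char_ok(*c)) {
                return Err(BadPathChar(c));
            }
        }
    }

    Ok(SpiffeIdParts { trust_domain: td.to_string(), path: path.to_string() })
}

/// True when `id` belongs to `trust_domain`: the check a peer makes before
/// validating the other side's SVID against that trust domain's bundle.
pub fn member_of(id: &SpiffeIdParts, trust_domain: &str) -> bool {
    id.trust_domain == trust_domain
}

fn main() {
    // Constructed inputs: one valid ID and one with an uppercase trust domain.
    for s in ["spiffe://example.org/service-a", "spiffe://Example.org/service-a"] {
        match parse_spiffe_id(s) {
            Ok(id) => println!("{}: trust domain {} path {:?}", s, id.trust_domain, id.path),
            Err(e) => println!("{}: rejected ({:?})", s, e),
        }
    }
}
```

The design choice worth copying is that every rejection is a distinct variant and nothing is normalised: a caller that compares the parsed trust domain against the one it expects (as `member_of` does, and as `bundle_for_trust_domain` does by key) only ever sees canonical values, so a lookalike such as an uppercase or dot-segment variant of an identity can never match a bundle or an authorization rule.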