This crate provides Rust bindings for the SPIFFE Workload API.
It allows workloads to fetch and watch SPIFFE-issued X.509 and JWT SVIDs, trust bundles, and related metadata, using strongly typed APIs that comply with the SPIFFE standards.
The primary entry point for X.509-based workloads is X509Source, which
maintains a live connection to the Workload API and automatically tracks
SVID and bundle rotation.
X.509 (recommended)

```rust
use spiffe::{TrustDomain, X509Source};

// Connect to the Workload API using the socket named by SPIFFE_ENDPOINT_SOCKET
let source = X509Source::new().await?;

// Get the current X.509 context (SVIDs + bundles); the source keeps it fresh across rotations
let context = source.x509_context()?;

// Access the default SVID
let svid = context.default_svid().ok_or("missing svid")?;

// Inspect the certificate chain and private key
let cert_chain = svid.cert_chain();
let private_key = svid.private_key();

// Access trust bundles by trust domain; a missing bundle is an error, not a panic
let trust_domain = TrustDomain::try_from("example.org")?;
let bundle = context
    .bundle_set()
    .get_bundle(&trust_domain)
    .ok_or("missing bundle for trust domain")?;
```
JWT SVIDs

JWT-based identity is supported via WorkloadApiClient and related types.

```rust
use spiffe::{JwtSvid, WorkloadApiClient};

let mut client = WorkloadApiClient::default().await?;

// Audiences the token must be scoped to; the Workload API refuses an empty list
let audiences = &["service-a"];
let jwt_svid = client.fetch_jwt_svid(audiences, None).await?;
let claims = jwt_svid.claims();
```

Features

- spiffe-types: Core SPIFFE types (IDs, SVIDs, bundles)
- workload-api: Workload API client and streaming support

Most users should enable both features (default).
Re-exports

- pub use crate::bundle::jwt::JwtBundle;
- pub use crate::bundle::jwt::JwtBundleError;
- pub use crate::bundle::jwt::JwtBundleSet;
- pub use crate::bundle::x509::X509Bundle;
- pub use crate::bundle::x509::X509BundleError;
- pub use crate::bundle::x509::X509BundleSet;
- pub use crate::bundle::BundleSource;
- pub use crate::spiffe_id::SpiffeId;
- pub use crate::spiffe_id::SpiffeIdError;
- pub use crate::spiffe_id::TrustDomain;
- pub use crate::svid::jwt::JwtSvid;
- pub use crate::svid::jwt::JwtSvidError;
- pub use crate::svid::x509::X509Svid;
- pub use crate::svid::x509::X509SvidError;
- pub use crate::svid::SvidSource;
- pub use crate::workload_api::client::WorkloadApiClient;
- pub use crate::workload_api::x509_context::X509Context;
- pub use crate::workload_api::x509_source::X509Source;
- pub use crate::workload_api::x509_source::X509SourceBuilder;
Modules
- bundle
- X.509 bundle and JWT bundle types.
- cert
- Certificate and PrivateKey types and functions.
- constants
- Module defining constants used within the Rust-Spiffe library.
- endpoint
- Provides functions to validate SPIFFE socket endpoint paths.
- error
- Error types for Workload API client operations.
- spiffe_id
- SPIFFE-ID and TrustDomain types compliant with the SPIFFE standard.
- svid
- X.509-SVID and JWT-SVID types.
- workload_api
- A client to interact with the Workload API to fetch X.509 and JWT materials.
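The spiffe_id module above provides SpiffeId and TrustDomain types that are "compliant with the SPIFFE standard", and the X.509 example relies on that when it calls TrustDomain::try_from("example.org") and then looks a bundle up by trust domain. The following is an added example, not code from the spiffe crate or its authors: a small stand-alone parser that enforces the SPIFFE-ID syntax rules (the spiffe:// scheme, a lowercase trust domain, path segments that are non-empty, never "." or "..", and drawn from a restricted character set, no trailing slash), plus the kind of peer-authorization check a service performs on the SPIFFE ID it extracts from a client SVID. The type and function names (SpiffeIdParts, ParseError, parse_spiffe_id, authorize_peer) are this example's own, not the crate's API; the crate's SpiffeId type does this validation for you.

```rust
// Added example: a minimal SPIFFE-ID parser following the SPIFFE-ID standard.
// Not the spiffe crate's code; names below are this example's own.
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct SpiffeIdParts {
    pub trust_domain: String,
    /// Empty for a trust-domain-only ID, otherwise starts with '/'.
    pub path: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    TooLong,
    WrongScheme,
    EmptyTrustDomain,
    BadTrustDomainChar(char),
    TrailingSlash,
    EmptySegment,
    DotSegment,
    BadPathChar(char),
}

// Trust domain: lowercase letters, digits, '.', '-', '_' (no uppercase, no port, no userinfo).
fn valid_td_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

// Path segment: letters of either case, digits, '.', '-', '_'.
fn valid_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

pub fn parse_spiffe_id(s: &str) -> Result<SpiffeIdParts, ParseError> {
    // The standard caps a SPIFFE ID at 2048 bytes.
    if s.len() > 2048 {
        return Err(ParseError::TooLong);
    }
    // Scheme is matched case-sensitively, the strict reading used here.
    let rest = s.strip_prefix("spiffe://").ok_or(ParseError::WrongScheme)?;
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() {
        return Err(ParseError::EmptyTrustDomain);
    }
    if let Some(c) = td.chars().find(|c| !valid_td_char(*c)) {
        return Err(ParseError::BadTrustDomainChar(c));
    }
    if !path.is_empty() {
        if path.ends_with('/') {
            return Err(ParseError::TrailingSlash);
        }
        // Skip the leading '/', then every segment must be non-empty and well-formed.
        for seg in path[1..].split('/') {
            if seg.is_empty() {
                return Err(ParseError::EmptySegment);
            }
            if seg == "." || seg == ".." {
                return Err(ParseError::DotSegment);
            }
            if let Some(c) = seg.chars().find(|c| !valid_path_char(*c)) {
                return Err(ParseError::BadPathChar(c));
            }
        }
    }
    Ok(SpiffeIdParts { trust_domain: td.to_string(), path: path.to_string() })
}

/// Authorization check on a peer's SPIFFE ID (as taken from its SVID):
/// the peer must be in the expected trust domain AND on an explicit allowlist
/// of IDs. Unparseable IDs are rejected rather than treated as "unknown".
pub fn authorize_peer(peer_id: &str, expected_td: &str, allowlist: &HashSet<&str>) -> bool {
    match parse_spiffe_id(peer_id) {
        Ok(parts) => parts.trust_domain == expected_td && allowlist.contains(peer_id),
        Err(_) => false,
    }
}

fn main() {
    // Constructed sample IDs, as a client might present them in a URI SAN.
    let allow: HashSet<&str> = ["spiffe://example.org/service-a"].into_iter().collect();
    for id in ["spiffe://example.org/service-a", "spiffe://example.org/a/../service-a",
               "spiffe://other.org/service-a", "spiffe://Example.org/service-a"] {
        println!("{id}: parse={:?} authorized={}",
                 parse_spiffe_id(id), authorize_peer(id, "example.org", &allow));
    }
}
```

The allowlist comparison works on the raw string only after the ID has parsed cleanly, so an ID that merely contains "service-a" as part of a dot-segment or an empty segment can never match; the exact-string check is what keeps the policy from being fooled by path tricks the parser would otherwise have to normalise.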