A collection of Rust libraries for working with SPIFFE and SPIRE, covering identity representation, SPIRE-specific APIs, and TLS/mTLS integration.
These crates aim to provide standards-compliant, well-engineered building blocks for integrating SPIFFE and SPIRE into Rust applications.
The project focuses on:
- Correctness and clarity of APIs
- Alignment with SPIFFE specifications
- Conservative security-oriented design
- Explicit dependency and feature management
This repository does not claim formal security audits or guaranteed production fitness. Users should evaluate suitability based on their own requirements and threat models.
These crates emphasize sound engineering practices and security-conscious design:
- ✅ Zero unsafe code — enforced via `#![deny(unsafe_code)]`
- ✅ Comprehensive testing — unit and integration tests, including CI runs against SPIRE deployments
- ✅ Feature-gated dependencies — no default features; enable only what you need
- ✅ Standards aligned — follows the SPIFFE specifications
- ✅ Maintained — regular updates with a documented MSRV policy (Rust 1.85+)
Standards-aligned SPIFFE primitives and a client for the SPIFFE Workload API.
Use this crate if you need:
- X.509 and JWT SVID handling
- Trust bundle management
- Streaming identity updates
- Strongly typed SPIFFE identifiers and trust domains
See the spiffe README for usage and API documentation.
Rust bindings for SPIRE-specific gRPC APIs that are not part of the SPIFFE standards.
Use this crate if you need:
- The SPIRE Delegated Identity API
- Direct interaction with SPIRE agent or server extensions
See the spire-api README for details.
Integration between SPIFFE identities and rustls.
Use this crate if you need:
- Mutual TLS (mTLS) using SPIFFE identities
- Automatic handling of SVID and trust bundle rotation
- Connection-level authorization based on SPIFFE IDs
See the spiffe-rustls README for configuration and examples.
- SPIFFE identities or Workload API access → `spiffe`
- SPIRE gRPC APIs → `spire-api`
- mTLS with SPIFFE over rustls → `spiffe-rustls`
The project follows established Rust ecosystem practices:
- Safety: No `unsafe` code
- Testing: Unit and integration test coverage
- Documentation: Public API documentation with examples on docs.rs
- CI: Automated testing across feature combinations and MSRV
- Error handling: Explicit, strongly typed errors using `thiserror`
- Observability: Optional integration with `log` and `tracing`
Each crate is independently versioned and documented. Refer to the corresponding crate README for installation instructions, examples, and API documentation.
Contributions are welcome. Please see CONTRIBUTING.md for guidelines.
```bash
# Clone the repository
git clone https://github.com/maxlambrecht/rust-spiffe.git
cd rust-spiffe

# Run tests
make all

# Run integration tests (requires SPIRE setup)
make integration-tests
```

Please file bugs and feature requests via GitHub Issues.
For security-related issues, please follow the disclosure process described in SECURITY.md.
Licensed under the Apache License, Version 2.0. See LICENSE for details.