Defakto and Workload Identity
Introduction
Defakto provides each of your workloads with a SPIFFE Verifiable Identity Document (SVID) that represents the workload's identity. This identity remains consistent regardless of where your workload runs—whether you change runtime platforms, migrate between cloud providers, or scale across different infrastructure environments, your SPIFFE IDs can remain the same.
An SVID is a cryptographic document that uniquely identifies your workload and enables secure, authenticated communication with other services. Rather than relying on static credentials, provider-specific service accounts, or network-based security, this approach provides workloads with portable identities that are automatically rotated.
How Workload Identity Works
Before issuing an identity to any workload, the system must solve a fundamental security problem: how do we know who should receive an SVID? If identities are issued to the wrong party, they could impersonate legitimate workloads and compromise your system.
In workload environments, establishing this trust chains back to the underlying infrastructure platform itself. Every compute environment—whether it's an AWS EC2 instance, a Kubernetes pod, or a serverless function—can provide cryptographic evidence about what it is and where it's running. This evidence is called attestation.
Trust Domains
A trust domain is the root authority for a set of workload identities. Think of it like the country that issues a passport, or a state or province that issues a driver’s license. A trust domain can span an entire organization, a sub-unit like a department, or a purpose like “production” or “development”.
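Added example, not Defakto's or SPIFFE's own code: how a receiving workload checks that the SPIFFE ID carried in a peer's SVID is well-formed and was issued by the trust domain it expects, using only the Go standard library. The trust domain name prod.example.com and the sample IDs are constructed for illustration.

```go
package main

import "fmt"
import "strings"

// SPIFFEID is a parsed spiffe:// URI: the issuing trust domain and the workload
// path beneath it (empty when the ID names the trust domain itself).
type SPIFFEID struct {
	TrustDomain string
	Path        string
}

// validLabel enforces the SPIFFE ID character set: trust domain names are
// lowercase only, path segments may also contain upper case.
func validLabel(s string, allowUpper bool) bool {
	for _, c := range s {
		ok := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
		if !ok && !(allowUpper && c >= 'A' && c <= 'Z') {
			return false
		}
	}
	return s != ""
}

// ParseSPIFFEID validates an ID as a peer must before trusting it: exact scheme,
// well-formed trust domain, no empty, "." or ".." path segments, no trailing
// slash. Query, fragment, userinfo and port characters all fail validLabel.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	td, after, found := strings.Cut(strings.TrimPrefix(s, "spiffe://"), "/")
	if !strings.HasPrefix(s, "spiffe://") || len(td) > 255 || !validLabel(td, false) {
		return SPIFFEID{}, fmt.Errorf("bad scheme or trust domain in %q", s)
	}
	id := SPIFFEID{TrustDomain: td}
	if !found {
		return id, nil // spiffe://<trust domain> names the trust domain itself
	}
	for _, seg := range strings.Split(after, "/") {
		if seg == "." || seg == ".." || !validLabel(seg, true) {
			return SPIFFEID{}, fmt.Errorf("invalid path segment %q in %q", seg, s)
		}
	}
	id.Path = "/" + after
	return id, nil
}

// MemberOf reports whether id was issued by the expected trust domain. Comparing
// the parsed domain rather than a string prefix stops
// spiffe://prod.example.com.evil.test from matching "prod.example.com".
func MemberOf(id SPIFFEID, trustDomain string) bool { return id.TrustDomain == trustDomain }
```

In practice the ID is read from the SVID's URI SAN after the certificate chain has been verified against the trust domain's bundle; this check is the authorization step that follows.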
Defakto Architecture
There are three major components to Defakto:
Agent
The Agent runs alongside your workloads, and has several purposes. It gathers information about the workloads and their environment (attestation), and sends this to the Signer for use in creating SVIDs. It presents a local API to the workloads so that they can request SVIDs.
Signer
Signers belong to a trust domain and create SVIDs using information gathered by the Agent. These SVIDs are cryptographically signed using keys under the control of the Signer. Signers run within your network.
Defakto Control Plane
This is a highly-available cloud service that acts as the administrative interface and dashboard for the Defakto workload identity system. It distributes public key material and synchronizes configuration to the signers. The control plane is highly available, and existing signers and agents are resilient to a control plane outage or network partition.
The primary method of interacting with the control plane is the spirlctl command-line tool. Defakto also supports a Terraform provider that allows you to define your architecture in code.

The lifecycle of an SVID
The SVID is the foundational document that workloads use to authenticate with services and each other. Workloads (or helper code) request an SVID from the Agent, which in turn communicates with a remote Signer. The Agent gathers information about the workload and its platform, and sends that to the Signer, which generates the workload’s SPIFFE ID and SVIDs.
