JWT Workload Attestor
The JWT attestor identifies workloads by validating a JWT presented during SVID issuance against a configured list of trusted external issuers. Any workload that can acquire a JWT from a trusted OIDC provider — a CI/CD job, a managed service, a service mesh sidecar — can attest itself using this method. Claims from the validated JWT become attestation attributes, which can be used in SPIFFE ID path templates and issuance policies.
Configuration
Enable the JWT attestor in the WorkloadAttestation section:
```yaml
section: WorkloadAttestation
schema: v1
spec:
  jwt:
    enabled: true
    allowedIssuers:
      - issuer: https://idp.example.com
      - issuer: https://other-issuer.example.com
        jwksURI: https://other-issuer.example.com/oauth/discovery/keys
```
| Field | Default | Description |
|---|---|---|
| jwt.enabled | false | Enable or disable JWT attestation |
| jwt.allowedIssuers | [] | List of trusted JWT issuers |
| jwt.allowedIssuers[].issuer | — | Required. The expected value of the iss claim for JWTs from this issuer; also used as the base URL for OIDC discovery. |
| jwt.allowedIssuers[].jwksURI | — | Optional. JWKS endpoint used for signature verification. When set, OIDC discovery is skipped and the configured issuer value is only compared literally against the iss claim. |
When applied via Managed Configuration, changes propagate live without an agent restart.
How It Works
The workload presents a JWT to the agent via the identity-exchange-token gRPC metadata key. The agent checks the token's iss claim against allowedIssuers, then validates the signature using JWKS — either from the configured jwksURI or via OIDC discovery at <issuer>/.well-known/openid-configuration. On success, all claims from the token become attestation attributes.
For a diagram of the token exchange flow in a CI/CD context, see Issuing SVIDs to CI/CD Jobs.
Mixed Workloads
Configuring the JWT attestor does not require all workloads on the cluster to present a JWT; workloads may attest using any enabled attestor. The JWT attestor will only fail attestation when a JWT is presented with an issuer not in jwt.allowedIssuers[]. Non-JWT workloads are unaffected.
Attributes
The JWT attestor emits one attribute per claim in the validated JWT, using the jwt.claim. prefix:
| Attribute | Description |
|---|---|
| jwt.claim.<name> | The value of claim <name> from the validated JWT |
For example, a JWT with claims sub, iss, env, and team produces:
| Attribute | Example value |
|---|---|
| jwt.claim.sub | service-account@project.iam.gserviceaccount.com |
| jwt.claim.iss | https://idp.example.com |
| jwt.claim.env | production |
| jwt.claim.team | platform |
Use these attributes in SPIFFE ID path templates, X.509 SVID customization, and JWT SVID additional claims.
CI/CD Integration
CI/CD systems are a common source of OIDC tokens. Provider-specific setup guides: