Aevum — SPIFFE/SPIRE cryptographic agent identity complication.
Project description
aevum-spiffe
SPIFFE/SPIRE agent identity complication for Aevum.
Provides cryptographically attested agent identity via JWT-SVIDs from the
SPIFFE Workload API. When on_approved() is called, it emits a spiffe.attested
AuditEvent recording the SPIFFE ID and SVID metadata in the sigchain.
Requires SPIRE or a compatible SPIFFE Workload API (Vault SPIFFE secrets engine, KUDO, etc.) to be running at attestation time.
```bash
pip install aevum-spiffe[spiffe]
```

```python
from aevum.core import Engine
from aevum.spiffe import SpiffeComplication

engine = Engine()
comp = SpiffeComplication(
    socket_path="unix:///run/spire/sockets/agent.sock",  # optional
    audience=["aevum"],  # optional
)
engine.install_complication(comp)
engine.approve_complication("aevum-spiffe")
comp.on_approved(engine)  # emits spiffe.attested into the sigchain
```
The chain now contains a signed spiffe.attested event:
```json
{
  "event_type": "spiffe.attested",
  "actor": "aevum-spiffe",
  "payload": {
    "spiffe_id": "spiffe://example.org/billing-agent",
    "trust_domain": "example.org",
    "audience": ["aevum"],
    "svid_type": "jwt",
    "source": "workload-api",
    "socket": "unix:///run/spire/sockets/agent.sock",
    "expiry": "2026-05-06T15:00:00+00:00"
  }
}
```
Lifecycle note
The Aevum Engine does not call lifecycle hooks automatically at approval time.
After engine.approve_complication("aevum-spiffe"), callers must invoke
comp.on_approved(engine) explicitly to trigger attestation. This is the
correct pattern for all complications that need to act at approval time.
Downstream use
Other complications can read the attested SPIFFE ID:
```python
spiffe_comp = engine.get_active_complication_by_capability("spiffe-identity")
spiffe_id = spiffe_comp.get_actor_spiffe_id() if spiffe_comp else None
payload = {"actor_spiffe_id": spiffe_id, ...}
```
Without SPIRE
If the SPIFFE socket is unavailable or py-spiffe is not installed,
on_approved() logs a warning and continues without attestation.
Engine startup is never blocked.
Trust boundary
The SPIFFE ID in the spiffe.attested event is cryptographically attested
by SPIRE's attestation plugins. It is NOT caller-asserted (unlike the actor
field). An auditor can verify the attestation by checking the SVID's parent
trust chain against the SPIFFE trust bundle.
The JWT token itself is NOT stored in the AuditEvent — it expires (typically 1 hour) and is large. Only the SPIFFE ID string and metadata are recorded.
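As an added example (not code from the aevum-spiffe package or from py-spiffe), the checks that turn a JWT-SVID into the spiffe.attested payload shown above: the SPIFFE ID in `sub` is parsed per the SPIFFE ID rules, the signing key named by `kid` must exist in the trust bundle of that trust domain, the algorithm must be one the JWT-SVID standard permits, the audience and expiry are enforced, and the token string itself is kept out of the recorded payload. The trust bundle and the token are constructed inline, and all function names are this example's own; the function returns the bundle key the token must be verified against, and the signature check over that key is done by whatever JOSE library the caller uses.

```python
import base64
import json
import re
import time
from datetime import datetime, timezone

# Algorithms the SPIFFE JWT-SVID standard permits. "none" and HS* are absent, so
# an unsigned or symmetrically signed token can never be treated as an SVID.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                "PS256", "PS384", "PS512"}
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed trust bundle keyed by trust domain (SPIFFE bundle format, JWKS
# keys with use "jwt-svid"); the key material is a placeholder for this sample.
SAMPLE_BUNDLES = {
    "example.org": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "k1",
                              "use": "jwt-svid", "x": "<constructed>", "y": "<constructed>"}]}
}


def parse_spiffe_id(spiffe_id):
    """Validate a SPIFFE ID and return (trust_domain, path)."""
    if not spiffe_id.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    trust_domain, slash, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError("invalid trust domain")
    # A trailing slash yields an empty segment and is rejected, as the spec requires.
    for seg in (path.split("/") if slash else []):
        if seg in ("", ".", "..") or not _PATH_SEGMENT_RE.match(seg):
            raise ValueError("invalid path segment")
    return trust_domain, ("/" + path) if slash else ""


def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def _b64url(obj):
    raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(exp_ts):
    """Build a sample JWT-SVID; the third segment is a placeholder, not a real signature."""
    header = _b64url({"alg": "ES256", "kid": "k1", "typ": "JWT"})
    claims = _b64url({"sub": "spiffe://example.org/billing-agent",
                      "aud": ["aevum"], "exp": exp_ts})
    return f"{header}.{claims}.{_b64url(b'constructed-signature')}"


def jwt_svid_to_attested_payload(token, bundles, expected_audience, socket_path, now_ts=None):
    """Check header, claims and bundle membership, then build the spiffe.attested
    payload. Returns (payload, jwk): verify the token's signature with jwk before
    trusting the payload. The token never enters the payload."""
    now_ts = time.time() if now_ts is None else now_ts
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"disallowed alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("kid header is required for a JWT-SVID")
    spiffe_id = claims.get("sub", "")
    trust_domain, _ = parse_spiffe_id(spiffe_id)
    # The verification key must come from the bundle of the trust domain in `sub`.
    jwk = next((k for k in bundles.get(trust_domain, {}).get("keys", [])
                if k.get("kid") == kid), None)
    if jwk is None:
        raise ValueError(f"kid {kid!r} not in trust bundle for {trust_domain}")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in aud:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("exp claim is required")
    if exp <= now_ts:
        raise ValueError("JWT-SVID has expired")
    payload = {
        "spiffe_id": spiffe_id, "trust_domain": trust_domain, "audience": aud,
        "svid_type": "jwt", "source": "workload-api", "socket": socket_path,
        "expiry": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
    }
    if token in json.dumps(payload):
        raise RuntimeError("refusing to record the SVID itself in the sigchain")
    return payload, jwk


if __name__ == "__main__":
    sample = make_constructed_token(1778079600)  # 2026-05-06T15:00:00+00:00
    print(jwt_svid_to_attested_payload(sample, SAMPLE_BUNDLES, "aevum",
                                       "unix:///run/spire/sockets/agent.sock",
                                       now_ts=1778076000)[0])
```

The trust-domain bundle lookup is what makes the recorded SPIFFE ID meaningful: a token whose `kid` is not in the bundle of the trust domain named in its own `sub` is rejected before any signature math runs, which blocks a key from one trust domain vouching for an identity in another.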
Download files
File details
Details for the file aevum_spiffe-0.4.0.tar.gz.
File metadata
- Download URL: aevum_spiffe-0.4.0.tar.gz
- Upload date:
- Size: 6.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 7c08ea4210aeeecc42d9cc4f3d26368de20e8a3fb75e87f9a0ad53ae9f0064cc |
| MD5 | c6e40f4d86f1c5df29b8dc2c22770266 |
| BLAKE2b-256 | f9f6a6587a84448b68ba0520fe0fe08d4fe27da68fd288ff020656a33e698a2c |
File details
Details for the file aevum_spiffe-0.4.0-py3-none-any.whl.
File metadata
- Download URL: aevum_spiffe-0.4.0-py3-none-any.whl
- Upload date:
- Size: 5.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | b6b2e4f1dbcc936114d095671312d3508430ff51275adca67746097932118577 |
| MD5 | 21e2828d9bb3422e675831bf6c760510 |
| BLAKE2b-256 | 406ec879c2eed9686dc69d0898fc18bb5aa3d58bade320ecbf3a5114b3d00e1f |