Skip to main content

Aevum — SPIFFE/SPIRE cryptographic agent identity complication.

Project description

aevum-spiffe

SPIFFE/SPIRE agent identity complication for Aevum.

Provides cryptographically-attested agent identity via JWT-SVIDs from the SPIFFE Workload API. When on_approved() is called, emits a spiffe.attested AuditEvent recording the SPIFFE ID and SVID metadata in the sigchain.

Requires SPIRE or a compatible SPIFFE Workload API (Vault SPIFFE secrets engine, KUDO, etc.) to be running at attestation time.

pip install aevum-spiffe[spiffe]
from aevum.core import Engine
from aevum.spiffe import SpiffeComplication

engine = Engine()
comp = SpiffeComplication(
    socket_path="unix:///run/spire/sockets/agent.sock",  # optional
    audience=["aevum"],                                   # optional
)
engine.install_complication(comp)
engine.approve_complication("aevum-spiffe")
comp.on_approved(engine)   # emits spiffe.attested into the sigchain

The chain now contains a signed spiffe.attested event:

{
  "event_type": "spiffe.attested",
  "actor": "aevum-spiffe",
  "payload": {
    "spiffe_id": "spiffe://example.org/billing-agent",
    "trust_domain": "example.org",
    "audience": ["aevum"],
    "svid_type": "jwt",
    "source": "workload-api",
    "socket": "unix:///run/spire/sockets/agent.sock",
    "expiry": "2026-05-06T15:00:00+00:00"
  }
}

Lifecycle note

The Aevum Engine does not call lifecycle hooks automatically at approval time. After engine.approve_complication("aevum-spiffe"), callers must invoke comp.on_approved(engine) explicitly to trigger attestation. This is the correct pattern for all complications that need to act at approval time.

Downstream use

Other complications can read the attested SPIFFE ID:

spiffe_comp = engine.get_active_complication_by_capability("spiffe-identity")
spiffe_id = spiffe_comp.get_actor_spiffe_id() if spiffe_comp else None
payload = {"actor_spiffe_id": spiffe_id, ...}

Without SPIRE

If the SPIFFE socket is unavailable or py-spiffe is not installed, on_approved() logs a warning and continues without attestation. Engine startup is never blocked.

Trust boundary

The SPIFFE ID in the spiffe.attested event is cryptographically attested by SPIRE's attestation plugins. It is NOT caller-asserted (unlike the actor field). An auditor can verify the attestation by checking the SVID's parent trust chain against the SPIFFE trust bundle.

The JWT token itself is NOT stored in the AuditEvent — it expires (typically 1 hour) and is large. Only the SPIFFE ID string and metadata are recorded.

See also

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aevum_spiffe-0.6.0.tar.gz (6.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aevum_spiffe-0.6.0-py3-none-any.whl (5.7 kB view details)

Uploaded Python 3

File details

Details for the file aevum_spiffe-0.6.0.tar.gz.

File metadata

  • Download URL: aevum_spiffe-0.6.0.tar.gz
  • Upload date:
  • Size: 6.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for aevum_spiffe-0.6.0.tar.gz
Algorithm Hash digest
SHA256 84bac5056d5ff5e973fe0e9d393cde8bfa8109a0c7584be356e32f0d02dbeb74
MD5 d2a0ea6bfea9f16e9bb16fdd6de276cf
BLAKE2b-256 2d9b6fea7f267364e0b66f7849aa9e9506bc1ea3b226d9d73d6b98b0f5acdc4e

See more details on using hashes here.

Provenance

The following attestation bundles were made for aevum_spiffe-0.6.0.tar.gz:

Publisher: release.yml on aevum-labs/aevum

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file aevum_spiffe-0.6.0-py3-none-any.whl.

File metadata

  • Download URL: aevum_spiffe-0.6.0-py3-none-any.whl
  • Upload date:
  • Size: 5.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for aevum_spiffe-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 163f28d60933f1b9c55a89f113c0ee2c42655da301edf66e568e9166a95e91e2
MD5 b41ab5828c316ed528f8298c80842d0d
BLAKE2b-256 b4e58c7bbf4fe4bc74494d27fb817d77b8871a150e027b05c0fee2ec3d19b1cd

See more details on using hashes here.

Provenance

The following attestation bundles were made for aevum_spiffe-0.6.0-py3-none-any.whl:

Publisher: release.yml on aevum-labs/aevum

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page