Documentation
Solutions Guide

Machine Identity

Configure workload identity with SPIFFE/SPIRE. Eliminate hardcoded secrets with automatic credential management for services and CI/CD.

Estimated time: 25 minutes

Use Cases

CI/CD Pipelines

GitHub Actions, GitLab CI, and Jenkins jobs receive short-lived credentials

Kubernetes Pods

Pods receive SPIFFE identities based on their Kubernetes service account

Microservices

mTLS between services with automatic certificate rotation

Cloud Functions

Lambda and Cloud Functions receive workload identities

Setup Steps

1. Deploy SPIRE Server

Start the SPIRE server as part of the TigerAccess auth service.

tigeraccess start --roles=auth \
  --spire-enabled=true \
  --trust-domain=company.com

2. Install SPIRE Agent

Deploy the SPIRE agent on each workload host.

# On each host
tigeraccess start --roles=agent \
  --spire-socket=/run/spire/sockets/agent.sock \
  --auth-server=auth.company.com:3025

3. Register Workloads

Define which workloads may receive an identity by matching selectors to a SPIFFE ID.

tacctl spiffe register \
  --spiffe-id=spiffe://company.com/web-service \
  --selector=k8s:ns:production \
  --selector=k8s:sa:web-service \
  --ttl=1h

4. Configure CI/CD Integration

Enable OIDC federation for GitHub Actions, GitLab CI, and similar CI systems.

tacctl create -f - <<EOF
kind: github_connector
metadata:
  name: github-actions
spec:
  client_id: ${GITHUB_APP_ID}
  client_secret: ${GITHUB_APP_SECRET}
  allowed_organizations:
    - company
  role_mappings:
    - organization: company
      roles: [deploy-agent]
EOF

5. Use Machine Identity

Workloads automatically receive and renew certificates.

// In your application
import (
    "context"
    "log"

    "github.com/spiffe/go-spiffe/v2/workloadapi"
)

ctx := context.Background()
client, err := workloadapi.New(ctx) // dials the Workload API via SPIFFE_ENDPOINT_SOCKET
if err != nil {
    log.Fatal(err)
}
defer client.Close()
svid, err := client.FetchX509SVID(ctx) // returns the workload's current X.509 SVID
if err != nil {
    log.Fatal(err)
}
// Use svid.Certificates and svid.PrivateKey for mTLS
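Fetching an SVID is only half of mTLS; the service on the other end still has to decide whether the presented identity is allowed to call it. The following is an added example, not code from this page or the TigerAccess project, showing that decision on the peer's leaf certificate: the SPIFFE ID is read from the certificate's URI SAN, checked against the trust domain, and then matched against an explicit allow-list of workload paths. It uses only the Go standard library so it runs without a Workload API socket; the certificates it checks are self-signed and constructed inline for illustration, and the names PeerSPIFFEID, Authorize and CheckPeer are this example's own.

```go
// Added example, not code from this page or the TigerAccess project: how a
// service authorizes a peer after the mTLS handshake by checking the SPIFFE
// ID in the peer certificate's URI SAN. Certificates are constructed inline.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// PeerSPIFFEID extracts the SPIFFE ID from a leaf certificate. An X.509-SVID
// carries exactly one URI SAN, and it must be a spiffe:// URI; anything else is rejected.
func PeerSPIFFEID(cert *x509.Certificate) (*url.URL, error) {
	if len(cert.URIs) != 1 {
		return nil, fmt.Errorf("expected exactly one URI SAN, got %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.User != nil ||
		id.RawQuery != "" || id.Fragment != "" {
		return nil, errors.New("URI SAN is not a valid SPIFFE ID")
	}
	return id, nil
}

// Authorize accepts a peer only if it is in our trust domain and its path is on an
// explicit allow-list; trust-domain membership alone would admit every workload.
func Authorize(id *url.URL, trustDomain string, allowedPaths []string) error {
	if id.Host != trustDomain {
		return fmt.Errorf("peer %s is outside trust domain %s", id, trustDomain)
	}
	for _, p := range allowedPaths {
		if id.Path == p {
			return nil
		}
	}
	return fmt.Errorf("peer %s is not an allowed caller", id)
}

// CheckPeer is the decision a server runs on the chain-verified leaf certificate
// (tls.ConnectionState.PeerCertificates[0]) once the handshake has completed.
func CheckPeer(cert *x509.Certificate, trustDomain string, allowedPaths []string) error {
	id, err := PeerSPIFFEID(cert)
	if err != nil {
		return err
	}
	return Authorize(id, trustDomain, allowedPaths)
}

// selfSignedSVID builds a throwaway certificate with the given URI SANs so the example
// runs offline. A real SVID is issued by SPIRE and its chain is verified by the TLS layer.
func selfSignedSVID(uris []*url.URL) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short TTL, matching the 1h registration above
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustURL(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	allowed := []string{"/web-service"}
	good := selfSignedSVID([]*url.URL{mustURL("spiffe://company.com/web-service")})
	foreign := selfSignedSVID([]*url.URL{mustURL("spiffe://partner.example/web-service")})
	fmt.Println("allowed caller:", CheckPeer(good, "company.com", allowed))
	fmt.Println("other domain:  ", CheckPeer(foreign, "company.com", allowed))
	fmt.Println("no URI SAN:    ", CheckPeer(selfSignedSVID(nil), "company.com", allowed))
}
```

In a real service the chain check against the trust domain's CA bundle belongs to the TLS layer, and go-spiffe's tlsconfig package wraps both halves (bundle verification plus an authorizer such as tlsconfig.AuthorizeID or tlsconfig.AuthorizeMemberOf); the example spells the authorization step out so that the rules an authorizer enforces are visible.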

GitHub Actions Integration

Example Workflow

# .github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Get TigerAccess credentials
        uses: tigeraccess/auth-action@v1
        with:
          proxy: access.company.com:443
          role: deploy-agent

      - name: Deploy to Kubernetes
        run: |
          # Credentials are automatically available
          kubectl apply -f k8s/

      - name: Access database
        run: |
          # Short-lived database credentials
          tac db connect prod-db --query="SELECT 1"

Kubernetes Integration

Pod with SPIFFE Identity

# Kubernetes pod with SPIFFE identity
apiVersion: v1
kind: Pod
metadata:
  name: web-service
  namespace: production
spec:
  serviceAccountName: web-service
  containers:
    - name: app
      image: company/web-service:latest
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /run/spire/sockets
          readOnly: true
      env:
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///run/spire/sockets/agent.sock
  volumes:
    - name: spiffe-workload-api
      csi:
        driver: csi.spiffe.io
        readOnly: true

Machine Identity Enabled

With machine identity configured, your workloads benefit from:

  • Zero hardcoded secrets in code or config
  • Automatic credential rotation (1-24 hour TTL)
  • mTLS between all services
  • Complete audit trail for machine access