Documentation
Start typing to search…

SPIRE Upstream Authority SM

Suggest Edit

Prerequisites

  • Akeyless Gateway v3.40.0 or later
  • An Authentication Method attached to a role with Read permission for Items
  • Certificate Item stored in Akeyless Platform containing the certificate and private_key in pem format.

Authentication

The following Authentication Methods are supported:

ℹ️

Note:

In this guide, we will use an API Key Authentication Method for simplicity

ℹ️

Note:

The API Key Authentication Method is not recommended for production use. It works well for getting started with Akeyless, quick proofs of concept (POCs), and other temporary scenarios.

Create a new API Key Authentication Method using the CLI:

akeyless create-auth-method --name /Dev/Spire-Auth

Create an Access Role:

akeyless create-role --name /Dev/Spire-Role

Associate your API Key Authentication Method to the Access Role that was created:

akeyless assoc-role-am --role-name /Dev/Spire-Role \
--am-name /Dev/Spire-Auth

Set Read permission for Secret & Keys for the Access Role:

akeyless set-role-rule --role-name /Dev/Spire-Role \
--path /SPIRE/SVID/'*' \
--capability read

Configuration

Run the following command to download and unpack pre-built spire-server and spire-agent executable and example configuration files in a spire-1.7.0 directory:

curl -s -N -L https://github.com/spiffe/spire/releases/download/v1.7.0/spire-1.7.0-linux-amd64-glibc.tar.gz | tar xz

Next, run the following command to create the certificate item in Akeyless:

akeyless create-certificate \
--name </SPIRE/SVID/certificate_name> \
--certificate <Path/To/certificate.pem> \
--private-key <Path/To/private_Key.pem>

Use the following command to download the AkeylessUpstreamAuthority SM plugin:

curl -o AkeylessUpstreamAuthority-sm https://download.akeyless.io/Akeyless_Artifacts/Linux/spire/plugin/server/spire-upstream-sm-amd64-linux-v0.0.1

Change the file permissions so it will be executable:

chmod +x AkeylessUpstreamAuthority-sm

Validate the SHA256 CHECKSUM:

sha256sum AkeylessUpstreamAuthority-sm

The sha256sum command generates a unique, fixed-size hash value (256 bits) for the binary file, ensuring that data remains unchanged.

Server Configuration

Edit the UpstreamAuthority Plugin as follows in spire-1.7.0/conf/server/server.conf file.

UpstreamAuthority  "akeyless_sm" {
     plugin_cmd = "/path/to/plugin_cmd"
     plugin_checksum = "sha256 of the plugin binary"
     plugin_data {
       access_id = "<Your_Access_ID>"
       access_key = "<Your_Access_KEY>"
       akeyless_gateway_url = 'https://<Your-Akeyless-GW-URL>:8000/api/v2>' # or use port 8081
       certificate_name = "</SPIRE/SVID/certificate_name>"
     }
}

Where:

  • plugin_cmd - The location of the binary file that was created.

  • plugin_checksum - sha256 of the binary.

  • access_id - The Auth Method Access-ID

  • access_key - Optional, The AccessKey. Relevant only for API Key.

  • akeyless_gateway_url - Akeyless Gateway URL API v2 endpoint.

  • certificate_name - The certificate item that was created earlier in Akeyless. In our example /SPIRE/SVID/certificate_name

For K8s, GCP or AzureAD Auth methods set the following settings as well:

  • k8s_auth_config_name - Kubernetes Auth Config name as created under your Gateway

  • gcp_audience - The audience to verify the JWT received by the client. By default, akeyless.io

  • azure_object_id - Optional for Azure, objectID

SPIRE Server Initialization

To initialize the server, run the following command:

bin/spire-server run -config conf/server/server.conf &

Once the server is running, the Agent needs to be configured as well. Add the following line to the conf/agent/agent.conf file in the agent section to set the path to the SPIRE server CA bundle:

trust_bundle_path = "/Path/To/certificate/file"
ℹ️

Info (trust bundle):

The "/Path/To/certificate.pem" is a path on your machine where a certificate.pem file will be exist and the value of the file will be the value of the certificate that was created earlier in Akeyless.

Run the following command to generate a token that will be used to attest the agent to the server

bin/spire-server token generate -spiffeID spiffe://example.org/myagent

SPIRE Agent Initialization

Use the generated token to attest the agent to the server

bin/spire-agent run -config conf/agent/agent.conf -joinToken <token_string> &
ℹ️

Info (SPIFFE/SPIRE):

For the full configuration steps, visit the official Quickstart for Linux and macOS X guide

Updated about 18 hours ago

Footer Section