Authorize service-to-service calls with SPIFFE and Cerbos
Use SPIFFE IDs as Cerbos principals to make fine-grained authorization decisions for service-to-service communication in zero-trust environments.
Workload identity
Use cryptographic SPIFFE IDs as principals in Cerbos policies for service-to-service authorization
Zero-trust policies
Authorize every service call based on the caller's verified identity, trust domain, and service path
Combine with user context
Layer workload identity with end-user identity for policies that consider both who is calling and on whose behalf
How Cerbos works with SPIFFE
SPIFFE handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with SPIFFE
- SPIRE issues workload identities, Each service in your infrastructure receives a SPIFFE Verifiable Identity Document (SVID) from the SPIRE agent, establishing cryptographic workload identity.
- mTLS authenticates the caller, Services communicate over mTLS using their SVIDs. The receiving service or service mesh verifies the caller's certificate and extracts the SPIFFE ID.
- Pass the SPIFFE ID to Cerbos, Your application sends the verified SPIFFE ID as the principal identifier in a Cerbos authorization check, along with the target resource and action.
- Cerbos evaluates workload policies, Policies match on the SPIFFE ID, trust domain, or service path to determine whether the calling service is authorized to perform the requested action.
FAQ
How does Cerbos use SPIFFE IDs?
The calling service's SPIFFE ID is passed as the principal identifier in Cerbos authorization checks. Policies can match on the full SPIFFE ID or extract the trust domain and service path to make fine-grained decisions about which services can access which resources.
Does Cerbos verify SPIFFE certificates?
Cerbos does not perform SPIFFE certificate verification directly. mTLS termination and SVID verification happen at the transport layer, typically via SPIRE or an Envoy sidecar. Cerbos receives the verified SPIFFE ID from your application or service mesh and uses it for policy evaluation.
Can I combine SPIFFE workload identity with user identity?
Yes. A common pattern is to pass both the SPIFFE ID of the calling service and the end-user identity as principal attributes. Policies can then authorize based on which service is making the call and on whose behalf.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + SPIFFE
- Cerbos extends SPIFFE roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.