← Week 2: SPIRE Internals and Attestation

Day 11: SPIRE Server Internals — CA, Datastore, Registration Entries

Phase 4 · August 15, 2026

← Week 2: SPIRE Internals and Attestation

Agenda (2–3 hours)

  • Read (60 min): SPIRE server reference (CA config, UpstreamAuthority plugins, datastore options)
  • Study (45 min): SPIRE CA hierarchy and how it connects to your Phase 2 PKI knowledge
  • Challenge (45 min): Design SPIRE's CA integration with ACM PCA
← Week 2: SPIRE Internals and Attestation

SPIRE's CA Options

SPIRE manages a CA hierarchy to sign SVIDs. Three modes:

1. Self-signed (development / small deployments)

ca_subject {
  country      = ["US"]
  organization = ["Amazon Leo"]
  common_name  = ""
}
ca_ttl = "168h"          // intermediate CA cert lifetime
default_svid_ttl = "1h"  // leaf SVID lifetime

SPIRE generates and manages the root CA internally. Simple; CA key is in server memory.

2. UpstreamAuthority plugin (production)
SPIRE's CA is an intermediate CA subordinate to an external root.
SPIRE generates a CSR and the upstream authority signs it.

3. External CA integration (advanced)
SPIRE delegates all signing to an external system (Vault, ACM PCA).

← Week 2: SPIRE Internals and Attestation

UpstreamAuthority Plugins

The UpstreamAuthority plugin type determines who signs SPIRE's intermediate CA cert.

Plugin Description Good for
disk Reads root CA key from disk file Local dev, testing
aws_pca Uses ACM Private CA as root AWS production
vault Uses HashiCorp Vault PKI Multi-cloud
certmanager Uses k8s cert-manager k8s-native
spire Nested SPIRE (SPIRE signing SPIRE) Multi-region federation

For Amazon Leo: aws_pca is the natural choice.
SPIRE generates the intermediate CA key locally; ACM PCA signs the intermediate cert.
ACM PCA holds the root key (in CloudHSM once supported).

← Week 2: SPIRE Internals and Attestation

SPIRE + ACM PCA: The CA Chain

ACM PCA Root CA (in CloudHSM eventually)
└── ACM PCA Intermediate CA
    └── SPIRE Intermediate CA  ← ACM PCA signs this CSR
        └── Workload SVIDs     ← SPIRE signs these

Config:

UpstreamAuthority "aws_pca" {
  plugin_data {
    region                = "us-east-1"
    certificate_authority_arn = "arn:aws:acm-pca:..."
    signing_algorithm     = "SHA384WITHRSA"
    ca_signing_template_arn = "arn:aws:acm-pca:...:template/..."
  }
}

The SPIRE server's intermediate CA cert is rotated automatically (default: 168h).
Each rotation issues a new CSR to ACM PCA.

← Week 2: SPIRE Internals and Attestation

Datastore Options

SPIRE server needs persistent storage for:

  • Registration entries (workload → SPIFFE ID mappings)
  • Attested nodes (which agents have been attested)
  • CA state (current CA cert and key material)
Backend Plugin Good for
SQLite sql Single server, dev, small prod
PostgreSQL sql (same plugin, different config) HA, multi-server
MySQL sql Same

For HA: multiple SPIRE servers can share a PostgreSQL backend.
The SPIRE server is typically not itself a critical-path bottleneck (SVIDs
are cached by agents), but its availability affects new SVID issuance.

← Week 2: SPIRE Internals and Attestation

SPIRE Server API

The SPIRE server exposes two gRPC APIs:

Node API (port 8081 — agent-facing):

  • AttestAgent — node attestation
  • RenewAgent — renew agent SVID
  • FetchJWTBundles — trust bundle fetch

Management API (Unix socket or port — admin-facing):

# Create a registration entry via CLI
spire-server entry create \
  -parentID spiffe://leo.amazon.com/spire/agent/aws_iid/us-east-1/i-0abc123 \
  -spiffeID spiffe://leo.amazon.com/ns/prod/svc/provisioning \
  -selector unix:uid:1001 \
  -selector unix:path:/opt/leo/provisioning-service/bin/server \
  -ttl 3600

In production you'd automate this with Terraform or the SPIRE server API directly.

← Week 2: SPIRE Internals and Attestation

SPIRE Server High Availability

For production deployments:

  1. Multiple SPIRE server instances — share a PostgreSQL datastore
  2. SPIRE server bundle CA — all servers share the same CA material (synchronized via datastore)
  3. Load balancing — agents connect via a load balancer; any server can handle attestation
  4. SPIRE agents cache SVIDs — server downtime doesn't break running workloads

The HA story is important for your team: if SPIRE is the identity backbone,
server availability is a dependency. Ops burden is higher than ACM PCA (managed service).

← Week 2: SPIRE Internals and Attestation

Challenge Assignment

Design a SPIRE server architecture for the provisioning service:

  1. How many SPIRE server instances would you run? Single vs. multi?
  2. Which UpstreamAuthority plugin would you use? Why?
  3. What datastore backend would you choose for production?
  4. What is your plan if the SPIRE server is down for 2 hours?
    (Remember: SVIDs expire in 1 hour — what happens to running workloads?)
  5. Write one paragraph: "If my team adopted SPIRE, the biggest operational
    concern would be _____ because _____, and we'd mitigate it by _____."

Save in spiffe-analysis.md under "SPIRE Deployment Architecture."

← Week 2: SPIRE Internals and Attestation

Resources

  • SPIRE server config: spiffe.io/docs/latest/deploying/spire_server
  • UpstreamAuthority aws_pca: github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_aws_pca.md
  • SPIRE HA: spiffe.io/docs/latest/architecture/scale-and-ha
  • SPIRE datastore config: github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md