← Week 3: Integration and Application

Day 15: SPIRE on AWS — EC2, ECS, Lambda, and the OIDC Bridge

Phase 4 · August 19, 2026

← Week 3: Integration and Application

Agenda (2–3 hours)

  • Read (60 min): AWS blog on SPIRE on EKS; SPIRE AWS IID attestor README; Lambda OIDC federation docs
  • Study (60 min): Map each AWS compute type to its SPIRE strategy
  • Challenge (30 min): Lambda identity architecture decision
← Week 3: Integration and Application

AWS Compute × SPIRE Support Matrix

Compute Agent runs? Attestation SVID delivery Notes
EC2 Yes (daemon) AWS IID Workload API socket Native SPIRE
ECS (EC2 launch) Yes (sidecar) AWS IID Workload API socket One agent per task
ECS (Fargate) Yes (sidecar) AWS IID (partial) Workload API socket Fargate limits IID
EKS Yes (DaemonSet) k8s PSAT Workload API socket Best supported
Lambda No OIDC token exchange Manual fetch Needs bridge
Lambda@Edge No Effectively unsupported

Lambda is the gap. Your provisioning service likely runs on Lambda (or Fargate).

← Week 3: Integration and Application

The Lambda Identity Gap

Lambda invocations are ephemeral and stateless:

  • No persistent agent → no one to attest the workload
  • No Unix socket → no Workload API to connect to
  • Each invocation may run on a different execution environment

What Lambda does have:

  • An IAM execution role (attested by AWS STS automatically)
  • An OIDC token available in the execution environment (AWS_WEB_IDENTITY_TOKEN_FILE)
  • AWS signed credentials in the execution environment

The bridge: OIDC federation — exchange the Lambda's OIDC token for a SPIFFE SVID.

← Week 3: Integration and Application

OIDC Federation Bridge (the Lambda SPIFFE pattern)

Lambda invocation
  │
  ├── Has: AWS_WEB_IDENTITY_TOKEN_FILE (OIDC JWT signed by AWS STS)
  │   JWT claims: sub = arn:aws:sts::123456789012:assumed-role/provisioning/session
  │
  └── Step 1: POST OIDC JWT to a SPIFFE-aware token exchange endpoint
              (your own service, or Vault, or SPIRE OIDC federation plugin)
      Step 2: Endpoint validates JWT against AWS OIDC discovery
              (https://oidc.eks.us-east-1.amazonaws.com/id/<cluster>/.well-known/openid-configuration)
      Step 3: Endpoint issues a short-lived JWT-SVID or X.509-SVID
      Step 4: Lambda uses the SVID for downstream mTLS or Bearer auth

This is not native SPIRE — it's a custom bridge. AWS OIDC → SPIFFE SVID exchange
is an architectural pattern, not a built-in SPIRE feature (as of 2026).

← Week 3: Integration and Application

Alternative: IAM for AWS, SPIFFE for Non-AWS

A more pragmatic architecture for your service:

Lambda → calls AWS services (ACM PCA, DynamoDB) → use IAM role  ← simple, native
Lambda → calls internal peer services inside VPC → use IAM SigV4 or mTLS with long-lived cert
Lambda → calls external non-AWS services          → OIDC federation → SVID

You don't need SPIFFE for everything. IAM is already a workload identity system —
it's just AWS-specific. SPIFFE adds value when:

  1. You have non-AWS peers that need portable identity
  2. You want a unified identity model across AWS and non-AWS compute
  3. You're building something that will survive a future cloud migration

For Amazon Leo specifically: all infrastructure is AWS-native.
IAM + VPC + mTLS with ACM-issued certs may be sufficient.

← Week 3: Integration and Application

EKS: The Best-Supported AWS Case

If your team runs on EKS, SPIRE is well-supported:

SPIRE server (Deployment, 2 replicas, shared RDS PostgreSQL)
SPIRE agent (DaemonSet — one pod per node)
  → node attestation: k8s PSAT (each agent pod attests itself)
  → workload attestation: k8s (namespace + service account + labels)

Your pod → connects to agent socket via projected volume
         → receives X.509-SVID for mTLS to other pods
         → or JWT-SVID for HTTP calls

Cert manager for SPIRE's own TLS; ACM PCA as upstream CA via SPIRE plugin.
This is a well-trodden deployment path.

← Week 3: Integration and Application

Challenge Assignment

Make an architecture decision for your provisioning service:

Given: your service runs as a Lambda function (or potentially ECS Fargate).

Write a 1-page decision memo in spiffe-analysis.md:

  1. Should you adopt SPIRE for your provisioning service? (Yes / No / Partial)
  2. If yes, what compute path?
    • Lambda: OIDC bridge → JWT-SVID? Or: IAM for Lambda, SPIFFE only for long-running peers?
    • ECS Fargate: SPIRE sidecar with IID attestation?
    • EKS migration: DaemonSet SPIRE if moving to k8s?
  3. What is the concrete first step? (one sentence, actionable)
  4. What is the main blocker? (one sentence)

Format: decision + rationale + next step. This is a real architectural decision
you might face when you return to work.

← Week 3: Integration and Application

Resources

  • SPIRE on AWS: spiffe.io/docs/latest/deploying/spire_on_aws
  • SPIRE EKS quickstart: github.com/spiffe/spire-examples/tree/main/examples/k8s
  • AWS OIDC federation for Lambda: docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
  • AWS blog: "Workload identity federation with SPIFFE on AWS"