SPIFFE identity parsing added to Cerbos PDP

Cerbos PDP now supports native parsing and evaluation of SPIFFE identities in authorization policies. This unlocks precise access control for non-human identities (NHIs) like services, workloads, and containers that rely on SPIFFE-based workload identity.

This feature introduces a set of Cerbos-specific extensions to the Common Expression Language (CEL), enabling policies that evaluate SPIFFE trust domains, path components, and full identity matches.

SPIFFE has become a foundational standard for establishing workload identity in distributed systems, particularly in service mesh environments such as Istio, Linkerd, and ambient mesh architectures. As organizations adopt zero-trust principles and shift towards identity-first security models, it's critical to ensure that authorization systems can evaluate workload identities in a secure and scalable way.

Cerbos policies can now introspect SPIFFE IDs natively, without requiring external transformations or helper services.

How it works

When a principal presents a SPIFFE ID like:

  "principal": {
  "id": "spiffe://cerbos.dev/ns/privileged/sa/curl",
  "roles": ["api"]
}

Cerbos policies can directly inspect its trust domain, path, and identity match using new CEL extensions.

Examples

1. Check if the principal belongs to a given trust domain

spiffeID(P.id).isMemberOf(spiffeTrustDomain("spiffe://cerbos.dev"))

2. Match the full SPIFFE identity

spiffeMatchExact(spiffeID("spiffe://cerbos.dev/ns/privileged/sa/curl")).matchesID(spiffeID(P.id))

3. Match any one of a list of identities

spiffeMatchOneOf([
  "spiffe://cerbos.dev/ns/privileged/sa/curl",
  "spiffe://cerbos.dev/ns/privileged/sa/foo"
]).matchesID(spiffeID(P.id))

4. Extract the path component

spiffeID(P.id).path() == "/ns/privileged/sa/curl"

All available functions are documented in the SPIFFE condition reference.

Try it out

A working example is available on GitHub. This repo demonstrates:

• How to construct policies that evaluate SPIFFE-based identities
• How to write and run policy tests using the Cerbos test runner
• How SPIFFE-aware access control applies to service accounts and internal APIs

The repository includes test cases that simulate real-world M2M interactions using SPIFFE IDs as identity attributes passed to the Cerbos PDP.

Use cases

This feature is useful when:

• Authorizing internal traffic between workloads that use SPIRE or other SPIFFE-compatible issuers
• Replacing role assumptions or hardcoded service identity checks with declarative policies
• Enforcing access rules on specific service accounts, namespaces, or environments

Typical environments include Kubernetes-based platforms, multi-cloud service meshes, and microservice architectures with sidecars or proxies.

Get started

SPIFFE support is available in the v0.42 Cerbos PDP release. No changes are required to how you integrate with Cerbos — just pass the SPIFFE identity as the principal.id, and use the new spiffeID() functions in your policy conditions.

To explore the capabilities further, refer to SPIFFE CEL functions documentation, and the cerbos-spiffe-demo repository.