SPIFFE / SPIRE¶
Back an agent's identity with a SPIFFE / SPIRE JWT-SVID. Two modes, with
mode="auto" (default) choosing between them:
- File — reads a JWT-SVID written by
spiffe-helper. Needs nopyspiffe. - SDK — fetches a JWT-SVID from the SPIRE agent's Workload API
socket via
pyspiffe.
Prerequisites¶
- A workload registered with a SPIRE server, served by a local SPIRE agent.
- SDK mode only:
pip install promptise[identity-spiffe]. - The resource the agent calls must trust your SPIRE trust domain and
accept the requested
audience.
Usage¶
from promptise.identity import AgentIdentity
# File mode (spiffe-helper):
identity = AgentIdentity.from_spiffe(
"billing-bot", token_file="/run/spiffe/jwt-svid.token"
)
# SDK mode (Workload API):
identity = AgentIdentity.from_spiffe(
"billing-bot",
mode="sdk",
socket_path="unix:///run/spire/agent/api.sock", # or $SPIFFE_ENDPOINT_SOCKET
audience="api://my-mcp-server",
)
Verify¶
print(identity.credential_provider) # spiffe-file or spiffe-sdk
credential = identity.get_credential() # a signed JWT-SVID
Troubleshooting¶
| Symptom | Likely cause |
|---|---|
ProviderConfigError: … pip install promptise[identity-spiffe] |
SDK mode but pyspiffe not installed. Install it, or use file mode. |
CredentialAcquisitionError: fetching a JWT-SVID … failed |
No SPIRE agent on the socket, or no registration entry. |
CredentialAcquisitionError: … could not be extracted |
The installed pyspiffe exposes the token under an unexpected accessor. |
| File mode: file-not-found | spiffe-helper not running or writing elsewhere. |