This application uses its SPIFFE identity to authenticate to Vault and retrieve a secret, without any long-lived credentials. The diagram below shows how the trust is established and how the secret is fetched on each request.
```mermaid
sequenceDiagram
    participant SS as SPIRE Server
    participant C as Cofide Connect
    participant V as Vault
    participant SA as SPIRE Agent
    participant A as Application
    rect rgb(236, 242, 255)
        Note over SS,V: Setup
        SS->>C: 1. Push trust bundle
        Note over C: 2. OIDC discovery endpoint<br/>made available at known URL
        Note over V: 3. Configured to trust SPIRE<br/>as JWT issuer via OIDC URL
        Note over C: 4. Attestation policy permits<br/>SVID issuance for this workload
    end
    rect rgb(236, 255, 242)
        Note over A,V: Per request
        A->>SA: 5. Request JWT SVID (workload API)
        SA-->>A: JWT SVID
        A->>V: 6. Login with JWT SVID
        V-->>A: Temporary Vault token
        A->>V: 7. Fetch secret
        V-->>A: Secret value
    end
```
The secret value returned to the application:

```json
{
  "key": "super-secret-value"
}
```
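Steps 6 and 7 of the per-request flow, written as an added example in Go against Vault's HTTP API using only the standard library (this is not code from the original page or from Cofide). It assumes Vault's JWT auth method is enabled at `auth/jwt` with a role named `app` whose `bound_subject` and `bound_audiences` pin this workload's SPIFFE ID, a KV v2 engine mounted at `secret/`, and that the JWT SVID itself has already been fetched from the SPIRE Agent Workload API (step 5, for example with go-spiffe) and is passed in by the caller.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// call performs one Vault HTTP API request and decodes the JSON reply into out.
// token is empty for the (unauthenticated) login call; body is nil for GET.
func call(method, url, token string, body []byte, out any) error {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// FetchSecret logs in to Vault's JWT auth method with the JWT SVID (step 6) and reads
// a KV v2 secret with the temporary token it receives (step 7). The token is held only
// for this call; no long-lived credential is stored or returned to the caller.
func FetchSecret(vaultAddr, role, jwtSVID, path string) (map[string]string, error) {
	var login struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwtSVID})
	if err := call(http.MethodPost, vaultAddr+"/v1/auth/jwt/login", "", body, &login); err != nil {
		return nil, err // Vault rejects SVIDs whose sub/aud/iss do not match the role
	}
	if login.Auth.ClientToken == "" {
		return nil, fmt.Errorf("vault login returned no client_token")
	}
	// KV v2 nests the user key/value pairs under data.data (metadata sits beside it).
	var kv struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	if err := call(http.MethodGet, vaultAddr+"/v1/secret/data/"+path, login.Auth.ClientToken, nil, &kv); err != nil {
		return nil, err
	}
	return kv.Data.Data, nil
}
```

A failed login (wrong audience, wrong SPIFFE ID, expired SVID) surfaces as a non-200 status from Vault, so the application never reaches the secret read with a stale or foreign identity.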