DEV Community

Siri Varma Vegiraju
Siri Varma Vegiraju

Posted on

How to use SPIFFE for Service Invocation in Dapr

πŸ”„ What is Dapr Service Invocation?

Dapr (Distributed Application Runtime) provides a service invocation API that allows microservices to call each other over HTTP or gRPC, abstracting away service discovery, retries, and load balancing.

🧩 Key Concepts:

  • Each app is identified by an App ID (e.g., order-service, payment-service).
  • Apps call each other using Dapr sidecars: For example: POST http://localhost:3500/v1.0/invoke/payment-service/method/charge
  • Dapr handles:

    • Service discovery
    • Retries and timeouts
    • Observability (tracing, metrics)
    • Security (when mTLS is enabled)

πŸ” How SPIFFE Helps

SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (its runtime) provide zero-trust identity to workloads via SPIFFE IDs (like spiffe://example.org/ns/default/sa/order-service).

When integrated with Dapr, SPIFFE enhances service invocation security by enabling:

βœ… Strong Workload Identity

  • SPIRE issues short-lived X.509 certificates to workloads based on their identity (namespace, service account, etc.).
  • These are used in mutual TLS (mTLS) connections.

βœ… Authentication

  • Every Dapr sidecar uses mTLS for communication.
  • With SPIFFE, the Dapr sidecar can validate exactly which workload is calling, not just a hostname or IP, but a verified identity.

βœ… Authorization

  • Combined with Dapr’s Invoke Allowlist, you can restrict which SPIFFE identities (or App IDs) are allowed to call specific services.
  • This adds fine-grained control over inter-service communication.

🧠 Summary

Feature Dapr Alone With SPIFFE Integration
Service Invocation By App ID over HTTP/gRPC via sidecars Same, but with stronger identity guarantees
Identity Verification Via Dapr-managed mTLS Via SPIFFE-issued certificates and SPIFFE IDs
Access Control Allowlist by App ID Allowlist tied to cryptographically verified IDs
Security Posture Good Strong (zero-trust, workload-authenticated)

Top comments (0)