
Workload Identity

FTL relies on Istio mTLS to authenticate services and to provide the workload identity of the caller of a service. FTL exposes this identity as a SPIFFE ID for each request, which is useful for services that need to know the identity of the caller. FTL obtains it by parsing the x-forwarded-client-cert header that is set by Istio.

When running in local dev or serve mode, FTL injects a fake SPIFFE ID for the service. This is of the form spiffe://cluster.local/ns/<module>/sa/<module>.
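To make the header concrete, the following added example (not FTL's own parser and not taken from the FTL code base) extracts the caller's SPIFFE ID from an x-forwarded-client-cert value with the Go standard library and rejects IDs outside an expected trust domain. It assumes Envoy's XFCC layout (comma-separated elements of semicolon-separated key=value pairs, with the nearest proxy's element last); `CallerSpiffeID`, `splitUnquoted` and the sample header are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// splitUnquoted splits s on sep, ignoring separators inside double-quoted values.
func splitUnquoted(s string, sep byte) []string {
	var parts []string
	inQuote, start := false, 0
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && inQuote:
			i++ // skip the escaped character
		case s[i] == '"':
			inQuote = !inQuote
		case s[i] == sep && !inQuote:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// CallerSpiffeID (hypothetical helper) reads URI from the last XFCC element and checks its trust domain.
func CallerSpiffeID(xfcc, trustDomain string) (string, error) {
	elems := splitUnquoted(xfcc, ',')
	for _, kv := range splitUnquoted(elems[len(elems)-1], ';') {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || !strings.EqualFold(k, "URI") {
			continue
		}
		u, err := url.Parse(strings.Trim(v, `"`))
		if err != nil || u.Scheme != "spiffe" || u.Host != trustDomain || u.Path == "" {
			return "", fmt.Errorf("untrusted or malformed SPIFFE ID %q", v)
		}
		return u.String(), nil
	}
	return "", errors.New("no URI field in x-forwarded-client-cert")
}

func main() {
	// Constructed sample: an element from an earlier hop, then the element for the direct caller.
	h := `By=spiffe://cluster.local/ns/a/sa/a;Hash=00;Subject="CN=x,O=y";URI=spiffe://other.example/ns/z/sa/z,By=spiffe://cluster.local/ns/echo/sa/echo;Hash=11;URI=spiffe://cluster.local/ns/time/sa/time`
	fmt.Println(CallerSpiffeID(h, "cluster.local"))
}
```

The header is only meaningful when it was written by the sidecar in front of the service; a value that reaches the service by any other path should not be treated as an identity.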

Examples

Examples of retrieving the SPIFFE ID in different languages:

package example

import (
	"context"

	"github.com/block/ftl/go-runtime/ftl"
)

//ftl:verb export
func CallerIdentity(ctx context.Context) (string, error) {
	// Workload identity that FTL attached to this request.
	identity := ftl.WorkloadIdentity(ctx)
	// SPIFFE ID of the caller.
	id, err := identity.SpiffeID()
	if err != nil {
		return "", err
	}
	return id.String(), nil
}