
Why Workload Identity Is Hard to Explain (And How I Tried to Fix It)


I've spent a lot of time explaining workload identity to people. Like, a lot. And I've watched a lot of eyes glaze over.

It's not that people aren't smart. It's that when you explain something they already know, like a database or a container or whatever, they can picture it in their head. They've got something to attach your words to.

But when you're explaining an emerging standard like SPIFFE (the Secure Production Identity Framework for Everyone)? There's nothing there. You're basically asking their brain to build something out of thin air.

So I figured maybe I should just... build the picture for them.

The Passport Thing Doesn't Work

People in the SPIFFE community like to use a passport analogy. Your SPIFFE ID is like your passport number, and your SVID (SPIFFE Verifiable Identity Document) is like the physical passport: it expires, it gets renewed, and so on.

It's fine. But it kind of assumes everyone travels internationally.

Here's what I actually know for sure: pretty much everyone has worked at a company with a badge system.

You get hired. Security takes your picture and gives you a badge. Badge expires eventually. You get a new one. You tap it to get into the building. You show it to prove you work there.

That's SPIFFE. Same thing. But for software instead of people.

So I Built This Thing

It's called The Secret Lives of Identity. It's an interactive visualization that walks through SPIFFE and SPIRE from scratch. No assumed knowledge.

The name comes from The Secret Lives of Data by Ben Johnson, which is this really well done visualization of the Raft consensus algorithm. That project kind of showed me what's possible when you stop trying to explain something with words and just show it.

The badge metaphor runs through the whole thing:

  • Your SPIFFE ID is like your employee ID number. It's a URI of the form spiffe://trust-domain/path, and it stays the same no matter how many badges you've been issued.

  • Your SVID is your actual badge: an X.509 certificate (or a JWT) that carries your SPIFFE ID. It's short-lived, and it gets renewed automatically before it expires.

  • The SPIRE Server is corporate HQ. It signs the badges and keeps the registry of who is allowed to hold which identity.

  • The SPIRE Agent is the security desk on your floor. It runs on each node, checks who you are locally, and hands you your badge over the Workload API.

  • Attestation is proving you actually work here before anyone gives you a badge. The agent proves itself to the server (node attestation), and each workload proves itself to the agent (workload attestation).

  • mTLS is two employees showing each other their badges before they'll share anything. Each side checks the other's SVID against the trust bundle and reads the SPIFFE ID out of it.

Once you frame it that way, people get it. The metaphor does most of the work.

It Was Too Long

First version had like 90 frames. Everything. Attestation details, selectors, rotation, federation, trust bundles, all of it.

I showed it to some people at AWS re:Invent who'd never touched SPIFFE before. They actually understood it, which was great. But I kept hearing the same thing:

"It's kind of long."

Yeah. Fair.

Not everyone has 30 minutes. Some people just need to know what SPIFFE is so they can decide if they care. They don't need the deep dive yet.

So I split it into three tracks:

Track    Time     What you get
Bronze   ~5 min   Core concepts, the problem it solves
Silver   ~15 min  How SPIRE works, attestation flow
Gold     ~25 min  Everything, including lifecycle and federation

Each one tells a complete story. Bronze isn't a teaser for Silver. It's its own thing. You walk away understanding SPIFFE even if you never click Silver.

Workloads Aren't People

One thing I went back and forth on: how do you actually show a workload?

First instinct was a person icon. Fits the badge metaphor, employees have badges, makes sense.

But then... SPIFFE is about non-human identity. That's the whole point. If the workload looks like a person, people are gonna think "oh so like logging in" and that's not it at all.

Ended up going with a circuit chip thing. Like a processor with traces coming out of it. Reads as "machine" without looking like a server rack. The center of the chip is where the identity lives. When it's attested, it glows gold. When it's not, it's gray with a question mark.

Small thing but it actually makes a difference in how the whole thing feels.

What I Took Away From This

Building this kind of reinforced something I already sort of knew: education is a design problem.

Being accurate isn't enough. You have to be clear. And clear doesn't mean dumbed down. It means finding the right abstraction. Right metaphor. Right order to show things.

SPIFFE is a solid standard. SPIRE works. But adoption depends on people actually understanding it, and that depends on someone taking the time to bridge the gap between what it technically is and what it feels like.

That's what I was trying to do anyway.

The site: thesecretlivesofidentity.com

The code: github.com/infamousjoeg/thesecretlivesofidentity

It's open source, Apache 2.0. If something's wrong, open an issue. If you want to improve it, PRs welcome.

And if you know someone who keeps struggling to explain workload identity to their team or their leadership or whoever... maybe send this their way. That's who I built it for.