temporal-sa/temporal-proxy-spiffe-worker

Temporal Worker with SPIFFE Authentication

An example of how to use SPIFFE to authenticate a Temporal Worker to a Temporal Cloud Proxy.

Prerequisites

  • Go 1.24.4+
  • A Temporal Cloud account and namespace
  • Temporal Cloud Proxy configured for SPIFFE (see below)
  • A running SPIFFE agent (e.g., SPIRE)

How to Run

# Run the worker
go run ./worker

# In another shell, run the starter/workflow
go run ./starter

Example Worker Config

Create a SPIFFE ID

sub, err := spiffeid.FromString("spiffe://example.org/myservice/worker")

Add headers to the Temporal Client

c, err := client.Dial(client.Options{
    HostPort:  "127.0.0.1:9000", // address of Temporal Cloud proxy
    Namespace: "<namespace>.<account>", // Temporal Cloud namespace must be provided
    HeadersProvider: &spiffeauth.SpiffeHeadersProvider{
        Config: spiffeauth.SpiffeConfig{
            SpiffeID:   sub,
            SocketPath: "unix:///tmp/spire-agent/public/api.sock",
            Audience:   "temporal_cloud_proxy",
        },
        WorkloadId: "my-workload", // maps to workload_id in the proxy config
    },
})

Example Proxy Config

- workload_id: "my-workload"
  ...
  authentication:
    type: "spiffe"
    config:
      trust_domain: "spiffe://example.org/myservice/"
      endpoint: "unix:///tmp/spire-agent/public/api.sock"
      audiences:
        - "temporal_cloud_proxy"
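
When the proxy rejects a worker, a quick diagnostic is to compare the claims in the worker's identity token with the SpiffeID and Audience configured above. The sketch below is an added example, not code from this repository: it assumes the headers provider sends a JWT-SVID (implied by the Audience setting, not stated on this page), and `CheckClaims` and `SampleToken` are hypothetical helper names. It decodes the token without verifying its signature, so it is a debugging aid and not an authentication check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SampleToken builds a constructed, unsigned token so the demo runs offline.
func SampleToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"ES256"}`)) + "." + enc([]byte(payload)) + ".sig"
}

// CheckClaims decodes the payload WITHOUT verifying the signature (diagnostic only).
func CheckClaims(token, wantSub, wantAud string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWT: %d parts", len(parts))
	}
	var c map[string]any
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("payload is not base64url-encoded JSON")
	}
	if c["sub"] != wantSub {
		return fmt.Errorf("sub is %v, want %q", c["sub"], wantSub)
	}
	if exp, _ := c["exp"].(float64); exp == 0 || float64(now.Unix()) >= exp {
		return fmt.Errorf("exp missing or in the past")
	}
	auds, _ := c["aud"].([]any) // "aud" may be an array of strings ...
	if s, ok := c["aud"].(string); ok {
		auds = []any{s} // ... or a single string
	}
	for _, a := range auds {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("aud %v does not contain %q", c["aud"], wantAud)
}

func main() {
	tok := SampleToken(`{"sub":"spiffe://example.org/myservice/worker","aud":["temporal_cloud_proxy"],"exp":4102444800}`)
	fmt.Println(CheckClaims(tok, "spiffe://example.org/myservice/worker", "temporal_cloud_proxy", time.Now()))
}
```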
