Identity

Identity commands are used to verify workload identity, attest principals, and enforce trust boundaries before policy execution.

Deep dive: why agent identity matters

Identity is the root input to governance. Without strong identity, policy has no reliable subject to evaluate. An action that appears to come from support-bot could actually be spoofed by an untrusted process, a stale container image, or a compromised host. Faramesh treats identity as a first-class precondition, not a logging attribute.

In production, identity ties together five things: principal name, workload attestation, trust bundle, environment (tenant/org), and cryptographic proof chain. If any of these fail verification, the action is denied before rule matching. This prevents policy confusion attacks where an untrusted workload tries to inherit trusted permissions.

Identity trust lifecycle

phasewhat Faramesh verifies

attestCreates signed evidence linking workload identity to runtime metadata and issuer bundle.

verifyValidates issuer chain, signature integrity, expiry, and audience constraints.

trustAssigns trust level and domain-scoped policy posture for subsequent decisions.

enforcePolicy evaluation runs only with validated identity context; failures are fail-closed.

Verify identity

Validate a workload or principal identity document.

bash

faramesh identity verify --spiffe spiffe://example.org/agent

Show current identity

Print identity context for the current daemon/client environment.

bash

faramesh identity whoami

Issue attestation

Create an identity attestation for downstream trust checks.

bash

faramesh identity attest --workload support-bot

Set trust level

Update trust state for a principal to constrain what it may execute.

bash

faramesh identity trust --domain example.org --bundle ./bundle.pem

Need help? Use any of these support options.

open an issue join slack community/forum

MIT License

docs github community get started →