Accepted SPIFFE trust domains. In non-federated setups you usually configure exactly one trust domain.
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string <ca-cert> | One or more CA certificates, in PEM format, used to validate the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default true | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default true | Verify the TLS certificate of jwks-uri. Should only be set to false in test environments, never in production. |
| jwks-refresh-interval | string <duration>, default "5m" | How often to refresh the JWKS from jwks-uri. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string <duration>, default "5s" | Timeout for JWKS retrieval. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string <duration>, default "1h" | Maximum time to keep using cached keys if the JWKS fetch fails. A duration expressed in years, days, hours, minutes and seconds. |
| name | string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ | Trust domain name. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings <enumeration> | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string <duration>, default "60s" | Allowed clock skew when validating exp/nbf/iat. A duration expressed in years, days, hours, minutes and seconds. |
| require-exp | boolean, default true | Require the 'exp' claim. |
| require-aud | boolean, default true | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| | Array of objects, required | Authorization-oriented constraints on the SPIFFE IDs allowed to log in (post-authentication). Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default false | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. The log entries appear in the volga topic system:logs on the site where the logging occurred. |
| | to (object) or sites (object) or deployments (object) | |
Created
Bad Request
Unauthorized
Forbidden
Not Found
Conflict (instance exists)
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| validate | string <enumeration> | Validate the request but do not actually perform the requested operation. |
| keys | string <enumeration> | Retrieve only the keys for the list. |
| count | string <enumeration> | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
- name: example
  jwks-uri: https://oidc.example.test:8443/keys
  jwks-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIB...REPLACE_ME...==
    -----END CERTIFICATE-----
  jwks-use-root-ca-certs: false
  jwks-server-name-indication: oidc.example.test
  jwks-tls-verify: true
  jwks-refresh-interval: 1m
  jwks-request-timeout: 3s
  jwks-cache-max-age: 30m
  allowed-algorithms:
    - es256
  allowed-clock-skew: 1m
  require-exp: true
  require-aud: true
  issuer: https://oidc.example.test:8443
  allowed-audiences:
    - avassa-dev
  spiffe-id-patterns:
    - name: spiffe://example.org/ns/dev/*
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-auto-bound-cidrs: host
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  token-spiffe-jwt:
    jwt-audiences:
      - popcorn
  token-spiffe-x509:
    cert-type: client
    server-ext-usage: false
    client-ext-usage: true
    code-signing-ext-usage: false
    full-authority-key-identifier: false
  verbose-logging: false
  distribute:
    to: all
```
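The three jwks-* timing leaves (jwks-refresh-interval, jwks-request-timeout, jwks-cache-max-age) define a small state machine: refetch once the interval has elapsed, bound each fetch by the timeout, and when a fetch fails keep serving the last good key set only until it is older than cache-max-age. The following is an added example (not Avassa's code) that models that behaviour with an injectable fetcher and a fake clock so the failure path can be driven deterministically. The duration format (digits followed by y/d/h/m/s, optionally concatenated as in '1h30m') is assumed from the page's own example values, since the page does not spell out the format; the fetcher interface `fetcher(timeout_seconds) -> jwks dict` is likewise a construct of this example.

```python
# Added example, not Avassa's code: refresh / timeout / stale-cache semantics of the jwks-* leaves.
import time

_UNITS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text: str) -> int:
    """Parse '5m', '30s', '1h', '1d', '1h30m' into seconds (assumed format, matching the page's examples)."""
    total, digits = 0, ""
    for ch in text.strip():
        if ch.isdigit():
            digits += ch
        elif ch in _UNITS and digits:
            total, digits = total + int(digits) * _UNITS[ch], ""
        else:
            raise ValueError(f"bad duration {text!r}")
    if digits:
        raise ValueError(f"bad duration {text!r}: number without a unit")
    return total

class JwksUnavailable(Exception):
    """No key set fresh enough to serve: the caller must fail closed."""

class JwksCache:
    """fetcher(timeout_seconds) returns the JWKS dict or raises; clock() returns seconds."""
    def __init__(self, fetcher, refresh_interval="5m", request_timeout="5s",
                 cache_max_age="1h", clock=time.monotonic):
        self._fetch, self._clock = fetcher, clock
        self.refresh = parse_duration(refresh_interval)
        self.timeout = parse_duration(request_timeout)
        self.max_age = parse_duration(cache_max_age)
        self._keys, self._fetched_at = None, None  # _fetched_at: time of the last *successful* fetch

    def keys(self) -> dict:
        now = self._clock()
        if self._keys is None or now - self._fetched_at >= self.refresh:
            try:
                self._keys, self._fetched_at = self._fetch(self.timeout), now
            except Exception as err:  # network, TLS or parse failure: fall back to cached keys if fresh enough
                if self._keys is None or now - self._fetched_at > self.max_age:
                    raise JwksUnavailable(f"fetch failed and no cached keys within cache-max-age: {err}") from err
        return self._keys

def run_demo() -> dict:
    """Drive the cache with a fake clock and a fetcher that can be made to fail; return (kid, fetch calls) per step."""
    clock = {"t": 0}
    state = {"fail": False, "calls": 0, "kid": "1"}  # constructed upstream: the 'kid' is the only key material shown

    def fetcher(timeout_s):
        state["calls"] += 1
        if state["fail"]:
            raise ConnectionError("jwks-uri unreachable")
        return {"keys": [{"kid": state["kid"]}]}

    cache = JwksCache(fetcher, "1m", "3s", "30m", clock=lambda: clock["t"])  # the page's example values
    seen = {}

    def step(label, t, **changes):
        clock["t"] = t
        state.update(changes)
        try:
            seen[label] = (cache.keys()["keys"][0]["kid"], state["calls"])
        except JwksUnavailable:
            seen[label] = ("unavailable", state["calls"])

    step("t=0 first fetch", 0)
    step("t=30s inside refresh interval, served from cache", 30)
    step("t=1m refresh picks up rotated key", 60, kid="2")
    step("t=2m fetch fails, stale keys within cache-max-age", 120, fail=True)
    step("t=31m fetch fails, stale keys exactly at cache-max-age", 60 + 1800)
    step("t=31m1s fetch fails, stale keys too old", 60 + 1801)
    return seen
```

The last two steps are the point of jwks-cache-max-age: a JWKS outage shorter than that window degrades to "keep verifying with the keys we already have", while a longer one makes the cache fail closed instead of silently accepting tokens against keys the issuer may have rotated away.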
| Field | Type | Description |
|---|---|---|
| issuing-ca | string <leafref> | Name of the TLS CA used to issue X.509 SPIFFE certificates. If not set, X.509 SVIDs will not be issued even if token-spiffe-x509 is configured on a role. The signing CA should be configured to rotate every 12-24 months; use 6-12 months for a stronger security posture. Note that the distribute settings for the issuing CA must be compatible with the distribute settings for spiffe-settings. |
| jwt-signing-key | string <leafref> | Name of the transit key used to sign SPIFFE JWTs. The key should be of type ecdsa-p256, ecdsa-p384, or rsa-2048 or stronger; ecdsa-p256 is recommended. If not set, JWT-SVIDs will not be issued even if token-spiffe-jwt is configured on a role. The signing key should be configured to rotate every 6-12 months; use 3-6 months for a stronger security posture. Note that the distribution settings for the issuing-ca must cover a superset of the sites in the distribution settings for spiffe-settings, i.e. the issuing-ca must be distributed to every site where the spiffe-settings are distributed. |
| jwt-issuer | string, required | The 'iss' claim value placed in all JWT-SVIDs issued by this instance. Typically the HTTPS URL of this Strongbox deployment, e.g. 'https://strongbox.example.com'. The host part is also used as the SPIFFE trust domain when constructing SPIFFE IDs for issued SVIDs. |
| | to (object) or sites (object) or deployments (object) | |
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
distribute:
  to: all
```
| Field | Type | Description |
|---|---|---|
| issuing-ca | string <leafref> | Name of the TLS CA used to issue X.509 SPIFFE certificates. If not set, X.509 SVIDs will not be issued even if token-spiffe-x509 is configured on a role. The signing CA should be configured to rotate every 12-24 months; use 6-12 months for a stronger security posture. Note that the distribute settings for the issuing CA must be compatible with the distribute settings for spiffe-settings. |
| jwt-signing-key | string <leafref> | Name of the transit key used to sign SPIFFE JWTs. The key should be of type ecdsa-p256, ecdsa-p384, or rsa-2048 or stronger; ecdsa-p256 is recommended. If not set, JWT-SVIDs will not be issued even if token-spiffe-jwt is configured on a role. The signing key should be configured to rotate every 6-12 months; use 3-6 months for a stronger security posture. Note that the distribution settings for the issuing-ca must cover a superset of the sites in the distribution settings for spiffe-settings, i.e. the issuing-ca must be distributed to every site where the spiffe-settings are distributed. |
| jwt-issuer | string, required | The 'iss' claim value placed in all JWT-SVIDs issued by this instance. Typically the HTTPS URL of this Strongbox deployment, e.g. 'https://strongbox.example.com'. The host part is also used as the SPIFFE trust domain when constructing SPIFFE IDs for issued SVIDs. |
| | to (object) or sites (object) or deployments (object) | |
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
distribute:
  to: all
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| validate | string <enumeration> | Validate the request but do not actually perform the requested operation. |
OK
Not Modified
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
distribute:
  to: all
```
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string <ca-cert> | One or more CA certificates, in PEM format, used to validate the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default true | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default true | Verify the TLS certificate of jwks-uri. Should only be set to false in test environments, never in production. |
| jwks-refresh-interval | string <duration>, default "5m" | How often to refresh the JWKS from jwks-uri. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string <duration>, default "5s" | Timeout for JWKS retrieval. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string <duration>, default "1h" | Maximum time to keep using cached keys if the JWKS fetch fails. A duration expressed in years, days, hours, minutes and seconds. |
| name | string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ | Trust domain name. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings <enumeration> | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string <duration>, default "60s" | Allowed clock skew when validating exp/nbf/iat. A duration expressed in years, days, hours, minutes and seconds. |
| require-exp | boolean, default true | Require the 'exp' claim. |
| require-aud | boolean, default true | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| | Array of objects, required | Authorization-oriented constraints on the SPIFFE IDs allowed to log in (post-authentication). Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default false | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. The log entries appear in the volga topic system:logs on the site where the logging occurred. |
| | to (object) or sites (object) or deployments (object) | |
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string <ca-cert> | One or more CA certificates, in PEM format, used to validate the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default true | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default true | Verify the TLS certificate of jwks-uri. Should only be set to false in test environments, never in production. |
| jwks-refresh-interval | string <duration>, default "5m" | How often to refresh the JWKS from jwks-uri. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string <duration>, default "5s" | Timeout for JWKS retrieval. A duration expressed in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string <duration>, default "1h" | Maximum time to keep using cached keys if the JWKS fetch fails. A duration expressed in years, days, hours, minutes and seconds. |
| name | string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ | Trust domain name. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings <enumeration> | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string <duration>, default "60s" | Allowed clock skew when validating exp/nbf/iat. A duration expressed in years, days, hours, minutes and seconds. |
| require-exp | boolean, default true | Require the 'exp' claim. |
| require-aud | boolean, default true | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| | Array of objects, required | Authorization-oriented constraints on the SPIFFE IDs allowed to log in (post-authentication). Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default false | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. The log entries appear in the volga topic system:logs on the site where the logging occurred. |
| | to (object) or sites (object) or deployments (object) | |
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
Fetch the CA certificate bundle for verifying x509-SVIDs issued by this tenant. Consumers of x509-SVIDs use this to verify the certificate chain without authenticating to Strongbox.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
tenant: system
cert: |
  -----BEGIN CERTIFICATE-----
  MIICGjCCAcCgAwIBAgITAOhCghMs02nt/Et/U6tlNKRbzDAKBggqhkjOPQQDAjBj
  MRgwFgYDVQQDEw9BdmFzc2EgQVBJIHJvb3QxEjAQBgNVBAcTCVN0b2NraG9sbTEL
  MAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0
  aW9uMCIYDzIwMjExMjMwMTQxMzQ4WhgPMjAyNTA1MTAxNzQ5NDhaMGMxGDAWBgNV
  BAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYDVQQG
  EwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24wWTAT
  BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT7XREAgO0C2o/akCa9yFGViGoJi7oL+YLT
  Zr0QN5mu+6ymkYOjZAC0laQXv1zGe9W3X6eM8FwdmwP7wAGrzFuQo08wTTAOBgNV
  HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMBygGqAY
  hhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIBjoTpxR
  oc+ycvTOg3SriC38o6sKQeY+G4KeqU72wR8DAiEAuBDRyrZK1tiTyL5+dzcf2rOc
  XWQ9mlueeqeDsCzNsYk=
  -----END CERTIFICATE-----
```
Fetch the public JWKS for verifying JWT-SVIDs issued by this tenant. Consumers of JWT-SVIDs use this to verify signatures without authenticating to Strongbox.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
tenant: system
jwks: "{\"keys\":[{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU\",\"y\":\"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0\",\"kid\":\"1\"}]}"
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string <enumeration> | Filter descendant nodes in the response. |
| keys | string <enumeration> | Retrieve only the keys for the list. |
| count | string <enumeration> | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
- name: example
  jwks-uri: https://oidc.example.test:8443/keys
  jwks-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIB...REPLACE_ME...==
    -----END CERTIFICATE-----
  jwks-use-root-ca-certs: false
  jwks-server-name-indication: oidc.example.test
  jwks-tls-verify: true
  jwks-refresh-interval: 1m
  jwks-request-timeout: 3s
  jwks-cache-max-age: 30m
  allowed-algorithms:
    - es256
  allowed-clock-skew: 1m
  require-exp: true
  require-aud: true
  issuer: https://oidc.example.test:8443
  allowed-audiences:
    - avassa-dev
  spiffe-id-patterns:
    - name: spiffe://example.org/ns/dev/*
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-auto-bound-cidrs: host
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  token-spiffe-jwt:
    jwt-audiences:
      - popcorn
  token-spiffe-x509:
    cert-type: client
    server-ext-usage: false
    client-ext-usage: true
    code-signing-ext-usage: false
    full-authority-key-identifier: false
  verbose-logging: false
  distribute:
    to: all
  distribution-status:
    to: all
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| site | string | Send the request to the specified site. |
| content | string <enumeration> | Filter descendant nodes in the response. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
distribute:
  to: all
distribution-status:
  to: none
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string <enumeration> | Filter descendant nodes in the response. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
distribution-status:
  to: all
```