NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Attribute-based Access Control for Microservices-based Applications Using a Service Mesh

Published

Author(s)

Ramaswamy Chandramouli, Zack Butcher, Aradhna Chetal

Abstract

Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this architecture are to build (1) the concept of zero trust by enabling mutual authentication in communication between any pair of services and (2) a robust access control mechanism based on an access control such as attribute-based access control (ABAC) that can be used to express a wide set of policies and is scalable in terms of user base, objects (resources), and deployment environment. This document provides deployment guidance for building an authentication and authorization framework within the service mesh that meets these requirements. A reference platform for hosting the microservices-based application and a reference platform for the service mesh are included to illustrate the concepts in the recommendations and provide the context in terms of the components used in real-world deployments.
Citation
Special Publication (NIST SP) - 800-204B
Report Number
800-204B
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.SP.800-204B
Local Download

Keywords

attribute-based access control, authentication policy, authorization policy, CI/CD, DevSecOps, JSON web token, microservices-based application, mutual TLS, next generation access control, policy enforcement point, role-based access control, service mesh, service proxy, zero trust.
Information technology

Citation

Chandramouli, R. , Butcher, Z. and Chetal, A. (2021), Attribute-based Access Control for Microservices-based Applications Using a Service Mesh, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-204B, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932741 (Accessed October 3, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created August 6, 2021, Updated November 29, 2022
Was this page helpful?