spiffe · kfox1111 · Jul 23, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/cmd/jwt_credential_process.go b/cmd/jwt_credential_process.go
@@ -37,10 +37,24 @@ func newJWTCredentialProcessCmd() (*cobra.Command, error) {
 			params := jwtsvid.Params{
 				Audience: sf.audience,
 			}
-			svid, err := client.FetchJWTSVID(ctx, params)
+			svids, err := client.FetchJWTSVIDs(ctx, params)
 			if err != nil {
 				return fmt.Errorf("fetching jwt: %w", err)
 			}
+			svid := svids[0]
+			if sf.hint != "" {
+				found := false
+				for _, s := range svids {
+					if s.Hint == sf.hint {
+						found = true
+						svid = s
+						break
+					}
+				}
+				if !found {
+					return fmt.Errorf("could not find the specified SVID")
+				}
+			}
 			// TODO(strideynet): Implement SVID selection mechanism, for now,
 			// we'll just use the first returned SVID (a.k.a the default).
 			slog.Debug("Fetched JWT SVID", "svid", jwtSVIDValue(svid))

diff --git a/cmd/main.go b/cmd/main.go
@@ -111,6 +111,7 @@ type sharedJWTFlags struct {
 	endpoint        string
 	sessionDuration int
 	workloadAPIAddr string
+	hint            string
 }
 
 func (f *sharedJWTFlags) addFlags(cmd *cobra.Command) error {
@@ -125,6 +126,7 @@ func (f *sharedJWTFlags) addFlags(cmd *cobra.Command) error {
 	cmd.Flags().IntVar(&f.sessionDuration, "session-duration", 3600, "The duration, in seconds, of the resulting session. Optional. Can range from 15 minutes (900) to 12 hours (43200).")
 	cmd.Flags().StringVar(&f.workloadAPIAddr, "workload-api-addr", "", "Overrides the address of the Workload API endpoint that will be use to fetch the X509 SVID. If unspecified, the value from the SPIFFE_ENDPOINT_SOCKET environment variable will be used.")
 	cmd.Flags().StringVar(&f.roleARN, "role-arn", "", "The ARN of the role to assume.")
+	cmd.Flags().StringVar(&f.hint, "hint", "", "Hint to use to find the SVID.")
 	return nil
 }