Configuring secure access for Backstage integration with Spacelift

Last updated: December 19, 2025

The Backstage integration with Spacelift requires admin-level access to function properly, but you can implement a secure, least-privilege setup through proper scoping and permission management.

Understanding the integration requirements

The Backstage plugin operates with the privileges of the configured Spacelift Integration Key, which grants admin rights to the selected Space. The plugin acts under a single machine identity and doesn't apply per-user permissions from Backstage directly.

Best practices for secure configuration

1. Scope the integration key to a dedicated Space

To limit exposure and maintain security:

  • Create a dedicated top-level Space containing only the stacks and subspaces you want visible in Backstage

  • Avoid using your organization's root Space for the integration

  • Use Space hierarchy to provide visibility only where needed

2. Control plugin access within Backstage

Since the plugin doesn't inherit per-user permissions automatically:

  • Use Backstage's permission framework to restrict who can view or trigger actions in the Spacelift plugin

  • Align Backstage group membership with Spacelift Spaces (e.g., only platform or infrastructure teams can access production stacks)

3. Design Spaces and roles to match team structures

Leverage Spacelift's RBAC system effectively:

  • Model your Spaces after your organizational or environment structure (dev, staging, prod, etc.)

  • Assign predefined or custom roles such as Reader, Writer, Admin, or granular custom roles like run:trigger, stack:manage, context:read

  • Leverage Identity Provider (IdP) groups such as GitHub or Okta for automatic role assignment

Alternative approaches

While read-only API keys and direct GitHub identity passthrough aren't currently supported for the Backstage integration, the combination of scoped integration keys, Backstage-side permission controls, and Space-based RBAC design provides a secure solution that minimizes privilege while maintaining team autonomy and enterprise security standards.

For more detailed information, refer to the Backstage integration documentation.