Adding EntitlementManagement.ReadWrite.All permissions to Spacelift-managed Azure service principals

Last updated: September 16, 2025

When using Spacelift's managed Azure cloud integration, you may need additional OAuth permissions like EntitlementManagement.ReadWrite.All for creating access packages or other Azure AD operations. However, since Spacelift manages the service principal, you cannot directly modify its permissions.

Current Limitations

Spacelift's security team is unable to add the EntitlementManagement.ReadWrite.All permission to Spacelift-managed service principals. This is a security restriction on Spacelift's side.

Alternative Solutions

Option 1: Switch to Self-Managed Integration

The most straightforward solution is to change your Azure integration from Spacelift-managed to self-managed. This gives you full control over the service principal and allows you to add any required permissions, including EntitlementManagement.ReadWrite.All.

Option 2: Use Azure OIDC Integration

Consider using Azure OIDC integration instead. This approach allows you to:

  • Control the Azure AD application and its permissions

  • Use federated identity credentials for authentication

  • Avoid managing long-lived secrets

Note: While Azure OIDC supports wildcards in subject identifiers (like space:entra:stack:*:run_type:TRACKED:scope:read), you'll need to create a separate federated identity credential for each stack and run-type combination, which can be cumbersome for large deployments.

Flexible Federated Identity Credentials Limitation

Azure's flexible federated identity credentials feature, which would allow wildcard matching, currently only supports tokens from specific providers (GitHub, GitLab, and Terraform Cloud). Spacelift tokens are not yet officially supported. Both Spacelift and customers can reach out to Microsoft to request adding Spacelift as a supported issuer.
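To make the cardinality problem from the two notes above concrete, here is an added Python example (not Spacelift's or Microsoft's code) that enumerates the exact subjects a standard federated identity credential needs for a set of stacks and run types, builds the Graph federatedIdentityCredential body for each, and contrasts exact-match acceptance with the wildcard matching a flexible credential would offer. The issuer and audience values are placeholders for your own Spacelift account, and the wildcard matcher is a simplified glob, not Microsoft's matching engine.

```python
import fnmatch
import itertools
import json

# Spacelift OIDC subject format, as shown on this page:
#   space:<space>:stack:<stack>:run_type:<run type>:scope:<read|write>
SUBJECT_TEMPLATE = "space:{space}:stack:{stack}:run_type:{run_type}:scope:{scope}"


def spacelift_subjects(space, stacks, run_types, scopes=("read",)):
    """Every exact subject a standard (non-flexible) federated identity
    credential must carry: one per stack / run type / scope combination."""
    return [
        SUBJECT_TEMPLATE.format(space=space, stack=s, run_type=r, scope=sc)
        for s, r, sc in itertools.product(stacks, run_types, scopes)
    ]


def federated_credential_body(name, issuer, subject, audience):
    """Body of a Microsoft Graph federatedIdentityCredential (documented
    field names). issuer/audience are placeholders supplied by the caller."""
    return {
        "name": name,
        "issuer": issuer,
        "subject": subject,
        "audiences": [audience],
        "description": "Spacelift run token for " + subject,
    }


def standard_fic_accepts(credential_subject, token_subject):
    """Standard credentials match the token's `sub` exactly and
    case-sensitively; a '*' in the credential is just a literal character."""
    return credential_subject == token_subject


def flexible_fic_accepts(pattern, token_subject):
    """What a wildcard pattern would match if flexible federated identity
    credentials accepted Spacelift tokens (simplified glob; an assumption)."""
    return fnmatch.fnmatchcase(token_subject, pattern)


def plan_credentials(space, stacks, run_types, issuer, audience, scopes=("read",)):
    """One credential body per subject, so the caller can count how many
    credentials a deployment needs and review each one before creating it."""
    subjects = spacelift_subjects(space, stacks, run_types, scopes)
    return [federated_credential_body(f"spacelift-{i}", issuer, subj, audience)
            for i, subj in enumerate(subjects)]


if __name__ == "__main__":
    # Constructed sample: two stacks, two run types, read scope only.
    plan = plan_credentials("entra", ["infra", "network"], ["TRACKED", "PROPOSED"],
                            "https://example-account.app.spacelift.io",  # placeholder
                            "example-account.app.spacelift.io")         # placeholder
    print(len(plan), "credentials needed")
    print(json.dumps(plan[0], indent=2))
```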

Recommendation

For immediate needs requiring EntitlementManagement.ReadWrite.All permissions, switching to a self-managed Azure integration is the most practical solution. This gives you complete control over the service principal's permissions while maintaining full functionality with Spacelift.