Skip to content

Exact permissions granted

This page is exhaustive by design: everything sprig’s installer touches, so your security review has one canonical source. The installer also has a preview mode (--what-if) that prints its plan without changing anything.

Run-time identity: the platform managed identity

Section titled “Run-time identity: the platform managed identity”
Grant Scope Purpose
Contributor (Azure RBAC) Each builder resource group only, granted at onboarding Create/update the builder’s static web apps
Storage Table Data Contributor The platform storage account Metadata + audit store
Application.ReadWrite.OwnedBy (Graph app role) Tenant, restricted to applications the identity itself created Per-app Entra registrations, owner assignment, share assignment

No subscription-scope RBAC. No Application.ReadWrite.All. No directory read of other applications.

Object Kind Notes
sprig-platform-api App registration Token audience for the platform API; exposes one delegated scope; defines the Ops app role
sprig-cli App registration (public client) Device-code sign-in for the builder plugin; pre-authorized for the API scope so builders see no consent prompts

Per published app, at publish time: one app registration (single-tenant, SPA + web platforms, delegated Fabric scope GraphQLApi.Execute.All and Graph User.Read), one service principal with assignment required, owner assigned. Created and owned by the platform identity.

Resource Where Purpose
Resource group rg-sprig-platform Subscription Platform footprint
Storage account (+ 4 tables) Platform RG Metadata, audit
Function App (Linux consumption) + plan Platform RG Publish API
User-assigned managed identity Platform RG The platform identity above
App Insights + Log Analytics Platform RG Monitoring
Subscription budget Subscription Spend alerts
Action Detail
Resource group rg-sprig-user-<alias> The builder’s sandbox
RBAC assignment Platform identity → Contributor on that group only
Azure Policy assignment Allowed resource types pinned to Microsoft.Web/staticSites
Metadata row Builder registered in the platform store

What the person running the installer needs

Section titled “What the person running the installer needs”

Once, at install time: Owner on the target subscription and Entra rights to create app registrations and grant admin consent. The installer runs under that person’s az login; it stores no credentials.

  • No secrets on builder machines (device-code sign-in; tokens cached per-user by MSAL).
  • No platform access to data planes (Fabric is reached by viewers’ browsers, not by the platform).
  • No outbound calls from the platform to any vendor endpoint — sprig has no telemetry service.