SPN Access Map
All automated processes run under dedicated service accounts or service principal names (SPNs) -- never personal accounts. This eliminates the "bus factor" risk where a single person's absence, license change, or account deactivation could break production systems.
Identity Access Diagram
```mermaid
graph LR
    subgraph Identities
        PA["sp-fabric-platform-admin<br/>(Terraform SPN)"]
        DW["sp-fabric-data-worker<br/>(CI/CD SPN)"]
        ADM["geris_fabric_admin<br/>(Human admin)"]
        SVC["svc-powerplatform<br/>(Flow owner)"]
        MI["Function App MI<br/>(Managed Identity)"]
    end
    subgraph Resources
        WS[All Workspaces]
        KV[Key Vault]
        BLOB[Blob Storage]
        OL[OneLake]
        TF[Terraform State]
        SEM[Semantic Models]
        WH[Gold Warehouse]
    end
    PA -->|Admin| WS
    PA -->|Get Secrets| KV
    PA -->|Contributor| TF
    DW -->|Contributor| WS
    DW -->|Get Secrets| KV
    DW -->|Blob Data Contributor| BLOB
    DW -->|Read/Write| WH
    ADM -->|Admin| WS
    ADM -->|Owner| SEM
    ADM -->|Capacity Admin| WS
    SVC -->|Member Gold| WS
    MI -->|Write| OL
    MI -->|Get Secrets| KV
```
Identity Inventory
| Identity | Type | License | Purpose |
|---|---|---|---|
| sp-fabric-platform-admin | SPN (App Registration) | None (API-only) | Terraform, fabric-cicd, workspace creation. Workspace Admin role on all workspaces |
| sp-fabric-data-worker | SPN (App Registration) | None (API-only) | dbt CI/CD builds, blob storage, Key Vault secrets. Backs fabric-ci-service-connection in Azure DevOps |
| geris_fabric_admin@geris.nl | Entra ID service account | Fabric Pro + Capacity Admin | Workspace Admin on all production workspaces. Owns semantic models for scheduled refresh |
| svc-powerplatform@geris.nl | Entra ID service account | PA Premium + Business Basic | Power Automate flow ownership, shared mailbox for automated emails. Member of Gold workspace for SQL endpoint queries |
| Azure Function Managed Identity | Managed Identity | None | OneLake writes (Bronze), Key Vault access |
SPN Resource Access
sp-fabric-platform-admin
Used by Terraform to provision and manage Fabric workspaces, warehouses, lakehouses, and role assignments.
| Role | Scope | Purpose |
|---|---|---|
| Admin | All 4 workspaces (Gold, Bronze, Semantic, Reports) | Terraform workspace management |
| Get Secrets | kv-fabric-dbt-keys | Read own credentials (fabric-admin-* secrets) |
| Contributor | Terraform state blob | Read/write state files |
Auth method: Client secret stored in Key Vault. Pipelines fetch fabric-admin-tenant-id, fabric-admin-client-id, and fabric-admin-client-secret via AzureKeyVault@2 and set them as FABRIC_* environment variables.
sp-fabric-data-worker
Used by all CI/CD pipelines for dbt builds, security script execution, manifest storage, and function deployments.
| Role | Scope | Purpose |
|---|---|---|
| Contributor | rg-fabric-dbt-platform resource group | ARM resource management |
| Storage Account Contributor | gerisdbtartifacts storage account | Manage static website, containers |
| Storage Blob Data Contributor | gerisdbtartifacts storage account | Upload/download manifests, docs |
| Key Vault Secrets User | kv-fabric-dbt-keys | Read secrets for pipeline auth |
| Reader | kv-fabric-dbt-keys | List secret metadata |
| Contributor | Gold workspace | dbt warehouse builds |
Auth method: Azure DevOps service connection (fabric-ci-service-connection). All pipelines authenticate via AzureCLI@2 tasks which reuse the az session.
Key Rules
- SPNs cannot own semantic models -- they lack Pro licenses. Use `geris_fabric_admin@geris.nl` for semantic model ownership and scheduled refresh.
- `svc-powerplatform@geris.nl` is the only identity that should own Power Automate connections and flows in production.
- Personal accounts retain workspace access for development but must not be the sole owner of any automated process.
- `svc-powerplatform` needs Member on Gold -- the Power Automate SQL Server connector requires Member, not Viewer, for SQL endpoint access.
Key Vault Access
Single vault: kv-fabric-dbt-keys in resource group rg-fabric-dbt-platform.
| Secret | Used By | Purpose |
|---|---|---|
| fabric-admin-tenant-id | infra-deploy.yml | Terraform Fabric provider auth |
| fabric-admin-client-id | infra-deploy.yml | Terraform Fabric provider auth |
| fabric-admin-client-secret | infra-deploy.yml | Terraform Fabric provider auth |
Who can read secrets:
- `sp-fabric-data-worker` (Key Vault Secrets User role)
- Azure Function Managed Identity (Key Vault access policy)
Who can write secrets:
- IT administrators via Azure Portal
- `sp-fabric-data-worker` (Storage Account Contributor -- for blob operations, not KV writes)
Workspace Access Matrix
| Workspace | geris_fabric_admin | svc-powerplatform | sp-fabric-data-worker | sp-fabric-platform-admin | Personal accounts |
|---|---|---|---|---|---|
| Gold | Admin | Member | -- | Admin | Admin (dev) |
| Bronze | Admin | -- | Contributor | Admin | Admin (dev) |
| Semantic | Admin | -- | -- | Admin | Admin (dev) |
| Reports | Admin | -- | -- | Admin | Admin (dev) |
Note: sp-fabric-data-worker needs Contributor on CI workspace for dbt builds and on production Bronze for OneLake shortcut reads. Personal accounts retain Admin for development -- do NOT remove personal access before cutover is complete.
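The matrix above is only useful if the tenant actually matches it. The following script is an added example (not part of this page or the platform's own tooling): it encodes the matrix as the intended state and reports drift against a flat list of collected role assignments. The `ACTUAL` list is constructed sample data and the short principal names are assumed; a real run would populate it from the Fabric workspace role-assignment API, and that collector is not shown. Personal (User) principals holding Admin are accepted, because the note above says they keep Admin until cutover; anything else outside the matrix is flagged.

```python
"""Workspace role drift check (added example, not the platform's own script)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Intended state transcribed from the Workspace Access Matrix. None = must hold no role.
EXPECTED: Dict[str, Dict[str, Optional[str]]] = {
    "Gold":     {"geris_fabric_admin": "Admin", "svc-powerplatform": "Member", "sp-fabric-data-worker": None,          "sp-fabric-platform-admin": "Admin"},
    "Bronze":   {"geris_fabric_admin": "Admin", "svc-powerplatform": None,     "sp-fabric-data-worker": "Contributor", "sp-fabric-platform-admin": "Admin"},
    "Semantic": {"geris_fabric_admin": "Admin", "svc-powerplatform": None,     "sp-fabric-data-worker": None,          "sp-fabric-platform-admin": "Admin"},
    "Reports":  {"geris_fabric_admin": "Admin", "svc-powerplatform": None,     "sp-fabric-data-worker": None,          "sp-fabric-platform-admin": "Admin"},
}

# A User principal not named in the matrix is a personal account; the matrix
# allows those Admin (dev) until cutover and nothing else.
PERSONAL_ALLOWED_ROLES = {"Admin"}

# Constructed sample of collected assignments: (workspace, principal, principal type, role).
# Hypothetical tenant state, deliberately containing four deviations.
ACTUAL: List[Tuple[str, str, str, str]] = [
    ("Gold", "geris_fabric_admin", "User", "Admin"),
    ("Gold", "svc-powerplatform", "User", "Member"),
    ("Gold", "sp-fabric-platform-admin", "ServicePrincipal", "Admin"),
    ("Gold", "alice@geris.nl", "User", "Admin"),                      # personal dev account: allowed
    ("Bronze", "geris_fabric_admin", "User", "Admin"),
    ("Bronze", "sp-fabric-data-worker", "ServicePrincipal", "Viewer"),  # should be Contributor
    ("Bronze", "sp-fabric-platform-admin", "ServicePrincipal", "Admin"),
    ("Semantic", "geris_fabric_admin", "User", "Admin"),
    ("Semantic", "sp-fabric-platform-admin", "ServicePrincipal", "Admin"),
    ("Semantic", "sp-fabric-data-worker", "ServicePrincipal", "Contributor"),  # matrix says none
    ("Reports", "sp-fabric-platform-admin", "ServicePrincipal", "Admin"),       # geris_fabric_admin missing
    ("Reports", "bob@geris.nl", "User", "Member"),                              # personal, but not Admin
]


@dataclass(frozen=True)
class Finding:
    workspace: str
    principal: str
    kind: str                  # "missing" | "wrong_role" | "unexpected"
    expected: Optional[str]
    actual: Optional[str]


def find_drift(expected: Dict[str, Dict[str, Optional[str]]],
               actual: List[Tuple[str, str, str, str]]) -> List[Finding]:
    """Return every deviation between the matrix and the collected assignments."""
    seen = {(ws, principal): (ptype, role) for ws, principal, ptype, role in actual}
    findings: List[Finding] = []

    # Pass 1: every matrix cell must match, including cells that must be empty.
    for ws, roles in expected.items():
        for principal, role in roles.items():
            got = seen.get((ws, principal))
            if role is None:
                if got is not None:
                    findings.append(Finding(ws, principal, "unexpected", None, got[1]))
            elif got is None:
                findings.append(Finding(ws, principal, "missing", role, None))
            elif got[1] != role:
                findings.append(Finding(ws, principal, "wrong_role", role, got[1]))

    # Pass 2: assignments the matrix does not mention at all.
    for (ws, principal), (ptype, role) in seen.items():
        if ws in expected and principal in expected[ws]:
            continue  # already judged in pass 1
        if ws in expected and ptype == "User" and role in PERSONAL_ALLOWED_ROLES:
            continue  # personal dev account holding Admin: permitted until cutover
        findings.append(Finding(ws, principal, "unexpected", None, role))
    return findings


def run_check() -> List[Finding]:
    """Drift of the constructed ACTUAL sample against the matrix."""
    return find_drift(EXPECTED, ACTUAL)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.workspace:<9} {f.principal:<26} {f.kind:<10} expected={f.expected} actual={f.actual}")
```

Run it periodically (for example from the security pipeline under `sp-fabric-data-worker`, which already has the read access it needs) and treat any `missing` or `wrong_role` finding on an SPN as a pipeline-breaking drift, and any `unexpected` finding as a least-privilege review item.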
Credential Rotation Procedure
Service principal secrets expire after 1 year. Rotate before expiry to avoid CI/CD pipeline failures.
Affected SPNs:
- `sp-fabric-data-worker` -- backs `fabric-ci-service-connection` and Key Vault secret `fabric-client-secret`
- `sp-fabric-platform-admin` -- used for Terraform and workspace management
Rotation Steps for sp-fabric-data-worker
1. Create new secret in Entra ID:
   - Azure Portal > Entra ID > App registrations > `sp-fabric-data-worker`
   - Certificates & secrets > New client secret > Set expiry (1 year recommended)
   - Copy the new secret value immediately (it cannot be retrieved later)
2. Update Key Vault:
   - Azure Portal > `kv-fabric-dbt-keys` > Secrets > `fabric-client-secret`
   - New version > paste the new secret value > Create
3. Update Azure DevOps service connection:
   - Azure DevOps > Project Settings > Service connections > `fabric-ci-service-connection`
   - Edit > paste the new secret > Verify > Save
4. Verify pipelines:
   - Run `infra-deploy`, `dbt-dev-build`, and `security-deploy` manually
   - Check that all three complete without authentication errors
5. Delete old secret:
   - Return to Entra ID > App registrations > `sp-fabric-data-worker` > Certificates & secrets
   - Delete the previous (now-superseded) secret
   - Only delete after verifying all pipelines work with the new secret
6. Update calendar reminder:
   - Set a reminder for 11 months from today (1 month before new secret expires)
Rotation for sp-fabric-platform-admin
Follow the same steps, but update the secret wherever sp-fabric-platform-admin credentials are stored (Terraform backend config, any Azure DevOps service connections that reference this SPN).
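A calendar reminder is a single point of failure of its own. The following script is an added example (not part of this page or the platform's own tooling) that checks both SPNs from the JSON that `az ad app credential list --id <appId>` prints (the `keyId`, `startDateTime` and `endDateTime` fields) and classifies each one as ok, due for rotation, or expired. The 30-day threshold is an assumption that mirrors the "1 month before expiry" rule in step 6; the JSON below is constructed sample output with placeholder key IDs, not real tenant data. It also flags an SPN that still has two unexpired secrets, which is what a skipped step 5 looks like.

```python
"""Client-secret expiry check for the rotation procedure (added example, not the platform's own script)."""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Assumption mirroring step 6: rotate when one month (30 days) or less remains.
ROTATE_WITHIN_DAYS = 30

# Constructed sample of `az ad app credential list` output, one JSON document per SPN.
# Key IDs are placeholders; dates are chosen so the two SPNs show different states.
SAMPLE_AZ_OUTPUT: Dict[str, str] = {
    "sp-fabric-data-worker": """[
      {"keyId": "00000000-0000-0000-0000-0000000000a1", "displayName": "ci-2025",
       "startDateTime": "2025-01-15T00:00:00Z", "endDateTime": "2026-01-10T00:00:00Z"},
      {"keyId": "00000000-0000-0000-0000-0000000000a0", "displayName": "ci-2024",
       "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2025-01-15T00:00:00Z"}
    ]""",
    "sp-fabric-platform-admin": """[
      {"keyId": "00000000-0000-0000-0000-0000000000b1", "displayName": "tf-2025-09",
       "startDateTime": "2025-09-15T00:00:00Z", "endDateTime": "2026-09-15T00:00:00Z"},
      {"keyId": "00000000-0000-0000-0000-0000000000b0", "displayName": "tf-2025-03",
       "startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2026-03-01T00:00:00Z"}
    ]""",
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps az prints (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(credentials: List[dict], now: datetime) -> dict:
    """Classify one SPN's secrets as expired / rotate_soon / ok and detect leftovers."""
    active = [c for c in credentials if parse_ts(c["endDateTime"]) > now]
    if not active:
        return {"status": "expired", "days_left": 0, "active_secrets": 0,
                "superseded_present": False, "newest_key_id": None}
    newest = max(active, key=lambda c: parse_ts(c["endDateTime"]))
    days_left = (parse_ts(newest["endDateTime"]) - now).days
    return {
        "status": "rotate_soon" if days_left <= ROTATE_WITHIN_DAYS else "ok",
        "days_left": days_left,
        "active_secrets": len(active),
        # Two unexpired secrets means the old one was never deleted (step 5 skipped).
        "superseded_present": len(active) > 1,
        "newest_key_id": newest["keyId"],
    }


def run_report(now_iso: str, raw_output: Dict[str, str] = SAMPLE_AZ_OUTPUT) -> Dict[str, dict]:
    """Assess every SPN in raw_output as of the given UTC timestamp."""
    now = parse_ts(now_iso)
    return {spn: assess(json.loads(raw), now) for spn, raw in raw_output.items()}


if __name__ == "__main__":
    # Fixed reference date keeps the sample reproducible; for a live check use
    # datetime.now(timezone.utc).isoformat() and feed real az output instead.
    for spn, r in run_report("2025-12-20T00:00:00Z").items():
        flag = "  <- old secret still present, finish step 5" if r["superseded_present"] else ""
        print(f"{spn}: {r['status']} ({r['days_left']} days left){flag}")
```

Against the constructed sample, `sp-fabric-data-worker` comes back `rotate_soon` with 21 days left and `sp-fabric-platform-admin` comes back `ok` but with a superseded secret still present. Running this from the security pipeline turns the reminder into a check that fails loudly before `fabric-ci-service-connection` does.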
Service Connection
| Service Connection | Backed by | Pipelines Authorized | Purpose |
|---|---|---|---|
| fabric-ci-service-connection | sp-fabric-data-worker | All pipelines | dbt builds, terraform apply, manifest upload, security scripts, fabric-cicd |
To verify service connection health:
- Azure DevOps > Project Settings > Service connections
- Click `fabric-ci-service-connection` > Verify
- If verification fails, check: SPN secret expiry, SPN permissions in Entra ID, Fabric tenant SPN API access setting
Related Pages
- RBAC Architecture -- 7-layer security overview
- Workspace Roles -- per-workspace role matrix
- Pipeline Architecture -- how pipelines authenticate