How do I avoid Backstage plugin hell?

Freeze to a minimal plugin set, upgrade quarterly, and treat plugins like dependencies with owners and SLAs. Default to official/maintained plugins. If a plugin isn’t proving value in 30 days, remove it.

What if teams refuse the paved road?

Offer an escape hatch with documented support boundaries. Make the paved road faster and safer (fewer approvals, fewer outages). Most teams will self-select into less friction.

Can I do this without Kubernetes?

Yes. Swap ArgoCD for ECS CodeDeploy or Cloud Run + Terraform. The paved-road pattern—templates, workflows, modules—still applies.

What about secrets and auth?

Use cloud-native managers (AWS Secrets Manager, GCP Secret Manager) and inject at runtime. Authenticate CI with OIDC and short-lived tokens—no static keys. Bake secret rotation actions into the portal.

In the repo. TechDocs/MkDocs for service docs, linked from the catalog. No separate wiki for operational docs—keep it near the code and the people who own it.

Platform-productivity · Oct 27, 2025 · 10 minute read

Stop Building a Portal. Build a Paved Road.

Internal developer portals are only valuable when they unlock self-service on the paved road. Here’s the playbook we use to ship it in two weeks—without inventing bespoke tooling you’ll regret.

Back to all posts

Stop Building a Portal. Build a Paved Road.

Key takeaways

Implementation checklist