Resolving "incompatible issuer" error when enabling stack activators with Terraform
Last updated: December 19, 2025
When using Terraform to manage Spacelift stack activators, you may encounter an "incompatible issuer" error when trying to enable a stack (setting enabled = false → true). This error occurs because enabling a stack activator requires higher privileges than what's available to the standard job token used in Administrative workflows.
Why this error occurs
When Terraform runs inside an Administrative stack, it uses a short-lived job token issued by Spacelift. While this token can perform most provider operations, certain higher-privilege actions like enabling a stack activator require a stronger issuer type - either a user session or an API key.
This is a deliberate security measure, since enabling a stack can immediately trigger code execution and provide access to attached contexts or credentials.
What operations are affected
The restriction only applies to:
Enabling a stack activator (
enabled = false → true)
These operations continue to work with the standard job token:
Creating new stack activators
Disabling stack activators (
enabled = true → false)Leaving activators disabled
All other Spacelift provider operations
Recommended approach
You can enable stacks manually through the Spacelift UI, which uses a user session and has the necessary privileges to perform this operation.
Workaround using API keys
If you need to enable stack activators via Terraform, you can work around this limitation by using API key authentication:
Create an API key with appropriate permissions
Use a Context at the Space or organization level to provide:
TF_VAR_api_key_idTF_VAR_api_key_secret(write-only)
Configure your Terraform provider to use these credentials when needed
This approach securely injects the API key values into your Administrative stack, allowing Terraform to authenticate with an API-key issuer for enabling stack activators, while the rest of your workflow continues using the standard job token.