Context

When trying to create child spaces using a non-root API key with administrative permissions on a parent space, users may encounter authorization errors. This is related to specific requirements around space creation and login policy configuration.

Answer

To create spaces using a non-root API key, follow these steps:

Using the organization-level toggle

1. Navigate to Organization Settings → Access Control Center → Spaces and enable:

“Allow space admins to create and edit child spaces”

2. Create or select the parent Space.

3. Create an API key inside that Space and assign it the Space Admin role.

4. Use the API key to create a child Space (via API or Terraform).

Example (Terraform):

resource "spacelift_space" "child" {
  name            = "child-space"
  parent_space_id = spacelift_space.parent.id
  inherit_entities = true
}

If your organization uses Login Policy management (rather than User Management), you'll need to add the following to your login policy to grant the necessary permissions to your API key:

package spacelift

allow {    
    input.session.login == "api::your-api-key-id"  
} 

space_read["your-space-id"] {      
    input.session.login == "api::your-api-key-id"  
}

space_write["your-space-id"] {      
    input.session.login == "api::your-api-key-id"  
}

space_admin["your-space-id"] {
    input.session.login == "api::your-api-key-id" 
}

Replace "your-api-key-id" with your actual API key ID and "your-space-id" with your space ID.