Macaroon-permission-required: Permission "channel" is required as a macaroon caveat

BlenderRelease · February 5, 2021, 1:09pm

Hi,

Started to have these issues yesterday. This used to work fine until now.

macaroon-permission-required: Permission "channel" is required as a macaroon caveat

I regen the creds file and various values for channel.

snapcraft export-login --snaps app --channels edge,beta,candidate --acls package_upload

The upload will now fail 100% with the creds login.
However, if I login with no cred file, it works fine.

Also tried creds file with no spec of channels, just upload acl, this worked fine.

snapcraft export-login --snaps app --acls package_upload

however, after it “released” it the command gave me this error

Revision 78 of 'app' created.
Could not retrieve information for 'app'.

Version

snapcraft, version 4.4.4

NOTE:
Something broke 2 days ago with multipass when building the app. Had to reinstall. Not sure if this is relevant.

iconloop · August 26, 2021, 6:15pm

Hi~

I faced same issue like you. How did you resolve the problem?

I tried to upload by github-action

snapcore/action-publish@v1

lucyllewy · August 26, 2021, 11:07pm

To upload and release a snap with an offline macaroon you need to request the following permissions with the --acls flag (according to snapcore/action-publish: A Github action for publishing snaps):

package_access,package_push,package_update,package_release

iconloop · August 27, 2021, 12:16am

command to generate credential for upload to edge channel:

$ snapcraft export-login --expires="2023-08-27T00:00:00" --snaps loopchain --channels edge snap.login

I generate credentials without --acls options, these permissions capabilities:

snaps:       ['loopchain']
channels:    ['edge']
permissions: ['package_access', 'package_manage', 'package_metrics', 'package_push', 'package_register', 'package_release', 'package_update']

github-action logs:

/snap/bin/snapcraft upload loopchain_20210826.0.dev_amd64.snap --release edge/20210826.0.dev
Preparing to upload 'loopchain_20210826.0.dev_amd64.snap'.
After uploading, the resulting snap revision will be released to 'edge/20210826.0.dev' when it passes the Snap Store review.
Install the review-tools from the Snap Store for enhanced checks before uploading this snap.
Pushing 'loopchain_20210826.0.dev_amd64.snap' [                          ]   0%
...push progressing...
Pushing 'loopchain_20210826.0.dev_amd64.snap' [==========================] 100%
Received:
- macaroon-permission-required: Permission "channel" is required as a macaroon caveat.
/snap/bin/snapcraft logout
Credentials cleared.
Error: The process '/snap/bin/snapcraft' failed with exit code 2

iconloop · August 27, 2021, 12:55am

It works fine with credential without --channel options.

snaps:       ['loopchain']
channels:    No restriction
permissions: ['package_access', 'package_manage', 'package_metrics', 'package_push', 'package_register', 'package_release', 'package_update']

I don’t know why restricted channel failed to upload.

jamesh · August 27, 2021, 5:02am

Does the auth token work if you try to release to edge rather than edge/20210826.0.dev? I wonder if this is just a bad error message from the store that should read something like "channel" caveat prevents release to channel "edge/20210826.0.dev".

It’s probably possible to create a macaroon that allows you to release to a branch, but that’s not really going to help if you’re creating date stamped branch names. What you’re probably after is some kind of wildcard matching, and I’ve got no idea whether the store supports that. You could try adding edge/* to the allowed channels list in your auth token, but I’ve got no idea whether it’d actually work.

iconloop · September 29, 2021, 2:46am

Sorry for reply late.

Does the auth token work if you try to release to edge rather than edge/20210826.0.dev ?

It works fine.

You could try adding edge/* to the allowed channels list in your auth token, but I’ve got no idea whether it’d actually work.

It works fine too. But, failed on edge.

When add edge* to allowed channels, it works to upload edge and edge/my-branch-name.

Thank you.

jamesh · September 29, 2021, 5:19am

You could probably also restrict the exported login to channels edge,edge/*, which would be a little more exact. In practice it shouldn’t matter as it seems highly unlikely that a new risk name will be introduced that starts with “edge”.

iconloop · September 29, 2021, 7:04am

@jamesh

I had try to add multiple channels as edge edge/*.

Thank you for your more exact suggestion.