Snapcraft export-login has a default expiration


Yesterday the CircleCI CLI snap stopped auto publishing from our builds. Today I discovered that when creating an auth file with snapcraft export-login, it has a default expiration time of 1 year. This tripped me up a little bit.

Where should I document this information?

Will a PR to snapcraft updating the help text to include this work? Somewhere else?

That would be much appreciated, thank you!

@cprov is 1 year still the max time possible?

Will do.

No. I just created one that’s good for 3 years. I haven’t tested what the max might be,

@kyrofa at moment, even if one specifies a large expiration date on the root macaroon (dashboard), the discharge (from SSO) will limit it to one year validity:

$ snapcraft export-login --expires="2048-01-01T00:00:00" exported-long
[snip ...]
expires:     2020-02-29T22:20:07.149124

which is effectively the same as not specifying any expiration:

snapcraft export-login exported-long
[snip ...]
expires:     2020-02-29T22:27:39.757243

i.e. expires only makes sense between now and now + 1y

Remembering the discharge will require daily auto-refreshes, which stop work if the SSO account password has changed or if the expiration date has elapsed.

I set mine for 3 years and the command output show’d that it was three years. Was that incorrect then?

@FelicianoTech there was a recent change in the macaroon generator endpoint to allow longer (or no) expiration time, but it depends on the permissions involved. The API documentation will be updated soon.

Briefly, some permissions, if used, will force limited expiration. They are: edit_account, modify_account_key, package_access, package_purchase, store_admin and store_review

In the case of default export-login permissions, package_access forces 1y expiration. If you specify a set of permissions not involving the ones mentioned above, you can obtain a macaroon with longer (or no) expiration, which seems to be your case.

1 Like

Thanks for the information.

Wanted to make a suggestion for a smaller change. I hit this with my token expiring today, but I found the error given back from the snap login was confusing - as a result it took me a good chunk of time to work out this was an issue with the token.

I got the error Error fetching account information from store: The request is missing an Authorization header field containing a valid macaroon

Would it be possible for the server to respond with something like Authorization token no longer valid, may have expired?

I think it that threw me was calling it a macaroon and having no reference to why it’s no longer valid, given I’d no idea the exported creds expired by default this was a double whammy.