Yesterday the CircleCI CLI snap stopped auto publishing from our builds. Today I discovered that when creating an auth file with snapcraft export-login, it has a default expiration time of 1 year. This tripped me up a little bit.
Where should I document this information?
Will a PR to snapcraft updating the help text to include this work? Somewhere else?
That would be much appreciated, thank you!
@cprov is 1 year still the max time possible?
No. I just created one that’s good for 3 years. I haven’t tested what the max might be.
@kyrofa at the moment, even if one specifies a large expiration date on the root macaroon (dashboard), the discharge (from SSO) will limit it to one year validity:
$ snapcraft export-login --expires="2048-01-01T00:00:00" exported-long
which is effectively the same as not specifying any expiration:
snapcraft export-login exported-long
expires only makes sense between
now + 1y
Remembering the discharge will require daily auto-refreshes, which stop working if the SSO account password has changed or if the expiration date has elapsed.
I set mine for 3 years and the command output showed that it was three years. Was that incorrect then?
@FelicianoTech there was a recent change in the macaroon generator endpoint to allow longer (or no) expiration time, but it depends on the permissions involved. The API documentation will be updated soon.
Briefly, some permissions, if used, will force limited expiration. They are:
edit_account, modify_account_key, package_access, package_purchase, store_admin and store_review
In the case of default
package_access forces 1y expiration. If you specify a set of permissions not involving the ones mentioned above, you can obtain a macaroon with longer (or no) expiration, which seems to be your case.
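The permission rule described in the post above, turned into a rotation check a CI pipeline could run, as an added example that is not snapcraft or store code. It assumes "1y" means 365 days; the function names, the 30-day warning window and the sample permissions `package_push` and `package_release` are illustrative choices, and the dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Permissions that, per the post above, force a limited expiration.
LIMITED_EXPIRY_PERMISSIONS = frozenset({
    "edit_account", "modify_account_key", "package_access",
    "package_purchase", "store_admin", "store_review",
})
# Assumption: "1y" is modelled as 365 days from the time of export.
FORCED_LIFETIME = timedelta(days=365)


def effective_expiry(permissions, issued_at, requested_expires=None):
    """Return the expiry to plan for, or None if the credential need not expire."""
    if not LIMITED_EXPIRY_PERMISSIONS & set(permissions):
        # No limiting permission involved: the requested value (or none) stands.
        return requested_expires
    cap = issued_at + FORCED_LIFETIME
    if requested_expires is None:
        return cap
    # A shorter request is honoured, a longer one is cut back to the cap.
    return min(requested_expires, cap)


def rotation_status(permissions, issued_at, now, requested_expires=None,
                    warn_days=30):
    """Classify a credential as 'ok', 'rotate-soon' or 'expired'."""
    expiry = effective_expiry(permissions, issued_at, requested_expires)
    if expiry is None:
        return "ok", None
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired", expiry
    if remaining <= timedelta(days=warn_days):
        return "rotate-soon", expiry
    return "ok", expiry


if __name__ == "__main__":
    # Constructed sample: exported on 2018-03-01 with --expires far in the future.
    issued = datetime(2018, 3, 1, tzinfo=timezone.utc)
    asked = datetime(2048, 1, 1, tzinfo=timezone.utc)
    today = datetime(2019, 2, 15, tzinfo=timezone.utc)
    for perms in (["package_access", "package_push"],
                  ["package_push", "package_release"]):
        status, expiry = rotation_status(perms, issued, today, asked)
        print(perms, "->", status, expiry)
```

Recording the export date next to the CI secret gives a check like this the `issued_at` value it needs, so the pipeline can warn before publishing stops.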
Thanks for the information.
Wanted to make a suggestion for a smaller change. I hit this with my token expiring today, but I found the error given back from the snap login was confusing - as a result it took me a good chunk of time to work out this was an issue with the token.
I got the error
Error fetching account information from store: The request is missing an Authorization header field containing a valid macaroon
Would it be possible for the server to respond with something like "Authorization token no longer valid, may have expired"?
I think what threw me was calling it a macaroon and having no reference to why it’s no longer valid. Given I’d no idea the exported creds expired by default, this was a double whammy.