Why can my snap not create files with layout and system-files plug?

I have a snap with the following layout:

layout:
  /var/lib/aziot:
    symlink: $SNAP_COMMON/var/lib/aziot
  /var/lib/iotedge:
    symlink: $SNAP_COMMON/var/lib/iotedge
  /var/sockets/aziot:
    symlink: $SNAP_COMMON/shared/sockets/aziot
  /var/secrets/aziot:
    symlink: $SNAP_COMMON/shared/secrets/aziot
  /etc/aziot:
    symlink: $SNAP_COMMON/shared/config/aziot
  /usr/libexec/aziot/aziot-edged:
    symlink: $SNAP/usr/libexec/aziot/aziot-edged
  /etc/docker/daemon.json:
    symlink: $SNAP/docker/config/daemon.json

and plugs:

plugs:
  ...
  run-iotedge:
    interface: system-files
    write:
      - /var/run/iotedge
      - /run/iotedge
      - /etc/aziot

and app definition:

apps:
  ...
  iotedge:
    command: usr/bin/iotedge
    plugs:
      - docker
      - identity-service
      - home
      - log-observe
      - mount-observe
      - network
      - system-observe
      - run-iotedge

In the install script I create the <target-path> directory that /etc/aziot is mapped to in the layout:

#!/bin/bash
# install hook: create the directory that backs /etc/aziot in the layout
set -eux
# send stdout and stderr to the journal, tagged with the snap instance and hook name
exec 1> >(logger -s -t "$SNAP_INSTANCE_NAME.$(basename "$0")") 2>&1

mkdir -p "$SNAP_COMMON/shared/config/aziot/certd/config.d"

I connected the file-related interfaces of the snap:

~/iotedge$ snap connections azure-iot-edge
Interface         Plug                                 Slot               Notes
content           azure-iot-edge:aziotctl-executables  -                  -
content           azure-iot-edge:docker-executables    -                  -
content           azure-iot-edge:identity-service      -                  -
docker            azure-iot-edge:docker                -                  -
home              azure-iot-edge:home                  :home              -
hostname-control  azure-iot-edge:hostname-control      :hostname-control  manual
log-observe       azure-iot-edge:log-observe           :log-observe       manual
mount-observe     azure-iot-edge:mount-observe         :mount-observe     manual
network           azure-iot-edge:network               :network           -
network-bind      azure-iot-edge:network-bind          :network-bind      -
system-files      azure-iot-edge:run-iotedge           :system-files      manual
system-observe    azure-iot-edge:system-observe        :system-observe    manual

When I run my app, it tries to create a file in /etc/aziot, but this fails with permission denied:

Command failed: could not create /etc/aziot/config.toml

Caused by:
    Permission denied (os error 13)

Do I have to do any extra actions to give the snap permission?

The full snapcraft.yaml: https://github.com/Azure/iotedge/blob/feature/snapping/snap/snapcraft.yaml

I’m using snapcraft 8.0.1

Try switching the layout away from “symlink” and make it “bind” …

So, I think I found the reasons for the permission errors and missing files when working on this snap. Namely, its file structure is provided by another snap: azure-iot-identity.

The file structures are connected by a content interface; there was another plug in the iotedge snapcraft.yaml:

  identity-service:
    interface: content
    content: aziot-identity-service
    target: $SNAP_COMMON

And the folders symlinked to in our layout are actually created by the azure-iot-identity snap, which provides the slot:

  identity-service:
    interface: content
    content: aziot-identity-service
    source:
      write: [ $SNAP_DATA/shared ]

In the install stage of azure-iot-identity the folder structure is created (and through the content interface this folder structure is then provided under $SNAP_COMMON in azure-iot-edge):

mkdir -p $SNAP_DATA/shared/{secrets,sockets}/aziot
mkdir -p $SNAP_DATA/shared/config/aziot/{keyd,certd,identityd,tpmd}/config.d
mkdir -p $SNAP_DATA/var/lib/{aziot/{keyd,certd,identityd,tpmd},tpm}
mkdir -p $SNAP_COMMON/libaziot_keys_homedir

When debugging I found either missing paths or missing permissions. I cannot remember all the errors exactly, but since I connected the interfaces and reverted all my install and config changes, things seem to work as intended.

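The two findings in this thread (the question's "Permission denied" on /etc/aziot, and the later discovery that the directories come from another snap over an unconnected content interface) are exactly the two things worth checking first. The script below is an added diagnostic written for this page; it is not code from the post or from the iotedge project. It parses the `snap connections` output quoted in the question above (embedded here as sample input so it runs offline) to list plugs with no slot, and when run inside the snap's confinement (for example via `snap run --shell azure-iot-edge.iotedge`) it probes each layout destination and reports whether the path is missing, a dangling symlink, or present but not writable. The list of paths probed is taken from the layout in the question; the `probe_dir` and `unconnected_plugs` helper names are this example's own.

```shell
#!/bin/sh
# Added diagnostic for snap layout / content-interface problems.
# Not from the original post or the iotedge project.

# Sample input: the `snap connections azure-iot-edge` output quoted in the
# question above, embedded so this script runs offline. Slot "-" means the
# plug is not connected to anything.
SAMPLE_CONNECTIONS='Interface         Plug                                 Slot               Notes
content           azure-iot-edge:aziotctl-executables  -                  -
content           azure-iot-edge:docker-executables    -                  -
content           azure-iot-edge:identity-service      -                  -
docker            azure-iot-edge:docker                -                  -
home              azure-iot-edge:home                  :home              -
network           azure-iot-edge:network               :network           -
system-files      azure-iot-edge:run-iotedge           :system-files      manual'

# Print the Plug column of every row whose Slot column is "-".
# Usage: snap connections <snap> | unconnected_plugs
unconnected_plugs() {
    awk 'NR > 1 && $3 == "-" { print $2 }'
}

# Classify a directory the app expects to write into:
#   missing  - nothing exists there (e.g. the provider snap is not connected,
#              so the content interface never populated $SNAP_COMMON)
#   dangling - a symlink (such as a layout symlink) whose target does not exist
#   notadir  - something exists there but it is not a directory
#   denied   - the directory exists but a file cannot be created in it
#              (AppArmor denial or plain Unix permissions)
#   ok       - a file can be created and removed there
probe_dir() {
    dir=$1
    if [ -L "$dir" ] && [ ! -e "$dir" ]; then
        echo dangling; return 0
    fi
    if [ ! -e "$dir" ]; then
        echo missing; return 0
    fi
    if [ ! -d "$dir" ]; then
        echo notadir; return 0
    fi
    probe="$dir/.probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        echo ok
    else
        echo denied
    fi
}

main() {
    if [ -n "${SNAP_COMMON:-}" ]; then
        # Inside the snap: probe the layout destinations from the question and
        # the content-interface target they are symlinked to.
        for d in /etc/aziot /var/lib/aziot /var/lib/iotedge \
                 /var/sockets/aziot /var/secrets/aziot \
                 "$SNAP_COMMON/shared/config/aziot"; do
            printf '%-45s %s\n' "$d" "$(probe_dir "$d")"
        done
    else
        # Outside the snap: show which plugs in the sample output are unconnected.
        echo "Unconnected plugs in the sample output:"
        printf '%s\n' "$SAMPLE_CONNECTIONS" | unconnected_plugs
    fi
}

main
```

On the sample from the question the script lists all three content plugs (including identity-service) and the docker plug as unconnected, which is why the directories the layout points at were missing. Assuming the provider snap is named azure-iot-identity and its slot is identity-service as shown in the answer, the connection is `sudo snap connect azure-iot-edge:identity-service azure-iot-identity:identity-service`. A `denied` result inside the snap, as opposed to `missing`, is usually an AppArmor denial and will show up as an `apparmor="DENIED"` line in `journalctl -k`.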