Deployment issue. "Authorization failed: Principal has insufficient permissions"

CoreyMosley · August 23, 2023, 7:16pm

For context, I have an application deployed to production as internal beta and my development instance which I am iterating development on. Seemingly out of nowhere there is a regression on my ability to make deployments. In the past, I’ve circumvented this by removing the production deployment and that seems to “reset” something and allow me to deploy to development again.

This time, I have been able to keep the internal beta in production and make deployments to development for the last 24 hours no problem. Now I come back from lunch and the problem occurs again. I can no longer make any deployments via “forge deploy” or “forge deploy -e development”.

Here is the error I am recieving:

Error: Server error: [
    {
        "message": "Authorization failed: Principal has insufficient permissions",
        "locations": [],
        "path": [
            "appInstallationsByEnvironment"
        ],
        "extensions": {
            "errorSource": "UNDERLYING_SERVICE",
            "errorType": "PERMISSION_DENIED",
            "statusCode": 403,
            "classification": "DataFetchingException"
        }
    }
], requestId=b122e8c3171fef7f

GeorgeZhao · August 25, 2023, 4:07am

Hi Corey,

Seemingly out of nowhere there is a regression on my ability to make deployments. In the past, I’ve circumvented this by removing the production deployment and that seems to “reset” something and allow me to deploy to development again.

Do you mean you have 2 instances and you are unable to install an app to the development instance when it’s already installed in the production instance?

Also, I am unable to pull out the logs for the request ID given. Could you try again and give me the new trace ID? And can you send me the app ID if possible?

CoreyMosley · August 25, 2023, 3:20pm

Yes, we have 2 instances. One is our “sandbox” instance for development testing and the other is our production instance.

I am able to install anywhere. The problem is that I receive this error when I attempt to deploy changes to development while installed on production.

Here is a new requestId and error from a development deployment attempt while installed in production. Also, the appId. Thanks for the help!

Error: Server error: [
    {
        "message": "Authorization failed: Principal has insufficient permissions",
        "locations": [],
        "path": [
            "appInstallationsByEnvironment"
        ],
        "extensions": {
            "errorSource": "UNDERLYING_SERVICE",
            "errorType": "PERMISSION_DENIED",
            "statusCode": 403,
            "classification": "DataFetchingException"
        }
    }
], requestId=ab88133e848f895a

App ID: 30405e71-60f4-4906-bdd5-d4a638beae68

SapanGupta · August 28, 2023, 3:24am

Hi Corey,
Thanks a lot for providing the new requestId as well as application details, this has been useful.
I’ve verified that the permissions on our side are correct, however, the version of forge-cli you’re using is very old (4.5.x), which contain some API calls that won’t work for your scenario.
Can you please try upgrading cli version (refer https://developer.atlassian.com/platform/forge/cli-reference/#upgrading for instructions). If you check the version after upgrading, it should be 6.x.y.

Please let me know if this doesn’t work for you.

CoreyMosley · August 28, 2023, 3:02pm

Correct. I am using a older version of forge CLI. I had errors trying to setup @latest.

EDIT:
This was caused by an internal blocker. We have fixed the blocker and now testing to see if the problem resolves in forge/cli@latest.

EDIT:
Upgrading to 6.x.x has created problem with the forge login command. I am getting errors with the lint command:

“Error: Keytar error detected: The name org.freedesktop.secrets was not provided by any .service files”

in CI/CD now and when I try to use the forge login command:

“Error: The CLI couldn’t securely store your login credentials in a local keychain. Ensure you have libsecret installed. If a local keychain is not available, use environment variables before trying again. See https://go.atlassian.com/dac/platform/forge/getting-started/#log-in-with-an-atlassian-api-token for more.”

npm WARN deprecated memfs@3.6.0: this will be v4
npm ERR! code 1
npm ERR! path /usr/local/lib/node_modules/@forge/cli/node_modules/ngrok
npm ERR! command failed
npm ERR! command sh -c node ./postinstall.js
npm ERR! ngrok - downloading binary https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.zip
npm ERR! ngrok - downloading progress:
npm ERR! ngrok - error downloading from URL RequestError: read ECONNRESET
npm ERR!     at ClientRequest.<anonymous> (/usr/local/lib/node_modules/@forge/cli/node_modules/got/dist/source/core/index.js:970:111)
npm ERR!     at Object.onceWrapper (node:events:628:26)
npm ERR!     at ClientRequest.emit (node:events:525:35)
npm ERR!     at origin.emit (/usr/local/lib/node_modules/@forge/cli/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)
npm ERR!     at TLSSocket.socketErrorListener (node:_http_client:502:9)
npm ERR!     at TLSSocket.emit (node:events:513:28)
npm ERR!     at emitErrorNT (node:internal/streams/destroy:151:8)
npm ERR!     at emitErrorCloseNT (node:internal/streams/destroy:116:3)
npm ERR!     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
npm ERR!     at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) {
npm ERR!   code: 'ECONNRESET',
npm ERR!   timings: {
npm ERR!     start: 1693234656817,
npm ERR!     socket: 1693234656820,
npm ERR!     lookup: 1693234656915,
npm ERR!     connect: 1693234656950,
npm ERR!     secureConnect: undefined,
npm ERR!     upload: undefined,
npm ERR!     response: undefined,
npm ERR!     end: undefined,
npm ERR!     error: 1693234656986,
npm ERR!     abort: undefined,
npm ERR!     phases: {
npm ERR!       wait: 3,
npm ERR!       dns: 95,
npm ERR!       tcp: 35,
npm ERR!       tls: undefined,
npm ERR!       request: undefined,
npm ERR!       firstByte: undefined,
npm ERR!       download: undefined,
npm ERR!       total: 169
npm ERR!     }
npm ERR!   }
npm ERR! }
npm ERR! ngrok - install failed, retrying
npm ERR! ngrok - downloading binary https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.zip
npm ERR! ngrok - downloading progress:
npm ERR! ngrok - error downloading from URL RequestError: read ECONNRESET
npm ERR!     at ClientRequest.<anonymous> (/usr/local/lib/node_modules/@forge/cli/node_modules/got/dist/source/core/index.js:970:111)
npm ERR!     at Object.onceWrapper (node:events:628:26)
npm ERR!     at ClientRequest.emit (node:events:525:35)
npm ERR!     at origin.emit (/usr/local/lib/node_modules/@forge/cli/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)
npm ERR!     at TLSSocket.socketErrorListener (node:_http_client:502:9)
npm ERR!     at TLSSocket.emit (node:events:513:28)
npm ERR!     at emitErrorNT (node:internal/streams/destroy:151:8)
npm ERR!     at emitErrorCloseNT (node:internal/streams/destroy:116:3)
npm ERR!     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
npm ERR!     at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) {
npm ERR!   code: 'ECONNRESET',
npm ERR!   timings: {
npm ERR!     start: 1693234657491,
npm ERR!     socket: 1693234657491,
npm ERR!     lookup: 1693234657492,
npm ERR!     connect: 1693234657525,
npm ERR!     secureConnect: undefined,
npm ERR!     upload: undefined,
npm ERR!     response: undefined,
npm ERR!     end: undefined,
npm ERR!     error: 1693234657559,
npm ERR!     abort: undefined,
npm ERR!     phases: {
npm ERR!       wait: 0,
npm ERR!       dns: 1,
npm ERR!       tcp: 33,
npm ERR!       tls: undefined,
npm ERR!       request: undefined,
npm ERR!       firstByte: undefined,
npm ERR!       download: undefined,
npm ERR!       total: 68
npm ERR!     }
npm ERR!   }
npm ERR! }

ibuchanan · August 28, 2023, 10:00pm

@CoreyMosley,

I think there were some login changes between 4.x and 6.x. To jump straight to the point, I think you’ll want to use the --non-interactive switch described for the login command, and set the env vars FORGE_EMAIL and FORGE_API_TOKEN. This should fix for both local dev & CI/CD.

For a bit more detail, check out the guide describing how to setup CI/CD with Forge:
https://developer.atlassian.com/platform/forge/set-up-cicd/