Sentry permission error

[ChristianVermeulen]

I have created a sentry_api_token through https://sentry.io/settings/account/api/auth-tokens/ with all possible permissions. Yet, we are still seeing the following permission problem.

WARN  Cannot notify sentry for new release. Response: "403": {"detail":"You do not have permission to perform this action."}

Could the repository be out of sync with Sentry api updates?

[burisu]

It works for us (we used it almost every day). A permission seems to be missing on your token. Did you add project:releases permission to your token?

[ChristianVermeulen]

It works for us (we used it almost every day). A permission seems to be missing on your token. Did you add project:releases permission to your token?

These are the permissions added on the token:

[burisu]

If you have added your token in config/deploy.rb (with set :sentry_api_token, '012...def'), I don't think that the problem comes from this gem. I checked Sentry API and the gem is on current version of Sentry API.

I found a page talking about 403 error on Sentry: https://sentry.zendesk.com/hc/en-us/articles/29148599669019-Sentry-is-not-available-seeing-403-Forbidden Do you think you are concerned by that?

[ChristianVermeulen]

Hmm, that is interesting! I can't imagine it being that though, since we run in AWS regions eu-central-1 (Frankfurt, Germany). I did a curl request to https://sentry.io to check and i'm not getting the 403. So I don't think we are falsely matched as russian ip.

This is weird though! I have also double checked it is a user token, and not an organisation / project token.

Is there any way I can enable some debugging output to see what calls are actually being done perhaps?

Thanks helping!

[ChristianVermeulen]

So I just did a quick test with the sentry api by running:

curl -H 'Authorization: Bearer XXX' https://sentry.io/api/0/organizations/XXX/projects/

And it works perfectly! So the api key and access seem to be fine 🤔.

[burisu]

There is no debugging output currently... Just in case, did you set :sentry_organization in your config/deploy.rb? It’s the last thing that could explain the issue. By default, :sentry_organization value is based on :application value, which can be different from your organization name on Sentry.

[ChristianVermeulen]

Yeah, i've checked those values as well.. I just did a manual post of a new release and it worked no problem as well. Now, to make it even more confusing, I just noticed the releases are actually present in Sentry!

So I did an isolated test of a new deploy, with a new release version, it gave me the 403 error in capistrano, but then I refresh the releases page in sentry and it was actually added!

Looking at the code in /lib/capistrano/tasks/sentry.rake L75 I do notice a second api call to also post the actual deploy. Both calls have the same error output, so it is hard to tell on which of the 2 calls we get the 403. In Sentry, there was only the release but not the deploy, so I assume it was the second call that failed.

I posted the deploy manually, and it worked and was then shown in sentry.

Could it be that the call to create the deploy happens too fast, so sentry has not actually finished creating the release yet? This would explain they 403 error in capistrano, but the release existing in sentry anyway.

[burisu]

I don't think that’s a concurrency issue. The initial error message you had (Cannot notify sentry for new release.) happens when the first request fails. You should have Cannot notify sentry for new deployment when deploy creation fails. It’s really confusing indeed, the error message you had "says" that authentication is good, but not authorization, but you added all the permission to the token... 🤯 On my side, I can reproduce the error only with a token without project:releases permission...