Cloud Manager Deployment Fails due to sling-distribution-importer permissions | AEM Cloud Service
During a Cloud Manager deployment on AEM as a Cloud Service environments the deploy step fails and errors like the ones below are observed.
[Queue Processor for Subscriber agent forwardPublisherSubscriber] org.apache.jackrabbit.vault.fs.io.Importer Error while committing changes. Retrying import from checkpoint at /. Retries 4/10 [Queue Processor for Subscriber agent forwardPublisherSubscriber] org.apache.sling.distribution.journal.impl.subscriber.DistributionSubscriber Error processing queue item org.apache.sling.distribution.common.DistributionException: Error processing distribution package dstrpck-1583514457813-c81e7751-2da6-4d00-9814-434187f08d32. Retry attempts 162/infinite. ... Caused by: org.apache.sling.api.resource.PersistenceException: Unable to commit changes to session. ... Caused by: javax.jcr.AccessDeniedException: OakAccess0000: Access denied [EventAdminAsyncThread #7] org.apache.sling.distribution.journal.impl.publisher.DistributionPublisher [null] Error processing distribution package dstrpck-1583514457813-c81e7751-2da6-4d00-9814-434187f08d32. Retry attempts 344/infinite. Message: Error trying to extract package at path /etc/packages/com.myapp/myapp-base.ui.content-5.1.0-SNAPSHOT.zip
The sling-distribution-importer user needs additional permissions per the content paths defined in the ui.content package. This usually means we need to add permissions for both /conf and /var.
The solution to this is to add a RepositoryInitializer OSGi configuration script to your apps deployment package to add ACLs for the sling-distribution-importer user.
In the example error above, the package myapp-base.ui.content-*.zip includes content under /conf and /var/workflow. In order for the deployment to not fail, we would need to add permissions for sling-distribution-importer under those paths.
Here's an example  of one such OSGi configuration that adds additional permissions for the sling-distribution-importer user. This configuration adds permissions under /var. This xml file below  needs to be added to the application package under /apps/myapp/config (where myapp is the folder where your application code is stored).