Macaroon Bakery
Bake custom lnd macaroons so every agent gets only the permissions it needs.
Never hand out admin.macaroon in production — bake a scoped one instead.
Quick Start
CODEBLOCK0
Docker
The litd container is auto-detected. You can also specify --container:
CODEBLOCK1
Remote Nodes
To bake macaroons on a remote lnd node, provide the connection credentials:
CODEBLOCK2
You need lncli installed locally and copies of the node's TLS cert and a macaroon
with macaroon:generate permission (typically admin.macaroon).
Preset Roles
| Role | What the agent can do | Cannot do |
|---|
| INLINECODE3 | Pay invoices, decode invoices, get node info | Create invoices, open channels, see balances |
| INLINECODE4 |
Create invoices, lookup invoices, get node info | Pay, open channels, see wallet balance |
|
read-only | Get info, balances, list channels/peers/payments | Pay, create invoices, open/close channels |
|
channel-admin | All of read-only + open/close channels, connect peers | Pay invoices, create invoices |
|
signer-only | Sign transactions, derive keys (for remote signer) | Everything else |
Baking Custom Macaroons
For permissions not covered by presets, bake a custom macaroon:
CODEBLOCK3
Discovering Permissions
CODEBLOCK4
Inspecting Macaroons
CODEBLOCK5
Signer Macaroon Scoping
When using the lightning-security-module skill, the credentials bundle includes
admin.macaroon by default. For production, bake a signing-only macaroon on the
signer machine:
CODEBLOCK6
Macaroon Rotation
Rotate macaroons regularly to limit the window if one is compromised:
CODEBLOCK7
Best Practices
- - One macaroon per agent role. Don't share macaroons between agents with
different responsibilities.
- - Never use admin.macaroon in production. It's the master key.
- Inspect before deploying. Always verify what a baked macaroon can do.
- Rotate on a schedule. Monthly for production, immediately if compromised.
- Scope signer macaroons too. The remote signer's credentials bundle should
use
signer-only, not
admin.
- - Store with 0600 permissions. Macaroons are bearer tokens — treat like passwords.
Common Permission URIs
| Permission | Description |
|---|
| INLINECODE12 | Node info (version, pubkey, sync status) |
| INLINECODE13 |
On-chain wallet balance |
|
uri:/lnrpc.Lightning/ChannelBalance | Lightning channel balance |
|
uri:/lnrpc.Lightning/ListChannels | List open channels |
|
uri:/lnrpc.Lightning/ListPeers | List connected peers |
|
uri:/lnrpc.Lightning/SendPaymentSync | Pay a Lightning invoice |
|
uri:/lnrpc.Lightning/DecodePayReq | Decode a BOLT11 invoice |
|
uri:/lnrpc.Lightning/AddInvoice | Create a Lightning invoice |
|
uri:/lnrpc.Lightning/LookupInvoice | Look up an invoice by hash |
|
uri:/lnrpc.Lightning/ListInvoices | List all invoices |
|
uri:/lnrpc.Lightning/ListPayments | List all payments |
|
uri:/lnrpc.Lightning/ConnectPeer | Connect to a peer |
|
uri:/lnrpc.Lightning/OpenChannelSync | Open a channel |
|
uri:/lnrpc.Lightning/CloseChannel | Close a channel |
|
uri:/signrpc.Signer/SignOutputRaw | Sign a transaction output |
|
uri:/signrpc.Signer/ComputeInputScript | Compute input script for signing |
|
uri:/signrpc.Signer/MuSig2Sign | MuSig2 signing |
|
uri:/walletrpc.WalletKit/DeriveKey | Derive a key |
|
uri:/walletrpc.WalletKit/DeriveNextKey | Derive next key in sequence |
Macaroon 面包坊
烘焙自定义的 lnd macaroon,让每个代理只获得其所需的权限。
在生产环境中切勿分发 admin.macaroon——请烘焙一个限定范围的 macaroon。
快速开始
bash
烘焙一个仅支付 macaroon
skills/macaroon-bakery/scripts/bake.sh --role pay-only
烘焙一个仅发票 macaroon
skills/macaroon-bakery/scripts/bake.sh --role invoice-only
烘焙一个只读 macaroon
skills/macaroon-bakery/scripts/bake.sh --role read-only
检查任意 macaroon
skills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
列出所有可用的 lnd 权限
skills/macaroon-bakery/scripts/bake.sh --list-permissions
Docker
litd 容器会自动检测。你也可以指定 --container:
bash
自动检测 litd 容器(默认)
skills/macaroon-bakery/scripts/bake.sh --role pay-only
显式指定容器
skills/macaroon-bakery/scripts/bake.sh --role pay-only --container litd
检查容器内的 macaroon
skills/macaroon-bakery/scripts/bake.sh --inspect /root/.lnd/data/chain/bitcoin/testnet/admin.macaroon --container litd
远程节点
要在远程 lnd 节点上烘焙 macaroon,请提供连接凭据:
bash
在远程节点上烘焙仅支付 macaroon
skills/macaroon-bakery/scripts/bake.sh --role pay-only \
--rpcserver remote-host:10009 \
--tlscertpath ~/remote-tls.cert \
--macaroonpath ~/remote-admin.macaroon \
--save-to ~/remote-pay-only.macaroon
你需要在本地安装 lncli,并拥有该节点的 TLS 证书副本以及具有 macaroon:generate 权限的 macaroon(通常是 admin.macaroon)。
预设角色
| 角色 | 代理可以做什么 | 不能做什么 |
|---|
| pay-only | 支付发票、解码发票、获取节点信息 | 创建发票、打开通道、查看余额 |
| invoice-only |
创建发票、查询发票、获取节点信息 | 支付、打开通道、查看钱包余额 |
| read-only | 获取信息、余额、列出通道/对等节点/支付 | 支付、创建发票、打开/关闭通道 |
| channel-admin | 所有只读权限 + 打开/关闭通道、连接对等节点 | 支付发票、创建发票 |
| signer-only | 签署交易、派生密钥(用于远程签名器) | 其他所有操作 |
烘焙自定义 Macaroon
对于预设角色未覆盖的权限,请烘焙自定义 macaroon:
bash
自定义:代理只能支付和检查钱包余额
skills/macaroon-bakery/scripts/bake.sh --custom \
uri:/lnrpc.Lightning/SendPaymentSync \
uri:/lnrpc.Lightning/DecodePayReq \
uri:/lnrpc.Lightning/WalletBalance \
uri:/lnrpc.Lightning/GetInfo
自定义并指定输出路径
skills/macaroon-bakery/scripts/bake.sh --custom \
uri:/lnrpc.Lightning/AddInvoice \
uri:/lnrpc.Lightning/GetInfo \
--save-to ~/my-agent.macaroon
发现权限
bash
列出所有可用的 URI 权限
skills/macaroon-bakery/scripts/bake.sh --list-permissions
过滤特定服务
skills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i invoice
过滤路由相关权限
skills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i router
检查 Macaroon
bash
查看 macaroon 具有哪些权限
skills/macaroon-bakery/scripts/bake.sh --inspect
检查 admin macaroon 以查看完整权限
skills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
签名器 Macaroon 范围限定
使用 lightning-security-module 技能时,凭据包默认包含 admin.macaroon。对于生产环境,请在签名器机器上烘焙一个仅签名 macaroon:
bash
在签名器容器上
skills/macaroon-bakery/scripts/bake.sh --role signer-only \
--container litd-signer --rpc-port 10012
或在原生签名器上
skills/macaroon-bakery/scripts/bake.sh --role signer-only \
--rpc-port 10012 --lnddir ~/.lnd-signer
然后使用限定范围的 macaroon 重新导出凭据包
Macaroon 轮换
定期轮换 macaroon 以限制被攻破后的影响窗口:
bash
1. 使用相同角色烘焙新的 macaroon
skills/macaroon-bakery/scripts/bake.sh --role pay-only --save-to ~/pay-only-v2.macaroon
2. 更新代理配置以使用新的 macaroon
3. 删除旧 macaroon 的根密钥(使其失效)
skills/lnd/scripts/lncli.sh bakemacaroon --rootkeyid 0
注意:使用 lncli listmacaroonids 和 deletemacaroonid 进行精细控制
最佳实践
- - 每个代理角色使用一个 macaroon。 不要在不同职责的代理之间共享 macaroon。
- 切勿在生产环境中使用 admin.macaroon。 它是主密钥。
- 部署前进行检查。 始终验证烘焙的 macaroon 能做什么。
- 按计划轮换。 生产环境每月一次,被攻破时立即轮换。
- 也限定签名器 macaroon 的范围。 远程签名器的凭据包应使用 signer-only,而不是 admin。
- 以 0600 权限存储。 Macaroon 是持有者令牌——像密码一样对待。
常见权限 URI
| 权限 | 描述 |
|---|
| uri:/lnrpc.Lightning/GetInfo | 节点信息(版本、公钥、同步状态) |
| uri:/lnrpc.Lightning/WalletBalance |
链上钱包余额 |
| uri:/lnrpc.Lightning/ChannelBalance | 闪电通道余额 |
| uri:/lnrpc.Lightning/ListChannels | 列出打开的通道 |
| uri:/lnrpc.Lightning/ListPeers | 列出连接的对等节点 |
| uri:/lnrpc.Lightning/SendPaymentSync | 支付闪电发票 |
| uri:/lnrpc.Lightning/DecodePayReq | 解码 BOLT11 发票 |
| uri:/lnrpc.Lightning/AddInvoice | 创建闪电发票 |
| uri:/lnrpc.Lightning/LookupInvoice | 按哈希查询发票 |
| uri:/lnrpc.Lightning/ListInvoices | 列出所有发票 |
| uri:/lnrpc.Lightning/ListPayments | 列出所有支付 |
| uri:/lnrpc.Lightning/ConnectPeer | 连接对等节点 |
| uri:/lnrpc.Lightning/OpenChannelSync | 打开通道 |
| uri:/lnrpc.Lightning/CloseChannel | 关闭通道 |
| uri:/signrpc.Signer/SignOutputRaw | 签署交易输出 |
| uri:/signrpc.Signer/ComputeInputScript | 计算用于签名的输入脚本 |
| uri:/signrpc.Signer/MuSig2Sign | MuSig2 签名 |
| uri:/walletrpc.WalletKit/DeriveKey | 派生密钥 |
| uri:/walletrpc.WalletKit/DeriveNextKey | 派生序列中的下一个密钥 |
