Checking the ubiquity container was the key for me. Check the documentation for url(forUbiquityContainerIdentifier: containerIdentifier), and it lets you know it is required for permissions. That probably shouldn't be buried in that piece of documentation!