FASTLANE_SESSION Issue

[gregorskii]

Reading: https://discuss.bitrise.io/t/bitrise-repeatedly-asking-2factor-authentication-on-fastlane-actions/13992

It appears this step has an issue consuming the FASTLANE_SESSION.

Can anyone explain if this step does actually have an issue with this session?

I see in my job output that the session is set:

Connected Apple Developer Portal Account found, exposing FASTLANE_SESSION env var
Session exported

But when it gets to the login step it asks for the phone number anyways:

Two-factor Authentication (6 digits code) is enabled for account 'ACCOUNT'
More information about Two-factor Authentication: https://support.apple.com/en-us/HT204915

If you're running this in a non-interactive session (e.g. server or CI)
check out https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification

Please select a trusted phone number to send code to:

We cannot use app specific or JWT passwords in our case, we have to be able to rely on this method of auth even if it means our team has to keep updating and fixing the 2fa expirey.

Any help would be appreciated in understanding if this task can work.

We have the scripts necessary to run fastlane without this step but I believe at that point we won't be able to rely on the Bitrise stored Apple Accounts, or can we?

Thanks.

[gregorskii]

Followup question, what if you have multiple apple developer accounts in bitrise, what is the basic logic used to pick the correct one? Does it have it, or does it assume there is only one developer account?

If I needed to run fastlane manually, how do you access the developer accounts stored in the bitrise apple developer account UI? Can you?

We do not want to have to manually manage the SESSION values as we have multiple accounts in a multi-tenant environment.

[bitce]

Hi @gregorskii,

FASTLANE_SESSION is indeed not exported properly, despite the logs stating that it is. This is a bug that is currently under investigation at the time of me typing this, so not the expected behaviour.

The workaround is to provide the variable manually, and use a Script step to launch your fastlane, instead of the Fastlane step. I can see why this is suboptimal especially in the case of managing multiple environments - but just to clarify - opting for the JWT token method actually means not having to deal with 2FA at all since the sessions don't expire.

You have a dropdown list in the Team tab of your app, where you can select which account you want your app to be using.

Unfortunately you can't access the account data stored manually. Apologies for this state, I'll make sure to bump the priority of the issue as much as we can.

[gregorskii]

Jwt auth makes sense but we manage apple accounts we are invited to. It requires owner permissions to make the JWT token and it's team based.

It's not ideal but we can look into it.

Is there any way to get the session from the bitrise stored account via shell?

Thanks!

[gregorskii]

Looks like it's an API call with known env values at runtime.

https://github.com/bitrise-steplib/steps-fastlane/blob/master/vendor/github.com/bitrise-steplib/steps-deploy-to-itunesconnect-deliver/devportalservice/devportalservice.go

Is the issue with this session obtaining the keys from the API, from setting it via the env, or consuming it via fastlane?

[gregorskii]

It looks to me like the apple developer accounts in Bitrise are user-specific, when I requested the accounts with the default automated builds account there are no users in the API call to apple_developer_portal_data. Could this be part of the issue? The availability of the accounts depending on what the user adds them and what user runs the build?

[gregorskii]

Hello,

Any update on this?

I just need some answers so I can look for next steps.

Thanks

[bitce]

Hi @gregorskii!

The fix is in progress, we will make sure to let you know here once it's ready to get released! Thanks for digging into this.

[gregorskii]

Awesome thank you @bitce. Hopefully, my digging was helpful!

As you are aware most customers will be hitting a Feb deadline for adding 2fa to their accounts. Understood that the JWT mechanism is the recommendation for how to solve this, but it does not easily work for our organization. We will be working towards that goal as it will likely be required in the future. But Apple requires that app owners create the necessary key, and then we have to store it. Our bitrise stack supports deployment for our customers, so it is a big undertaking.

Best

[godrei]

Hi @gregorskii did you enable a Bitrise session-based Apple Developer connection for the build: https://devcenter.bitrise.io/getting-started/configuring-bitrise-steps-that-require-apple-developer-account-data/ ?

Please make sure the Bitrise connected account and the one you use for App Store deployment have the same Apple ID. Also, make sure you use the latest version of the step and Fastlane.

[gregorskii]

Will try.

Quick question, does this setup support using multiple apple IDs? Assume all of the apple IDs will be logged in via the bitrise dashboard. Will it look for the one with the matching email?

Second I asked before, but, it seems the logged in accounts are user specific, we have automation running our jobs. Will the step find the apple ids even if they were added via a user account?

[godrei]

@gregorskii On the Bitrise project's Team tab, under Connected Apple Developer Portal Account section you need to specify which one of the Bitrise connected Apple Developer accounts should be used for the given Bitrise project.

The Apple Developer connection belongs to Bitrise user accounts, for the given Bitrise project you can select any (who can access the project) Bitrise user's Apple Developer connection.

[gregorskii]

@godrei that makes sense.

is it possible to use multiple apple developer accounts for the same project? ie make more the one available?

EDIT: it looks to me like this is a 1:1 relationship now that I see the Team tab on the project. You can add as many developer accounts as you want to the user/account -> Apple Developer Accounts Page, but only one session-based authentication method can be associated with a project. It seems this is true as well for the new p8 method.

Any thoughts on whether this could be a map of accounts matched by email? Have you encountered any use cases like that before?

[godrei]

Hi @gregorskii sorry for my late response.

You're right this is a 1:1 relation at the moment.

There is a feature request to change this on discuss, please vote on it to bump its priority: https://discuss.bitrise.io/t/connect-multiple-apple-developer-accounts/3318 I am not sure when we will be able to start working on this.

We plan to add step inputs where you can pass the authentication data, similarly to this change: https://github.com/bitrise-steplib/steps-deploy-to-itunesconnect-deliver/pull/88 once we have this done, you can upload multiple API keys to the Workflow Editor, set Issuer IDs as secrets and configure the step via step inputs.

[gregorskii]

Awesome thank you. I have added a “+1” to that request.

Best

[godrei]

@gregorskii do you need any more help? can we close this issue?

[gregorskii]

I think we can close it. I have the info I need.

Is the step fixed for a single account? For anyone else that may find this.

[lpusok]

@gregorskii Yes a fix was released earlier: https://github.com/bitrise-steplib/steps-fastlane/releases/tag/2.7.4

We also released a new version that does support API key based authentication, and also Step inputs (for a single user still), see: https://github.com/bitrise-steplib/steps-fastlane/releases/tag/3.0.0