13

I'm releasing my app to Firebase distribution through Fastlane while using a CI machine. I'm facing an issue with the 2FA.

I'm using Match to retrieve my certificates. This is what I have under "Appfile":

```ruby
app_identifier "com.example.example" # the bundle 
apple_id "appleAcount@gmail.com" # Your Apple
team_id "abcd..."  # Developer Portal Team ID
ENV["FASTLANE_USER"] = "appleAcount@gmail.com"
ENV["MATCH_PASSWORD"] = ""
ENV["FASTLANE_PASSWORD"] = ""
ENV["FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"] = ""
```

This is the error I'm receiving:

```
Two-factor Authentication (6 digits code) is enabled for account 'appleAcount@gmail.com'
More information about Two-factor Authentication: https://support.apple.com/en-us/HT204915

If you're running this in a non-interactive session (e.g. server or CI)
check out https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification

(Input sms to escape this prompt and select a trusted phone number to send the code as a text message)

(You can also set the environment variable SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER to automate this)
(Read more at: https://github.com/fastlane/fastlane/blob/master/spaceship/docs/Authentication.md#auto-select-sms-via-spaceship_2fa_sms_default_phone_number)

Please enter the 6 digit code:
```

I have read this "https://docs.fastlane.tools/best-practices/continuous-integration/" but with no luck. Can anyone help me solve this issue?

Gili Ariel

2 Answers

41

The fastlane team did a great job ❤ in recent releases (from 2.157.0 to 2.163.0 so far) to support the use of an API key for App Store Connect API in many actions (pilot, deliver, match, etc. - the status for each tool is available here).

Using an API key removes the need to provide an Apple account to authenticate and authorize the fastlane actions to do their operations on App Store Connect, which also means that you will no longer be fighting with 2 factor issues on your CI machine or have to manually regenerate a session via fastlane spaceauth when it becomes invalid.

From App Store Connect API Key page:

Generating an API key allows you to configure, authenticate, and use one or more Apple services for that key. Keys don’t expire, but can’t be modified to access more services once created. You can have a maximum of 50 active keys at a time

There are other benefits of using an API key and it is the recommended solution as explained in the fastlane documentation:

fastlane has historically used Apple IDs with username and password to authenticate using a cookie-based web session. fastlane will continue using this same cookie-based web session to authenticate with an unofficial version of the App Store Connect API.

However, it is recommended to use the API Key authentication when you are able to. The benefits include:

  • No 2FA needed
  • Better performance
  • Documented API
  • Increased reliability

I will not detail the steps to set up and use an API key here as it is already well explained in the documentation but here are the main steps:

  1. Create a new API key from App Store Connect (you must have the "Account Holder" role to create one) and assign it the "App Manager" role (cf. Role permissions documentation),
  2. Store the key and its info on your CI,
  3. In your Fastfile, call the app_store_connect_api_key action with the values stored in 2.
  4. Pass the value returned by 3. as an api_key parameter when you call an action, or let the action retrieve its value by itself from the lane context (if it supports it).

2FA problem due to invalid session:


Should vanish :)


rd3n
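
The four steps above as one Fastfile, added here as an example (not code from the answer or from the fastlane project). The secret names `ASC_KEY_ID`, `ASC_ISSUER_ID` and `ASC_KEY_CONTENT_B64`, the helper `asc_api_key_options` and the lane name `ci_signing` are assumptions; the base64-encoded `.p8` key is read from CI secrets and checked before any action runs, so a misconfigured job fails with a clear error.

```ruby
require "openssl"

# Hypothetical CI secret names (assumptions, not fastlane's own).
ASC_VARS = %w[ASC_KEY_ID ASC_ISSUER_ID ASC_KEY_CONTENT_B64].freeze

# Validates the API key material held in CI secrets and returns the
# options for fastlane's app_store_connect_api_key action.
def asc_api_key_options(env = ENV)
  missing = ASC_VARS.select { |name| env[name].to_s.strip.empty? }
  raise ArgumentError, "missing CI secrets: #{missing.join(', ')}" unless missing.empty?

  encoded = env["ASC_KEY_CONTENT_B64"].strip
  begin
    pem = encoded.unpack1("m0") # strict base64 decode
    key = OpenSSL::PKey.read(pem)
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    # Report the variable name only; never echo the secret into the CI log.
    raise ArgumentError, "ASC_KEY_CONTENT_B64 is not a base64-encoded private key"
  end
  # App Store Connect API keys are P-256 EC private keys (.p8 files).
  unless key.is_a?(OpenSSL::PKey::EC) && key.private_key? &&
         key.group.curve_name == "prime256v1"
    raise ArgumentError, "API key must be a P-256 EC private key (.p8)"
  end

  {
    key_id: env["ASC_KEY_ID"].strip,
    issuer_id: env["ASC_ISSUER_ID"].strip,
    key_content: encoded,
    is_key_content_base64: true
  }
end

# Fastfile part: only evaluated when fastlane loads this file.
if defined?(Fastlane)
  lane :ci_signing do
    # Step 3: build the API key from the values stored on the CI.
    api_key = app_store_connect_api_key(**asc_api_key_options)
    # Step 4: pass it explicitly, so match needs no Apple ID or password.
    match(type: "adhoc", api_key: api_key)
  end
end
```

With this in place the `FASTLANE_USER`, `FASTLANE_PASSWORD` and application-specific password entries are no longer needed for the actions that accept `api_key`.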
  • this should be marked as the answer – Yahia Jan 27 '21 at 21:39
  • This method is great, but it has a problem ... it doesn't work in most CI like Bitrise and others. In there, one still needs to use session-based authentication which is valid for 30 days. https://devcenter.bitrise.io/getting-started/configuring-bitrise-steps-that-require-apple-developer-account-data/#fastlane-step – Vizllx Feb 04 '21 at 14:57
  • I've never used Bitrise but indeed that's too bad they don't offer this option (my screenshots were on Github Actions), but that's a limitation of the CI not of fastlane. This may change in the future as Bitrise have already deprecated the old session-based authorization for iOS Auto Provision for automatic code signing (but not with fastlane): https://blog.bitrise.io/app-store-connect-api-on-bitrise – rd3n Feb 04 '21 at 16:58
  • @Vizllx we got it to work for Bitrise. We just added the app store connect api key to the secrets. – slowpoke123 Feb 16 '21 at 14:02
  • `download_metadata` doesn't accept the `api_key` value, so I am not able to make it work. Any idea? – manueGE Mar 12 '21 at 11:13
  • When you create the API key, ensure you give it the "App Manager" role. – diachedelic Mar 22 '21 at 07:16
  • @manueGE `download_metadata` is a feature of `deliver` which supports the API key based on the fastlane doc. If you are getting an error, you should report it to the fastlane repo: https://github.com/fastlane/fastlane/issues. @diachedelic you're right, I've updated the answer. – rd3n Mar 22 '21 at 10:38
6

You need to set up an environment variable 'FASTLANE_SESSION'='---\n....\n' token.

To get this token you need to authenticate manually using this command:

fastlane spaceauth -u YOUR_APP_STORE_EMAIL

Example: `fastlane spaceauth -u joe@test.com`.

You will need to revalidate your session every 2-3 weeks (some say 30 days). The process is kind of a pain right now.

Ranknoodle
  • Our session is expiring every 8 hours... it's not a good solution at all :/ But at least it uses the fact that our account is invited in multiple other accounts. With the API key we have to ask every client to create an API key in order for the automation to work. – thinklinux Mar 04 '21 at 09:52
  • I was getting the error "Could not login to App Store Connect" when requesting a web session with `fastlane spaceauth -u YOUR_APP_STORE_EMAIL`. But it was fixed by calling it with sudo (`sudo fastlane spaceauth -u YOUR_APP_STORE_EMAIL`). Maybe it will be useful to somebody. – Yulia Apr 13 '21 at 10:13