[docs] Add instructions for Apple Developer account program roles and permissions required for using EAS build #29949
📘 Your docs preview website is ready!
Looks good for me! 😊
docs/pages/app-signing/apple-developer-program-roles-and-permissions.mdx
|
||
The owner of the individual Apple Developer account needs to generate the following credentials: | ||
|
||
- **Distribution signing certificate**: Required to sign development and release builds that are installed on an iOS device. |
We have this doc explaining the credential types, since we're explaining them in brief, we could deep link here: https://docs.expo.dev/app-signing/app-credentials/#ios
Added a callout to include that docs link to gracefully mention it.
- **Distribution provisioning profile**: Required to sign the build that is submitted to the Apple App Store. | ||
- **Push key**: Required when using a push notification service. | ||
|
||
With EAS CLI, all of the above credentials can be created and synced automatically with the Apple Developer account. Once the owner login to their [Expo account](/accounts/account-types/), they can create or update the provisioning profile by running `eas credentials` using the EAS CLI. |
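Review bot: The line beginning "With EAS CLI, all of the above credentials" says the distribution certificate, provisioning profile and push key can all be created and synced, but the sentence that follows names only the provisioning profile as what `eas credentials` creates or updates. Either say explicitly how the certificate and push key are handled in the same step or narrow the first sentence, so the account owner is not left guessing whether two of the three credentials still need separate setup.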
With EAS CLI, all of the above credentials can be created and synced automatically with the Apple Developer account. Once the owner login to their [Expo account](/accounts/account-types/), they can create or update the provisioning profile by running `eas credentials` using the EAS CLI. | |
With EAS CLI, all of the above credentials can be created and synced automatically with the Apple Developer account. Once the Apple Developer account owner logs in to their [Expo account](/accounts/account-types/), they can create or update the provisioning profile by running `eas credentials` using the EAS CLI. |
|
||
An Apple Developer account is required to create iOS device builds on EAS. This account allows you to generate [app signing credentials](/app-signing/managed-credentials/#generating-app-signing-credentials) such as certificates, identifiers, and profiles, submit the app for review, and manage app's distribution. | ||
|
||
If the Apple Developer account is an individual account, only the account owner can generate the app signing credentials. This guide provides steps that the account owner has to follow to ensure app signing credentials are generated. It also provides steps for the team developer to create an EAS Build. |
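Review bot: In the line beginning "An Apple Developer account is required", "manage app's distribution" is missing an article; suggest "manage the app's distribution". In the last line of the hunk, "create an EAS Build" uses the product name for a single build, so "create a build with EAS Build" would read more consistently with the first sentence's "iOS device builds on EAS".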
If the Apple Developer account is an individual account, only the account owner can generate the app signing credentials. This guide provides steps that the account owner has to follow to ensure app signing credentials are generated. It also provides steps for the team developer to create an EAS Build. | |
An Apple Developer user profile must have **Access to Certificates, Identifiers, and Profiles** enabled in their App Store Connect user permissions in order to generate app signing credentials. If the Apple Developer account is an individual account, only the owner of the account can have this access. On organization Apple Developer accounts, multiple team members can have this access, but some organizations choose to limit this access. This guide provides steps that a user with **Access to Certificates, Identifiers, and Profiles** can follow to ensure app signing credentials are generated and available to other EAS users. It also provides steps for the team developer to create an EAS Build by using the pre-generated credentials. |
My rough attempt to explain all scenarios where you may not have this access. This might also be the place to put a picture of this checkbox
|
||
> See [Apple's documentation on Program Roles](https://developer.apple.com/support/roles/) for details on the different roles and their permissions based on the type of Developer account. | ||
|
||
## Steps for Apple Developer account owner |
## Steps for Apple Developer account owner | |
## Steps for Apple Developer with access to certificates, identifiers, and profiles |
I dunno how often we want to repeat this, but this is the only way I know how to describe this user.
What you call this person can also drive what you change "owner" to in the proceeding paragraphs. Maybe "authorized user"?
Yeah, I realize "owner" might not be a good word to use here. Looking at https://developer.apple.com/support/roles/, majorly, there are three to four types of account roles that can have access to certificates and profiles. Let's go with "authorized users". Thanks for the suggestion!
This ensures that the provisioning profile associated with the Expo account has necessary permissions. | ||
|
||
> For projects with existing credentials, see [Using existing credentials](/app-signing/existing-credentials/) for details on how to sync these to EAS or manage them manually. | ||
|
### Uploading pre-generated Apple credentials | |
Some development teams may choose to generate distribution certificates and provisioning profiles outside of EAS. These credentials can be added by any EAS user with Developer or higher permissions via `eas credentials` or in **Credentials** under **Project Settings** on the Expo dashboard. You will need the **.p12** and **.mobileprovision** files, as well as any passwords set when generating the distribution certificate, when uploading the credentials. |
Context: bigger teams will generate these on their own and distribute the files to those who need them because a) everyone having access to certificates, identifiers, and profiles can be a security concern, and b) you only get, I think, 3 distribution certs at once. These certs might be shared with EAS apps, non-RN apps, etc. So, someone going wild with generating credentials in EAS could grind the build process somewhere else in the organization to a halt.
So, I think it's good to mention somewhere that generating them via EAS isn't the only option. Also, what's nice here is that the individual Apple account owner or otherwise responsible for Apple credentials person doesn't even need to be a member of your Expo organization (in one case, I was working with someone from a security team in some area of the org I never otherwise interacted with).
I'm adding this as a sub section under Additional information as I'm not sure if this should come just after the introduction or something needs to be highlighted that early in the documentation.
@amandeepmittal just wrapped up my attempts to inject some context about the specific permission in question and how it sometimes impacts Apple developer orgs, as well.
…ccounts (#30136)
# Why
Closes ENG-11089
# How
Add a section about Federated develop apple accounts that provides info that the user will see a submission error and link to the https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team section as suggested by @keith-kurak.
# Test Plan
By running docs locally.
# Checklist
- [x] Documentation is up to date to reflect these changes (eg: https://docs.expo.dev and README.md).
- [x] Conforms with the [Documentation Writing Style Guide](https://github.com/expo/expo/blob/main/guides/Expo%20Documentation%20Writing%20Style%20Guide.md)
- [ ] This diff will work correctly for `npx expo prebuild` & EAS Build (eg: updated a module plugin).
Why
Closes ENG-12321
How
Add instructions to explain how a developer on the team can create an EAS Build for iOS when an Individual Apple Developer account is used by an Organization. This doc provides the context of how the Apple Developer account owner is required to create a distribution certificate, provisioning profile, and push key (with necessary steps to EAS Tutorial that covers them) and then the steps the developer on the team needs to take to run the `eas build -p ios` command to create a build. This guide also adds a section about when the Apple Developer account owner will be required to generate and update a new provisioning profile and adds info about using EAS Build and EAS Submit for federated Apple Developer accounts.
Added this guide under EAS Build > App credentials since that section covers all info associated to app signing and credentials.
Test Plan
By running docs locally and visiting http://localhost:3002/app-signing/apple-team-permissions/. Or see Preview http://docs.expo.dev-pr-29949.s3-website-us-east-1.amazonaws.com/app-signing/apple-developer-program-roles-and-permissions/.
Checklist
`npx expo prebuild` & EAS Build (eg: updated a module plugin).