Unauthorised Access when running match and SMS 2FA

[simonarcher]

New Issue Checklist

• Updated fastlane to the latest version
• I read the Contribution Guidelines
• I read docs.fastlane.tools
• I searched for existing GitHub issues

Issue Description

Since this morning when running match and after its requesting me to submit my 2FA code via SMS I get a Unauthorized Access error

Command executed

 lane :test_match do
    match(type: "appstore", app_identifier: ["com.xxx.app.development", "com.xxx.app.development.ShareExtension", "com.xxx.app.development.klikkieWidget", "com.xxx.app.development.MomentExtension"])
  end

Complete output when running fastlane, including the stack trace and command used

[14:03:41]: Which number would you like to run?
16
[14:03:46]: Running lane `ios test_match`. Next time you can do this by directly typing `bundle exec fastlane ios test_match` 🚀.
[14:03:46]: Driving the lane 'ios test_match' 🚀
[14:03:46]: -----------------------------
[14:03:46]: --- Step: update_fastlane ---
[14:03:46]: -----------------------------
[14:03:46]: Looking for updates for fastlane...
[14:03:48]: Nothing to update ✅
[14:03:49]: -------------------
[14:03:49]: --- Step: match ---
[14:03:49]: -------------------

+----------------------------------------+------------------------------------------------------+
|                                   Summary for match 2.212.1                                   |
+----------------------------------------+------------------------------------------------------+
| type                                   | appstore                                             |
| readonly                               | false                                                |
| generate_apple_certs                   | true                                                 |
| skip_provisioning_profiles             | false                                                |
| storage_mode                           | git                                                  |
| git_branch                             | master                                               |
| shallow_clone                          | false                                                |
| clone_branch_directly                  | false                                                |
| skip_google_cloud_account_confirmation | false                                                |
| keychain_name                          | login.keychain                                       |
| force                                  | false                                                |
| force_for_new_devices                  | false                                                |
| include_mac_in_profiles                | false                                                |
| include_all_certificates               | false                                                |
| force_for_new_certificates             | false                                                |
| skip_confirmation                      | false                                                |
| safe_remove_certs                      | false                                                |
| skip_docs                              | false                                                |
| platform                               | ios                                                  |
| derive_catalyst_app_identifier         | false                                                |
| fail_on_name_taken                     | false                                                |
| skip_certificate_matching              | false                                                |
| skip_set_partition_list                | false                                                |
| verbose                                | false                                                |
+----------------------------------------+------------------------------------------------------+

[14:03:49]: Cloning remote git repo...
[14:03:49]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[14:03:51]: Checking out branch master...
[14:03:51]: 🔓  Successfully decrypted certificates repo
[14:03:51]: Verifying that the certificate and profile are still valid on the Dev Portal...
Available session is not valid any more. Continuing with normal login.
Two-step Verification (4 digits code) is enabled for account 'xxxx'
More information about Two-step Verification: https://support.apple.com/en-us/HT204152

Please select a trusted device to verify your identity
1. +•• •• ••••••11	SMS	(-xxx)
2. +•• •• ••••••75	SMS	(-xxx)
3. +•• •• ••••••94	SMS	(-xxx)
?  2
Successfully requested notification
Please enter the 4 digit code: 3369
Requesting session...
+------------------+----------------+
|           Lane Context            |
+------------------+----------------+
| DEFAULT_PLATFORM | ios            |
| PLATFORM_NAME    | ios            |
| LANE_NAME        | ios test_match |
+------------------+----------------+
[14:04:14]: Unauthorized Access

+------+------------------+-------------+
|           fastlane summary            |
+------+------------------+-------------+
| Step | Action           | Time (in s) |
+------+------------------+-------------+
| 1    | default_platform | 0           |
| 2    | xcode_select     | 0           |
| 3    | update_fastlane  | 2           |
| 💥   | match            | 24          |
+------+------------------+-------------+

[14:04:14]: fastlane finished with errors

Looking for related GitHub issues on fastlane/fastlane...

➡️  The request could not be completed because: Unauthorized Access
    https://github.com/fastlane/fastlane/issues/20078 [closed] 42 💬
    28 Jun 2022

➡️  `download_dsyms` fails to use session from spaceauth
    https://github.com/fastlane/fastlane/issues/18763 [closed] 2 💬
    13 Sep 2021

➡️  match permission denied
    https://github.com/fastlane/fastlane/issues/17810 [closed] 11 💬
    26 Apr 2021

and 22 more at: https://github.com/fastlane/fastlane/search?q=The%20request%20could%20not%20be%20completed%20because%3A%0A%09Unauthorized%20Access&type=Issues&utf8=✓

🔗  You can ⌘ + double-click on links to open them directly in your browser.

[!] The request could not be completed because:
	Unauthorized Access

Environment

🚫 fastlane environment 🚫

### Stack

| Key                         | Value                                       |
| --------------------------- | ------------------------------------------- |
| OS                          | 13.2.1                                      |
| Ruby                        | 2.7.2                                       |
| Bundler?                    | false                                       |
| Git                         | git version 2.37.1 (Apple Git-137.1)        |
| Installation Source         | ~/.rbenv/versions/2.7.2/bin/fastlane        |
| Host                        | macOS 13.2.1 (22D68)                        |
| Ruby Lib Dir                | ~/.rbenv/versions/2.7.2/lib                 |
| OpenSSL Version             | OpenSSL 1.1.1l  24 Aug 2021                 |
| Is contained                | false                                       |
| Is homebrew                 | false                                       |
| Is installed via Fabric.app | false                                       |
| Xcode Path                  | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version               | 14.2                                        |
| Swift Version               | 5.7.2                                       |


### System Locale

| Error                       |
| --------------------------- |
| No Locale with UTF8 found 🚫 |


### fastlane files:

<details><summary>`./fastlane/Fastfile`</summary>

```ruby
# This file contains the fastlane.tools configuration
# You can find the documentation at https://docs.fastlane.tools
#
# For a list of all available actions, check out
#
#     https://docs.fastlane.tools/actions
#
# For a list of all available plugins, check out
#
#     https://docs.fastlane.tools/plugins/available-plugins
#

# Uncomment the line if you want fastlane to automatically update itself
# update_fastlane

default_platform(:ios)
xcode_select "/Applications/Xcode.app"

platform :ios do

  before_all do
    Dotenv.load ".env.ios"
    update_fastlane
  end

  desc "Push a new Staging build to TestFlight"
  lane :test_match do
    match(type: "appstore", app_identifier: ["com.klikkie.app.development", "com.klikkie.app.development.ShareExtension", "com.klikkie.app.development.klikkieWidget", "com.klikkie.app.development.MomentExtension"])
  end
end

`./fastlane/Appfile`

app_identifier("xxxx") # The bundle identifier of your app
apple_id("xxx@xxxx") # Your Apple email address

itc_team_id("xxx") # App Store Connect Team ID
team_id("xxx") # Developer Portal Team ID

# For more information about the Appfile, see:
#     https://docs.fastlane.tools/advanced/#appfile

fastlane gems

Gem	Version	Update-Status
fastlane	2.212.1	✅ Up-To-Date

Loaded fastlane plugins:

Plugin	Version	Update-Status
fastlane-plugin-badge	1.5.0	✅ Up-To-Date
fastlane-plugin-slack_bot	1.3.0	✅ Up-To-Date

Loaded gems

Gem	Version
did_you_mean	1.4.0
rouge	2.0.7
xcpretty	0.3.0
terminal-notifier	2.0.0
unicode-display_width	1.8.0
terminal-table	1.8.0
multipart-post	2.0.0
word_wrap	1.0.0
optparse	0.1.1
tty-screen	0.8.1
tty-cursor	0.7.1
tty-spinner	0.9.3
artifactory	3.0.15
babosa	1.0.4
colored	1.2
highline	2.0.3
commander	4.6.0
faraday-cookie_jar	0.0.7
faraday_middleware	1.2.0
gh_inspector	1.1.3
naturally	2.2.1
rubyzip	2.3.2
security	0.1.3
xcpretty-travis-formatter	1.0.1
emoji_regex	3.2.3
uri	0.10.0
rexml	3.2.5
nanaimo	0.3.0
colored2	3.1.2
claide	1.1.0
CFPropertyList	3.0.6
atomos	0.1.3
xcodeproj	1.22.0
plist	3.7.0
public_suffix	5.0.1
addressable	2.8.1
excon	0.99.0
ruby2_keywords	0.0.5
faraday-retry	1.0.3
faraday-rack	1.0.0
faraday-patron	1.0.0
faraday-net_http_persistent	1.2.0
faraday-net_http	1.0.1
faraday-multipart	1.0.4
faraday-httpclient	1.0.1
faraday-excon	1.1.0
faraday-em_synchrony	1.0.0
faraday-em_http	1.0.0
faraday	1.10.3
unf_ext	0.0.8.2
unf	0.1.4
domain_name	0.5.20190701
http-cookie	1.0.5
fastimage	2.2.6
json	2.6.3
mini_magick	4.12.0
dotenv	2.8.1
bundler	2.2.30
simctl	1.6.10
jwt	2.7.0
webrick	1.8.1
httpclient	2.8.3
multi_json	1.15.0
signet	0.17.0
os	1.1.4
memoist	0.16.2
googleauth	1.3.0
mini_mime	1.1.2
retriable	3.1.2
trailblazer-option	0.1.2
declarative	0.0.20
uber	0.1.0
representable	3.2.0
google-apis-core	0.11.0
google-apis-playcustomapp_v1	0.13.0
google-apis-androidpublisher_v3	0.36.0
rake	13.0.6
digest-crc	0.6.4
google-apis-storage_v1	0.19.0
google-apis-iamcredentials_v1	0.17.0
google-cloud-errors	1.3.1
google-cloud-env	1.6.0
google-cloud-core	1.6.0
google-cloud-storage	1.44.0
aws-eventstream	1.2.0
aws-sigv4	1.5.2
aws-partitions	1.725.0
jmespath	1.6.2
aws-sdk-core	3.170.0
aws-sdk-kms	1.63.0
aws-sdk-s3	1.119.1
forwardable	1.3.1
logger	1.4.2
cgi	0.1.0
date	3.0.0
timeout	0.1.0
stringio	0.1.0
ipaddr	1.2.2
openssl	2.1.2
zlib	1.1.0
mutex_m	0.1.0
ostruct	0.2.0
strscan	1.0.3
io-console	0.5.6
delegate	0.1.0
fileutils	1.4.1
singleton	0.1.0
open3	0.1.0
yaml	0.1.0
psych	3.1.0
badge	0.13.0
fastlane-plugin-badge	1.5.0
fastlane-plugin-slack_bot	1.3.0

generated on: 2023-03-13

```

 [REPLACE THIS WITH YOUR INFORMATION] 

[simonarcher]

Its been a week and Im still appear to be stuck here and cant make builds via Fastlane anymore.

Is there any word on whether this is a wider issue? And any possible work arounds in the meantime?

thanks!

[simonarcher]

Hi @joshdholtz !

Apologies for tagging you directly here, but I just wonder if you might be able to give your thoughts about the issue I might be facing here?
I see the last release had some changes with regards to the Apple 2FA and just wondering if you think maybe there's some relation here.
Or if you might be able to suggest what I could do to work around this for now? As my workflow is now blocked by this issue and unsure how to progress further.

Thanks! Appreciate your thoughts on this 😊

[sitting-duck]

Hello all, I also have this issue and it is blocking my workflow as well, I am very much interested in this subject too. Thanks.

[theahmadzai]

Same issue on github action, any fix? :3

[simonarcher]

so since there's been no action or response to this issue, I managed to work around it by updating my flow to use the App Store Connect API to use as authentication.
Not sure if it's helpful as a solution for everyone else, but its worked for me for now. :)

[majaklajic]

Same issue on Bitrise with Deploy to App Store Connect with Deliver step lib.

[sec0ndhand]

so since there's been no action or response to this issue, I managed to work around it by updating my flow to use the App Store Connect API to use as authentication.
Not sure if it's helpful as a solution for everyone else, but its worked for me for now. :)

This is absolutely the fix for this. I would vote to close this issue, as there is a path forward, and fast lane can't likely change apple's policy on 2FA.

[kononenkoAnton]

so since there's been no action or response to this issue, I managed to work around it by updating my flow to use the App Store Connect API to use as authentication.
Not sure if it's helpful as a solution for everyone else, but its worked for me for now. :)

This is absolutely the fix for this. I would vote to close this issue, as there is a path forward, and fast lane can't likely change apple's policy on 2FA.

This solution will not work for enterprise account, since it does not have iTunes Connect

[vaibhav-nickelfox]

Hello folks, any solution for enterprise accounts?

[bhat-ganesh]

I was able to setup App Store Connect API for authentication successfully. But still getting the Unautorized access on match.

I haven't changed the password on the user. last I know it never had 2FA enabled. Do I need to now enable 2FA for my user (now) for appstore_connect_api_key to work?

SPACESHIP_SKIP_2FA_UPGRADE=1 is set in my configuration.

If you have any pointers, pls share. Thank you.

The below should setup up appstore connection via API key for further fastlane commands.

19:22:54  [06:52:53]: $ bundle exec fastlane run app_store_connect_api_key key_id:'REDACTED' issuer_id:'REDACTED' key_content:'REDACTED'
19:22:54  [06:52:53]: 
19:22:54  [06:52:53]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
19:22:55  [06:52:54]: Sending anonymous analytics information
19:22:55  [06:52:54]: Learn more at https://docs.fastlane.tools/#metrics
19:22:55  [06:52:54]: No personal or sensitive data is sent.
19:22:55  [06:52:54]: You can disable this by adding `opt_out_usage` at the top of your Fastfile
19:22:55  [06:52:54]: ---------------------------------------
19:22:55  [06:52:54]: --- Step: app_store_connect_api_key ---
19:22:55  [06:52:54]: ---------------------------------------
19:22:55  [06:52:54]: Result: {:key_id=>"REDACTED", :issuer_id=>"REDACTED", :key=>"REDACTED", :is_key_content_base64=>false, :duration=>500, :in_house=>false}

(Although not needed) I also did an explicit setting of api_key for match

lane :"myLane" do
  app = "com.test.myApp"
  api_key = lane_context[SharedValues::APP_STORE_CONNECT_API_KEY]
  match(
    app_identifier: "#{app}",
    git_branch: "#{app}",
    force_for_new_devices: false,
    type: "developer_id",
    platform: "macos",
    generate_apple_certs: false,
    api_key: api_key
  )
end

But still ending up with Unauthorized error when match runs

19:23:09  [06:53:07]: Checking out branch com.test.myApp...
19:23:09  [06:53:07]: 🔓  Successfully decrypted certificates repo
19:23:09  [06:53:07]: Verifying that the certificate and profile are still valid on the Dev Portal...
19:23:09  This account is being prompted to upgrade to 2FA
19:23:09  Attempting to automatically bypass the upgrade until a later date
19:23:09  To disable this, remove SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable
19:23:13  +------------------+------------------------+
19:23:13  |               Lane Context                |
19:23:13  +------------------+------------------------+
19:23:13  | DEFAULT_PLATFORM | ios                    |
19:23:13  | PLATFORM_NAME    | macos                  |
19:23:13  | LANE_NAME        | macos myApp            |
19:23:13  +------------------+------------------------+
19:23:13  [06:53:11]: Unauthorized Access
19:23:13  
19:23:13  +------+------------------+-------------+
19:23:13  |           fastlane summary            |
19:23:13  +------+------------------+-------------+
19:23:13  | Step | Action           | Time (in s) |
19:23:13  +------+------------------+-------------+
19:23:13  | 1    | default_platform | 0           |
19:23:13  | 💥   | match            | 15          |
19:23:13  +------+------------------+-------------+
19:23:13  
19:23:13  [06:53:11]: fastlane finished with errors

[bhat-ganesh]

Turns out this does not set up the appstore_connect_api_key for further fastlane commands

fastlane run app_store_connect_api_key key_id:'REDACTED' issuer_id:'REDACTED' key_content:'REDACTED'

After further rtfm, I set the appstore_connect_api_key in match as mentioned here and was able to get past the 2FA 🎉

lane :"myLane" do
    app_store_connect_api_key(
      key_id: 'REDACTED'
      issuer_id: 'REDACTED'
      key_content: 'REDACTED'
    )

  app = "com.test.myApp"

  match(
    app_identifier: "#{app}",
    git_branch: "#{app}",
    force_for_new_devices: false,
    type: "developer_id",
    platform: "macos",
    generate_apple_certs: false
  )
end

[patricpfranca]

The same issue persists! Even when entering the Apple API key, it keeps returning the 2FA.

[Stas-Buzunko]

Turns out this does not set up the appstore_connect_api_key for further fastlane commands

fastlane run app_store_connect_api_key key_id:'REDACTED' issuer_id:'REDACTED' key_content:'REDACTED'

After further rtfm, I set the appstore_connect_api_key in match as mentioned here and was able to get past the 2FA 🎉

lane :"myLane" do
    app_store_connect_api_key(
      key_id: 'REDACTED'
      issuer_id: 'REDACTED'
      key_content: 'REDACTED'
    )

  app = "com.test.myApp"

  match(
    app_identifier: "#{app}",
    git_branch: "#{app}",
    force_for_new_devices: false,
    type: "developer_id",
    platform: "macos",
    generate_apple_certs: false
  )
end

this suggestion worked for me but I had to change app_identifier: to ["my-app-id"] otherwise got some error while building

[Am1nCmd]

does it already solved?

I got the same issue here

Requesting session...
+------------------------------------+
|            Lane Context            |
+------------------+-----------------+
| DEFAULT_PLATFORM | ios             |
| PLATFORM_NAME    | ios             |
| LANE_NAME        | ios reg_devices |
+------------------+-----------------+
[18:58:59]: Unauthorized Access

+---------------------------------------+
|           fastlane summary            |
+------+------------------+-------------+
| Step | Action           | Time (in s) |
+------+------------------+-------------+
| 1    | default_platform | 0           |
| 💥   | register_devices | 36          |
+------+------------------+-------------+

[18:58:59]: fastlane finished with errors