Fix CloudKit container permissions

I've been using CloudKit for my app recently, and I'm trying to add support for a watchOS app. I've enabled iCloud in capabilities and ticked the container I want to use, but I get this error.

CoreData: error: CoreData+CloudKit: -[NSCloudKitMirroringDelegate recoverFromPartialError:forStore:inMonitor:]block_invoke(1943): <NSCloudKitMirroringDelegate: 0x282430000>: Found unknown error as part of a partial failure: <CKError 0x28112d500: "Permission Failure" (10/2007); server message = "Invalid bundle ID for container"; uuid = ; container ID = "iCloud.Appname">

I tried creating a new container, which worked for both the watch app and iOS app; however, I would like to use my original container since it has my old data.
Answered by DTS Engineer in 768819022

The error message typically indicates that your app ID isn't properly associated with your iCloud container, which can be a configuration issue on your side, or a bug on the system side.

To rule out the configuration issue, consider the following:

a. When creating a CloudKit container, use CKContainer(identifier:) to explicitly specify the container ID. This avoids confusion in the case where your app uses multiple containers. If you use Core Data CloudKit, specify the container ID with NSPersistentCloudKitContainerOptions:

 let cloudKitContainerOptions = NSPersistentCloudKitContainerOptions(containerIdentifier: yourCloudKitContainerIdentifier)

b. Be sure that your app ID and CloudKit container are correctly associated with the following steps:

  1. Log in to Apple's Developer Portal with your account, go to the Certificates, Identifiers & Profiles page, and find the app ID of your app.

  2. Click the app ID to navigate to the Capabilities page, make sure iCloud is checked, then click Edit to navigate to the iCloud Container Assignment page.

  3. Find your iCloud container on the page.

  4. Make sure the container ID is checked, meaning that the container ID is associated with your App ID. Without the association, your app won't be able to access the container.

  5. Refresh your provisioning profile. If you are using Xcode’s Automatically manage signing, uncheck the box, check it back, and then pick the right team so Xcode refreshes the provisioning profile. Otherwise, you need to manually create the provisioning profile, download it, and install it for your Xcode.

If the error is still there, try with a new CloudKit container. (You can't delete an iCloud container after creating it, but in this case, you might want to create one to help diagnose the issue.) If the error goes away after you simply switch to the new CloudKit container, you can confirm that the association between your app ID and the CloudKit container isn't established, even though the Portal shows it is.

You can now forget the problematic CloudKit container, and use the new one to continue your development.

If the problematic CloudKit container has been shipped, and hence you need to fix the issue, start with filing a feedback report with the following information:

  • Your app ID.
  • The CloudKit container ID that triggers the problem.
  • The code that you use to specify the CloudKit container.
  • The screenshots that show the association between the app ID and the CloudKit container.
  • The fact that simply switching to a new container fixes the issue.

You can then contact Apple's Developer Technical Support with the feedback report ID so they can work with the CloudKit team to correctly associate your app ID and CloudKit container ID from the server side.
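
An added example, not part of the original answer or of Apple's tooling: a local check for step b, comparing the container IDs in each target's signed entitlements with the ones its provisioning profile grants. It assumes both have already been decoded to plists; the bundle IDs, team ID and container ID below are constructed.

```python
import plistlib

# Real entitlement keys; every identifier in the sample data below is constructed.
CONTAINERS_KEY = "com.apple.developer.icloud-container-identifiers"
SERVICES_KEY = "com.apple.developer.icloud-services"


def check_target(name, container_id, entitlements_plist, profile_plist):
    """Return the problems found for one target; an empty list means consistent."""
    signed = plistlib.loads(entitlements_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    problems = []
    if "CloudKit" not in signed.get(SERVICES_KEY, []):
        problems.append(f"{name}: CloudKit service not enabled in signed entitlements")
    if container_id not in signed.get(CONTAINERS_KEY, []):
        problems.append(f"{name}: {container_id} not in signed entitlements")
    if container_id not in granted.get(CONTAINERS_KEY, []):
        problems.append(f"{name}: {container_id} not granted by provisioning profile")
    return problems


def sample(bundle_id, signed_containers, profile_containers):
    """Build constructed (entitlements, profile) plists for one target."""
    app_id = f"TEAMID1234.{bundle_id}"
    signed = {"application-identifier": app_id, SERVICES_KEY: ["CloudKit"],
              CONTAINERS_KEY: signed_containers}
    profile = {"Name": f"Dev: {bundle_id}",
               "Entitlements": {"application-identifier": app_id,
                                CONTAINERS_KEY: profile_containers}}
    return plistlib.dumps(signed), plistlib.dumps(profile)


CONTAINER = "iCloud.com.example.notes"
TARGETS = {
    # iOS app: container present in both the entitlements and the profile.
    "ios": sample("com.example.notes", [CONTAINER], [CONTAINER]),
    # Watch app, constructed mismatch: the profile does not grant the container.
    "watch": sample("com.example.notes.watchkitapp", [CONTAINER], []),
}


def audit(targets=TARGETS, container_id=CONTAINER):
    """Check every target against the one container they are meant to share."""
    return {name: check_target(name, container_id, *plists)
            for name, plists in targets.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else problems)
```

A clean result only rules out the local configuration; it cannot show whether the server-side association exists, which is what the new-container test in the answer is for.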

I've been experiencing the same CKError (10) which is a permission failure--but not one per their documentation. In other words, it is not a security role thing. One attempt was on a completely new container with no defined roles. https://developer.apple.com/documentation/cloudkit/ckerror/code/permissionfailure

"This error typically occurs in the public database in one of these circumstances:
  • You have roles defined for record types.

  • Your app is trying to accept a share that the current user was not invited to."

Following some archive documentation, I was adding my container to a second app as described in the section "Share Containers Between Apps" here: https://developer.apple.com/library/archive/documentation/DataManagement/Conceptual/CloudKitQuickStart/EnablingiCloudandConfiguringCloudKit/EnablingiCloudandConfiguringCloudKit.html

This gave me the same error as described above (10/2007)

However, unlike you, creating a new container and using it in ANY of my development/TestFlight apps did not work. Doing so resulted in the same error.

My troubleshooting so far was:
  • Uncheck/Recheck the container identifier in signing + capabilities

  • Kill Xcode followed by reboot of iPhone + Mac

  • Remove all mobile device provisioning profiles that Xcode manages

  • Delete all provisioning profiles on the iPhone using Xcode Devices window

  • Create new container and attempt to connect in app

Nothing seemed to work. Seems like it is an Apple problem and not me (us)! Glad I found your post before making my own of the same nature.

I filed a Feedback Assistant bug yesterday for this exact error code (10/2007). Please file a Feedback Assistant bug too and feel free to reference my number so they can see it is affecting more than one developer. FB8826569


Yep, having this issue, very annoying - I hope it'll be fixed in the next few days as it seems to be an issue on Apple's side.

Meanwhile I've filed a radar: FB8877360, and also posted here: https://developer.apple.com/forums/thread/665280

I had the same issue. I had retrieved the container via: let container = CKContainer.default(). I spent a few hours one day working on it, then the following morning decided to try: let container = CKContainer(identifier: "mycontainer.id"), and it worked.

So I tried printing the default container identifier, which turned out to be mycontainer.id -- so I reverted my code to: let container = CKContainer.default(), and it worked again. My conclusion is that either:

  • calling it with the identifier explicitly fixed some setting, to make it match the setting in the Xcode project settings (which had always been mycontainer.id),

or:

  • there was an issue where Apple had to finish updating some database permissions or something internally, which took a few hours or more (less than a day in my case though thankfully).

Anyway, figured I'd post this in case someone else runs into it -- seems to be a reasonably common issue.
