Why does xcodebuild require admin access to cloud sign for distribution?

I tried to make use of the new cloud signing options to xcodebuild -exportArchive on our CI server, as explained in WWDC21 session 10204, but bumped into the seemingly arbitrary limitation that distribution signing requires an App Store Connect API key with Admin-level access. Why is that?

In this case, I am trying to run the command

$ xcodebuild -exportArchive \
  -archivePath build/MyApp.xcarchive \
  -exportOptionsPlist exportOptions-AppStore.plist \
  -exportPath build \
  -allowProvisioningUpdates \
  -authenticationKeyPath AuthKey_$KEY_ID.p8 \
  -authenticationKeyID $KEY_ID \
  -authenticationKeyIssuerID $ISSUER_ID

but using a non-admin $KEY_ID (with Developer or App Manager access only) results in xcodebuild printing this error:

error: exportArchive: Cloud signing permission error

Error Domain=DeveloperAPIServiceErrorDomain Code=5 "Cloud signing permission error" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedRecoverySuggestion=You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/., NSLocalizedDescription=Cloud signing permission error}
...

The only way I have found for the above command to succeed is through the use of an API key with Admin access. But in a company with several teams and CI servers sharing one App Store team, scattering unconstrained admin access around like that seems like a strong no-go.

So a feature request, if I may!

Now, the error I'm seeing appears to be the same effective error as what's seen by a developer who hasn't got the "Access to Cloud Managed Distribution Certificate" setting checked under their App Store Connect user account.

So would it be possible to somehow enable that access for a given API key as well?

(Even better if API keys could also be limited to specific apps like user accounts can. But I realise it's a known issue as documented in the note in the docs.)
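The CI wrapper below is an added example and not code from the original question or from Apple. It writes the exportOptions plist the command above refers to, runs the same export, and turns the "Cloud signing permission error" into a distinct exit code so that a key lacking cloud-managed distribution access is reported as a permission problem rather than a generic build failure. Assumed, and not in the post: the secret names KEY_ID, ISSUER_ID and ASC_KEY_FILE, the exportOptions keys method/signingStyle/teamID/destination, and "** EXPORT SUCCEEDED **" as the success marker xcodebuild prints.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: KEY_ID, ISSUER_ID and
# ASC_KEY_FILE come from the CI secret store; the exportOptions keys below are
# xcodebuild's standard ones; "** EXPORT SUCCEEDED **" marks a successful export.

# Write a minimal exportOptions plist for cloud-managed App Store signing.
# $1 = output path, $2 = ten-character Apple team ID
write_app_store_export_options() {
    cat >"$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>        <string>app-store</string>
    <key>signingStyle</key>  <string>automatic</string>
    <key>teamID</key>        <string>$2</string>
    <key>destination</key>   <string>export</string>
</dict>
</plist>
EOF
}

# Classify a saved xcodebuild log. Prints a label and returns:
#   0 = ok, 2 = cloud-signing-permission (the API key has not been granted
#   access to cloud-managed distribution certificates), 1 = other-failure.
# Works on a file so it can be exercised without Xcode or a real key.
classify_export_log() {
    if grep -q 'Cloud signing permission error' "$1" \
       || grep -q 'DeveloperAPIServiceErrorDomain Code=5' "$1"; then
        echo cloud-signing-permission
        return 2
    fi
    if grep -q 'EXPORT SUCCEEDED' "$1"; then
        echo ok
        return 0
    fi
    echo other-failure
    return 1
}

# The export from the question, wrapped so CI distinguishes "this key lacks
# cloud signing access" from a genuine archive or build problem.
# $1 = .xcarchive path, $2 = exportOptions plist, $3 = export directory
run_cloud_signed_export() {
    archive=$1 plist=$2 out_dir=$3
    key_file=${ASC_KEY_FILE:-AuthKey_$KEY_ID.p8}
    log=$(mktemp)
    chmod 600 "$key_file"   # the .p8 is a long-lived credential: owner-only
    xcodebuild -exportArchive \
      -archivePath "$archive" \
      -exportOptionsPlist "$plist" \
      -exportPath "$out_dir" \
      -allowProvisioningUpdates \
      -authenticationKeyPath "$key_file" \
      -authenticationKeyID "$KEY_ID" \
      -authenticationKeyIssuerID "$ISSUER_ID" 2>&1 | tee "$log"
    classify_export_log "$log" >/dev/null
    rc=$?
    rm -f "$log"
    if [ "$rc" -eq 2 ]; then
        echo "export failed: key $KEY_ID lacks Access to Cloud Managed Distribution Certificate (or Admin)" >&2
    fi
    return "$rc"
}

# Constructed sample log carrying the error line quoted in the question, for
# exercising the classifier offline.
sample_permission_error_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
error: exportArchive: Cloud signing permission error

Error Domain=DeveloperAPIServiceErrorDomain Code=5 "Cloud signing permission error" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=Cloud signing permission error}
EOF
    echo "$f"
}

# Usage on a Mac CI host:
#   KEY_ID=... ISSUER_ID=... ASC_KEY_FILE=/secrets/AuthKey.p8 \
#   run_cloud_signed_export build/MyApp.xcarchive exportOptions-AppStore.plist build
```

Because the classifier looks only at the log, the exit status is the same whether the key is a Developer, App Manager or Admin key; a `2` tells the pipeline to ask an Admin for access rather than to retry the build.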

Replies

I can confirm this issue. There is no option in the web UI to enable "Access to Cloud Managed Distribution Certificate" for an API key.