backend: Add Apple iCloud Drive backend

[lostb1t]

What is the purpose of this change?

Add support for a new backend, iCloud Drive

Was the change discussed in an issue or in the forum before?

#1778

Checklist

• I have read the contribution guidelines.
• I have added tests for all changes in this PR if appropriate.
• I have added documentation for the changes if appropriate.
• All commit messages are in house style.
• I'm done, this Pull Request is ready for review :-)

Notes

This feature branch is in a working state, feedback on finished implementations is appreciated. Ill keep it in draft untill everything is implemented and ill update the TODO accordingly

This PR is only for iCloud Drive. Ill continue work on Photos once this PR is merged.

Todo

Rclone Interfaces

Fs

• List
• Mkdir
• Rmdir
• Put

Object

• Open
• Update
• Remove

Mover

• Move

DirMove

• DirMove

Copier

• Copy

[ncw]

Nice work :-)

Some quick questions

• where did the client_id come from?
• are you running through the integration tests?

Thank you

[lostb1t]

Nice work :-)

Some quick questions

• where did the client_id come from?
• are you running through the integration tests?

Thank you

not sure what client_id you are referring to? and no I havent run any integration test yet.
Will do whenimplemented all interfaces.

[lostb1t]

fyi: so iCloud doesn't have functionality for updating/replacing files. At least not something I can find reverse engineering

So if a file exists I move it to iCloud trash. And upload a new version of the file.
After successful upload the file is removed from trash or restored from trash if upload failed.

[lostb1t]

@ncw how one handle folder invalidation? drive uses etags for files and folders. If a file or folder within a folder changes then the parent folders etag changes. This means I have to clear almost the whole tree from child to parent.

Not sure how to handle that in general, what if a users change it locally but file/folder has changed remotely in between. What error should I raise on that? (if etags are not matching)

cachedir doesn't seem to refresh after invalidation, see:

rclone/backend/icloud/icloud.go

Line 424 in 37816e9

// TODO: wing it for now. Dont know why it doesnt pick up refreshed entries after flushing

When calling flushdir at the end of rmdir I see the call for FindLeaf but the cachedir entries aren't updated.

[ncw]

@lostb1t

not sure what client_id you are referring to?

This one at the top of the source!

clientId      = "e9f98057fb916de2bbd755ef280d7257146a76e5118f27ab2e9a3d065c20c17e"

and no I haven't run any integration test yet. Will do when implemented all interfaces.

Running the integration tests will guide you through what you need to do. You can start running them as soon as you've done List.

fyi: so iCloud doesn't have functionality for updating/replacing files. At least not something I can find reverse engineering

So if a file exists I move it to iCloud trash. And upload a new version of the file. After successful upload the file is removed from trash or restored from trash if upload failed.

Seems OK!

how one handle folder invalidation? drive uses etags for files and folders. If a file or folder within a folder changes then the parent folders etag changes. This means I have to clear almost the whole tree from child to parent.
Not sure how to handle that in general, what if a users change it locally but file/folder has changed remotely in between. What error should I raise on that? (if etags are not matching)

Do you have to use the etags? They are optional for most cloud storage systems and rclone doesn't use them. This means that the last write wins which is what we want. If you can't ignore etags then refresh the etag and try again.

cachedir doesn't seem to refresh after invalidation, see:

rclone/backend/icloud/icloud.go

Line 424 in 37816e9

// TODO: wing it for now. Dont know why it doesnt pick up refreshed entries after flushing

When calling flushdir at the end of rmdir I see the call for FindLeaf but the cachedir entries aren't updated.

Not sure!

[lostb1t]

@lostb1t

not sure what client_id you are referring to?

This one at the top of the source!

clientId      = "e9f98057fb916de2bbd755ef280d7257146a76e5118f27ab2e9a3d065c20c17e"

and no I haven't run any integration test yet. Will do when implemented all interfaces.

Running the integration tests will guide you through what you need to do. You can start running them as soon as you've done List.

fyi: so iCloud doesn't have functionality for updating/replacing files. At least not something I can find reverse engineering
So if a file exists I move it to iCloud trash. And upload a new version of the file. After successful upload the file is removed from trash or restored from trash if upload failed.

Seems OK!

how one handle folder invalidation? drive uses etags for files and folders. If a file or folder within a folder changes then the parent folders etag changes. This means I have to clear almost the whole tree from child to parent.
Not sure how to handle that in general, what if a users change it locally but file/folder has changed remotely in between. What error should I raise on that? (if etags are not matching)

Do you have to use the etags? They are optional for most cloud storage systems and rclone doesn't use them. This means that the last write wins which is what we want. If you can't ignore etags then refresh the etag and try again.

cachedir doesn't seem to refresh after invalidation, see:

rclone/backend/icloud/icloud.go

Line 424 in 37816e9

// TODO: wing it for now. Dont know why it doesnt pick up refreshed entries after flushing

When calling flushdir at the end of rmdir I see the call for FindLeaf but the cachedir entries aren't updated.

Not sure!

etags are needed for file operations unfortunately, but I can just refresh it when it got stale.

the clientid is a static that icloud.com uses. So I reuse it to mimic the browser.

[lostb1t]

@ncw small question. iCloud Drive does not allow uploading empty files so check the size and raise ErrorCantUploadEmptyFiles when its 0

But when using macOS finder to copy a file, I get an partial file with zero length (while the actually file isn't empty)

Not sure howto handle this.

[ncw]

@lostb1t

small question. iCloud Drive does not allow uploading empty files so check the size and raise ErrorCantUploadEmptyFiles when its 0

That sounds correct.

But when using macOS finder to copy a file, I get an partial file with zero length (while the actually file isn't empty)

Are you using rclone mount in the finder?

So you are seeing a zero length file in the finder? I'm not sure what you mean by a partial file?

Can you reproduce this without the rclone mount? So using rclone copy? If so please paste your command line and the log with -vv.

[lostb1t]

Its slow but finished alle interfaces and all integration test are passing 🎉

Only documentation left before its ready for review.

[ncw]

Its slow but finished all interfaces and all integration test are passing 🎉

Well done!

You are running the full suite from test_all?

Only documentation left before its ready for review.

:-)

[epetousis]

@lostb1t not sure if it's too early for bug reports, but currently it looks like app folders aren't being represented as folders, but rather as files.

[lostb1t]

@lostb1t not sure if it's too early for bug reports, but currently it looks like app folders aren't being represented as folders, but rather as files.

bug reports are welcome. Will fix with the following pass, tnx

[lostb1t]

@epetousis this has been fixed

[lostb1t]

crap i broke my icloud. Too many trash items and now the endpoint is broken lol

the icloud web api is a mess

[epetousis]

Fix works great. Much appreciated!

[cyayon]

Hi,
I setup successfully and authentication seems ok, but I do not see any files or directories on my iCloud account.
I tried ls, lsl, lsd... no file.

thanks.

[lostb1t]

Hi,

I setup successfully and authentication seems ok, but I do not see any files or directories on my iCloud account.

I tried ls, lsl, lsd... no file.

thanks.

@cyayon Could you post a log from the command with the -vv flag (e.g. output from rclone -vv ls

[cyayon]

Hi,

here is the verbose.

./rclone-icloud version
rclone v1.67.0-DEV
- os/version: arch (64 bit)
- os/kernel: 6.8.5-arch1-1 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.22.2
- go/linking: dynamic
- go/tags: none

./rclone-icloud -vvv --config rclone-icloud.conf lsd icloud:/
2024/04/20 11:04:04 DEBUG : rclone: Version "v1.67.0-DEV" starting with parameters ["./rclone-icloud" "-vvv" "--config" "rclone-icloud.conf" "lsd" "icloud:/"]
2024/04/20 11:04:04 DEBUG : Creating backend with remote "icloud:/"
2024/04/20 11:04:04 DEBUG : Using config file from "/home/pkg/pkgbuild/rclone/rclone-icloud/rclone/rclone-icloud.conf"
2024/04/20 11:04:04 DEBUG : icloud: Valid session, no need to reauth
2024/04/20 11:04:04 DEBUG : fs cache: renaming cache item "icloud:/" to be canonical "icloud:"
2024/04/20 11:04:05 DEBUG : 8 go routines active

./rclone-icloud -vvv --config rclone-icloud.conf ls icloud:/
2024/04/20 11:04:58 DEBUG : rclone: Version "v1.67.0-DEV" starting with parameters ["./rclone-icloud" "-vvv" "--config" "rclone-icloud.conf" "ls" "icloud:/"]
2024/04/20 11:04:58 DEBUG : Creating backend with remote "icloud:/"
2024/04/20 11:04:58 DEBUG : Using config file from "/home/pkg/pkgbuild/rclone/rclone-icloud/rclone/rclone-icloud.conf"
2024/04/20 11:04:59 DEBUG : icloud: Valid session, no need to reauth
2024/04/20 11:04:59 DEBUG : fs cache: renaming cache item "icloud:/" to be canonical "icloud:"
2024/04/20 11:04:59 DEBUG : 8 go routines active

[lostb1t]

do you maybe have advanced data protection enabled?

[cyayon]

Yes I have.
Is there an issue with that ?

[lostb1t]

yes its currently unsupported

[cyayon]

Ok, I understand.
Do you plan to support it or is it too complicated to implement ?
Thanks

[lostb1t]

i hope to add support for it eventually.Its a different flow, need to dive in a bit to see what it entails

[cyayon]

Thanks !--Christophe YayonOn 20 Apr 2024, at 12:56, lostb1t ***@***.***> wrote: i hope to add support for it eventually.Its a different flow, need to dive in a bit to see what it entails —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[cyayon]

I just disabled the advanced protection and it do not change everything. No file or directory found ...
Same verbose infos.

[lostb1t]

I just disabled the advanced protection and it do not change everything. No file or directory found ...
Same verbose infos.

try to delete the remote and add it again (reauthenticate)

[cyayon]

Great ! it works.
Thanks

[cescofry]

Works for me on ArchLinux 6.8.7-1.

I had an issue with 2fa, when prompted none of my devices would show the code on screen. However I managed to get it working by going on my iPhone to settings->AppleID->Sigh-in & Security->Two-Factor Authentication->Get Verification Code.

I also struggled when looking for iCloud in the list of rclone remotes as it has not be inserted in the right alphabetical spot.

Great work @lostb1t, cannot wait to see this landed on main. If you need some help to finish this work or just for some testing let me know.

[lostb1t]

You gotta be kidding me.

[r10r]

No - why should I 🤔

[lostb1t]

Wasn’t directed to you but Apple :)

Seems they finally dropped their legacy auth after like 20 years. Yeah this requires a rewrite.

i expect more reports will come in soon.

[r10r]

Wasn’t directed to you but Apple :)

😆 Let me know if I can help you with testing.

[cyayon]

Hi,
Perhaps, it could help ?
icloud-photos-downloader/icloud_photos_downloader#970

[vintagefuture]

This is such a shame... I was so happy to see this happening!
I just tested as well but I get the same problem:

~ rclone --version  
rclone v1.69.0-beta.8384.b9207e572
- os/version: linuxmint 22 (64 bit)
- os/kernel: 6.8.0-48-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.23.2
- go/linking: static
- go/tags: none

2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all-set,1,false", result="AcQzsfBDzcjufalaXYjY2lc8L2e8YKNkg-lYJ5VgSMI2WoQ"
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,2,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,2,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,3,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,3,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,4,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,4,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,5,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,5,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,6,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,6,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all,7,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config in: state="*all,7,false", result=""
2024/11/04 16:13:14 DEBUG : iCloud Drive: config out: out=&{State:*all-advanced Option:false OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:14 DEBUG : iCloud Drive: config: reading config parameter "config_fs_advanced"
Edit advanced config?
y) Yes
n) No (default)
y/n> n

2024/11/04 16:13:16 DEBUG : iCloud Drive: config in: state="*all-advanced", result="false"
2024/11/04 16:13:16 DEBUG : iCloud Drive: config out: out=&{State:*postconfig Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/04 16:13:16 DEBUG : iCloud Drive: config in: state="*postconfig", result=""
2024/11/04 16:13:16 DEBUG : iCloud Drive: config in: state="", result=""
2024/11/04 16:13:16 DEBUG : icloud: Authenticating as ***********
2024/11/04 16:13:17 DEBUG : iCloud Drive: config out: out=<nil>, err=HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"
2024/11/04 16:13:17 DEBUG : iCloud Drive: config out: out=<nil>, err=HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"
Error: HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"

Advanced data protection is disabled and I'm using a brand new app password.

I wouldn't know where to start to troubleshoot this issue, but I'm more than happy to help with testing or anything else needed to solve this last challenge!

[cyayon]

Hi,
Same issue today, my 2FA token expired and I am unable to renew :

CRITICAL: Fatal error: HTTP error 400 (400 Bad Request) returned body: "{"success":false,"error":"Invalid Session Token"}"

[IkHadHonger]

Hi, Same issue today, my 2FA token expired and I am unable to renew :

CRITICAL: Fatal error: HTTP error 400 (400 Bad Request) returned body: "{"success":false,"error":"Invalid Session Token"}"

Yes same for me

[ncw]

@LostB1 this is just about to be released into v1.69

However it sounds like it is broken :-(

Shall I

1. Mark it as experimental in the docs - perhaps needs more words you could supply?
2. Leave it out the 1.69 release?

Any other ideas?

[lostb1t]

@ncw if possible i would leave it out.

The change needed isn't a big one but im currently in the middle of moving houses. So currently not able to make the required changes.

[cyayon]

Hi,Since a few days I was able to refresh token. It seems Apple restored the legacy authentication.--Christophe YayonOn 14 Nov 2024, at 17:42, lostb1t ***@***.***> wrote: @ncw if possible would leave it out. The change needed isn't a bug one but im currently in the middle of moving houses. So currently not able to make the required changes. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[vintagefuture]

Hi,

it works for me too!

My bad, I was using the app password instead of regular password + 2FA. It worked at first try!

[cyayon]

Apple has done something and restored the legacy method.--Christophe YayonOn 14 Nov 2024, at 20:14, vintagefuture ***@***.***> wrote: Hi, it works for me too! My bad, I was using the app password instead of regular password + 2FA. It worked at first try! —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[uwolfer]

I can confirm that logging in with the Apple ID and 2FA works. Logging in with app specific password does not. I think it would make sense to add a clear note in the config process.

Thanks for implemetioning this feature @lostb1t!

[lostb1t]

thats interesting. No way to be sure for how long/if it was just a fluke, but if it works then the release can proceed in my opinion.

[ncw]

Ah good. @lostb1t can you send a PR explaining that in the docs please?

[vintagefuture]

Hi @ncw

I know that @lostb1t is busy at the moment, so I took the liberty of creating a small PR — it just adds a note clarifying that the app-specific password won't work:

#8197

@lostb1t Thank you so much for your hard work! I can finally use Obsidian on my Linux box!

[ncw]

Thank you @vintagefuture - I've merged that.

[egigoka]

Any chance to add an option to receive 2fa via sms? icloud-photos-downloader/icloud_photos_downloader#803

I don't wanna use my main apple id authenticated on backup systems so i've tried to use secondary apple id and it have no authorized systems to send 2fa except sms.

[lostb1t]

Any chance to add an option to receive 2fa via sms? icloud-photos-downloader/icloud_photos_downloader#803

I don't wanna use my main apple id authenticated on backup systems so i've tried to use secondary apple id and it have no authorized systems to send 2fa except sms.

Not planning on adding it myself.

[BingoKingo]

Hi, I got these when using a Apple ID (cn)

NOTICE: Fatal error: HTTP error 302 (302 Found) returned body: "{\"domainToUse\":\"iCloud.com.cn\"}"
CRITICAL: Failed to create file system for "iCloud:": missing icloud trust token: try refreshing it with "rclone config reconnect iCloud:"

Any progress?

[lostb1t]

Hi, I got these when using a Apple ID (cn)

NOTICE: Fatal error: HTTP error 302 (302 Found) returned body: "{\"domainToUse\":\"iCloud.com.cn\"}"

CRITICAL: Failed to create file system for "iCloud:": missing icloud trust token: try refreshing it with "rclone config reconnect iCloud:"

Any progress?

china right? not supported right now (china uses a different server)

could you create an issue for this? will add it soon

[RigleGit]

Thanks for the feature! When are we going to be able to use it? I wanted to use it in my fresh Fedora 41 install and the latest rclone doesn't include it yet. Thanks!

[egigoka]

Thanks for the feature! When are we going to be able to use it? I wanted to use it in my fresh Fedora 41 install and the latest rclone doesn't include it yet. Thanks!

You can grab the binary or package from beta.rclone.org.

Testing on my MacBook and openSUSE server, works fine.

[RigleGit]

Thanks @egigoka ! I was able to install and configure it perfectly. The only thing I'm facing is errors like this when I open Obsidian:

2025/01/10 19:17:42 ERROR : Personal/Diary/Prueba.md: Failed to copy: HTTP error 412 (412 Precondition Failed) returned body: "{\n \"uuid\" : \"ed80441e-e390-4ca2-95fb-b6e822b79b35\",\n \"messageForDeveloper\" : \"Request has out of order children to be chained but the parents were missing\",\n \"error_code\" : \"VALIDATING_REFERENCE_ERROR\",\n \"serverErrorCode\" : \"VALIDATING_REFERENCE_ERROR\",\n \"reason\" : \"Request has out of order children to be chained but the parents were missing\"\n}"

I used the --vfs-cache-mode writes to mount it. Am I doing anything wrong? First time using rclone.

[egigoka]

Thanks @egigoka ! I was able to install and configure it perfectly. The only thing I'm facing is errors like this when I open Obsidian:

2025/01/10 19:17:42 ERROR : Personal/Diary/Prueba.md: Failed to copy: HTTP error 412 (412 Precondition Failed) returned body: "{\n \"uuid\" : \"ed80441e-e390-4ca2-95fb-b6e822b79b35\",\n \"messageForDeveloper\" : \"Request has out of order children to be chained but the parents were missing\",\n \"error_code\" : \"VALIDATING_REFERENCE_ERROR\",\n \"serverErrorCode\" : \"VALIDATING_REFERENCE_ERROR\",\n \"reason\" : \"Request has out of order children to be chained but the parents were missing\"\n}"

I used the --vfs-cache-mode writes to mount it. Am I doing anything wrong? First time using rclone.

I don't mount it directly, just use as backend for duplicati, so I don't know how to fix mounting problems.

[eljonny]

EDIT:
I originally got to this through a thread on reddit, I see the following recent open issue: #8587
Apologies, please disregard.
If anyone makes it here from the reddit article, the gist of 8587 is Apple is throttling/blocking based on user agent, so override your user agent with the --user-agent parameter.

OG:
Does this still work for anyone?
I am trying to use this in the latest 1.69 beta from January and I am getting an error mentioned many times in this thread:

$ rclone config -vvvvv
2025/09/28 12:21:00 DEBUG : rclone: Version "v1.69.0-beta.8510.4b6c7c6d8" starting with parameters ["rclone" "config" "-vvvvv"]
2025/09/28 12:21:00 DEBUG : Using config file from "/home/jhyry/.config/rclone/rclone.conf"
No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n

Enter name for new remote.
name> icloud

Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
...
59 / iCloud Drive
   \ (iclouddrive)
...
Storage> iclouddrive

2025/09/28 12:21:11 DEBUG : icloud: config in: state="*all", result=""
2025/09/28 12:21:11 DEBUG : icloud: config out: out=&{State:*all-set,0,false Option: OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:11 DEBUG : icloud: config: reading config parameter "apple_id"
Option apple_id.
Apple ID.
Enter a value.
apple_id> MY_APPLE_ID

2025/09/28 12:21:20 DEBUG : icloud: config in: state="*all-set,0,false", result="MY_APPLE_ID"
2025/09/28 12:21:20 DEBUG : Saving config "apple_id" in section "icloud" of the config file
2025/09/28 12:21:20 DEBUG : icloud: config out: out=&{State:*all,1,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:20 DEBUG : icloud: config in: state="*all,1,false", result=""
2025/09/28 12:21:20 DEBUG : icloud: config out: out=&{State:*all-set,1,false Option: OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:20 DEBUG : icloud: config: reading config parameter "password"
Option password.
Password.
Choose an alternative below.
y) Yes, type in my own password
g) Generate random password
y/g> y
Enter the password:
password:
Confirm the password:
password:

2025/09/28 12:21:33 DEBUG : icloud: config in: state="*all-set,1,false", result="HASHED_RESULT"
2025/09/28 12:21:33 DEBUG : Saving config "password" in section "icloud" of the config file
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,2,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,2,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,3,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,3,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,4,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,4,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,5,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,5,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,6,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,6,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all,7,false Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config in: state="*all,7,false", result=""
2025/09/28 12:21:34 DEBUG : icloud: config out: out=&{State:*all-advanced Option:false OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:34 DEBUG : icloud: config: reading config parameter "config_fs_advanced"
Edit advanced config?
y) Yes
n) No (default)
y/n> n

2025/09/28 12:21:41 DEBUG : icloud: config in: state="*all-advanced", result="false"
2025/09/28 12:21:41 DEBUG : icloud: config out: out=&{State:*postconfig Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2025/09/28 12:21:41 DEBUG : icloud: config in: state="*postconfig", result=""
2025/09/28 12:21:41 DEBUG : icloud: config in: state="", result=""
2025/09/28 12:21:42 DEBUG : icloud: Authenticating as MY_APPLE_ID
2025/09/28 12:21:42 DEBUG : icloud: config out: out=<nil>, err=HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"
2025/09/28 12:21:42 DEBUG : icloud: config out: out=<nil>, err=HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"
Error: HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"
...
2025/09/28 12:21:42 NOTICE: Fatal error: HTTP error 400 (400 Bad Request) returned body: "{\"success\":false,\"error\":\"Invalid Session Token\"}"

Maybe they got rid of legacy auth again or something.
ADP is disabled and "Access iCloud Data on the Web" is enabled.
It does not give me the chance to enter a 2FA token.

Thanks so much for this!
I've never used rclone before so I could just be doing something wrong.