We have a number of projects within my organisation. One such project has created a project-scoped Azure Artifact feed that they wish to share with our other projects.
However, when the other projects access their Artifacts page, from the feed drop-down they can only see the "Organization scoped feeds" and nothing under "Project-scoped feeds". What do we need to do make this feed visible and available to the other projects, particularly for use in their pipelines.
I'm at a loss, as I've drawn a complete blank so far.
According to the doc: To see a project-scoped feed in the list you have to be navigated to the project the feed is scoped to. We could know that we cannot see the project-scoped feed in another project.
particularly for use in their pipelines.
When connecting to a private project scoped feed from an Azure DevOps pipeline that is in the same organization but in a different project, the project that the feed is scoped to must allow access to the other project's build service. The build service must also be separately added to the feed permissions, regardless of the scope of the feed.
Add build service account: Build service account is Project Collection Build Service (Org name), we need configure feed permission in the project-scoped feed for this service. then we could access the project-scoped feed in the pipeline.
We also need open project settings->settings and ensure the option Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to current project for release pipelines is disabled. We could refer to the pic below.
Then we could access and use the project-scoped feed in another project pipeline.
Project-scoped feeds can't be 'shared' with other projects per se, but that doesn't really restrict how they are used. You can certainly have identities with permission to both, including build identities. Make sure the identity has "Read project-level information" permission in the project security settings for the project which contains the feed, as well as appropriate permissions on the feed itself. You can think of it similarly to Git repos -- you don't see other projects' Git repos, but there's nothing stopping you from using Git repos in multiple projects if you have permission to access them.
Another option is Upstream Sources.
This is a very old post. But, in case, someone is still facing the problem and the above solutions have not worked like me then please follow as below.
Step One:
Select project hosting the feed
Select Project settings
Select Permissions
Select groups tab
Select Contributors
Select Members tab
Click Add
Select [Name of the project Consuming the Feed] Build Services ([Organization Name]) ex: FeedConsumer Build Services (xyz)
Click Save
Step Two:
Select project hosting the feed
Select Artifacts
Select your feed.
Select Feed Settings
Select Permissions
Click Add Users/Groups button
Select [Name of the project Consuming the Feed] Build Services ([Organization Name]) ex: FeedConsumer Build Services (xyz)
Select the role as a contributor
Click Save
Step Four:
Add nuGet.config file to the consumer project's root path where there is a .csproj or .sln file.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<clear />
<add key="[Feed Name]" value="https://pkgs.dev.azure.com/[Company Name]/[Project Name]/_packaging/[Feed Name]/nuget/v3/index.json" />
</packageSources>
</configuration>
Follow these steps to get the above xml
Select project hosting the feed
Select Artifacts
Select the required feed
Click Connect to Feed
Select NuGet.exe
It should be there in Project Setup
This should allow you to use the feed in one project to another project without giving you an unauthorized error. Happy Coding!!
Reference: https://learn.microsoft.com/en-us/azure/devops/artifacts/how-to/project-scoped-feeds-pipeline-project-permissions?view=azure-devops
Related
I have created a Project scoped nuget feed in azure dev. I have some developers that I want them to be able to list/restore and read nuget packages so that they can add them in the projects they are working on.
I have added them in my organization (they are using an email address like outlook.com and gmail.com) without any project access and then from the nuget feed permissions I gave the permissions as Readers
When they try to run nuget list they get
Unable to load the service index for source https://pkgs.dev.azure.com/myorganizationname/e1f090d9-f848-428b-b774-7fd9dfc873ef/_packaging/Nuget-Test-Feed/nuget/v3/index.json.
Response status code does not indicate success: 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/e1f090d9-f848-428b-b774-7fd9dfc873ef' does not exist, or you do not have permission to access it. (DevOps Activity ID: 09410946-865a-4d69-9b05-f1fd1d668891)).
Why they are not be able to access this feed?
Project nuget feed in azure dev cannot be accessed from reader
That is because the Project-scoped feeds inherit the visibility of the project.
So, if the user is not added to the project, will not access the feed.
To resolve this issue, please try to add the user to the project.
As test, I add my test use as Project Readers:
Then my test user could access the feed:
I'm trying to add a new repository to my project but don't see the option. I have 5 projects and all of them I am able to, any reason why not here?
Here I see the "add" option:
But here I don't:
Your current account does not have the permission to delete or add new repositories under your current project called Homeazzon.
Please enter Homeazzon project-->Project Settings-->Repos-->Repositories-->Security
check every Azure Devops Group and User and then set Create repository and Delete repository to Allow.
I have one older project in my Azure DevOps organisation that does not have this "project Build Service" account in Project Settings=>Repos=>Security. If I create a new project in my organisation then I can get it there just fine.
How could I get that project Build Service account to my older projects as well?
How could I get that project Build Service account to my older projects as well?
I am afraid there is out of box way to get that project Build Service account to your older projects.
As workaround, you could add a group for that project Build Service account on the Organization Settings->Permissions, add members in that group.
Then, go to Project Settings->Teams->select the Team project-> Add users and/or groups:
After that, we could search that group in the Repos=>Security, do some change in the permission and save it:
Hope this helps.
Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.
The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops
But where, in DevOps' myriad menus, can this scope be set?
EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question:
https://stackoverflow.com/a/73136309/5358731
There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html
In short, this seems to affect new projects connecting to a private feed. Here's the suggested work around:
Click "Artifacts" in the project with the failing build
Select the feed you were trying to consume in your build and click the cog in the top right corner
Click "Feed Settings"
Go to the Permissions tab
Click the 3 dots [...] that appeared to the right of the tab
Click "Allow project-scoped builds"
This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.
Full credit to Tim Lynch from the developer community page.
All answers are valid but it depends.
Take into account that only Contributor and Owner roles are allowed to push packages read the docs here.
Then also remember Scoped build identities .
Azure DevOps uses two built-in identities to execute pipelines.
A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
A project-scoped identity, which has access to a single project
...
By default, the collection-scoped identity is used, unless the Limit
job authorization scope to current project is set in Project Settings > Settings.
With this in mind follow the next steps:
You need to check which identity is being used for your pipelines:
For me is project-scoped identity
Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)
No. 1 If the identity is collection-scoped
No. 2 If the identity is project-scoped
No. 3 Give your contributors the least privilege principle if it applies. (For me its ok to leave them read the feed, and the pipeline or me are the only ones allowed to push packages)
Remember again you need to use Owner or Contributor roles.
Go to your feed settings:
In the Permissions tab verify that have at least reader permissions to "Project Collection Build Service (username)":
It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.
I'm using VSTS on Visualstudio.com to host our Solution. I have one solution with multiple Visual Studio projects, all hosted in a Team Project inside TFS. Now I'll have some one to help me with development, but I don't want him to have access to all the Visual Studio projects, only some of them. How can I give him access to some of the Visual Studio projects while denying access to the other ones?
If you are using TFVC as source control, you can refer to these steps below:
Add the user to your VSTS
Go to the admin page of that team project
Select Security tab
Click Create group to create a new group (e.g. CodeGroup)
Set View project-level information to Allow in Permissions tab
Add the corresponding user to that group in Members tab
Click Version Control tab
Select the folder of the project (one of the project in your solution folder)
Click Add to add CodeGroup (step4)
Set Read and Check in permissions to Allow
If you are using Git as source control, you can’t set the security for an item (project in a solution) in the repository.
On the other hand, If there are some project references that the user can’t access, I recommend that you can package and push the assembly to the feed of your VSTS: Package Management in Team Services and TFS