Can Azure Artifacts packages be made available publicly? If so, I'd like publish NuGet packages from a PR to my GitHub project. I currently get the following permissions error from PR builds:
[warning]Warning_SessionCreationFailed {"statusCode":500,"result":{"$id":"1","innerException":null,"message":"User
'89e4e6df-0ac0-471f-ba63-0270050c3b79' lacks permission to complete
this action. You need to have
'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException,
Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}}
[error]Error: The process '/usr/bin/dotnet' failed with exit code 1
[error]Packages failed to publish
I'm using an azure-pipelines.yml file. Here is a link to my Azure Pipelines build.
Update 1
These are the users/groups I have already added to my feed:
These are the users/groups I can add to my feed, that I haven't already done:
Update 2
This is the yaml for the Azure Pipelines task I am using to publish the NuGet package:
- task: DotNetCoreCLI#2
displayName: 'Dotnet NuGet Push'
inputs:
command: push
nuGetFeedType: internal
packagesToPush: '/home/vsts/work/1/Windows/*.nupkg'
publishVstsFeed: schema-net
According to the error message, your account does not have permissions on that feed which you want to operate.
You need verify whether your account has Contributor or higher permissions on the feed which you are trying push to.
In another, the group Project Collection Build Service is a default Contributor. But also, as default setting, it does not include the account Project Collection Build Service(xxxx) as a member. So, if you are the owner, you may need to add the Project Collection Build Service(xxxx) account into Project Collection Build Service group.
Edit:
As I check your org info from our back end, I found the user(89e4e6df-0ac0-xxxxxx-0270050c3b79), which displayed in your error message, is a Service identity account. And it's domain is build. It's a special account, not the normal user who may create or trigger the pr. So, if you do not grant permission to this service identity account, it will not have permission to access the feed you want to push to.
And also, the direct parents groups of this security account in your Org is [org name]\Security Service Group. You can check it under your org setting. You can also check its permission under your feed.
So, for solved, you need to add this service identity account in to your feed setting, and grant it contributor or higher role.
2nd Update:
For clearly understand, let me clear up some details.
At first,according to the error message which displayed in log said lack ReadPackage permission, I considered this firstly with the permission of the feed which you wanted push to in task.
In addition, the user number which also displayed in the log, 89e4e6df-0ac0-xxxxxx-0270050c3b79. As I checked from backend, it is a VSID that represent a build service account: Schema.NET Build Service (schema-net). So, firstly, it’s easy to think that this account does not has relevant permission so that it could not push package.
But, after you update the feed setting, I check user VSID from backend again and review the error log. I figure it out. According to the logs of #20190625.1, you can see that the error begin occurred on getting source package:
##[warning]Can\'t find loc string for key:
Warning_SessionCreationFailed
Because of this error, it’s failed to create the correct package source package path so that the service account does not have permission to access it because it’s a wrong path:
In fact, the correct source package url should look like this( you can refer this from #2029062502)
https://pkgs.dev.azure.com/schema-net/_packaging/f43386ca-{package id}-d2f8da200fb3/nuget/v3/index.json
Now, I think this is a issue which about the configuration of your nuget.config file.
Related
we use yaml pipelines in azure devops and use the 'limit job authorization scope' and 'Protect access to repositories in YAML pipelines' on organization level. but now we need some cross-project azure pipelines and as expected we get an authorization error when using the checkout task:
remote: TF401019: The Git repository with name or identifier SecondRepo does not exist or you do not have permissions for the operation you are attempting.
fatal: repository 'https://dev.azure.com/myorg/SecondProject/_git/SecondRepo/' not found
##[warning]Git fetch failed with exit code 128, back off 1.451 seconds before retry
We thought we were smart and gave the 'FirstProject Build Service (myorg)' (which runs the pipeline) access to the SecondRepo repository. However, we still get the authorization error described above.
i would have expected that the limit job authorization settings would not automatically give the user more rights. but as it looks to us, manually set rights are probably also deliberately removed.
is this intended?
Please make sure to disable the Limit job authorization scope to current project for non-release pipelines setting at project level and organization level for the project where you are running the pipeline. For more details, please refer to here.
I have been using azure devops pipelines for some time but today there is an error:
Access Denied: 0000000d-0000-8888-8000-000000000000 needs the following permission(s) on the resource /Organizations to perform this action: Read Organization resources
I cant find what/who is 0000000d-0000-8888-8000-000000000000 and where to configure those permissions.
Any idea?
I cant find what/who is 0000000d-0000-8888-8000-000000000000 and where
to configure those permissions.
The 0000000d-0000-8888-8000-000000000000 is the Microsoft.VisualStudio.Services.ReleaseManagement. You could get it from the Response:
Get all deployments in the project
According to your description, this issue exists from today. And it works fine before.
After investigation, there are some recent events of available degradation of Azure DevOps, which affected these services, please wait for a while and then try again. If you want to know more information, please click here: https://status.dev.azure.com/_event/257032220
You could wait for a while and check if this issue still exists, please continue to contact us.
I have a pipeline with the following:
resources:
repositories:
- repository: repo
type: git
name: TEST-staging
steps:
- checkout: repo
When the pipeline runs I get this warning:
This pipeline needs permission to access a resource before this run can continue
Which prompts me to grant access:
Granting permission here will permit the use of Repository 'TEST-staging' for all waiting and future runs of this pipeline.
I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?
EDIT: User is prompted to permit access when the pipeline names the repo e.g. - checkout: repo however, user is NOT prompted to permit access when using -checkout: self even though it's the same repo.
EDIT: The organization settings for Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to referenced Azure DevOps repositories are currently and have always been disabled.
EDIT: This FAQ question is similar to my question: Why am I am prompted to authorize resources the first time I try to check out a different repository?. That FAQ leads to this documentation: Troubleshooting authorization for a YAML pipeline. That documentation contains:
When you create a pipeline for the first time, all the resources that
are referenced in the YAML file are automatically authorized for use
by the pipeline, provided that you are a member of the User role
for that resource. So, resources that are referenced in the YAML file
at pipeline creation time are automatically authorized. When you
make changes to the YAML file and add additional resources ... then
the build fails with a resource authorization error ... In this case,
you will see an option to authorize the resources on the failed build.
If you are a member of the User role for the resource, you can select
this option. Once the resources are authorized, you can start a new
build.
EDIT: This seems to be the work item for the change that is causing us to be prompted to permit access.
So, I am being lead to these conclusions:
#Leo had the correct answer to the question "Where are those permissions listed?" except when a YAML resource is added to an existing pipeline
When YAML resources are modified or edited, the user is prompted to authorize that access even when that access is already authorized via the user's role
I have re-titled this post in the hopes that it more clearly asks the question, because as of now there does not seem to be any place in which ad-hoc authorizations are listed
I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?
According to the document Pipeline permissions and security roles, we could to know:
For permissions, you grant or restrict permissions by setting the
permission state to Allow or Deny, either for a security group or an
individual user. For a role, you add a user or group to the role.
Therefore, the permission of the pipeline is associated with the user executing the pipeline.
To be able to audit and modify which pipelines have access to which repos, we could use a higher authority account to give the current user permission to access the TEST-staging repo:
Organization Settings->Users->select the current user->Three dots->Manager User:
If the current user has permission to directly access the repo, then when this user executes the pipeline, the pipeline will have the permission to access the resource repo.
Devops folks,
I am pushing the build pipeline output to Azure Artefacts - Universal packages for a full stack .net application. The application builds successfully and produces an output in $(Build.ArtifactStagingDirectory)
Would like to publish all these build outputs to UniversalPackages and let release pipeline take it over from there.
I have checked for below things:
1. Permission - Project Collection Build Service - Contributor Role.
2. Task Configuration Confirmed below "UniversalPackages"
- task: UniversalPackages#0
inputs:
command: 'publish'
publishDirectory: '$(Build.ArtifactStagingDirectory)/**/*.nupkg'
feedsToUsePublish: 'internal'
vstsFeedPublish: '123456fg-test-1234-1234-31161a66dc4d/b92b3313-ab41-4044-test-e94146618efb'
vstsFeedPackagePublish: 'Text here-Services-Package'
versionOption: 'minor'
packagePublishDescription: 'Contains some text here)'
verbosity: 'Trace'
sorry for YAML indenting issues,
Below is the pipeline log
2020-04-04T02:36:03.9835393Z Publishing package: test, version: 0.0.1 using feed id: 76a3991f-e6fc-767b-a0dc-90e38c54e558, project: 7813b7e3-bbf1-4355-9263-31161a66dc4d
2020-04-04T02:36:04.0147395Z [command]D:\ABCAgent\_work\_tool\artifacttool\0.2.151\x64\ArtifactTool.exe universal publish --feed 76a3991f-e6fc-767b-a0dc-90e38c54e558 --service https://dev.azure.com/QWERTY/ --package-name test --package-version 0.0.1 --path D:\AzureAgentBuild\_work\1\a --patvar UNIVERSAL_PUBLISH_PAT --verbosity None --description "" --project 7813b7e3-bbf1-4355-9263-31161a66dc4d
2020-04-04T02:36:09.2875733Z {"#t":"2020-04-04T02:36:08.7883701Z","#m":"[GetDedupManifestArtifactClientAsync] Try 1/5, non-retryable exception caught. Throwing. Details:\r\nNo LastRequestResponse on exception VssServiceResponseException: Forbidden","#i":"b2d31574","#l":"Warning","#x":"Microsoft.VisualStudio.Services.WebApi.VssServiceResponseException: Forbidden\r\n
Microsoft.VisualStudio.Services.WebApi.VssServiceResponseException:
Forbidden
This permission error can be converted as 403 error code, which means the account does not have enough operation permission to publish package to universal package.
You said you had assign 'Project Collection Build Service' with 'Contributor' role. BUT, this is not a solution for all scenario. It only available while the build pipeline is using 'Project Collection Build Service' account, a collection level service account. There still has another scenario, the pipeline may using project-level service account.
You can with the methods I shared in this answer. Check this to get another similar issue and explanation.
Method 1:
Please go Feed settings => Permissions, add your project-level build service account and assign it Contributor role. Its account name should like {Project Name} Build Service ({Org Name}).
Re-run your pipeline to see whether it can run successfully.
Method 2:
Go Project settings => Settings, and make sure Limit job authorization scope to current project is disabled:
Only it disabled, the service account that pipeline used is collection-level one. At this time, your original permission configuration would be available now.
After playing around with permission for pipelines build service, the root cause was found to be with proxy being blocking the universal package with a forbidden error.
We just removed the proxy from the on-prem, self-hosted build agent and used Azure Express Route to route the traffic. This simple change fixed the issue.
Also, you can doublecheck in the Billing options if the Artifact free space is used up. I fixed it using this option.
When building an artifact using Azure DevOps, "Publish artifact" task failed with error
Publishing build artifacts failed with an error: EPERM: operation not permitted
When you are using A file server option as an Artifact publish location for Publish task, make sure the Agent/Service has access to the server.
In my case, I added the agent in Administrator group to be able to do WRITE operation.
If you use self-hosted agent, by default it runs as local NETWORK SERVICE account that doesn't have access to remote shares. So you should either:
Change agent's logon account. For some reason Microsoft doesn't recommend to change it from Services snap-in, but rather reconfigure it from their scripts.
Grant to local NETWORK SERVICE account access to remote share. To do it, you need to add computer account with your agent (i.e. "DOMAIN\ServerA$") to Share and NTFS permissions on the shared folder. See for example here.