Azure DevOps: PATCH REST Call in Release Pipeline returns (403) Forbidden

Question

Context

I use a PowerShell Script with an Azure PowerShell task (Task version 4.* preview) to trigger the most recent release of a certain release pipeline. After retrieving the id of the last release as well as the id of the related environment via

GET https://vsrm.dev.azure.com/$azureDevOpsOrganizationName/$azureDevOpsProjectName/_apis/release/deployments?queryOrder=descending&`$top=1&definitionId=$azureDevOpsReleasePipelineId&definitionEnvironmentId=$azureDevOpsReleaseEnvironmentId&api-version=5.0

I want to make a PATCH REST Call to trigger the related release via

PATCH https://vsrm.dev.azure.com/$azureDevOpsOrganizationName/$azureDevOpsProjectName/_apis/Release/releases/$lastDeploymentId/environments/$($lastDeploymentEnvironmentId)?api-version=5.0-preview.6

with the following body

$triggerMostRecentReleaseBody = @{
    comment = 'some comment'
    status = 2
    scheduledDeploymentTime = $null
}
$triggerMostRecentReleaseBodyJSON = $triggerMostRecentReleaseBody | ConvertTo-Json

To be able to make these REST Calls I enabled the OAuth token for being available in the pipeline:

and retrieve the token via $env:SYSTEM_ACCESSTOKEN in the PowerShell script.

The Issue

The GET request works perfectly fine but when executing the PATCH Call it returns the error

(403) Forbidden

So the question is how to enable the OAuth token to make these kind of REST Calls?

Answer 1

The issue is that the permissions related to the OAuth token are not sufficient by default to make the PATCH Call.

To grant the necessary permissions add the Project Collection Build Service (xxx) user to the Project Administrators group: