modmoto

Reputation: 3290

Azure Devops publishing to own feed suddenly results in 403 forbidden

I have been using Azure DevOps for a project for quite some time, but suddenly publishing to my own organisation/collection feed results in a 403.

I created a feed and I can select it on the nuget push build step, but it does not work. I created a new feed to publish the NuGet packages to and this works perfectly again. It seems to me like a token expired, but I never created one or used it to authenticate. I also do not want to change my NuGet feed to the new one, as I want to use older packages as well.

This is the build pipeline:


And this is the stack trace:

Active code page: 65001
SYSTEMVSSCONNECTION exists true
SYSTEMVSSCONNECTION exists true
SYSTEMVSSCONNECTION exists true
[warning]Could not create provenance session: {"statusCode":500,"result":{"$id":"1","innerException":null,"message":"User 'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException, Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}}
Saving NuGet.config to a temporary config file.
Saving NuGet.config to a temporary config file.
[command]"C:\Program Files\dotnet\dotnet.exe" nuget push d:\a\1\a\Microwave.0.13.3.2019072215-beta.nupkg --source https://simonheiss87.pkgs.visualstudio.com/_packaging/5f0802e1-99c5-450f-b02d-6d5f1c946cff/nuget/v3/index.json --api-key VSTS
error: Unable to load the service index for source https://simonheiss87.pkgs.visualstudio.com/_packaging/5f0802e1-99c5-450f-b02d-6d5f1c946cff/nuget/v3/index.json.
error: Response status code does not indicate success: 403 (Forbidden - User 'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'. (DevOps Activity ID: 2D81C262-96A3-457B-B792-0B73514AAB5E)).
[error]Error: The process 'C:\Program Files\dotnet\dotnet.exe' failed with exit code 1
[error]Packages failed to publish
[section]Finishing: dotnet push to own feed

Is there an option I am overlooking where I have to authenticate myself somehow? It is just so weird.

Upvotes: 32

Views: 32184

Answers (9)

Jason Richmond

Reputation: 161

If I clone an existing pipeline that works and modify it for a new project the build works fine.

But if I try to create a new pipeline I get the 403 forbidden error.

This may not be a solution, but I have tried everything else suggested here and elsewhere and I still cannot get it to work.

Cloning worked for me.

Upvotes: 0

ravz

Reputation: 23

Adding these two permissions solved my issue.

Project Collection Build Service (PROJECT_NAME)

[PROJECT_NAME]\Project Collection Build Service Accounts

https://learn.microsoft.com/en-us/answers/questions/723164/granting-read-privileges-to-azure-artifact-feed.html

Upvotes: 2

badsyntax

Reputation: 9650

Another thing to check, if using a yaml file for the Pipelines, is if the feed name is correct.

I know this might seem like a moot point, but I spent a long time debugging the "...lacks permission to complete this action. You need to have 'AddPackage'." error, only to find I had referenced the wrong feed in my azure-pipelines.yaml file.

Upvotes: 2

Bartosz

Reputation: 4786

If you don't want to/cannot change Project-level settings like here, you can set this per feed by clicking 'Allow Project-scoped builds' (for me greyed out as it's already enabled).

That's different from the accepted answer, as you don't have to explicitly add the user and set the permissions.


Upvotes: 1

Dezzamondo

Reputation: 2318

To further expand on Merlin's solution & related links (specifically this one about scope), if your solution has only ONE project within it, Azure Pipelines seems to automatically restrict the scope of the job agent to the agent itself. As a result, it has no visibility of any services outside of it, including your own private NuGet repos held in Pipelines.

Solutions with multiple projects automatically have their scope unlocked, giving build agents visibility of your private NuGet feeds held in Pipelines.

I've found the easiest way to remove the scope restrictions on single project builds is to:

  1. In the pipelines project, click the "Settings" cog at the bottom left of the screen.
  2. Go to Pipelines > Settings
  3. Uncheck "Limit job authorization scope to current project"

Hey presto, your 403 error during your builds involving private NuGet feeds should now disappear!

Upvotes: 33

Jeremy Caney

Reputation: 7622

It may not be immediately obvious or intuitive, but this error will also occur when the project your pipeline is running under is public, but the feed it is accessing is not. That might be the case, for instance, when accessing an organization-level feed.

In that scenario, there are three possible resolutions:

  1. Make the feed public, in which case authentication isn't required; or
  2. Make the project private, thus forcing the service to authenticate; or
  3. Include the Allow project-scoped builds under your feed permissions.

The instructions for the last option are included in @Merlin Liang - MSFT's excellent answer, but the other options might be preferable depending on your requirements.

At minimum, this hopefully provides additional insight into the types of circumstances that can lead to this error.

Upvotes: 2

Mengdi Liang

Reputation: 19016

"message":"User 'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'.

According to this error message, the error you received is caused by the user (a831bb9f-aef5-4b63-91cd-4027b16710cf) not having access permission to your feed.

Also, as I checked from the backend, a831bb9f-aef5-4b63-91cd-4027b16710cf is the VSID of your Build Service account. So, please try adding this user (Micxxxave Build Service (sixxxxss87)) to your target feed, and assign this user the role of Contributor or higher permissions on the feed.

In addition, here is the doc you can refer to:


There is a new UI in the Feed Permissions:

New UI to allow project-scoped builds

Upvotes: 48
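As an added example (not part of any answer on this page and not Microsoft tooling), this Python helper reads a build log like the one in the question and pulls out the denied identity, the missing permission, and whether the feed URL is organisation-level or project-scoped. The names `parse_feed_url`, `triage` and `MIN_ROLE`, the role table, and the sample log values are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed lowest feed role carrying each permission named in the 403
# (illustrative table, not from the page; check it against current docs).
MIN_ROLE = {"ReadPackages": "Reader", "AddPackage": "Contributor"}
DENIED = re.compile(
    r"User '(?P<vsid>[0-9a-fA-F-]{36})' lacks permission to complete this "
    r"action\. You need to have '(?P<perm>\w+)'")
SOURCE = re.compile(r"--source\s+(?P<url>https://\S+)")

def parse_feed_url(url):
    """Split a NuGet v3 feed URL into organisation, project (or None), feed."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    idx = parts.index("_packaging")  # ValueError if not an Artifacts feed URL
    host = parsed.hostname or ""
    if host.endswith(".pkgs.visualstudio.com"):  # legacy {org}.pkgs.visualstudio.com
        org, before = host.split(".")[0], parts[:idx]
    else:                                        # pkgs.dev.azure.com/{org}/...
        org, before = parts[0], parts[1:idx]
    return {"org": org, "project": before[0] if before else None,
            "feed": parts[idx + 1]}

def triage(log_text):
    """Return one finding per (identity, permission) pair in a build log."""
    src = SOURCE.search(log_text)
    feed = parse_feed_url(src.group("url")) if src else None
    is_push = "nuget push" in log_text  # a push needs publish rights, not just read
    findings = {}
    for m in DENIED.finditer(log_text):
        vsid, perm = m.group("vsid").lower(), m.group("perm")
        findings.setdefault((vsid, perm), {
            "identity": vsid,
            "missing_permission": perm,
            "role_to_grant": "Contributor" if is_push else MIN_ROLE.get(perm, "unknown"),
            "feed": feed,
            # No project segment in the URL means an organisation-level feed
            # (the case the job-authorization-scope answers address).
            "org_scoped_feed": bool(feed) and feed["project"] is None,
        })
    return list(findings.values())

# Constructed sample modelled on the log in the question (placeholder values).
SAMPLE_LOG = """
[warning]Could not create provenance session: {"message":"User '00000000-0000-0000-0000-000000000001' lacks permission to complete this action. You need to have 'ReadPackages'."}
[command]dotnet nuget push example.nupkg --source https://exampleorg.pkgs.visualstudio.com/_packaging/example-feed/nuget/v3/index.json --api-key VSTS
error: Response status code does not indicate success: 403 (Forbidden - User '00000000-0000-0000-0000-000000000001' lacks permission to complete this action. You need to have 'ReadPackages'.).
"""
```

Calling `triage(SAMPLE_LOG)` returns a single finding, because the warning and the final error name the same identity and permission.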

Max Rios

Reputation: 2256

I want to add a bit more information just in case somebody ends up having the same kind of problem. All information shared by the other users is correct, but there is one more caveat to take into consideration. The policy settings are superseded by the organization settings. If you find yourself unable to modify the settings, or they are grayed out, click on the "Azure DevOps" logo at the top left of the screen.


Click on Organization Settings at the bottom left.


Go to Pipeline --> Settings and verify the current configuration.


When I created my organization it was limiting the scope at the organization level. It took me a while to realize it was superseding the project.

Upvotes: 9

Ricky Gummadi

Reputation: 5240

Still wondering where that "Limit job authorization scope to current project" setting is? It took me a while to find it. It's in the project settings; the screenshot below should help.


Upvotes: 7
