HenrikMöller

Reputation: 125

How do I set the build authorization scope for my project?

Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.

/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.

The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:

https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops

But where, in DevOps' myriad menus, can this scope be set?

Upvotes: 6

Views: 10236

Answers (4)

Mark

Reputation: 1385

EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question: https://stackoverflow.com/a/73136309/5358731


There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html

In short, this seems to affect new projects connecting to a private feed. Here's the suggested workaround:

  1. Click "Artifacts" in the project with the failing build
  2. Select the feed you were trying to consume in your build and click the cog in the top right corner
  3. Click "Feed Settings"
  4. Go to the Permissions tab
  5. Click the 3 dots [...] that appeared to the right of the tab
  6. Click "Allow project-scoped builds"

This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.

Full credit to Tim Lynch from the developer community page.

Upvotes: 8

David Noreña

Reputation: 4230

All answers are valid but it depends.

Take into account that only Contributor and Owner roles are allowed to push packages; read the docs here.

Then also remember Scoped build identities.

Azure DevOps uses two built-in identities to execute pipelines.

  • A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
  • A project-scoped identity, which has access to a single project

...

By default, the collection-scoped identity is used, unless the Limit job authorization scope to current project is set in Project Settings > Settings.

With this in mind follow the next steps:

  1. You need to check which identity is being used for your pipelines:

For me it is the project-scoped identity

  2. Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)

  • No. 1 If the identity is collection-scoped
  • No. 2 If the identity is project-scoped
  • No. 3 Give your contributors the least privilege principle if it applies. (For me it's OK to let them read the feed, and the pipeline or me are the only ones allowed to push packages)

Remember again you need to use Owner or Contributor roles.

Upvotes: 6
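
As an added example (not part of any answer in this thread, and not Microsoft's code), this Python check ties the answers together: it derives which build identity a job runs as from the "Limit job authorization scope to current project" setting, then compares that identity's feed role with what restore or push needs. The organization `contoso`, project `Shop`, the feed entries and the identity display-name formats are assumptions made for illustration.

```python
# Added example: names and sample data below are constructed, not from the thread.
ROLE_RANK = {"Reader": 1, "Collaborator": 2, "Contributor": 3, "Owner": 4}
# Minimum feed role per operation, as stated in the answers above.
NEEDED = {"restore": "Reader", "push": "Contributor"}


def build_identity(org, project, limit_scope_to_project):
    """Display name of the identity a pipeline job runs as (assumed format)."""
    if limit_scope_to_project:
        return f"{project} Build Service ({org})"
    return f"Project Collection Build Service ({org})"


def check_feed_access(feed_roles, org, project, limit_scope_to_project, operation):
    """Report whether the job's identity can perform `operation` on the feed,
    and whether it holds a higher role than the operation requires."""
    identity = build_identity(org, project, limit_scope_to_project)
    role = feed_roles.get(identity)          # None: identity not listed on the feed
    have = ROLE_RANK.get(role, 0)
    need = ROLE_RANK[NEEDED[operation]]
    return {
        "identity": identity,
        "role": role,
        "allowed": have >= need,
        "over_privileged": have > need,
    }


# Constructed feed permission list, as the feed's Permissions tab might show it.
SAMPLE_FEED = {
    "Project Collection Build Service (contoso)": "Contributor",
    "[Shop]\\Contributors": "Reader",
}

if __name__ == "__main__":
    for limit in (False, True):
        for op in ("restore", "push"):
            result = check_feed_access(SAMPLE_FEED, "contoso", "Shop", limit, op)
            print(f"limit_scope={limit} op={op}: {result}")
```

With the scope limited to the project, the job runs as the project-scoped identity, which is absent from the sample feed, so restore is denied as in the question's 403; granting that one identity Reader on the feed fixes restore without widening the job scope.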

idursun

Reputation: 6335

It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.

Upvotes: 2

Shayki Abramczyk

Reputation: 41545

Go to your feed settings.

In the Permissions tab verify that "Project Collection Build Service (username)" has at least reader permissions.

Upvotes: 2
