Reputation: 1428
on-premises azure devops build agent gets 403 error - other builds in different projects work fine
I have a new project set up in Azure Dev Ops using the same on-premises build pool as all my other projects. This also fails with a Hosted Build Agent.
However the build from this pipeline fails when publishing to our Azure DevOps package feed:
Response status code does not indicate success:
403 (Forbidden - User '2ed245a3-1b32-42a2-ab9d-dfaad036294e' lacks permission to complete this action. You need to have 'AddPackage'. (DevOps Activity ID: B36E439D-1022-42DC-A396-5D2896FB3882)
I don't know what to do about this - I've done nothing different to what I usually do when creating this project, so it looks like some backend wiring up within DevOps hasn't successfully completed. I don't really want to delete this project and re-create it as I've migrated a lot of source code from a prior VSTVC repository in a different project into a git repository in this one.
I've checked the pipeline build job authorization scope - this is set to "project collection" (same as all my other build pipelines in the other projects that all work fine.
I'm using the pipeline step NuGet version 2, Target feed location "This organisation/collection" and selected the correct target feed.
Assuming something has gone wrong I don't know how to fix the permissions in the project to ensure this step works fine.
Any suggestions?
Upvotes: 1
Views: 2690
Answers (2)
Reputation: 43
I was facing the same problem some, i fixed it adding the permission in my feed to allow project-scope-builds.
You have to go to Artifacts-->Feed settings (gear on righ-up)-->Permissions tab
Click on "allow project-scope-builds", this gonna let you to add packages to your feed fixing the issue.
I hope can help you, cheers!!.
Upvotes: 1
Reputation: 18958
Based on the error ID showed in your question, I check the corresponding logs from our backend with these ID.
To solve the issue your are facing, please go Feed - open Feed Setting.
Change to Permissions tab and click on Add users/groups. Then add your build service account reco****tions Build Service(bibl***group), and assign it Contributor or Owner role.
For the error message you are facing, its UserId represents your build service account reco****tions Build Service(bibl***group), which is one build-in service account for Pipeline. You could find it under your [bibl***group]\Security Service group. And the Activity ID shows "you" are forbidden to access the feed.
In fact, when you running some pipeline, the execution of all external operations of the pipeline (including some APIs, restore packages from feed and etc) is completed by Service Account. So, you need to assign the corresponding permission to Service Account based on the specific action in pipeline.
Upvotes: 2
Related Questions
- Azure Build Pipeline - Permission Required
- Build agent (azure devops) builds fine but local build fails
- Visual Studio Encounters 403 Error Connecting to DevOps Project
- Azure Pipelines Hosted Agent Can't Access DevOps project Feed
- Azure DevOps build agent does not have accesstokens in its tokencache
- Azure DevOps REST API returns a 403 when using the system OAuth token during a build
- VSTS-hosted build agents refuse to run due to false capability error
- I am unable to access the build server agent pool
- on-premises build agent is failing to build solution with projects on .net 4.7.1
- Visual Studio Online Build access denied