Azure DevOps: User lacks permission to complete this action. You need to have 'AddPackage'

Question

I get an error:

User XXX lacks permission to complete this action. You need to have 'AddPackage'

when trying to push a nuget package to Azure DevOps artifacts. I am the administrator This is the stage:

  - stage:
    displayName: 'Release'
    condition: succeeded()
    jobs:
      - job: 'Publish'
        displayName: 'Publish nuGet Package'
        steps:
          - download: current
            artifact: $(PIPELINE_ARTIFACT_NAME)
            displayName: 'Download pipeline artifact'
          - script: ls $(PATH_PIPELINE_ARTIFACT_NAME)
            displayName: 'Display contents of downloaded articacts path'
          - task: NuGetAuthenticate@0
            displayName: 'Authenticate in NuGet feed'
          - script: dotnet nuget push $(PATH_PIPELINE_ARTIFACT_NAME)/**/*.nupkg --source $(NUGET_FEED) --api-key $(NUGET_API_KEY)
            displayName: 'Uploads nuGet packages'

And the exact error:

error: Response status code does not indicate success: 403 (Forbidden - User '4a2eb786-540d-4690-a12b-013aec2c86e5' lacks permission to complete this action. You need to have 'AddPackage'. (DevOps Activity ID: XXXXXXX-6DF9-4A98-8A4E-42C556C6FC56)).
##[error]Bash exited with code '1'.
Finishing: Uploads nuGet packages

The git repo is in GitHub. Not sure who is considered to be the user but I don't know which other permissions to modify

Answer 1

I wanted to use organization scoped feed, and I was trying to push to it from my project.

Accepted solution was not working for me - changing Role for the Project Collection Build Service was not enough.

Turns out, there's a Build Service user for a Project scope. It can be checked under Organization settings -> Permissions -> Users tab.

So I had to manually add that user to my Organization scoped feed in the Permissions list and give it Feed Publisher (Contributor) role.

Answer 2

Here's what got this to work for me in June 2024. I believe some of the previous answers are out of date.

1. Pipelines (in the Azure DevOps sidebar) > go to three dots on top right of Pipelines screen > Manage Security > Copy the user under 'Users' to clipboard. My case is: ProjectNameHere Build Service (OrgNameHere)
2. Artifacts (in the Azure DevOps sidebar) > Feed Settings (gear icon top right screen) > Permissions tab > add user from Step 1 as a Contributor.

Answer 3

If the error consists of a GUID representing the user as in the below error

Response status code does not indicate success: 403 (Forbidden - User 'a112123-5123-4123-b28e-b02484411234' lacks permission to complete this action. You need to have 'AddPackage'. (DevOps Activity ID: 70E74793-BC13-44CB-945E-7066E80622F5)).

To identify by name what user the error is referring to... Use endpoint, where {your org name} is the orgname listed in your Azure Devops Url

https://vssps.dev.azure.com/{your org name}/_apis/graph/users

By listing the name you can be reassured you have the correct identifier to add to the feeds permissions.

Answer 4

On the feed view, it's over here (as of 11/2023):

Answer 5

Just an extra information when using "Project Name" Build Service (Organization), even of the search does not return any result, the save button becomes enabled if the name is correct

Answer 6

Just a note - make sure you put your Build Service as Contributor. I had mine as Collaborator which is a completely different role and I didn't notice the difference since they just appear very similar.

Answer 7

I had the exact problem. Under Feed Settings -> Permissions I could locate the Project Collection Build Service (Organization) with the Contributor permissions but did not work. As a solution I removed that and added "Project Name" Build Service (Organization). This is the build service for the project on which I have created the pipeline specifically.

Answer 8

See ArkadiuszKozie-6872's answer here: https://learn.microsoft.com/en-us/answers/questions/723164/granting-read-privileges-to-azure-artifact-feed.html

Had to grant Contributor to Project Collection Build Service (<YOUR-ORG-NAME>) too, which fixed it for me.

Answer 9

My solution was slightly different. New pipelines default to "Current Project" under Pipeline > Edit > Options > Build job > Buld job authorization scope.... this needed changing to "Project collection", which solved the problem:

Answer 10

A few things have changed in at least the Azure Devops web interface as of 2022-07. Although the fundamentals appear unchanged, the ... button talked about earlier is gone. Below are the steps I figured at the time of writing. Extracted from a bit of a whinging blog post, which has more details and context.

Create a new feed, setting the scope to the project:

By default, the permission list created for the new feed is as below. Note that the organisation_name Build Service (project_name) user or group has the role Collaborator by default. This may be the key stumbling block users trip over.

You cannot change the role; you have to remove the organisation_name Build Service (project_name) user or group and add it again with the Contributor role.

Answer 11

For those who are completely lost like me, the page mentioned by @diegosasw is in the Artifacts menu, not in the Task or in the Pipeline:

Answer 12

Steps:

1. Click on Artifacts on the left side.
2. Select your feed from the drop down (usually selected by default)
3. Click the Feed Setting gear on the top right corner.
4. Click Permissions
5. Click Add Users/groups and search for {your org} Build Service and add as Contributor.

Answer 13

If you still got the error, you could try to add the Team as Contributor as well.

Hope it works.

[project_name][project_name] Team - Contributor

project_name Build Service(Org_name) - Contributor

Answer 14

the correct answer is, at the artifact settings page (you can access following the explanation above) you need to add contributor permission to the user with the name pattern [project_name] Build Service. For example, if your project name is "IoT" you need to find the user "IoT Build Service" at the Add user/groups in the permission tab as shown above and assign the contributor permission.

Answer 15

Great find! Allowing project-scoped builds in the ... menu worked for me.

But in order to be able to push the package from Azure Pipelines to the Azure Artifacts feed at all, I had to add the same feed as Target feed under the dotnet restore step before dotnet build and finally dotnet push. https://learn.microsoft.com/en-us/azure/devops/artifacts/nuget/dotnet-exe?view=azure-devops

Answer 16

It seems I fixed by adding to the feed's permission settings the Build Service as Contributor.

It's a bit confusing tbh but it's now working fine.