CyberDude

Reputation: 9009

How to allow external access to a private Azure DevOps NuGet feed

The situation is as follows:

Current solution involves:

The issue is that user U can log in to Org A's DevOps and view boards, work items, members, etc.

The question is how to restrict access so that the only thing that anyone from Org B can do is restore packages from Org A's feed and nothing else?

I have set every permission to Deny on user U's Permissions screen in Org A's DevOps.

As soon as I set View project-level information to Deny, the pipeline in Org B fails with a 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist, or you do not have permission to access it.) error.

Upvotes: 4

Views: 3294

Answers (4)

markus

Reputation: 594

We have a similar problem, but also wanted to limit the shared artifacts to a certain feed view.

Therefore, we decided to create a helper-project that only holds one feed. This feed is empty but uses your original feed as an upstream source scoped to the view that we want to share.

The helper project has only one user (a service user) that has read-access on the helper-feed. We can use the service user's PAT for sharing.

As the helper project is practically empty, we do not risk sharing any unwanted information (code, issues, etc.).

Upvotes: 0

Levi Lu-MSFT

Reputation: 30383

There is no need to add user U from Org B to Org A's DevOps, since you only need a PAT with Packaging -> Read scope from Org A. You can just have any user in Org A (who has access permission to the NuGet feed) generate a PAT for you.

Or you can ask any user in the Project Collection Administrators group of Org A to create a new normal user account as a service account, and then ask them to generate a PAT from this service account of Org A.

With the above approaches, you do not need to worry about users of Org B being able to log in to Org A's DevOps.

Upvotes: 3
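An added example (not code from the answer above) of how the Org B pipeline can consume Org A's feed with nothing more than the Packaging (Read) PAT of an Org A service account. The organisation, project and feed names, the `orga-feed` source key and the `ORGA_FEED_PAT` variable are placeholders; the PAT is injected as a pipeline secret variable and never written to disk.

```shell
#!/usr/bin/env sh
# Placeholder names (assumed, not from the page): organisation, project
# that hosts the feed, and feed name in Org A.
ORG_A="orga"
ORG_A_PROJECT="shared"
ORG_A_FEED="packages"
FEED_URL="https://pkgs.dev.azure.com/${ORG_A}/${ORG_A_PROJECT}/_packaging/${ORG_A_FEED}/nuget/v3/index.json"

# Render a NuGet.config whose credential refers to an environment variable.
# NuGet expands %VAR% in config values at run time, so the secret itself
# stays in the pipeline's secret store and in the restore step's environment.
# Azure DevOps ignores the username for PAT basic auth; "az" is arbitrary.
render_nuget_config() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="orga-feed" value="$1" />
  </packageSources>
  <packageSourceCredentials>
    <orga-feed>
      <add key="Username" value="az" />
      <add key="ClearTextPassword" value="%ORGA_FEED_PAT%" />
    </orga-feed>
  </packageSourceCredentials>
</configuration>
EOF
}

# Guard: returns 0 (true) if the literal secret $2 appears in config text $1,
# which would mean the PAT is about to land in a file or a build log.
config_leaks_secret() {
  printf '%s' "$1" | grep -qF -- "$2"
}

# Restore step for the Org B pipeline: expects ORGA_FEED_PAT in the environment.
restore_from_org_a() {
  [ -n "${ORGA_FEED_PAT:-}" ] || { echo "ORGA_FEED_PAT is not set" >&2; return 1; }
  render_nuget_config "$FEED_URL" > NuGet.config
  if config_leaks_secret "$(cat NuGet.config)" "$ORGA_FEED_PAT"; then
    echo "refusing to continue: PAT was written into NuGet.config" >&2
    return 1
  fi
  dotnet restore --configfile NuGet.config
}
```

Because the PAT carries only the Packaging (Read) scope, a leaked copy can at most download packages; it grants no access to boards, work items or members in Org A.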

Eric Smith

Reputation: 2560

You don't mention whether you tried this yet: keeping View project-level information set to Deny, how about you explicitly add the guest user U as a Reader on the package feed in Org A?

Editing permissions for a feed

Upvotes: 0

Jonathan Myers

Reputation: 886

If both orgs are connected to the same Azure Active Directory, upstream sources may get you what you want.

  1. In the feed in Org A, set a view to be visible to everyone in your Azure Active Directory (sorry, that's the minimum visibility for cross-org upstreams). The @Local view is probably a good choice, because every package version that is fully ingested into the feed (whether by a direct push or by downloading through an upstream) is automatically added to that view.
  2. In Org B, create a new feed or use an existing one.
  3. Make sure users of the feed in Org B have appropriate permissions. "Readers" can only use package versions that have already been fully ingested into the feed. "Collaborators" can additionally use and ingest (by using) package versions that exist in the feed's upstreams.
  4. In the feed in Org B, add an upstream to the view in Org A.
  5. Set your clients in Org B to restore packages from the feed in Org B instead of the feed in Org A.

Note that we cache upstream information, so there may be a delay of up to several hours between publishing to the feed in Org A and the package being visible in Org B. Improvements are planned, but I don't have a timeline I can share at this time.

Upvotes: 0
