Reputation: 1359
Correct pipeline & feed settings/permissions
We are close to rolling out our first pilot of Azure pipelines and Azure Artifacts but I am (still) somehow lost with the right settings for pipelines and artifacts.
Our setup is the following.
Every Azure project has a feed where the pipelines of the multiple GIT repos within that project push their universal packages to.
The pipeline itself is consuming universal packages from feeds of the same but also other projects of the same ADO org.
Now I have seen the settings for pipelines "Limit job authorization scope to current project for non-relase pipelines" and the feed settings "Organization and Project scope" and I do not know what to set to support our scenario. I have read the official documentation but somehow I am still not sure what to configure.
Can you help?
Thank you
Upvotes: 1
Views: 1136
Answers (1)
Reputation: 28096
Which scope do you prefer, Project-Scope feed or Organization-Scope feed?
The biggest difference between them is:
1.If you create a Org-scope feed in ProjectA, someone(If you grant Feed permissions to him) can view and manage the feed from any project within same org. It means people can view the feed details even in ProjectB.
2.If you create a Project-scope feed in ProjectA, then only members of ProjectA can view this feed via Artifacts page:
But as I know, they both works for your scenario no matter which scope you choose.
So you have two directions:
1.Create a org-scope feed in ProjectA, then configure the feed settings:
Then grant Contributor role to ProjectB Build Service and ProjectB Team:
So that members in ProjectB Team group(ProjectB Team) can see the feed in ProjectB's artifacts page, and the pipeline(ProjectB Build Service) can download/publish package from/to the feed.
2.Create project-scope feeds per project. ProjectA=>FeedA, ProjectB=>FeedB, ProjectC=>FeedC.
For scenario where ProjectA will push package to FeedA, and ProjectB/ProjectC will consume the package from FeedA: You can edit FeedA's feed settings, add corresponding role to ProjectA build service, ProjectB Team and ProjectB build service, ProjectC Team and ProjectC build service. Consuming package needs reader role while publishing package needs at least contributor role.
And normally you can disable Limit job authorization scope to current project for non-relase pipelines option to avoid/resolve 404 error like this ticket.
Upvotes: 1
Related Questions
- Azure devops Artifacts - failed to get feed
- Azure DevOps Artifact Feed, error 403 on push package from azure pipeline
- Azure artifact feed ididentifier in azure pipeline
- Unable to generate artifacts in a Azure DevOps pipeline
- No artifact created in Azure pipeline
- Sending Azure Build Artifacts to Feed
- Azure DevOps Permissions on Pipeline Artifacts
- Azure Artifacts - Need to Create Organization-scoped Feeds
- Azure devops feed with PAT : what permissions are needed?
- Azure Devops - Accessing artifact feed in release pipeline task