Mike Cole
Mike Cole

Reputation: 14743

Git repository permissions issue in Azure DevOps Pipeline

In an Azure Pipelines Task, I am attempting to create and push a new branch. I am able to clone the repo using the $(System.AccessToken) variable, bit when I try to push the new branch I get the following error:

remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\(GUID)', scope 'repository'.

If I check my repository security, I see that both the Build Service user and Project Collection Build Service Accounts group has Contribute, Create Branch, Contribute to pull request, and Create Tag permission set to "Allow", which from all the research I've done is all I should need to do.

How can I troubleshoot this issue? I assume that either I am missing something silly, or there's a permissions inheritance issue. However, if I'm setting security on the repository itself my assumption is that should override any inherited permissions.

Pipeline:

steps:
- powershell: |
   git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone "https://repoaddress/_git/common"
   cd common
   git checkout develop
   git checkout -b release/$(build.buildNumber) $(build.buildNumber)
   git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push -u origin HEAD
   
  displayName: 'Create Branch From Tag'

Permissions: enter image description here

Upvotes: 7

Views: 22313

Answers (2)

Philipp Stabel
Philipp Stabel

Reputation: 1

I have fixed it without using the PAT. I only had to add the Organization Name to the Link.

Example:

http://{Organization name}@dev.azure.com/.../_git/...

And in the project settings under "settings" i had to disable "Protect access to repositories in YAML pipelines"

Upvotes: 0

Vito Liu
Vito Liu

Reputation: 8298

It should caused by your build service account do not have the contribute permission for this repository.

Go Project setting --> Repositories --> click Repos you want to operate -->set repository permissions accordingly.

Note: Service account is Project Collection Build Service (org name)

enter image description here

Update1

I got the issue, add this service account {project name} Build Service ({Org name}) and configure the account permission, it will work.

enter image description here

According to the error message: Details: identity 'Build\(GUID)', scope 'repository'., we could get the service account GUID

Check this REST API, it could list the service account, we could search the service account name via the GUID, then configure the permission.

Update2

Since you are using AccessToken, it update the repo via service account, as another workaround, we could use Personal access token do the same things, and it do not need to configure service account permission.

Update2

A sample power shell script to clone the repo via PAT token:

$MyPat = 'yourPAT'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

And we will receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before the expiration. You could refer to this doc for more details.

Seven days before your PAT expires, you receive a notification similar to the following example.

enter image description here

Then we could change the Expiration time.

Upvotes: 7

Related Questions