Prawin

Reputation: 1278

Azure DevOps - Unable to Create Var Group using Azure DevOps API and Auth Token

Requirements: We would like to create a Variable Group (along with some variables) in a given Project.

  1. Option1: We are able to create a new Variable Group successfully when we create a request via Postman using a PAT token which has FULL access.
  2. Option2: Our end goal is to invoke the ADO REST API in the Web App, which uses OAuth. When the end user logs in and makes a call (please see the input details below), we are getting a '401 Un Authorized - The user is not authorized to access this resource.' error. The Web App's application has the Variable Groups manage scope as shown below.

Troubleshooting: As part of troubleshooting, for Option1, which uses a PAT (with full access) in Postman, we have updated the permissions of the PAT to just have Create, Read and Manage Var Groups as shown below.

Now, even Option1 is not working after changing the PAT to have Custom Defined access.

Are we missing something?

Postman Details:

URL: https://dev.azure.com/myorgname/_apis/distributedtask/variablegroups?api-version=6.0-preview.2

Verb: Post

Headers: Authorization: Basic

Body:

{
    "name": "This is ignored",
    "description": "This is ignored",
    "type": "Vsts",
    "variables": {
        "BuildConfiguration": {
            "value": "Release"
        }
    },
    "variableGroupProjectReferences": [
        {
            "name": "VarGroup",
            "description": "The variable group to store the information about the variables using in the Pipeline",
            "projectReference": {
                "id": "#ProjectId#",
                "name": "#ProjectName#"
            }
        }
    ]
}

Upvotes: 0

Views: 725

Answers (1)

Joy Wang

Reputation: 42123

I can also reproduce your issue with option 1. Not only with Read, create, & manage for Variable Groups; even if I select all the scopes via Custom defined, it still does not work.

According to this doc - https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats

Some of our public APIs are currently unassociated with a PAT scope, and can therefore only be used with “full-scoped” PATs. Because of this, restricting the creation of full-scoped PATs might block some workflows. We're working to identify and document the affected APIs and eventually associate them with the appropriate scope. For now, these workflows can be unblocked by using the allow list.

I believe this should be the reason for this issue; there may be some additional permissions to create variable groups. For option 2, there may be a similar cause.

So in this case, you may need to use the Full access PAT temporarily; as mentioned in the doc, "We're working to identify and document the affected APIs and eventually associate them with the appropriate scope."

Upvotes: 0
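
Added example, not part of the question or the answer: the question's Postman request written as a Python script, showing how a PAT becomes the `Authorization: Basic` header and how a 401 on a custom-scoped PAT maps to the limitation quoted in the answer. The URL, API version and body fields come from the question; the `AZDO_PAT` environment variable, the function names and the `full_scoped` flag are assumptions made for this sketch.

```python
import base64
import json
import os
import urllib.error
import urllib.request

API_VERSION = "6.0-preview.2"  # value from the question's URL

def basic_auth_header(pat):
    # A PAT is sent as the Basic-auth password with an empty user name.
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()

def build_request(org, project_id, project_name, group, variables, pat):
    """Build (but do not send) the POST that creates a variable group."""
    url = (f"https://dev.azure.com/{org}/_apis/distributedtask/"
           f"variablegroups?api-version={API_VERSION}")
    body = {
        "name": group,
        "type": "Vsts",
        "variables": {k: {"value": v} for k, v in variables.items()},
        "variableGroupProjectReferences": [{
            "name": group,
            "projectReference": {"id": project_id, "name": project_name},
        }],
    }
    headers = {"Authorization": basic_auth_header(pat),
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")

def explain(status, full_scoped):
    """Map an HTTP status to a hint (hypothetical helper for this example)."""
    if 200 <= status < 300:
        return "created"
    if status == 401 and not full_scoped:
        # Per the doc quoted in the answer: some APIs map to no PAT scope.
        return "401: API may be unassociated with a PAT scope; needs a full-scoped PAT"
    return f"HTTP {status}"

def send(req, full_scoped):
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return explain(resp.status, full_scoped)
    except urllib.error.HTTPError as err:
        return explain(err.code, full_scoped)

if __name__ == "__main__":
    # Placeholders (assumptions): AZDO_PAT env var; org/project values from the question.
    req = build_request("myorgname", "#ProjectId#", "#ProjectName#", "VarGroup",
                        {"BuildConfiguration": "Release"}, os.environ["AZDO_PAT"])
    print(send(req, full_scoped=False))
```

Reading the PAT from the environment keeps a full-scoped token out of source control and shell history.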
