Reputation: 251
Assign different access to artifact feeds for PATs of same user
I am using Azure DevOps Artifacts to store private python builds. The projects, code base, and pipelines are all hosted by a different provider, not Azure DevOps.
I have a user account with full privileges. I have set up a PAT that is used to automatically publish builds from my pipelines to multiple different feeds in the same project. I would now like to allow external, but not public, access to download/read one of my feeds but not the others. I was thinking this could be achieved by creating a different PAT with appropriate permissions on that one feed but I can not seem to find a way to define what feed the PAT has access to.
I then thought I could set up a second user, using the '+' notation in gmail, e.g. [email protected] but Azure DevOps does not think email addresses that contain a '+' are valid so that does not work either.
Example
PAT 1: Can download and publish python packages on Feed A and B
PAT 2: Can download python packages from Feed A, can not access Feed B at all.
Is there a way to achieve this without setting up a new email address for the second user, creating users for ALL external parties, or giving public access to the feed I want to share?
Upvotes: 0
Views: 279
Answers (2)
Reputation: 76870
Is there a way to achieve this without setting up a new email address for the second user, creating users for ALL external parties, or giving public access to the feed I want to share?
I am afraid there is no such way to achieve this without setting up a new email address for the second user.
That is because when we set permissions on a feed, the principal to be set is a user or a group, and we could not add a PAT as the subject of the permission.
At present, we can only set the permissions for PAT to read, write, write and manage Packaging, but not specifically set the permissions for a specific feed. This part of the functionality needs to be assigned to the user principal.
So, if you have different permissions for feeds, the best way is using two accounts.
Upvotes: 0
Reputation: 984
You can't do this only with a second user. The PAT says what actions are allowed, but the final user-permission is set in the feed seetings. So I think you would need a second user.
Maybe you should consider not to use your user for publishing the builds. This can be done by the pipeline itself. Then you would be able to modify the user-permissions in the feeds.
Upvotes: 1
Related Questions
- Azure Artifacts - Sharing project-scoped feeds with other projects
- How do I add multiple authenticated feeds to dependabot?
- Is it possible to access Organization-Scoped Artifact Feeds using the Azure Devops API?
- Access Azure DevOps Artifact Feed from different organization
- Correct pipeline & feed settings/permissions
- Azure DevOps Permissions on Pipeline Artifacts
- Who can access / see project-scoped feeds?
- Azure Artifacts - Need to Create Organization-scoped Feeds
- Azure devops feed with PAT : what permissions are needed?
- Azure Devops - Accessing artifact feed in release pipeline task