Reputation: 667
I currently have a self-hosted agent running as a service under the DOMAIN\admin account, who is also the organization admin (the agent PAT is full-access).
My project has a NuGet feed, with [ORGANIZATION]\Project Collection Service Accounts as Owner and Project Collection Build Service (ORGANIZATION) as Contributor. As a "debug" I also added DOMAIN\admin to the feed permissions.
I built a pipeline that does the following: Build, Test, Pack, and Nuget Push.
The NuGet Push fails with the following error: 403 (Forbidden - User '0a681a12-11c5-4573-ab59-82be15aaabbd' lacks permission to complete this action. You need to have 'ReadPackages'.
I'm not sure why this happens, the PAT is full access, and the service is under an admin. Any help?
Edit
When registering the Agent at the Service account step I get this warning:
ERR NativeWindowsServiceHelper] Can't enumerate account rights, return code 3221225524.
Edit 2
I just built a Release Pipeline with the NuGet Push job and it worked. I also edited the build pipeline to publish the artifact. Any idea why?
Upvotes: 5
Views: 2344
Reputation: 35474
In an Azure DevOps Build Pipeline, the Build Service account is used to push the NuGet package to the Azure feed.
The Build Service account has two levels: Organization level and Project level.
Project Level: Your-project-name Build Service (your-collection-name)
Organization level: Project Collection Build Service (your-collection-name)
Based on your pipeline settings, you need to grant the Contributor role to the related Build Service account.
For Yaml Pipeline, you can navigate to Project Settings -> Settings and check the option: Limit job authorization scope to current project for non-release pipelines.
If the option is enabled, it will use the Project Level Build Service account; otherwise it will use the Organization Level account.
For a Classic Pipeline, you need to navigate to the Options tab and check the Build job authorization scope.
If the Pipeline is using the Project level Build Service account, you need to grant the Contributor role to Your-project-name Build Service (your-collection-name) in Azure Feed -> Settings -> Permissions.
For example:
For more detailed info, you can refer to this doc: Manage build service account permissions
Upvotes: 7
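As an added example (not the answerer's own pipeline), here is a YAML build pipeline for the Build, Test, Pack and NuGet Push steps the question describes, pushing to an Azure Artifacts feed in the same project. The project name, feed name, agent pool and project paths are placeholders to replace.

```yaml
# Added example: Build, Test, Pack and Push to an Azure Artifacts feed.
# Placeholders: MyProject, MyFeed, MyLibrary.csproj and the pool name.
trigger:
  - main

pool:
  name: Default            # self-hosted agent pool, as in the question

variables:
  buildConfiguration: Release

steps:
  - task: DotNetCoreCLI@2
    displayName: Build
    inputs:
      command: build
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration)'

  - task: DotNetCoreCLI@2
    displayName: Test
    inputs:
      command: test
      projects: '**/*Tests.csproj'
      arguments: '--configuration $(buildConfiguration) --no-build'

  - task: DotNetCoreCLI@2
    displayName: Pack
    inputs:
      command: pack
      packagesToPack: '**/MyLibrary.csproj'
      configuration: $(buildConfiguration)
      outputDir: '$(Build.ArtifactStagingDirectory)'

  # The push authenticates with the job's own access token, i.e. as the Build
  # Service identity (the project-scoped one when "Limit job authorization scope
  # to current project for non-release pipelines" is enabled), not as the Windows
  # account the agent service runs under and not with the agent registration PAT.
  # That Build Service identity is the one that needs Contributor on the feed.
  - task: NuGetCommand@2
    displayName: NuGet Push
    inputs:
      command: push
      packagesToPush: '$(Build.ArtifactStagingDirectory)/**/*.nupkg'
      nuGetFeedType: internal
      publishVstsFeed: 'MyProject/MyFeed'
```

If the push still returns 403, the identity quoted in the error is the caller the feed actually saw; compare it against the Build Service accounts listed under the feed's Settings -> Permissions rather than against the agent's service account or PAT, which do not take part in this call.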