Blocking an Azure DevOps pipeline from accessing an external template

My context

I own an Azure DevOps account and I am trying to understand the permission configuration that allows a YAML pipeline to access a template in another project.

So I built 2 projects:

  1. ProjetPrincipal
  2. ProjetSecondaire

They look like this (screenshots in the original post, one per project):

[screenshot: ProjetPrincipal]

[screenshot: ProjetSecondaire]

CommonTools is the happy recipient of this YAML:

# myTemplate.yaml

jobs:
  - job: DemoBug
    steps:
      - script: |
          #!/bin/bash

          echo 'Hello World'
        displayName: 'Run script'

And BigProject is not jealous because:

#deploy.yaml

trigger: none

resources:
  repositories:
    - repository: CommonTools
      type: git
      name: ProjetSecondaire/CommonTools

stages:
  - stage: STAGE1
    jobs:
      - template: myTemplate.yaml@CommonTools

I created a pipeline running deploy.yaml.

What I did

This is an extract of the PrincipalProject configuration:

[screenshot: project pipeline settings]

I tested every possible combination of these parameters, but whatever I do, the script runs fine.

So I don't understand these docs:

https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos?view=azure-devops&tabs=yaml

and

https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos?view=azure-devops&tabs=yaml

For instance, this does not work:

[screenshot: configuration that does not produce the expected error]

What I am looking for

Is this a matter of user permissions that override these settings?

How should I configure things to block access to the external project and get the expected error message?

Upvotes: 0

Views: 350

Answers (1)

Ziyang Liu-MSFT

Reputation: 5236

I can reproduce your issue on my side. The external template in another project can be accessed successfully. If you add a step to check out your CommonTools repo in deploy.yaml, you get the TF401019 error shown below.

[screenshot: TF401019 error]

According to this official doc Access repositories, artifacts, and other resources:

  • The settings Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to current project for release pipelines are used to set the job authorization scope to project.
  • Azure Pipelines uses job access tokens to access other resources in Azure DevOps at run time. A job access token is a security token that is dynamically generated by Azure Pipelines for each job at run time.
  • The token's permissions are derived from the job authorization scope and the permissions you set on the project or collection build service account.

Based on the above information, it seems that these two settings only take effect at run time. In the official example you mentioned, the pipeline checks out the repository during the run to access resources in other projects. Since the current job authorization scope is project, the token does not have permission to access the repo in other projects. According to this doc Process the pipeline, templates are expanded before run time. No job access token has been generated at that point, so these two settings have no effect. If the above guess is correct, then these two settings have limits.

But as part of the repo, the template should also be a protected resource. From this perspective, this seems to be a bug.

Based on the current situation, it's suggested that you report this issue to Azure DevOps via the Developer Community, and confirm with support whether these settings have limits or whether it is a bug.

Upvotes: 0
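Since the answer above concludes that the job authorization scope only affects the run-time job access token and does not stop a cross-project template from being pulled in during template expansion, a practical compensating control is to catch such references before the pipeline runs (for example in a pull-request check). The following is an added example written for this page, not code from the question, the answer, or Microsoft: a small static check that resolves `template: ...@alias` and `checkout: alias` references through `resources.repositories` and reports any that point at a project other than the one the pipeline lives in. It assumes the pipeline belongs to ProjetPrincipal, and it matches the line shapes used on this page with regular expressions; a production version would parse the YAML with a real parser and walk the structure instead.

```python
import re

# Line patterns for the YAML shapes used on this page. These are assumptions
# made for this example: a real check would parse the YAML with a library and
# walk resources.repositories, jobs[].template and steps[].checkout instead.
_REPO_ALIAS = re.compile(r"^\s*-\s*repository:\s*(\S+)\s*$")
_REPO_NAME = re.compile(r"^\s*name:\s*(\S+)\s*$")
_TEMPLATE_REF = re.compile(r"^\s*-?\s*template:\s*([^@\s]+)@(\S+)\s*$")
_CHECKOUT_REF = re.compile(r"^\s*-\s*checkout:\s*(\S+)\s*$")


def parse_repository_resources(yaml_text):
    """Map each alias under resources.repositories to (project, repo).

    'name: Project/Repo' is a cross-project reference; a bare 'name: Repo'
    lives in the current project and is recorded with project=None.
    """
    aliases = {}
    current = None
    for line in yaml_text.splitlines():
        m = _REPO_ALIAS.match(line)
        if m:
            current = m.group(1)
            continue
        m = _REPO_NAME.match(line)
        if m and current is not None:
            project, _, repo = m.group(1).rpartition("/")
            aliases[current] = (project or None, repo)
            current = None  # the name belongs to this resource only
    return aliases


def _resolve(alias, aliases):
    """Resolve a template/checkout target to (project, repo), or None."""
    if alias in ("self", "none"):
        return None  # the pipeline's own repo, or no checkout at all
    if alias.startswith("git://"):  # inline form: git://Project/Repo
        project, _, repo = alias[len("git://"):].rpartition("/")
        return (project or None, repo)
    return aliases.get(alias)


def find_cross_project_references(yaml_text, current_project):
    """Return every template or checkout reference that resolves to a
    repository in a project other than current_project.

    Each finding is a dict with line, kind ('template' or 'checkout'),
    alias, project, repo and, for templates, the path inside that repo.
    """
    aliases = parse_repository_resources(yaml_text)
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = _TEMPLATE_REF.match(line)
        if m:
            kind, path, alias = "template", m.group(1), m.group(2)
        else:
            m = _CHECKOUT_REF.match(line)
            if not m:
                continue
            kind, path, alias = "checkout", None, m.group(1)
        target = _resolve(alias, aliases)
        if target is None:
            continue  # self/none, or an alias with no resolvable name
        project, repo = target
        if project is not None and project != current_project:
            findings.append({"line": lineno, "kind": kind, "alias": alias,
                             "project": project, "repo": repo, "path": path})
    return findings


# Constructed sample: the deploy.yaml from the question, plus the extra
# checkout step the answer used to trigger TF401019 at run time.
DEPLOY_YAML = """\
trigger: none

resources:
  repositories:
    - repository: CommonTools
      type: git
      name: ProjetSecondaire/CommonTools

stages:
  - stage: STAGE1
    jobs:
      - template: myTemplate.yaml@CommonTools
      - job: Runtime
        steps:
          - checkout: CommonTools
"""

if __name__ == "__main__":
    # The pipeline lives in ProjetPrincipal (assumed), so both references
    # point outside the project and are reported before anything runs.
    for f in find_cross_project_references(DEPLOY_YAML, "ProjetPrincipal"):
        print(f"line {f['line']}: {f['kind']} -> {f['project']}/{f['repo']}")
```

Run against the sample, the check reports both the template reference (which the platform setting does not block, per the answer) and the checkout step (which the run-time token would block with TF401019); with `current_project` set to ProjetSecondaire it reports nothing. The value of the check is the first finding: it is the one the project setting cannot catch.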
