111

I get an error:

User XXX lacks permission to complete this action. You need to have 'AddPackage'

when trying to push a nuget package to Azure DevOps artifacts. I am the administrator This is the stage:

  - stage:
    displayName: 'Release'
    condition: succeeded()
    jobs:
      - job: 'Publish'
        displayName: 'Publish nuGet Package'
        steps:
          - download: current
            artifact: $(PIPELINE_ARTIFACT_NAME)
            displayName: 'Download pipeline artifact'
          - script: ls $(PATH_PIPELINE_ARTIFACT_NAME)
            displayName: 'Display contents of downloaded articacts path'
          - task: NuGetAuthenticate@0
            displayName: 'Authenticate in NuGet feed'
          - script: dotnet nuget push $(PATH_PIPELINE_ARTIFACT_NAME)/**/*.nupkg --source $(NUGET_FEED) --api-key $(NUGET_API_KEY)
            displayName: 'Uploads nuGet packages'

And the exact error:

error: Response status code does not indicate success: 403 (Forbidden - User '4a2eb786-540d-4690-a12b-013aec2c86e5' lacks permission to complete this action. You need to have 'AddPackage'. (DevOps Activity ID: XXXXXXX-6DF9-4A98-8A4E-42C556C6FC56)).
##[error]Bash exited with code '1'.
Finishing: Uploads nuGet packages

The git repo is in GitHub. Not sure who is considered to be the user but I don't know which other permissions to modify

Promise Preston
  • 24,334
  • 12
  • 145
  • 143
diegosasw
  • 13,734
  • 16
  • 95
  • 159

12 Answers12

150

It seems I fixed by adding to the feed's permission settings the Build Service as Contributor.

It's a bit confusing tbh but it's now working fine.

enter image description here

diegosasw
  • 13,734
  • 16
  • 95
  • 159
  • 47
    BTW, it is in `...` menu next to Delete, called `Add project-scoped builds` – LOST Jan 19 '20 at 21:44
  • 7
    I had Build Service as Contributor and I start getting the error at some point (it was working fine before that). What it fixed it, for me, was removing Build Service from the permissions list and re-adding it. – kord May 05 '20 at 14:48
  • 2
    Similar to Kord i had "Project Collection Build Service (XXXXXX-XXXXXX)" as a user, I had to remove it, then use the "...." icon and click "Add Builds and releases" which , by clicking, re-added the user... with appropriate permissions. I can now successfully use mvn deploy in my pipeline and deploy to the azure artifact area – Ryu S. Feb 05 '21 at 22:42
  • One note to add, my feed was in another project, so I thought I had to switch to that project and then click "Add project-scoped builds". Actually I needed to go to Artifacts inside the project that was building and then follow the instructions. – Brandon Rader Mar 03 '22 at 22:31
  • 20
    Just incase anyone runs into it, searching for the user after clicking "Add users/groups" does not work with partial names. ie, searching for "build" or "Build Service" will not pull up the appropriate account, but if you search for " Build Service ()" it'll come up as expected. This was fairly annoying to figure out. – Peter Bernier Aug 11 '22 at 13:42
  • I don't know what makes the difference but this solution was not working for me until I changed the agent specificaction for the job from windows-latest to windows-2019. – rortegax2 Sep 21 '22 at 09:50
  • 1
    @PeterBernier Argh! That's what I was missing. Thank you! – jmatias Oct 10 '22 at 23:19
  • @diegosasw wow. thnx. This was what I was missing. – Lazar Nikolic Oct 21 '22 at 14:13
  • I got this after i enabled the Project Settings `Limit job authorization scope to current project for non-release pipelines` even though the user was Project Collection Build Service. – Lars Pellarin Feb 22 '23 at 15:47
  • It works for us too, thanks – Milad Dastan Zand Jun 12 '23 at 14:26
69

Steps:

  1. Click on Artifacts on the left side.
  2. Select your feed from the drop down (usually selected by default)
  3. Click the Feed Setting gear on the top right corner.
  4. Click Permissions
  5. Click Add Users/groups and search for {your org} Build Service and add as Contributor.

enter image description here

Promise Preston
  • 24,334
  • 12
  • 145
  • 143
Xavier John
  • 8,474
  • 3
  • 37
  • 51
45

For those who are completely lost like me, the page mentioned by @diegosasw is in the Artifacts menu, not in the Task or in the Pipeline:

enter image description here

bubbleking
  • 3,329
  • 3
  • 29
  • 49
Gabriel Anderson
  • 1,304
  • 14
  • 17
21

A few things have changed in at least the Azure Devops web interface as of 2022-07. Although the fundamentals appear unchanged, the ... button talked about earlier is gone. Below are the steps I figured at the time of writing. Extracted from a bit of a whinging blog post, which has more details and context.

artifacts tab in AZ menu

Create a new feed, setting the scope to the project:

feed creation settings

By default, the permission list created for the new feed is as below. Note that the organisation_name Build Service (project_name) user or group has the role Collaborator by default. This may be the key stumbling block users trip over.

default feed permissions

You cannot change the role; you have to remove the organisation_name Build Service (project_name) user or group and add it again with the Contributor role.

corrected feed permissions

j-m
  • 1,473
  • 1
  • 13
  • 17
12

My solution was slightly different. New pipelines default to "Current Project" under Pipeline > Edit > Options > Build job > Buld job authorization scope.... this needed changing to "Project collection", which solved the problem:

enter image description here

Duck Ling
  • 1,577
  • 13
  • 20
10

Great find! Allowing project-scoped builds in the ... menu worked for me.

But in order to be able to push the package from Azure Pipelines to the Azure Artifacts feed at all, I had to add the same feed as Target feed under the dotnet restore step before dotnet build and finally dotnet push. https://learn.microsoft.com/en-us/azure/devops/artifacts/nuget/dotnet-exe?view=azure-devops

Martin H
  • 349
  • 4
  • 16
8

the correct answer is, at the artifact settings page (you can access following the explanation above) you need to add contributor permission to the user with the name pattern [project_name] Build Service. For example, if your project name is "IoT" you need to find the user "IoT Build Service" at the Add user/groups in the permission tab as shown above and assign the contributor permission.

atGuz
  • 91
  • 1
  • 2
8

See ArkadiuszKozie-6872's answer here: https://learn.microsoft.com/en-us/answers/questions/723164/granting-read-privileges-to-azure-artifact-feed.html

Had to grant Contributor to Project Collection Build Service (<YOUR-ORG-NAME>) too, which fixed it for me.

Kayes
  • 1,016
  • 3
  • 15
  • 22
  • This was it for me as well, it may be tied to multi-repo project, but this user was the last piece of the puzzle. Comment left for future readers... – Niall Nov 17 '22 at 13:04
3

If you still got the error, you could try to add the Team as Contributor as well.

Hope it works.

[project_name][project_name] Team - Contributor

project_name Build Service(Org_name) - Contributor

Pancat
  • 31
  • 1
3

Just a note - make sure you put your Build Service as Contributor. I had mine as Collaborator which is a completely different role and I didn't notice the difference since they just appear very similar.

teamdever
  • 309
  • 6
  • 21
2

I had the exact problem. Under Feed Settings -> Permissions I could locate the Project Collection Build Service (Organization) with the Contributor permissions but did not work. As a solution I removed that and added "Project Name" Build Service (Organization). This is the build service for the project on which I have created the pipeline specifically.

GeralexGR
  • 2,973
  • 6
  • 24
  • 33
1

Just an extra information when using "Project Name" Build Service (Organization), even of the search does not return any result, the save button becomes enabled if the name is correct

Tanguy Touzard
  • 135
  • 8