How do I set the build authorization scope for my project?

Question

Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.

/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json. /usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.

The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:

https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops

But where, in DevOps' myriad menus, can this scope be set?

A suspiciously similar setting do exist in the organization settings page, under Pipelines/Settings as a toggle named "Limit job authorization scope to current project". However, it is turned off by default which means pipelines should have access to all the projects in the organization. — idursun, Oct 31 '19 at 14:57
@HughLin-MSFT Sorry for the delay, but no. See Elven Spellmaker's comment below. — HenrikMöller, Dec 06 '19 at 11:57

Mark · Answer 1 · 2023-02-03T06:47:02.357

EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question: https://stackoverflow.com/a/73136309/5358731

~~There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html~~

~~In short, this seems to affect new projects connecting to a private feed. Here's the suggested work around:~~

~~Click "Artifacts" in the project with the failing build~~

~~Select the feed you were trying to consume in your build and click the cog in the top right corner~~

~~Click "Feed Settings"~~

~~Go to the Permissions tab~~

~~Click the 3 dots [...] that appeared to the right of the tab~~

~~Click "Allow project-scoped builds"~~

~~This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.~~

~~Full credit to Tim Lynch from the developer community page.~~

This doesn't appear to work for us, unfortunately. We flipped the switch mentioned here https://stackoverflow.com/a/58646507/2604915 and this seemed to work for us... Until this morning, where it no longer works again. I'm awaiting a screensharing session with Microsoft to see if we can glean anything from this. — Elven Spellmaker, Nov 15 '19 at 10:04
Worked for me. Was consistently receiving a 403 error. Upon flipping the switch worked. However, prior to all, please follow the instructions outlined under Option 2 which I performed: https://www.paraesthesia.com/archive/2019/02/07/using-azure-devops-artifacts-nuget-feeds-in-pipelines/ — user3051574, Apr 18 '20 at 15:23

score 6 · Answer 2 · answered Feb 08 '20 at 05:15

All answers are valid but it depends.

Take into account that only Contributor and Owner roles are allowed to push packages read the docs here.

Then also remember Scoped build identities .

Azure DevOps uses two built-in identities to execute pipelines.

A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)

A project-scoped identity, which has access to a single project

...

By default, the collection-scoped identity is used, unless the Limit job authorization scope to current project is set in Project Settings > Settings.

With this in mind follow the next steps:

You need to check which identity is being used for your pipelines:

For me is project-scoped identity

Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)

No. 1 If the identity is collection-scoped
No. 2 If the identity is project-scoped
No. 3 Give your contributors the least privilege principle if it applies. (For me its ok to leave them read the feed, and the pipeline or me are the only ones allowed to push packages)

Remember again you need to use Owner or Contributor roles.

In Azure DevOps Server no choice for Limit job authorization scope to current project. Any idea to apply your way ? — arslanaybars, Apr 28 '20 at 12:33
@arslanaybars please update my anwser, so you can reach more people with your solution if you want — David Noreña, May 23 '20 at 00:59
Thank you for highlighting this. I wasn't aware of collection-scoped vs. project-scoped. My project was using collection-scoped (as it accesses templates in another project), so I added permissions for `Project Collection Build Service ({OrgName})` to the Artifact Feed and it worked! — Josh Wright, Jan 05 '23 at 15:48

score 2 · Answer 3 · answered Oct 28 '19 at 14:00

2

Go to your feed settings:

In the Permissions tab verify that have at least reader permissions to "Project Collection Build Service (username)":

answered Oct 28 '19 at 14:00

Shayki Abramczyk

36,824
16
89
114

The OP states that they wish to set the authorization scope on the build, but cannot find it. It is not related to the permission settings on the feed. – Sander Oct 30 '19 at 05:55
Yea but I think if he will do it the problem will be solved. – Shayki Abramczyk Oct 30 '19 at 07:19
@ShaykiAbramczyk Sadly no, the Project Collection Build Service is already a contributor. – HenrikMöller Oct 30 '19 at 09:59
1

Man I love you. I spend soooo long trying to solve my problems with this – Jonas Nov 25 '22 at 15:56

idursun · Answer 4 · 2019-10-31T16:27:50.020

2

It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.

edited Oct 31 '19 at 16:27

answered Oct 31 '19 at 15:19

idursun

6,261
1
37
51

1

Thanks for this. I spent two days figuring where to set this – Suresh Kumar Jan 11 '23 at 13:05

How do I set the build authorization scope for my project?

4 Answers4

Linked