Azure DevOps Project pipeline not able to access NuGet package from Artifact Feed in different Project

Question

Updated 20-Feb-2020

Summary

Azure DevOps pipeline build not able to find NuGet package from our private feed under Artifacts.

Our Azure DevOps environment

In Azure, we have our company "space": dev.azure.com/OurCompany

Under that, we have multiple Projects, so for example, imagine these three:

• Green: this holds applications of a certain type
• Blue: this holds applications of a different type
• Red: this holds our "common" helper code

RED

RED holds all our common helper code are DLLs consumed by applications in GREEN and BLUE. These are made available as NuGet packages.

Under RED's Artifacts, we see an "organisational scoped feed" called "OurCompany". We understood that we couldn't use this because these NuGet packages need to be available to everyone in OurCompany, which means not only on Azure, but also on our DeskTop machines in our Corporate network (where we run Visual Studio). The "organisational scoped feed" I don't think is exposed to our Corporate Network.

We therefore created a new Feed under RED's Artifacts. When I view Permissions, I see the following entries:

• {me} : (Owner)
• [OurCompany]\Project Collection Adminstrators : (Owner)
• [RED]\Project Administrators : (Owner)
• RED Build Service (OurCompany) : (Contributor)
• Project Collection Build Service (OurCompany) : (Contributor)
• [RED]\Contributors (Contributor)

Corporate

So, back in Corporate, we add the NuGet package feed to our Visual Studio and it can then pull the NuGet packages down from Azure.

GREEN and BLUE

In here we have our products. We create a build Pipeline and we add a NuGet restore step:

- task: NuGetCommand@2
  displayName: 'Restore for Our Application'
  inputs:
    command: 'restore'
    restoreSolution: '**/*.sln'
    feedsToUse: 'select'
    vstsFeed: '{Guid1}/{Guid2}'

The two Guids were filled in when we picket the Azure Artifacts feed from the drop-down.

GREEN or BLUE NuGet Restore Failure

So this is where we run into our issue. When the NuGet restore step executes, it fails with the following message:

Unable to find version 'nnnn.n.n' of package 'TheNuGetPackage'.

The log output is vast, but the salient lines appear to be:

2020-02-18T18:36:35.2838118Z [command]C:\hostedtoolcache\windows\NuGet\5.4.0\x64\nuget.exe sources Add -NonInteractive -Name {Guid2} -Source https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json
-ConfigFile d:\a\1\Nuget\tempNuGet_356.config 2020-02-18T18:36:35.7513495Z Package source with Name: {Guid2} added successfully. 2020-02-18T18:36:41.1671856Z     [CredentialProvider.183638]Command-line v0.1.20+a5d37185a1a95acb4f0g997b9c23cab99508: "d:\a\_tasks\NuGetCommand_333b11bd-d341-40d9-bdbd-b32d5ce6f23b\2.164.0\CredentialProviderV2\plugins\netfx\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe"
-Plugin 2020-02-18T18:36:41.1673979Z     [CredentialProvider]Handling 'Request' 'GetAuthenticationCredentials'. Time elapsed in ms: 3 - Payload: {"Uri":"https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json","IsRetry":false,"IsNonInteractive":true,"CanShowDialog":true} 2020-02-18T18:36:41.1674299Z     [CredentialProvider]Handling auth request, Uri: https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json, IsRetry: False, IsNonInteractive: True, CanShowDialog: True 2020-02-18T18:36:41.1674465Z     [CredentialProvider]URI: https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json 2020-02-18T18:36:41.1674818Z     [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTaskServiceEndpoint.VstsBuildTaskServiceEndpointCredentialProvider, cannot provide credentials for https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json 2020-02-18T18:36:41.1675261Z     [CredentialProvider]VstsBuildTaskCredentialProvider - https://dev.azure.com/OurCompany/ 2020-02-18T18:36:41.1675425Z     [CredentialProvider]VstsBuildTaskCredentialProvider - https://pkgs.dev.azure.com/OurCompany/ 2020-02-18T18:36:41.1675722Z    [CredentialProvider]VstsBuildTaskCredentialProvider - https://pkgs.dev.azure.com/OurCompany/ 2020-02-18T18:36:41.1676021Z    [CredentialProvider]VstsBuildTaskCredentialProvider - https://pkgs.dev.azure.com/OurCompany/ 2020-02-18T18:36:41.1676161Z    [CredentialProvider]VstsBuildTaskCredentialProvider - Matched prefix: https://pkgs.dev.azure.com/OurCompany/ 2020-02-18T18:36:41.1676330Z    [CredentialProvider]VstsBuildTaskCredentialProvider - Found credentials for endpoint https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json 2020-02-18T18:36:41.1680820Z   https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json: Unable to load the service index for source https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json. 2020-02-18T18:36:41.1680996Z   Response status code does not indicate success: 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/{Guid1}' does not exist, or you do not have permission to access it. (DevOps Activity ID: 0628EDE7-6E7E-465D-A6AE-7B6B0AA065D2)).

This looks like a permissions thing to me. But what seems odd is that the Artifact Feed in RED was discoverable when creating the Pipeline Build YAML when we then don't have permissions to use it.

I did try adding permissions to the Feed in RED. Clicking on the "Add users/groups". I found the following and added them as either Reader or Contributor, but with no success.

1. [GREEN]\ Green Team
2. GREEN Build Services

So:

1. Am I going about this the wrong way? If so, what ought I be doing (I thought I'd followed the Azure DevOps instructions fairly closely)
2. Am I going about this the right way? If so, what have I missed?

Update #1

Verbose error message from Restore step

https://api.nuget.org/v3/index.json: Package 'Package1.nnnn.n.n' is not found on source 'https://api.nuget.org/v3/index.json'.
https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json: Unable to load the service index for source https://pkgs.dev.azure.com/OurCompany/{Guid1}/_packaging/{Guid2}/nuget/v3/index.json. Response status code does not indicate success: 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/{Guid1}' does not exist, or you do not have permission to access it. (DevOps Activity ID: {Guid})).

Answer 1

Finally, I found the problem. I wonder if this is a bug, or just poorly documented....(or maybe I just didn't interpret it correctly).

As per Leo Lui-MSFT's suggestion above (documented by Microsoft), I'd added the permissions to the NuGet feed, and this didn't work. However, I was intrigued by his sentence:

If you've changed your builds to run at project scope

Personally, I hadn't, so I got with our System Administrator and we went through all the possible settings. Eventually, we found it - it wasn't something I had the ability to change.

So in my example above, BLUE and GREEN are the two projects that are trying to use the NuGet package in RED's Artifact feed.

So picking BLUE (or GREEN), in the bottom left hand corner of Azure DevOps you'll see a link "Project Settings". Under "Pipelines > Settings" there are four settings. We had to change the following to be:

Limit job authorization scope to current project = false

Hope that helps!

Answer 2

Azure DevOps Project pipeline not able to access Artifact Feed in different project

I think you are going the right ways. There is known issue about the project scope feed.

As the document Package permissions in Azure Pipelines stated:

To use packages from a feed in Azure Pipelines, the appropriate build identity must have permission to your feed. By default, the Project Collection Build Service is a Contributor. If you've changed your builds to run at project scope, you'll need to add the project-level build identity as a Reader or Contributor, as desired. The project-level build identity is named as follows:

[Project name] Build Service ([Organization name]) (e.g. FabrikamFiber Build Service (codesharing-demo))

You could check this thread for some more details.

Hope this helps.

Answer 3

You can do the following to have access to other project feed in the same organization:

1. Choose the following options from: Feed settings >> Permissions >> [Click on the three-dot menu] >> sel a) Allow build and releases b) Allow project-scoped builds
2. Go to the project settings (from where you want to access the feed)
3. Make sure the option is unchecked in the following setting: Project Settings >> Pipelines >> Settings >> Limit job authorization scope to current project for non-release pipelines

Answer 4

In my LibsProject I have a LibsFeed (OP's RED), which I wanted to use in a pipeline in my ConsumingProject.

I had to add the following permissions to get it to work:

• LibsFeed: Add ConsumingProject Build Service as Contributor (Read automatically changed to Contributor somehow)
• LibsProject: Add ConsumingProject Team to the LibsProject Team under LibsProject -> Project Settings -> Team

I can not even enable OP's solution, even with all thinkable admin rights

Limit job authorization scope to current project