2

I'm facing a permission issue.

I'm developing a yaml pipeline in Azure DevOps, that uses templates from an other repository under the same project.

Those templates are pretty simple.

  • dotnet restore -OR- npm install
  • dotnet publish and push folder to universal package feed -OR- dotnet pack and push nupkg to nuget feed
parameters:
- name: jobName
  type: string
- name: projectPath
  type: string
- name: projectName
  type: string
- name: filesToDelete
  type: object

jobs:
- job:
  displayName: ${{ parameters.jobName }}
  steps:

  - task: DotNetCoreCLI@2
    displayName: Dotnet build
    inputs:
      command: 'build'
      projects: '${{ parameters.projectPath }}/${{ parameters.projectName }}.csproj'
      arguments: '-c Debug'

  - task: DotNetCoreCLI@2
    displayName: Dotnet pack
    inputs:
      command: 'pack'
      packagesToPack: '${{ parameters.projectPath }}/${{ parameters.projectName }}.csproj'
      packDirectory: 'Pub'
      nobuild: true
      versioningScheme: 'off'
      verbosityPack: 'Normal'

  - task: DotNetCoreCLI@2
    displayName: Dotnet push nuget
    inputs:
      command: 'push'
      packagesToPush: 'Pub/*.nupkg'
      nuGetFeedType: 'internal'
      publishVstsFeed: '<devops project/<devops feed>'

Target is a project scoped feed, and the pipeline runs under a self-hosted agent (but even with microsoft-hosted ones I have the same issue).

Problem comes on push step, where I get this error. User '7de7da78-xxxx-xxxx-xxxx-xxxx3612a661' lacks permission to complete this action. You need to have 'AddPackage'.

I made many searches on web trying to fix it myself, and found many people with similar issues, like this, this or this.

The most referred solution is to add Build Account as collaborator, and I added it as contributor in project settings project-settings

and collaborator in feed settings feed settings

But nothing changed, still 403.

Any suggestion?

Michele Ietri
  • 184
  • 1
  • 4
  • 16

2 Answers2

6

Azure DevOps Artifact Feed, error 403 on push package from azure pipeline

Since you have arleady add the Build Account as collaborator, please try to check if the scope restrictions on single project builds is Enable:

  1. Click the "Project Settings" at the bottom left of the screen.

  2. Go to Pipelines > Settings.

  3. Disbale "Limit job authorization scope to current project" if it enabled.

enter image description here

Leo Liu
  • 71,098
  • 10
  • 114
  • 135
2

A very commong reason for this 403 forbidden error is that you need to elevate the permissions of your Build Service user from Contributor to Collaborator.
When the Artifacts is being created by Azure DevOps, by default it assigns the role of Contributor to your service builder, while you need to have the Collaborator role in order to execute such actions.

You can change the role from Artifacts >> Feed Settings >> Permissions page in Azure DevOps.

enter image description here

Martin Dimitrov
  • 818
  • 10
  • 19
  • 1
    Thanks for the help! But actually Leo Liu answer solved the problem too! – Michele Ietri Mar 24 '23 at 13:43
  • 1
    Sure, I just had the same problem that was caused from the permissions and decided to share it for anyone who might run into this, but the previous answer isn't helping them. – Martin Dimitrov Mar 25 '23 at 08:04