Azure Devops publishing to own feed suddenly results in 403 forbidden

Question

I have been using Azure DevOps for a project for quite some time, but suddenly publishing to my own organisation/collection feed results in a 403.

I created a feed and I can select it on the nuget push build step, but it does not work. I created a new feed to publish the NuGet packages to and this works perfectly again. It seems to me like a token expired, but I never created one or used it to authenticate. I also do not want to change my NuGet feed to the new one, as I want to use older packages as well.

This is the buildpipeline:

And this is the stack trace:

Active code page: 65001 SYSTEMVSSCONNECTION exists true SYSTEMVSSCONNECTION exists true SYSTEMVSSCONNECTION exists true

[warning]Could not create provenance session: {"statusCode":500,"result":{"$id":"1","innerException":null,"message":"User

'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException, Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}} Saving NuGet.config to a temporary config file. Saving NuGet.config to a temporary config file. [command]"C:\Program Files\dotnet\dotnet.exe" nuget push d:\a\1\a\Microwave.0.13.3.2019072215-beta.nupkg --source https://simonheiss87.pkgs.visualstudio.com/_packaging/5f0802e1-99c5-450f-b02d-6d5f1c946cff/nuget/v3/index.json --api-key VSTS error: Unable to load the service index for source https://simonheiss87.pkgs.visualstudio.com/_packaging/5f0802e1-99c5-450f-b02d-6d5f1c946cff/nuget/v3/index.json. error: Response status code does not indicate success: 403 (Forbidden - User 'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'. (DevOps Activity ID: 2D81C262-96A3-457B-B792-0B73514AAB5E)).

[error]Error: The process 'C:\Program Files\dotnet\dotnet.exe' failed with exit code 1

[error]Packages failed to publish

[section]Finishing: dotnet push to own feed

Is there an option I am overlooking where I have to authenticate myself somehow? It is just so weird.

Answer 1

"message":"User 'a831bb9f-aef5-4b63-91cd-4027b16710cf' lacks permission to complete this action. You need to have 'ReadPackages'.

According to this error message, the error you received caused by the user(a831bb9f-aef5-4b63-91cd-4027b16710cf) does not have the access permission to your feed.

And also, as I checked from backend, a831bb9f-aef5-4b63-91cd-4027b16710cf is the VSID of your Build Service account. So, please try with adding this user(Micxxxave Build Service (sixxxxss87)) into your target feed, and assign this user the role of Contributor or higher permissions on the feed.

In addition, here has the doc you can refer:

There is a new UI in the Feed Permissions:

Answer 2

To further expand on Merlin's solution & related links (specifically this one about scope), if your solution has only ONE project within it, Azure Pipelines seems to automatically restrict the scope of the job agent to the agent itself. As a result, it has no visibility of any services outside of it, including your own private NuGet repos held in Pipelines.

Solutions with multiple projects automatically have their scope unlocked, giving build agents visibility of your private NuGet feeds held in Pipelines.

I've found the easiest way to remove the scope restrictions on single project builds is to:

1. In the pipelines project, click the "Settings" cog at the bottom left of the screen.
2. Go to Pipelines > Settings
3. Uncheck "Limit job authorization scope to current project"

Hey presto, your 403 error during your builds involving private NuGet feeds should now disappear!

Answer 3

I want to add a bit more information just in case somebody ends up having the same kind of problem. All information shared by the other users is correct, there is one more caveat to keep into consideration. The policies settings are superseded by the organization settings. If you find yourself unable to modify the settings or they are grayed out click on "Azure DevOps" logo at the left top of the screen.

Click on Organization Settings at the bottom left.

Go to Pipeline --> Settings and verify the current configuration.

When I created my organization it was limiting the scope at the organization level. It took me a while to realize it was superseding the project.