Azure DevOps: User lacks permission to complete this action. You need to have 'AddPackage'

Question

I get an error:

User XXX lacks permission to complete this action. You need to have 'AddPackage'

when trying to push a nuget package to Azure DevOps artifacts. I am the administrator This is the stage:

  - stage:
    displayName: 'Release'
    condition: succeeded()
    jobs:
      - job: 'Publish'
        displayName: 'Publish nuGet Package'
        steps:
          - download: current
            artifact: $(PIPELINE_ARTIFACT_NAME)
            displayName: 'Download pipeline artifact'
          - script: ls $(PATH_PIPELINE_ARTIFACT_NAME)
            displayName: 'Display contents of downloaded articacts path'
          - task: NuGetAuthenticate@0
            displayName: 'Authenticate in NuGet feed'
          - script: dotnet nuget push $(PATH_PIPELINE_ARTIFACT_NAME)/**/*.nupkg --source $(NUGET_FEED) --api-key $(NUGET_API_KEY)
            displayName: 'Uploads nuGet packages'

And the exact error:

error: Response status code does not indicate success: 403 (Forbidden - User '4a2eb786-540d-4690-a12b-013aec2c86e5' lacks permission to complete this action. You need to have 'AddPackage'. (DevOps Activity ID: XXXXXXX-6DF9-4A98-8A4E-42C556C6FC56)).
##[error]Bash exited with code '1'.
Finishing: Uploads nuGet packages

The git repo is in GitHub. Not sure who is considered to be the user but I don't know which other permissions to modify

Answer 1

It seems I fixed by adding to the feed's permission settings the Build Service as Contributor.

It's a bit confusing tbh but it's now working fine.

Answer 2

For those who are completely lost like me, the page mentioned by @diegosasw is in the Artifacts menu, not in the Task or in the Pipeline:

Answer 3

Steps:

1. Click on Artifacts on the left side.
2. Select your feed from the drop down (usually selected by default)
3. Click the Feed Setting gear on the top right corner.
4. Click Permissions
5. Click Add Users/groups and search for {your org} Build Service and add as Contributor.

Answer 4

Great find! Allowing project-scoped builds in the ... menu worked for me.

But in order to be able to push the package from Azure Pipelines to the Azure Artifacts feed at all, I had to add the same feed as Target feed under the dotnet restore step before dotnet build and finally dotnet push. https://learn.microsoft.com/en-us/azure/devops/artifacts/nuget/dotnet-exe?view=azure-devops

Answer 5

the correct answer is, at the artifact settings page (you can access following the explanation above) you need to add contributor permission to the user with the name pattern [project_name] Build Service. For example, if your project name is "IoT" you need to find the user "IoT Build Service" at the Add user/groups in the permission tab as shown above and assign the contributor permission.

Answer 6

My solution was slightly different. New pipelines default to "Current Project" under Pipeline > Edit > Options > Build job > Buld job authorization scope.... this needed changing to "Project collection", which solved the problem: