Git repository permissions issue in Azure DevOps Pipeline
In an Azure Pipelines Task, I am attempting to create and push a new branch. I am able to clone the repo using the $(System.AccessToken) variable, bit when I try to push the new branch I get the following error:
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\(GUID)', scope 'repository'.
If I check my repository security, I see that both the Build Service user and Project Collection Build Service Accounts group has Contribute, Create Branch, Contribute to pull request, and Create Tag permission set to "Allow", which from all the research I've done is all I should need to do.
How can I troubleshoot this issue? I assume that either I am missing something silly, or there's a permissions inheritance issue. However, if I'm setting security on the repository itself my assumption is that should override any inherited permissions.
Pipeline:
steps:
- powershell: |
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone "https://repoaddress/_git/common"
cd common
git checkout develop
git checkout -b release/$(build.buildNumber) $(build.buildNumber)
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push -u origin HEAD
displayName: 'Create Branch From Tag'
Permissions:
It should caused by your build service account do not have the contribute permission for this repository.
Go Project setting --> Repositories --> click Repos you want to operate -->set repository permissions accordingly.
Note: Service account is Project Collection Build Service (org name)
Update1
I got the issue, add this service account {project name} Build Service ({Org name}) and configure the account permission, it will work.
According to the error message: Details: identity 'Build\(GUID)', scope 'repository'., we could get the service account GUID
Check this REST API, it could list the service account, we could search the service account name via the GUID, then configure the permission.
Update2
Since you are using AccessToken, it update the repo via service account, as another workaround, we could use Personal access token do the same things, and it do not need to configure service account permission.
Update2
A sample power shell script to clone the repo via PAT token:
$MyPat = 'yourPAT'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
And we will receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before the expiration. You could refer to this doc for more details.
Seven days before your PAT expires, you receive a notification similar to the following example.
Then we could change the Expiration time.
- Unable to complete a partial restore of our Azure DevOps database
- Azure Devops Jekyll site build fails, worked previously
- Why I am receiving the error: Error: Template file pattern matches a directory instead of a file: /home/vsts/work/1/s in my yaml file pipeline file?
- Conditional dependent job in Azure Devops YAML pipelines
- Azure DevOps REST API: Match Manual Test Case steps to Test Run results?
- Is there a way to get more than 1000 Packages and versions from Azure DEVOPs Feed RESTAPI for GET Packages?
- Pipeline Shows as Failed When Successful
- Yaml manual approval step in jobs.template
- Environment variables as parameter of type object in Azure DevOps pipelines
- Skip Azure Pipeline jobs (or the whole pipeline) if change is from a merge from a specific branch
- Visual Studio 2022 can't connect to a project due to bad filters
- Azure Data Factory CI npm validate step suddenly crashing
- Error using Azure DevOps REST API and classificationnodes
- Remove TFS Connection From Visual Studio 2019
- Restricting branch creation based on Azure DevOps group permissions
- ADO - Granular Permission for Users on Team
- Dev env is skipping
- Must delete massive inadvertent checkin from remote git repo
- Job Conditions in Azure Pipelines
- Access Denied using Azure App Configuration Task in DevOps Pipeline
- Passing output variable to a template in the same job in Azure devops
- Secrets inject securely Dockerfile during build .NET
- Azure Pipeline: how to delete a variable inside Azure build pipeline
- How do I specify playwright chromium version in azure pipeline
- Azure Devops - YAML - not reading .net version from props file
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)