Tags: azure-devops, azure-pipelines, azure-repos

Where are authorizations listed for modified Azure DevOps YAML pipelines accessing resources?


I have a pipeline with the following:

resources:
  repositories:
  - repository: repo
    type: git
    name: TEST-staging

steps:
- checkout: repo

When the pipeline runs I get this warning:

This pipeline needs permission to access a resource before this run can continue

Which prompts me to grant access:

Granting permission here will permit the use of Repository 'TEST-staging' for all waiting and future runs of this pipeline.

I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?

EDIT: The user is prompted to permit access when the pipeline names the repo, e.g. "- checkout: repo"; however, the user is NOT prompted to permit access when using "- checkout: self", even though it's the same repo.

EDIT: The organization settings for Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to referenced Azure DevOps repositories are currently and have always been disabled.

EDIT: This FAQ question is similar to my question: "Why am I prompted to authorize resources the first time I try to check out a different repository?". That FAQ leads to this documentation: Troubleshooting authorization for a YAML pipeline. That documentation contains:

When you create a pipeline for the first time, all the resources that are referenced in the YAML file are automatically authorized for use by the pipeline, provided that you are a member of the User role for that resource. So, resources that are referenced in the YAML file at pipeline creation time are automatically authorized. When you make changes to the YAML file and add additional resources ... then the build fails with a resource authorization error ... In this case, you will see an option to authorize the resources on the failed build. If you are a member of the User role for the resource, you can select this option. Once the resources are authorized, you can start a new build.

EDIT: This seems to be the work item for the change that is causing us to be prompted to permit access.

So, I am being led to these conclusions:

  1. @Leo had the correct answer to the question "Where are those permissions listed?" except when a YAML resource is added to an existing pipeline
  2. When YAML resources are modified or edited, the user is prompted to authorize that access even when that access is already authorized via the user's role
  3. I have re-titled this post in the hopes that it more clearly asks the question, because as of now there does not seem to be any place in which ad-hoc authorizations are listed

Solution

  • I had the same question. After checking a lot of things, I reached the following conclusion (as of 2023-06-21):

    There are 2 types of permissions required:

    1. Build Service access to Repo - for checking out repo from pipeline. Usually using - checkout step.
    2. Pipeline access to Repo - for declaring that repo as a pipeline dependency. Usually using - resources.

    For 1, it can be granted in UI under Project Settings -> Repo -> Security -> Read access.

    For 2, it can also be found on the same page: Pipeline permission view

    But this only applies for "pipelines under same project". For cross-project access, after checking through the whole AZDO UI, I can't find any view that displays this information. I conclude that it can only be granted during pipeline run.

    So if you inspect the network requests when granting the access in the pipeline, you will see it is actually calling this API:

    PATCH https://dev.azure.com/<org>/<project_id>/_apis/pipelines/pipelinePermissions/repository/<repo_id>
    Payload: {"pipelines":[{"id":<pipeline_id>,"authorized":true}]}
    

    So actually we can use GET on the same API to retrieve the granted access:

    GET https://dev.azure.com/<org>/<project_id>/_apis/pipelines/pipelinePermissions/repository/<repo_id>
    {
        "resource": {
            "type": "repository",
            "id": "xxx"
        },
        "pipelines": [
            {
                "id": <pipeline_id>,
                "authorized": true,
                "authorizedBy": {...},
                "authorizedOn": "xxx"
            }
        ]
    }
    

    As of 2023-06-21, I don't see a way to list this information in UI. But this API is a workaround to retrieve such information if you really need it.

    Update on 2023-06-21 (same day):

    I just discovered why it is not shown in the UI. So let's say a pipeline in ProjectA wants to check out a repo of ProjectB.

    In ProjectB repo permission setting view, it calls this API to show the permission section: GET https://dev.azure.com/<org>/<ProjectB>/_apis/pipelines/pipelinePermissions/repository/<RepoInProjectB>

    However, to checkout repo from ProjectA, what we need is actually: GET https://dev.azure.com/<org>/<ProjectA>/_apis/pipelines/pipelinePermissions/repository/<RepoInProjectB>

    And this information is shown in neither ProjectA nor ProjectB. It's only available in the API, and when the pipeline starts to run.

    I have raised a Feature Request for this: https://developercommunity.visualstudio.com/t/Allow-managing-cross-project-repo-pipeli/10397632
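The answer above shows that the grants created by the "permit access" button are only visible through the pipelinePermissions API, and that for cross-project checkouts the query has to be scoped to the project that owns the pipeline (ProjectA), not the one that owns the repo (ProjectB). The following script is an added example (not code from the post or from Microsoft) that turns that observation into a small audit: it calls the GET endpoint quoted in the answer with a PAT, and reports which pipelines have been authorized, by whom and when. The api-version value, the `allPipelines` field (which reports whether the repo has been opened to every pipeline in the scope project), the environment variable names and the constructed sample response are assumptions; the endpoint path and the `pipelines[].id/authorized/authorizedBy/authorizedOn` fields come from the answer.

```python
"""Audit pipeline -> repository authorizations via the Azure DevOps
pipelinePermissions REST API (the endpoint the UI calls, per the answer above).
Added example; not part of the original post."""
import base64
import json
import os
import urllib.request
from typing import Any, Dict, List

# Assumption: api-version accepted by the pipelinePermissions endpoint.
API_VERSION = "7.0-preview.1"


def permissions_url(org: str, scope_project: str, repo_id: str) -> str:
    """Build the GET URL quoted in the answer.

    scope_project is the project whose PIPELINES do the checkout (ProjectA in
    the answer's example), not the project that owns the repo. Querying the
    repo's own project only shows same-project grants."""
    return (f"https://dev.azure.com/{org}/{scope_project}/_apis/pipelines/"
            f"pipelinePermissions/repository/{repo_id}?api-version={API_VERSION}")


def fetch_permissions(org: str, scope_project: str, repo_id: str, pat: str) -> Dict[str, Any]:
    """Call the API with a personal access token (Basic auth, empty user name)."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(
        permissions_url(org, scope_project, repo_id),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def authorized_pipelines(perm: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a pipelinePermissions response to the pipelines that are actually
    authorized; entries with authorized=false are revoked grants and are skipped."""
    rows = []
    for p in perm.get("pipelines", []):
        if not p.get("authorized"):
            continue
        rows.append({
            "pipeline_id": p["id"],
            "authorized_by": (p.get("authorizedBy") or {}).get("displayName", "unknown"),
            "authorized_on": p.get("authorizedOn", ""),
        })
    return rows


def all_pipelines_open(perm: Dict[str, Any]) -> bool:
    """True when the repo was opened to every pipeline in the scope project
    (assumed 'allPipelines' field); per-pipeline grants then no longer gate access."""
    return bool((perm.get("allPipelines") or {}).get("authorized", False))


def report(scope_project: str, repo_id: str, perm: Dict[str, Any]) -> List[str]:
    """Human-readable lines for one (scope project, repo) pair."""
    lines = [f"{scope_project} -> repository {repo_id}"]
    if all_pipelines_open(perm):
        lines.append("  ALL pipelines in this project are authorized (review this!)")
    rows = authorized_pipelines(perm)
    if not rows:
        lines.append("  no individually authorized pipelines")
    for r in rows:
        lines.append(f"  pipeline {r['pipeline_id']} authorized by {r['authorized_by']} on {r['authorized_on']}")
    return lines


# Constructed sample response in the shape shown in the answer (not real data).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "resource": {"type": "repository", "id": "00000000-0000-0000-0000-00000000beef"},
    "pipelines": [
        {"id": 42, "authorized": True,
         "authorizedBy": {"displayName": "Alice Example"},
         "authorizedOn": "2023-06-21T10:00:00Z"},
        {"id": 17, "authorized": False},   # a revoked grant
    ],
    "allPipelines": {"authorized": False},
}

if __name__ == "__main__":
    # Assumed environment variable names; without them the sample response is used.
    org, proj, repo, pat = (os.environ.get(k) for k in
                            ("AZDO_ORG", "AZDO_PROJECT", "AZDO_REPO_ID", "AZDO_PAT"))
    if all((org, proj, repo, pat)):
        perm = fetch_permissions(org, proj, repo, pat)
    else:
        proj, repo, perm = "ProjectA", SAMPLE_RESPONSE["resource"]["id"], SAMPLE_RESPONSE
    print("\n".join(report(proj, repo, perm)))
```

To audit cross-project access, run it once per project that may host consuming pipelines, passing the same repo id each time; a repo that shows no grants in its own project can still have grants recorded under another project's scope, which is exactly the gap the answer describes.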