5

I have an Azure DevOps project (just one).

I have a Build Pipeline set to run in the "Hosted VS2017" Agent Pool. This Agent Pool appears to be in the [MyProject]\Build Administrators, Contributors, Project Administrators, and Release Administrators roles.

I also have an Artifacts nuget feed in the DevOps project. It has [MyProject]\Project Valid Users set as "Reader" role. It appears that Project Valid Users has all of the Agent Pool's roles mentioned above as members.

I have an azure-pipelines.yml script that adds that adds the artifacts feed as a nuget source right at the beginning:

# Add nuget source
- powershell: Invoke-RestMethod "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" -OutFile "$env:UserProfile/nuget.exe"
- script: '%UserProfile%\nuget.exe sources Add -Name "devops" -Source "https://pkgs.dev.azure.com/MyProject/_packaging/feed/nuget/v3/index.json"'

The build yml then dot a dotnet build but fails inside NuGet.targets with:

Unable to load the service index for source https://pkgs.dev.azure.com/MyProject/_packaging/feed/nuget/v3/index.json.
Response status code does not indicate success: 401 (Unauthorized).

how can I make this work? My build needs packages from other builds that are on that artifacts feed...

Jeff
  • 35,755
  • 15
  • 108
  • 220

3 Answers3

8

There is a better alternative imo. You can continue using your script to dotnet restore. Simply add a task just before that with NuGetAuthenticate@0

steps:
- task: NuGetAuthenticate@0
- script: dotnet restore --no-cache --force

this task will authenticate the pipeline with the nuget feeds that require so and are found at the NuGet.config file.

More info here

Notice that when the nuGet feed is within Azure DevOps there is nothing else required. If the feed is external you can configure at your Azure DevOps a nuGet Service Connections (at the link there is further info).

diegosasw
  • 13,734
  • 16
  • 95
  • 159
  • 3
    Many thanks for this, was looking for HOURS how to have Azure Artifacts private feed AND on-premise public feed. Authenticate do the job perfectly – cdie Nov 19 '19 at 09:45
  • I am using cloud hosted agent and Azure Artifacts feed. After adding NugetAuthenticate task, my problem was solved. – ViBi Oct 19 '22 at 00:53
1

Use the built-in tasks for installing and running NuGet and you won't have authentication problems.

Daniel Mann
  • 57,011
  • 13
  • 100
  • 120
  • dotnet build doesn’t use nuget command line to restore and the behavior of dotnet restore is isn’t reproducible by just running nuget restore. How would I be able to use the nuget task for this? – Jeff Sep 17 '18 at 14:12
1

Use the dotnet task's restore command. If you're using a single Azure Artifacts feed, just select it from the dropdown in the task (instead of the PowerShell you mentioned). If multiple feeds (doesn't look like it from your question, but just in case), you'll need to check in a NuGet.config that references all of those feeds, then point the task to that config.

You may also need to pass the '--no-restore' flag to your 'dotnet build' command.

If you still encounter issues, ensure the correct build identity has access to your feed.

Alex Mullans
  • 1,699
  • 2
  • 17
  • 34
  • I don’t understand what you mean by “just select it from the dropdown in the task“. Why would dotnet restore behave differently than dotnet build which actually just does an implicit restore? – Jeff Sep 17 '18 at 17:53
  • Right now, the only way to tell dotnet about an authenticated feed (i.e. to create a nuget.config that has a `` field with the build's access token) is to use either the `dotnet` or the `nuget` task's `restore` command. We have on the backlog a "NuGet authenticate" task that would generate that config and leave it around on disk for you to use as part of a scripted invocation of `dotnet build` or `dotnet restore`. – Alex Mullans Sep 17 '18 at 22:35
  • Why does dotnet restore work but dotnet build integrated restore not? My understanding is that they are nearly the same in terms of how they work – Jeff Sep 18 '18 at 01:59
  • Would $env:SYSTEM_ACCESSTOKEN not work for my purposes? – Jeff Sep 18 '18 at 03:43
  • 1
    `dotnet restore` and `dotnet build` call the same code to restore. The difference is in the current implementation of the VSTS `dotnet` task, which only provides the properly authenticated NuGet.config when you select the 'restore' step. – Alex Mullans Sep 18 '18 at 17:14
  • Yes, you could manually run a `nuget sources add` with `-Username -Password $env:SYSTEM_ACCESSTOKEN -StorePasswordInClearText`. – Alex Mullans Sep 18 '18 at 17:16
  • Hm unfortunately when doing a command to echo %SYSTEM_ACCESSTOKEN% it prints no value – Jeff Sep 18 '18 at 20:35
  • You may need to allow your steps to access the token. This page has a working example: https://learn.microsoft.com/en-us/azure/devops/pipelines/scripts/powershell?view=vsts#use-the-oauth-token-to-access-the-rest-api – Alex Mullans Sep 19 '18 at 00:35
  • it seems like the documentation obsolete or incorrect - there is no options tab. I’m using yml and that page looks more like the UI pipeline builder....does corresponding documentation exist for yml? – Jeff Sep 19 '18 at 01:10
  • Sorry for the delay, had to ask around. Yes, documentation here: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#secret-variables. `$(System.AccessToken)` in your PowerShell script should do the trick. – Alex Mullans Sep 20 '18 at 18:51