
In an Azure Pipelines Task, I am attempting to create and push a new branch. I am able to clone the repo using the $(System.AccessToken) variable, but when I try to push the new branch I get the following error:

remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\(GUID)', scope 'repository'.

If I check my repository security, I see that both the Build Service user and the Project Collection Build Service Accounts group have Contribute, Create Branch, Contribute to pull request, and Create Tag permissions set to "Allow", which from all the research I've done is all I should need to do.

How can I troubleshoot this issue? I assume that either I am missing something silly, or there's a permissions inheritance issue. However, if I'm setting security on the repository itself my assumption is that should override any inherited permissions.

Pipeline:

steps:
- powershell: |
   git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone "https://repoaddress/_git/common"
   cd common
   git checkout develop
   git checkout -b release/$(build.buildNumber) $(build.buildNumber)
   git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push -u origin HEAD
  displayName: 'Create Branch From Tag'

Permissions: (screenshot of the repository permissions, not reproduced)

Mike Cole

1 Answer


It should be caused by your build service account not having the Contribute permission for this repository.

Go to Project settings --> Repositories --> click the repo you want to operate on --> set the repository permissions accordingly.

Note: The service account is Project Collection Build Service (org name).


Update1

I found the issue: add the service account {project name} Build Service ({Org name}) and configure that account's permissions, and it will work.


According to the error message (Details: identity 'Build\(GUID)', scope 'repository'.), we can get the service account GUID.

Check this REST API; it can list the service accounts. We can search for the service account name via the GUID, then configure the permission.

Update2

Since you are using AccessToken, it updates the repo via the service account. As another workaround, we could use a Personal Access Token to do the same thing, and it does not need the service account permission to be configured.

A sample PowerShell script to clone the repo via a PAT token:

$MyPat = 'yourPAT'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
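As an added example (not the question's pipeline or the answer's script), the PowerShell below ties together the GUID lookup from Update1 and the two authentication modes: it extracts the build identity GUID from the TF401027 message, builds the Authorization header for either System.AccessToken or a PAT, and filters the Graph users list for the GUID. The organization name, that the GUID appears in the Graph user record, and that the token may read Graph are assumptions.

```powershell
# Added example; not code from the question or the answer. Assumes the TF401027 message
# format shown in the question and the Graph "users - list" endpoint linked in the answer.

function Get-BuildIdentityGuid {
    # Extract the GUID from "identity 'Build\<GUID>'". That GUID identifies which build
    # identity the job actually ran as (the org-level Project Collection Build Service
    # or the project-scoped "{project} Build Service ({org})" account from Update1).
    param([Parameter(Mandatory)][string]$ErrorText)
    $m = [regex]::Match($ErrorText, "identity 'Build\\([0-9a-fA-F-]{36})'")
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Get-AzDoAuthHeader {
    # Authorization header value for either mode: System.AccessToken is a job-scoped
    # bearer token; a PAT must be sent as Basic with ":<pat>" base64-encoded.
    param(
        [Parameter(Mandatory)][string]$Secret,
        [ValidateSet('AccessToken', 'Pat')][string]$Mode = 'AccessToken'
    )
    if ($Mode -eq 'Pat') {
        $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$Secret"))
        return "Basic $b64"
    }
    return "Bearer $Secret"
}

function Find-ServiceAccountByGuid {
    # First page of Graph users whose record mentions the GUID. Assumptions: the token
    # may read Graph and the GUID appears in the user record (e.g. originId); paging via
    # the X-MS-ContinuationToken response header is not handled here.
    param(
        [Parameter(Mandatory)][string]$Organization,
        [Parameter(Mandatory)][string]$Guid,
        [Parameter(Mandatory)][string]$AuthHeader
    )
    $uri = "https://vssps.dev.azure.com/$Organization/_apis/graph/users?api-version=6.1-preview.1"
    $resp = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = $AuthHeader }
    $resp.value |
        Where-Object { ($_ | ConvertTo-Json -Compress -Depth 5) -match [regex]::Escape($Guid) } |
        Select-Object displayName, principalName, descriptor
}

# Usage inside a PowerShell task; 'yourOrgName' is a placeholder. $env:SYSTEM_ACCESSTOKEN
# is only present when the step maps it: env: { SYSTEM_ACCESSTOKEN: $(System.AccessToken) }.
# $guid = Get-BuildIdentityGuid -ErrorText $gitOutput
# $auth = Get-AzDoAuthHeader -Secret $env:SYSTEM_ACCESSTOKEN   # or: -Secret $pat -Mode Pat
# Find-ServiceAccountByGuid -Organization 'yourOrgName' -Guid $guid -AuthHeader $auth
# git -c http.extraheader="AUTHORIZATION: $auth" push -u origin HEAD
```

Once the returned displayName shows which build identity the job runs as, grant Contribute and Create Branch to that exact identity on the repository rather than to the other one.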

And we will receive two notifications during the lifetime of a PAT: one upon creation and the other seven days before expiration. You can refer to this doc for more details.

Seven days before your PAT expires, you receive a notification similar to the following example.


Then we can change the expiration time.

Vito Liu
  • I have given that account Contribute permissions already and it still doesn't work. – Mike Cole Apr 06 '21 at 04:37
  • Hi @MikeCole, I have updated the answer, please check the update1 and then kindly share the result here. – Vito Liu Apr 07 '21 at 01:55
  • I already had those permissions set and still have the error. Check my addition to the original post. Thank you. – Mike Cole Apr 07 '21 at 14:49
  • Hi @MikeCole, Could you run this [REST API](https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/list?view=azure-devops-rest-6.1) to list all service account, and search for the GUID contained in the error message, then configure the service account repo permission and try it again, then kindly share the result here? Thanks. – Vito Liu Apr 08 '21 at 06:22
  • The user found is the Project Collection Build Service for the organization. It has all 4 of the highlighted permissions set to Allow. – Mike Cole Apr 08 '21 at 15:21
  • Hi @MikeCole, Can I confirm some info with you? 1. The pipeline source is same as repo in the script, right? 2. You have set the permission in the repo you used in the script. – Vito Liu Apr 09 '21 at 08:16
  • This is a Stage Task in a release workflow, not a stand-alone pipeline. Does that make a difference? – Mike Cole Apr 09 '21 at 15:33
  • Hi @MikeCole, I have tested it in the release and it works, this is very strange, do you mind changing the authentication method to PAT and try it again, then kindly share the result here? Thanks. – Vito Liu Apr 14 '21 at 06:50
  • Hi @MikeCole, Just checking in to see whether this issue is still blocking you now? Any update for this issue? – Vito Liu Apr 16 '21 at 06:31
  • I'll do some research to see how to use PAT instead of AccessToken. However, this makes this solution susceptible to the PAT timing out after 1 year. I did try in a completely different project/repository using the AccessToken and got the same exact error message. – Mike Cole Apr 16 '21 at 15:51
  • Hi @MikeCole, You could do the same thing via PAT token, right? I have updated the answer, you could check the update2. Have a nice day. – Vito Liu Apr 19 '21 at 02:53
  • The PAT seems to have worked. I was able to clone my repository, create a new branch, and push that branch back to the server. I sure wish I could figure out how to make it work with the access token. – Mike Cole Apr 19 '21 at 17:17
  • I do have the same - PAT works and SAT doesn't. Project Collection Build Service has been granted full permissions on the repo – kagarlickij Jun 30 '22 at 15:47