Can I grant permissions to a pipeline so it can read information for a different project in Azure Devops using the API?

Asked 17/3, 2020 at 18:6 Answered 6/3, 2023 at 10:9

Solved permissions azure-devops azure-devops-rest-api

I'm trying to use this Azure DevOps API call:

GET https://dev.azure.com/{organization}/_apis/projects/{projectId}?api-version=5.1

Documented here, to retrieve the name of a project when I have it's ID. Note that the pipeline is attempting to retrieve project information for a project other than the one in which it's defined. Here's the code, which works when the pipeline provides its own project ID:

  $VstsBaseRestUrl = "$(System.TeamFoundationCollectionUri)"

  $projectsUrl = "$VstsBaseRestUrl/_apis/projects/${{ parameters.project }}?api-version=5.1"

  $rawResponse = Invoke-WebRequest -UseDefaultCredentials -Uri $projectsUrl -Method Get -ContentType "application/json" -Headers @{
        Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
    }

The response is returned as:

{"$id":"1","innerException":null,"message":"VS800075: The project with id 'vstfs:///Classification/TeamProject/xxxxx' does not exist, or you do not have permission to access it.","typeName":"Microsoft.TeamFoundation.Core.WebApi.ProjectDoesNotExistException, Microsoft.TeamFoundation.Core.WebApi","typeKey":"ProjectDoesNotExistException","errorCode":0,"eventId":3000}

I'm using the correct project ID, so how do I grant permission to the pipeline to authorise this call?

Note: I'd rather not use a PAT if I don't have to, i.e. somehow granting this to the build account so that the SYSTEM_ACCESSTOKEN approach continues to work.

Polyamide answered 17/3, 2020 at 18:6 Comment(0)

how do I grant permission to the pipeline to authorise this call?

Let's say you call above rest api to retrieve Project B's information from the pipeline in project A.

You need to grant the build service account of project A the View project-level information in project B. Below is the detailed steps.

1, Go the project settings of project B(the project you want to retrieve the information) --> Permissions --> select Build Administrator group(You can also create a new group)

2, Click Members tab of Build Administrator group --> Click Add --> Add the build service account of project A.

The build service account of project A is like this: NameofProjectA Build Service (NameofOrganization) eg. ProjectA Build Sevice (MyOrganization)

Optional:

You can also create a new group in project B and add The build service account of project A to its memebers. And make sure View project-level information is allowed

Calie answered 18/3, 2020 at 3:29 Comment(2)

Thanks Levi. Your quick answer is much appreciated. – Polyamide 18/3, 2020 at 9:51

Finally after hours of googling, Thanks for the help – Diploma 16/2, 2022 at 11:31

I got the same error triggering a pipeline in another project after i enabled the Project Settings Limit job authorization scope to current project for non-release pipelines even though the user was Project Collection Build Service.

Rip answered 6/3, 2023 at 10:9 Comment(0)

Recommended topics

Hot tags