Doing Git Pushes from the Azure Release Pipeline

2

0

I'd like to do git push from a PowerShell script in the Azure DevOps release pipeline from a self-hosted build server.

It works from the build pipeline, but from the release pipeline I end up with authentication errors. "Allow scripts to access the OAuth token" is activated and the build machines have contribution permissions (as I said, it works in the build pipeline).

This is the error I get as seen in the DevOps portal:

git : remote: 001f# service=git-receive-pack
At C:\Builds\A1\_work\r1\a\Source\Scripts\CreateTagFromPipeline.ps1:11 char:1
+ git push
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (remote: 001f# service=git-receive-pack:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

PowerShell exited with code '1'.

If I log in to the machine via remote desktop and push manually, I get some better errors:

$ git push
remote: 001f# service=git-receive-pack
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\58bb64d7-d065-4522-94e2-a153b9fdadd6', scope 'repository'.
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\58bb64d7-d065-4522-94e2-a153b9fdadd6', scope 'repository'
fatal: unable to access 'https://our-correct-repo-address-on-dev.azure.com': The requested URL returned error: 403

Again, it works in the build pipeline, but not in the release pipeline.

Feleciafeledy answered 30/4, 2019 at 15:18 Comment(0)
P
2

There can be different accounts involved in Azure DevOps Pipelines. On the organization level you have "Project Collection Build Service (YourOrg)", and on the project level you have "YourProject Build Service (YourOrg)".

Which of these is used for the build depends on whether the pipeline option "Build job authorization scope" is set to "Project Collection" or "Current Project". There doesn't currently seem to be a corresponding option for release pipelines; that one defaults to the Project Collection Build Service.

I would guess "Build\58bb64d7-d065-4522-94e2-a153b9fdadd6" is your Project Collection Build Service, but you have only granted contribute permissions to your Project Build Service and are using scope "Current Project" on the build pipeline.

Pelag answered 8/5, 2019 at 13:18 Comment(0)
C
14

-- BEGIN EDIT -- You need to give the generic contribute permissions to this identity 'Build\58bb64d7-d065-4522-94e2-a153b9fdadd6'.

  1. In Azure DevOps, go to project settings
  2. Go to repos -> repositories -> click on your repo
  3. On the Security tab, browse for the id 58bb64d7-d065-4522-94e2-a153b9fdadd6 in "Search for users and groups"
  4. Click on the identity found and make sure it has: contribute permissions, Create branch, Create tag and Read permissions set to allow

--- EDIT---

Is the build pipeline also running on a self-hosted build server?

Go to your build pipeline -> variables -> check the system.collectionId.

Is it 58bb64d7-d065-4522-94e2-a153b9fdadd6?

If that is not the collection id in your build pipeline, it means the identity 58bb64d7-d065-4522-94e2-a153b9fdadd6 in your release pipeline does not have permissions to create branches.

Cower answered 5/5, 2019 at 18:23 Comment(3)
Hi @Cower can you also add how to solve the permission problem by editing your answer - Anklebone
Yes, it's also self hosted, they are actually running on the very same machine, just in a different subfolder of the _work directory. And yes, the system.collectionId on the build pipeline is 58bb64d7-d065-4522-94e2-a153b9fdadd6. I don't see the variable in the release pipeline though. - Feleciafeledy
Go to repositories -> search user by the Id given after Build/58bb64d7-d065-4522-94e2-a153b9fdadd6 --> which is 58bb64d7-d065-4522-94e2-a153b9fdadd6 --> and give it permissions for contribute, pull request and tag. This helped. Thank you dearsiCaptivity
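
One way to surface the real TF401027 denial in the pipeline log instead of the NativeCommandError shown in the question, as an added example that is not part of the original thread. The function names are hypothetical, and the sample lines are constructed from the error text quoted in the question.

```powershell
# Added example (not from the original thread). Function names are hypothetical.
function Get-GitPermissionDenial {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()]
        [string[]]$Lines
    )
    # Matches: TF401027: You need the Git '<perm>' permission ... identity '<id>', scope '<scope>'
    $pattern = "TF401027: You need the Git '(?<perm>[^']+)' permission.*?" +
               "identity '(?<id>[^']+)', scope '(?<scope>[^']+)'"
    $seen = @{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $key = ($m.Groups['perm'].Value, $m.Groups['id'].Value, $m.Groups['scope'].Value) -join '|'
        if ($seen.ContainsKey($key)) { continue }   # the server repeats the message
        $seen[$key] = $true
        [pscustomobject]@{
            Permission = $m.Groups['perm'].Value
            Identity   = $m.Groups['id'].Value
            Scope      = $m.Groups['scope'].Value
        }
    }
}

function Invoke-GitPushWithDiagnosis {
    # PowerShell wraps git's stderr lines as NativeCommandError records (as in the
    # question's log); capture both streams as plain strings before inspecting them.
    $previous = $ErrorActionPreference
    $ErrorActionPreference = 'Continue'
    try {
        $output = @(& git push 2>&1 | ForEach-Object { "$_" })
        $exitCode = $LASTEXITCODE
    } finally {
        $ErrorActionPreference = $previous
    }
    $output | ForEach-Object { Write-Host $_ }
    if ($exitCode -ne 0) {
        foreach ($d in Get-GitPermissionDenial -Lines $output) {
            # Azure Pipelines logging command: shows up as an error on the run summary
            Write-Host ("##vso[task.logissue type=error]Grant Git '{0}' on the {1} to identity '{2}'" -f $d.Permission, $d.Scope, $d.Identity)
        }
        throw "git push failed with exit code $exitCode"
    }
}

# Constructed sample, built from the error text quoted in the question:
$sample = @(
    "remote: 001f# service=git-receive-pack",
    "remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\58bb64d7-d065-4522-94e2-a153b9fdadd6', scope 'repository'."
)
Get-GitPermissionDenial -Lines $sample | Format-List
```

Calling `Invoke-GitPushWithDiagnosis` in place of the bare `git push` in the release script names the exact identity and permission to check on the repository's Security tab.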