Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] Extractor `az repos show` Permission Denied

See original GitHub issue

Release version


Describe the bug

When using a target repo (within the same project) for output of the extractor script, Create pull request of the Create template branch stage in the Extractor script fails with not found / permission denied when running the az repos show ... step.

This same pipeline succeeds when the target repo is the same as that containing the extractor YAML and pipeline.

Project pipeline settings are restrictive, i.e., “Limit job auth scope” and “Protect access to repos in YAML pipelines” are on org-wide. However, the external target repo has been configured to allow the Extractor pipeline explicitly via “Project Settings > Repositories > Security > Pipeline permissions”. Additionally, the necessary User permissions are configured as defined in the wiki (“Project Build Service (OrgName)” has Contributor role).

Am I missing additional configuration required to make this work?


My target setup is to have the apiops repo have a branch for each target API in the APIM, then run the Extractor on the desired branch to extract the APIM data for the target API and push to that API’s repo. Hoping to avoid having separate pipelines for each API with the extractor YAML residing in the API repos themselves. Maybe there’s a better approach here?

Expected behavior

Expected output:

Cloning branch main in repository MyRepoTest...
Clone URL is
Cloning into 'D:\a\_temp\artifacts-from-portal'...
Creating temporary branch artifacts-from-portal-build-286 from main...

Actual behavior

The failure logs on the az repos show ... step:

Cloning branch main in repository MyTestRepo...
ERROR: TF401019: The Git repository with name or identifier MyTestRepo does not exist or you do not have permissions for the operation you are attempting.
Clone URL is 
Cloning into 'artifacts-from-portal'...
fatal: 'D:\a\_temp\artifacts-from-portal' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Cloning branch main in repository MyTestRepo failed.

Reproduction Steps

  1. Create a repo apiops containing the pipeline YAML config.
  2. Create an empty (or minimal) target repo MyTestRepo.
  3. Configure apiops per wiki.
  4. Configure pipeline permissions on MyTestRepo in Project Settings to allow Extractor YAML pipeline access.
  5. Manually run pipeline, specifying:
    • Branch/tag: apiops repo branch
    • APIM repo for pull request: MyTestRepo
    • Target branch for PR: main
    • All other params are configured identical to working extraction scenario where extractor YAML repo and target repo are the same

Issue Analytics

  • State:closed
  • Created 4 months ago
  • Comments:6 (4 by maintainers)

github_iconTop GitHub Comments

comccommented, May 11, 2023

I can confirm simply adding a checkout as a step prior to creating the pull request is sufficient to resolve this issue. Thank you @aristosvo.

For others’ reference, if the repo is in the same project you can simply use:

- checkout: git://<project>/${{ parameters.APIM_REPOSITORY_NAME }}

That said, it would still be valuable to understand what may be breaking the permissions chain in ADO, but that’s not an issue in this repo so I’m closing this. I appreciate all the help.

aristosvocommented, May 11, 2023

I think this is a permissions issue introduced silently by Azure DevOps. We’ve raised some tickets within Microsoft, but we ended up adding an additional checkout in the pipeline:

- checkout: git://<organization>/<project>/${{ parameters.APIM_REPOSITORY_NAME }}

If there is something better than this, I’m happy to learn more!

Read more comments on GitHub >

github_iconTop Results From Across the Web

az webapp deployment: permission denied · Issue #26566
Describe the bug I tried to publish an existing bot to azure using Azure CLI. I got "[Errno 13] permission denied" as an...
Read more >
Permission denied while executing files between stages in ...
I have a sample project with a simple C file( hello world program). I am trying to get familiar with artifacts and hence...
Read more >
Troubleshoot access, permission issues - Azure DevOps
Their membership within a security group doesn't support access to a feature or they have been explicitly denied permission to a feature.
Read more >
Azure DevOps - Team Foundation Error TF14044
Azure DevOps - Team Foundation Error TF14044: Access Denied User needs the CreateWorkspace global permission(s)Closed - Not a Bug
Read more >
Azure Pipelines for Github allows build of plugin - Development
... Permission denied ##[error]Bash exited with code '126'. ... which shows you how to change permissions in the repo from windows.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found