[BUG] Extractor `az repos show` Permission Denied
Release version: v4.1.3
Describe the bug
When using a target repo (within the same project) for output of the extractor script, the Create pull request step of the Create template branch stage in the Extractor script fails with not found / permission denied when running the `az repos show ...` step.
This same pipeline succeeds when the target repo is the same as that containing the extractor YAML and pipeline.
Project pipeline settings are restrictive, i.e., “Limit job auth scope” and “Protect access to repos in YAML pipelines” are on org-wide. However, the external target repo has been configured to allow the Extractor pipeline explicitly via “Project Settings > Repositories > Security > Pipeline permissions”. Additionally, the necessary User permissions are configured as defined in the wiki (“Project Build Service (OrgName)” has Contributor role).
Am I missing additional configuration required to make this work?
Aside:
My target setup is to have the apiops repo have a branch for each target API in the APIM, then run the Extractor on the desired branch to extract the APIM data for the target API and push to that API’s repo. Hoping to avoid having separate pipelines for each API with the extractor YAML residing in the API repos themselves. Maybe there’s a better approach here?
Expected behavior
Expected output:
Cloning branch main in repository MyRepoTest...
Clone URL is https://company@dev.azure.com/Company/Project/_git/MyRepoTest
Cloning into 'D:\a\_temp\artifacts-from-portal'...
Creating temporary branch artifacts-from-portal-build-286 from main...
Actual behavior
The failure logs on the `az repos show ...` step:
Cloning branch main in repository MyTestRepo...
ERROR: TF401019: The Git repository with name or identifier MyTestRepo does not exist or you do not have permissions for the operation you are attempting.
Clone URL is
Cloning into 'artifacts-from-portal'...
fatal: 'D:\a\_temp\artifacts-from-portal' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Cloning branch main in repository MyTestRepo failed.
Reproduction Steps
- Create a repo apiops containing the pipeline YAML config.
- Create an empty (or minimal) target repo MyTestRepo.
- Configure apiops per wiki.
- Configure pipeline permissions on MyTestRepo in Project Settings to allow Extractor YAML pipeline access.
- Manually run pipeline, specifying:
  - Branch/tag: apiops repo branch
  - APIM repo for pull request: MyTestRepo
  - Target branch for PR: main
  - All other params are configured identical to the working extraction scenario where the extractor YAML repo and target repo are the same
Top GitHub Comments
I can confirm simply adding a checkout as a step prior to creating the pull request is sufficient to resolve this issue. Thank you @aristosvo.
For others’ reference, if the repo is in the same project you can simply use:
That said, it would still be valuable to understand what may be breaking the permissions chain in ADO, but that’s not an issue in this repo so I’m closing this. I appreciate all the help.
I think this is a permissions issue introduced silently by Azure DevOps. We’ve raised some tickets within Microsoft, but we ended up adding an additional checkout in the pipeline:
If there is something better than this, I’m happy to learn more!
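As an added illustration, not the apiops project's own pipeline YAML and not code posted by any commenter above, here is a minimal Azure Pipelines fragment showing the extra checkout the comments describe, followed by the `az repos show` and `az repos pr create` calls. The repository alias `targetRepo`, the stage/job names, the pool image, and the branch naming are assumptions; `Project` and `MyTestRepo` are the names from the issue's own logs. The security-relevant point is that when "Protect access to repositories in YAML pipelines" is enabled, the job access token (`$(System.AccessToken)`) is scoped only to repositories the YAML explicitly references, via a `checkout` step or a `uses` declaration. The pipeline-permission grant on MyTestRepo in Project Settings > Repositories > Security authorizes the pipeline to reference the repo, but the token does not cover the repo until the YAML actually does so, which is consistent with a bare `az repos show` failing with TF401019 and succeeding once a checkout is added.

```yaml
# Added example (not the apiops project's own YAML). Assumes the target repo
# MyTestRepo is in the same project ("Project") as the repo holding this
# pipeline; the alias targetRepo, stage/job names, pool image and branch
# naming are hypothetical.
resources:
  repositories:
    - repository: targetRepo     # alias used by the checkout step below
      type: git
      name: Project/MyTestRepo   # <project>/<repo>; plain "MyTestRepo" also resolves within the same project

stages:
  - stage: CreateTemplateBranch
    jobs:
      - job: CreatePullRequest
        pool:
          vmImage: windows-latest
        steps:
          # Once any checkout step is listed, the implicit self checkout is gone,
          # so keep it explicit.
          - checkout: self

          # The additional checkout the comments describe. With "Protect access to
          # repositories in YAML pipelines" on, this reference is what adds
          # MyTestRepo to the scope of $(System.AccessToken); the pipeline
          # permission granted in Project Settings alone is not sufficient.
          - checkout: targetRepo
            persistCredentials: true   # leave the token in the clone's git config for a later push

          - pwsh: |
              # The azure-devops CLI extension reads AZURE_DEVOPS_EXT_PAT for auth;
              # add it first with "az extension add --name azure-devops" if the
              # agent image does not already ship it.
              az repos show --repository MyTestRepo `
                --organization $(System.CollectionUri) `
                --project "$(System.TeamProject)" `
                --query "webUrl" --output tsv
            displayName: Verify target repo is visible to the job access token
            env:
              AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)

          - pwsh: |
              # Assumes the temporary branch was already pushed to MyTestRepo by an
              # earlier step (matching the "artifacts-from-portal-build-<id>" naming
              # seen in the issue's expected output).
              az repos pr create --repository MyTestRepo `
                --organization $(System.CollectionUri) `
                --project "$(System.TeamProject)" `
                --source-branch "artifacts-from-portal-build-$(Build.BuildId)" `
                --target-branch main `
                --title "Extracted APIM artifacts from build $(Build.BuildId)"
            displayName: Create pull request
            env:
              AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
```

The same scoping applies to a `uses` declaration on the job or step if a full clone of the target repo is unwanted; either way, keep "Protect access to repositories in YAML pipelines" enabled rather than turning it off to work around the error, since disabling it widens the job token to every repository in the project for every pipeline.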