azure-devopspaket

Best way to authenticate in Azure DevOps YAML pipeline to access my Azure DevOps package feed (used by Paket commands)

When calling Paket install via a command line step the script issues an unauthorized exception (401) when trying to access my Azure DevOps package feed (with upstream sources).

Running the build steps on my local system works using the Git Credentials Manager to login and authenticate for resolving and publishing packages via my Azure DevOps package feed.

I am aiming at a solution in which I do not have to specify the plain user name and password in the Azure DevOps Yaml script file. So far I have tried to authenticate via a private access token using the "az devops login" command but until now I failed to get it running.

I also read about Azure DevOps "Service connections" but this seems to be overkill for my problem.

Yaml script without authentication logic:

trigger:
- develop

pool:
  vmImage: 'windows-latest'

variables:
  solution: './*.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'

steps:
- task: NuGetToolInstaller@1

- task: CmdLine@2
  inputs:
    script: 'InstallPackages.cmd'

- task: NuGetCommand@2
  inputs:
    restoreSolution: '$(solution)'

- task: VSBuild@1
  inputs:
    solution: '$(solution)'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

- task: VSTest@2
  inputs:
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

Paket version 5.215.0
Resolving packages for group Main:
Performance:
 - Resolver: 544 milliseconds (1 runs)
    - Runtime: 111 milliseconds
    - Blocked (retrieving package versions): 433 milliseconds (1 times)
 - Average Request Time: 57 milliseconds
 - Number of Requests: 4
 - Runtime: 1 second
Paket failed with
-> Unable to retrieve package versions for 'Microsoft.VisualStudio.Threading.Analyzers'
...
-> Could not load resources from 'https://worues.pkgs.visualstudio.com/_packaging/Fact4CoreFeed/nuget/v3/index.json': Unauthorized (401)
Solution

  • Best way to authenticate in Azure DevOps YAML pipeline to access my Azure DevOps package feed (used by Paket commands)

    If you do not want to specify the plain user name and password in the Azure DevOps Yaml script file, you could authenticate via a private access token in the nuget.config file.

    The sample nuget.config now looks like:

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
    <add key="VSTSFeed" value="https://dev.azure.com/_packaging/FeedName/nuget/v3/index.json " />
  </packageSources>
  <activePackageSource>
    <add key="All" value="(Aggregate source)" />
  </activePackageSource>
  <packageSourceCredentials>
    <VSTSFeed>
      <add key="Username" value="%USER_VARIABLE%" />      
      <add key="ClearTextPassword" value="%PAT%" />
    </VSTSFeed>
  </packageSourceCredentials>
</configuration>

    Note: Since the password key is "ClearTextPassword", it's a terrible idea and a security concern if you're saving nuget.config with a clear PAT, so it's best to create variable to store PAT in the variables tab and change the variable type to secret.

    Hope this helps.