azure azure-devops azure-pipelines devops

Bypass pipeline setting enabled at organizational level in Azure DevOps


In my Azure DevOps organization I enabled "Limit job authorization scope to current project for non-release pipelines" and for release pipelines.

Within my organization I have a project where a certain pipeline needs to access a feed from a different project. I want to allow this.

I tried to connect the affected pipeline to the target project using an npm service connection and a PAT but it did not work.

Is there a workaround that I can use, or will the organizational-level setting block any kind of attempt or workaround?

pool:
  vmImage: ubuntu-latest

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- task: npmAuthenticate@0
  inputs:
    workingFile: 'my_configuration_file_for_node_package_manager'
    customEndpoint: 'Name_of_my_service_connection'  

- script: |
    # Fail this step if any of the scripts fail
    set -e
    # Run npm scripts
    npm install
    npm run lint
    npm run test:ci
    npm run build
  displayName: 'npm install, lint, test and build'

Workaround: so I created 2 projects (source project and target project).

I get the following error.

2024-06-06T13:35:21.1839639Z ##[section]Starting: npmAuthenticate
2024-06-06T13:35:21.1844933Z ==============================================================================
2024-06-06T13:35:21.1845088Z Task : npm authenticate (for task runners)
2024-06-06T13:35:21.1845208Z Description : Don't use this task if you're also using the npm task. Provides npm credentials to an .npmrc file in your repository for the scope of the build. This enables npm task runners like gulp and Grunt to authenticate with private registries.
2024-06-06T13:35:21.1845491Z Version : 0.238.2
2024-06-06T13:35:21.1845563Z Author : Microsoft Corporation
2024-06-06T13:35:21.1845650Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/package/npm-authenticate
2024-06-06T13:35:21.1845803Z ==============================================================================
2024-06-06T13:35:21.7016864Z ##[error]Error: The .npmrc file you selected at /home/vsts/work/1/s/source-repo/.npmrc does not currently exist.
2024-06-06T13:35:21.7053999Z ##[section]Finishing: npmAuthenticate

I attached the screenshot with my .npmrc file.


Solution

  • I can reproduce the same situation. When the option: Limit job authorization scope to current project for non-release pipelines is enabled, the access to the feed from another project will be limited.

    Is there a workaround that I can use, or will the organizational-level setting block any kind of attempt or workaround?

    To work around this issue, you can add the .npmrc file to the same path as the package.json file.


    Then you can add the following content in the .npmrc file

    ; begin auth token
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/registry/:username=[ENTER_ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/registry/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/registry/:email=npm requires email to be set but doesn't use the value
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/:username=[ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
    //pkgs.dev.azure.com/<ORGANIZATION_NAME>/<Project_NAME>/_packaging/<FEED_NAME>/npm/:email=npm requires email to be set but doesn't use the value
    ; end auth token
    

    Note: You need to convert the PAT to Base64 format and add it to the .npmrc file.

    In Azure DevOps Pipeline, you can remove the npmAuthenticate task.

    For example:

    pool:
      vmImage: ubuntu-latest
    
    steps:
    - task: NodeTool@0
      inputs:
        versionSpec: '18.x'
      displayName: 'Install Node.js'
     
    
    - script: |
        # Fail this step if any of the scripts fail
        set -e
        # Run npm scripts
        npm install
        npm run lint
        npm run test:ci
        npm run build
      displayName: 'npm install, lint, test and build'
    

    For more detailed info, you can refer to this doc: Connect to Feed

    Update:

    To use an npm service connection and the npmAuthenticate task to authenticate to the feed resource in another project, you can use the following sample:

    1. Add an .npmrc file to your project and add the following content:

    registry=https://pkgs.dev.azure.com/<ORGANIZATION_NAME>/<PROJECT_NAME>/_packaging/<FEED_NAME>/npm/registry/ 
    
    always-auth=true
    

    2. In Azure Pipeline, you need to add the argument --userconfig xxx/.npmrc to force the Npm task to use the target .npmrc file.

    Here is an example:

    pool:
      vmImage: ubuntu-latest
    
    steps:
    - task: NodeTool@0
      inputs:
        versionSpec: '18.x'
      displayName: 'Install Node.js'
    
    - task: npmAuthenticate@0
      inputs:
        workingFile: 'your .npmrc file'
        customEndpoint: 'Name_of_my_service_connection'  
    
    - script: |
     
        set -e
        # Run npm scripts
        npm install --userconfig Path/.npmrc
        npm run lint
        npm run test:ci
        npm run build
      displayName: 'npm install, lint, test and build'
    

    I tried to connect the affected pipeline to the target project using an npm service connection and a PAT but it did not work.

    The cause of the issue is that the pipeline contains two .npmrc files. One is project level (uses the PAT) and the other is user level (uses the service account). By default, it will use the user-level .npmrc file, so it will have no access to the feed from another project due to the limitation.
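
An added example, not part of the answer above: a shell function that writes the answer's auth-token block at build time from a secret pipeline variable, so the Base64-encoded PAT is never committed next to package.json. The names `FEED_PAT` and `write_feed_npmrc`, its arguments and the `build` username are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the answer): write the feed auth block at build time
# so the Base64-encoded PAT never lands in the repository.
# FEED_PAT, write_feed_npmrc and its arguments are assumed names.

# Usage: write_feed_npmrc <organization> <project> <feed> <output .npmrc path>
# The body runs in a subshell so umask and variables do not leak to the caller.
write_feed_npmrc() (
  org="$1"; project="$2"; feed="$3"; out="$4"
  if [ -z "${FEED_PAT:-}" ]; then
    echo "FEED_PAT is not set" >&2
    exit 1
  fi
  # printf, unlike echo, adds no trailing newline to the encoded value;
  # tr strips the line wrapping some base64 implementations insert.
  b64="$(printf '%s' "$FEED_PAT" | base64 | tr -d '\n')"
  base="//pkgs.dev.azure.com/${org}/${project}/_packaging/${feed}/npm"
  umask 077   # a newly created file is readable by the current user only
  {
    echo "; begin auth token"
    for prefix in "${base}/registry/" "${base}/"; do
      echo "${prefix}:username=build"
      echo "${prefix}:_password=${b64}"
      echo "${prefix}:email=npm requires email to be set but doesn't use the value"
    done
    echo "; end auth token"
  } > "$out"
)
```

In a pipeline, a secret variable reaches a script step only when it is mapped explicitly through that step's `env:` block, so `FEED_PAT` has to be mapped there before the function is called.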